fix(deps): update module github.com/hashicorp/go-getter to v1.7.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/hashicorp/go-getter	v1.7.8 -> v1.7.9

GitHub Vulnerability Alerts

CVE-2025-8959

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

---

HashiCorp go-getter Vulnerable to Symlink Attacks

CVE-2025-8959 / GHSA-wjrx-6529-hcj3

More information

Details

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-8959
• https://github.com/hashicorp/go-getter/commit/87541b2501c00df5eaedea6acc61a2a4a4efa5b7
• https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
• https://github.com/hashicorp/go-getter

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.7.9

Compare Source

What's Changed

• Speed up XZ decompression by 5x with bufio wrapper by @​vsarunas in https://github.com/hashicorp/go-getter/pull/520
• Fix CI Workflow by @​mohanmanikanta2299 in https://github.com/hashicorp/go-getter/pull/522
• test: Remove use of "mitchellh/go-testing-interface" for stdlib by @​jrasell in https://github.com/hashicorp/go-getter/pull/523
• fix: url redact of multiple sshkey by @​dduzgun-security in https://github.com/hashicorp/go-getter/pull/528
• Publish arm binaries by @​sethvargo in https://github.com/hashicorp/go-getter/pull/525
• fix errcheck lint errors and run it as part of pr checks by @​abhijeetviswa in https://github.com/hashicorp/go-getter/pull/530
• fix additional lint errors and increase linter scope by @​abhijeetviswa in https://github.com/hashicorp/go-getter/pull/531
• IND-3728 enabling dependabot by @​KaushikiAnand in https://github.com/hashicorp/go-getter/pull/529
• fix: go-getter subdir paths by @​dduzgun-security in https://github.com/hashicorp/go-getter/pull/540

New Contributors

• @​vsarunas made their first contribution in https://github.com/hashicorp/go-getter/pull/520
• @​jrasell made their first contribution in https://github.com/hashicorp/go-getter/pull/523
• @​sethvargo made their first contribution in https://github.com/hashicorp/go-getter/pull/525
• @​abhijeetviswa made their first contribution in https://github.com/hashicorp/go-getter/pull/530
• @​KaushikiAnand made their first contribution in https://github.com/hashicorp/go-getter/pull/529

Full Changelog: hashicorp/go-getter@v1.7.8...v1.7.9

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.