fix(deps): update module github.com/hashicorp/go-getter to v1.8.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/hashicorp/go-getter	v1.8.4 → v1.8.6

GitHub Vulnerability Alerts

CVE-2026-4660

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

---

HashiCorp's go-getter library may allow arbitrary file reads

CVE-2026-4660 / GHSA-92mm-2pjq-r785

More information

Details

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-4660
• https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
• https://github.com/hashicorp/go-getter

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.8.6

Compare Source

v1.8.5

Compare Source

What's Changed

• [chore] : Bump the go group with 2 updates by @​dependabot[bot] in #​576
• use %w to wrap error by @​Ericwww in #​475
• fix: #​538 http file download skipped if headResp.ContentLength is 0 by @​martijnvdp in #​539
• chore: fix error message capitalization in checksum function by @​ssagarverma in #​578
• [chore] : Bump the go group with 8 updates by @​dependabot[bot] in #​577
• Fix git url with ambiguous ref by @​nimasamii in #​382
• fix: resolve compilation errors in get_git_test.go by @​CreatorHead in #​579
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in #​582
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in #​583
• test that arbitrary files cannot be checksummed by @​schmichael in #​250
• [chore] : Bump google.golang.org/api from 0.260.0 to 0.262.0 in the go group by @​dependabot[bot] in #​585
• [chore] : Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by @​dependabot[bot] in #​586
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in #​588
• [chore] : Bump actions/cache from 5.0.2 to 5.0.3 in the actions group by @​dependabot[bot] in #​589
• [chore] : Bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 in the actions group by @​dependabot[bot] in #​592
• [chore] : Bump google.golang.org/api from 0.264.0 to 0.265.0 in the go group by @​dependabot[bot] in #​591
• [chore] : Bump the go group with 5 updates by @​dependabot[bot] in #​593
• IND-6310 - CRT Onboarding by @​nasareeny in #​584
• Fix crt build path by @​ssagarverma in #​594
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in #​596
• fix: remove checkout action from set-product-version job by @​ssagarverma in #​598
• [chore] : Bump the actions group with 4 updates by @​dependabot[bot] in #​595
• fix(deps): upgrade go.opentelemetry.io/otel/sdk to v1.40.0 (GO-2026-4394) by @​ssagarverma in #​599
• Prepare go-getter for v1.8.5 release by @​nasareeny in #​597
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in #​600
• sec: bump go and xrepos + redact aws tokens in url by @​dduzgun-security in #​604

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

• @​Ericwww made their first contribution in #​475
• @​martijnvdp made their first contribution in #​539
• @​nimasamii made their first contribution in #​382
• @​nasareeny made their first contribution in #​584

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 40 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.25.8
cloud.google.com/go/auth	v0.17.0 -> v0.18.2
cloud.google.com/go/monitoring	v1.24.2 -> v1.24.3
cloud.google.com/go/storage	v1.58.0 -> v1.61.3
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.54.0 -> v0.55.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.54.0 -> v0.55.0
github.com/aws/aws-sdk-go-v2	v1.41.0 -> v1.41.4
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.4 -> v1.7.7
github.com/aws/aws-sdk-go-v2/config	v1.32.6 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.6 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.16 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.16 -> v1.4.20
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.16 -> v2.7.20
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.16 -> v1.4.21
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.4 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.7 -> v1.9.12
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.16 -> v1.13.20
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.16 -> v1.19.20
github.com/aws/aws-sdk-go-v2/service/s3	v1.95.0 -> v1.97.1
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.4 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.8 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.12 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.5 -> v1.41.9
github.com/aws/smithy-go	v1.24.0 -> v1.24.2
github.com/googleapis/enterprise-certificate-proxy	v0.3.7 -> v0.3.14
github.com/googleapis/gax-go/v2	v2.15.0 -> v2.17.0
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.70 -> v2.0.0-beta.72
github.com/klauspost/compress	v1.18.2 -> v1.18.5
go.opentelemetry.io/otel	v1.40.0 -> v1.42.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.42.0
go.opentelemetry.io/otel/sdk	v1.40.0 -> v1.42.0
go.opentelemetry.io/otel/sdk/metric	v1.40.0 -> v1.42.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.42.0
golang.org/x/oauth2	v0.34.0 -> v0.36.0
golang.org/x/time	v0.14.0 -> v0.15.0
google.golang.org/api	v0.256.0 -> v0.271.0
google.golang.org/genproto	v0.0.0-20250922171735-9219d122eba9 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/api	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/protobuf	v1.36.10 -> v1.36.11