
chore(deps): bump the dependencies group with 2 updates#350

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/dependencies-db87f1383f

Conversation


dependabot[bot] (Contributor) commented on behalf of github, Jun 23, 2026


Bumps the dependencies group with 2 updates: github.com/gemaraproj/go-gemara and github.com/privateerproj/privateer-sdk.

Updates github.com/gemaraproj/go-gemara from 0.5.0 to 0.7.0

Release notes

Sourced from github.com/gemaraproj/go-gemara's releases.

v0.7.0

Changelog

🐛 Bug Fixes

  • feat: implement encoding.TextUnmarshaler on enums for yaml.v3 compatibility @SAY-5 (#79)

🧰 Maintenance

  • chore: remove goreleaser config unused by library project @jmeridth (#84)

See details of all code changes since previous release

v0.6.0

Changelog

🧰 Maintenance

  • chore(deps): Bump actions/checkout from 6.0.2 to 6.0.3 in the dependencies group @dependabot[bot] (#77)
  • chore(deps): Bump the dependencies group with 4 updates @dependabot[bot] (#74)
  • chore(deps): Bump github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml from 0.6.0 to 1.0.1 @dependabot[bot] (#73)

See details of all code changes since previous release

Commits
  • e8b4b49 chore: remove goreleaser config unused by library project (#84)
  • 9582b59 feat: add optional support for evidence collection in steps (#80)
  • 379a085 feat: implement encoding.TextUnmarshaler on enums for yaml.v3 compatibility (...
  • 1eeb131 feat: update to support gemara v1.3.0 (#78)
  • ef70959 chore(deps): Bump actions/checkout in the dependencies group (#77)
  • b775735 chore(deps): Bump the dependencies group with 4 updates (#74)
  • 4c5f3d1 chore(deps): Bump github-community-projects/ospo-reusable-workflows/.github/w...
  • See full diff in compare view

Updates github.com/privateerproj/privateer-sdk from 1.28.0 to 1.31.0

Release notes

Sourced from github.com/privateerproj/privateer-sdk's releases.

v1.31.0

Changelog

🚀 Features

  • feat(install): migrate to grc.store verified install; remove GitHub-releases path @eddie-knight (#239)

See details of all code changes since previous release

v1.30.0

Changelog

See details of all code changes since previous release

v1.29.0

Changelog

See details of all code changes since previous release

Commits
  • 43643c9 feat(install): migrate to grc.store verified install; remove GitHub-releases ...
  • eb8fda6 feat(publish): add plugin publishing pipeline to grc.store (#238)
  • a469b34 feat(pluginkit): add publish-manifest generation for plugins (#237)
  • e527225 feat(auth): add OIDC login, keyless signing, and token store for the hub (#236)
  • 6f0748e feat(verify): add keyless signature + identity verification with digest walk ...
  • cc31fbc feat(oci): add grc.store OCI client (pull, push, sign, discovery, index) (#234)
  • 3df1657 feat(config): add getters for services, autoinstall, and binaries path (#233)
  • b1b0aae feat(utils): add WriteFileAtomic for crash-safe file writes (#232)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 2 updates: [github.com/gemaraproj/go-gemara](https://github.com/gemaraproj/go-gemara) and [github.com/privateerproj/privateer-sdk](https://github.com/privateerproj/privateer-sdk).


Updates `github.com/gemaraproj/go-gemara` from 0.5.0 to 0.7.0
- [Release notes](https://github.com/gemaraproj/go-gemara/releases)
- [Commits](gemaraproj/go-gemara@v0.5.0...v0.7.0)

Updates `github.com/privateerproj/privateer-sdk` from 1.28.0 to 1.31.0
- [Release notes](https://github.com/privateerproj/privateer-sdk/releases)
- [Commits](privateerproj/privateer-sdk@v1.28.0...v1.31.0)

---
updated-dependencies:
- dependency-name: github.com/gemaraproj/go-gemara
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github.com/privateerproj/privateer-sdk
  dependency-version: 1.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) on Jun 23, 2026
dependabot[bot] requested a review from a team as a code owner on June 23, 2026 at 20:13
Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code security analysis found zero issues across all scanned files, the dependency analysis identified multiple high-severity vulnerabilities introduced via transitive dependencies from the privateer-sdk v1.31.0 and go-gemara v0.7.0 upgrades. These two analyses are independent, and clean code findings do not mitigate dependency-level risks. Key concerns include: (1) go-tuf/v2 v2.3.0 carries three active vulnerabilities including signature verification bypass, path traversal enabling arbitrary file writes, and a client-side DoS — all fixable by upgrading to v2.4.2. (2) go-jose/v4 v4.1.3 has a network-exploitable DoS via JWE decryption panic, fixable with v4.1.4. (3) opentelemetry v1.39.0 enables remote DoS amplification via baggage header parsing, fixable with v1.44.0. (4) timestamp-authority v2.0.3 has an authorization bypass via certificate bag manipulation (integrity impact: high), fixable with v2.1.2. (5) sigstore/rekor v1.4.3 carries both a nil pointer dereference DoS and an SSRF vulnerability, fixable with v1.5.2. (6) mongo-driver v1.17.6 has a heap out-of-bounds read with no confirmed fix available — monitoring is advised. (7) in-toto-golang v0.9.0 has a policy bypass risk in mixed-implementation environments, fixable with v0.11.0. We strongly recommend addressing all fixable vulnerabilities before merging by running the prescribed 'go get' upgrade commands for each affected dependency, and monitoring mongo-driver for a confirmed patched release.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • CRITICAL - github.com/theupdateframework/go-tuf/v2 v2.3.0 has 3 active vulnerabilities: (1) CVE-2026-23992: Improper threshold validation allows signature verification bypass. (2) CVE-2026-24686: Path traversal in TAP 4 Multirepo Client enables arbitrary file write. (3) CVE-2026-23991: Client DoS via malformed server response (CVSS A:H). Dependency path: github.com/privateerproj/privateer-sdk -> github.com/theupdateframework/go-tuf/v2. Fix: go get github.com/theupdateframework/go-tuf/v2@v2.4.2
  • HIGH - github.com/go-jose/go-jose/v4 v4.1.3 has CVE-2026-34986: Panic (DoS) in JWE decryption when encrypted_key field is empty with key-wrapping algorithms (CVSS A:H, network exploitable). Dependency path: github.com/hashicorp/go-plugin -> google.golang.org/grpc -> github.com/go-jose/go-jose/v4. Fix: go get github.com/go-jose/go-jose/v4@v4.1.4
  • HIGH - go.opentelemetry.io/otel v1.39.0 has CVE-2026-29181: Multi-value baggage header extraction causes excessive memory allocations enabling remote DoS amplification (CVSS A:H). Dependency path: github.com/privateerproj/privateer-sdk -> go.opentelemetry.io/otel. Fix: go get go.opentelemetry.io/otel@v1.44.0
  • HIGH - github.com/sigstore/timestamp-authority/v2 v2.0.3 has CVE-2026-39984: Authorization bypass via certificate bag manipulation in the verifier package - allows bypassing authorization controls by prepending a forged certificate (CVSS I:H). Dependency path: github.com/privateerproj/privateer-sdk -> github.com/sigstore/timestamp-authority/v2. Fix: go get github.com/sigstore/timestamp-authority/v2@v2.1.2
  • HIGH - github.com/sigstore/rekor v1.4.3 has 2 active vulnerabilities: (1) CVE-2026-23831: Nil pointer dereference via empty COSE message. (2) CVE-2026-24117: SSRF via user-provided public key URL allowing internal network probing. Dependency path: github.com/privateerproj/privateer-sdk -> github.com/sigstore/rekor. Fix: go get github.com/sigstore/rekor@v1.5.2
  • MEDIUM - go.mongodb.org/mongo-driver v1.17.6 has CVE-2026-2303: Heap out-of-bounds read in GSSAPI/Kerberos C bindings (CVSS I:H). Dependency path: github.com/privateerproj/privateer-sdk -> go.mongodb.org/mongo-driver. WARNING: No fix is currently available per the vulnerability fix report. Monitor for a patched release (latest known: v1.17.9 - verify if it addresses this CVE) and update when available.
  • MEDIUM - github.com/in-toto/in-toto-golang v0.9.0 has GHSA-pmwq-pjrm-6p5r: Inconsistent glob negation behavior between in-toto-golang and in-toto-python can cause policy bypass when both implementations verify the same layout (CVSS I:H, requires high privileges). Dependency path: github.com/privateerproj/privateer-sdk -> github.com/in-toto/in-toto-golang. Fix: go get github.com/in-toto/in-toto-golang@v0.11.0

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: c75e508, performed at: 2026-06-23T20:14:47Z

