fix(deps): update module github.com/coreos/go-oidc/v3 to v3.18.0#3814
fix(deps): update module github.com/coreos/go-oidc/v3 to v3.18.0#3814renovate[bot] wants to merge 1 commit intodevelopfrom
Conversation
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Security review (automation)
Outcome: No medium, high, or critical security issues were identified in this PR’s changes.
Scope reviewed: go.mod / go.sum only — go 1.24.6 → 1.25.0, github.com/coreos/go-oidc/v3 v3.17.0 → v3.18.0, golang.org/x/oauth2 v0.35.0 → v0.36.0. No application code was modified, so there is no new auth, injection, or deserialization surface in Semaphore’s own logic.
Dependency note: Upstream v3.18.0 is primarily dependency alignment (e.g. go-jose / oauth2 bumps per upstream release notes). That is consistent with maintenance and patch-level crypto/JWT handling rather than introducing a new exploitable weakness for this bump alone.
Slack summary (copy/paste): PR #3814 (go-oidc → v3.18.0): security pass — diff is toolchain + OIDC/oauth2 bumps only, no app code changes; no actionable medium+ findings.
Sent by Cursor Automation: Find vulnerabilities
This PR contains the following updates:
v3.17.0→v3.18.0Release Notes
coreos/go-oidc (github.com/coreos/go-oidc/v3)
v3.18.0Compare Source
What's Changed
Full Changelog: coreos/go-oidc@v3.17.0...v3.18.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.