GHSA-f6mm-5fc7-3g3c: goreleaser shows environment by default

May 15, 2024

Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment.

References

github.com/advisories/GHSA-f6mm-5fc7-3g3c
github.com/goreleaser/goreleaser
github.com/goreleaser/goreleaser/commit/22f734e41f7a5111a031a3a4eb714c1b6aa6456b
github.com/goreleaser/goreleaser/pull/4787
github.com/goreleaser/goreleaser/security/advisories/GHSA-f6mm-5fc7-3g3c

Code Behaviors & Features

Detect and mitigate GHSA-f6mm-5fc7-3g3c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →