security: vulnerability remediation#188
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
|
Created a monitoring plan for this PR. What this PR does: Patches a high-severity security vulnerability (GHSA-537c-gmf6-5ccf — vulnerable OpenSSL in Intended effect: No production telemetry signal exists for CLI template usage — this is a template-only change with no deployed service. Confirmation is structural: the lockfile pins Risks:
|
a07f351 to
f6e973f
Compare
f6e973f to
dc2084d
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit dc2084d. Configure here.
| golang.org/x/sync v0.19.0 | ||
| golang.org/x/term v0.39.0 | ||
| golang.org/x/sync v0.20.0 | ||
| golang.org/x/term v0.43.0 |
There was a problem hiding this comment.
Claimed vulnerability fix missing
High Severity
This PR marks GHSA-537c-gmf6-5ccf as confirmed fixed via a browser-use bump, but the diff only updates Go modules such as golang.org/x/crypto. The advisory targets PyPI cryptography (patched in 48.0.1), and the shipped browser-use template still pins browser-use 0.11.1 with cryptography 46.0.3, so the vulnerability remains.
Reviewed by Cursor Bugbot for commit dc2084d. Configure here.


Vulnerability Remediation
Fixed
Not Included
Deferred details