Skip to content

fix(deps): update module github.com/pkg/sftp to v1.13.11#219

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-pkg-sftp-1.x
Open

fix(deps): update module github.com/pkg/sftp to v1.13.11#219
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-pkg-sftp-1.x

Conversation

@renovate

@renovate renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/pkg/sftp v1.13.10v1.13.11 age confidence

Release Notes

pkg/sftp (github.com/pkg/sftp)

v1.13.11: - maintenance release

Compare Source

This release bounds an unchecked pre-allocation in the SSH_FILEXFER_ATTRS decoder, updates dependencies, and includes minor code cleanups.

Security/robustness

The attribute decoder (unmarshalFileStat) allocated the extended-attribute slice directly from the wire-supplied extended_count without bounding it against the available bytes. A peer could advertise a huge extended_count in a small packet and force a multi-gigabyte allocation up front, crashing the process with fatal error: out of memory before a single entry was parsed.

What's Changed
New Contributors

Full Changelog: pkg/sftp@v1.13.10...v1.13.11


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.50.0 -> v0.54.0
golang.org/x/net v0.52.0 -> v0.56.0
golang.org/x/sync v0.20.0 -> v0.22.0
golang.org/x/sys v0.43.0 -> v0.47.0
golang.org/x/text v0.36.0 -> v0.40.0

@llamapreview llamapreview Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto Pull Request Review from LlamaPReview

Review Status: Automated Review Skipped

Dear contributor,

Thank you for your Pull Request. LlamaPReview has analyzed your changes and determined that this PR does not require an automated code review.

Analysis Result:

PR only contains version updates and formatting changes

Technical Context:

Version and formatting changes detected, which include:

  • Package version updates
  • Dependency version changes
  • Code formatting adjustments
  • Whitespace modifications
  • Structural formatting changes

We're continuously improving our PR analysis capabilities. Have thoughts on when and how LlamaPReview should perform automated reviews? Share your insights in our GitHub Discussions.

Best regards,
LlamaPReview Team

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants