Renovate: Update module github.com/slack-go/slack to v0.23.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/slack-go/slack	v0.17.3 → v0.23.1

---

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g
• https://github.com/slack-go/slack/releases/tag/v0.23.1
• https://github.com/advisories/GHSA-gxhx-2686-5h9g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g
• https://github.com/slack-go/slack
• https://github.com/slack-go/slack/releases/tag/v0.23.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

slack-go/slack (github.com/slack-go/slack)

v0.23.1

Compare Source

[!IMPORTANT]
Even though this is a [security] patch release, if you were using an empty secret, this is a breaking change due to a change in behaviour. That's on purpose, to ensure you fix your approach so that there are no footguns.

Fixed

• NewSecretsVerifier now rejects empty signing secrets to avoid accepting forged request
  signatures when applications are misconfigured.

Full Changelog: slack-go/slack@v0.23.0...v0.23.1

v0.23.0

Compare Source

Added

• feat(socketmode): expose socketmode handler dispatcher method by @​nlopes in #​1550
• feat(block): add card and carousel blocks by @​nlopes in #​1551
• feat(assistant): add username and icon to status update by @​charleenwang in #​1553
• feat(block): add alert block by @​nlopes in #​1552

New Contributors

• @​charleenwang made their first contribution in #​1553

Full Changelog: slack-go/slack@v0.22.0...v0.23.0

v0.22.0

Compare Source

Previous release. See GitHub releases
for details.

v0.21.1

Compare Source

Previous release. See GitHub releases
for details.

v0.21.0

Compare Source

Previous release. See GitHub releases
for details.

v0.20.0

Compare Source

Previous release. See GitHub releases
for details.

v0.19.0

Compare Source

Previous release. See GitHub releases
for details.

v0.18.0

Compare Source

Previous release. See GitHub releases
for details.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.