Subject: CVS commit: pkgsrc/net/gh
From: Benny Siegert
Date: 2025-03-01 21:07:57
Message id: 20250301200757.79E3DFBE1@cvs.NetBSD.org
Log Message:
gh: update to 2.67.0

2.67.0

Security

A bug in gh attestation verify may return an incorrect zero exit status
when no matching attestations are found for the specified
--predicate-type <value> or the default https://slsa.dev/provenance/v1
if not specified. This issue only arises if an artifact has an
attestation with a predicate type different from the one provided in the
command. As a result, users relying solely on these exit codes may
mistakenly believe the attestation has been verified, despite the
absence of an attestation with the specified predicate type and the tool
printing a verification failure.
Users are advised to update gh to version v2.67.0 as soon as possible.
For more information, see GHSA-fgw4-v983-mgp8.

2.66.0

- gh pr view and gh pr status now respect common triangular workflow
configurations
- gh secret list, gh secret set, and gh secret delete now require
repository selection when multiple git remotes are present
- Extension update notices now notify once every 24 hours per extension
and can be disabled
Files:
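
The Security note above says the exit status alone could wrongly signal success. The following is an added example, not part of the commit or of gh itself: a fail-closed gate that also requires a verified statement with the expected predicate type in the JSON output. It assumes `gh attestation verify --format json` emits an array whose entries hold the in-toto statement under `verificationResult.statement`; the function names and sample outputs are constructed for illustration.

```python
import json

# Default predicate type named in the advisory text.
DEFAULT_PREDICATE = "https://slsa.dev/provenance/v1"


def matching_attestations(verify_json, predicate_type=DEFAULT_PREDICATE):
    """Return verified statements whose predicateType equals predicate_type."""
    try:
        results = json.loads(verify_json)
    except (TypeError, ValueError):
        return []  # empty or non-JSON output counts as "nothing verified"
    if not isinstance(results, list):
        return []
    matches = []
    for entry in results:
        result = entry.get("verificationResult") if isinstance(entry, dict) else None
        stmt = result.get("statement") if isinstance(result, dict) else None
        if isinstance(stmt, dict) and stmt.get("predicateType") == predicate_type:
            matches.append(stmt)
    return matches


def gate(exit_status, verify_json, predicate_type=DEFAULT_PREDICATE):
    """Pass only if the tool exited 0 AND a matching statement is present."""
    return exit_status == 0 and bool(matching_attestations(verify_json, predicate_type))


def sample(predicate_type):
    """Build one constructed result entry (assumed shape, minimal fields)."""
    return {"verificationResult": {"statement": {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": predicate_type,
        "subject": [{"name": "example-artifact", "digest": {"sha256": "<placeholder>"}}],
    }}}


# Constructed outputs: provenance only, SBOM only, and both together.
SBOM_TYPE = "https://spdx.dev/Document/v2.3"
PROVENANCE = json.dumps([sample(DEFAULT_PREDICATE)])
SBOM_ONLY = json.dumps([sample(SBOM_TYPE)])
MIXED = json.dumps([sample(SBOM_TYPE), sample(DEFAULT_PREDICATE)])

if __name__ == "__main__":
    for label, status, out in [("provenance", 0, PROVENANCE),
                               ("sbom-only, exit 0", 0, SBOM_ONLY),
                               ("empty output, exit 0", 0, "")]:
        print(label, "->", "PASS" if gate(status, out) else "FAIL")
```

In a pipeline, feed the captured exit status and standard output of the verify command to `gate` and block the artifact when it returns `False`.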