[NPM:GHSA-V7X3-7HW7-PCJG] Renovate vulnerable to leakage of temporary repository tokens into Pull Request comments

Severity Moderate
Affected Packages 1
Fixed Packages 1

Impact

Temporary repository tokens were leaked into Pull Request comments during certain Go Modules update failure scenarios: when a Go Modules update failed, the error output posted back to the Pull Request could contain the token Renovate was using to access the repository.
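The defect class described above is tool output being copied into a user-visible comment without scrubbing the credentials the bot was holding. The following is an added example, not Renovate's own code or its actual fix, showing the two layers a practitioner would want before posting failure output: exact-match redaction of every token the bot knows it is using, plus stripping of any `user:password@` userinfo from URLs (the form git and `go get` echo back in their error messages), with a fail-closed check that refuses to post at all if a known token still survives. The function names, the minimum secret length, the sample output and the made-up token value are all assumptions made for this illustration.

```typescript
// Added example, not Renovate's code: scrub a bot's repository tokens from
// tool output before that output is posted as a Pull Request comment.

const REDACTED = '[REDACTED]';

// Assumption: values shorter than this are not blanked out by exact match
// (to avoid mangling ordinary text); if one still shows up, we fail closed.
const MIN_SECRET_LENGTH = 8;

// Matches `scheme://user[:password]@` so credentials embedded in remote URLs
// are dropped even when the exact token value was never registered.
const URL_USERINFO = /([a-z][a-z0-9+.-]*:\/\/)[^\s/@]+(?::[^\s/@]*)?@/gi;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

/** Remove every known secret value, then any URL-embedded credentials. */
function redactSecrets(text: string, knownSecrets: readonly string[]): string {
  let out = text;
  for (const secret of knownSecrets) {
    if (secret.length < MIN_SECRET_LENGTH) continue;
    out = out.replace(new RegExp(escapeRegExp(secret), 'g'), REDACTED);
  }
  return out.replace(URL_USERINFO, `$1${REDACTED}@`);
}

/** True if any known secret (of any length) still appears verbatim. */
function containsSecret(text: string, knownSecrets: readonly string[]): boolean {
  return knownSecrets.some((s) => s.length > 0 && text.includes(s));
}

/**
 * Build the body of a failure comment. Fails closed: if a secret survives
 * redaction, return null so the caller posts a generic message instead of
 * the raw tool output.
 */
function buildFailureComment(
  rawOutput: string,
  knownSecrets: readonly string[],
): string | null {
  const safe = redactSecrets(rawOutput, knownSecrets);
  if (containsSecret(safe, knownSecrets)) {
    return null;
  }
  return `Go Modules update failed:\n\n\`\`\`\n${safe}\n\`\`\``;
}

// Constructed sample: the shape of a git error surfaced through `go get`,
// with a made-up installation token embedded in the HTTPS remote URL.
const SAMPLE_TOKEN = 'v1.0123456789abcdef0123456789abcdef';
const SAMPLE_OUTPUT =
  'go: github.com/example/private@v1.2.3: git fetch -f origin refs/heads/*:refs/heads/*: exit status 128:\n' +
  `\tfatal: unable to access 'https://x-access-token:${SAMPLE_TOKEN}@github.com/example/private/': ` +
  'The requested URL returned error: 403';

console.log(buildFailureComment(SAMPLE_OUTPUT, [SAMPLE_TOKEN]));
```

Exact-match redaction only catches the literal token value; encoded variants (base64 in HTTP trace output, URL-encoded forms) need their own patterns, which is why the userinfo stripping and the fail-closed branch matter more than the substitution list. Rotating the leaked token is still required after any such incident, since redaction only prevents the next leak.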

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support in the Renovate configuration until you can upgrade (every Renovate manager, including gomod, can be turned off by setting its enabled option to false). Any token that may already have been posted to a Pull Request comment should be treated as compromised and rotated.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:
* Open an issue in Renovate

Package Affected Version
pkg:npm/renovate >= 13.87.0, < 19.38.7
Package Fixed Version
pkg:npm/renovate = 19.38.7
ID
NPM:GHSA-V7X3-7HW7-PCJG
Severity
moderate
URL
https://github.com/advisories/GHSA-v7x3-7hw7-pcjg
Published
2019-10-21T16:02:33
Modified
2023-01-07T05:02:58
Rights
NPM Security Team
Type      Package URL        Name      Version
Affected  pkg:npm/renovate   renovate  >= 13.87.0, < 19.38.7
Fixed     pkg:npm/renovate   renovate  = 19.38.7