@dependabot dependabot bot commented on behalf of github Sep 4, 2025

Bumps github.com/cosmos/cosmos-sdk from 0.39.1 to 0.53.4.

Release notes

Sourced from github.com/cosmos/cosmos-sdk's releases.

v0.53.4

Cosmos SDK v0.53.4 Release Notes

🚀 Highlights

This patch release includes minor dependency and non-breaking functionality additions.

This is fully API and state-compatible with all v0.53.x releases.

📝 Changelog

Check out the changelog for an exhaustive list of changes or compare changes from the last release.

v0.53.3

Cosmos SDK v0.53.3 Release Notes

🚀 Highlights

This patch release fixes GHSA-p22h-3m2v-cmgh. It resolves an x/distribution module issue that can halt chains when the historical rewards pool overflows. Chains using the x/distribution module are affected by this issue.

We recommend upgrading to this patch release as soon as possible.

This patch is state-breaking; chains must perform a coordinated upgrade. This patch cannot be applied in a rolling upgrade.

📝 Changelog

Check out the changelog for an exhaustive list of changes or compare changes from the last release.

v0.53.2

Cosmos SDK v0.53.2 Release Notes

💬 Release Discussion

🚀 Highlights

Announcing Cosmos SDK v0.53.2

This release is a patch update that includes feedback from early users of Cosmos SDK v0.53.0.

Upgrading to this version of the Cosmos SDK from any v0.53.x is trivial and does not require a chain upgrade.

NOTE: v0.53.1 has been retracted.

📝 Changelog

Check out the changelog for an exhaustive list of changes, or compare changes from the last release.

v0.53.1

... (truncated)

Changelog

Sourced from github.com/cosmos/cosmos-sdk's changelog.

v0.53.4 - 2025-07-25

This patch update also includes minor dependency bumps.

Features

  • (abci_utils) #25008 add the ability to assign a custom signer extraction adapter in DefaultProposalHandler.

v0.53.3 - 2025-07-08

Bug Fixes

v0.53.2 - 2025-06-02

This patch update also includes minor dependency bumps.

Bug Fixes

  • (x/epochs) #24770 Fix register of epoch hooks in InvokeSetHooks.

v0.53.0 - 2025-04-29

Features

  • (simsx) #24062 #24145 Add new simsx framework on top of simulations for better module dev experience.
  • (baseapp) #24069 Create CheckTxHandler to allow extending the logic of CheckTx.
  • (types) #24093 Added a new method, IsGT, for types.Coin. This method is used to check if a types.Coin is greater than another types.Coin.
  • (client/keys) #24071 Add support for importing hex key using standard input.
  • (types) #23780 Add a ValueCodec for the math.Uint type that can be used in collections maps.
  • (perf) #24045 Sims: Replace runsim command with Go stdlib testing. CLI: Commit default true, Lean, SimulateEveryOperation, PrintAllInvariants, DBBackend params removed.
  • (crypto/keyring) #24040 Expose the db keyring used in the keystore.
  • (types) #23919 Add MustValAddressFromBech32 function.
  • (all) #23708 Add unordered transaction support.
    • Adds a --timeout-timestamp flag that allows users to specify a block time at which the unordered transactions should expire from the mempool.
  • (x/epochs) #23815 Upstream x/epochs from Osmosis
  • (client) #23811 Add auto cli for node service.
  • (genutil) #24018 Allow manually setting the consensus key type in genesis
  • (client) #18557 Add --qrcode flag to keys show command to support displaying keys address QR code.
  • (x/auth) #24030 Allow usage of ed25519 keys for transaction signing.
  • (baseapp) #24163 Add StreamingManager to baseapp to extend the abci listeners.
  • (x/protocolpool) #23933 Add x/protocolpool module.
    • x/distribution can now utilize an externally managed community pool. NOTE: this will make the message handlers for FundCommunityPool and CommunityPoolSpend error, as well as the query handler for CommunityPool.
  • (client) #18101 Add a keyring-default-keyname in client.toml for specifying a default key name, and skip the need to use the --from flag when signing transactions.
  • (x/gov) #24355 Allow users to set a custom CalculateVoteResultsAndVotingPower function to be used in govkeeper.Tally.
  • (x/mint) #24436 Allow users to set a custom minting function used in the x/mint begin blocker.
    • The InflationCalculationFn argument to mint.NewAppModule() is now ignored and must be nil. To set a custom InflationCalculationFn on the default minter, use mintkeeper.WithMintFn(mintkeeper.DefaultMintFn(customInflationFn)).
  • (api) #24428 Add block height to response headers

... (truncated)

You can trigger a rebase of this PR by commenting @dependabot rebase.



Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk) from 0.39.1 to 0.53.4.
- [Release notes](https://github.com/cosmos/cosmos-sdk/releases)
- [Changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.53.4/CHANGELOG.md)
- [Commits](cosmos/cosmos-sdk@v0.39.1...v0.53.4)

---
updated-dependencies:
- dependency-name: github.com/cosmos/cosmos-sdk
  dependency-version: 0.53.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) on Sep 4, 2025
@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block High
golang/github.com/golang-jwt/jwt/v4@v4.0.0 has a High CVE.

CVE: GHSA-mh63-6h87-95cp jwt-go allows excessive memory allocation during header parsing (HIGH)

Affected versions: < 4.5.2

Patched version: 4.5.2

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/github.com/golang-jwt/jwt/v4@v4.0.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/golang-jwt/jwt/v4@v4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
golang/cloud.google.com/go/accessapproval@v1.8.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/accessapproval@v1.8.2


Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.


Block Medium
golang/cloud.google.com/go/accesscontextmanager@v1.9.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/accesscontextmanager@v1.9.2


Block Medium
golang/cloud.google.com/go/aiplatform@v1.69.0 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/aiplatform@v1.69.0


Block Medium
golang/cloud.google.com/go/analytics@v0.25.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/analytics@v0.25.2


Block Medium
golang/cloud.google.com/go/apigateway@v1.7.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/apigateway@v1.7.2


Block Medium
golang/cloud.google.com/go/apigeeconnect@v1.7.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/apigeeconnect@v1.7.2


Block Medium
golang/cloud.google.com/go/apigeeregistry@v0.9.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/apigeeregistry@v0.9.2


Block Medium
golang/cloud.google.com/go/appengine@v1.9.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/appengine@v1.9.2


Block Medium
golang/cloud.google.com/go/area120@v0.9.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/area120@v0.9.2


Block Medium
golang/cloud.google.com/go/artifactregistry@v1.16.0 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/artifactregistry@v1.16.0


Block Medium
golang/cloud.google.com/go/asset@v1.20.3 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/asset@v1.20.3


Block Medium
golang/cloud.google.com/go/assuredworkloads@v1.12.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/assuredworkloads@v1.12.2


Block Medium
golang/cloud.google.com/go/auth@v0.13.0 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/auth@v0.13.0


Block Medium
golang/cloud.google.com/go/auth@v0.13.0 has Shell access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/auth@v0.13.0


Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.


Block Medium
golang/cloud.google.com/go/auth/oauth2adapt@v0.2.6 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/auth/oauth2adapt@v0.2.6


Block Medium
golang/cloud.google.com/go/automl@v1.14.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/automl@v1.14.2


Block Medium
golang/cloud.google.com/go/baremetalsolution@v1.3.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/baremetalsolution@v1.3.2


Block Medium
golang/cloud.google.com/go/batch@v1.11.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/batch@v1.11.2


Block Medium
golang/cloud.google.com/go/beyondcorp@v1.1.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 → golang/github.com/tendermint/tm-db@v0.5.1 → golang/github.com/tendermint/tendermint@v0.33.7 → golang/github.com/spf13/viper@v1.20.1 → golang/github.com/cosmos/cosmos-sdk@v0.53.4 → golang/cloud.google.com/go/beyondcorp@v1.1.2


Block Medium
golang/cloud.google.com/go/bigtable@v1.33.0 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 > golang/github.com/tendermint/tm-db@v0.5.1 > golang/github.com/tendermint/tendermint@v0.33.7 > golang/github.com/spf13/viper@v1.20.1 > golang/github.com/cosmos/cosmos-sdk@v0.53.4 > golang/cloud.google.com/go/bigtable@v1.33.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/cloud.google.com/go/bigtable@v1.33.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
golang/cloud.google.com/go/bigtable@v1.33.0 has Shell access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 > golang/github.com/tendermint/tm-db@v0.5.1 > golang/github.com/tendermint/tendermint@v0.33.7 > golang/github.com/spf13/viper@v1.20.1 > golang/github.com/cosmos/cosmos-sdk@v0.53.4 > golang/cloud.google.com/go/bigtable@v1.33.0

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/cloud.google.com/go/bigtable@v1.33.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
golang/cloud.google.com/go/billing@v1.19.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 > golang/github.com/tendermint/tm-db@v0.5.1 > golang/github.com/tendermint/tendermint@v0.33.7 > golang/github.com/spf13/viper@v1.20.1 > golang/github.com/cosmos/cosmos-sdk@v0.53.4 > golang/cloud.google.com/go/billing@v1.19.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/cloud.google.com/go/billing@v1.19.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
golang/cloud.google.com/go/binaryauthorization@v1.9.2 has Network access.

Location: Package overview

From: golang/github.com/ethereum/go-ethereum@v1.9.20 > golang/github.com/tendermint/tm-db@v0.5.1 > golang/github.com/tendermint/tendermint@v0.33.7 > golang/github.com/spf13/viper@v1.20.1 > golang/github.com/cosmos/cosmos-sdk@v0.53.4 > golang/cloud.google.com/go/binaryauthorization@v1.9.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/cloud.google.com/go/binaryauthorization@v1.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 272 more rows in the dashboard

View full report


Labels: dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code)
