This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(deps): update module github.com/slack-go/slack to v0.23.1 [security] #577

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-slack-go-slack-vulnerability
@renovate renovate Bot commented May 14, 2026

This PR contains the following updates:

Package                      Change               Age   Confidence
github.com/slack-go/slack    v0.20.0 → v0.23.1    age   confidence

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
    // ... remainder of the function is not shown in this excerpt
}

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

slack-go/slack (github.com/slack-go/slack)

v0.23.1


[!IMPORTANT]
Even though this is a [security] patch release, if you were using an empty secret, this is a breaking change due to a change in behaviour. That's on purpose, to ensure you fix your approach so that there are no footguns.

Fixed
  • NewSecretsVerifier now rejects empty signing secrets to avoid accepting forged request
    signatures when applications are misconfigured.

Full Changelog: slack-go/slack@v0.23.0...v0.23.1

v0.23.0


Added

New Contributors

Full Changelog: slack-go/slack@v0.22.0...v0.23.0

v0.22.0

Previous release. See GitHub releases for details.

v0.21.1

Previous release. See GitHub releases for details.

v0.21.0

Previous release. See GitHub releases for details.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
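
The precondition described in the advisory above, as an added example that is not part of this PR or slack-go's own code. It uses only the Go standard library and assumes Slack's v0 signing base string (`v0:<timestamp>:<body>`); the function names, the error name and the sample request are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrEmptySecret is a hypothetical error name used only in this example.
var ErrEmptySecret = errors.New("signing secret is empty")

// sign computes a Slack-style v0 signature: HMAC-SHA256 over "v0:<ts>:<body>".
func sign(secret, ts, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(mac, "v0:%s:%s", ts, body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyUnchecked mirrors the pre-fix behaviour: any secret, including "",
// is used as the HMAC key without a precondition.
func verifyUnchecked(secret, ts, body, sig string) bool {
	return hmac.Equal([]byte(sign(secret, ts, body)), []byte(sig))
}

// verifyChecked adds the precondition: refuse to verify with an empty secret,
// so a missing configuration value fails closed instead of validating requests.
func verifyChecked(secret, ts, body, sig string) (bool, error) {
	if secret == "" {
		return false, ErrEmptySecret
	}
	return verifyUnchecked(secret, ts, body, sig), nil
}

func main() {
	// Constructed sample request; an unset environment variable yields "".
	ts, body := "1700000000", "token=constructed&command=%2Fstatus"
	// With an empty key the tag depends only on data the sender already has.
	sigNoKey := sign("", ts, body)
	fmt.Println("unchecked, empty secret accepts:", verifyUnchecked("", ts, body, sigNoKey))
	_, err := verifyChecked("", ts, body, sigNoKey)
	fmt.Println("checked, empty secret:", err)
}
```

After upgrading, treat the error from `NewSecretsVerifier` as a startup or request failure rather than logging and continuing, since the empty-secret case now surfaces there.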

@renovate renovate Bot requested a review from wass3rw3rk as a code owner May 14, 2026 22:26
@renovate renovate Bot requested review from JordanSussman and sjqnn as code owners May 14, 2026 22:26
coveralls commented May 14, 2026

Coverage Report for CI Build 26648992454

Coverage remained the same at 0.0%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 0
Covered Lines: 0
Line Coverage: NaN%
Coverage Strength: 0.0 hits per line

💛 - Coveralls

@renovate renovate Bot force-pushed the renovate/go-github.com-slack-go-slack-vulnerability branch from 8567f08 to 7d7175b Compare May 29, 2026 16:24