Update module golang.org/x/oauth2 to v0.27.0 [SECURITY] (v10.0/forgejo) (#7304)

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) | require | minor | [`v0.23.0` -> `v0.27.0`](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.23.0...refs/tags/v0.27.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Unexpected memory consumption during token parsing in golang.org/x/oauth2 [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) / [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488) <details> <summary>More information</summary> #### Details An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. #### Severity Unknown #### References - [https://go.dev/cl/652155](https://go.dev/cl/652155) - [https://go.dev/issue/71490](https://go.dev/issue/71490) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3488) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7304 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org> Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2025-03-22 15:53:21 +00:00 · 2025-03-22 15:53:21 +00:00 · a35a3b6731
commit a35a3b6731
parent 76dfc75ed2
2 changed files with 3 additions and 3 deletions
--- a/go.mod
+++ b/go.mod
@ -104,7 +104,7 @@ require (
 	golang.org/x/crypto v0.35.0
 	golang.org/x/image v0.23.0
 	golang.org/x/net v0.33.0
-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.27.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
 	golang.org/x/text v0.22.0
--- a/go.sum
+++ b/go.sum
@ -1662,8 +1662,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec
 golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
 golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=