Skip to content

fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] #220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] #220

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Dec 5, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/sirupsen/logrus v1.8.1v1.8.3 age confidence

GitHub Vulnerability Alerts

CVE-2025-65637

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.8.3

Compare Source

What's Changed

  • Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
  • This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
  • Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

Full Changelog: sirupsen/logrus@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

New Contributors

Full Changelog: sirupsen/logrus@v1.8.1...v1.8.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Author

renovate bot commented Dec 5, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
golang.org/x/sys v0.0.0-20210326220804-49726bf1d181 -> v0.0.0-20220715151400-c0bba94af5f8

@renovate renovate bot requested a review from moul as a code owner December 5, 2025 06:54
@socket-security
Copy link

socket-security bot commented Dec 5, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgolang.org/​x/​sys@​v0.0.0-20210326220804-49726bf1d181 ⏵ v0.0.0-20220715151400-c0bba94af5f887 -1100 +2100100100
Updatedgithub.com/​sirupsen/​logrus@​v1.8.1 ⏵ v1.8.398100 +16100100100

View full report

@renovate renovate bot changed the title fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] - autoclosed Dec 15, 2025
@renovate renovate bot closed this Dec 15, 2025
@renovate renovate bot deleted the renovate/go-github.com-sirupsen-logrus-vulnerability branch December 15, 2025 09:55
@renovate renovate bot changed the title fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] - autoclosed fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] Dec 15, 2025
@renovate renovate bot reopened this Dec 15, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-sirupsen-logrus-vulnerability branch from 017688a to c32b4e6 Compare December 15, 2025 13:10
@renovate
Copy link
Author

renovate bot commented Dec 15, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
golang.org/x/sys v0.0.0-20210326220804-49726bf1d181 -> v0.0.0-20220715151400-c0bba94af5f8

@renovate renovate bot force-pushed the renovate/go-github.com-sirupsen-logrus-vulnerability branch from c32b4e6 to 017688a Compare December 15, 2025 13:10
@renovate renovate bot changed the title fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] - autoclosed Jan 10, 2026
@renovate renovate bot closed this Jan 10, 2026
@renovate renovate bot changed the title fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] - autoclosed fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security] Jan 10, 2026
@renovate renovate bot reopened this Jan 10, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-sirupsen-logrus-vulnerability branch 2 times, most recently from 017688a to 4052ace Compare January 10, 2026 04:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@moul moul Awaiting requested review from moul moul is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants