Conversation

@octo-sts bot (Contributor) commented Jan 9, 2026

goreleaser/2.13.2-r0: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/goreleaser.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/goreleaser/goreleaser@v2.13.2

@octo-sts bot (Contributor, Author) commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Build System: go
Failure Point: go get command during go/bump step

Root Cause Analysis 🔍

Version mismatch in the Go module dependency: the module github.com/sigstore/timestamp-authority has a post-v2 module path in its go.mod file but is being referenced with version v2.0.3, which conflicts with Go's semantic import versioning requirements for major versions >= v2.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: goreleaser.yaml

  • modification at lines 18-20 (go/bump step)
    Original:
      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority@v2.0.3
    Replacement:
      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Update the dependency reference to use the correct v2 module path

Analysis

No similar build failures were found in the historical data to analyze patterns from. However, this is a classic Go module versioning issue where a dependency with a post-v2 module path is being referenced with an incompatible version tag. The error indicates that github.com/sigstore/timestamp-authority has updated its go.mod file to use the v2 module path but the version being requested (v2.0.3) doesn't align with Go's semantic import versioning requirements.


Explanation

The fix addresses the root cause of the Go module versioning error. When a Go module has a major version >= v2, the module path in go.mod must include the major version (e.g., /v2), and imports must reference this versioned path. The error occurs because the dependency is being referenced as 'github.com/sigstore/timestamp-authority@v2.0.3' but the actual module path in the dependency's go.mod file is 'github.com/sigstore/timestamp-authority/v2'. By changing the reference to 'github.com/sigstore/timestamp-authority/v2@v2.0.3', we align with Go's semantic import versioning requirements, allowing the go get command to correctly resolve and download the dependency.


Alternative Approaches

  • Use a different version of the timestamp-authority dependency that doesn't have the v2 module path if available
  • Remove the explicit dependency bump and let Go's dependency resolution handle the version automatically
  • Update to a newer version of the timestamp-authority package that might have resolved versioning issues

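The rule the bot's explanation relies on (a tag with major >= 2 must be requested on a module path ending in the matching /vN suffix) is easy to check before a bump is committed. The following Go program is an added example for this page; it is not code from the octo-sts bot, the wolfi-dev build tooling or goreleaser. It encodes the same rule `go get` enforces and, going slightly beyond the single case in the comment, also flags the mirror-image mistake (a /vN suffix on a v0/v1 tag) and lets +incompatible tags through, since those belong to modules with no go.mod and use the bare path. The function names and all inputs other than the PR's own github.com/sigstore/timestamp-authority@v2.0.3 reference are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// majorSuffix matches a semantic-import-versioning suffix (/v2, /v3, /v10, ...) at the end of a
// module path. /v0 and /v1 are never used as suffixes, so they are deliberately not matched.
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// parseDepRef splits a "path@version" reference of the kind a go/bump deps list carries.
func parseDepRef(ref string) (path, version string, err error) {
	i := strings.LastIndex(ref, "@")
	if i <= 0 || i == len(ref)-1 {
		return "", "", fmt.Errorf("malformed dependency reference %q: want path@version", ref)
	}
	return ref[:i], ref[i+1:], nil
}

// versionMajor returns the major number of a tag such as v2.0.3, v2.0.3-rc1 or v2.0.3+incompatible,
// plus whether the tag carries the +incompatible suffix (a v2+ tag on a module with no go.mod).
func versionMajor(v string) (major int, incompatible bool, err error) {
	if !strings.HasPrefix(v, "v") {
		return 0, false, fmt.Errorf("version %q does not start with v", v)
	}
	incompatible = strings.HasSuffix(v, "+incompatible")
	core := strings.TrimPrefix(strings.TrimSuffix(v, "+incompatible"), "v")
	if j := strings.IndexAny(core, "-+"); j >= 0 { // drop pre-release / build metadata
		core = core[:j]
	}
	major, err = strconv.Atoi(strings.SplitN(core, ".", 2)[0])
	if err != nil {
		return 0, false, fmt.Errorf("version %q has a non-numeric major component", v)
	}
	return major, incompatible, nil
}

// pathMajor returns the major version encoded in the module path suffix, or 1 when there is
// none (v0 and v1 modules use the bare path).
func pathMajor(path string) int {
	m := majorSuffix.FindStringSubmatch(path)
	if m == nil {
		return 1
	}
	n, _ := strconv.Atoi(m[1]) // the regexp guarantees digits
	return n
}

// CheckDepRef applies the semantic import versioning rule: for a tag with major >= 2 the module
// path must end in /vN with N equal to that major, unless the tag is +incompatible (no go.mod,
// so no suffix). It returns the reference as it should be written and a non-nil error describing
// the mismatch when the input is wrong (constructed helper, not part of any real tool).
func CheckDepRef(ref string) (string, error) {
	path, version, err := parseDepRef(ref)
	if err != nil {
		return "", err
	}
	major, incompatible, err := versionMajor(version)
	if err != nil {
		return "", err
	}
	base := majorSuffix.ReplaceAllString(path, "")
	pm := pathMajor(path)
	switch {
	case major <= 1 || incompatible:
		// Bare path expected; a /vN suffix here is the mirror-image mistake.
		if pm != 1 {
			fixed := base + "@" + version
			return fixed, fmt.Errorf("path %q carries a /v%d suffix that tag %s does not call for; use %s", path, pm, version, fixed)
		}
		return ref, nil
	case pm == major:
		return ref, nil
	default:
		// The failure from the build log: a v2+ tag requested on a path without the matching suffix.
		fixed := fmt.Sprintf("%s/v%d@%s", base, major, version)
		return fixed, fmt.Errorf("tag %s requires module path %s/v%d (go.mod declares the post-v2 path); use %s", version, base, major, fixed)
	}
}

func main() {
	// Constructed inputs; only the first is the reference from the failing go/bump step.
	refs := []string{
		"github.com/sigstore/timestamp-authority@v2.0.3",
		"github.com/sigstore/timestamp-authority/v2@v2.0.3",
		"github.com/example/lib@v1.4.0",
		"github.com/example/lib@v2.0.3+incompatible",
		"github.com/example/lib/v2@v3.0.0",
	}
	for _, r := range refs {
		fixed, err := CheckDepRef(r)
		if err != nil {
			fmt.Printf("REJECT %s\n       %v\n", r, err)
			continue
		}
		fmt.Printf("OK     %s\n", fixed)
	}
}
```

Run with `go run .`; the first reference is rejected with the corrected form github.com/sigstore/timestamp-authority/v2@v2.0.3, which is exactly the replacement suggested above. The check is purely syntactic: it confirms the path and tag agree with each other, not that the tag exists upstream, so it belongs in front of `go get` as a fast-fail, not instead of it.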

@octo-sts bot added the "ai/skip-comment" label (Stop AI from commenting on PR) on Jan 9, 2026