Commit 1d4bcd2

cpcloud and claude committed
chore: update flake inputs and ignore unreachable stdlib CVEs
Update nixpkgs (2026-03-09) and git-hooks (2026-03-07). Add ignore entries for GO-2026-4601 (url.Parse IPv6 host flaw; only caller parses user's own config, not attacker input) and GO-2026-4602 (os.ReadDir traversal via Root-constrained File; micasa uses plain os.ReadDir, never os.OpenRoot).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent a5ad71b commit 1d4bcd2

2 files changed

Lines changed: 14 additions & 6 deletions

flake.lock

Lines changed: 6 additions & 6 deletions

osv-scanner.toml

Lines changed: 8 additions & 0 deletions
@@ -17,6 +17,14 @@ reason = "minor TLS 1.3 info disclosure requiring network-local attacker; defaul
1717
id = "GO-2026-4342"
1818
reason = "archive/zip DoS via crafted ZIP filenames; micasa never opens or processes ZIP archives"
1919

20+
[[IgnoredVulns]]
21+
id = "GO-2026-4601"
22+
reason = "url.Parse IPv6 host parsing flaw; only caller is isLoopbackURL which parses the user's own llm.base_url config value, not attacker-supplied input"
23+
24+
[[IgnoredVulns]]
25+
id = "GO-2026-4602"
26+
reason = "os.ReadDir directory traversal via Root-constrained File; micasa uses plain os.ReadDir on a local cache dir, never uses os.OpenRoot"
27+
2028
# ollama server-side vulnerabilities: micasa is a client that makes HTTP
2129
# requests to an Ollama server; it does not embed, host, or run the Ollama
2230
# server, GGUF parser, or model-serving endpoints. These code paths are
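
Review bot: The two new `[[IgnoredVulns]]` entries (new lines 20-26) carry no expiry, and both reasons rest on call-site facts that can change without anyone revisiting this file. `GO-2026-4601` assumes `isLoopbackURL` stays the only `url.Parse` caller and that `llm.base_url` only ever comes from the user's own config; `GO-2026-4602` assumes nothing in micasa starts using `os.OpenRoot`. Consider adding an `ignoreUntil` date to each entry so osv-scanner reports them again after a set date and the reachability claims get re-checked. It would also help to say in each `reason` how the claim was verified (for example, a search of the tree for `url.Parse` and `os.OpenRoot`), so a later reviewer can repeat the check instead of taking the reason on trust.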
