chore(deps): bump github.com/in-toto/in-toto-golang from 0.9.0 to 0.11.0#724
Security Analysis Passed
No security issues found
Details
Kusari Analysis Results:
✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.
Both the dependency and code security analyses independently recommend proceeding with no blocking issues identified. The PR updates github.com/in-toto/in-toto-golang from v0.9.0 to v0.11.0, which resolves known vulnerabilities including CVE-2025-47914, CVE-2025-58181, CVE-2025-47913 in golang.org/x/crypto and GHSA-pmwq-pjrm-6p5r in in-toto-golang. No new vulnerabilities are introduced by the updated versions. The two flagged 'isRisky' items are confirmed false positives: 'stdlib' is the trusted Go standard library and github.com/spf13/cobra v1.10.2 carries only a low activity score, not a security concern. All licenses remain permissive (Apache-2.0, BSD-3-Clause, MIT). The code analysis of the modified go.mod and go.sum files found zero issues across all severity levels, with no secrets or workflow concerns. This PR is strictly a security-improving dependency update with a net-positive risk profile.
Note
View full detailed analysis result for more information on the output and the checks that were run.
@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: d73aacc, performed at: 2026-05-08T23:23:07Z