chore(deps): bump github.com/meigma/blob from 1.1.1 to 1.1.2 in the go-minor-patch group across 1 directory

[dependabot]

Bumps the go-minor-patch group with 1 update in the / directory: github.com/meigma/blob.

Updates github.com/meigma/blob from 1.1.1 to 1.1.2

Release notes

Sourced from github.com/meigma/blob's releases.

v1.1.2

1.1.2 (2026-01-25)

Bug Fixes

• wire blockCache through to registry Pull (#62) (7857128)
• wire WithRefCacheTTL to ref cache creation (#60) (5d4b964)

Changelog

Sourced from github.com/meigma/blob's changelog.

1.1.2 (2026-01-25)

Bug Fixes

• wire blockCache through to registry Pull (#62) (7857128)
• wire WithRefCacheTTL to ref cache creation (#60) (5d4b964)

Commits

• 36e2e64 chore(master): release 1.1.2 (#61)
• 7857128 fix: wire blockCache through to registry Pull (#62)
• 5d4b964 fix: wire WithRefCacheTTL to ref cache creation (#60)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the dependency update itself (v1.1.1 → v1.1.2) is safe with no direct security concerns, the code analysis identified 6 critical security vulnerabilities in the broader codebase that must be addressed before merging. Most critical is CVE-2026-24686, a path traversal vulnerability in go-tuf allowing arbitrary file writes. Additionally, three vulnerabilities exist in Go stdlib v1.25.5 affecting TLS session resumption, handshake processing, and URL parsing. Two additional go-tuf vulnerabilities (DoS and improper threshold validation) further compound the risk. Required actions: (1) Update Go stdlib to v1.25.6 or later to address CVE-2025-68121, CVE-2025-61730, and CVE-2025-61726, (2) Update github.com/theupdateframework/go-tuf from v0.7.0 to latest patched version, (3) Update github.com/theupdateframework/go-tuf/v2 from v2.3.1 to latest patched version. The cumulative risk of these vulnerabilities, particularly the critical path traversal issue, outweighs the benefit of merging this otherwise safe dependency update.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Update Go stdlib to a patched version that addresses CVE-2025-68121, CVE-2025-61730, and CVE-2025-61726. Upgrade to Go 1.25.6 or later if available.

• Potential Code Fix:

Modify the go directive in go.mod to use a patched Go version

Update github.com/theupdateframework/go-tuf from v0.7.0 to the latest patched version that addresses CVE-2026-23991, CVE-2026-23992, and CVE-2026-24686. The path traversal vulnerability is particularly critical as it allows arbitrary file writes.

• Potential Code Fix:

Update the dependency version in go.mod for github.com/theupdateframework/go-tuf

Update github.com/theupdateframework/go-tuf/v2 from v2.3.1 to the latest patched version that addresses CVE-2026-24686 (path traversal vulnerability).

• Potential Code Fix:

Update the dependency version in go.mod for github.com/theupdateframework/go-tuf/v2

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 152dee0, performed at: 2026-02-16T09:57:19Z

Found this helpful? Give it a 👍 or 👎 reaction!