Hello community,

here is the log from the commit of package kargo-cli for openSUSE:Factory 
checked in at 2026-04-23 17:08:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kargo-cli (Old)
 and      /work/SRC/openSUSE:Factory/.kargo-cli.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kargo-cli"

Thu Apr 23 17:08:12 2026 rev:50 rq:1348862 version:1.10.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/kargo-cli/kargo-cli.changes      2026-04-22 
17:01:23.540453303 +0200
+++ /work/SRC/openSUSE:Factory/.kargo-cli.new.11940/kargo-cli.changes   
2026-04-23 17:12:53.805129470 +0200
@@ -1,0 +2,9 @@
+Thu Apr 23 05:30:05 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- Update to version 1.10.2:
+  * chore(backport release-1.10): fix(argocd-wait): store health
+    statuses as map[string]any to prevent DeepCopy panic (#6146)
+    Fixes GHSA-g7gw-m874-7rmf
+    https://github.com/akuity/kargo/security/advisories/GHSA-g7gw-m874-7rmf
+
+-------------------------------------------------------------------

Old:
----
  kargo-cli-1.10.1.obscpio

New:
----
  kargo-cli-1.10.2.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kargo-cli.spec ++++++
--- /var/tmp/diff_new_pack.9ck4FN/_old  2026-04-23 17:12:55.537200802 +0200
+++ /var/tmp/diff_new_pack.9ck4FN/_new  2026-04-23 17:12:55.537200802 +0200
@@ -19,7 +19,7 @@
 %define executable_name kargo
 
 Name:           kargo-cli
-Version:        1.10.1
+Version:        1.10.2
 Release:        0
 Summary:        CLI for the Kubernetes Application lifecycle orchestration
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.9ck4FN/_old  2026-04-23 17:12:55.625204425 +0200
+++ /var/tmp/diff_new_pack.9ck4FN/_new  2026-04-23 17:12:55.645205250 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/akuity/kargo</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v1.10.1</param>
+    <param name="revision">v1.10.2</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.9ck4FN/_old  2026-04-23 17:12:55.681206732 +0200
+++ /var/tmp/diff_new_pack.9ck4FN/_new  2026-04-23 17:12:55.701207555 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/akuity/kargo</param>
-              <param 
name="changesrevision">6063d52de99ed5c26e5a01856ffe67434f8a9f23</param></service></servicedata>
+              <param 
name="changesrevision">768b2a62dcd70b7b2313290fea6c673e49e0c2d4</param></service></servicedata>
 (No newline at EOF)
 

++++++ kargo-cli-1.10.1.obscpio -> kargo-cli-1.10.2.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/kargo-cli-1.10.1/pkg/promotion/runner/builtin/argocd_waiter.go 
new/kargo-cli-1.10.2/pkg/promotion/runner/builtin/argocd_waiter.go
--- old/kargo-cli-1.10.1/pkg/promotion/runner/builtin/argocd_waiter.go  
2026-04-21 23:14:06.000000000 +0200
+++ new/kargo-cli-1.10.2/pkg/promotion/runner/builtin/argocd_waiter.go  
2026-04-22 18:02:51.000000000 +0200
@@ -4,7 +4,6 @@
        "context"
        "errors"
        "fmt"
-       "maps"
        "slices"
        "time"
 
@@ -128,8 +127,10 @@
        prevHealthStatuses := w.loadPreviousHealthStatuses(stepCtx)
        // Seed with previous statuses so unchecked apps retain their last-known
        // health if we bail early (e.g. on a TerminalError for another app).
-       newHealthStatuses := make(map[string]string, len(prevHealthStatuses))
-       maps.Copy(newHealthStatuses, prevHealthStatuses)
+       newHealthStatuses := make(map[string]any, len(prevHealthStatuses))
+       for k, v := range prevHealthStatuses {
+               newHealthStatuses[k] = v
+       }
 
        allReady := true
        for i := range stepCfg.Apps {
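Review bot: The switch from `map[string]string` to `map[string]any` on the `newHealthStatuses` line carries no comment, so nothing stops a later cleanup from restoring the typed map (and `maps.Copy`) and re-introducing the panic this release fixes. I would add, directly above the `make` call, `// Deliberately map[string]any, not map[string]string: the step output is DeepCopy'd and a typed string map panics there (GHSA-g7gw-m874-7rmf). The manual copy loop is needed because prevHealthStatuses is a different map type.` — the exact copy path that panics is not visible in this hunk, so confirm the wording against the advisory before committing it. The enclosing function starts and ends outside the hunk.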
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/kargo-cli-1.10.1/pkg/promotion/runner/builtin/argocd_waiter_test.go 
new/kargo-cli-1.10.2/pkg/promotion/runner/builtin/argocd_waiter_test.go
--- old/kargo-cli-1.10.1/pkg/promotion/runner/builtin/argocd_waiter_test.go     
2026-04-21 23:14:06.000000000 +0200
+++ new/kargo-cli-1.10.2/pkg/promotion/runner/builtin/argocd_waiter_test.go     
2026-04-22 18:02:51.000000000 +0200
@@ -215,7 +215,7 @@
                        assertions: func(t *testing.T, res 
promotion.StepResult, err error) {
                                require.NoError(t, err)
                                assert.Equal(t, 
kargoapi.PromotionStepStatusRunning, res.Status)
-                               statuses, ok := 
res.Output[healthStatusKey].(map[string]string)
+                               statuses, ok := 
res.Output[healthStatusKey].(map[string]any)
                                require.True(t, ok)
                                assert.Equal(t, "Progressing", 
statuses["argocd/my-app"])
                        },
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/kargo-cli-1.10.1/ui/src/config/auth.ts 
new/kargo-cli-1.10.2/ui/src/config/auth.ts
--- old/kargo-cli-1.10.1/ui/src/config/auth.ts  2026-04-21 23:14:06.000000000 
+0200
+++ new/kargo-cli-1.10.2/ui/src/config/auth.ts  2026-04-22 18:02:51.000000000 
+0200
@@ -2,3 +2,13 @@
 export const refreshTokenKey = 'refresh_token';
 
 export const redirectToQueryParam = 'redirectTo';
+
+// Validate that a redirect path is a safe, same-origin relative path.
+export const isSafeRedirectPath = (path: string | null): path is string => {
+  if (!path || !path.startsWith('/')) return false;
+  try {
+    return new URL(path, window.location.origin).origin === 
window.location.origin;
+  } catch {
+    return false;
+  }
+};
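Review bot: The reason the `new URL(...).origin` comparison is still needed after the `startsWith('/')` guard is not documented, and a reader could plausibly "simplify" it away: a value such as `//other-host/...` (or the `/\` backslash variant, which the WHATWG parser treats the same way) passes the leading-slash check but resolves to a different origin, and only the URL step rejects it. I would replace the one-line comment with a two-sentence TSDoc block saying that the prefix check rejects absolute and scheme-relative-looking values cheaply, while the origin comparison is the authoritative check that catches scheme-relative forms, and that a parse failure counts as unsafe. For testability outside a browser, consider taking the origin as a defaulted parameter, `(path: string | null, origin: string = window.location.origin): path is string`, and using `origin` in the body; callers need no change.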
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/kargo-cli-1.10.1/ui/src/features/auth/oidc-login.tsx 
new/kargo-cli-1.10.2/ui/src/features/auth/oidc-login.tsx
--- old/kargo-cli-1.10.1/ui/src/features/auth/oidc-login.tsx    2026-04-21 
23:14:06.000000000 +0200
+++ new/kargo-cli-1.10.2/ui/src/features/auth/oidc-login.tsx    2026-04-22 
18:02:51.000000000 +0200
@@ -16,6 +16,7 @@
 import React from 'react';
 import { useLocation } from 'react-router-dom';
 
+import { isSafeRedirectPath } from '@ui/config/auth';
 import { OIDCConfig } from '@ui/gen/api/service/v1alpha1/service_pb';
 
 import { useAuthContext } from './context/use-auth-context';
@@ -151,7 +152,7 @@
         if (platformRedirect) {
           const redirectTo = new 
URLSearchParams(platformRedirect).get('redirectTo');
 
-          if (redirectTo) {
+          if (isSafeRedirectPath(redirectTo)) {
             window.location.replace(window.location.origin + redirectTo);
           }
         }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/kargo-cli-1.10.1/ui/src/features/auth/token-renew.tsx 
new/kargo-cli-1.10.2/ui/src/features/auth/token-renew.tsx
--- old/kargo-cli-1.10.1/ui/src/features/auth/token-renew.tsx   2026-04-21 
23:14:06.000000000 +0200
+++ new/kargo-cli-1.10.2/ui/src/features/auth/token-renew.tsx   2026-04-22 
18:02:51.000000000 +0200
@@ -11,7 +11,7 @@
 import React from 'react';
 import { useNavigate, useSearchParams } from 'react-router-dom';
 
-import { redirectToQueryParam, refreshTokenKey } from '@ui/config/auth';
+import { isSafeRedirectPath, redirectToQueryParam, refreshTokenKey } from 
'@ui/config/auth';
 import { paths } from '@ui/config/paths';
 import { getPublicConfig } from 
'@ui/gen/api/service/v1alpha1/service-KargoService_connectquery';
 
@@ -72,6 +72,7 @@
 
     (async () => {
       const redirectQuery = searchParams.get(redirectToQueryParam);
+      const safeRedirectQuery = isSafeRedirectPath(redirectQuery) ? 
redirectQuery : null;
       try {
         const response = await refreshTokenGrantRequest(as, client, 
oidcClientAuth, refreshToken, {
           [allowInsecureRequests]: shouldAllowHttpRequest(),
@@ -93,7 +94,7 @@
         }
 
         onLogin(result.id_token, result.refresh_token);
-        navigate(redirectQuery || paths.home);
+        navigate(safeRedirectQuery || paths.home);
       } catch (err) {
         logout();
         navigate(
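Review bot: `navigate(safeRedirectQuery || paths.home)` uses `||` where the project-style nullish operator would be `??`; since `isSafeRedirectPath` rejects the empty string the two are equivalent here, but `??` states the intent (fall back only when no validated path exists) and avoids a reader wondering whether an empty path is a case. Suggested line: `navigate(safeRedirectQuery ?? paths.home);`. The enclosing async IIFE starts outside this hunk.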
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/kargo-cli-1.10.1/ui/src/pages/login/login.tsx 
new/kargo-cli-1.10.2/ui/src/pages/login/login.tsx
--- old/kargo-cli-1.10.1/ui/src/pages/login/login.tsx   2026-04-21 
23:14:06.000000000 +0200
+++ new/kargo-cli-1.10.2/ui/src/pages/login/login.tsx   2026-04-22 
18:02:51.000000000 +0200
@@ -2,7 +2,7 @@
 import { Divider, Typography } from 'antd';
 import { Navigate, generatePath, useSearchParams } from 'react-router-dom';
 
-import { redirectToQueryParam } from '@ui/config/auth';
+import { isSafeRedirectPath, redirectToQueryParam } from '@ui/config/auth';
 import { paths } from '@ui/config/paths';
 import { AdminLogin } from '@ui/features/auth/admin-login';
 import { useAuthContext } from '@ui/features/auth/context/use-auth-context';
@@ -20,13 +20,14 @@
   const [params] = useSearchParams();
   const { isLoggedIn } = useAuthContext();
   const redirectTo = params.get(redirectToQueryParam);
+  const safeRedirectTo = isSafeRedirectPath(redirectTo) ? redirectTo : null;
 
   if (data?.skipAuth) {
     return <Navigate to={paths.home} replace />;
   }
 
   if (isLoggedIn) {
-    return <Navigate to={redirectTo ? generatePath(redirectTo) : paths.home} 
replace />;
+    return <Navigate to={safeRedirectTo ? generatePath(safeRedirectTo) : 
paths.home} replace />;
   }
 
   return (
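Review bot: The new `generatePath(safeRedirectTo)` on the `isLoggedIn` branch still passes a user-supplied concrete path to a function meant for route patterns; in react-router, `generatePath` interprets `:name` and `*` segments and, if I recall its invariant correctly, throws when a `:name` segment has no matching param, so a crafted `redirectTo` containing such a segment would make the login page throw rather than redirect. This predates the commit, but the validated value is already a plain same-origin path and needs no pattern expansion, so I would use it directly: `return <Navigate to={safeRedirectTo ?? paths.home} replace />;`. Please verify the throwing behavior against the react-router version in use; the enclosing component starts and ends outside this hunk.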

++++++ kargo-cli.obsinfo ++++++
--- /var/tmp/diff_new_pack.9ck4FN/_old  2026-04-23 17:13:00.573408206 +0200
+++ /var/tmp/diff_new_pack.9ck4FN/_new  2026-04-23 17:13:00.585408700 +0200
@@ -1,5 +1,5 @@
 name: kargo-cli
-version: 1.10.1
-mtime: 1776806046
-commit: 6063d52de99ed5c26e5a01856ffe67434f8a9f23
+version: 1.10.2
+mtime: 1776873771
+commit: 768b2a62dcd70b7b2313290fea6c673e49e0c2d4
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/kargo-cli/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.kargo-cli.new.11940/vendor.tar.gz differ: char 13, 
line 1
