cli / go-gh

A Go module for interacting with gh and the GitHub API from the command line.
https://pkg.go.dev/github.com/cli/go-gh/v2
MIT License

Disable govulncheck due to false positive #83

Closed mislav closed 1 year ago

mislav commented 1 year ago

govulncheck detected a case where --jq user input directly constructs a regexp in gojq code, which govulncheck considers a failure since it can lead to denial-of-service attacks. This risk doesn't affect us, however, since we're building CLI apps and not hosted apps. As a user, you can crash your own gh process using your own malicious input as much as you'd like.

govulncheck presently does not have a way of silencing or allow-listing specific violations, so this disables govulncheck completely.

Ref. https://github.com/cli/go-gh/actions/runs/3243823451/jobs/5319105048

Reverts https://github.com/cli/go-gh/pull/71
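As an added example, not code from go-gh or gojq: where user input does become a regexp in a context that matters (a hosted service rather than a local CLI), one mitigation is to bound the pattern's length and parse-tree nesting before compiling it. The limits, the helper names and the sample patterns here are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
)

// Assumed limits; tune them to the inputs the application actually expects.
const (
	maxPatternLen = 1024
	maxNesting    = 32
)

var errPatternTooLarge = errors.New("pattern exceeds size or nesting limit")

// nestingDepth walks the parsed regexp tree and returns its maximum depth.
func nestingDepth(re *syntax.Regexp) int {
	depth := 0
	for _, sub := range re.Sub {
		if d := nestingDepth(sub); d > depth {
			depth = d
		}
	}
	return depth + 1
}

// compileUserPattern compiles a pattern that came from the user (for example
// from a --jq expression) only after checking its size and nesting depth,
// so a crafted pattern is rejected before it can consume compile resources.
func compileUserPattern(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, errPatternTooLarge
	}
	tree, err := syntax.Parse(pattern, syntax.Perl) // same syntax regexp.Compile uses
	if err != nil {
		return nil, err
	}
	if nestingDepth(tree) > maxNesting {
		return nil, errPatternTooLarge
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed sample input standing in for a user-supplied pattern.
	re, err := compileUserPattern("^gh-[0-9]+$")
	fmt.Println(re, err, re != nil && re.MatchString("gh-42"))
}
```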