chore(deps): update module github.com/sirupsen/logrus to v1.9.1 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sirupsen/logrus	v1.9.0 → v1.9.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-65637

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

---

Logrus is vulnerable to DoS when using Entry.Writer() in github.com/sirupsen/logrus

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh / GO-2025-4188

More information

Details

Logrus is vulnerable to DoS when using Entry.Writer() in github.com/sirupsen/logrus

Severity

Unknown

References

• https://github.com/advisories/GHSA-4f99-4q7p-p3gh
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Logrus is vulnerable to DoS when using Entry.Writer()

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh / GO-2025-4188

More information

Details

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-65637
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.9.1

Compare Source

What's Changed

• Fix data race in hooks.test package by @​FrancoisWagner in #​1362
• Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
• Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

• @​FrancoisWagner made their first contribution in #​1362
• @​tommyblue made their first contribution in #​1372
• @​ozfive made their first contribution in #​1376
• @​xieyuschen made their first contribution in #​1339

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

😢 zizmor failed with exit code 14.

Expand for full output

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:13:9
   |
13 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:16:9
   |
16 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:19:9
   |
19 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:12:9
   |
12 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:15:9
   |
15 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:18:9
   |
18 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:22:9
   |
22 |       - uses: bufbuild/buf-push-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/ci.yml:208:66
    |
208 |         run: ./scripts/ui_release.sh --check-package "$(echo ${{ github.ref_name }}|sed s/v2/v0/)"
    |         --- this run block                                       ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:16:9
   |
16 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:38:9
   |
38 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:107:9
    |
107 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:130:9
    |
130 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:149:9
    |
149 |         uses: golangci/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:165:9
    |
165 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:179:9
    |
179 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:194:9
    |
194 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:29:9
   |
29 |         uses: github/codeql-action/init@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:34:9
   |
34 |         uses: github/codeql-action/autobuild@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:37:9
   |
37 |         uses: github/codeql-action/analyze@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:10:9
   |
10 |         uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:15:9
   |
15 |         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/lock.yml:18:9
   |
18 |       - uses: dessant/lock-threads@v4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-images]: unpinned image references
  --> ./.github/workflows/repo_sync.yml:10:7
   |
10 |       image: quay.io/prometheus/golang-builder
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is unpinned
   |
   = note: audit confidence → High

83 findings (37 ignored, 23 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 23 high