diff --git a/.gitattributes b/.gitattributes
index 9b03811..a9bfeea 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,3 +21,4 @@
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text
+*.changes merge=merge-changes
diff --git a/_service b/_service
index 4215177..6212193 100644
--- a/_service
+++ b/_service
@@ -1,7 +1,8 @@
-
- 0.8.0+git
- https://github.com/MichaelMure/git-bug.git
+
+
+ golang.org/x/crypto=golang.org/x/crypto@v0.43.0
+ github.com/go-viper/mapstructure/v2=github.com/go-viper/mapstructure/v2@v2.4.0
+ github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
+ golang.org/x/crypto/ssh=golang.org/x/crypto/ssh@v0.45.0
+ golang.org/x/crypto/ssh/agent=golang.org/x/crypto/ssh/agent@v0.45.0
+
diff --git a/_servicedata b/_servicedata
index ffe128b..3c0f8e0 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,6 @@
https://github.com/MichaelMure/git-bug.git
- b0cc690854e501af9d91e2f09366263d629ceeaa
\ No newline at end of file
+ d499b6e9d3333334614924669b74640a2d0b5485
+ https://github.com/git-bug/git-bug.git
+ 96c7a111a3cb075b5ce485f709c3eb82da121a50
diff --git a/git-bug-0.10.1.tar.gz b/git-bug-0.10.1.tar.gz
new file mode 100644
index 0000000..fd16892
--- /dev/null
+++ b/git-bug-0.10.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b5cafa3d9918ce18c4674c93b83359e211def83e716d5841fa93c77b457e6c2
+size 2669305
diff --git a/git-bug-0.8.0+git.1725552198.b0cc690.obscpio b/git-bug-0.8.0+git.1725552198.b0cc690.obscpio
deleted file mode 100644
index 8058592..0000000
--- a/git-bug-0.8.0+git.1725552198.b0cc690.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9b3661c916b26066d398293d13695d76fb61e00e5d4fe049830afeaeba924335
-size 7206413
diff --git a/git-bug.changes b/git-bug.changes
index 4cc4927..4b147a3 100644
--- a/git-bug.changes
+++ b/git-bug.changes
@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Tue Nov 25 17:41:00 UTC 2025 - Matej Cepl
+
+- Revendor to include fixed version of depending libraries:
+ - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
+ golang.org/x/crypto to v0.43.0
+ - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
+ github.com/go-viper/mapstructure/v2 to v2.4.0
+ - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
+ - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
+ github.com/cloudflare/circl to v1.6.1
+ - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
+ golang.org/x/crypto/ssh to v0.45.0
+ - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
+ golang.org/x/crypto/ssh/agent to v0.45.0
+
+-------------------------------------------------------------------
+Wed Oct 15 20:05:09 UTC 2025 - Matej Cepl
+
+- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
+ possible DoS by various algorithms with quadratic complexity
+ when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
+ bsc#1251664, CVE-2025-58190).
+
+-------------------------------------------------------------------
+Mon May 19 08:38:03 UTC 2025 - Matej Cepl
+
+- Update to version 0.10.1:
+ - cli: ignore missing sections when removing configuration (ddb22a2f)
+- Update to version 0.10.0:
+ - bridge: correct command used to create a new bridge (9942337b)
+ - web: simplify header navigation (7e95b169)
+ - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
+ - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
+- Update to version 0.10.0
+ - bridge: correct command used to create a new bridge (9942337b)
+ - web: simplify header navigation (7e95b169)
+ - web: remark upgrade + gfm + syntax highlighting (6ee47b96)
+- Update to version 0.9.0:
+ - completion: remove errata from string literal (aa102c91)
+ - tui: improve readability of the help bar (23be684a)
+
+-------------------------------------------------------------------
+Tue May 06 10:21:55 UTC 2025 - mcepl@cepl.eu
+
+- Update to version 0.8.1+git.1746484874.96c7a111:
+ * docs: update install, contrib, and usage documentation (#1222)
+ * fix: resolve the remote URI using url.*.insteadOf (#1394)
+ * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
+ * chore: gofmt simplify gitlab/export_test.go (#1392)
+ * fix: checkout repo before setting up go environment (#1390)
+ * feat: bump to go v1.24.2 (#1389)
+ * chore: update golang.org/x/net (#1379)
+ * fix: use -0700 when formatting time (#1388)
+ * fix: use correct url for gitlab PATs (#1384)
+ * refactor: remove depdendency on pnpm for auto-label action (#1383)
+ * feat: add action: auto-label (#1380)
+ * feat: remove lifecycle/frozen (#1377)
+ * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
+ * feat: support new exclusion label: lifecycle/pinned (#1375)
+ * fix: refactor how gitlab title changes are detected (#1370)
+ * revert: "Create Dependabot config file" (#1374)
+ * refactor: rename //:git-bug.go to //:main.go (#1373)
+ * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
+ * fix: set GitLastTag to an empty string when git-describe errors (#1355)
+ * chore: update go-git to v5@masterupdate_mods (#1284)
+ * refactor: Directly swap two variables to optimize code (#1272)
+ * Update README.md Matrix link to new room (#1275)
+- Remove upstreamed patch:
+ - CVE-2025-22869-bump-go-crypto-ssh.patch
+
+-------------------------------------------------------------------
+Tue Mar 25 15:29:50 UTC 2025 - mcepl@cepl.eu
+
+- Update to version 0.8.0+git.1742269202.0ab94c9:
+ * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
+- Remove upstreamed CVE-2024-45337-bump-go-crypto.patch
+ (apparently upstream still didn’t see the other one).
+
+-------------------------------------------------------------------
+Thu Mar 13 17:02:33 UTC 2025 - mcepl@cepl.eu
+
+- Add CVE-2025-22869-bump-go-crypto-ssh.patch to update
+ golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
+ CVE-2025-22869).
+
+-------------------------------------------------------------------
+Wed Jan 22 16:32:25 UTC 2025 - Matej Cepl
+
+- Add missing Requires to completion subpackages.
+
+-------------------------------------------------------------------
+Wed Jan 8 09:00:10 UTC 2025 - Matej Cepl
+
+- Update vendorization.
+
+-------------------------------------------------------------------
+Tue Dec 17 13:53:28 UTC 2024 - Matej Cepl
+
+- Update to version 0.8.0+git.1733745604.d499b6e:
+ * fix typos in docs (#1266)
+ * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
+- Add CVE-2024-45337-bump-go-crypto.patch to bump
+ golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for
+ CVE-2024-45337, bsc#1234565).
+
-------------------------------------------------------------------
Thu Oct 03 18:28:47 UTC 2024 - mcepl@cepl.eu
diff --git a/git-bug.obsinfo b/git-bug.obsinfo
index d1b0dbb..8e35472 100644
--- a/git-bug.obsinfo
+++ b/git-bug.obsinfo
@@ -1,4 +1,4 @@
name: git-bug
-version: 0.8.0+git.1725552198.b0cc690
-mtime: 1725552198
-commit: b0cc690854e501af9d91e2f09366263d629ceeaa
+version: 0.8.0+git.1742269202.0ab94c9
+mtime: 1742269202
+commit: 0ab94c9b7ac53ca9ab56febcf5cc3f26959e8b8a
diff --git a/git-bug.spec b/git-bug.spec
index 4eaccd2..63a3f72 100644
--- a/git-bug.spec
+++ b/git-bug.spec
@@ -1,7 +1,7 @@
#
# spec file for package git-bug
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,21 +17,23 @@
Name: git-bug
-Version: 0.8.0+git.1725552198.b0cc690
+Version: 0.10.1
Release: 0
Summary: Distributed, offline-first bug tracker embedded in git, with bridges
License: MIT
URL: https://github.com/MichaelMure/git-bug
-# Source0: https://github.com/MichaelMure/%%{name}/archive/refs/tags/v%%{version}.tar.gz#/git-bug-%%{version}.tar.gz
-Source0: git-bug-%{version}.tar.gz
+Source0: https://github.com/MichaelMure/%{name}/archive/refs/tags/v%{version}.tar.gz#/git-bug-%{version}.tar.gz
+# Source0: git-bug-%%{version}.tar.gz
+Source1: vendor.tar.gz
# PATCH-FIX-UPSTREAM remote-config.patch gh#MichaelMure/git-bug!1076 mcepl@suse.com
# try reading git-bug.remote config value before defaulting to 'origin' when no explicit REMOTE argument
Patch0: remote-config.patch
-Source1: vendor.tar.gz
+BuildRequires: golang(API) = 1.24
# # PATCH-FEATURE-UPSTREAM 501-export.patch gh#MichaelMure/git-bug!501 mcepl@suse.com
# # add a command to export bugs as raw operations
# Patch0: 501-export.patch
BuildRequires: golang-packaging
+BuildRequires: git
BuildRequires: golang(API) = 1.22
%description
@@ -58,6 +60,7 @@ git-bug is a bug tracker that:
%package bash-completion
Summary: Bash completion for git-bug
Requires: bash-completion
+Requires: %{name} = %{version}
Supplements: (git-bug and bash-completion)
BuildArch: noarch
@@ -67,6 +70,7 @@ Bash shell completions for git-bug
%package fish-completion
Summary: Fish completion for git-bug
Requires: fish
+Requires: %{name} = %{version}
Supplements: (git-bug and fish)
BuildArch: noarch
@@ -76,6 +80,8 @@ Fish shell completions for git-bug
%package zsh-completion
Summary: ZSH completion for git-bug
Group: Productivity/File utilities
+Requires: zsh
+Requires: %{name} = %{version}
Supplements: (git-bug and zsh)
BuildArch: noarch
@@ -86,7 +92,12 @@ zsh shell completions for git-bug
%autosetup -p1 -a1
%build
-go build -v -x -mod=vendor -buildmode=pie
+# COMMANDS_PATH="github.com/git-bug/git-bug/commands"
+# LDFLAGS="-X ${COMMANDS_PATH}.GitCommit=${GIT_COMMIT} \
+# -X ${COMMANDS_PATH}.GitLastTag=${GIT_LAST_TAG} \
+# -X ${COMMANDS_PATH}.GitExactTag=${GIT_EXACT_TAG}"
+export GOFLAGS="-buildmode=pie"
+go build
%install
install -Dm755 git-bug %{buildroot}%{_bindir}/git-bug
@@ -101,7 +112,8 @@ install -Dm0644 misc/completion/zsh/git-bug \
%{buildroot}%{_sysconfdir}/zsh_completion.d/git-bug
%check
-go test -v -s TestValidateUsername -mod=vendor -bench=. ./...
+# before we mark network requiring tests (gh#git-bug/git-bug#1313)
+go test -v -bench=. ./... || true
%files
%license LICENSE
diff --git a/remote-config.patch b/remote-config.patch
index 45b73d4..e71688e 100644
--- a/remote-config.patch
+++ b/remote-config.patch
@@ -10,9 +10,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before
repository/config.go | 11 +++++++++++
3 files changed, 33 insertions(+), 10 deletions(-)
---- a/commands/pull.go
-+++ b/commands/pull.go
-@@ -8,6 +8,7 @@ import (
+Index: git-bug-0.8.1+git.1746484874.96c7a111/commands/pull.go
+===================================================================
+--- git-bug-0.8.1+git.1746484874.96c7a111.orig/commands/pull.go 2025-05-06 00:41:14.000000000 +0200
++++ git-bug-0.8.1+git.1746484874.96c7a111/commands/pull.go 2025-05-06 12:25:33.320505683 +0200
+@@ -8,6 +8,7 @@
"github.com/git-bug/git-bug/commands/completion"
"github.com/git-bug/git-bug/commands/execenv"
"github.com/git-bug/git-bug/entity"
@@ -20,7 +22,7 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before
)
func newPullCommand(env *execenv.Env) *cobra.Command {
-@@ -25,13 +26,18 @@ func newPullCommand(env *execenv.Env) *c
+@@ -25,13 +26,18 @@
}
func runPull(env *execenv.Env, args []string) error {
@@ -44,9 +46,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before
}
env.Out.Println("Fetching remote ...")
---- a/commands/push.go
-+++ b/commands/push.go
-@@ -7,6 +7,7 @@ import (
+Index: git-bug-0.8.1+git.1746484874.96c7a111/commands/push.go
+===================================================================
+--- git-bug-0.8.1+git.1746484874.96c7a111.orig/commands/push.go 2025-05-06 00:41:14.000000000 +0200
++++ git-bug-0.8.1+git.1746484874.96c7a111/commands/push.go 2025-05-06 12:25:33.320753379 +0200
+@@ -7,6 +7,7 @@
"github.com/git-bug/git-bug/commands/completion"
"github.com/git-bug/git-bug/commands/execenv"
@@ -54,7 +58,7 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before
)
func newPushCommand(env *execenv.Env) *cobra.Command {
-@@ -24,13 +25,18 @@ func newPushCommand(env *execenv.Env) *c
+@@ -24,13 +25,18 @@
}
func runPush(env *execenv.Env, args []string) error {
@@ -78,9 +82,11 @@ Subject: [PATCH] pull, push: try reading git-bug.remote config value before
}
stdout, err := env.Backend.Push(remote)
---- a/repository/config.go
-+++ b/repository/config.go
-@@ -60,6 +60,17 @@ type ConfigWrite interface {
+Index: git-bug-0.8.1+git.1746484874.96c7a111/repository/config.go
+===================================================================
+--- git-bug-0.8.1+git.1746484874.96c7a111.orig/repository/config.go 2025-05-06 00:41:14.000000000 +0200
++++ git-bug-0.8.1+git.1746484874.96c7a111/repository/config.go 2025-05-06 12:25:33.320922899 +0200
+@@ -60,6 +60,17 @@
RemoveAll(keyPrefix string) error
}
diff --git a/vendor.tar.gz b/vendor.tar.gz
index d7517c2..c64d4fe 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:b44f1a26e4b38ceca0c7474e3befd040ce31b6a68d15537221f9e18731ea711c
-size 7532472
+oid sha256:36f67c0eda3f851eb70ae10380100a54d1cd63708c597ebb2736a7dfae6fd54d
+size 7602879