Security

A security vulnerability has been identified in a core gh dependency, go-gh, where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing.

This issue is addressed in this gh release by updating go-gh to a fixed version.

For more information, see GHSA-g9f5-x53j-h563

What's changed

✨ Features

• Add preview prompter command by @BagToad in #10745
• [gh run watch] Support --compact flag by @iamazeem in #10629
• Fix brew update notifications by @BagToad in #11024

🐛 Fixes

• Revert "[gh config] Escape pipe symbol in Long desc for website manual" by @BagToad in #11004
• Fix formatting in allowed values for gh config --help by @BagToad in #11003
• fix: gh gist edit panic when no file in a gist by @phanen in #10627
• Add retry logic when fetching TUF content in gh attestation commands by @malancas in #10943

📚 Docs & Chores

• Update README.md by @irhdab in #11022
• Add tests for RenderJobs and RenderJobsCompact by @babakks in #11013
• Add example usage of --head option to pr list docs by @babakks in #10979
• Mention pr create will print the created PR's URL by @babakks in #10980
• Add Digest to ReleaseAsset struct by @bdehamer in #11030

Dependencies

• Bump go-gh to v2.12.1 by @BagToad in #11043
• chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.8 to 1.4.9 by @dependabot in #10825
• Update sigstore-go dependency to v1.0.0 by @malancas in #11028
• chore(deps): bump github.com/sigstore/protobuf-specs from 0.4.1 to 0.4.2 by @dependabot in #10999
• chore(deps): bump github.com/yuin/goldmark from 1.7.8 to 1.7.12 by @dependabot in #11032

New Contributors

• @irhdab made their first contribution in #11022
• @phanen made their first contribution in #10627

Full Changelog: v2.73.0...v2.74.0