Impact

Temporary repository tokens were leaked into Pull Requests comments in during certain Go Modules update failure scenarios.

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:

• Open an issue in Renovate