chore(deps): update module github.com/sirupsen/logrus to v1.9.1 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sirupsen/logrus	v1.9.0 -> v1.9.1

GitHub Vulnerability Alerts

CVE-2025-65637

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

---

Logrus is vulnerable to DoS when using Entry.Writer()

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh

More information

Details

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-65637
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.9.1

Compare Source

What's Changed

• Fix data race in hooks.test package by @​FrancoisWagner in #​1362
• Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
• Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

• @​FrancoisWagner made their first contribution in #​1362
• @​tommyblue made their first contribution in #​1372
• @​ozfive made their first contribution in #​1376
• @​xieyuschen made their first contribution in #​1339

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: k6/extensions/internal/go.sum

Command failed: go mod tidy
go: downloading github.com/stretchr/testify v1.8.4
go: downloading github.com/mstoykov/envconfig v1.4.1-0.20220114105314-765c6d8c76f1
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading github.com/onsi/gomega v1.27.6
go: downloading github.com/andybalholm/brotli v1.0.5
go: downloading github.com/gorilla/websocket v1.5.0
go: downloading github.com/klauspost/compress v1.17.9
go: downloading github.com/mccutchen/go-httpbin v1.1.2-0.20190116014521-c5cb2f4802fa
go: downloading golang.org/x/net v0.43.0
go: downloading google.golang.org/grpc v1.75.0
go: downloading golang.org/x/crypto v0.41.0
go: downloading google.golang.org/protobuf v1.36.9
go: downloading github.com/google/go-cmp v0.5.9
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090
go: downloading github.com/nxadm/tail v1.4.8
go: downloading google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading github.com/fsnotify/fsnotify v1.5.4
go: github.com/grafana/quickpizza/extensions/internal imports
	go.k6.io/k6/js/modules imports
	go.k6.io/k6/loader tested by
	go.k6.io/k6/loader.test imports
	go.k6.io/k6/lib/testutils/httpmultibin imports
	google.golang.org/grpc/status imports
	google.golang.org/genproto/googleapis/rpc/status: ambiguous import: found package google.golang.org/genproto/googleapis/rpc/status in multiple modules:
	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 (/tmp/renovate/cache/others/go/pkg/mod/google.golang.org/genproto@v0.0.0-20230410155749-daa745c078e1/googleapis/rpc/status)
	google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 (/tmp/renovate/cache/others/go/pkg/mod/google.golang.org/genproto/googleapis/rpc@v0.0.0-20250908214217-97024824d090/status)