Security: Upgrade rardecode v1 to v2 to mitigate DoS vulnerability (GO-2025-4020)

## Summary

The `jfrog-client-go` library depends on `github.com/nwaples/rardecode v1.1.3`, which is affected by [GO-2025-4020](https://pkg.go.dev/vuln/GO-2025-4020) - a DoS vulnerability due to unrestricted RAR dictionary sizes.

## Current State

- `jfrog-client-go` v1.55.0 still uses `rardecode v1.1.3`
- The `rardecode` v1.x branch has no fix and appears unmaintained (last release: March 2022)
- `rardecode/v2` (v2.2.0+) introduced `MaxDictionarySize()` option to mitigate this issue

## Dependency Path

```
github.com/jfrog/jfrog-client-go
  └── github.com/jfrog/archiver/v3
        └── github.com/nwaples/rardecode v1.1.3
```

## Request

Could you please consider upgrading to `github.com/nwaples/rardecode/v2` to address this vulnerability? This would allow downstream consumers to resolve the Dependabot/security scanner alerts.

## References

- [GO-2025-4020 Advisory](https://pkg.go.dev/vuln/GO-2025-4020)
- [rardecode CVE issue](https://github.com/nwaples/rardecode/issues/50)
- [rardecode v2 changelog](https://pkg.go.dev/github.com/nwaples/rardecode/v2?tab=versions)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Upgrade rardecode v1 to v2 to mitigate DoS vulnerability (GO-2025-4020) #1279

Summary

Current State

Dependency Path

Request

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Upgrade rardecode v1 to v2 to mitigate DoS vulnerability (GO-2025-4020) #1279

Description

Summary

Current State

Dependency Path

Request

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions