fix(deps): update module github.com/coreos/go-oidc/v3 to v3.18.0 #3814

Open
renovate[bot] wants to merge 1 commit into develop from renovate/github.com-coreos-go-oidc-v3-3.x

Conversation

renovate[bot] (Contributor) commented Apr 29, 2026

This PR contains the following updates:

Package                       | Change
------------------------------|------------------
github.com/coreos/go-oidc/v3  | v3.17.0 → v3.18.0

Release Notes

coreos/go-oidc (github.com/coreos/go-oidc/v3)

v3.18.0

Compare Source

What's Changed

Full Changelog: coreos/go-oidc@v3.17.0...v3.18.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] (Contributor, Author) commented Apr 29, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated
  • The go directive was updated for compatibility reasons

Details:

Package              | Change
---------------------|------------------
go                   | 1.24.6 -> 1.25.0
golang.org/x/oauth2  | v0.35.0 -> v0.36.0

cursor[bot] left a comment (stale comment)

Security review (automation)

Outcome: No medium, high, or critical security issues were identified in this PR’s changes.

Scope reviewed: go.mod / go.sum only — go 1.24.6 → 1.25.0, github.com/coreos/go-oidc/v3 v3.17.0 → v3.18.0, golang.org/x/oauth2 v0.35.0 → v0.36.0. No application code was modified, so there is no new auth, injection, or deserialization surface in Semaphore’s own logic.

Dependency note: Upstream v3.18.0 is primarily dependency alignment (e.g. go-jose / oauth2 bumps per upstream release notes). That is consistent with maintenance and patch-level crypto/JWT handling rather than introducing a new exploitable weakness for this bump alone.

Slack summary (copy/paste): PR #3814 (go-oidc → v3.18.0): security pass — diff is toolchain + OIDC/oauth2 bumps only, no app code changes; no actionable medium+ findings.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] force-pushed the renovate/github.com-coreos-go-oidc-v3-3.x branch from 616210e to d41b33c on April 30, 2026 15:15

cursor[bot] left a comment (stale comment)

Security review (automation)

Scope: Diff is limited to go.mod / go.sum: github.com/coreos/go-oidc/v3 v3.17.0 → v3.18.0, golang.org/x/oauth2 v0.35.0 → v0.36.0, and go directive 1.24.6 → 1.25.0. No application or OIDC handler code was modified in this PR.

Findings: No medium, high, or critical issues attributable to this change were identified.

  • Application logic: No new sinks or trust-boundary changes; existing OIDC usage (e.g. api/login.go) is unchanged by this diff.
  • Dependencies: v3.18.0 upstream bumps golang.org/x/oauth2 and github.com/go-jose/go-jose/v4 in the library’s own graph; aligning the main module with current go-oidc / oauth2 is maintenance, not a new exposure. oauth2 was already on a post–CVE-2025-22868 line (v0.35.0); v0.36.0 does not introduce a plausible regression from that perspective.

Slack-ready summary: PR #3814 (go-oidc v3.18.0 + oauth2 bump + Go 1.25.0): clean — deps-only PR, no new exploitable paths in diff; no findings to track.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] force-pushed the renovate/github.com-coreos-go-oidc-v3-3.x branch from d41b33c to 05a5980 on May 2, 2026 15:29

cursor[bot] left a comment (stale comment)

Security review (dependency bump)

Scope: This PR only changes go.mod / go.sum: github.com/coreos/go-oidc/v3 v3.17.0 → v3.18.0, golang.org/x/oauth2 v0.35.0 → v0.36.0, and the module go directive 1.24.6 → 1.25.0. No application or API code was added or modified.

Assessment: No medium, high, or critical vulnerability was identified as introduced or newly exposed by this diff.

  • Injection / auth bypass: Semaphore’s OIDC integration (api/login.go, router) is unchanged; attacker-controlled paths still flow through the same handlers. This PR does not alter verification, state handling, or claim parsing.
  • Supply chain: go-oidc v3.18.0 is a small release (per upstream changelog): CI/dependabot housekeeping, golang.org/x/oauth2 bump, and github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4 inside the library. That is a routine patch-level dependency alignment, not a new Semaphore feature or trust boundary change.
  • Toolchain: Raising the go directive matches the declared language version for builds; it does not by itself create an exploitable flaw in the shipped binary.

Prior automation review threads from earlier runs are cleared so this assessment is the single active security review outcome.


Slack summary (copy/paste): PR #3814 (go-oidc v3.18.0): Clean — dependency-only bump, no Semaphore code changes; no medium+ security findings; prior bot review threads reconciled.


Sent by Cursor Automation: Find vulnerabilities

renovate[bot] force-pushed the renovate/github.com-coreos-go-oidc-v3-3.x branch from 05a5980 to 520bfb8 on May 3, 2026 07:37

cursor[bot] left a comment

Security review (automation)

Outcome: No medium, high, or critical vulnerabilities identified in this change set.

Scope reviewed: Diff is limited to go.mod / go.sum. There are no added or modified application files; OIDC usage in api/login.go is unchanged and does not enable InsecureSkipSignatureCheck or similar unsafe verifier options.

Dependency note: go-oidc v3.18.0 is a maintenance release (CI/dependabot, golang.org/x/oauth2 and go-jose bumps inside that module). This PR aligns Semaphore with those transitive versions and bumps oauth2 directly. No plausible new attacker-controlled sink or auth bypass was introduced by these version bumps alone.

Prior threads: No unresolved automation review threads were present on this PR.


Slack summary: PR3814 security pass — deps-only bump (go-oidc 3.18.0, oauth2 0.36.0, Go 1.25 directive); no exploitable app diff; no findings.


Sent by Cursor Automation: Find vulnerabilities
