fix(deps): update module github.com/go-vela/server to v0.26.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-vela/server	v0.26.2 -> v0.26.3

GitHub Vulnerability Alerts

CVE-2025-27616

Impact

Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit.

Any user with access to the CI instance and the linked source control manager can perform the exploit.

Method

By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository.

These secrets could be exfiltrated by follow up builds to the repository.

Patches

v0.26.3 — Image: target/vela-server:v0.26.3
v0.25.3 — Image: target/vela-server:v0.25.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There are no workarounds to the issue.

References

Are there any links users can visit to find out more?

Please see linked CWEs (common weakness enumerators) for more information.

---

Release Notes

go-vela/server (github.com/go-vela/server)

v0.26.3

Compare Source

What's Changed

• fix: support list of cors origins by @​plyr4 in https://github.com/go-vela/server/pull/1262
• fix(deployment): set repo on create/update DB funcs by @​ecrupper in https://github.com/go-vela/server/pull/1263
• fix(deps): update all non-major dependencies by @​renovate in https://github.com/go-vela/server/pull/1261

Full Changelog: go-vela/server@v0.26.2...v0.26.3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/urfave/cli/v2	v2.27.5 -> v2.27.6
golang.org/x/sys	v0.30.0 -> v0.31.0
golang.org/x/text	v0.22.0 -> v0.23.0

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.75%. Comparing base (f3beb1d) to head (b342da4).

❌ Your project check has failed because the head coverage (44.75%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #13   +/-   ##
=======================================
  Coverage   44.75%   44.75%           
=======================================
  Files           7        7           
  Lines         458      458           
=======================================
  Hits          205      205           
  Misses        251      251           
  Partials        2        2           

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.