Security: Update @depot/cli to fix GHSA-v778-237x-gjrc (golang.org/x/crypto)

## Summary

`@depot/cli@0.0.1-cli.2.80.0` bundles `golang.org/x/crypto@v0.19.0` which has a **CRITICAL** vulnerability (CVSS 9.1):

- **CVE**: GHSA-v778-237x-gjrc
- **Issue**: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass
- **Fixed in**: golang.org/x/crypto >= 0.31.0

## Current State

- `@trigger.dev/sdk@4.3.3` depends on `trigger.dev@4.3.3`
- `trigger.dev@4.3.3` depends on `@depot/cli@0.0.1-cli.2.80.0`
- `@depot/cli@0.0.1-cli.2.101.3` is available on npm (likely contains the fix)

## Impact

This vulnerability is flagged by Grype and other container/binary scanners, causing security audits to fail even though the actual exploitation risk may be low for most use cases.

## Request

Please update `@depot/cli` to the latest version (`0.0.1-cli.2.101.3` or newer).

Alternatively, consider making it an optional dependency per #1597, which would allow users who don't need Depot's container building features to avoid pulling in vulnerable binaries.

## References

- [GitHub Advisory](https://github.com/advisories/GHSA-v778-237x-gjrc)
- [Fix Commit](https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909)
- Related: #1597 (Make @depot/cli optional)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Update @depot/cli to fix GHSA-v778-237x-gjrc (golang.org/x/crypto) #3009

Summary

Current State

Impact

Request

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Security: Update @depot/cli to fix GHSA-v778-237x-gjrc (golang.org/x/crypto) #3009

Description

Summary

Current State

Impact

Request

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions