v0.15.1

Patch x/crypto/ssh

This is a small patch release to fix x/crypto/ssh vulnerability https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ

Changelog

Bug fixes

• 7e25a80: fix: lint issues (@caarlos0)
• eeb49ba: fix: lint issues (@caarlos0)
• 14c1425: fix: update codeowners (@caarlos0)
• 80b5f47: fix: update codeowners (@caarlos0)

Dependency updates

• b18eb8a: feat(deps): bump github.com/charmbracelet/bubbles from 0.18.0 to 0.19.0 (#322) (@dependabot[bot])
• 39c22e4: feat(deps): bump github.com/charmbracelet/bubbles from 0.19.0 to 0.20.0 (#333) (@dependabot[bot])
• c2d08d0: feat(deps): bump github.com/charmbracelet/bubbletea (#320) (@dependabot[bot])
• ae44821: feat(deps): bump github.com/charmbracelet/bubbletea (#324) (@dependabot[bot])
• 97e122a: feat(deps): bump github.com/charmbracelet/bubbletea from 0.27.1 to 1.0.0 (#326) (@dependabot[bot])
• e7eddab: feat(deps): bump github.com/charmbracelet/bubbletea from 1.0.0 to 1.0.1 (#327) (@dependabot[bot])
• 8bf04fb: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.0 to 1.1.1 (#334) (@dependabot[bot])
• 8bffd29: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.1 to 1.1.2 (#339) (@dependabot[bot])
• e1b5d9e: feat(deps): bump github.com/charmbracelet/bubbletea from 1.1.2 to 1.2.0 (#341) (@dependabot[bot])
• 9a618af: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.0 to 1.2.1 (#345) (@dependabot[bot])
• 1c2ac15: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.1 to 1.2.2 (#346) (@dependabot[bot])
• 42de0cc: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.2 to 1.2.3 (#347) (@dependabot[bot])
• 9d9366c: feat(deps): bump github.com/charmbracelet/bubbletea from 1.2.3 to 1.2.4 (#349) (@dependabot[bot])
• f2fc24c: feat(deps): bump github.com/charmbracelet/keygen from 0.5.0 to 0.5.1 (#319) (@dependabot[bot])
• ee65cec: feat(deps): bump github.com/charmbracelet/lipgloss from 0.12.1 to 0.13.0 (#323) (@dependabot[bot])
• b8b737b: feat(deps): bump github.com/charmbracelet/lipgloss from 0.13.0 to 0.13.1 (#338) (@dependabot[bot])
• b33eef0: feat(deps): bump github.com/charmbracelet/lipgloss from 0.13.1 to 1.0.0 (#340) (@dependabot[bot])
• edb3fad: feat(deps): bump github.com/charmbracelet/promwish from 0.7.0 to 0.8.0 (#354) (@dependabot[bot])
• 11302c6: feat(deps): bump github.com/charmbracelet/wish from 1.4.0 to 1.4.1 (#315) (@dependabot[bot])
• a053a78: feat(deps): bump github.com/charmbracelet/wish from 1.4.1 to 1.4.2 (#321) (@dependabot[bot])
• 4440724: feat(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#348) (@dependabot[bot])
• cc7a23b: feat(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#318) (@dependabot[bot])
• 9f9c9d4: feat(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#335) (@dependabot[bot])
• c338d99: feat(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#342) (@dependabot[bot])
• 8d4b19a: feat(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 (#350) (@dependabot[bot])
• faf0905: feat(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#352) (@dependabot[bot])
• 1684a1c: feat(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#316) (@dependabot[bot])
• 48a1104: feat(deps): bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#343) (@dependabot[bot])
• 2d662f5: feat(deps): bump golang.org/x/term from 0.24.0 to 0.25.0 (#336) (@dependabot[bot])
• 7853cce: feat(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 (#351) (@dependabot[bot])

Other work

• 6217c97: ci: fix dependabot config (@caarlos0)
• d7f058e: ci: fix goreleaser config (@caarlos0)
• f404231: ci: update (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/wishlist/releases/download/v0.15.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.