Affected by GO-2026-4407 and 4 other vulnerabilities
GO-2026-4407: melange QEMU runner could write files outside workspace directory in chainguard.dev/melange
GO-2026-4408: melange pipeline working-directory could allow command injection in chainguard.dev/melange
GO-2026-4409: melange has a path traversal in license-path which allows reading files outside workspace in chainguard.dev/melange
GO-2026-4412: melange affected by potential host command execution via license-check YAML mode patch pipeline in chainguard.dev/melange
GO-2026-4588: `melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange
package
Version: v0.33.2
Published: Nov 16, 2025
License: Apache-2.0
Imports: 14
Imported by: 0
Documentation
FetchSourceFromMelange tries its best to fetch the source from a melange yaml or an apk package.