2025-05-06 21:37:23 +00:00
7 changed files with 35 additions and 158 deletions
--- a/.github/workflows/size-labeler.yml
+++ b/.github/workflows/size-labeler.yml
@ -0,0 +1,33 @@
 # Reference: https://github.com/CodelyTV/pr-size-labeler
 name: size-labeler
 on: [pull_request_target]
 permissions:
  contents: read
 jobs:
  size-labeler:
    permissions:
      pull-requests: write  # for codelytv/pr-size-labeler to add labels & comment on PRs
    runs-on: ubuntu-latest
    name: Label the PR size
    steps:
      - uses: codelytv/pr-size-labeler@v1.8.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          xs_label: 'size/XS'
          xs_max_size: '10'
          s_label: 'size/S'
          s_max_size: '24'
          m_label: 'size/M'
          m_max_size: '99'
          l_label: 'size/L'
          l_max_size: '200'
          xl_label: 'size/XL'
          fail_if_xl: 'false'
          message_if_xl: >
            'This PR exceeds the recommended size of 200 lines.
            Please make sure you are NOT addressing multiple issues with one PR.
            Note this PR might be rejected due to its size.’
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -68,7 +68,6 @@ jobs:
        - 21
        - 22
        - 23
        - 24
    name: '${{ matrix.platform }} | 1.${{ matrix.go }}.x'
    runs-on: ${{ matrix.platform }}-latest
    steps:
--- a/README.md
+++ b/README.md
@ -11,20 +11,6 @@ name a few. [This list](site/content/projects_using_cobra.md) contains a more ex
 [![Go Reference](https://pkg.go.dev/badge/github.com/spf13/cobra.svg)](https://pkg.go.dev/github.com/spf13/cobra)
 [![Go Report Card](https://goreportcard.com/badge/github.com/spf13/cobra)](https://goreportcard.com/report/github.com/spf13/cobra)
 [![Slack](https://img.shields.io/badge/Slack-cobra-brightgreen)](https://gophers.slack.com/archives/CD3LP1199)
 <hr>
 <div align="center" markdown="1">
   <sup>Supported by:</sup>
   <br>
   <br>
   <a href="https://www.warp.dev/cobra">
      <img alt="Warp sponsorship" width="400" src="https://github.com/user-attachments/assets/ab8dd143-b0fd-4904-bdc5-dd7ecac94eae">
   </a>
 ### [Warp, the AI terminal for devs](https://www.warp.dev/cobra)
 [Try Cobra in Warp today](https://www.warp.dev/cobra)<br>
 </div>
 <hr>
 # Overview
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,105 +0,0 @@
 # Security Policy
 ## Reporting a Vulnerability
 The `cobra` maintainers take security issues seriously and
 we appreciate your efforts to _**responsibly**_ disclose your findings.
 We will make every effort to swiftly respond and address concerns.
 To report a security vulnerability:
 1. **DO NOT** create a public GitHub issue for the vulnerability!
 2. **DO NOT** create a public GitHub Pull Request with a fix for the vulnerability!
 3. Send an email to `cobra-security@googlegroups.com`.
 4. Include the following details in your report:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact of the vulnerability (to your downstream project, to the Go ecosystem, etc.)
   - Any potential mitigations you've already identified
 5. Allow up to 7 days for an initial response.
   You should receive an acknowledgment of your report and an estimated timeline for a fix.
 6. (Optional) If you have a fix and would like to contribute your patch, please work
   directly with the maintainers via `cobra-security@googlegroups.com` to
   coordinate pushing the patch to GitHub, cutting a new release, and disclosing the change.
 ## Response Process
 When a security vulnerability report is received, the `cobra` maintainers will:
 1. Confirm receipt of the vulnerability report within 7 days.
 2. Assess the report to determine if it constitutes a security vulnerability.
 3. If confirmed, assign the vulnerability a severity level and create a timeline for addressing it.
 4. Develop and test a fix.
 5. Patch the vulnerability and make a new GitHub release: the maintainers will coordinate disclosure with the reporter.
 6. Create a new GitHub Security Advisory to inform the broader Go ecosystem
 ## Disclosure Policy
 The `cobra` maintainers follow a coordinated disclosure process:
 1. Security vulnerabilities will be addressed as quickly as possible.
 2. A CVE (Common Vulnerabilities and Exposures) identifier will be requested for significant vulnerabilities
   that are within `cobra` itself.
 3. Once a fix is ready, the maintainers will:
   - Release a new version containing the fix.
   - Update the security advisory with details about the vulnerability.
   - Credit the reporter (unless they wish to remain anonymous).
   - Credit the fixer (unless they wish to remain anonymous, this may be the same as the reporter).
   - Announce the vulnerability through appropriate channels
     (GitHub Security Advisory, mailing lists, GitHub Releases, etc.)
 ## Supported Versions
 Security fixes will typically only be released for the most recent major release.
 ## Upstream Security Issues
 `cobra` generally will not accept vulnerability reports that originate in upstream
 dependencies. I.e., if there is a problem in Go code that `cobra` depends on,
 it is best to engage that project's maintainers and owners.
 This security policy primarily pertains only to `cobra` itself but if you believe you've
 identified a problem that originates in an upstream dependency and is being widely
 distributed by `cobra`, please follow the disclosure procedure above: the `cobra`
 maintainers will work with you to determine the severity and ecosystem impact.
 ## Security Updates and CVEs
 Information about known security vulnerabilities and CVEs affecting `cobra` will
 be published as GitHub Security Advisories at
 https://github.com/spf13/cobra/security/advisories.
 All users are encouraged to watch the repository and upgrade promptly when
 security releases are published.
 ## `cobra` Security Best Practices for Users
 When using `cobra` in your CLIs, the `cobra` maintainers recommend the following:
 1. Always use the latest version of `cobra`.
 2. [Use Go modules](https://go.dev/blog/using-go-modules) for dependency management.
 3. Always use the latest possible version of Go.
 ## Security Best Practices for Contributors
 When contributing to `cobra`:
 1. Be mindful of security implications when adding new features or modifying existing ones.
 2. Be aware of `cobra`'s extremely large reach: it is used in nearly every Go CLI
   (like Kubernetes, Docker, Prometheus, etc. etc.)
 3. Write tests that explicitly cover edge cases and potential issues.
 4. If you discover a security issue while working on `cobra`, please report it
   following the process above rather than opening a public pull request or issue that
   addresses the vulnerability.
 5. Take personal sec-ops seriously and secure your GitHub account: use [two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa),
   [sign your commits with a GPG or SSH key](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification),
   etc.
 ## Acknowledgments
 The `cobra` maintainers would like to thank all security researchers and
 community members who help keep cobra, its users, and the entire Go ecosystem secure through responsible disclosures!!
 ---
 *This security policy is inspired by the [Open Web Application Security Project (OWASP)](https://owasp.org/) guidelines and security best practices.*
--- a/command.go
+++ b/command.go
@ -1296,11 +1296,6 @@ Simply type ` + c.DisplayName() + ` help [path to command] for full details.`,
 					c.Printf("Unknown help topic %#q\n", args)
 					CheckErr(c.Root().Usage())
 				} else {
 					// FLow the context down to be used in help text
 					if cmd.ctx == nil {
 						cmd.ctx = c.ctx
 					}
 					cmd.InitDefaultHelpFlag()    // make possible 'help' flag to be shown
 					cmd.InitDefaultVersionFlag() // make possible 'version' flag to be shown
 					CheckErr(cmd.Help())
@ -2025,7 +2020,7 @@ func defaultUsageFunc(w io.Writer, in interface{}) error {
 		fmt.Fprint(w, trimRightSpace(c.InheritedFlags().FlagUsages()))
 	}
 	if c.HasHelpSubCommands() {
-		fmt.Fprintf(w, "\n\nAdditional help topics:")
+		fmt.Fprintf(w, "\n\nAdditional help topcis:")
 		for _, subcmd := range c.Commands() {
 			if subcmd.IsAdditionalHelpTopicCommand() {
 				fmt.Fprintf(w, "\n  %s %s", rpad(subcmd.CommandPath(), subcmd.CommandPathPadding()), subcmd.Short)
--- a/command_test.go
+++ b/command_test.go
@ -2921,34 +2921,3 @@ func TestUnknownFlagShouldReturnSameErrorRegardlessOfArgPosition(t *testing.T) {
 		})
 	}
 }
 func TestHelpFuncExecuted(t *testing.T) {
 	helpText := "Long description"
 	// Create a context that will be unique, not just the background context
 	//nolint:golint,staticcheck // We can safely use a basic type as key in tests.
 	executionCtx := context.WithValue(context.Background(), "testKey", "123")
 	child := &Command{Use: "child", Run: emptyRun}
 	child.SetHelpFunc(func(cmd *Command, args []string) {
 		_, err := cmd.OutOrStdout().Write([]byte(helpText))
 		if err != nil {
 			t.Error(err)
 		}
 		// Test for https://github.com/spf13/cobra/issues/2240
 		if cmd.Context() != executionCtx {
 			t.Error("Context doesn't equal the execution context")
 		}
 	})
 	rootCmd := &Command{Use: "root", Run: emptyRun}
 	rootCmd.AddCommand(child)
 	output, err := executeCommandWithContext(executionCtx, rootCmd, "help", "child")
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
 	checkStringContains(t, output, helpText)
 }
--- a/site/content/completions/_index.md
+++ b/site/content/completions/_index.md
@ -260,7 +260,7 @@ Calling the `__complete` command directly allows you to run the Go debugger to t
 ```go
 // Prints to the completion script debug file (if BASH_COMP_DEBUG_FILE
 // is set to a file path) and optionally prints to stderr.
-cobra.CompDebug(msg string, printToStdErr bool)
+cobra.CompDebug(msg string, printToStdErr bool) {
 cobra.CompDebugln(msg string, printToStdErr bool)
 // Prints to the completion script debug file (if BASH_COMP_DEBUG_FILE