Trust Boundary Violation

Summary

The go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified go-gh, where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. This issue affects github.com/cli/go-gh package versions v0.1.0 through 2.12.0. In `2.12.1`, `Browser.Browse()` has been enhanced to `allow` and `disallow` a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.