fix(deps): update module github.com/slack-go/slack to v0.23.1 [security]

[devex-sa]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/slack-go/slack	v0.22.0 → v0.23.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

slack-go SecretsVerifier accepts empty signing secret without precondition

GHSA-gxhx-2686-5h9g

More information

Details

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g
• https://github.com/slack-go/slack/releases/tag/v0.23.1
• https://github.com/advisories/GHSA-gxhx-2686-5h9g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

slack-go/slack (github.com/slack-go/slack)

v0.23.1

Compare Source

Previous release. See GitHub releases
for details.

v0.23.0

Compare Source

Previous release. See GitHub releases
for details.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[devex-sa]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: _sub/monitoring/alarm-notifier/lambda/go.sum

Command failed: go get -t ./...
go: downloading github.com/aws/aws-lambda-go v1.54.0
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/sirupsen/logrus v1.9.4
go: downloading github.com/slack-go/slack v0.23.1
go: downloading golang.org/x/sys v0.13.0
go: downloading github.com/gorilla/websocket v1.5.3
github.com/dfds/infrastructure-modules/slack-alarm-notifier imports
	github.com/slack-go/slack imports
	math/rand/v2: package math/rand/v2 is not in GOROOT (/opt/containerbase/tools/golang/1.20.14/src/math/rand/v2)
note: imported by a module that requires go 1.25

[DFDS-Snyk]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[devex-sa]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.