
deps: monitor oapi-codegen/runtime bluemonday dependency via Iris #129

@ericfitz

Description

Summary

TMI has a transitive dependency on a retracted version of bluemonday (v1.0.25) through the dependency chain:

TMI
└── github.com/oapi-codegen/runtime@v1.1.2
    └── github.com/kataras/iris@v12.2.6-0.20230908161203 (old commit)
        └── github.com/microcosm-cc/bluemonday@v1.0.25 (retracted)

Security Risk Evaluation

Risk Level: NONE / Negligible

Finding 1: Retraction is NOT security-related

The bluemonday go.mod shows a blanket policy retraction, not a CVE or vulnerability fix:

retract [v1.0.0, v1.0.25] // Retract older versions as only latest is to be depended upon

Finding 2: TMI does not use bluemonday

  • go mod why github.com/microcosm-cc/bluemonday reports: "main module does not need package github.com/microcosm-cc/bluemonday"
  • No .go files in TMI import bluemonday
  • The package exists only in the module graph, not in the compiled binary

Finding 3: Dependency chain analysis

  • oapi-codegen/runtime@v1.1.2 lists bluemonday as // indirect
  • oapi-codegen/runtime doesn't directly import bluemonday either
  • It's a ghost dependency in the transitive go.mod from Iris
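An added illustration (not part of this issue or of TMI) of how such a chain can be recovered mechanically: a small Go program that parses `go mod graph` output and walks it from the main module to the first module matching a target path. The graph text is a constructed excerpt in that format mirroring the chain above; the kin-openapi edge is invented to show branching. Note that `go mod graph` reflects module requirements only, so a path found here confirms presence in the module graph, not that any package is compiled in (that is what `go mod why` and `go list -deps` answer).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed excerpt in `go mod graph` format ("parent child" per line). The
// chain mirrors the issue; the kin-openapi edge is made up to show branching.
const graphSample = `tmi github.com/oapi-codegen/runtime@v1.1.2
github.com/oapi-codegen/runtime@v1.1.2 github.com/getkin/kin-openapi@v0.118.0
github.com/oapi-codegen/runtime@v1.1.2 github.com/kataras/iris@v12.2.6-0.20230908161203
github.com/kataras/iris@v12.2.6-0.20230908161203 github.com/microcosm-cc/bluemonday@v1.0.25
`

// parseGraph turns `go mod graph` output into an adjacency map (parent -> children).
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// findPath does a BFS from root and returns the shortest module chain to the
// first node whose module path (version stripped) equals target, or nil.
func findPath(edges map[string][]string, root, target string) []string {
	seen := map[string]bool{root: true}
	for queue := [][]string{{root}}; len(queue) > 0; queue = queue[1:] {
		path := queue[0]
		cur := path[len(path)-1]
		if strings.SplitN(cur, "@", 2)[0] == target {
			return path
		}
		for _, next := range edges[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(findPath(parseGraph(graphSample), "tmi", "github.com/microcosm-cc/bluemonday"))
}
```

Feeding it the real output of `go mod graph` run in the TMI module root reproduces the chain in this issue; a nil result means the module is absent from the graph entirely.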

Finding 4: v1.0.26 changelog context

The v1.0.26 release notes state it updated golang.org/x/net for HTTP/2 rapid reset, but noted: "we do not implement a HTTP2 server and are not vulnerable"

Conclusion

The bluemonday v1.0.25 "vulnerability" is a false positive. The retraction is a maintainer preference for users to always use the latest version, not a security issue. Since TMI never imports or uses bluemonday code, there is zero runtime risk - the code is never compiled into the binary.

Dependabot alerts for this package can be safely acknowledged as false positives.
Upstream Tracking

Repository            | Issue/PR | Status
----------------------|----------|-----------------------------------------------
oapi-codegen/runtime  | #73      | OPEN - Request to update Iris
oapi-codegen/runtime  | #11      | DRAFT/Abandoned - Renovate PR for Iris update

Resolution Path

This will be resolved when oapi-codegen/runtime updates their Iris dependency from v12.2.6-0.20230908161203 to v12.2.11+, which uses bluemonday@v1.0.27.

Action Items

  • Monitor oapi-codegen/runtime for new releases
  • Update oapi-codegen/runtime when a version with updated Iris is released
  • Close this issue once bluemonday is no longer flagged

Metadata

Labels: dependencies (pull requests that update a dependency file)
Status: Done