Conversation

@dependabot dependabot bot commented on behalf of github Nov 10, 2025

Bumps github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.19.1 to 1.20.0.

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azcore's releases.

sdk/azcore/v1.20.0

1.20.0 (2025-11-06)

Features Added

  • Added runtime.FetcherForNextLinkOptions.HTTPVerb to specify the HTTP verb when fetching the next page via next link. Defaults to http.MethodGet.

Bugs Fixed

  • Fixed potential panic when decoding base64 strings.
  • Fixed an issue in resource identifier parsing which prevented it from returning an error for malformed resource IDs.

Commits
  • 466795e Prep [email protected] (#25563)
  • 6fce238 [azsystemevents] Remove gopls (#25555)
  • c0ac8ea Sync eng/common directory with azure-sdk-tools for PR 12476 (#25549)
  • 047fb66 [Release] sdk/resourcemanager/containerregistry/armcontainerregistry/2.0.0 (#...
  • 908cfea [azsystemevents] Fixing build.go to work properly with tsp-client as the orch...
  • c30fd4c cosmos: Allow the Query Pipeline to return an alternative query to execute in...
  • 1b44564 fixed resource type validation in ParseResourceType and correlated tests (#25...
  • e566eec Sync eng/common directory with azure-sdk-tools for PR 12531 (#25545)
  • 053de1a Increment package version after release of data/azcosmos (#25544)
  • 8e673bb release pr (#25543)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Greptile Overview

Updated On: 2025-11-10 16:59:43 UTC

Greptile Summary

This PR bumps github.com/Azure/azure-sdk-for-go/sdk/azcore from v1.19.1 to v1.20.0, a minor version update with no breaking changes.

Key changes in v1.20.0:

  • Added runtime.FetcherForNextLinkOptions.HTTPVerb for specifying HTTP verb when fetching next pages (defaults to GET)
  • Fixed potential panic when decoding base64 strings
  • Fixed resource identifier parsing to properly return errors for malformed resource IDs

Impact assessment:

  • The codebase uses azcore only for the azcore.TokenCredential interface in pkg/secrets/azure.go
  • No usage of pagination features (runtime.Fetcher) that would benefit from the new HTTP verb option
  • Bug fixes for base64 decoding and resource ID parsing improve stability without requiring code changes
  • All existing functionality remains fully compatible

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it's a routine dependency update with no breaking changes
  • This is a minor version bump (v1.19.1 → v1.20.0) of azcore that only adds new optional features and includes bug fixes. The codebase only uses the azcore.TokenCredential interface which remains unchanged. No code modifications are required, and the update improves stability through bug fixes for base64 decoding and resource ID parsing.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| go.mod | 5/5 | Dependency version bump from azcore v1.19.1 to v1.20.0 - minor version update with no breaking changes |
| go.sum | 5/5 | Updated checksums for azcore v1.20.0 - standard go.sum update accompanying go.mod change |

Sequence Diagram

sequenceDiagram
    participant D as Dependabot
    participant GM as go.mod
    participant GS as go.sum
    participant AZ as Azure SDK

    D->>GM: Update azcore version
    GM->>GM: Change v1.19.1 → v1.20.0
    D->>GS: Update checksums
    GS->>GS: Update module hashes
    
    Note over D,AZ: No code changes required
    
    AZ->>AZ: New features available:<br/>- HTTP verb option for pagination<br/>- Base64 panic fix<br/>- Resource ID parsing fix
    
    Note over GM,AZ: Existing code remains compatible

Bumps [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) from 1.19.1 to 1.20.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.19.1...sdk/azcore/v1.20.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update go code) on Nov 10, 2025
mesa-dot-dev bot commented Nov 10, 2025

Mesa Description

TL;DR

Bumped Azure SDK azcore to v1.20.0, adding an HTTP verb option for next link fetching and fixing base64 decoding and resource ID parsing bugs.

What changed?

  • Updated github.com/Azure/azure-sdk-for-go/sdk/azcore from version 1.19.1 to 1.20.0.
  • Added runtime.FetcherForNextLinkOptions.HTTPVerb to allow specifying the HTTP verb for fetching next pages via next links.
  • Fixed a potential panic that could occur when decoding base64 strings.
  • Addressed an issue in resource identifier parsing that prevented proper error returns for malformed resource IDs.

Description generated by Mesa.

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments


@mesa-dot-dev mesa-dot-dev bot left a comment


Performed full review of 49a85f9...6fc5e46

Analysis

  1. Risk of Service Disruption: The base64 panic fix prevents potential service crashes during secret retrieval operations, which could lead to denial of service or unsafe fallback behavior in authentication flows.

  2. Test Coverage Gap: The Azure Key Vault integration (pkg/secrets/azure.go) lacks integration tests, leaving potential regressions undetected. This is especially concerning for a critical security component handling credentials.

  3. Ecosystem Consistency: While this update is safe, related Azure SDK modules (azidentity v1.13.0, azsecrets v1.4.0) are older and may need coordinated updates to maintain compatibility and security posture.

  4. Critical Component with Minimal Testing: The dependency sits in Keep's security-critical secrets management subsystem that serves as a trust boundary, but lacks verification through automated tests.

Tip

Help

Slash Commands:

  • /review - Request a full code review
  • /review latest - Review only changes since the last review
  • /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
  • /help - Get help with Mesa commands and configuration options

2 files reviewed | 0 comments

@mesa-dot-dev mesa-dot-dev bot left a comment


Performed incremental review of 49a85f9...6fc5e46

Analysis

  1. Base64 Decoding Vulnerability - The current version (v1.19.1) has a potential panic vulnerability when processing malformed base64 input, which could lead to service disruption (DoS). While not directly used in application code, this affects authentication flows.

  2. Resource ID Validation Weakness - v1.19.1 silently accepts malformed Azure resource identifiers without returning errors, potentially enabling authorization bypass scenarios. This affects Key Vault URL validation which is security-critical.

  3. Lack of Azure Integration Tests - The codebase has no dedicated tests for Azure Key Vault integration, creating a blind spot for validating this security-critical component works properly after updates.

  4. Limited Usage Scope - The update's impact is contained as the codebase uses Azure SDK only for basic Key Vault operations and doesn't utilize any of the pagination features affected by the new HTTPVerb configuration option.

  5. Multi-Provider Abstraction Strength - The secrets abstraction layer effectively isolates Azure SDK changes from business logic, limiting the potential impact surface area of this update.

2 files reviewed | 0 comments

Labels

dependencies (Pull requests that update a dependency file), go (Pull requests that update go code)

1 participant