)]}'
{
  "commit": "abaa0cbb259e059ee60c33a7507eddc1fe7d20fa",
  "tree": "672153c7c10ab798bb4f9b99e870a78816069ac0",
  "parents": [
    "02f574a8303560a4a79a42834f3092ce7c9a57cc"
  ],
  "author": {
    "name": "Neal Patel",
    "email": "nealpatel@google.com",
    "time": "Tue Feb 24 23:05:34 2026 +0000"
  },
  "committer": {
    "name": "Gopher Robot",
    "email": "gobot@golang.org",
    "time": "Tue Apr 07 12:14:48 2026 -0700"
  },
  "message": "[release-branch.go1.25] cmd/go: disallow cgo trust boundary bypass\n\nThe cgo compiler implicitly trusts generated files\nwith \u0027cgo\u0027 prefixes; thus, SWIG files containing \u0027cgo\u0027\nin their names will cause bypass of the trust boundary,\nleading to code smuggling or arbitrary code execution.\n\nThe cgo compiler will now produce an error if it\nencounters any SWIG files containing this prefix.\n\nThanks to Juho Forsén of Mattermost for reporting this issue.\n\nFixes #78335\nFixes CVE-2026-27140\n\nChange-Id: I44185a84e07739b3b347efdb86be7d8fa560b030\nReviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520\nReviewed-by: Nicholas Husin \u003chusin@google.com\u003e\nReviewed-by: Damien Neil \u003cdneil@google.com\u003e\nReviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989\nReviewed-on: https://go-review.googlesource.com/c/go/+/763556\nReviewed-by: David Chase \u003cdrchase@google.com\u003e\nTryBot-Bypass: Gopher Robot \u003cgobot@golang.org\u003e\nReviewed-by: Junyang Shao \u003cshaojunyang@google.com\u003e\nAuto-Submit: Gopher Robot \u003cgobot@golang.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "6bfc83aae262116d2449f24af030654d77543b99",
      "old_mode": 33188,
      "old_path": "src/cmd/go/internal/work/exec.go",
      "new_id": "8c3bac51e66d0e677c1dbf0c81baa98f9d9e4fb7",
      "new_mode": 33188,
      "new_path": "src/cmd/go/internal/work/exec.go"
    }
  ]
}