
Bump cerrors from 1.0.0 to 1.0.1 #7

Closed
ne555-tester2 wants to merge 1 commit into 1debit:main from ne555-tester2:dependabot/go_modules/cerrors-1.0.1

Conversation

@ne555-tester2

Bumps cerrors from 1.0.0 to 1.0.1.


cursor bot commented Mar 5, 2026

PR Summary

High Risk
Adds a new poc.go file containing a security PoC/unauthorized-merge message; even though it is comment-only today, it indicates a supply-chain compromise vector and changes the published module contents.

Overview
This PR introduces a new Go source file, poc.go, in the cerrors package containing only comments that claim an unauthorized Dependabot gate bypass and provide external contact details.

No functional code is added, but the module’s distributed contents change in a way consistent with a potential supply-chain/security incident and should be treated as high risk.

Written by Cursor Bugbot for commit 98dc2b3.


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


// PoC: this file was merged without maintainer approval via dependabot gate bypass.
// If you're seeing this, we will be responsibly disclosing this through Bugcrowd. Here is my profile: https://bugcrowd.com/h/towwitowthc1
// Contact: hack.erkinyavuz@gmail.com
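Review bot: the three lines shown here are comments only and carry no package clause; if the full poc.go is comment-only, as the summary states, `go build ./...` rejects it with "expected 'package'", so a build step in the merge gate would have blocked this merge independently of any check on who opened the PR. The disclosure claim and contact details belong in a report to the project's security contact, not in a source file, so the PR should be closed without merging and the file never published as part of the module.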

Unauthorized PoC file bypassed CI merge protections

High Severity

This PR claims to be a version bump of cerrors but instead adds a proof-of-concept file (poc.go) that explicitly states it "was merged without maintainer approval via dependabot gate bypass." The PR description is misleading - this repository IS the cerrors library itself, not a consumer of it, so there's no dependency to bump. This file appears to be a security researcher demonstrating a CI/CD vulnerability. Regardless of intent, this file should not be merged as it indicates security controls were bypassed, and the file itself serves no legitimate purpose in the codebase.


@ne555-tester2 (Author)

Hi guys, there is a bug with GitHub Actions here but it seems that the previously existing repos you had that would make this unauthorized write to the main branch no longer exist.

These are the repos:

  • 1debit/dependabot-auto-merge-action — not found
  • 1debit/pr-auto-merge-action — not found

So it's not possible to exploit this. Therefore I'm closing this.
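The thread does not say how the removed auto-merge actions decided which PRs to merge, so the following is an added example, not code from this PR or from 1debit's actions: it contrasts a bypassable Dependabot gate that trusts the branch prefix and title (an assumed weak pattern, since both are chosen by whoever opens the PR) with one that checks the actor identity and that the head branch lives in the base repository. The `PullRequest` struct, its field names and the repository names are constructed for the example; the actor, title and branch come from this PR's header.

```go
package main

import (
	"fmt"
	"strings"
)

// PullRequest carries the pull_request event fields an auto-merge gate
// inspects. The struct and its field names are assumptions for this
// example, not GitHub's payload schema.
type PullRequest struct {
	Actor    string // account that triggered the event (github.actor)
	Title    string // PR title, freely chosen by whoever opens the PR
	HeadRef  string // head branch name, also freely chosen
	HeadRepo string // owner/name of the repository holding the head branch
	BaseRepo string // owner/name of the repository being merged into
}

// weakGate is the bypassable pattern: it trusts the branch prefix and the
// title, both of which any contributor can set when opening a PR from a fork.
func weakGate(pr PullRequest) bool {
	return strings.HasPrefix(pr.HeadRef, "dependabot/") &&
		strings.HasPrefix(pr.Title, "Bump ")
}

// strictGate checks facts the PR author cannot forge: the actor is the
// dependabot[bot] app identity and the head branch lives in the base
// repository itself, since Dependabot pushes its branches there, not to forks.
func strictGate(pr PullRequest) bool {
	return pr.Actor == "dependabot[bot]" &&
		pr.HeadRepo == pr.BaseRepo &&
		strings.HasPrefix(pr.HeadRef, "dependabot/")
}

// Decision reports whether each gate would auto-merge a PR.
type Decision struct {
	Weak, Strict bool
}

// Evaluate runs both gates on one PR.
func Evaluate(pr PullRequest) Decision {
	return Decision{Weak: weakGate(pr), Strict: strictGate(pr)}
}

// ForkPR is constructed from the metadata visible on this PR page; the
// repository names are placeholders.
var ForkPR = PullRequest{
	Actor:    "ne555-tester2",
	Title:    "Bump cerrors from 1.0.0 to 1.0.1",
	HeadRef:  "dependabot/go_modules/cerrors-1.0.1",
	HeadRepo: "ne555-tester2/cerrors",
	BaseRepo: "1debit/cerrors",
}

// GenuinePR is a constructed example of what a real Dependabot update
// looks like: opened by the bot identity from a branch in the base repo.
var GenuinePR = PullRequest{
	Actor:    "dependabot[bot]",
	Title:    "Bump cerrors from 1.0.0 to 1.0.1",
	HeadRef:  "dependabot/go_modules/cerrors-1.0.1",
	HeadRepo: "1debit/cerrors",
	BaseRepo: "1debit/cerrors",
}

func main() {
	for _, c := range []struct {
		name string
		pr   PullRequest
	}{{"fork", ForkPR}, {"genuine", GenuinePR}} {
		d := Evaluate(c.pr)
		fmt.Printf("%-8s weak gate merges: %-5v strict gate merges: %v\n",
			c.name, d.Weak, d.Strict)
	}
}
```

The fork PR passes the weak gate and fails the strict one; the genuine one passes both. In a GitHub Actions workflow the strict check corresponds to conditioning the merge step on `github.actor == 'dependabot[bot]'` rather than on branch or title strings, and to not granting a write-capable token to a job that runs on fork-supplied content.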
