From de35ca847dc62bbb882f6ad867cedb5393d7d101 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 14 Feb 2026 13:34:36 +0000
Subject: [PATCH] fix(deps): update module github.com/kevinburke/ssh_config to v1.5.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../kevinburke/ssh_config/.gitignore | 1 +
 .../kevinburke/ssh_config/AUTHORS.txt | 1 +
 .../kevinburke/ssh_config/CHANGELOG.md | 28 ++++++--
 .../github.com/kevinburke/ssh_config/Makefile | 4 ++
 .../kevinburke/ssh_config/SECURITY.md | 63 ++++++++++++++++
 .../kevinburke/ssh_config/config.go | 58 +++++++++------
 .../kevinburke/ssh_config/parser.go | 71 ++++++++++++++++++-
 vendor/modules.txt | 2 +-
 10 files changed, 201 insertions(+), 33 deletions(-)
 create mode 100644 vendor/github.com/kevinburke/ssh_config/SECURITY.md

diff --git a/go.mod b/go.mod
index c1092d45cb..6e9bc7ceb8 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hugelgupf/p9 v0.3.1-0.20250420164440-abc96d20b308
 github.com/json-iterator/go v1.1.12
- github.com/kevinburke/ssh_config v1.4.0
+ github.com/kevinburke/ssh_config v1.5.0
 github.com/klauspost/pgzip v1.2.6
 github.com/linuxkit/virtsock v0.0.0-20241009230534-cb6a20cc0422
 github.com/mattn/go-shellwords v1.0.12
diff --git a/go.sum b/go.sum
index d76c6ca1a8..da05b791ba 100644
--- a/go.sum
+++ b/go.sum
@@ -211,8 +211,8 @@ github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kevinburke/ssh_config v1.4.0 h1:6xxtP5bZ2E4NF5tuQulISpTO2z8XbtH8cg1PWkxoFkQ= -github.com/kevinburke/ssh_config v1.4.0/go.mod h1:q2RIzfka+BXARoNexmF9gkxEX7DmvbW9P4hIVx2Kg4M= +github.com/kevinburke/ssh_config v1.5.0 h1:3cPZmE54xb5j3G5xQCjSvokqNwU2uW+3ry1+PRLSPpA= +github.com/kevinburke/ssh_config v1.5.0/go.mod h1:q2RIzfka+BXARoNexmF9gkxEX7DmvbW9P4hIVx2Kg4M= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw=
diff --git a/vendor/github.com/kevinburke/ssh_config/.gitignore b/vendor/github.com/kevinburke/ssh_config/.gitignore
index e69de29bb2..46620af332 100644
--- a/vendor/github.com/kevinburke/ssh_config/.gitignore
+++ b/vendor/github.com/kevinburke/ssh_config/.gitignore
@@ -0,0 +1 @@
+/coverage.out
diff --git a/vendor/github.com/kevinburke/ssh_config/AUTHORS.txt b/vendor/github.com/kevinburke/ssh_config/AUTHORS.txt
index 157361b28a..c316990b35 100644
--- a/vendor/github.com/kevinburke/ssh_config/AUTHORS.txt
+++ b/vendor/github.com/kevinburke/ssh_config/AUTHORS.txt
@@ -6,5 +6,6 @@ Mark Nevill
 Scott Lessans
 Sergey Lukjanov
 Simon Josefsson
+sio2boss
 Wayne Ashley Berry
 santosh653 <70637961+santosh653@users.noreply.github.com>
diff --git a/vendor/github.com/kevinburke/ssh_config/CHANGELOG.md b/vendor/github.com/kevinburke/ssh_config/CHANGELOG.md
index ba84b51b61..f9441dda73 100644
--- a/vendor/github.com/kevinburke/ssh_config/CHANGELOG.md
+++ b/vendor/github.com/kevinburke/ssh_config/CHANGELOG.md
@@ -1,20 +1,34 @@ # Changes -## Version 1.4 (released August 2025) +## Unreleased + +- Implement Match support. Most of the Match spec is implemented, including +`Match host`, `Match originalhost`, `Match user`, `Match localuser`, and `Match +all`. `Match exec` is not yet implemented. + +- Add SECURITY.md + +- Add Dependabot configuration + +## Version 1.4 (released August 19, 2025) - Remove .gitattributes file (which was used to test different line endings, and -caused issues in some build environments). +caused issues in some build environments). Store tests/dos-lines as CRLF in git +directly instead. -## Version 1.3 (released February 2025) +## Version 1.3 (released February 20, 2025) - Add go.mod file (although this project has no dependencies). -- Various updates to CI and build environment - - config: add UserSettings.ConfigFinder -## Version 1.2 +- Various updates to CI and build environment +## Version 1.2 (released March 31, 2022) + +- config: add DecodeBytes to directly read a byte array. + +- Strip trailing whitespace from Host declarations and key/value pairs. Previously, if a Host declaration or a value had trailing whitespace, that whitespace would have been included as part of the value. This led to unexpected consequences. For example:
@@ -30,3 +44,5 @@ unintuitive. Instead, we strip the trailing whitespace in the configuration, which leads to more intuitive behavior. + +- Add fuzz tests.
diff --git a/vendor/github.com/kevinburke/ssh_config/Makefile b/vendor/github.com/kevinburke/ssh_config/Makefile
index 4ee41ab57a..25a3570259 100644
--- a/vendor/github.com/kevinburke/ssh_config/Makefile
+++ b/vendor/github.com/kevinburke/ssh_config/Makefile
@@ -12,6 +12,10 @@ test:
 race-test:
 go test -timeout=500ms -race ./...
+coverage:
+ go test -trimpath -timeout=250ms -coverprofile=coverage.out -covermode=atomic ./...
+ go tool cover -func=coverage.out
+
 $(BUMP_VERSION):
 go get -u github.com/kevinburke/bump_version
diff --git a/vendor/github.com/kevinburke/ssh_config/SECURITY.md b/vendor/github.com/kevinburke/ssh_config/SECURITY.md
new file mode 100644
index 0000000000..adc2c5ab71
--- /dev/null
+++ b/vendor/github.com/kevinburke/ssh_config/SECURITY.md
@@ -0,0 +1,63 @@
+# ssh_config security policy
+
+## Supported Versions
+
+As of September 2025, we're not aware of any security problems with ssh_config,
+past or present. That said, we recommend always using the latest version of
+ssh_config, and of the Go programming language, to ensure you have the most
+recent security fixes.
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security vulnerability in ssh_config, please report it responsibly by following these steps:
+
+### How to Report
+
+Please follow the instructions outlined here to report a vulnerability
+privately: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
+
+If these are insufficient - it is not hard to find Kevin's contact information
+on the Internet.
+
+### What to Include
+
+When reporting a vulnerability, please include a clear description of the vulnerability, steps to reproduce the issue, the potential impact, as well as any fixes you might have.
+
+### Response Timeline
+
+I'll try to acknowledge and patch the issue as quickly as possible.
+
+Security advisories for this project will be published through:
+- GitHub Security Advisories on this repository
+- an Issue on this repository
+- The project's release notes
+- Go vulnerability databases
+
+If you are using `ssh_config` and would like to be on a "pre-release"
+distribution list for coordinating releases, please contact Kevin directly.
+
+### Security Considerations
+
+When using ssh_config, please be aware of these security considerations.
+
+#### File System Access
+
+This library reads SSH configuration files from the file system. Try to ensure
+proper file permissions on SSH config files (typically 600 or 644), and be
+cautious when parsing config files from untrusted sources.
+
+#### Input Validation
+
+The parser handles user-provided SSH configuration data. While we try our best
+to parse the data appropriately, malformed configuration files could potentially
+cause issues. Please try to validate and sanitize any configuration data from
+external sources.
+
+#### Dependencies
+
+This project does not have any third party dependencies. Please try to keep your
+Go version up to date.
+
+## Acknowledgments
+
+We appreciate security researchers and users who responsibly disclose vulnerabilities. Contributors who report valid security issues will be acknowledged in our security advisories (unless they prefer to remain anonymous).
diff --git a/vendor/github.com/kevinburke/ssh_config/config.go b/vendor/github.com/kevinburke/ssh_config/config.go
index bb7315a3a8..30c9a4b363 100644
--- a/vendor/github.com/kevinburke/ssh_config/config.go
+++ b/vendor/github.com/kevinburke/ssh_config/config.go
@@ -24,9 +24,6 @@
 //
 // // Write the cfg back to disk:
 // fmt.Println(cfg.String())
-//
-// BUG: the Match directive is currently unsupported; parsing a config with
-// a Match directive will trigger an error.
 package ssh_config
 import (
@@ -43,7 +40,7 @@ import (
 "sync"
 )
-const version = "1.4.0"
+const version = "1.5.0"
 var _ = version
@@ -388,9 +385,6 @@ func (c *Config) Get(alias, key string) (string, error) {
 case *KV:
 // "keys are case insensitive" per the spec
 lkey := strings.ToLower(t.Key)
- if lkey == "match" {
- panic("can't handle Match directives")
- }
 if lkey == lowerKey {
 return t.Value, nil
 }
@@ -423,9 +417,6 @@ func (c *Config) GetAll(alias, key string) ([]string, error) {
 case *KV:
 // "keys are case insensitive" per the spec
 lkey := strings.ToLower(t.Key)
- if lkey == "match" {
- panic("can't handle Match directives")
- }
 if lkey == lowerKey {
 all = append(all, t.Value)
 }
@@ -470,6 +461,9 @@ type Pattern struct {
 // String prints the string representation of the pattern.
 func (p Pattern) String() string {
+ if p.not {
+ return "!" + p.str
+ }
 return p.str
 }
@@ -528,7 +522,7 @@ func NewPattern(s string) (*Pattern, error) {
 return &Pattern{str: s, regex: r, not: negated}, nil
 }
-// Host describes a Host directive and the keywords that follow it.
+// Host describes a Host or Match directive and the keywords that follow it.
 type Host struct {
 // A list of host patterns that should match this host.
 Patterns []*Pattern
@@ -543,6 +537,11 @@ type Host struct {
 leadingSpace int // TODO: handle spaces vs tabs here.
 // The file starts with an implicit "Host *" declaration.
 implicit bool
+ // isMatch is true if this block was created by a Match directive.
+ isMatch bool
+ // matchKeyword stores the original text after "Match" (e.g. "Host" or
+ // "all") so we can round-trip correctly.
+ matchKeyword string
 }
 // Matches returns true if the Host matches for the given alias. For
@@ -574,17 +573,36 @@ func (h *Host) String() string {
 //lint:ignore S1002 I prefer to write it this way
 if h.implicit == false {
 buf.WriteString(strings.Repeat(" ", int(h.leadingSpace)))
- buf.WriteString("Host")
- if h.hasEquals {
- buf.WriteString(" = ")
- } else {
- buf.WriteString(" ")
- }
- for i, pat := range h.Patterns {
- buf.WriteString(pat.String())
- if i < len(h.Patterns)-1 {
+ if h.isMatch {
+ buf.WriteString("Match")
+ if h.hasEquals {
+ buf.WriteString(" = ")
+ } else {
 buf.WriteString(" ")
 }
+ buf.WriteString(h.matchKeyword)
+ if !strings.EqualFold(h.matchKeyword, "all") {
+ buf.WriteString(" ")
+ for i, pat := range h.Patterns {
+ buf.WriteString(pat.String())
+ if i < len(h.Patterns)-1 {
+ buf.WriteString(" ")
+ }
+ }
+ }
+ } else {
+ buf.WriteString("Host")
+ if h.hasEquals {
+ buf.WriteString(" = ")
+ } else {
+ buf.WriteString(" ")
+ }
+ for i, pat := range h.Patterns {
+ buf.WriteString(pat.String())
+ if i < len(h.Patterns)-1 {
+ buf.WriteString(" ")
+ }
+ }
 }
 buf.WriteString(h.spaceBeforeComment)
 if h.EOLComment != "" {
diff --git a/vendor/github.com/kevinburke/ssh_config/parser.go b/vendor/github.com/kevinburke/ssh_config/parser.go
index fdd6ce9d8e..4a6c04e7c8 100644
--- a/vendor/github.com/kevinburke/ssh_config/parser.go
+++ b/vendor/github.com/kevinburke/ssh_config/parser.go
@@ -105,9 +105,7 @@ func (p *sshParser) parseKV() sshParserStateFn {
 comment = tok.val
 }
 if strings.ToLower(key.val) == "match" {
- // https://github.com/kevinburke/ssh_config/issues/6
- p.raiseErrorf(val, "ssh_config: Match directive parsing is unsupported")
- return nil
+ return p.parseMatch(val, hasEquals, comment)
 }
 if strings.ToLower(key.val) == "host" {
 strPatterns := strings.Split(val.val, " ")
@@ -165,6 +163,73 @@ func (p *sshParser) parseKV() sshParserStateFn {
 return p.parseStart
 }
+func (p *sshParser) parseMatch(val *token, hasEquals bool, comment string) sshParserStateFn {
+ // val.val contains everything after "Match ", e.g. "Host *.example.com"
+ // or "all".
+ trimmed := strings.TrimRightFunc(val.val, unicode.IsSpace)
+ spaceBeforeComment := val.val[len(trimmed):]
+ fields := strings.Fields(trimmed)
+ if len(fields) == 0 {
+ p.raiseErrorf(val, "ssh_config: Match directive requires at least one criterion")
+ return nil
+ }
+ criterion := strings.ToLower(fields[0])
+
+ switch criterion {
+ case "all":
+ // "Match all" is equivalent to "Host *" — matches everything.
+ p.config.Hosts = append(p.config.Hosts, &Host{
+ Patterns: []*Pattern{matchAll},
+ Nodes: make([]Node, 0),
+ EOLComment: comment,
+ spaceBeforeComment: spaceBeforeComment,
+ hasEquals: hasEquals,
+ isMatch: true,
+ matchKeyword: fields[0], // preserve original case
+ })
+ return p.parseStart
+
+ case "host":
+ patterns := make([]*Pattern, 0)
+ for _, s := range fields[1:] {
+ if s == "" {
+ continue
+ }
+ pat, err := NewPattern(s)
+ if err != nil {
+ p.raiseErrorf(val, fmt.Sprintf("Invalid host pattern: %v", err))
+ return nil
+ }
+ patterns = append(patterns, pat)
+ }
+ if len(patterns) == 0 {
+ p.raiseErrorf(val, "ssh_config: Match Host requires at least one pattern")
+ return nil
+ }
+ p.config.Hosts = append(p.config.Hosts, &Host{
+ Patterns: patterns,
+ Nodes: make([]Node, 0),
+ EOLComment: comment,
+ spaceBeforeComment: spaceBeforeComment,
+ hasEquals: hasEquals,
+ isMatch: true,
+ matchKeyword: fields[0], // preserve original case
+ })
+ return p.parseStart
+
+ case "exec":
+ // Match Exec runs arbitrary commands. Supporting it would allow
+ // untrusted SSH config files to execute code on the parsing
+ // machine. Reject it explicitly.
+ p.raiseErrorf(val, "ssh_config: Match Exec is not supported")
+ return nil
+
+ default:
+ p.raiseErrorf(val, fmt.Sprintf("ssh_config: unsupported Match criterion %q", criterion))
+ return nil
+ }
+}
+
 func (p *sshParser) parseComment() sshParserStateFn {
 comment := p.getToken()
 lastHost := p.config.Hosts[len(p.config.Hosts)-1]
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3205b6ab9b..f6820e69e3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -389,7 +389,7 @@ github.com/jinzhu/copier # github.com/json-iterator/go v1.1.12 ## explicit; go 1.12 github.com/json-iterator/go -# github.com/kevinburke/ssh_config v1.4.0 +# github.com/kevinburke/ssh_config v1.5.0 ## explicit; go 1.18 github.com/kevinburke/ssh_config # github.com/klauspost/compress v1.18.3