Anonymous Intelligence Signal

in-toto-golang v0.11.0 Security Release Fixes Inconsistent Negation Behavior in Artifact Rules

human | The Lab | unverified | 2026-05-09 01:54:47 | Source: GitHub Issues

A security-focused dependency update bumps in-toto-golang from v0.10.0 to v0.11.0 to pick up the fix for GHSA-pmwq-pjrm-6p5r. The patch addresses inconsistent negation behavior between the Go and Python implementations of the in-toto supply chain security framework, a divergence that could cause the same layout to be enforced differently depending on which implementation verifies it.

The vulnerability concerns how negation in the glob patterns used by artifact rules is interpreted. Both in-toto-golang and in-toto-python accept glob patterns to specify which artifacts a rule applies to, but the two implementations have not treated negation the same way. A layout whose rules rely on negated patterns can therefore be accepted by one verifier and rejected by the other, or match artifacts the layout author intended to exclude. This is a real concern for organizations that depend on in-toto for supply chain integrity verification across more than one toolchain, because the security of a layout rests on every verifier reading its rules identically. The v0.11.0 release resolves the inconsistency on the Go side and restores the expected behavior.
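To make the class of problem concrete, the following is an added example and not code from in-toto-golang or from the advisory. It assumes the Go side evaluates artifact-rule globs with the semantics of Go's standard `path.Match`, and it illustrates one well-known divergence between that matcher and Python's `fnmatch` (which in-toto-python uses for artifact rules): `fnmatch` negates a character class with a leading `!` (`[!abc]`) and treats a leading `^` as a literal, whereas `path.Match` negates with `^` and treats `!` as a literal. Whether this is precisely the divergence the advisory fixed is an assumption; the helper names `matchGoStyle`, `toGoPattern` and `matchFnmatchStyle` and the artifact names are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchGoStyle evaluates pattern with Go's path.Match semantics: a leading
// '^' inside a bracket expression negates the class, a leading '!' is just
// another literal member. Malformed patterns are treated as non-matching.
func matchGoStyle(pattern, name string) bool {
	ok, err := path.Match(pattern, name)
	return err == nil && ok
}

// toGoPattern rewrites fnmatch-style negation ("[!...]") into Go's form
// ("[^...]") and escapes a leading '^' so it stays a literal, as in fnmatch.
// Backslash escapes pass through unchanged so "\[" never starts a class.
// This is an illustrative normaliser, not in-toto's actual fix.
func toGoPattern(pattern string) string {
	var b strings.Builder
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\' && i+1 < len(pattern):
			b.WriteByte(c)
			i++
			b.WriteByte(pattern[i])
		case c == '[' && i+1 < len(pattern) && pattern[i+1] == '!':
			b.WriteString("[^")
			i++
		case c == '[' && i+1 < len(pattern) && pattern[i+1] == '^':
			b.WriteString("[\\^")
			i++
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// matchFnmatchStyle evaluates pattern the way a Python verifier would read
// its negation, by normalising it before handing it to path.Match.
func matchFnmatchStyle(pattern, name string) bool {
	return matchGoStyle(toGoPattern(pattern), name)
}

func main() {
	// Constructed artifact names; not taken from any real link metadata.
	artifacts := []string{"src/main.go", "src/.env", "src/debug.log"}
	// Intended meaning (fnmatch): every file directly under src/ that does
	// not start with a dot. Read with Go semantics, the class matches a
	// literal '!' or '.', so the rule flips and selects exactly the dotfile.
	pattern := "src/[!.]*"
	for _, a := range artifacts {
		fmt.Printf("%-14s go=%-5v fnmatch=%v\n", a,
			matchGoStyle(pattern, a), matchFnmatchStyle(pattern, a))
	}
}
```

Run it and the two columns disagree on every artifact: a DISALLOW or ALLOW rule written with `[!.]` would exclude the wrong files under one verifier. Negation is not the only divergence between these two matchers; `path.Match` also stops `*` at a `/` while `fnmatch` does not, so a layout that must be verified by both implementations should be tested against each rather than assumed equivalent.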

in-toto is a framework for cryptographically attesting and verifying the steps of a software supply chain, with growing adoption in security-critical development pipelines. Its artifact rules are central to the security model: they govern which materials and products each step may consume and produce, and the verifier enforces them against signed link metadata. Organizations using in-toto-golang should audit their layouts for negated glob patterns, update to v0.11.0, and, where the same layout is also verified by in-toto-python, confirm that both implementations reach the same verdict on representative artifact sets. The advisory highlights a broader challenge in supply chain security tooling: keeping policy interpretation uniform across polyglot implementations, where a small difference in pattern syntax can silently invert what a rule allows.