Version in base suite: 1.4.1-1

Base version: r-cran-gh_1.4.1-1
Target version: r-cran-gh_1.4.1-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/r-cran-gh/r-cran-gh_1.4.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/r-cran-gh/r-cran-gh_1.4.1-1+deb13u1.dsc

 changelog                    |   10 ++
 gbp.conf                     |    4 
 patches/CVE-2025-54956.patch |  189 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 4 files changed, 204 insertions(+)

diff -Nru r-cran-gh-1.4.1/debian/changelog r-cran-gh-1.4.1/debian/changelog
--- r-cran-gh-1.4.1/debian/changelog	2024-06-09 23:58:24.000000000 +0000
+++ r-cran-gh-1.4.1/debian/changelog	2025-11-25 05:44:32.000000000 +0000
@@ -1,3 +1,13 @@
+r-cran-gh (1.4.1-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956.
+    - The HTTP response is delivered in a data structure that
+      includes the Authorization header from the corresponding HTTP
+      request (closes: #1110481).
+
+ -- Daniel Leidert <dleidert@debian.org>  Tue, 25 Nov 2025 06:44:32 +0100
+
 r-cran-gh (1.4.1-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru r-cran-gh-1.4.1/debian/gbp.conf r-cran-gh-1.4.1/debian/gbp.conf
--- r-cran-gh-1.4.1/debian/gbp.conf	1970-01-01 00:00:00.000000000 +0000
+++ r-cran-gh-1.4.1/debian/gbp.conf	2025-11-25 05:44:32.000000000 +0000
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/trixie
+upstream-branch = upstream
+pristine-tar = True
diff -Nru r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch
--- r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch	1970-01-01 00:00:00.000000000 +0000
+++ r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch	2025-11-25 05:44:32.000000000 +0000
@@ -0,0 +1,189 @@
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor@gmail.com>
+Date: Mon, 26 May 2025 09:36:45 +0200
+Subject: [PATCH] Do not save request headers in the return value
+
+Closes #222.
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848
+Bug: https://github.com/r-lib/gh/issues/222
+Bug-Debian: https://bugs.debian.org/1110481
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956
+---
+ R/gh.R                            |  2 +-
+ R/gh_response.R                   | 10 +++++-----
+ R/pagination.R                    | 26 +++++++++++++++++++-------
+ man/gh_next.Rd                    | 15 +++++++++++----
+ tests/testthat/test-gh_response.R |  4 ----
+ tests/testthat/test-pagination.R  |  2 +-
+ 6 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/R/gh.R b/R/gh.R
+index af46a20..b449f1b 100644
+--- a/R/gh.R
++++ b/R/gh.R
+@@ -216,7 +216,7 @@ gh <- function(endpoint,
+   }
+ 
+   while (!is.null(.limit) && len < .limit && gh_has_next(res)) {
+-    res2 <- gh_next(res)
++    res2 <- gh_next(res, .token = .token, .send_headers = .send_headers)
+     len <- len + gh_response_length(res2)
+     if (.progress) cli::cli_progress_update()
+ 
+diff --git a/R/gh_response.R b/R/gh_response.R
+index 7943f1b..9763d0f 100644
+--- a/R/gh_response.R
++++ b/R/gh_response.R
+@@ -27,11 +27,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+ 
+   attr(res, "response") <- httr2::resp_headers(resp)
+-  attr(res, "request") <- gh_req
+-
+-  # for backward compatibility
+-  attr(res, "method") <- resp$method
+-  attr(res, ".send_headers") <- httr2::last_request()$headers
++  attr(res, "request") <- remove_headers(gh_req)
+ 
+   if (is_ondisk) {
+     class(res) <- c("gh_response", "path")
+@@ -42,3 +38,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+   res
+ }
++
++remove_headers <- function(x) {
++  x[names(x) != "headers"]
++}
+diff --git a/R/pagination.R b/R/pagination.R
+index cb2c02b..c98289f 100644
+--- a/R/pagination.R
++++ b/R/pagination.R
+@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) {
+   gh_has(gh_response, "next")
+ }
+ 
+-gh_link_request <- function(gh_response, link) {
++gh_link_request <- function(gh_response, link, .token, .send_headers) {
+   stopifnot(inherits(gh_response, "gh_response"))
+ 
+   url <- extract_link(gh_response, link)
+@@ -44,11 +44,14 @@ gh_link_request <- function(gh_response, link) {
+   req$query <- purl$query
+   purl$query <- NULL
+   req$url <- httr2::url_build(purl)
++  req$token <- .token
++  req$send_headers <- .send_headers
++  req <- gh_set_headers(req)
+   req
+ }
+ 
+-gh_link <- function(gh_response, link) {
+-  req <- gh_link_request(gh_response, link)
++gh_link <- function(gh_response, link, .token, .send_headers) {
++  req <- gh_link_request(gh_response, link, .token, .send_headers)
+   raw <- gh_make_request(req)
+   gh_process_response(raw, req)
+ }
+@@ -71,6 +74,7 @@ gh_extract_pages <- function(gh_response) {
+ #' If the requested page does not exist, an error is thrown.
+ #'
+ #' @param gh_response An object returned by a [gh()] call.
++#' @inheritParams gh
+ #' @return Answer from the API.
+ #'
+ #' @seealso The `.limit` argument to [gh()] supports fetching more than
+@@ -83,19 +87,27 @@ gh_extract_pages <- function(gh_response) {
+ #' vapply(x, "[[", character(1), "login")
+ #' x2 <- gh_next(x)
+ #' vapply(x2, "[[", character(1), "login")
+-gh_next <- function(gh_response) gh_link(gh_response, "next")
++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_prev <- function(gh_response) gh_link(gh_response, "prev")
++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_first <- function(gh_response) gh_link(gh_response, "first")
++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "first", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_last <- function(gh_response) gh_link(gh_response, "last")
++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers)
++}
+diff --git a/man/gh_next.Rd b/man/gh_next.Rd
+index 4c4b493..a79cd3a 100644
+--- a/man/gh_next.Rd
++++ b/man/gh_next.Rd
+@@ -7,16 +7,23 @@
+ \alias{gh_last}
+ \title{Get the next, previous, first or last page of results}
+ \usage{
+-gh_next(gh_response)
++gh_next(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_prev(gh_response)
++gh_prev(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_first(gh_response)
++gh_first(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_last(gh_response)
++gh_last(gh_response, .token = NULL, .send_headers = NULL)
+ }
+ \arguments{
+ \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.}
++
++\item{.token}{Authentication token. Defaults to \code{\link[=gh_token]{gh_token()}}.}
++
++\item{.send_headers}{Named character vector of header field values
++(except \code{Authorization}, which is handled via \code{.token}). This can be
++used to override or augment the default \code{User-Agent} header:
++\code{"https://github.com/r-lib/gh"}.}
+ }
+ \value{
+ Answer from the API.
+diff --git a/tests/testthat/test-gh_response.R b/tests/testthat/test-gh_response.R
+index 6ae8c0d..84ea037 100644
+--- a/tests/testthat/test-gh_response.R
++++ b/tests/testthat/test-gh_response.R
+@@ -64,10 +64,6 @@ test_that("captures details to recreate request", {
+   expect_type(req, "list")
+   expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos")
+   expect_equal(req$query, list(per_page = 1))
+-
+-  # For backwards compatibility
+-  expect_equal(attr(res, "method"), "GET")
+-  expect_type(attr(res, ".send_headers"), "list")
+ })
+ 
+ test_that("output file is not overwritten on error", {
+diff --git a/tests/testthat/test-pagination.R b/tests/testthat/test-pagination.R
+index bc5e912..c693351 100644
+--- a/tests/testthat/test-pagination.R
++++ b/tests/testthat/test-pagination.R
+@@ -22,7 +22,7 @@ test_that("paginated request gets max_wait and max_rate", {
+   skip_on_cran()
+   gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 10)
+ 
+-  req <- gh_link_request(gh, "next")
++  req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL)
+   expect_equal(req$max_wait, 1)
+   expect_equal(req$max_rate, 10)
+ 
diff -Nru r-cran-gh-1.4.1/debian/patches/series r-cran-gh-1.4.1/debian/patches/series
--- r-cran-gh-1.4.1/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ r-cran-gh-1.4.1/debian/patches/series	2025-11-25 05:44:32.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-54956.patch