
Update ktrysmt/go-bitbucket to v0.9.88 #181

Open
attiasas wants to merge 2 commits into jfrog:master from attiasas:update_go_bitbucket_0_9_88

Conversation

@attiasas (Contributor) commented Feb 4, 2026

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • I used go fmt ./... for formatting the code before submitting the pull request.
  • This feature is included on all supported VCS providers - GitHub, Bitbucket cloud, Bitbucket server, GitLab and Azure Repos.
  • I added the relevant documentation for the new feature.

attiasas added the label "improvement" (Automatically generated release notes) on Feb 4, 2026
github-actions bot commented Feb 4, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

github-actions bot commented Feb 4, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 3 issues

Scan Category                              | Status  | Security Issues
Software Composition Analysis              | ✅ Done | 3 Issues Found (1 High, 2 Medium)
Contextual Analysis                        | ✅ Done | -
Static Application Security Testing (SAST) | ✅ Done | Not Found
Secrets                                    | ✅ Done | -
Infrastructure as Code (IaC)               | ✅ Done | Not Found

📦 Vulnerable Dependencies

Severity | ID             | Contextual Analysis | Direct Dependencies                                                                            | Impacted Dependency         | Fixed Versions
High     | CVE-2025-47913 | Not Applicable      | github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0 | golang.org/x/crypto v0.41.0 | [0.43.0]
Medium   | CVE-2025-58181 | Not Applicable      | github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0 | golang.org/x/crypto v0.41.0 | [0.45.0]
Medium   | CVE-2025-47914 | Not Applicable      | github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0 | golang.org/x/crypto v0.41.0 | [0.45.0]

🔖 Details

[ CVE-2025-47913 ] golang.org/x/crypto v0.41.0

Vulnerability Details

JFrog Research Severity: Low
Contextual Analysis: Not Applicable
Direct Dependencies: github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0
Impacted Dependency: golang.org/x/crypto:v0.41.0
Fixed Versions: [0.43.0]
CVSS V3: 7.5

Unhandled data type in crypto/ssh may result in client denial of service when connecting to untrusted SSH agents

🔬 JFrog Research Details

Description:
The Go package x/crypto/ssh implements an SSH client and server.
It was found that when a client requests an operation that expects a response of a specific type, the List() and SignWithFlags() functions will crash if the response includes an unexpected data type, such as the SSH_AGENT_SUCCESS (byte 0x06) message.

An example of a vulnerable client:

package main

import (
	"fmt"
	"net"

	"golang.org/x/crypto/ssh/agent"
)

func main() {
	// Connect to an agent the client does not control. In the scenario the
	// research describes, this agent answers the identities request with an
	// unexpected message type such as SSH_AGENT_SUCCESS (0x06).
	conn, err := net.Dial("tcp", "127.0.0.1:9999")
	if err != nil {
		panic(err)
	}
	ag := agent.NewClient(conn)
	fmt.Println("calling List(): expect panic in agent/client.go")
	_, _ = ag.List() // vulnerable x/crypto (before v0.43.0) panics with "unreachable"
}


[ CVE-2025-58181 ] golang.org/x/crypto v0.41.0

Vulnerability Details

Contextual Analysis: Not Applicable
Direct Dependencies: github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0
Impacted Dependency: golang.org/x/crypto:v0.41.0
Fixed Versions: [0.45.0]
CVSS V3: 5.3

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

[ CVE-2025-47914 ] golang.org/x/crypto v0.41.0

Vulnerability Details

Contextual Analysis: Not Applicable
Direct Dependencies: github.com/ktrysmt/go-bitbucket:v0.9.88, golang.org/x/crypto:v0.41.0, golang.org/x/net:v0.43.0
Impacted Dependency: golang.org/x/crypto:v0.41.0
Fixed Versions: [0.45.0]
CVSS V3: 5.3

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
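The two agent-protocol findings above (CVE-2025-47913 and CVE-2025-47914) are the same mistake seen from both ends of the socket: a field of a peer-supplied message is acted on before it is checked, the reply's message type in the first case and a length in the second. The block below is an added example written for this page; it is not code from the project under review, from go-bitbucket, or from golang.org/x/crypto. It is a standard-library-only agent client that frames messages the way the SSH agent protocol does (big-endian uint32 length, then a type byte), dispatches on the message type before decoding an SSH_AGENT_IDENTITIES_ANSWER, and bounds every length it reads. The toy agent it talks to over net.Pipe, the 256 KiB frame cap, and the key blob and comment in the honest reply are all constructed for the demonstration; the message numbers are the protocol's.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
const (
	agentSuccess           = 6          // SSH_AGENT_SUCCESS
	agentRequestIdentities = 11         // SSH_AGENTC_REQUEST_IDENTITIES
	agentIdentitiesAnswer  = 12         // SSH_AGENT_IDENTITIES_ANSWER
	maxAgentMsg            = 256 * 1024 // cap chosen for the example; bounds allocation driven by a peer's length field
)

// lengthPrefixed encodes b as a big-endian uint32 length followed by b, the
// agent protocol's "string" encoding, which is also how whole messages are framed.
func lengthPrefixed(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// readMsg reads one framed message, rejecting empty or oversized frames before allocating.
func readMsg(r io.Reader) ([]byte, error) {
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr)
	if n == 0 || n > maxAgentMsg {
		return nil, fmt.Errorf("agent: bad message length %d", n)
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readString parses one length-prefixed string, bounds-checked against buf.
func readString(buf []byte) (s, rest []byte, err error) {
	if len(buf) < 4 || uint64(binary.BigEndian.Uint32(buf)) > uint64(len(buf)-4) {
		return nil, nil, fmt.Errorf("agent: malformed string field")
	}
	n := binary.BigEndian.Uint32(buf)
	return buf[4 : 4+n], buf[4+n:], nil
}

// ListIdentities is the hardened client: it checks the reply's message type before
// interpreting the body instead of assuming the reply has the expected type.
func ListIdentities(conn net.Conn) ([]string, error) {
	if _, err := conn.Write(lengthPrefixed([]byte{agentRequestIdentities})); err != nil {
		return nil, err
	}
	resp, err := readMsg(conn)
	if err != nil {
		return nil, err
	}
	if resp[0] != agentIdentitiesAnswer { // e.g. SSH_AGENT_SUCCESS (6), which crashed the vulnerable client
		return nil, fmt.Errorf("agent: unexpected message type %d", resp[0])
	}
	if len(resp) < 5 {
		return nil, fmt.Errorf("agent: truncated identities answer")
	}
	count, body, comments := binary.BigEndian.Uint32(resp[1:]), resp[5:], []string{}
	for i := uint32(0); i < count; i++ {
		var comment []byte
		if _, body, err = readString(body); err != nil { // key blob, not needed here
			return nil, err
		}
		if comment, body, err = readString(body); err != nil {
			return nil, err
		}
		comments = append(comments, string(comment))
	}
	return comments, nil
}

// honestReply is a constructed SSH_AGENT_IDENTITIES_ANSWER with one key; blob and comment are made up.
var honestReply = append(append([]byte{agentIdentitiesAnswer, 0, 0, 0, 1},
	lengthPrefixed([]byte("constructed-key-blob"))...), lengthPrefixed([]byte("user@example"))...)

// talkTo runs the hardened client against an in-memory toy agent that answers any request with reply.
func talkTo(reply []byte) ([]string, error) {
	c, s := net.Pipe()
	defer c.Close()
	go func() {
		defer s.Close()
		if _, err := readMsg(s); err == nil {
			_, _ = s.Write(lengthPrefixed(reply))
		}
	}()
	return ListIdentities(c)
}

func main() {
	fmt.Println(talkTo(honestReply))          // one comment, no error
	fmt.Println(talkTo([]byte{agentSuccess})) // error instead of a panic
}
```

The type check is the fix for the client side of CVE-2025-47913: a reply that is not the type the request expects is an error, not something to decode. The length checks in readMsg and readString are the server-side discipline CVE-2025-47914 describes as missing: never index or allocate on a size the peer supplied until it has been compared with what was actually received.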

