Bump golang.org/x/net from 0.8.0 to 0.38.0 in /kubelet-to-gcm#3
Bump golang.org/x/net from 0.8.0 to 0.38.0 in /kubelet-to-gcm#3dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.38.0. - [Commits](golang/net@v0.8.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 45e5b58. Configure here.
| } | ||
| if fh.Length > fr.maxReadSize { | ||
| if fh == invalidHTTP1LookingFrameHeader() { | ||
| return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", err) |
There was a problem hiding this comment.
Error wraps nil producing misleading error message
Low Severity
In ReadFrame(), the err variable at line 512 is nil — it was returned by readFrameHeader at line 506, and execution only reaches line 510 after passing the err != nil guard at line 507. The %w verb wraps this nil value, producing a confusing error message: "http2: failed reading the frame payload: <nil>, note that the frame header looked like an HTTP/1.1 header". The second occurrence at line 519 is correct because it's inside an if err != nil block where err comes from io.ReadFull.
Reviewed by Cursor Bugbot for commit 45e5b58. Configure here.
| } | ||
| if h2.MaxConcurrentStreams != 0 { | ||
| conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams) | ||
| } |
There was a problem hiding this comment.
Duplicate MaxConcurrentStreams assignment in config function
Low Severity
In fillNetHTTPConfig, the h2.MaxConcurrentStreams check and assignment appears identically at lines 25–27 and again at lines 34–36. This is a copy-paste duplication — the second block redundantly overwrites conf.MaxConcurrentStreams with the same value already set by the first block.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 45e5b58. Configure here.
|
Superseded by #8. |


Bumps golang.org/x/net from 0.8.0 to 0.38.0.
Commits
e1fcd82html: properly handle trailing solidus in unquoted attribute value in foreign...ebed060internal/http3: fix build of tests with GOEXPERIMENT=nosynctest1f1fa29publicsuffix: regenerate table1215081http2: improve error when server sends HTTP/1312450ehtml: ensure <search> tag closes <p> and update tests09731f9http2: improve handling of lost PING in Server55989e2http2/h2c: use ResponseController for hijacking connections2914f46websocket: re-recommend gorilla/websocket99b3ae0go.mod: update golang.org/x dependencies85d1d54go.mod: update golang.org/x dependenciesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Medium risk due to a Go toolchain bump to
go 1.23.0and a large vendoredgolang.org/x/netupdate (notablyhttp2server/transport behavior), which could subtly affect networking behavior at runtime.Overview
Updates
kubelet-to-gcmto Go1.23.0and bumpsgolang.org/x/netfromv0.8.0tov0.38.0, along with correspondinggo.sumand indirectx/sys/x/textupdates.Vendors the newer
x/netsources, bringing in substantialhttp2changes (new config plumbing, read-idle ping health checks/timeouts, extended CONNECT handling defaults, header parsing/limits hardening, and various correctness/safety fixes) plus an updatedgolang.org/x/net/contextshim and minorhttpgutstoken-validation tweaks.Reviewed by Cursor Bugbot for commit 45e5b58. Bugbot is set up for automated code reviews on this repo. Configure here.