Skip to content

Bump golang.org/x/net from 0.52.0 to 0.55.0#369

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/golang.org/x/net-0.55.0
Open

Bump golang.org/x/net from 0.52.0 to 0.55.0#369
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/golang.org/x/net-0.55.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps golang.org/x/net from 0.52.0 to 0.55.0.

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated several underlying Go libraries to newer versions, which may improve security, stability, and compatibility.

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.52.0 to 0.55.0.
- [Commits](golang/net@v0.52.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 3, 2026
@openshift-ci openshift-ci Bot requested review from Tafhim and chamalabey July 3, 2026 19:26
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign theautoroboto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 3, 2026
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Walkthrough

This change updates indirect dependency versions in go.mod, bumping golang.org/x/crypto, x/net, x/sys, x/term, and x/text to newer patch/minor releases, while x/sync remains unchanged.

Changes

Dependency Update

Layer / File(s) Summary
go.mod version bumps
go.mod
Indirect golang.org/x module versions updated: x/crypto, x/net, x/sys, x/term, and x/text bumped; x/sync unchanged.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately states the primary dependency update and version change in this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR only changes go.mod/go.sum; no test files or Ginkgo titles are modified, so there are no dynamic test names to flag.
Test Structure And Quality ✅ Passed Only go.mod/go.sum changed; no Ginkgo test files were modified, so this test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed Only go.mod and go.sum changed; no new Ginkgo tests or MicroShift-relevant API usage were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only updates go.mod/go.sum dependency versions; no Ginkgo e2e tests or topology-sensitive code were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only go.mod/go.sum changed (dependency bumps); no manifests, controllers, or scheduling code were modified, so no topology-aware scheduling risk.
Ote Binary Stdout Contract ✅ Passed Diff only updates go.mod/go.sum; no main/init/TestMain/suite code or new stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR only updates go.mod/go.sum; it adds no Ginkgo e2e tests or networking code, so the IPv6/disconnected test check is not applicable.
No-Weak-Crypto ✅ Passed PR only bumps go.mod/go.sum dependency versions; no MD5/SHA1/DES/RC4/ECB, custom crypto, or secret comparisons were added.
Container-Privileges ✅ Passed PR only changes go.mod/go.sum; no container/K8s manifests or privilege settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) were changed.
No-Sensitive-Data-In-Logs ✅ Passed Only go.mod/go.sum dependency bumps changed; no source logging code or sensitive-data log statements were added.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/go_modules/golang.org/x/net-0.55.0

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 123: The module graph still includes a vulnerable golang.org/x/crypto
version, so update the dependency entry in go.mod for golang.org/x/crypto from
the affected v0.51.0 to v0.52.0 or newer. Make sure the change is reflected in
the module requirement list so the vulnerable x/crypto/ssh package is removed
from the resolved graph.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 631eaa45-759a-4f67-80c2-8c4e4b8126d4

📥 Commits

Reviewing files that changed from the base of the PR and between f7710a9 and d0741d8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/crypto v0.51.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '110,140p'

printf '\n== x/crypto references ==\n'
rg -n 'golang\.org/x/crypto|golang.org/x/text|golang.org/x/net|golang.org/x/sync|golang.org/x/sys' go.mod go.sum

Repository: openshift/managed-velero-operator

Length of output: 233


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, urllib.request, sys
urls = [
    "https://api.osv.dev/v1/vulns/GO-2026-5016",
]
for url in urls:
    try:
        with urllib.request.urlopen(url, timeout=20) as r:
            data = json.load(r)
        print("URL:", url)
        print("ID:", data.get("id"))
        print("summary:", data.get("summary"))
        print("details:", data.get("details","")[:500].replace("\n"," "))
        print("affected:", data.get("affected", [])[:1])
    except Exception as e:
        print("URL:", url)
        print("ERROR:", repr(e))
PY

Repository: openshift/managed-velero-operator

Length of output: 384


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== go.mod lines 118-130 ==\n'
sed -n '118,130p' go.mod

printf '\n== exact x/crypto line ==\n'
grep -n 'golang.org/x/crypto' go.mod || true

Repository: openshift/managed-velero-operator

Length of output: 800


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, ssl, urllib.request

url = "https://api.osv.dev/v1/vulns/GO-2026-5016"
ctx = ssl._create_unverified_context()
with urllib.request.urlopen(url, context=ctx, timeout=20) as r:
    data = json.load(r)

print("id:", data.get("id"))
print("summary:", data.get("summary"))
print("aliases:", data.get("aliases"))
print("modified:", data.get("modified"))
print("references:", [ref.get("url") for ref in data.get("references", [])[:5]])
affected = data.get("affected", [])
print("affected_count:", len(affected))
if affected:
    pkg = affected[0].get("package", {})
    print("package:", pkg.get("ecosystem"), pkg.get("name"))
    versions = affected[0].get("ranges", [])
    print("ranges:", versions)
PY

Repository: openshift/managed-velero-operator

Length of output: 642


Bump golang.org/x/crypto in go.mod:123.
v0.51.0 is affected by GO-2026-5016 (x/crypto/ssh DoS); update to v0.52.0 or newer to remove the vulnerable version from the module graph.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 123, The module graph still includes a vulnerable
golang.org/x/crypto version, so update the dependency entry in go.mod for
golang.org/x/crypto from the affected v0.51.0 to v0.52.0 or newer. Make sure the
change is reflected in the module requirement list so the vulnerable
x/crypto/ssh package is removed from the resolved graph.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants