Bump golang.org/x/net from 0.52.0 to 0.55.0#369
Conversation
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.52.0 to 0.55.0. - [Commits](golang/net@v0.52.0...v0.55.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.55.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dependabot[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
WalkthroughThis change updates indirect dependency versions in go.mod, bumping golang.org/x/crypto, x/net, x/sys, x/term, and x/text to newer patch/minor releases, while x/sync remains unchanged. ChangesDependency Update
Estimated code review effort: 1 (Trivial) | ~3 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 123: The module graph still includes a vulnerable golang.org/x/crypto
version, so update the dependency entry in go.mod for golang.org/x/crypto from
the affected v0.51.0 to v0.52.0 or newer. Make sure the change is reflected in
the module requirement list so the vulnerable x/crypto/ssh package is removed
from the resolved graph.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 631eaa45-759a-4f67-80c2-8c4e4b8126d4
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
go.mod
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.49.0 // indirect | ||
| golang.org/x/net v0.52.0 // indirect | ||
| golang.org/x/crypto v0.51.0 // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== go.mod excerpt ==\n'
nl -ba go.mod | sed -n '110,140p'
printf '\n== x/crypto references ==\n'
rg -n 'golang\.org/x/crypto|golang.org/x/text|golang.org/x/net|golang.org/x/sync|golang.org/x/sys' go.mod go.sumRepository: openshift/managed-velero-operator
Length of output: 233
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json, urllib.request, sys
urls = [
"https://api.osv.dev/v1/vulns/GO-2026-5016",
]
for url in urls:
try:
with urllib.request.urlopen(url, timeout=20) as r:
data = json.load(r)
print("URL:", url)
print("ID:", data.get("id"))
print("summary:", data.get("summary"))
print("details:", data.get("details","")[:500].replace("\n"," "))
print("affected:", data.get("affected", [])[:1])
except Exception as e:
print("URL:", url)
print("ERROR:", repr(e))
PYRepository: openshift/managed-velero-operator
Length of output: 384
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== go.mod lines 118-130 ==\n'
sed -n '118,130p' go.mod
printf '\n== exact x/crypto line ==\n'
grep -n 'golang.org/x/crypto' go.mod || trueRepository: openshift/managed-velero-operator
Length of output: 800
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json, ssl, urllib.request
url = "https://api.osv.dev/v1/vulns/GO-2026-5016"
ctx = ssl._create_unverified_context()
with urllib.request.urlopen(url, context=ctx, timeout=20) as r:
data = json.load(r)
print("id:", data.get("id"))
print("summary:", data.get("summary"))
print("aliases:", data.get("aliases"))
print("modified:", data.get("modified"))
print("references:", [ref.get("url") for ref in data.get("references", [])[:5]])
affected = data.get("affected", [])
print("affected_count:", len(affected))
if affected:
pkg = affected[0].get("package", {})
print("package:", pkg.get("ecosystem"), pkg.get("name"))
versions = affected[0].get("ranges", [])
print("ranges:", versions)
PYRepository: openshift/managed-velero-operator
Length of output: 642
Bump golang.org/x/crypto in go.mod:123.
v0.51.0 is affected by GO-2026-5016 (x/crypto/ssh DoS); update to v0.52.0 or newer to remove the vulnerable version from the module graph.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 123, The module graph still includes a vulnerable
golang.org/x/crypto version, so update the dependency entry in go.mod for
golang.org/x/crypto from the affected v0.51.0 to v0.52.0 or newer. Make sure the
change is reflected in the module requirement list so the vulnerable
x/crypto/ssh package is removed from the resolved graph.
Bumps golang.org/x/net from 0.52.0 to 0.55.0.
Commits
7770ec4go.mod: update golang.org/x dependencies4ece7b6html: escape greater-than symbol in doctype identifiers08be507html: improve Noah's Ark clause performancea8fb2fehtml: properly render fostered elements in foreign content0dc5b7ahtml: properly check namespace in "in body" any other end taga452f3chtml: ignore duplicate attributes during tokenizationf865199quic: fix appendMaxDataFrame erroneously accumulating sentLimit210ed3cquic: establish a "happened-before" relationship between stream write and readad8140equic: fix buffer slicing when handling overlapping stream data23ee2efhttp2: avoid API changes when built with go1.27Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by CodeRabbit