OCPBUGS-98623, OCPBUGS-96887: Bump golang.org/x/net to v0.55.0 (CVE-2026-25681, CVE-2026-27136) [Release-5.0]#714
Conversation
|
@rissh: This pull request references Jira Issue OCPBUGS-98623, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-96887, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughUpdates several pinned indirect ChangesDependency updates
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rissh The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@rissh: This pull request references Jira Issue OCPBUGS-98623, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-96887, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
go.mod (1)
84-93: 🔒 Security & Privacy | 🔵 TrivialVerify release supply-chain controls outside this diff.
Confirm that CI produces an SBOM and provenance attestation, signs artifacts with Sigstore/cosign, and runs
go mod verifyfor all updated modules. As per path instructions, dependency updates require checksum, OSV, provenance, and artifact-signing verification.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` around lines 84 - 93, Verify the release and CI configuration associated with the dependency updates in go.mod: ensure CI generates SBOM and provenance attestations, signs artifacts using Sigstore/cosign, and runs go mod verify for all updated modules. Also confirm checksum and OSV checks are performed, following the repository’s path-specific instructions.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@go.mod`:
- Around line 84-93: Verify the release and CI configuration associated with the
dependency updates in go.mod: ensure CI generates SBOM and provenance
attestations, signs artifacts using Sigstore/cosign, and runs go mod verify for
all updated modules. Also confirm checksum and OSV checks are performed,
following the repository’s path-specific instructions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: acfb4723-a57a-49d7-b7ee-f88e054e5e24
⛔ Files ignored due to path filters (168)
go.sumis excluded by!**/*.sumvendor/golang.org/x/crypto/pbkdf2/pbkdf2.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/crypto/scrypt/scrypt.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/iter.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/node.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/nodetype_string.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/parse.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/render.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/html/token.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/README.mdis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/client_conn_pool.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/client_priority_go126.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/client_priority_go127.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/clientconn.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/config.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/frame.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/http2.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/server.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/server_common.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/server_wrap.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/transport.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/transport_common.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/transport_wrap.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched_common.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched_priority_rfc7540.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched_priority_rfc9218.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched_random.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/http2/writesched_roundrobin.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/go118.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/idna.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/idna9.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/pre_go118.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/punycode.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables10.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables11.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables12.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables13.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables15.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables17.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/tables9.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/trie12.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/idna/trie13.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/internal/httpcommon/request.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/net/internal/httpsfv/httpsfv.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/plan9/syscall_plan9.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/affinity_linux.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ioctl_signed.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ioctl_unsigned.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/mkall.shis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/mkerrors.shis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/readv_unix.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_darwin.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_linux.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_linux_arm.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_linux_arm64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_linux_loong64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_linux_riscv64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_openbsd.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_solaris.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/syscall_unix.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_386.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_amd64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_arm.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_arm64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_loong64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_mips.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_mips64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_ppc.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_s390x.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_linux.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.sis excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_386.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_arm.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_mips.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_386.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_amd64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_arm.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_arm64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_loong64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_mips.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_mips64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_ppc.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_s390x.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/aliases.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/dll_windows.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/security_windows.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/syscall_windows.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/types_windows.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/sys/windows/zsyscall_windows.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables10.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables11.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables12.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables13.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables15.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables17.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/bidi/tables9.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/forminfo.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables10.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables11.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables12.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables15.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables17.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/text/unicode/norm/tables9.0.0.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/ast/inspector/cursor.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/ast/inspector/inspector.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/ast/inspector/iter.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/packages/golist.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/packages/packages.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/go/types/objectpath/objectpath.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/aliases/aliases.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/aliases/aliases_go122.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/event/core/event.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/event/keys/keys.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/event/label/label.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/gcimporter/iexport.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/gcimporter/iimport.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/gcimporter/ureader.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/gocommand/version.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/pkgbits/version.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/stdlib/deps.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/typeparams/coretype.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/typeparams/free.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/typesinternal/types.gois excluded by!**/vendor/**,!vendor/**vendor/golang.org/x/tools/internal/versions/features.gois excluded by!**/vendor/**,!vendor/**vendor/modules.txtis excluded by!**/vendor/**,!vendor/**
📒 Files selected for processing (1)
go.mod
|
/retest |
|
/retest |
|
@rissh: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/hold |
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@rissh We do not make changes to main branch directly. Please make this change in upstream repo https://github.com/k8snetworkplumbingwg/ptp-operator. Once it is merged there we will sync it down to this repo. |
|
Hi @jzding , thanks for the heads-up. I can see your recent sync PR #717 has now pulled in these changes as well, so this PR is no longer needed. |
|
Closing — this fix was already included in the upstream sync #711 (created Jul 8, merged Jul 15), which bundled the golang.org/x/net v0.49.0 → v0.55.0 bump among other upstream changes. The sync PR title referenced CNF stories and didn't explicitly mention the CVEs, so we weren't aware it contained the fix when we raised this PR. Both CVE-2026-25681 (GO-2026-5029) and CVE-2026-27136 (GO-2026-5030) are now resolved on main. cc: @jzding |
|
@rissh: This pull request references Jira Issue OCPBUGS-98623. The bug has been updated to no longer refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-96887. The bug has been updated to no longer refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Summary
Bump
golang.org/x/netfrom v0.49.0 to v0.55.0 to resolve two security vulnerabilitiesin the
golang.org/x/net/htmlpackage. Both CVEs are fixed in the same version.CVE-2026-25681 (GO-2026-5029)
>in DOCTYPE identifiers duringhtml.Renderenables sanitizer bypass XSS.CVE-2026-27136 (GO-2026-5030)
Upstream Status
The community upstream (
k8snetworkplumbingwg/ptp-operator) has already shippedgolang.org/x/net v0.55.0on main.Note on existing Dependabot PRs
x/netto v0.55.0 but was auto-closed by Dependabot as "Superseded by chore(deps): bump the go_modules group across 1 directory with 2 updates #713".x/cryptoto v0.52.0 andx/netto v0.54.0 — but v0.54.0 does not resolve the CVEs (fix requires v0.55.0). CodeRabbit also flagged this in its review.x/netto v0.55.0 (resolving both CVEs) and includes cascadingx/*bumps. chore(deps): bump the go_modules group across 1 directory with 2 updates #713 can be closed after this merges.Changes
golang.org/x/netv0.49.0 → v0.55.0golang.org/x/crypto(v0.51.0),x/sys,x/text,x/term,x/mod,x/sync,x/toolsVerification
go build ./...— passesgovulncheck ./...— GO-2026-5029 and GO-2026-5030 no longer reportedSummary by CodeRabbit