Skip to content

Bump golang.org/x/net to v0.55.0#658

Merged
derek-etherton-opslevel merged 1 commit into
mainfrom
fix/x-net-idna-go-2026-5026
Jul 8, 2026
Merged

Bump golang.org/x/net to v0.55.0#658
derek-etherton-opslevel merged 1 commit into
mainfrom
fix/x-net-idna-go-2026-5026

Conversation

@derek-etherton-opslevel

Copy link
Copy Markdown
Contributor

Bumps golang.org/x/net from 0.54.0 to 0.55.0.

Commit history between tags: golang/net@v0.54.0...v0.55.0

Stacked on top of #657 — that PR raises x/net from v0.49.0 to v0.54.0 as a side effect of the x/crypto bump; this PR takes it the last step to v0.55.0 to pick up the IDNA fix. Rebase target will need to switch to main after #657 merges.

Security fixes

This upgrade patches 1 critical CVE in golang.org/x/net/idna.

0.55.0

  • GO-2026-5026 The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returned the name example.com, potentially bypassing name-based allowlists or masking the true label.

🤖 Generated with Claude Code

@derek-etherton-opslevel derek-etherton-opslevel changed the title Bump golang.org/x/net to v0.55.0 (GO-2026-5026) Bump golang.org/x/net to v0.55.0 Jul 7, 2026
Base automatically changed from fix/x-crypto-ssh-cves to main July 8, 2026 15:20
Fixes GO-2026-5026 in golang.org/x/net/idna: ToASCII/ToUnicode
incorrectly accepted Punycode-encoded labels that decoded to
ASCII-only labels.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@derek-etherton-opslevel derek-etherton-opslevel force-pushed the fix/x-net-idna-go-2026-5026 branch from 9956b99 to 5e5ca9a Compare July 8, 2026 15:29
@derek-etherton-opslevel derek-etherton-opslevel merged commit 7732919 into main Jul 8, 2026
7 checks passed
@derek-etherton-opslevel derek-etherton-opslevel deleted the fix/x-net-idna-go-2026-5026 branch July 8, 2026 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants