Skip to content

[fix][sec] Upgrade pulsar-client-go to v0.20.0 in pulsar-function-go, also address CVEs#26140

Merged
lhotari merged 8 commits into
apache:masterfrom
lhotari:lh-address-go-cves
Jul 2, 2026
Merged

[fix][sec] Upgrade pulsar-client-go to v0.20.0 in pulsar-function-go, also address CVEs#26140
lhotari merged 8 commits into
apache:masterfrom
lhotari:lh-address-go-cves

Conversation

@lhotari

@lhotari lhotari commented Jul 2, 2026

Copy link
Copy Markdown
Member

Motivation

pulsar-function-go is using pulsar-client-go v0.14.0. In addition, there is CVE-2026-25680 in golang.org/x/net 0.48.0 which needs to be addressed.

Modifications

  • upgrade pulsar-client-go to v0.20.0
  • upgrade indirect dependencies
  • run go mod tidy

dependabot Bot and others added 4 commits July 1, 2026 19:07
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.48.0 to 0.55.0.
- [Commits](golang/net@v0.48.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
lhotari added 4 commits July 2, 2026 21:02
pulsar-client-go v0.20.0 adds IsNullValue() bool to the pulsar.Message
interface. Implement it in the test-only MockMessage so the pf test
package compiles again (fixes the golangci-lint typecheck failure).

Assisted-by: Claude Code (Opus 4.8)
@lhotari lhotari merged commit 82a5cdf into apache:master Jul 2, 2026
45 of 46 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants