chore(deps): bump the gomod group across 1 directory with 19 updates#735
chore(deps): bump the gomod group across 1 directory with 19 updates#735dependabot[bot] wants to merge 1 commit into
Security Issues Found
Found 2 security issues that require attention
Details
Kusari Analysis Results:
Caution
Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.
The code analysis returned zero findings across all scanned files, indicating clean code changes with no exposed secrets or workflow issues. However, the dependency analysis identified significant vulnerabilities in two indirect dependencies that warrant attention before merging. golang.org/x/crypto is pinned at v0.46.0 and carries 13 active advisories, including authentication bypasses (CVE-2026-42508, CVE-2026-46595, CVE-2026-39828), server panics (CVE-2026-46597, CVE-2026-39835), DoS vectors via memory leaks and pathological RSA/DSA parameters (CVE-2026-39827, CVE-2026-39829), a server deadlock (CVE-2026-39830), and a FIDO/U2F physical interaction bypass (CVE-2026-39831), among others. The fixed version is v0.53.0. Additionally, golang.org/x/sys v0.43.0 contains an integer overflow in NewNTUnicodeString on Windows (CVE-2026-39824) that can cause silent data corruption or security bypasses; the fixed version is v0.46.0. Both packages have known safe versions readily available. We strongly recommend pinning these dependencies before merging by running: go get golang.org/x/crypto@v0.53.0 and go get golang.org/x/sys@v0.46.0, and adding explicit entries in go.mod to override the transitive versions.
Note
View full detailed analysis result for more information on the output and the checks that were run.
Required Dependency Mitigations
- golang.org/x/crypto v0.46.0 (indirect dependency) still contains 13 active vulnerabilities despite the upgrade. Critical issues include: auth bypass via unenforced @Revoked CA status (CVE-2026-42508), VerifiedPublicKeyCallback permissions skip enforcement (CVE-2026-46595), bypass of certificate restrictions (CVE-2026-39828), FIDO/U2F physical interaction bypass (CVE-2026-39831), server panic via AES-GCM underflow (CVE-2026-46597), DoS via memory leak from rejected channels (CVE-2026-39827), DoS via pathological RSA/DSA parameters (CVE-2026-39829), server deadlock (CVE-2026-39830), infinite loop on large channel writes (CVE-2026-39834), key constraint enforcement failures (CVE-2026-39833, CVE-2026-39832), server panic during CheckHostKey (CVE-2026-39835), and client panic from malformed inputs (CVE-2026-46598). Dependency path: github.com/in-toto/in-toto-golang -> golang.org/x/crypto (vulnerable). The fixed version is v0.53.0. Pin it directly with: go get golang.org/x/crypto@v0.53.0 and add it as an explicit entry in go.mod to override the transitive version.
- golang.org/x/sys v0.43.0 (indirect dependency) still contains CVE-2026-39824: integer overflow in NewNTUnicodeString in golang.org/x/sys/windows. When provided a string that overflows the maximum NTUnicodeString size, it returns a truncated string rather than an error, which can lead to silent data corruption or security bypasses on Windows. Dependency path: go.uber.org/zap -> go.uber.org/goleak -> github.com/kr/pretty -> github.com/rogpeppe/go-internal -> golang.org/x/sys (vulnerable). The fixed version is v0.46.0. Pin it directly with: go get golang.org/x/sys@v0.46.0 and add it as an explicit entry in go.mod to override the transitive version.
@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 3c486b0, performed at: 2026-06-15T06:04:09Z