Skip to content

chore(deps): bump the gomod group across 1 directory with 19 updates#735

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/gomod-0d9063e8a4
Open

chore(deps): bump the gomod group across 1 directory with 19 updates#735
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/gomod-0d9063e8a4

chore(deps): bump the gomod group across 1 directory with 19 updates

3c486b0
Select commit
Loading
Failed to load commit list.
Kusari Inspector / Kusari Inspector failed Jun 15, 2026 in 1m 19s

Security Issues Found

Found 2 security issues that require attention

Details

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis returned zero findings across all scanned files, indicating clean code changes with no exposed secrets or workflow issues. However, the dependency analysis identified significant vulnerabilities in two indirect dependencies that warrant attention before merging. golang.org/x/crypto is pinned at v0.46.0 and carries 13 active advisories, including authentication bypasses (CVE-2026-42508, CVE-2026-46595, CVE-2026-39828), server panics (CVE-2026-46597, CVE-2026-39835), DoS vectors via memory leaks and pathological RSA/DSA parameters (CVE-2026-39827, CVE-2026-39829), a server deadlock (CVE-2026-39830), and a FIDO/U2F physical interaction bypass (CVE-2026-39831), among others. The fixed version is v0.53.0. Additionally, golang.org/x/sys v0.43.0 contains an integer overflow in NewNTUnicodeString on Windows (CVE-2026-39824) that can cause silent data corruption or security bypasses; the fixed version is v0.46.0. Both packages have known safe versions readily available. We strongly recommend pinning these dependencies before merging by running: go get golang.org/x/crypto@v0.53.0 and go get golang.org/x/sys@v0.46.0, and adding explicit entries in go.mod to override the transitive versions.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • golang.org/x/crypto v0.46.0 (indirect dependency) still contains 13 active vulnerabilities despite the upgrade. Critical issues include: auth bypass via unenforced @Revoked CA status (CVE-2026-42508), VerifiedPublicKeyCallback permissions skip enforcement (CVE-2026-46595), bypass of certificate restrictions (CVE-2026-39828), FIDO/U2F physical interaction bypass (CVE-2026-39831), server panic via AES-GCM underflow (CVE-2026-46597), DoS via memory leak from rejected channels (CVE-2026-39827), DoS via pathological RSA/DSA parameters (CVE-2026-39829), server deadlock (CVE-2026-39830), infinite loop on large channel writes (CVE-2026-39834), key constraint enforcement failures (CVE-2026-39833, CVE-2026-39832), server panic during CheckHostKey (CVE-2026-39835), and client panic from malformed inputs (CVE-2026-46598). Dependency path: github.com/in-toto/in-toto-golang -> golang.org/x/crypto (vulnerable). The fixed version is v0.53.0. Pin it directly with: go get golang.org/x/crypto@v0.53.0 and add it as an explicit entry in go.mod to override the transitive version.
  • golang.org/x/sys v0.43.0 (indirect dependency) still contains CVE-2026-39824: integer overflow in NewNTUnicodeString in golang.org/x/sys/windows. When provided a string that overflows the maximum NTUnicodeString size, it returns a truncated string rather than an error, which can lead to silent data corruption or security bypasses on Windows. Dependency path: go.uber.org/zap -> go.uber.org/goleak -> github.com/kr/pretty -> github.com/rogpeppe/go-internal -> golang.org/x/sys (vulnerable). The fixed version is v0.46.0. Pin it directly with: go get golang.org/x/sys@v0.46.0 and add it as an explicit entry in go.mod to override the transitive version.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 3c486b0, performed at: 2026-06-15T06:04:09Z