
fix(deps): upgrade yaml.v2 to v3 and golang.org/x/net #288

Closed
devfeel wants to merge 1 commit into aicode from aicode-security-upgrade


Conversation

devfeel (Owner) commented Mar 3, 2026

Summary

  • Upgrade gopkg.in/yaml.v2 to v3 (fixes DoS vulnerability)
  • Upgrade golang.org/x/net to v0.51.0 (fixes XSS and proxy bypass)

Security Fixes

This PR resolves the following Dependabot alerts:

Alert  Dependency         Severity  Issue
#10    gopkg.in/yaml.v2   High      YAML parsing CPU/memory consumption
#9     gopkg.in/yaml.v2   Medium    Resource consumption in loop
#11    gopkg.in/yaml.v2   Medium    YAML DoS vulnerability
#24    golang.org/x/net   Medium    HTTP proxy bypass (IPv6 Zone IDs)
#25    golang.org/x/net   Medium    XSS vulnerability

Changes

  • Updated import path in config/config_yaml.go
  • Updated go.mod dependencies
  • All tests pass

Test Plan

  • Run go test ./... - all tests pass
  • Verify yaml parsing still works correctly

- Upgrade gopkg.in/yaml.v2 to v3 (fixes DoS vulnerability)
- Upgrade golang.org/x/net to v0.51.0 (fixes XSS and proxy bypass)
- All tests pass

Resolves: Dependabot alerts #9, #10, #11, #24, #25
devfeel (Owner, Author) commented Mar 3, 2026

Closing this PR due to incorrect Go version update. Will resubmit with Go 1.21 preserved.

@devfeel devfeel closed this Mar 3, 2026
@devfeel devfeel deleted the aicode-security-upgrade branch March 8, 2026 08:56
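As an added example that is not part of this PR or the project it targets: a POSIX shell pre-merge check covering the three things the description and the closing comment turn on, namely that no Go file still imports gopkg.in/yaml.v2, that go.mod requires gopkg.in/yaml.v3 and carries no leftover require of yaml.v2, and that the go directive still reads the version the maintainer wants preserved (1.21 in the closing comment). The repository layout (go.mod at the root, sources below it), the example.com/app module name and the fixture files written by make_fixture are assumptions made for the demo, not the project's real files.

```shell
#!/bin/sh
# Added example, not part of PR #288 or the project it targets: pre-merge checks
# for a gopkg.in/yaml.v2 -> v3 bump. Assumed layout: go.mod at the repository
# root and Go sources anywhere below it. Paths and the expected Go directive
# are parameters so the checks can run from CI against any checkout.

# Return 0 when no .go file under $1 still imports gopkg.in/yaml.v2; otherwise
# list the offending files on stderr and return 1.
check_no_yaml_v2_imports() {
  root=${1:-.}
  leftovers=$(find "$root" -name '*.go' -exec grep -l '"gopkg.in/yaml.v2"' {} + 2>/dev/null || true)
  [ -z "$leftovers" ] && return 0
  printf 'yaml.v2 still imported in:\n%s\n' "$leftovers" >&2
  return 1
}

# Return 0 when go.mod ($1) requires gopkg.in/yaml.v3 and has no require of
# yaml.v2, direct or "// indirect": a leftover require keeps the old module in
# go.mod, which is what the Dependabot alert is keyed on.
check_yaml_require() {
  gomod=$1
  grep -q 'gopkg.in/yaml.v3 v' "$gomod" || { echo "go.mod: no require of gopkg.in/yaml.v3" >&2; return 1; }
  if grep -q 'gopkg.in/yaml.v2 v' "$gomod"; then
    echo "go.mod: gopkg.in/yaml.v2 is still required" >&2
    return 1
  fi
  return 0
}

# Return 0 when the `go` directive in go.mod ($1) equals $2 (e.g. 1.21). Tools
# that rewrite go.mod can silently raise it and change the minimum toolchain,
# which is the mistake that got this PR closed.
check_go_directive() {
  actual=$(awk '$1 == "go" { print $2; exit }' "$1")
  [ "$actual" = "$2" ] && return 0
  echo "go.mod: go directive is '${actual:-missing}', expected '$2'" >&2
  return 1
}

# Run all three checks against a repository root ($1) and expected Go version ($2).
check_yaml_upgrade() {
  check_no_yaml_v2_imports "$1" \
    && check_yaml_require "$1/go.mod" \
    && check_go_directive "$1/go.mod" "$2"
}

# Constructed fixture (not real project files): a tree that looks like a
# finished upgrade; $1 is the go directive written into go.mod. Prints the dir.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/config"
  printf 'module example.com/app\n\ngo %s\n\nrequire gopkg.in/yaml.v3 v3.0.1\n' "$1" > "$dir/go.mod"
  printf 'package config\n\nimport "gopkg.in/yaml.v3"\n\nvar _ = yaml.Unmarshal\n' > "$dir/config/config_yaml.go"
  echo "$dir"
}

# Stand-alone run (`sh check.sh demo`): a bumped directive must be rejected,
# the preserved one accepted.
if [ "${1:-}" = "demo" ]; then
  bad=$(make_fixture 1.24)
  check_yaml_upgrade "$bad" 1.21 && echo "unexpected pass" || echo "rejected: go directive changed"
  good=$(make_fixture 1.21)
  check_yaml_upgrade "$good" 1.21 && echo "accepted: imports, require and go directive all OK"
  rm -rf "$bad" "$good"
fi
```

In a pipeline the call is `check_yaml_upgrade . 1.21` after `go mod tidy`, so a tidy that drags yaml.v2 back in as an indirect requirement, or an editor that bumps the go directive, fails the job before review rather than after. A green `go test ./...` is necessary but not sufficient for the yaml.v2 to v3 step: yaml.v3 decodes untyped mappings into map[string]interface{} where yaml.v2 produced map[interface{}]interface{}, so any code that type-asserts on decoded interface{} values needs a test that exercises that path, not only the config struct round-trip.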