
fix(deps): upgrade yaml.v2 to v3 and golang.org/x/net#289

Merged
devfeel merged 1 commit into aicode from aicode-security-upgrade-v2 on Mar 3, 2026

Conversation

@devfeel (Owner) commented Mar 3, 2026

Summary

  • Upgrade gopkg.in/yaml.v2 to v3 (fixes DoS vulnerability)
  • Upgrade golang.org/x/net to v0.33.0 (fixes XSS and proxy bypass)
  • Keep Go version at 1.21 (no version change)

Security Fixes

This PR resolves the following Dependabot alerts:

| Alert | Dependency         | Severity | Issue                                |
|-------|--------------------|----------|--------------------------------------|
| #10   | gopkg.in/yaml.v2   | High     | YAML parsing CPU/memory consumption  |
| #9    | gopkg.in/yaml.v2   | Medium   | Resource consumption in loop         |
| #11   | gopkg.in/yaml.v2   | Medium   | YAML DoS vulnerability               |
| #24   | golang.org/x/net   | Medium   | HTTP proxy bypass (IPv6 Zone IDs)    |
| #25   | golang.org/x/net   | Medium   | XSS vulnerability                    |

Changes

  • Updated import path in config/config_yaml.go
  • Updated go.mod dependencies
  • Go version remains at 1.21
  • All tests pass

Test Plan

  • Run go test ./... - all tests pass
  • Verify yaml parsing still works correctly
  • Confirm Go version is unchanged

- Upgrade gopkg.in/yaml.v2 to v3 (fixes DoS vulnerability)
- Upgrade golang.org/x/net to v0.33.0 (fixes XSS and proxy bypass)
- Keep Go version at 1.21
- All tests pass

Resolves: Dependabot alerts #9, #10, #11, #24, #25
@devfeel devfeel merged commit ae49f86 into aicode Mar 3, 2026
1 check passed
@devfeel devfeel deleted the aicode-security-upgrade-v2 branch March 8, 2026 08:56
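The PR text lists the dependency changes and a test plan, but not a check that the upgrade actually landed everywhere: a stale `require gopkg.in/yaml.v2` line left behind when only the import path is edited, or a second file still importing the v2 path, is exactly what a dependency scanner keeps flagging. The following Go program is an added example, not code from this PR or from the project. It parses go.mod text for leftover gopkg.in/yaml.v2 requirements and for golang.org/x/net below v0.33.0, and uses the standard-library go/parser to scan a source file for imports of the retired module. The module path example.com/app, the pre-upgrade versions and the Load function in the embedded snippets are constructed for the example; the v0.33.0 threshold and the v2 to v3 move are taken from the PR description.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Expectations from the PR description; the checker itself is an added example, not project code.
var forbiddenModules = []string{"gopkg.in/yaml.v2"}
var minVersions = [][2]string{{"gopkg.in/yaml.v3", "v3.0.0"}, {"golang.org/x/net", "v0.33.0"}}

// Constructed samples: module path, pre-upgrade versions and the Load function are invented.
const goModBefore = "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgolang.org/x/net v0.17.0\n\tgopkg.in/yaml.v2 v2.4.0 // indirect\n)\n"
const goModAfter = "module example.com/app\n\ngo 1.21\n\nrequire golang.org/x/net v0.33.0\nrequire gopkg.in/yaml.v3 v3.0.1\n"
const srcBefore = "package config\n\nimport \"gopkg.in/yaml.v2\"\n\nfunc Load(b []byte, v any) error { return yaml.Unmarshal(b, v) }\n"
const srcAfter = "package config\n\nimport \"gopkg.in/yaml.v3\"\n\nfunc Load(b []byte, v any) error { return yaml.Unmarshal(b, v) }\n"

// parseRequires maps module path -> version from go.mod text; single-line and block requires, `// indirect` ignored.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) >= 3:
			reqs[f[1]] = f[2]
		case inBlock && len(f) >= 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

func semver(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release, pseudo-version or +incompatible suffix
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // non-numeric parts read as 0
	}
	return n
}

// AtLeast reports whether module version have satisfies the minimum want.
func AtLeast(have, want string) bool {
	h, w := semver(have), semver(want)
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// AuditGoMod returns one finding per unmet expectation; nil means go.mod is clean.
func AuditGoMod(gomod string) (findings []string) {
	reqs := parseRequires(gomod)
	for _, m := range forbiddenModules {
		if v, ok := reqs[m]; ok {
			findings = append(findings, m+" "+v+" still required")
		}
	}
	for _, mv := range minVersions {
		if v, ok := reqs[mv[0]]; !ok {
			findings = append(findings, mv[0]+" missing from go.mod")
		} else if !AtLeast(v, mv[1]) {
			findings = append(findings, mv[0]+" "+v+" is below "+mv[1])
		}
	}
	return findings
}

// StaleYAMLImports parses one Go file (imports only) and returns import paths still on a forbidden module.
func StaleYAMLImports(src string) (stale []string) {
	f, err := parser.ParseFile(token.NewFileSet(), "config_yaml.go", src, parser.ImportsOnly)
	if err != nil {
		return []string{"parse error: " + err.Error()}
	}
	for _, imp := range f.Imports {
		p := strings.Trim(imp.Path.Value, `"`)
		for _, m := range forbiddenModules {
			if p == m || strings.HasPrefix(p, m+"/") {
				stale = append(stale, p)
			}
		}
	}
	return stale
}

func main() {
	fmt.Println("go.mod before:", AuditGoMod(goModBefore), "after:", AuditGoMod(goModAfter))
	fmt.Println("imports before:", StaleYAMLImports(srcBefore), "after:", StaleYAMLImports(srcAfter))
}
```

In a real repository, feed AuditGoMod the contents of go.mod and StaleYAMLImports each file under config/ (or walk the whole tree). Editing only the import path leaves the old requirement in go.mod until `go mod tidy` is run, which is why the go.mod check and the import check are kept separate: both have to come back empty before the alerts can be considered closed.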
