Skip to content

Commit f5fe2e9

Browse files
rdimitrovclaude
andauthored
build(deps): bump golang.org/x/net from v0.52.0 to v0.53.0 (#1269)
## Summary Bumps `golang.org/x/net` from `v0.52.0` to `v0.53.0` to address `GO-2026-4918` (HTTP/2 transport infinite loop on bad `SETTINGS_MAX_FRAME_SIZE`). `go mod tidy` also pulls `golang.org/x/crypto` to v0.50.0 and `golang.org/x/text` to v0.36.0. ## Why now `govulncheck` is failing on `main` and every open Dependabot PR (#1263, #1264, #1265) after the 2026-05 Go security release. The findings split into: - **One we control** — `golang.org/x/net@v0.52.0` → fixed in `v0.53.0`. Addressed here. - **Six stdlib findings** (`GO-2026-4986`, `4982`, `4980`, `4977`, `4971`, and the stdlib half of `4918`) — all fixed in `go1.26.3`. We deliberately do **not** pin a Go patch in the workflow: `go-version: 'stable'` will pick up `1.26.3` automatically once the `actions/go-versions` manifest catches up, with no workflow maintenance. ## Test plan - [x] `go build ./...` - [x] `go vet ./...` - [x] `GOTOOLCHAIN=go1.26.3 govulncheck ./...` → "No vulnerabilities found." 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 718735c commit f5fe2e9

2 files changed

Lines changed: 9 additions & 9 deletions

File tree

go.mod

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -73,12 +73,12 @@ require (
7373
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
7474
go.opentelemetry.io/otel/trace v1.43.0 // indirect
7575
go.yaml.in/yaml/v2 v2.4.4 // indirect
76-
golang.org/x/crypto v0.49.0 // indirect
77-
golang.org/x/net v0.52.0 // indirect
76+
golang.org/x/crypto v0.50.0 // indirect
77+
golang.org/x/net v0.53.0 // indirect
7878
golang.org/x/oauth2 v0.36.0 // indirect
7979
golang.org/x/sync v0.20.0 // indirect
8080
golang.org/x/sys v0.43.0 // indirect
81-
golang.org/x/text v0.35.0 // indirect
81+
golang.org/x/text v0.36.0 // indirect
8282
golang.org/x/time v0.15.0 // indirect
8383
google.golang.org/api v0.274.0 // indirect
8484
google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 // indirect

go.sum

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -164,21 +164,21 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
164164
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
165165
go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
166166
go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
167-
golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
168-
golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
167+
golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
168+
golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
169169
golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
170170
golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
171-
golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
172-
golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
171+
golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
172+
golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
173173
golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
174174
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
175175
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
176176
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
177177
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
178178
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
179179
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
180-
golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
181-
golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
180+
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
181+
golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
182182
golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
183183
golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
184184
gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=

0 commit comments

Comments
 (0)