Skip to content

Bump golang.org/x/net from 0.49.0 to 0.55.0#1031

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/golang.org/x/net-0.55.0
Open

Bump golang.org/x/net from 0.49.0 to 0.55.0#1031
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/golang.org/x/net-0.55.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps golang.org/x/net from 0.49.0 to 0.55.0.

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

@dependabot dependabot Bot added Dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 3, 2026
@dependabot dependabot Bot added Dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

go.mod

NameVersionVulnerabilitySeverity
golang.org/x/crypto0.51.0golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responsescritical
golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassedcritical
golang.org/x/crypto vulnerable to infinite loop on large channel writescritical
golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked statuscritical
golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcementcritical
golang.org/x/crypto doesn't enforce invoking key constraintscritical
golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keyscritical
golang.org/x/crypto: Invoking byte arithmetic causes underflow and panichigh
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoShigh
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictionsmoderate
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flowmoderate
golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoSmoderate
golang.org/x/crypto: Invoking pathological inputs can lead to client panicmoderate
Only included vulnerabilities with severity moderate or higher.

License Issues

go.mod

PackageVersionLicenseIssue Type
golang.org/x/net0.55.0NullUnknown License
golang.org/x/sys0.45.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
gomod/golang.org/x/crypto 0.51.0 UnknownUnknown
gomod/golang.org/x/net 0.55.0 UnknownUnknown
gomod/golang.org/x/sync 0.20.0 UnknownUnknown
gomod/golang.org/x/sys 0.45.0 UnknownUnknown
gomod/golang.org/x/text 0.37.0 UnknownUnknown

Scanned Files

  • go.mod

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.49.0 to 0.55.0.
- [Commits](golang/net@v0.49.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang.org/x/net-0.55.0 branch from 7240d8e to 826e12b Compare July 9, 2026 18:14
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ Security Dependency Review Failed ⚠️

This pull request introduces dependencies with security vulnerabilities of moderate severity or higher.

Vulnerable Dependencies:

📦 golang.org/x/crypto@0.51.0

What to do next?

  1. Review the vulnerability details in the Dependency Review Comment above, specifically the "Vulnerabilities" section
  2. Click on the links in the "Vulnerability" section to see the details of the vulnerability
  3. If multiple versions of the same package are vulnerable, please update to the common latest non-vulnerable version
  4. If you are unsure about the vulnerability, please contact the security engineer
  5. If the vulnerability cannot be avoided (can't upgrade, or need to keep), contact #security on slack to get it added to the allowlist

Security Engineering contact: #security on slack

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants