OCPBUGS-96855: Bump golang.org/x/net to v0.55.0#639
Conversation
This PR addresses CVE-2026-27136 (golang.org/x/net/html XSS vulnerability via duplicate HTML attribute mishandling) by updating golang.org/x/net from v0.53.0 to v0.55.0. The local-storage-mustgather component is a must-gather debugging tool that collects cluster diagnostic data. Analysis confirmed that the component does not import or use golang.org/x/net/html parser functions, so the risk is LOW (transitive dependency only). Update is applied for compliance with security scanning requirements. Related: OCPBUGS-96855
|
@jkaurredhat: This pull request references Jira Issue OCPBUGS-96855, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jkaurredhat The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@jkaurredhat: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Please don't update |
Summary
This PR addresses CVE-2026-27136 by updating
golang.org/x/netfrom v0.53.0 to v0.55.0, which fixes an XSS vulnerability caused by improper handling of duplicate HTML attributes in the HTML parser.Changes
golang.org/x/netfrom v0.53.0 to v0.55.0golang.org/x/sys,golang.org/x/term,golang.org/x/textgo mod tidyandgo mod vendormake updateto regenerate manifestsCVE Details
CVE-2026-27136: Cross-Site Scripting via duplicate HTML attribute mishandling in golang.org/x/net/html