🌱 Bump the golang-x group across 1 directory with 2 updates#983
🌱 Bump the golang-x group across 1 directory with 2 updates#983dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the golang-x group with 1 update in the / directory: [golang.org/x/mod](https://github.com/golang/mod). Updates `golang.org/x/mod` from 0.32.0 to 0.37.0 - [Commits](golang/mod@v0.32.0...v0.37.0) Updates `golang.org/x/net` from 0.50.0 to 0.54.0 - [Commits](golang/net@v0.50.0...v0.54.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/net dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
✅ Deploy Preview for ossf-scorecard canceled.
|
Kusari Analysis Results:Caution Flagged Issues Detected While the code security analysis found zero issues (no secrets, no workflow vulnerabilities, no code-level concerns), the dependency analysis identifies a confirmed, reachable vulnerability that warrants attention before merging. Specifically, golang.org/x/net v0.54.0 (introduced by this PR) contains an active vulnerability CVE-2026-39821 (GO-2026-5026): the ToASCII and ToUnicode functions in the idna package incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., 'xn--example-.com' resolving to 'example.com'). Govulncheck has confirmed the vulnerable code path IS reachable in this codebase, meaning this is not a theoretical risk. This flaw can enable privilege escalation in hostname-based access control logic. The fix is straightforward: update golang.org/x/net to v0.56.0 instead of v0.54.0. Action required: run 'go get golang.org/x/net@v0.56.0' and update the PR accordingly. We strongly recommend addressing this before merging. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Summary: The ToASCII and ToUnicode functions in golang.org/x/net/idna incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., 'xn--example-.com' resolves to 'example.com'). This can enable privilege escalation in programs that perform access control checks on hostnames before converting them. Status: notAffected=false — Govulncheck has NOT ruled this out for this codebase. This is a confirmed risk. Dependency path: github.com/ossf/scorecard-webapp → golang.org/x/net (direct dependency) Fix: Update golang.org/x/net to v0.56.0 (latest available with fix). Note: The current PR updates to v0.54.0, but v0.56.0 is required to resolve this vulnerability. Consider updating the dependabot target or manually pinning to v0.56.0.
Found this helpful? Give it a 👍 or 👎 reaction! |
Bumps the golang-x group with 1 update in the / directory: golang.org/x/mod.
Updates
golang.org/x/modfrom 0.32.0 to 0.37.0Commits
deb1dfcgo.mod: update golang.org/x dependencies087f651modfile: use slices.Backward343ee60x/mod: allow for aggressively conslidating requires643da9bgo.mod: update golang.org/x dependenciesccc3cdfzip: include 'but content has correct sum' note in TestVCSab30318zip: update zip hashes for new flate compression03901d3go.mod: update golang.org/x dependencies1ac721dgo.mod: update golang.org/x dependenciesfb1fac8all: upgrade go directive to at least 1.25.0 [generated]27761a2go.mod: update golang.org/x dependenciesUpdates
golang.org/x/netfrom 0.50.0 to 0.54.0Commits
b138e06go.mod: update golang.org/x dependencies689f70aquic: fix wrong final size being used for RESET_STREAM frame208f306http3: increase handshake timeout49810dahttp2: enable net/http wrapping when go >= 1.275e11a5aquic: fix data race in streamForFrame8c63081http2: use empty Transport rather than DefaultTransport in http2wrapfc7b466http2: add http2wrap test15c2cb1http2: avoid overflowing 32-bit int when http2wrap enabled6465188http2: add wrapped Server72f419ahttp2: add wrapped ClientConnDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions