Skip to content

🌱 Bump the golang-x group across 1 directory with 2 updates#983

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang-x-f0e16e823f
Open

🌱 Bump the golang-x group across 1 directory with 2 updates#983
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang-x-f0e16e823f

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the golang-x group with 1 update in the / directory: golang.org/x/mod.

Updates golang.org/x/mod from 0.32.0 to 0.37.0

Commits
  • deb1dfc go.mod: update golang.org/x dependencies
  • 087f651 modfile: use slices.Backward
  • 343ee60 x/mod: allow for aggressively conslidating requires
  • 643da9b go.mod: update golang.org/x dependencies
  • ccc3cdf zip: include 'but content has correct sum' note in TestVCS
  • ab30318 zip: update zip hashes for new flate compression
  • 03901d3 go.mod: update golang.org/x dependencies
  • 1ac721d go.mod: update golang.org/x dependencies
  • fb1fac8 all: upgrade go directive to at least 1.25.0 [generated]
  • 27761a2 go.mod: update golang.org/x dependencies
  • See full diff in compare view

Updates golang.org/x/net from 0.50.0 to 0.54.0

Commits
  • b138e06 go.mod: update golang.org/x dependencies
  • 689f70a quic: fix wrong final size being used for RESET_STREAM frame
  • 208f306 http3: increase handshake timeout
  • 49810da http2: enable net/http wrapping when go >= 1.27
  • 5e11a5a quic: fix data race in streamForFrame
  • 8c63081 http2: use empty Transport rather than DefaultTransport in http2wrap
  • fc7b466 http2: add http2wrap test
  • 15c2cb1 http2: avoid overflowing 32-bit int when http2wrap enabled
  • 6465188 http2: add wrapped Server
  • 72f419a http2: add wrapped ClientConn
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the golang-x group with 1 update in the / directory: [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/mod` from 0.32.0 to 0.37.0
- [Commits](golang/mod@v0.32.0...v0.37.0)

Updates `golang.org/x/net` from 0.50.0 to 0.54.0
- [Commits](golang/net@v0.50.0...v0.54.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/net
  dependency-version: 0.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 18:52
@dependabot dependabot Bot requested review from AdamKorcz and spencerschrock June 29, 2026 18:52
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 29, 2026
@netlify

netlify Bot commented Jun 29, 2026

Copy link
Copy Markdown

Deploy Preview for ossf-scorecard canceled.

Name Link
🔨 Latest commit 51e2814
🔍 Latest deploy log https://app.netlify.com/projects/ossf-scorecard/deploys/6a42bef9a755780008a22484

@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code security analysis found zero issues (no secrets, no workflow vulnerabilities, no code-level concerns), the dependency analysis identifies a confirmed, reachable vulnerability that warrants attention before merging. Specifically, golang.org/x/net v0.54.0 (introduced by this PR) contains an active vulnerability CVE-2026-39821 (GO-2026-5026): the ToASCII and ToUnicode functions in the idna package incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., 'xn--example-.com' resolving to 'example.com'). Govulncheck has confirmed the vulnerable code path IS reachable in this codebase, meaning this is not a theoretical risk. This flaw can enable privilege escalation in hostname-based access control logic. The fix is straightforward: update golang.org/x/net to v0.56.0 instead of v0.54.0. Action required: run 'go get golang.org/x/net@v0.56.0' and update the PR accordingly. We strongly recommend addressing this before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • golang.org/x/net (v0.54.0) — Active Vulnerability: CVE-2026-39821 (GO-2026-5026)

Summary: The ToASCII and ToUnicode functions in golang.org/x/net/idna incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., 'xn--example-.com' resolves to 'example.com'). This can enable privilege escalation in programs that perform access control checks on hostnames before converting them.

Status: notAffected=false — Govulncheck has NOT ruled this out for this codebase. This is a confirmed risk.

Dependency path: github.com/ossf/scorecard-webapp → golang.org/x/net (direct dependency)

Fix: Update golang.org/x/net to v0.56.0 (latest available with fix).
Command: go get golang.org/x/net@v0.56.0

Note: The current PR updates to v0.54.0, but v0.56.0 is required to resolve this vulnerability. Consider updating the dependabot target or manually pinning to v0.56.0.


@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 51e2814, performed at: 2026-06-29T18:53:42Z

Found this helpful? Give it a 👍 or 👎 reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants