fix(deps): bump Go toolchain + x/net + x/sys to clear disclosed CVEs#65
Open
rsavitt wants to merge 1 commit into
Conversation
Detected by osv-scanner 2.3.8 at HEAD 8d187f6.

Changes (go.mod / go.sum, `go mod tidy` clean):

- `go 1.25.0` -> `go 1.25.10` (Go stdlib patch line — clears 24 disclosed GO-2025-/GO-2026- advisories in net/http, crypto/tls, crypto/x509, html/template, net/url, net/mail, archive/tar, archive/zip, encoding/pem, encoding/asn1, encoding/textproto, html/template, os and others).
- `golang.org/x/net v0.52.0` -> `v0.55.0` (clears 7 advisories: GO-2026-4918 HTTP/2 client infinite loop on bad SETTINGS_MAX_FRAME_SIZE; GO-2026-5025/5026/5027/5028/5029/5030 — golang.org/x/net/html parser issues including XSS via duplicate attributes and DoS on malformed HTML).
- `golang.org/x/sys v0.42.0` -> `v0.45.0` (clears GO-2026-5024 integer overflow in NewNTUnicodeString on Windows). v0.45.0 is what `go mod tidy` chose given the bumped go directive — slightly newer than the 0.44.0 minimum.
- `golang.org/x/text v0.35.0` -> `v0.37.0` (transitive, no disclosed CVE — `go mod tidy` pulled it forward to match x/net's minimum).

No code changes outside go.mod / go.sum. `go build ./...` and `go vet ./...` both clean locally with go1.25.10.

Practical impact for this binary:

- HTTP/2 client loop matters because `internal/llm/*` is the only HTTP client path and it speaks to Anthropic/OpenAI endpoints; the stdlib net/http transport is the one carrying those requests.
- `html/template` XSS bypasses matter for `internal/viewer/`, which renders session pages with html/template.
- Most stdlib advisories are DoS/memory exhaustion — low priority for an interactive CLI, but the patch line clears them in one move.

Refs: https://pkg.go.dev/vuln/list, https://go.dev/doc/devel/release.

---

Filed by [Aeon](https://github.com/aeonframework/aeon).
✅ OpenCodeReview: No supported files changed.

rsavitt seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Summary
Automated dependency bump to clear disclosed Go ecosystem CVEs surfaced by osv-scanner 2.3.8 at HEAD 8d187f6.

| Module | Before | After | Why |
| --- | --- | --- | --- |
| `go` directive | 1.25.0 | 1.25.10 | GO-2025-*/GO-2026-* Go stdlib advisories — `net/http`, `crypto/tls`, `crypto/x509`, `html/template`, `net/url`, `net/mail`, `archive/tar`, `archive/zip`, `encoding/pem`, `encoding/asn1`, `net/textproto`, `os`. 3 further stdlib advisories (GO-2026-5037/5038/5039) need 1.25.11 or 1.26.4 and remain as the next maintenance increment. |
| `golang.org/x/net` | v0.52.0 | v0.55.0 | GO-2026-4918 (HTTP/2 client infinite loop on bad `SETTINGS_MAX_FRAME_SIZE`) and 6 `golang.org/x/net/html` parser issues (GO-2026-5025…GO-2026-5030), one of which is an XSS via duplicate-attribute handling. |
| `golang.org/x/sys` | v0.42.0 | v0.45.0 | GO-2026-5024 integer overflow in `NewNTUnicodeString` on Windows. 0.45.0 is what `go mod tidy` chose for the bumped `go` directive — slightly above the 0.44.0 minimum. |
| `golang.org/x/text` | v0.35.0 | v0.37.0 | `go mod tidy` pulled it forward to satisfy `x/net@v0.55.0`. |

41 of 44 disclosed advisories cleared in one bump.
Practical impact for this binary
- `internal/llm/*` is the only HTTP client path and talks to Anthropic / OpenAI endpoints over HTTP/2. The bad-frame loop matters there.
- `html/template` XSS bypasses (multiple on the 1.25.x line) — `internal/viewer/` renders session pages with `html/template`, so the auto-escaper path matters.

Scope

`go.mod` + `go.sum` only. No code changes. `go build ./...` and `go vet ./...` clean locally with go1.25.10.

Detection / Disclosure
Detected by osv-scanner 2.3.8 against the Go module graph. All advisories listed above are already public via pkg.go.dev/vuln; no private channel needed.
Filed by Aeon.
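As an added example that is not part of the PR and not Aeon's code: a small offline gate that reads a go.mod and checks the declared `go` directive and module versions against minimum fixed versions, the way a reviewer would confirm a bump like this one before merging. The go.mod contents, the module path `example.com/aeon-cli`, and the minimum lists are constructed here from the versions the PR description reports; the `MINIMUMS_REMAINING` entry models the three stdlib advisories the description says still need 1.25.11.

```shell
#!/bin/sh
# Added example, not code from the PR or from Aeon: an offline gate that
# checks a go.mod against minimum fixed versions. It is the "is the declared
# version at or above the fix?" part of what osv-scanner does, reduced to
# POSIX sh + awk (no GNU `sort -V`) so it can run in any CI image.

# Constructed go.mod contents (hypothetical module path), pre- and post-bump,
# using the versions reported in the PR description.
GOMOD_BEFORE='module example.com/aeon-cli

go 1.25.0

require (
	golang.org/x/net v0.52.0
	golang.org/x/sys v0.42.0
	golang.org/x/text v0.35.0
)
'
GOMOD_AFTER='module example.com/aeon-cli

go 1.25.10

require (
	golang.org/x/net v0.55.0
	golang.org/x/sys v0.45.0
	golang.org/x/text v0.37.0
)
'

# Minimums, one "<module> <min>" per line; "go" means the go directive.
# Taken from the PR text: the patch line, the x/net fix, the x/sys minimum.
MINIMUMS_THIS_PR='go 1.25.10
golang.org/x/net 0.55.0
golang.org/x/sys 0.44.0'
# The three stdlib advisories the PR says remain open need 1.25.11.
MINIMUMS_REMAINING='go 1.25.11'

# version_ge A B: succeed when A >= B, comparing dotted numeric components.
# A leading "v" is ignored; missing components count as 0 (1.25 == 1.25.0).
# Pre-release suffixes such as -rc1 are not understood and compare as 0.
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = pa[i] + 0; y = pb[i] + 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# gomod_version GOMOD MODULE: print the version go.mod declares for MODULE.
# Handles the go directive, lines inside a `require (...)` block, and the
# single-line `require mod vX` form. Prints nothing if the module is absent.
gomod_version() {
  printf '%s\n' "$1" | awk -v mod="$2" '
    mod == "go" && $1 == "go"                    { print $2; exit }
    mod != "go" && $1 == mod                     { print $2; exit }
    mod != "go" && $1 == "require" && $2 == mod  { print $3; exit }
  '
}

# check_gomod GOMOD MINIMUMS: one report line per minimum; non-zero exit
# when any module is missing or below its minimum.
check_gomod() {
  rc=0
  while read -r mod min; do
    [ -n "$mod" ] || continue
    have=$(gomod_version "$1" "$mod")
    if [ -z "$have" ]; then
      printf 'MISSING %s (need >= %s)\n' "$mod" "$min"; rc=1
    elif version_ge "$have" "$min"; then
      printf 'ok      %s %s (>= %s)\n' "$mod" "$have" "$min"
    else
      printf 'BELOW   %s %s (< %s)\n' "$mod" "$have" "$min"; rc=1
    fi
  done <<EOF
$2
EOF
  return $rc
}

# Demo: the pre-bump go.mod fails, the post-bump one passes, and the
# post-bump one still trips the next-increment minimum the PR calls out.
echo "== before bump"; check_gomod "$GOMOD_BEFORE" "$MINIMUMS_THIS_PR" || echo "-> not cleared"
echo "== after bump";  check_gomod "$GOMOD_AFTER"  "$MINIMUMS_THIS_PR" && echo "-> cleared"
echo "== remaining";   check_gomod "$GOMOD_AFTER"  "$MINIMUMS_REMAINING" || echo "-> next increment still open"
```

Two caveats worth pairing with a check like this. The `go` directive in go.mod is a minimum: the stdlib actually compiled into a release binary comes from whichever toolchain built it, so `go version -m <binary>` on the shipped artifact is the authoritative confirmation that the 1.25.10 stdlib fixes are present. And the standard library's `net/http` carries its own bundled copy of `x/net/http2`, so the HTTP/2 fix for the stdlib transport arrives with the Go patch release; the `golang.org/x/net` bump covers code that imports `golang.org/x/net/http2` directly.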