
fix: cve-2026-39829, upgrade golang.org/x/crypto #3354

Open

fghanmi wants to merge 1 commit into conforma:release-v0.8 from fghanmi:CVE-2026-39829

Conversation


@fghanmi fghanmi commented Jun 23, 2026



fullsend-ai-review Bot commented Jun 23, 2026


🤖 Finished Review · ✅ Success · Started 12:51 PM UTC · Completed 12:57 PM UTC
Commit: 47d3320


coderabbitai Bot commented Jun 23, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 5bcaabf4-bab5-4271-8547-a8150301b0e4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@fullsend-ai-review


Review

Findings

Low

  • [CVE verification] go.mod:394 — The PR title claims this fixes "cve-2026-39829" by upgrading golang.org/x/crypto from v0.50.0 to v0.53.0. The CVE identifier cannot be independently verified from the code alone. If this CVE does not exist or is not fixed in v0.53.0, the upgrade is still harmless but the commit message would be misleading. Consider adding a link to the CVE advisory in the PR description for traceability.

Info

  • [dependency version consistency] go.mod — The golang.org/x/* package version bumps appear internally consistent. crypto v0.50.0 → v0.53.0, with corresponding bumps to sys, net, text, term, mod, sync, and tools all follow the coordinated golang.org/x/* release model. Direct usages (errgroup, singleflight, text/cases, text/language) are stable APIs unaffected by these minor bumps.

Comment thread go.mod
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.50.0 // indirect
golang.org/x/mod v0.35.0 // indirect
golang.org/x/crypto v0.53.0 // indirect
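Review bot: only the golang.org/x/crypto v0.50.0 → v0.53.0 line is visible in this go.mod hunk, while the findings above describe coordinated bumps to sys, net, text, term, mod, sync and tools; those companion lines and the matching go.sum entries are not shown here, so please confirm go.sum was regenerated (for example with `go mod tidy`) in the same commit so the module graph and checksums stay consistent with the crypto bump.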


[low] CVE verification

The PR title claims this fixes cve-2026-39829 by upgrading golang.org/x/crypto from v0.50.0 to v0.53.0. The CVE identifier cannot be independently verified from the code alone. Consider adding a link to the CVE advisory in the PR description for traceability.

Suggested fix: Add a link to the CVE advisory (e.g., from the Go vulnerability database or NVD) in the PR description.

Author


Already done.
CVE-2026-39829

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 23, 2026

codecov Bot commented Jun 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.86% <ø> (ø)
generative 18.14% <ø> (ø)
integration 26.99% <ø> (ø)
unit 68.66% <ø> (ø)

Flags with carried forward coverage won't be shown.


Labels

ready-for-merge All reviewers approved — ready to merge size: S
