From 8c38567050ec4534f35231e498d3b8cc01b4f6f0 Mon Sep 17 00:00:00 2001 From: Zach Taylor Date: Tue, 21 Apr 2026 21:58:14 -0400 Subject: [PATCH 1/2] fix(security): bump golang.org/x/crypto to v0.50.0 (5 CVEs) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps golang.org/x/crypto v0.31.0 → v0.50.0 to address 5 SSH-related CVEs (network-accessible, no-auth surface). Indirect deps bumped to consistent versions: x/sys v0.38.0 → v0.43.0, x/text v0.21.0 → v0.36.0. x/crypto v0.50.0 requires Go 1.25.0 (was 1.24.2). go mod tidy also promoted three charmbracelet/* deps from indirect to direct since they are imported directly by the codebase. Verified: `go build ./...` succeeds.
---
 cmd/nixfleet/go.mod | 16 +++++++--------- cmd/nixfleet/go.sum | 20 ++++++++++---------- 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/cmd/nixfleet/go.mod b/cmd/nixfleet/go.mod
index a31c579..b5e5cb1 100644
--- a/cmd/nixfleet/go.mod
+++ b/cmd/nixfleet/go.mod
@@ -1,21 +1,19 @@
 module github.com/nixfleet/nixfleet
-go 1.24.2
-
-toolchain go1.24.10
+go 1.25.0
 require (
+ github.com/charmbracelet/bubbles v1.0.0
+ github.com/charmbracelet/bubbletea v1.3.10
+ github.com/charmbracelet/lipgloss v1.1.0
 github.com/spf13/cobra v1.8.1
- golang.org/x/crypto v0.31.0
+ golang.org/x/crypto v0.50.0
 gopkg.in/yaml.v3 v3.0.1
 )
 require (
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
- github.com/charmbracelet/bubbles v1.0.0 // indirect
- github.com/charmbracelet/bubbletea v1.3.10 // indirect
 github.com/charmbracelet/colorprofile v0.4.1 // indirect
- github.com/charmbracelet/lipgloss v1.1.0 // indirect
 github.com/charmbracelet/x/ansi v0.11.6 // indirect
 github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
 github.com/charmbracelet/x/term v0.2.2 // indirect
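Review bot: Replacing `go 1.24.2` and `toolchain go1.24.10` with the single line `go 1.25.0` drops the patch-level toolchain pin, so a plain `go build` now accepts any local Go from 1.25.0 upward, including the first 1.25 release without its later standard-library security fixes. If the old pin was intentional, restore one below the `go` line, for example `toolchain go1.25.N` where N is a placeholder for the current patch release (not a value from this patch); the Nix build presumably takes Go from nixpkgs and would not be affected. Separately, the description verifies the v0.31.0 to v0.50.0 jump of `golang.org/x/crypto` only with `go build ./...`, which does not exercise SSH at run time, so running the test suite and `govulncheck ./...` before merging would give better evidence that the advisories are closed and behaviour is unchanged.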
@@ -34,6 +32,6 @@ require (
 github.com/rivo/uniseg v0.4.7 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
- golang.org/x/sys v0.38.0 // indirect
- golang.org/x/text v0.21.0 // indirect
+ golang.org/x/sys v0.43.0 // indirect
+ golang.org/x/text v0.36.0 // indirect
 )
diff --git a/cmd/nixfleet/go.sum b/cmd/nixfleet/go.sum
index f91aaee..119c337 100644
--- a/cmd/nixfleet/go.sum
+++ b/cmd/nixfleet/go.sum
@@ -48,18 +48,18 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
From c7db31d919894f9d4e1c084fe5edf98b34b0e08a Mon Sep 17 00:00:00 2001 From: Zach Taylor Date: Tue, 21 Apr 2026 22:01:48 -0400 Subject: [PATCH 2/2] fix(nix): bump nixfleet vendorHash for x/crypto v0.50 deps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the buildGoModule vendorHash in pkgs/nixfleet/default.nix to match the new go.sum after bumping golang.org/x/crypto v0.31 → v0.50 (and the indirect x/sys + x/text bumps). Got hash from CI failure log: sha256-bMpgBgpnO6rMoXW0IQouJwBed8sfVHLx7s0ThlvmJSo=
---
 pkgs/nixfleet/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/nixfleet/default.nix b/pkgs/nixfleet/default.nix
index 8dac343..b4a2185 100644
--- a/pkgs/nixfleet/default.nix
+++ b/pkgs/nixfleet/default.nix
@@ -13,7 +13,7 @@ buildGoModule rec {
 src = ../../cmd/nixfleet;
- vendorHash = "sha256-mX9RPVn7vhmhge9WD4vdA2iKyoioVurS0T3hjeY5umo=";
+ vendorHash = "sha256-bMpgBgpnO6rMoXW0IQouJwBed8sfVHLx7s0ThlvmJSo=";
 nativeBuildInputs = [ installShellFiles ];