fix(vuln): update Go dependencies to fix CVEs (2026-05-08) #17

Merged
nanjingfm merged 1 commit into alauda-v1.6.5 from fix-vuln-alauda-v1.6.5-20260508
May 8, 2026

@nanjingfm

Collaborator

Changes

  • golang.org/x/net v0.47.0 → v0.53.0
  • golang.org/x/crypto v0.45.0 → v0.50.0
  • golang.org/x/sys v0.38.0 → v0.43.0
  • golang.org/x/text v0.31.0 → v0.36.0

Fixed

  • GO-2026-4918: Infinite loop in HTTP/2 transport (x/net)

Pending (requires Go 1.26.3, not yet released)

  • GO-2026-4986: net/mail consumeComment
  • GO-2026-4977: net/mail consumePhrase
  • GO-2026-4971: net Dial NUL byte on Windows

…ext v0.36.0

Fix GO-2026-4918 (x/net HTTP/2 infinite loop).
Remaining GO-2026-4986/4977/4971 require Go 1.26.3 (not yet released).
@nanjingfm nanjingfm merged commit 25f5811 into alauda-v1.6.5 May 8, 2026
2 checks passed
@nanjingfm nanjingfm deleted the fix-vuln-alauda-v1.6.5-20260508 branch May 8, 2026 01:21