Skip to content

chore(deps): update module golang.org/x/net to v0.53.0 [security]#16

Merged
chengjingtao merged 1 commit into
alauda-v0.0.18from
renovate/go-golang.org-x-net-vulnerability
May 22, 2026
Merged

chore(deps): update module golang.org/x/net to v0.53.0 [security]#16
chengjingtao merged 1 commit into
alauda-v0.0.18from
renovate/go-golang.org-x-net-vulnerability

Conversation

@alaudaa-renovate

@alaudaa-renovate alaudaa-renovate Bot commented May 10, 2026
edited
Loading

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/net v0.46.0 -> v0.53.0 age confidence
golang.org/x/net v0.45.0 -> v0.53.0 age confidence

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

BIT-golang-2026-33814 / CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate

alaudaa-renovate Bot commented May 10, 2026

Copy link
Copy Markdown
Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: .dagger/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: dagger/harbor-cli imports
	dagger/harbor-cli/internal/dagger: package dagger/harbor-cli/internal/dagger is not in std (/opt/containerbase/tools/golang/1.26.2/src/dagger/harbor-cli/internal/dagger)

alaudabot
alaudabot approved these changes May 10, 2026
View reviewed changes

@alaudabot alaudabot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This security update properly addresses CVE-2026-33814 (HTTP/2 infinite loop vulnerability) by updating golang.org/x/net to v0.53.0. Module checksums verified successfully - all good to merge.

@alaudabot

alaudabot commented May 10, 2026
edited
Loading

Copy link
Copy Markdown

🤖 AI Code Review

Property Value
Model opencode/minimax-m2.5-free
Style strict
Issues Found 0
Config Source centralized
Profile ❌ Not Found
Personalized Prompt ❌ No
Prompt Path .github/review/profiles/alaudadevops/harbor-cli/pr-review.md
Alauda Skills ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-component-e2e-release, builders-alauda-component-upgrade, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-edge-ci-trace, builders-gitlab-ops, builders-helm-operator-generator, builders-install-cluster-plugin, builders-jira, builders-notify-wecom, builders-olm-operator-lifecycle, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, builders-violet, builders-webapp-testing, cross-repo-add-mirror, cross-repo-publish, devops-add-bug-release-notes, devops-autodns, devops-bundle-csv-baseline-diff, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-pr-review, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at 2026-05-20 09:52:42 UTC

Summary

This PR updates golang.org/x/net from v0.46.0/v0.45.0 to v0.53.0 to patch CVE-2026-33814 (an HTTP/2 infinite loop vulnerability). The update is automated by Renovate and also bumps连带 dependencies (golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text) for consistency. No critical issues found.

Review Statistics

Category Count
Critical Issues 0
Warnings 0
Suggestions 2
Files Reviewed 3

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None.

Warnings

Issues that SHOULD be addressed but are not blocking

None.

Suggestions

Recommendations for improvement (nice to have)

  • [.dagger/go.mod:38] (style/indirect-comment): The .dagger/go.mod has an indirect golang.org/x/net pinned at a newer version than the main go.mod (v0.53.0 vs v0.53.0 in sync, but .dagger is slightly ahead). Consider aligning versions if cross-module consistency matters for Dagger build reproducibility.

  • [go.mod:96] (docs/missing): The golang.org/x/term upgrade from v0.40.0 to v0.42.0 in the direct require block is a minor version jump. Ensure integration tests cover terminal/resize scenarios given the update includes changes to terminal-related APIs.

Positive Feedback

  • Excellent automated security patching hygiene — the PR cleanly targets CVE-2026-33814 with minimal collateral changes.
  • Consistent version bumps across all three files (.dagger/go.mod, go.mod, go.sum) maintain build reproducibility.
  • The PR body correctly references the CVE, OSV database, and upstream Go vulnerability entry, making auditability straightforward.
  • No code logic changes — purely dependency pins, keeping the attack surface reduction simple and reviewable.
ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: e75e733e9aa1b417a8b3c6441e53495dbcb418ad
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-component-e2e-release, builders-alauda-component-upgrade, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-edge-ci-trace, builders-gitlab-ops, builders-helm-operator-generator, builders-install-cluster-plugin, builders-jira, builders-notify-wecom, builders-olm-operator-lifecycle, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, builders-violet, builders-webapp-testing, cross-repo-add-mirror, cross-repo-publish, devops-add-bug-release-notes, devops-autodns, devops-bundle-csv-baseline-diff, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-pr-review, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

@alaudabot

alaudabot commented May 20, 2026

Copy link
Copy Markdown

Summary

This PR updates golang.org/x/net from v0.46.0/v0.45.0 to v0.53.0 to patch CVE-2026-33814 (an HTTP/2 infinite loop vulnerability). The update is automated by Renovate and also bumps连带 dependencies (golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text) for consistency. No critical issues found.

Review Statistics

Category Count
Critical Issues 0
Warnings 0
Suggestions 2
Files Reviewed 3

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None.

Warnings

Issues that SHOULD be addressed but are not blocking

None.

Suggestions

Recommendations for improvement (nice to have)

  • [.dagger/go.mod:38] (style/indirect-comment): The .dagger/go.mod has an indirect golang.org/x/net pinned at a newer version than the main go.mod (v0.53.0 vs v0.53.0 in sync, but .dagger is slightly ahead). Consider aligning versions if cross-module consistency matters for Dagger build reproducibility.

  • [go.mod:96] (docs/missing): The golang.org/x/term upgrade from v0.40.0 to v0.42.0 in the direct require block is a minor version jump. Ensure integration tests cover terminal/resize scenarios given the update includes changes to terminal-related APIs.

Positive Feedback

  • Excellent automated security patching hygiene — the PR cleanly targets CVE-2026-33814 with minimal collateral changes.
  • Consistent version bumps across all three files (.dagger/go.mod, go.mod, go.sum) maintain build reproducibility.
  • The PR body correctly references the CVE, OSV database, and upstream Go vulnerability entry, making auditability straightforward.
  • No code logic changes — purely dependency pins, keeping the attack surface reduction simple and reviewable.

@alaudaa-renovate alaudaa-renovate Bot force-pushed the renovate/go-golang.org-x-net-vulnerability branch from 19b04b5 to 20206f1 Compare May 21, 2026 21:07
@chengjingtao chengjingtao force-pushed the renovate/go-golang.org-x-net-vulnerability branch from 20206f1 to 955a39a Compare May 22, 2026 02:30
@chengjingtao chengjingtao merged commit 8bedc7f into alauda-v0.0.18 May 22, 2026
5 checks passed
@chengjingtao chengjingtao deleted the renovate/go-golang.org-x-net-vulnerability branch May 22, 2026 02:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alaudabot alaudabot alaudabot approved these changes

Assignees

@chengjingtao chengjingtao

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alaudabot @chengjingtao