chore(deps): update module golang.org/x/net to v0.45.0 [security]

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/net	v0.44.0 -> v0.45.0

---

Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441

More information

Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

• https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
• https://github.com/golang/vulndb/issues/4441
• https://go.dev/cl/709875

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440

More information

Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

• https://go.dev/cl/709876
• https://github.com/golang/vulndb/issues/4440
• https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudaa-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: .dagger/go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: dagger/harbor-cli imports
	dagger/harbor-cli/internal/dagger: package dagger/harbor-cli/internal/dagger is not in std (/opt/containerbase/tools/golang/1.26.2/src/dagger/harbor-cli/internal/dagger)

[alaudabot]

[pr-assist-bot] Pending Owner Approval — Release branch security fix

This security dependency update targets alauda-v0.0.18 (a release/alauda branch). Automated merge is not performed on release branches.

The renovate/artifacts check is failing with an Artifact file update failure — the go.sum file needs to be regenerated. A repo owner should:

1. Run go mod tidy locally on this branch and push the updated go.sum, then approve and merge.

This is a security fix and should be prioritized.

[alaudabot]

PR Assist Bot — Owner Approval Needed

This PR targets release branch alauda-v0.0.18. Per policy, release-branch merges require explicit owner approval before the bot proceeds.

PR: AlaudaDevops/harbor-cli#8
Branch: alauda-v0.0.18
Type: Security / Dependency update (Renovate) — x/net v0.45.0

Please reply with /approve-merge or provide explicit approval for the bot to merge this PR on the next sweep.

[alaudabot]

PR Assist Bot Analysis

Failure Type: Dependency Lock File Mismatch
Failed Checks: renovate/artifacts — Artifact file update failure
Root Cause: The go.sum file is out of sync after the golang.org/x/net v0.45.0 dependency update. Renovate was unable to automatically regenerate the artifact files.
PR Branch: alauda-v0.0.18 (release branch — bot auto-fix not permitted on release branches)
Suggested Fix: Manually run go mod tidy on the alauda-v0.0.18 branch and push the updated go.sum to unblock this PR.

[alaudabot]

PR Assist Bot Analysis

Status: Owner-approved but blocked on renovate/artifacts
Passing checks: lint, test-code, vulnerability-check ✅
Failing check: renovate/artifacts — Artifact file update failure (likely go.sum or lock file out of sync)
Branch: alauda-v0.0.18 (release branch — auto-fix not permitted by bot policy)
Action needed: Run go mod tidy locally on this branch and push the updated go.sum / go.mod to resolve the artifact failure. Once passing, the bot will merge on the next sweep.