
chore(deps): automated bump for main #484

Merged: ericfitz merged 1 commit into main from deps/auto-bump/main/27807162385 on Jun 19, 2026

Conversation

@ericfitz-deps-bot


Automated dependency bump for main (safe patch/minor only).

Generated by the deps:bump skill running headless in CI. Review before merging.

Skill output / manual-review plan
Commit created. Per CI instructions, stopping here — push and PR are handled by a separate CI step.

---

### Phase 11: Manual Review Plan

**Priority 1 — Go Standard Library Vulnerabilities (require toolchain upgrade)**

6 vulnerabilities in the standard library fixed in Go 1.26.3 / 1.26.4. These **cannot** be addressed by module dependency updates — the Go toolchain itself must be upgraded in CI and in `go.mod`.

| ID | Package | Fixed in | Description |
|----|---------|----------|-------------|
| GO-2026-5039 | net/textproto | go1.26.4 | Arbitrary inputs in errors without escaping |
| GO-2026-5037 | crypto/x509 | go1.26.4 | Inefficient candidate hostname parsing |
| GO-2026-4986 | net/mail | go1.26.3 | Quadratic string concatenation in consumeComment |
| GO-2026-4977 | net/mail | go1.26.3 | Quadratic string concatenation in consumePhrase |
| GO-2026-4971 | net | go1.26.3 | Panic on NUL byte in Dial/LookupPort (Windows only) |
| GO-2026-4918 | net/http | go1.26.3 | Infinite loop in HTTP/2 transport |

**Recommendation:** Update the CI workflow Go version from `1.26.2` to `1.26.4`, and update `go 1.26.2` in `go.mod` to `go 1.26.4`. This is a patch upgrade within the same minor series and should be low-risk.

---

**Priority 2 — Many transitive Go packages not in go.mod (55 packages)**

These packages showed as outdated in `go list -m -u all` but are not explicitly listed in `go.mod`. They are resolved by Go's MVS algorithm from the direct dependencies we've already updated. No action needed — running `go mod tidy` (which already ran) is sufficient.

Examples of what's being managed transitively: `github.com/Azure/azure-sdk-for-go/*`, `cloud.google.com/go/compute/metadata`, `github.com/klauspost/compress`, `golang.org/x/tools`, etc.

---

**Summary:**

| Category | Count | Status |
|----------|-------|--------|
| Go modules updated | 13 | ✓ Applied |
| Node security fix (dompurify) | 1 | ✓ Applied |
| Node package updated (@redocly/cli) | 1 | ✓ Applied |
| Excluded (golang/protobuf) | 1 | Skipped per CLAUDE.md |
| Needs plan (Go stdlib vulns) | 6 | See Priority 1 above |

**Build:** PASSED | **Tests:** PASSED | **Lint:** PASSED (0 issues)

Go:
- github.com/coreos/go-oidc/v3 v3.18.0 -> v3.19.0
- github.com/AzureAD/microsoft-authentication-library-for-go v1.7.1 -> v1.7.2
- github.com/aws/smithy-go v1.27.1 -> v1.27.2
- github.com/bytedance/sonic v1.15.1 -> v1.15.2
- github.com/fsnotify/fsnotify v1.9.0 -> v1.10.1
- github.com/go-openapi/swag/jsonname v0.26.0 -> v0.26.1
- github.com/mattn/go-sqlite3 v1.14.44 -> v1.14.46
- github.com/onsi/gomega v1.39.1 -> v1.42.0
- github.com/pelletier/go-toml/v2 v2.3.1 -> v2.4.0
- github.com/quic-go/quic-go v0.59.1 -> v0.60.0
- go.mongodb.org/mongo-driver/v2 v2.6.0 -> v2.7.0
- golang.org/x/arch v0.27.0 -> v0.28.0
- golang.org/x/exp pseudo-version updated

Node/pnpm:
- @redocly/cli ^2.33.2 -> ^2.34.0

Security fixes:
- dompurify <=3.4.10 -> ^3.4.11 (moderate, pnpm override; fixes advisory in @redocly/cli transitive dep)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
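As an added example (not the bot's or the repository's own code), a small Go check for the Priority 1 point above: the six standard-library advisories are closed only by the toolchain version declared in `go.mod`, so bumping modules alone leaves them open. The `go.mod` text is constructed, the advisory IDs and fix releases are taken from the table above, and the version comparison uses the standard library's `go/version` package (Go 1.22+).

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"sort"
	"strings"
)

// Constructed go.mod fragment for the pre-upgrade state (`go 1.26.2`); not the real file.
const GoModBefore = "module example.com/app\n\ngo 1.26.2\n\nrequire github.com/coreos/go-oidc/v3 v3.19.0\n"

// The six stdlib advisories from the plan's table, keyed to the release that fixes each.
var stdlibAdvisories = map[string]string{
	"GO-2026-5039": "go1.26.4", // net/textproto
	"GO-2026-5037": "go1.26.4", // crypto/x509
	"GO-2026-4986": "go1.26.3", // net/mail
	"GO-2026-4977": "go1.26.3", // net/mail
	"GO-2026-4971": "go1.26.3", // net (Windows only)
	"GO-2026-4918": "go1.26.3", // net/http
}

// GoDirective returns the go.mod `go X.Y.Z` directive as "goX.Y.Z".
func GoDirective(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "go" && version.IsValid("go"+f[1]) {
			return "go" + f[1], nil
		}
	}
	return "", fmt.Errorf("no valid go directive in go.mod")
}

// Unfixed lists advisories whose fix release is newer than the declared toolchain:
// these stay open no matter how many modules are bumped.
func Unfixed(gomod string) ([]string, error) {
	tc, err := GoDirective(gomod)
	if err != nil {
		return nil, err
	}
	var open []string
	for id, fixed := range stdlibAdvisories {
		if version.Compare(tc, fixed) < 0 {
			open = append(open, id)
		}
	}
	sort.Strings(open) // map iteration order is random; make output stable
	return open, nil
}
```

Running `Unfixed` on the pre-upgrade text reports all six IDs; after the recommended change to `go 1.26.4` it reports none.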
ericfitz-deps-bot (bot) added the `dependencies` label (Pull requests that update a dependency file) on Jun 19, 2026
ericfitz merged commit 24b2af5 into main on Jun 19, 2026
7 checks passed
ericfitz deleted the deps/auto-bump/main/27807162385 branch on June 19, 2026 10:59