Skip to content

chore(deps): update module golang.org/x/net to v0.55.0 [security] (release-v1.40)#5012

Open
marvin-tigera wants to merge 1 commit into
release-v1.40from
renovate/release-v1.40-go-golang.org-x-net-vulnerability
Open

chore(deps): update module golang.org/x/net to v0.55.0 [security] (release-v1.40)#5012
marvin-tigera wants to merge 1 commit into
release-v1.40from
renovate/release-v1.40-go-golang.org-x-net-vulnerability

Conversation

@marvin-tigera

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/net v0.50.0v0.55.0 age confidence

Go Net HTML parser is vulnerable to denial of service

CVE-2026-25680 / GHSA-5cv4-jp36-h3mw

More information

Details

In Go Net (golang.org/x/net) before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


  • If you want to rebase/retry this PR, check this box

@marvin-tigera marvin-tigera requested a review from a team as a code owner July 13, 2026 18:32
@marvin-tigera marvin-tigera added dependencies Pull requests that update a dependency file docs-not-required release-note-not-required labels Jul 13, 2026
@marvin-tigera

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.13 -> 1.25.0
golang.org/x/text v0.34.0 -> v0.37.0

@marvin-tigera marvin-tigera added docs-not-required dependencies Pull requests that update a dependency file labels Jul 13, 2026
@marvin-tigera marvin-tigera added this to the v1.40.14 milestone Jul 13, 2026
@marvin-tigera marvin-tigera force-pushed the renovate/release-v1.40-go-golang.org-x-net-vulnerability branch from f0fddee to 7f234d8 Compare July 13, 2026 20:24
@marvin-tigera marvin-tigera force-pushed the renovate/release-v1.40-go-golang.org-x-net-vulnerability branch from 7f234d8 to 828c0d2 Compare July 13, 2026 22:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file docs-not-required release-note-not-required

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant