CP-42280: Bump golang.org/x/net from 0.52.0 to 0.55.0 #833
Open
evan-cz wants to merge 2 commits into
`govulncheck` on the develop branch reports two vulnerabilities in `golang.org/x/net@v0.52.0`, both reachable from this codebase via the webhook backfiller's HTTP client:

- GO-2026-5026 — `golang.org/x/net/idna` fails to reject ASCII-only Punycode-encoded labels. Fixed in v0.55.0. Reached via `backfiller.AwaitCollectorService` → `http.Client.Do` → `idna.ToASCII`.
- GO-2026-4918 — infinite loop in `net/http/internal/http2` on a malformed `SETTINGS_MAX_FRAME_SIZE`. Fixed in v0.53.0. Reached via the same call chain through the http2 transport.

`x/net` is an indirect dep in both the main module and `/tests`, which is why Dependabot didn't open a PR for it on its own — it follows direct deps. Bumping it explicitly with `go get golang.org/x/net@v0.55.0` in both modules. The minimum-version-selection algorithm pulls along the related `x/` modules:

    golang.org/x/crypto v0.49.0 → v0.51.0
    golang.org/x/net    v0.52.0 → v0.55.0
    golang.org/x/sys    v0.42.0 → v0.45.0
    golang.org/x/term   v0.41.0 → v0.43.0
    golang.org/x/text   v0.35.0 → v0.37.0

This commit only addresses the `govulncheck` half of the CP-42280 work; the `grype`/anchore-scan-action findings against the built Docker image (Go 1.26.2 stdlib CVEs, apache/thrift, go-git, go-billy) are still pending and will land on this branch before merge.

`govulncheck ./...` now reports `No vulnerabilities found`. `go build ./...` clean in both modules.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
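The commit message above points out that `x/net` was pinned only as an `// indirect` dependency, which is why Dependabot never proposed the bump. The following POSIX shell script is an added example (not code from this PR or from the cloudzero-agent repository) of the offline pre-check a CI job can run before `govulncheck`: it parses a constructed go.mod, `// indirect` entries included, and reports whether a module is pinned below a known-fixed version. The go.mod contents, the temp-file layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag go.mod entries pinned below a fixed version.
# Looks at direct and "// indirect" require lines alike, since the
# indirect ones are exactly what Dependabot leaves alone.
set -eu

# Constructed sample go.mod mirroring the pre-bump state described in the PR.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/go.mod" <<'EOF'
module example.com/cloudzero-agent

go 1.26.2

require (
    github.com/example/direct v1.2.3
    golang.org/x/crypto v0.49.0 // indirect
    golang.org/x/net v0.52.0 // indirect
    golang.org/x/sys v0.42.0 // indirect
)
EOF

# module_version GOMOD MODULE -> prints the pinned version (e.g. v0.52.0),
# or nothing if the module is not required at all.
module_version() {
    awk -v mod="$2" '$1 == mod { print $2; exit }' "$1"
}

# semver_lt A B -> exit status 0 if A < B, comparing vMAJOR.MINOR.PATCH
# numerically (string comparison would rank v0.9.0 above v0.55.0).
semver_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        split(a, x, "."); split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0;
            if (x[i] + 0 > y[i] + 0) exit 1;
        }
        exit 1   # equal is not less-than
    }'
}

# needs_bump GOMOD MODULE FIXED -> prints "bump ...", "ok ..." or "absent".
needs_bump() {
    v="$(module_version "$1" "$2")"
    if [ -z "$v" ]; then
        echo "absent"
        return 0
    fi
    if semver_lt "$v" "$3"; then
        echo "bump $2 $v -> $3"
    else
        echo "ok $2 $v"
    fi
}

# Same inputs as the PR: x/net needs the bump, x/sys is already at its floor.
needs_bump "$WORK/go.mod" golang.org/x/net v0.55.0
needs_bump "$WORK/go.mod" golang.org/x/sys v0.42.0
```

The version floor (v0.55.0 here) is the "Fixed in" value from the advisory; the script deliberately does not consult the vulnerability database itself, so it stays offline and is only a fast gate in front of the authoritative `govulncheck ./...` run.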
58dec1f to 505e291
…sites

Go 1.26.2 has six high-severity stdlib CVEs (CVE-2026-39820, -42499, -39836, -33814, -33811, -42501) all fixed in 1.26.3. They show up in the `grype` scan of the agent's Docker image as findings against the embedded `cloudzero-agent` Go binary's stdlib.

`scripts/ci-checks.sh` enforces Go version consistency across the repo; bumping requires updating every site it knows about together. The seven sites updated here are:

- go.mod
- tests/go.mod
- .tools/go.mod
- tests/integration/test_server/go.mod
- docker/Dockerfile
- tests/docker/Dockerfile.smoke-tests
- tests/integration/test_server/Dockerfile

`scripts/ci-checks.sh` now passes; `go build ./...` clean in every module.

This commit only clears the stdlib CVEs attributable to the cloudzero-agent binary itself. The same CVEs (and others — apache/thrift, go-git, go-billy) also show up in the bundled `cloudzero-alloy` binary included in the image; those require a new alloy release and will be addressed separately.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
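The second commit relies on `scripts/ci-checks.sh` to keep every go.mod and Dockerfile on one Go toolchain, so a stdlib CVE fix cannot land on some sites and leave others on the vulnerable release. The script below is an added example of such a consistency check, not the repository's own `ci-checks.sh`: it reads the `go` directive of each go.mod and the `FROM golang:<tag>` line of each Dockerfile under a constructed sample tree and reports every site that disagrees with the expected version. The directory layout, file contents and function names are assumptions.

```shell
#!/bin/sh
# Added example: detect Go toolchain drift across go.mod files and Dockerfiles.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample tree; the paths echo the sites named in the commit
# message, with one site deliberately left on the vulnerable 1.26.2.
mkdir -p "$WORK/tests/integration/test_server" "$WORK/docker" "$WORK/tests/docker"
printf 'module a\n\ngo 1.26.3\n' > "$WORK/go.mod"
printf 'module b\n\ngo 1.26.3\n' > "$WORK/tests/go.mod"
printf 'module c\n\ngo 1.26.2\n' > "$WORK/tests/integration/test_server/go.mod"
printf 'FROM golang:1.26.3-alpine AS build\nCOPY . .\n' > "$WORK/docker/Dockerfile"
printf 'FROM golang:1.26.3 AS build\n' > "$WORK/tests/docker/Dockerfile.smoke-tests"

# go_version_of FILE -> prints the Go version the file pins.
#   go.mod:     the "go 1.26.3" directive
#   Dockerfile: the first "FROM golang:<version>..." line, image suffix stripped
go_version_of() {
    case "$1" in
        *go.mod)
            awk '$1 == "go" { print $2; exit }' "$1"
            ;;
        *)
            sed -n 's/^FROM[[:space:]]\{1,\}golang:\([0-9.]*\).*/\1/p' "$1" | head -n 1
            ;;
    esac
}

# check_go_versions ROOT EXPECTED -> prints one MISMATCH line per drifting
# site and returns 1 if any site drifts, 0 if all agree.
check_go_versions() {
    root="$1"
    expected="$2"
    rc=0
    for f in $(cd "$root" && find . -name go.mod -o -name 'Dockerfile*' | sort); do
        v="$(go_version_of "$root/$f")"
        if [ "$v" != "$expected" ]; then
            echo "MISMATCH $f: $v (want $expected)"
            rc=1
        fi
    done
    return $rc
}

check_go_versions "$WORK" 1.26.3 || echo "Go version drift detected"
```

Running it against the sample tree reports only `tests/integration/test_server/go.mod`, still on 1.26.2; in CI the non-zero exit is what blocks the merge until all sites move together.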
Summary
- `golang.org/x/net` from v0.52.0 → v0.55.0 in both `/` and `/tests` modules.
- `govulncheck` findings (GO-2026-5026 and GO-2026-4918) that are reachable from `app/domain/webhook/backfiller/backfiller.go:599` via `http.Client.Do`.
- `x/crypto`, `x/sys`, `x/term`, `x/text` via MVS — all indirect, no API surface impact.
- Dependabot did not open this PR because `x/net` is an `// indirect` dep; Dependabot only opens PRs for direct deps.

This PR only addresses the `govulncheck` half of CP-42280. The `grype`/anchore-scan-action findings against the built Docker image (Go 1.26.2 stdlib CVEs, `apache/thrift`, `go-git/v5`, `go-billy/v5`) are still pending and will land on this branch before merge.

Test plan

- `govulncheck ./...` clean (`No vulnerabilities found`)
- `go build ./...` clean in both modules
- `govulncheck` job passes
- `Merge Docker manifests` (grype) job passes — pending the additional fixes for CP-42280

PR Generated with AI

Co-Authored-By: AI