Skip to content

build(deps): bump golang.org/x/net to v0.55.0#1905

Open
vtatai wants to merge 1 commit into
pingcap:8.5-cp-masterfrom
vtatai:upstream-xnet-bump
Open

build(deps): bump golang.org/x/net to v0.55.0#1905
vtatai wants to merge 1 commit into
pingcap:8.5-cp-masterfrom
vtatai:upstream-xnet-bump

Conversation

@vtatai

@vtatai vtatai commented Jun 11, 2026

Copy link
Copy Markdown

Fixes CVE-2026-39821 (GO-2026-5026): golang.org/x/net/idna ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only label, which can lead to privilege escalation in programs performing hostname-based checks.

x/net v0.55.0 implements UTS 46 revision 33 which fixes the underlying specification bug. 'go mod tidy' updates the transitive golang.org/x/* modules (crypto, mod, sync, sys, text, tools) to satisfy x/net's minimum requirements.

Verified with 'go build ./...' and 'go mod tidy' (stable).

Fixes CVE-2026-39821 (GO-2026-5026): golang.org/x/net/idna ToASCII and
ToUnicode incorrectly accept Punycode-encoded labels that decode to an
ASCII-only label, which can lead to privilege escalation in programs
performing hostname-based checks.

x/net v0.55.0 implements UTS 46 revision 33 which fixes the underlying
specification bug. 'go mod tidy' updates the transitive golang.org/x/*
modules (crypto, mod, sync, sys, text, tools) to satisfy x/net's
minimum requirements.

Verified with 'go build ./...' and 'go mod tidy' (stable).
@ti-chi-bot ti-chi-bot Bot requested a review from yibin87 June 11, 2026 23:36
@ti-chi-bot

ti-chi-bot Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Welcome @vtatai! It looks like this is your first PR to pingcap/tidb-dashboard 🎉

@pingcap-cla-assistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Victor Tatai seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@ti-chi-bot ti-chi-bot Bot added the size/M label Jun 11, 2026
@ti-chi-bot ti-chi-bot Bot added the lgtm label Jun 12, 2026
@ti-chi-bot

ti-chi-bot Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

[LGTM Timeline notifier]

Timeline:

  • 2026-06-12 02:18:17.378133085 +0000 UTC m=+1099198.448450495: ☑️ agreed by nolouch.

@ti-chi-bot ti-chi-bot Bot added the approved label Jun 12, 2026

@dveeden dveeden left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this dependency should also be updated:

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4233
    HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
  More info: https://pkg.go.dev/vuln/GO-2025-4233
  Module: github.com/quic-go/quic-go
    Found in: github.com/quic-go/quic-go@v0.55.0
    Fixed in: github.com/quic-go/quic-go@v0.57.0
    Example traces found:
      #1: cmd/tidb-dashboard/main.go:292:22: tidb.main calls http.Server.Serve, which eventually calls http3.ConfigureTLSConfig
      #2: pkg/apiserver/diagnose/inspection.go:38:104: diagnose.CompareDiagnose calls http3.Error.Error

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 18
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

And with the above dependency update this remains:

$ govulncheck -show verbose ./... | grep 'Fixed in' | sort -u
    Fixed in: golang.org/x/crypto@v0.52.0
    Fixed in: golang.org/x/image@v0.38.0
    Fixed in: golang.org/x/image@v0.39.0
    Fixed in: golang.org/x/image@v0.41.0
    Fixed in: google.golang.org/grpc@v1.79.3

Note that these are all vulnerabilities in functions that are not used, so this is way less critical/important. However it might be good to update these to avoid setting off scanners and/or accidentally introducing issues when changing code. For the gRPC one: probably best to keep that out of this PR as gRPC updates require more testing and are more likely to cause issues.

@ti-chi-bot

ti-chi-bot Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

@dveeden: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

Maybe this dependency should also be updated:

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4233
   HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
 More info: https://pkg.go.dev/vuln/GO-2025-4233
 Module: github.com/quic-go/quic-go
   Found in: github.com/quic-go/quic-go@v0.55.0
   Fixed in: github.com/quic-go/quic-go@v0.57.0
   Example traces found:
     #1: cmd/tidb-dashboard/main.go:292:22: tidb.main calls http.Server.Serve, which eventually calls http3.ConfigureTLSConfig
     #2: pkg/apiserver/diagnose/inspection.go:38:104: diagnose.CompareDiagnose calls http3.Error.Error

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 18
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ti-chi-bot

ti-chi-bot Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dveeden, nolouch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants