build(deps): bump golang.org/x/net to v0.55.0#1905
Conversation
Fixes CVE-2026-39821 (GO-2026-5026): golang.org/x/net/idna ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only label, which can lead to privilege escalation in programs performing hostname-based checks. x/net v0.55.0 implements UTS 46 revision 33 which fixes the underlying specification bug. 'go mod tidy' updates the transitive golang.org/x/* modules (crypto, mod, sync, sys, text, tools) to satisfy x/net's minimum requirements. Verified with 'go build ./...' and 'go mod tidy' (stable).
|
Welcome @vtatai! It looks like this is your first PR to pingcap/tidb-dashboard 🎉 |
|
Victor Tatai seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
[LGTM Timeline notifier]Timeline:
|
There was a problem hiding this comment.
Maybe this dependency should also be updated:
$ govulncheck ./...
=== Symbol Results ===
Vulnerability #1: GO-2025-4233
HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
More info: https://pkg.go.dev/vuln/GO-2025-4233
Module: github.com/quic-go/quic-go
Found in: github.com/quic-go/quic-go@v0.55.0
Fixed in: github.com/quic-go/quic-go@v0.57.0
Example traces found:
#1: cmd/tidb-dashboard/main.go:292:22: tidb.main calls http.Server.Serve, which eventually calls http3.ConfigureTLSConfig
#2: pkg/apiserver/diagnose/inspection.go:38:104: diagnose.CompareDiagnose calls http3.Error.Error
Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 18
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
And with the above dependency update this remains:
$ govulncheck -show verbose ./... | grep 'Fixed in' | sort -u
Fixed in: golang.org/x/crypto@v0.52.0
Fixed in: golang.org/x/image@v0.38.0
Fixed in: golang.org/x/image@v0.39.0
Fixed in: golang.org/x/image@v0.41.0
Fixed in: google.golang.org/grpc@v1.79.3
Note that these are all vulnerabilities in functions that are not used, so this is way less critical/important. However it might be good to update these to avoid setting off scanners and/or accidentally introducing issues when changing code. For the gRPC one: probably best to keep that out of this PR as gRPC updates require more testing and are more likely to cause issues.
|
@dveeden: adding LGTM is restricted to approvers and reviewers in OWNERS files. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dveeden, nolouch The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes CVE-2026-39821 (GO-2026-5026): golang.org/x/net/idna ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only label, which can lead to privilege escalation in programs performing hostname-based checks.
x/net v0.55.0 implements UTS 46 revision 33 which fixes the underlying specification bug. 'go mod tidy' updates the transitive golang.org/x/* modules (crypto, mod, sync, sys, text, tools) to satisfy x/net's minimum requirements.
Verified with 'go build ./...' and 'go mod tidy' (stable).