chore(deps): bump golang.org/x/crypto to 0.35.0 (4 CRIT + 4 HIGH CVE fixes)#19
Fixes 4 CRITICAL Dependabot alerts (< 0.31.0) across the 4 backend Go modules. Transitively upgrades golang.org/x/sys to 0.28.0 and golang.org/x/text to 0.21.0 via go mod tidy.

Modules updated:
- backend/byteport: v0.29.0 -> v0.31.0 (direct)
- backend/nvms: v0.28.0 -> v0.31.0 (indirect)
- backend/nvms/Demonstrator: v0.28.0 -> v0.31.0 (indirect)
- backend/nvms/Provisioner: v0.28.0 -> v0.31.0 (indirect)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review Summary

Status: No Issues Found | Recommendation: Merge | Files Reviewed: 10 files

Reviewed by nemotron-3-super-120b-a12b-20230311:free · 2,223,367 tokens
| golang.org/x/sys v0.27.0 // indirect | ||
| golang.org/x/text v0.19.0 // indirect | ||
| gorm.io/gorm v1.25.12 // indirect | ||
| golang.org/x/crypto v0.31.0 // indirect |
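Review bot: the requirement `golang.org/x/crypto v0.31.0 // indirect` on this line still falls inside the high-severity advisory range that the PR's own description puts at `< 0.35.0`, so this manifest should require `v0.35.0` instead; after changing it, re-run `go mod tidy` in `backend/nvms/Provisioner` so that `go.sum` and the `golang.org/x/sys` / `golang.org/x/text` lines shown in this hunk reflect the new module graph rather than the stale one.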
Suggestion: golang.org/x/crypto v0.31.0 is still in a known vulnerable range (the HIGH advisory mentioned in the PR notes affects versions < 0.35.0). Pinning to this version leaves the module exposed; upgrade to a non-vulnerable release (>= v0.35.0, ideally latest) to fully remediate known crypto CVEs. [security]
Severity Level: Critical 🚨
- ⚠️ Provisioner Spin HTTP component uses vulnerable x/crypto dependency.
- ⚠️ Handles decrypted user Git access tokens and repository archives.
- ⚠️ Dependabot HIGH advisory for x/crypto remains unresolved here.

Steps of Reproduction ✅
1. Open the Provisioner module manifest at `backend/nvms/Provisioner/go.mod` and observe line 18: `golang.org/x/crypto v0.31.0 // indirect`, which pins the module to version 0.31.0 (confirmed via Read of this file).
2. From the `backend/nvms/Provisioner` directory, running `go list -m golang.org/x/crypto` (or inspecting `go.sum`) would resolve `golang.org/x/crypto` to v0.31.0 for this Spin HTTP component, meaning all its transitive users in this module graph link against that vulnerable version.
3. Follow the Provisioner's main entrypoint in `backend/nvms/Provisioner/main.go`: the `init()` function at ~line 152 registers a Spin HTTP handler that reads a request body into a `models.Project`, then calls `lib.DecryptSecret(project.User.Git.Token)` at line 172 to decrypt a user's Git access token and then downloads and processes a repository ZIP.
4. Because this Provisioner component handles sensitive user secrets and repository content while its module graph still includes `golang.org/x/crypto` v0.31.0 (a version explicitly called out in the PR description as remaining within the HIGH-severity advisory range `< v0.35.0`), any transitive dependency that relies on affected `x/crypto` primitives will continue to operate with a known-vulnerable crypto implementation until the version is raised to `>= v0.35.0`.
Supersedes 0.31.0 bump. 0.35.0 is the first patched version covering both the critical GHSA-v778-237x-gjrc and the high-severity GHSA-hcg3-q754-cr77 advisories across all 4 go.mod manifests:
- backend/byteport/go.mod
- backend/nvms/go.mod
- backend/nvms/Demonstrator/go.mod
- backend/nvms/Provisioner/go.mod

Resolves Dependabot alerts:
CRIT: #16, #20, #22, #24 (GHSA-v778-237x-gjrc)
HIGH: #18, #21, #23, #25 (GHSA-hcg3-q754-cr77)

Verified via go build ./... in each module.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Bumps `golang.org/x/crypto` from `v0.31.0` to `v0.35.0` across all 4 Go modules in the repo. `v0.35.0` is the first patched version covering both advisories (fixed-in versions: 0.31.0 for the critical one, 0.35.0 for the high-severity one). The prior 0.31.0 bump only addressed the critical alerts; this supersedes it to also close the 4 high-severity alerts in a single bump.

Manifests touched
- backend/byteport/go.mod
- backend/nvms/go.mod
- backend/nvms/Demonstrator/go.mod
- backend/nvms/Provisioner/go.mod

Verification

`go build ./...` exits 0 in each module (pre-existing fermyon SDK export-comment warning is unrelated, not fatal).

Test plan

`go build ./...` in all four modules

Closes Dependabot alerts: #16 #18 #20 #21 #22 #23 #24 #25
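The manual checks described in this thread (reading the pinned `golang.org/x/crypto` version out of each go.mod and confirming it is at or above the patched release) can be scripted so the four manifests are verified in one pass. The script below is an added example, not code from the PR or the repository; it assumes a POSIX sh with awk and find, and uses the v0.35.0 floor the PR description identifies as the first version covering both advisories.

```sh
#!/bin/sh
# Added example (not the PR's or the repo's code): report every go.mod under a
# tree whose golang.org/x/crypto requirement is below a patched floor.
# Assumes POSIX sh, awk and find. The floor is the version the PR identifies as
# the first covering both advisories.
MIN_CRYPTO_VERSION="v0.35.0"

# Print the version a go.mod requires for module path $2 (empty if absent).
# Handles both "require mod vX" and block "require ( ... )" forms; the
# "// indirect" marker does not matter because only field 3 (or 2) is read.
mod_version() {
    awk -v mod="$2" '
        $1 == "require" && $2 == mod { print $3; exit }
        $1 == mod                     { print $2; exit }
    ' "$1"
}

# Succeed when semver $1 >= $2 (both vMAJOR.MINOR.PATCH, no pre-release tag).
version_ge() {
    a=$(printf '%s' "${1#v}" | tr . ' ')
    b=$(printf '%s' "${2#v}" | tr . ' ')
    set -- $a $b
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# Walk every go.mod under $1; print one verdict line per manifest and return
# non-zero if any manifest still requires x/crypto below MIN_CRYPTO_VERSION.
check_tree() {
    rc=0
    for f in $(find "$1" -name go.mod | sort); do
        v=$(mod_version "$f" golang.org/x/crypto)
        if [ -z "$v" ]; then
            echo "OK    $f (x/crypto not required)"
        elif version_ge "$v" "$MIN_CRYPTO_VERSION"; then
            echo "OK    $f ($v)"
        else
            echo "VULN  $f ($v < $MIN_CRYPTO_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_tree backend   (the PR's four manifests all live under backend/)
```

Run it from the repository root before and after the bump; a non-zero exit means at least one manifest still pins x/crypto inside the advisory range.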
Note: Medium Risk

Primarily dependency and Go toolchain version bumps; risk is limited but could surface build/runtime compatibility issues across the multiple backend modules due to updated `x/crypto` and related transitive packages.

Overview

Upgrades backend Go dependencies to address security/maintenance updates.
- `backend/byteport` now uses `golang.org/x/crypto v0.35.0` (direct) and refreshes transitive versions (`golang.org/x/sys v0.30.0`, `golang.org/x/text v0.22.0`) with updated `go.sum`.
- Aligns the `nvms` modules on newer Go versions/toolchain. `backend/nvms`, `nvms/Demonstrator`, and `nvms/Provisioner` bump `go` to `1.23.0` and `toolchain` to `go1.23.4`, and update indirect deps (`x/crypto` to `v0.35.0`, `x/sys` to `v0.30.0`); `Provisioner` also drops some no-longer-needed indirect entries from its module files.

Reviewed by Cursor Bugbot for commit 4a25a1c.
nvmsmodules on newer Go versions/toolchain.backend/nvms,nvms/Demonstrator, andnvms/Provisionerbumpgoto1.23.0andtoolchaintogo1.23.4, and update indirect deps (x/cryptotov0.35.0,x/systov0.30.0);Provisioneralso drops some no-longer-needed indirect entries from its module files.Reviewed by Cursor Bugbot for commit 4a25a1c. Bugbot is set up for automated code reviews on this repo. Configure here.