Skip to content

chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20)#989

Merged
jbw976 merged 1 commit into
release-1.20from
renovate/release-1.20-go-golang.org-x-net-vulnerability
May 21, 2026
Merged

chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20)#989
jbw976 merged 1 commit into
release-1.20from
renovate/release-1.20-go-golang.org-x-net-vulnerability

Conversation

@crossplane-renovate

@crossplane-renovate crossplane-renovate Bot commented May 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/net v0.48.0v0.53.0 age confidence

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

BIT-golang-2026-33814 / CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@crossplane-renovate crossplane-renovate Bot requested a review from a team as a code owner May 8, 2026 08:32
@crossplane-renovate crossplane-renovate Bot requested review from phisco and removed request for a team May 8, 2026 08:32
@crossplane-renovate

crossplane-renovate Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod
Command failed: earthly --strict +go-generate
 Init 🚀
————————————————————————————————————————————————————————————————————————————————

           buildkitd | Found buildkit daemon as docker container (earthly-buildkitd)

 Build 🔧
————————————————————————————————————————————————————————————————————————————————

        +go-generate | --> FROM +base
        +go-generate | --> FROM +go-modules
         +go-modules | --> FROM +base
      golang:1.24.13 | --> Load metadata golang:1.24.13 linux/amd64
Warning: you are not logged into registry-1.docker.io, you may experience rate-limitting when pulling images
         +go-modules | --> FROM golang:1.24.13
         +go-modules | [----------] 100% FROM golang:1.24.13�[K
         +go-modules | [          ]   0% FROM golang:1.24.13�[K
         +go-modules | �[A[----------] 100% FROM golang:1.24.13�[K
         +go-modules | --> WORKDIR /crossplane
         +go-modules | --> COPY go.mod go.sum ./
         +go-modules | --> RUN go mod download
         +go-modules | go: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)
         +go-modules | ERROR Earthfile:48:2
         +go-modules |       The command
         +go-modules |           RUN go mod download
         +go-modules |       did not complete successfully. Exit code 1

================================== ❌ FAILURE ===================================

         +go-modules *failed* | Repeating the failure error...
         +go-modules *failed* | --> RUN go mod download
         +go-modules *failed* | go: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)
         +go-modules *failed* | ERROR Earthfile:48:2
         +go-modules *failed* |       The command
         +go-modules *failed* |           RUN go mod download
         +go-modules *failed* |       did not complete successfully. Exit code 1

Help: To debug your build, you can use the --interactive (-i) flag to drop into a shell of the failing RUN step: "earthly -i --strict +go-generate"

@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed May 11, 2026
@crossplane-renovate crossplane-renovate Bot deleted the renovate/release-1.20-go-golang.org-x-net-vulnerability branch May 11, 2026 09:07
@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) May 12, 2026
@crossplane-renovate crossplane-renovate Bot reopened this May 12, 2026
@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/release-1.20-go-golang.org-x-net-vulnerability branch 2 times, most recently from cf37c49 to 617df15 Compare May 12, 2026 09:01
@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed May 19, 2026
@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) May 20, 2026
@crossplane-renovate crossplane-renovate Bot reopened this May 20, 2026
@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/release-1.20-go-golang.org-x-net-vulnerability branch 3 times, most recently from 89b4d7d to 25c10e7 Compare May 20, 2026 20:27
jbw976 added a commit to jbw976/crossplane-runtime that referenced this pull request May 21, 2026
@jbw976
chore: bump Go to 1.25.10 and golangci-lint to v2.12.2 on release-1.20
e193eac 
The pending x/net v0.53.0 security backport (crossplane#989) requires Go 1.25
because x/net@v0.53.0 declares `go 1.25.0` in its go.mod. Bumping the
Earthfile's Go and golangci-lint pins keeps `go mod download` and the
lint target green once crossplane#989 lands, and completes the v1 -> v2
golangci-lint migration crossplane#977 deferred.

The install.sh URL is also moved from the deprecated `master` branch
to the canonical `https://golangci-lint.run/install.sh`. The `master`
script's checksum grep matches both the `.tar.gz` and `.tar.gz.sbom.json`
assets added in v2.12.0, breaking installs (see golangci/golangci-lint#6539).

.golangci.yml is migrated to v2 via `golangci-lint migrate`, with the
disable and test-exclusion lists aligned to main. The `run.go: "1.24"`
pin from f78224f is dropped; once crossplane#989 bumps go.mod's `go` directive,
golangci-lint reads it from go.mod by default.

The bulk of the source diff is `golangci-lint run --fix` output across
test files - removing redundant embedded field qualifiers, Go 1.22
range-over-int, and `maps.Copy`/`maps.Clone` substitutions. A handful
of hand fixes cover gocritic, godoclint, and govet findings; three
inline `//nolint:embeddedstructfieldcheck` suppressions cover structs
whose field order is load-bearing (one public API type, two fake mocks).

Signed-off-by: Jared Watts <jbw976@gmail.com>
@jbw976 jbw976 mentioned this pull request May 21, 2026
Merged
5 tasks
jbw976 added a commit to jbw976/crossplane-runtime that referenced this pull request May 21, 2026
@jbw976
chore: bump Go to 1.25.10 and golangci-lint to v2.12.2 on release-1.20
c57242d 
The pending x/net v0.53.0 security backport (crossplane#989) requires Go 1.25
because x/net@v0.53.0 declares `go 1.25.0` in its go.mod. Bumping the
Earthfile's Go and golangci-lint pins keeps `go mod download` and the
lint target green once crossplane#989 lands, and completes the v1 -> v2
golangci-lint migration crossplane#977 deferred.

The install.sh URL is also moved from the deprecated `master` branch
to the canonical `https://golangci-lint.run/install.sh`. The `master`
script's checksum grep matches both the `.tar.gz` and `.tar.gz.sbom.json`
assets added in v2.12.0, breaking installs (see golangci/golangci-lint#6539).

.golangci.yml is migrated to v2 via `golangci-lint migrate`, with the
disable and test-exclusion lists aligned to main. The `run.go: "1.24"`
pin from f78224f is dropped; once crossplane#989 bumps go.mod's `go` directive,
golangci-lint reads it from go.mod by default.

The bulk of the source diff is `golangci-lint run --fix` output across
test files - removing redundant embedded field qualifiers, Go 1.22
range-over-int, and `maps.Copy`/`maps.Clone` substitutions. A handful
of hand fixes cover gocritic, godoclint, and govet findings; three
inline `//nolint:embeddedstructfieldcheck` suppressions cover structs
whose field order is load-bearing (one public API type, two fake mocks).

Signed-off-by: Jared Watts <jbw976@gmail.com>
@jbw976

jbw976 commented May 21, 2026

Copy link
Copy Markdown
Member

This PR is blocked on #996

jbw976
jbw976 requested changes May 21, 2026
View reviewed changes

@jbw976 jbw976 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

requesting changes to block until #996 is merged

@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed May 21, 2026
@crossplane-renovate crossplane-renovate Bot changed the title chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) - autoclosed chore(deps): update module golang.org/x/net to v0.53.0 [security] (release-1.20) May 21, 2026
@crossplane-renovate crossplane-renovate Bot reopened this May 21, 2026
@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/release-1.20-go-golang.org-x-net-vulnerability branch from 807f64e to 25c10e7 Compare May 21, 2026 14:52
@crossplane-renovate

crossplane-renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.30.0 -> v0.34.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/sys v0.39.0 -> v0.43.0
golang.org/x/term v0.38.0 -> v0.42.0
golang.org/x/text v0.32.0 -> v0.36.0
golang.org/x/tools v0.39.0 -> v0.43.0

@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/release-1.20-go-golang.org-x-net-vulnerability branch from 25c10e7 to 807f64e Compare May 21, 2026 14:52
jbw976
jbw976 approved these changes May 21, 2026
View reviewed changes

@jbw976 jbw976 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we're good now that #996 is merged and this is rebased on top ✅

@jbw976 jbw976 merged commit f2d4529 into release-1.20 May 21, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbw976 jbw976 jbw976 approved these changes

@phisco phisco Awaiting requested review from phisco phisco is a code owner automatically assigned from crossplane/crossplane-maintainers

Assignees

No one assigned

Labels

automated

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jbw976