@renovate renovate bot commented Oct 8, 2025

This PR contains the following updates:

Package              Change              Age      Confidence
golang.org/x/crypto  v0.42.0 -> v0.43.0  (badge)  (badge)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the automerge label Oct 8, 2025
@renovate renovate bot enabled auto-merge (squash) October 8, 2025 18:37
renovate bot commented Oct 8, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package            Change
golang.org/x/net   v0.44.0 -> v0.45.0
golang.org/x/sys   v0.36.0 -> v0.37.0
golang.org/x/text  v0.29.0 -> v0.30.0

claude bot commented Oct 8, 2025

Pull Request Review: Update golang.org/x/crypto to v0.43.0

Summary

This PR updates golang.org/x/crypto from v0.42.0 to v0.43.0, along with transitive dependency updates to golang.org/x/net, golang.org/x/sys, and golang.org/x/text.

Code Quality ✅

  • Clean dependency update: The changes are isolated to go.mod and go.sum files only
  • No code changes required: The update appears to be backward compatible
  • Proper semantic versioning: Minor version bump (0.42 → 0.43) suggests no breaking changes

Impact Analysis

The crypto package is used in this codebase specifically for SSH connections:

Usage location: fs/sftp/sftp.go:11

import "golang.org/x/crypto/ssh"

This is used for the SFTP backend filesystem driver, which creates SSH client connections using password authentication and custom host key callbacks.

Security Considerations ⚠️

Recommendation: While this appears to be a routine dependency update, I recommend:

  1. Verify security fixes: Check the golang.org/x/crypto release notes for v0.43.0 to identify any security patches. Crypto library updates often include important security improvements.

  2. Test SFTP functionality: Since the only direct usage is in the SFTP backend (fs/sftp/sftp.go), ensure:

    • SFTP connections still establish successfully
    • Authentication works correctly
    • File operations through SFTP backend function properly
  3. Consider the insecure HostKeyCallback: Note that fs/sftp/sftp.go:33-35 uses an insecure host key callback that accepts any host key. This is a pre-existing security concern unrelated to this update but worth addressing:

    HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
        return nil  // Accepts any host key - vulnerable to MITM attacks
    }

Test Coverage 📊

Gap identified: There are no automated tests for the SFTP backend functionality. Consider adding integration tests for fs/sftp/ to catch potential regressions from dependency updates.

Current test coverage per CLAUDE.md:

  • Limited test coverage overall (only fs/utils/env_test.go mentioned)
  • No tests for fs/sftp/ directory

Performance Considerations ✅

No performance concerns expected. Crypto library updates typically improve performance or maintain compatibility.

Best Practices ✅

  • Follows the repository's dependency management approach (Renovate automation)
  • Automerge is enabled, which is appropriate for minor crypto updates
  • Includes transitive dependency updates to maintain consistency

Recommendations

Before merging:

  1. ✅ Let CI tests pass (if any SFTP-related tests exist)
  2. ⚠️ Manually test SFTP backend if possible
  3. 📖 Review golang.org/x/crypto v0.43.0 release notes for security fixes or breaking changes

Future improvements:

  1. Add integration tests for fs/sftp/ functionality
  2. Consider implementing proper SSH host key verification instead of accepting all keys
  3. Expand test coverage as noted in CLAUDE.md

Verdict

LGTM with recommendations

This is a standard dependency update that should be merged after CI validation. The changes are low-risk, but manual SFTP testing would provide additional confidence given the lack of automated test coverage for that component.


🤖 Review generated with Claude Code

claude bot commented Oct 8, 2025

Pull Request Review - golang.org/x/crypto v0.43.0 Update

Summary

This PR updates golang.org/x/crypto from v0.42.0 to v0.43.0, along with transitive dependencies (golang.org/x/net, golang.org/x/sys, golang.org/x/text).

Code Quality ✅

  • Clean dependency update: Only go.mod and go.sum files modified
  • Proper semantic versioning: Minor version bump (0.42.0 → 0.43.0)
  • Transitive dependencies updated appropriately:
    • golang.org/x/net: v0.44.0 → v0.45.0
    • golang.org/x/sys: v0.36.0 → v0.37.0
    • golang.org/x/text: v0.29.0 → v0.30.0

Security Considerations 🔒

Positive impact: Keeping golang.org/x/crypto up to date is critical for an FTP server that handles authentication and secure connections. This library is commonly updated to address security vulnerabilities.

Recommendation: Verify the changelog for golang.org/x/crypto v0.43.0 to understand what security fixes or improvements are included. Given this is a server handling authentication (see config/config.go usage of go-crypt), staying current is important.

Potential Issues 🔍

Low risk assessment:

  • Minor version updates in the Go x/ namespace are typically backwards compatible
  • No breaking API changes expected
  • The FTP server uses golang.org/x/crypto for password hashing (via go-crypt dependency) and TLS/SSH operations (via ftpserverlib/sftpfs)

Testing notes:

  • No direct usage of golang.org/x/crypto in application code (used via dependencies)
  • Integration testing via CI should catch any issues
  • Race detection tests (go test -race -v ./...) should run to verify no concurrency issues

Performance Considerations ⚡

Neutral impact expected. Cryptographic library updates may include:

  • Performance optimizations in hash algorithms
  • Assembly optimizations for specific architectures
  • No performance regressions expected from minor version updates

Test Coverage 📋

Current situation:

  • Limited test coverage in repository (only fs/utils/env_test.go)
  • Dependency update doesn't require new tests
  • CI pipeline tests should validate compatibility

Recommendation: Ensure CI tests pass, particularly:

  • go test -race -v ./...
  • golangci-lint run
  • Integration tests with various storage backends (S3, GCS, SFTP, etc.)

Automerge Status 🤖

✅ Automerge is enabled and appropriate for this type of change
✅ Renovate bot is configured correctly
✅ Low-risk dependency update suitable for automated merging

Verdict

LGTM ✅ - This is a routine, low-risk security dependency update that should be merged once CI passes. The changes are minimal, well-scoped, and important for maintaining security posture.


Review conducted following CLAUDE.md guidelines and repository best practices.

claude bot commented Oct 8, 2025

Code Review: Update golang.org/x/crypto to v0.43.0

Summary

This PR updates golang.org/x/crypto from v0.42.0 to v0.43.0, along with transitive dependencies (golang.org/x/net, golang.org/x/sys, golang.org/x/text).

✅ Code Quality and Best Practices

  • Clean dependency update: The changes are limited to go.mod and go.sum files only, with no code modifications required
  • Automated updates: Renovate bot is properly configured and follows semantic versioning
  • Dependency management: The update follows Go module best practices

🔒 Security Assessment

Positive security implications:

  • Security patches in golang.org/x/crypto are critical since this project uses the package for SSH authentication (see fs/sftp/sftp.go:11)
  • Password hashing in config/config.go uses go-crypt which may indirectly benefit from crypto updates
  • Regular dependency updates reduce exposure to known vulnerabilities

Usage context in codebase:

  • fs/sftp/sftp.go:11: Uses golang.org/x/crypto/ssh for SFTP backend authentication
  • Security-critical code: The SFTP implementation at fs/sftp/sftp.go:33-35 currently uses HostKeyCallback that accepts all host keys (returns nil). This is a separate security concern unrelated to this PR but worth addressing.

🐛 Potential Issues

  • None identified: This is a minor version update (0.42 → 0.43) that should maintain backward compatibility
  • The Go ecosystem's compatibility promise means patch/minor updates to golang.org/x/* packages rarely introduce breaking changes

⚡ Performance Considerations

  • Minor version updates to golang.org/x/crypto often include performance optimizations for cryptographic operations
  • No negative performance impact expected
  • May include improvements to SSH/crypto operations used by the SFTP backend

🧪 Test Coverage

  • CI Status: Should verify that all existing tests pass with the updated dependencies
  • No new tests needed: Dependency updates don't require additional test coverage
  • Integration testing: The Docker test workflow should validate SFTP functionality remains intact

📋 Recommendations

  1. Approve and merge: This is a low-risk dependency update that should be merged
  2. 🔐 Separate issue: Consider addressing the insecure HostKeyCallback in fs/sftp/sftp.go:33-35 that currently accepts any host key without verification (security vulnerability)
  3. 🤖 Automation: The automerge configuration is appropriate for such dependency updates

Conclusion

LGTM ✅ - This is a straightforward, low-risk dependency update that improves security posture. No code changes required, and the update follows proper semantic versioning.


Review generated with Claude Code
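The first and third reviews above both flag the HostKeyCallback at fs/sftp/sftp.go:33-35 that returns nil for every key. The following is an added example, not code from this repository or from golang.org/x/crypto, showing what a pinned-key check in that callback has to do using only the Go standard library: parse one trusted key in known_hosts form, compare the presented key's wire encoding, and report OpenSSH-style SHA256 fingerprints on mismatch. The hostname and presented-key parameters stand in for the real callback's (hostname, remote, key) arguments, with presented being what key.Marshal() returns; in practice the same effect is obtained with ssh.FixedHostKey or the golang.org/x/crypto/ssh/knownhosts package, and the sample keys below are constructed, not the project's.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// marshalSSHKey is the SSH wire form (uint32-length-prefixed fields, algorithm name first) that ssh.PublicKey.Marshal() returns.
func marshalSSHKey(algo string, fields ...[]byte) []byte {
	var out []byte
	for _, f := range append([][]byte{[]byte(algo)}, fields...) {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return out
}

// fingerprint is the OpenSSH-style "SHA256:<unpadded base64>" form shown by ssh-keygen -l.
func fingerprint(wire []byte) string {
	sum := sha256.Sum256(wire)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// pinnedHostKeyCallback is the fix for a callback that only does "return nil": it parses
// one trusted key in known_hosts form ("ssh-ed25519 AAAA...") and rejects any other key.
func pinnedHostKeyCallback(trustedLine string) (func(host string, presented []byte) error, error) {
	parts := strings.Fields(trustedLine)
	if len(parts) < 2 {
		return nil, fmt.Errorf("malformed host key line %q: want '<algo> <base64>'", trustedLine)
	}
	trusted, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding pinned host key: %w", err)
	}
	return func(host string, presented []byte) error { // presented is key.Marshal() in the real callback
		if bytes.Equal(presented, trusted) {
			return nil
		}
		return fmt.Errorf("host key mismatch for %s: got %s, want %s", host, fingerprint(presented), fingerprint(trusted))
	}, nil
}

func main() {
	trusted := marshalSSHKey("ssh-ed25519", bytes.Repeat([]byte{1}, 32)) // constructed sample, not the project's key
	check, _ := pinnedHostKeyCallback("ssh-ed25519 " + base64.StdEncoding.EncodeToString(trusted))
	rogue := marshalSSHKey("ssh-ed25519", bytes.Repeat([]byte{2}, 32)) // a different key, as a MITM would present
	fmt.Println(check("sftp.example", trusted), check("sftp.example", rogue)) // <nil>, then the mismatch error
}
```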

@renovate renovate bot merged commit 0cc9ab8 into main Oct 8, 2025
5 checks passed
@renovate renovate bot deleted the renovate/golang.org-x-crypto-0.x branch October 8, 2025 18:40