fix(cve): GO-2026-5026 - update golang.org/x/net v0.53.0 → v0.55.0 #3452

Merged: tekton-robot merged 1 commit into main from fix/GO-2026-5026-x-net-main-attempt-1 on Jun 2, 2026

Conversation

Member
@jkhelil jkhelil commented May 28, 2026

CVE Details

| Field | Value |
| --- | --- |
| GO Advisory | GO-2026-5026 |
| Package | golang.org/x/net/idna |
| Current Version | v0.53.0 |
| Fixed Version | v0.55.0 |

GO-2026-5026: Failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna. Callers of idna.ToASCII, idna.ToUnicode, and idna.Lookup may be vulnerable to label spoofing if they do not additionally verify that labels are valid host name labels.

Fix Summary

  • Update golang.org/x/net from v0.53.0 to v0.55.0
  • Also updates golang.org/x/crypto v0.50.0 → v0.51.0 as transitive dependency
  • Run `go mod tidy && go mod verify && go mod vendor`

Test Results

Tests passed

Command: `go test -short -count=1 ./pkg/... ./cmd/...`
Status: PASSED - all packages passed

Breaking Changes

None. This is a patch-level dependency update to indirect dependencies.

Verification Steps

  • Review go.mod and go.sum changes
  • Review vendor/ directory changes for golang.org/x/net
  • Run full test suite in CI
  • Confirm govulncheck reports no remaining GO-2026-5026 findings

Risk Assessment

Low — patch-level update to indirect dependency with no API changes. Tests pass locally.


🤖 Automated fix by CVE Fixer Bot
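Added example, not code from this PR, the Tekton repository or golang.org/x/net: the caller-side check the advisory above asks for ("verify that labels are valid host name labels"), written against the Go standard library only so it runs without the patched module. It validates each label of an ASCII host name with the LDH rule and the RFC 5891 hyphen restrictions and, for an `xn--` (ACE) label, decodes the Punycode payload with a minimal RFC 3492 decoder and rejects any label whose decoded form is ASCII only, which is the label class the advisory describes. The function names, error values and sample host names (including `xn--paypal-`, a constructed ASCII-only Punycode label that decodes to `paypal`) are this example's own; the decoder assumes a 64-bit `int`.

```go
package main

// Added example, not code from golang.org/x/net or this PR: the caller-side label check GO-2026-5026 asks for, on a minimal RFC 3492 Punycode decoder.

import (
	"errors"
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Punycode parameters (RFC 3492 section 5) and digit alphabet; index%36 gives a digit's value.
const base, tmin, tmax, skew, damp, initialBias, initialN = 36, 1, 26, 38, 700, 72, 128
const digits = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

var ErrInvalidLabel = errors.New("not a valid host name label (LDH rule, length, hyphens or Punycode)")
var ErrASCIIOnlyACE = errors.New("ACE label decodes to ASCII only (spoofable)")

// ValidateHostLabels is the "additionally verify" step for a host name from idna.ToASCII or idna.Lookup; one trailing dot is allowed.
func ValidateHostLabels(host string) error {
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if err := ValidateLabel(label); err != nil {
			return fmt.Errorf("label %q: %w", label, err)
		}
	}
	return nil
}

// ValidateLabel applies the LDH rule (letters, digits, hyphen; 1-63 octets) and, for an "xn--" (ACE) label, RFC 5891's rule that the decoded U-label contain non-ASCII.
func ValidateLabel(label string) error {
	if label == "" || len(label) > 63 || strings.Trim(label, digits+"-") != "" {
		return ErrInvalidLabel
	}
	r := []rune(label) // the label as a U-label: itself, or the decoded ACE payload
	if strings.HasPrefix(strings.ToLower(label), "xn--") {
		decoded, err := PunycodeDecode(label[4:])
		if err != nil {
			return fmt.Errorf("%w: %v", ErrInvalidLabel, err)
		}
		if strings.IndexFunc(decoded, func(c rune) bool { return c > unicode.MaxASCII }) < 0 {
			return ErrASCIIOnlyACE // "xn--paypal-" decodes to "paypal"; a bare "xn--" decodes to ""
		}
		r = []rune(decoded)
	}
	if r[0] == '-' || r[len(r)-1] == '-' || len(r) >= 4 && r[2] == '-' && r[3] == '-' {
		return ErrInvalidLabel // RFC 5891 section 4.2.3.1: no leading/trailing '-', no "--" at positions 3-4
	}
	return nil
}

// PunycodeDecode runs the RFC 3492 section 6.2 procedure on the payload that follows "xn--".
func PunycodeDecode(enc string) (string, error) {
	j := strings.LastIndexByte(enc, '-') + 1 // literal basic code points, if any, precede the last '-'
	out, pos := []rune(strings.TrimSuffix(enc[:j], "-")), j
	n, i, bias := initialN, 0, initialBias
	for pos < len(enc) {
		oldi, w := i, 1
		for k := base; ; k += base { // one generalised variable-length integer (a delta)
			if pos >= len(enc) { return "", errors.New("truncated delta") }
			d := strings.IndexByte(digits, enc[pos]) % 36 // -1 % 36 == -1 in Go, so a bad byte stays negative
			if d < 0 || d > (math.MaxInt32-i)/w {
				return "", errors.New("bad digit or overflow")
			}
			pos++
			i += d * w
			t := k - bias // threshold for this digit position
			if t < tmin { t = tmin } else if t > tmax { t = tmax }
			if d < t { break }
			w *= base - t // stays below 35*MaxInt32 because of the check above (64-bit int assumed)
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		if n += i / (len(out) + 1); n > unicode.MaxRune {
			return "", errors.New("code point out of range")
		}
		i %= len(out) + 1
		out = append(out[:i], append([]rune{rune(n)}, out[i:]...)...) // insert code point n at position i
		i++
	}
	return string(out), nil
}

func adapt(delta, numPoints int, firstTime bool) (k int) { // RFC 3492 section 6.1 bias adaptation
	div := 2
	if firstTime {
		div = damp
	}
	delta = delta/div + delta/div/numPoints
	for ; delta > (base-tmin)*tmax/2; k += base {
		delta /= base - tmin
	}
	return k + (base-tmin+1)*delta/(delta+skew)
}

func main() { // constructed inputs: a real A-label, the ASCII-only ACE shape, two LDH violations
	for _, h := range []string{"xn--mnchen-3ya.example", "xn--paypal-.com", "ab--cd.example", "-example.com"} {
		fmt.Printf("%-24s %v\n", h, ValidateHostLabels(h))
	}
}
```

`ValidateHostLabels` is the function to call on the output of `idna.ToASCII` or `idna.Lookup` before the name is displayed, compared or used for a connection; `xn--mnchen-3ya.example` passes, while `xn--paypal-.com` fails with `ErrASCIIOnlyACE` instead of being shown as `paypal.com`. The check is independent of the x/net version, so it complements the bump to v0.55.0 rather than replacing it.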

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label May 28, 2026
@tekton-robot tekton-robot requested a review from pratap0007 May 28, 2026 06:20
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 28, 2026
Member Author

jkhelil commented May 28, 2026

/release-note-none

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 28, 2026
@jkhelil jkhelil force-pushed the fix/GO-2026-5026-x-net-main-attempt-1 branch from 0628774 to ef2c364 Compare May 28, 2026 08:20
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 28, 2026
- Update golang.org/x/net from v0.53.0 to v0.55.0
- Fixes GO-2026-5026: failure to reject ASCII-only Punycode-encoded labels in idna
- Also updates golang.org/x/crypto v0.50.0 → v0.51.0 as transitive dependency

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jkhelil jkhelil force-pushed the fix/GO-2026-5026-x-net-main-attempt-1 branch from ef2c364 to 98e937b Compare June 1, 2026 04:45
@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 1, 2026
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pramodbindal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2026
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 2, 2026
@tekton-robot tekton-robot merged commit c5b1051 into main Jun 2, 2026
16 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

3 participants