Skip to content

fix(deps): bump x/crypto to 0.52.0 and x/net to 0.55.0#9

Merged
cbullinger merged 1 commit into
mainfrom
fix/dependabot-crypto-net
Jul 15, 2026
Merged

fix(deps): bump x/crypto to 0.52.0 and x/net to 0.55.0#9
cbullinger merged 1 commit into
mainfrom
fix/dependabot-crypto-net

Conversation

@cbullinger

Copy link
Copy Markdown
Collaborator

Summary

Resolves all 14 open Dependabot alerts by bumping two indirect dependencies:

  • golang.org/x/crypto 0.46.0 → 0.52.0 — clears 13 SSH-related CVEs (4 critical, 2 high, 4 medium... 13 total)
  • golang.org/x/net 0.48.0 → 0.55.0 — clears HTML-parser DoS (medium)

go mod tidy also advanced transitive x/sys, x/text, x/sync.

Scope

Only go.mod and go.sum changed. Both modules are // indirect — no source imports them directly, so there are no code changes.

Verification

  • go build ./...
  • go vet ./...
  • pre-commit secret scan ✅

Resolves 14 open Dependabot alerts (13 golang.org/x/crypto SSH CVEs
incl. 4 critical, 1 golang.org/x/net HTML-parser DoS). Both are
indirect dependencies; no source changes required. go mod tidy also
advanced transitive x/sys, x/text, x/sync.

@dacharyc dacharyc left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TY for staying on top of the dependency bump dance!

@cbullinger cbullinger merged commit 02a6907 into main Jul 15, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants