MLE-29894: bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 to address CVEs #341

Merged
vitalykorolev merged 1 commit into develop from MLE-29894_patch-golang-crypto-net-vulns, May 28, 2026
@vitalykorolev (Collaborator)

Jira: MLE-29894

Summary

Bumps two indirect Go dependencies to remediate 13 CVEs flagged in the BlackDuck develop-branch scan.

Changes

  • golang.org/x/crypto: v0.50.0 -> v0.52.0 (fixes 12 CVEs: GO-2026-5005, GO-2026-5006, GO-2026-5013, GO-2026-5014, GO-2026-5015, GO-2026-5016, GO-2026-5017, GO-2026-5018, GO-2026-5019, GO-2026-5020, GO-2026-5021, GO-2026-5033)
  • golang.org/x/net: v0.53.0 -> v0.55.0 (fixes GO-2026-5026, idna ASCII-only Punycode rejection)

Verification

  • govulncheck ./... : No vulnerabilities found
  • go build ./... : clean
  • go test ./test/template/... : PASS
  • helm lint --with-subcharts charts/ : 0 chart(s) failed
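
A regression gate for the version floors this PR sets, as an added example that is not part of the PR or the project's code: it reads go.mod text and reports either module if it is missing or below v0.52.0 / v0.55.0. The names `floors`, `parse` and `CheckGoMod` and the sample fragment are constructed for illustration; the check reads only `require` directives, so it supplements the govulncheck run listed above.

```go
package main

import (
	"fmt"
	"strings"
)

// Floors: the fixed versions named in the PR description.
var floors = [][2]string{{"golang.org/x/crypto", "v0.52.0"}, {"golang.org/x/net", "v0.55.0"}}

// parse accepts only plain vX.Y.Z; pseudo-versions and pre-releases fail closed.
func parse(v string) (n [3]int, ok bool) {
	fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2]) // error ignored: round-trip below rejects mismatches
	return n, fmt.Sprintf("v%d.%d.%d", n[0], n[1], n[2]) == v
}

// CheckGoMod returns one finding per floor that the go.mod text does not meet.
// Assumption: only require directives are read; replace/exclude are not resolved.
func CheckGoMod(gomod string) (findings []string) {
	have, block := map[string]string{}, ""
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect"
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // entering "require (" or another block
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require":
			have[f[1]] = f[2]
		case len(f) == 2 && block == "require":
			have[f[0]] = f[1]
		}
	}
	for _, fl := range floors {
		g, ok := parse(have[fl[0]])
		w, _ := parse(fl[1])
		// Numeric compare: as strings, "v0.9.0" would wrongly sort above "v0.52.0".
		if !ok || g[0] < w[0] || (g[0] == w[0] && (g[1] < w[1] || (g[1] == w[1] && g[2] < w[2]))) {
			findings = append(findings, fmt.Sprintf("%s: have %q, need >= %s", fl[0], have[fl[0]], fl[1]))
		}
	}
	return findings
}

func main() {
	// Constructed go.mod fragment carrying the pre-bump versions from the PR.
	old := "require (\n\tgolang.org/x/crypto v0.50.0 // indirect\n\tgolang.org/x/net v0.53.0 // indirect\n)\n"
	fmt.Println(strings.Join(CheckGoMod(old), "\n"))
}
```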

Copilot AI review requested due to automatic review settings May 27, 2026 20:09

Copilot AI left a comment

Pull request overview

This PR updates indirect Go dependencies to remediate reported vulnerabilities while keeping the module graph consistent.

Changes:

  • Bumps golang.org/x/crypto from v0.50.0 to v0.52.0.
  • Bumps golang.org/x/net from v0.53.0 to v0.55.0.
  • Updates related transitive golang.org/x/* checksums and indirect module versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|------|-------------|
| go.mod | Updates indirect Go dependency versions for the vulnerability remediation. |
| go.sum | Refreshes checksums for the updated dependency graph. |

@vitalykorolev force-pushed the MLE-29894_patch-golang-crypto-net-vulns branch 2 times, most recently from 06b8df5 to c74013b, May 28, 2026 14:48
…o v0.55.0 to address CVEs

Upgrades golang.org/x/crypto from v0.50.0 to v0.52.0 to fix 12 CVEs (6 High, 6 Medium) reported in GO-2026-5016 through GO-2026-5033. Also bumps golang.org/x/net from v0.53.0 to v0.55.0 to fix GO-2026-5026 (idna ASCII-only Punycode). Verified clean with govulncheck ./...
@vitalykorolev force-pushed the MLE-29894_patch-golang-crypto-net-vulns branch from c74013b to c2d9fbd, May 28, 2026 16:11
@vitalykorolev merged commit 957be57 into develop, May 28, 2026
3 checks passed
@vitalykorolev deleted the MLE-29894_patch-golang-crypto-net-vulns branch, May 28, 2026 21:03