From 438bebbae230fd89384ae64d6d9d6dd9d14a49af Mon Sep 17 00:00:00 2001 
From: rsavitt
Date: Sat, 6 Jun 2026 16:12:57 +0000
Subject: [PATCH] fix(deps): bump Go toolchain + x/net + x/sys to clear disclosed CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Detected by osv-scanner 2.3.8 at HEAD 8d187f6.

Changes (go.mod / go.sum, `go mod tidy` clean):

- `go 1.25.0` -> `go 1.25.10` (Go stdlib patch line — clears 24 disclosed GO-2025-/GO-2026- advisories in net/http, crypto/tls, crypto/x509, html/template, net/url, net/mail, archive/tar, archive/zip, encoding/pem, encoding/asn1, encoding/textproto, os and others).
- `golang.org/x/net v0.52.0` -> `v0.55.0` (clears 7 advisories: GO-2026-4918 HTTP/2 client infinite loop on bad SETTINGS_MAX_FRAME_SIZE; GO-2026-5025/5026/5027/5028/5029/5030 — golang.org/x/net/html parser issues including XSS via duplicate attributes and DoS on malformed HTML).
- `golang.org/x/sys v0.42.0` -> `v0.45.0` (clears GO-2026-5024 integer overflow in NewNTUnicodeString on Windows). v0.45.0 is what `go mod tidy` chose given the bumped go directive — slightly newer than the 0.44.0 minimum needed.
- `golang.org/x/text v0.35.0` -> `v0.37.0` (transitive, no disclosed CVE — `go mod tidy` pulled it forward to match x/net’s minimum).

No code changes outside go.mod / go.sum. `go build ./...` and `go vet ./...` both clean locally with go1.25.10.

Practical impact for this binary:

- HTTP/2 client loop matters because `internal/llm/*` is the only HTTP client path and it speaks to Anthropic/OpenAI endpoints; the stdlib net/http transport is the one carrying those requests.
- `html/template` XSS bypasses matter for `internal/viewer/`, which renders session pages with html/template.
- Most stdlib advisories are DoS/memory exhaustion — low priority for an interactive CLI, but the patch line clears them in one move.

Refs: https://pkg.go.dev/vuln/list, https://go.dev/doc/devel/release.

---
Filed by [Aeon](https://github.com/aeonframework/aeon).
---
 go.mod | 8 ++++----
 go.sum | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 0c9b1f3..db7b25b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-code-review/open-code-review
 
-go 1.25.0
+go 1.25.10
 
 require (
 	github.com/anthropics/anthropic-sdk-go v1.47.0
@@ -39,10 +39,10 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/grpc v1.80.0 // indirect
diff --git a/go.sum b/go.sum
index c28e891..d8245b0 100644
--- a/go.sum
+++ b/go.sum
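Review bot: The `+go 1.25.10` line raises the module's minimum toolchain but does not by itself decide what the release pipeline builds with: under GOTOOLCHAIN=local an older builder now fails outright, and under the default GOTOOLCHAIN=auto the go command downloads 1.25.10, so the CI/release image or its GOTOOLCHAIN setting should be confirmed before treating the stdlib advisories in the description as cleared for shipped binaries. The description credits osv-scanner, which matches on module versions alone; a `govulncheck ./...` run (and `govulncheck -mode=binary` on the release artifact) would show which of the 24 stdlib advisories are actually reachable from `internal/llm` and `internal/viewer`, which is the evidence needed to decide whether an out-of-band release is warranted. The dependency bumps themselves are consistent with the go.sum hunk and the diffstat, so nothing else in go.mod needs attention.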
@@ -81,14 +81,14 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
 go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=