Skip to content

fix(deps): vuln minor: golang.org/x/net, golang.org/x/sys #298

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1784037966
Draft

fix(deps): vuln minor: golang.org/x/net, golang.org/x/sys #298
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/go/1-1784037966

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • . (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/net v0.38.0 v0.57.0 minor Transitive 2 CRITICAL, 2 HIGH, 13 MEDIUM, 1 UNKNOWN
golang.org/x/sys v0.39.0 v0.47.0 minor Transitive 1 UNKNOWN

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/net GO-2026-5026 critical Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.38.0 0.55.0 View
golang.org/x/net CVE-2026-39821 critical Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.38.0 - View
golang.org/x/net GO-2026-4918 high Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.38.0 0.53.0 View
golang.org/x/net CVE-2026-33814 high Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.38.0 - View
ℹ️ Other Vulnerabilities (15)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/net CVE-2026-25681 medium Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.38.0 - View
golang.org/x/net GO-2026-5027 medium Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.38.0 0.55.0 View
golang.org/x/net CVE-2026-42502 medium Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.38.0 - View
golang.org/x/net CVE-2026-27136 medium Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.38.0 - View
golang.org/x/net GO-2026-5030 medium Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.38.0 0.55.0 View
golang.org/x/net GO-2026-5029 medium Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.38.0 0.55.0 View
golang.org/x/net GO-2026-5025 medium Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.38.0 0.55.0 View
golang.org/x/net CVE-2026-42506 medium Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.38.0 - View
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.38.0 0.55.0 View
golang.org/x/net CVE-2026-25680 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.38.0 - View
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.38.0 0.55.0 View
golang.org/x/net GO-2026-4440 MODERATE Quadratic parsing complexity in golang.org/x/net/html v0.38.0 0.45.0 View
golang.org/x/net GHSA-w4gw-w5jq-g9jh MODERATE golang.org/x/net/html has a Quadratic Parsing Complexity issue v0.38.0 - View
golang.org/x/net GO-2026-4441 unknown Infinite parsing loop in golang.org/x/net v0.38.0 0.45.0 View
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.39.0 0.44.0 -

Pausing automation
Set the case status to Blocked in Case Management to pause ADMS automation for this dependency. ADMS will skip updating it in the manifest while its case is Blocked — other dependencies in this PR (or future PRs) are unaffected. ADMS never changes a Blocked case's status automatically; move it back to Open (or another active status) yourself when you're ready to resume. See the case link in the table above.

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jul 14, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 7 Pipeline jobs failed

DataDog/extendeddaemonset | tests   View in Datadog   GitLab

validation | e2e (v1.22.12)   View in Datadog   GitHub Actions

DataDog/extendeddaemonset | generate_code   View in Datadog   GitLab

View all 7 failed jobs.

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: cf1d648 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants