Skip to content

chore(deps): update module golang.org/x/net to v0.53.0 [security]#19

Merged
alaudabot merged 2 commits into
alauda-v1.1.0from
renovate/go-golang.org-x-net-vulnerability
May 10, 2026
Merged

chore(deps): update module golang.org/x/net to v0.53.0 [security]#19
alaudabot merged 2 commits into
alauda-v1.1.0from
renovate/go-golang.org-x-net-vulnerability

Conversation

@alaudaa-renovate
Copy link
Copy Markdown

@alaudaa-renovate alaudaa-renovate Bot commented May 10, 2026

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/net v0.48.0 -> v0.53.0 age confidence

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate
Copy link
Copy Markdown
Author

alaudaa-renovate Bot commented May 10, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: image/git-init/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/AlaudaDevops/pipeline v1.0.3-alauda.1
verifying github.com/AlaudaDevops/pipeline@v1.0.3-alauda.1: checksum mismatch
	downloaded: h1:f1T8c1qbcDyglpn1AYsc9DFbYl0cyU7wSBq3WOtM5Hk=
	go.sum:     h1:pybo+0jl4ds4/xPOitXDFkLojhfGsDl9CsJpnKtgLwI=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

@l-qing
chore(image/git-init): update vendored Go dependencies
306f518 
- bump indirect Go module versions in go.mod and go.sum
- refresh vendored x/net, x/sys, x/term, and x/text sources
- align module metadata with the updated dependency set
@alaudabot alaudabot merged commit 5664130 into alauda-v1.1.0 May 10, 2026
2 checks passed
@alaudabot alaudabot deleted the renovate/go-golang.org-x-net-vulnerability branch May 10, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@yuzichen12123 yuzichen12123

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alaudabot @yuzichen12123 @l-qing