Commit 443bc1a
authored
fix: upgrade golang.org/x/net to v0.55.0 (5 html CVEs) (#25772)
Upgrades `golang.org/x/net` from v0.53.0 to v0.55.0 on `release/2.32` to
address 5 CVEs in `x/net/html`:
| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2026-25680 | Low | DoS via cubic complexity in HTML tree
construction |
| CVE-2026-25681 | Low | Incorrect handling of character references in
DOCTYPE (XSS) |
| CVE-2026-27136 | Low | Incorrect handling of namespaced elements in
foreign content (XSS) |
| CVE-2026-42502 | Low | Incorrect handling of HTML elements in foreign
content (XSS) |
| CVE-2026-42506 | Low | Failure to reject ASCII-only Punycode-encoded
labels (privilege escalation) |
Transitive dependency bumps:
- `golang.org/x/crypto` v0.50.0 -> v0.51.0
- `golang.org/x/sys` v0.43.0 -> v0.45.0
- `golang.org/x/term` v0.42.0 -> v0.43.0
- `golang.org/x/text` v0.36.0 -> v0.37.0
Fixes [ENT-92](https://linear.app/codercom/issue/ENT-92)
Supersedes [ENT-28](https://linear.app/codercom/issue/ENT-28)
> Generated with [Coder Agents](https://coder.com) by @Shelnutt21 parent 3fe6edd commit 443bc1a
2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
221 | 221 | | |
222 | 222 | | |
223 | 223 | | |
224 | | - | |
| 224 | + | |
225 | 225 | | |
226 | 226 | | |
227 | 227 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1400 | 1400 | | |
1401 | 1401 | | |
1402 | 1402 | | |
1403 | | - | |
1404 | | - | |
| 1403 | + | |
| 1404 | + | |
1405 | 1405 | | |
1406 | 1406 | | |
1407 | 1407 | | |
| |||
0 commit comments