From 2d2fc2419c0c40e1ebfc2aafe04e14a7ff0eb817 Mon Sep 17 00:00:00 2001
From: Seth Shelnutt
Date: Thu, 28 May 2026 10:12:37 +0000
Subject: [PATCH] fix(deps): upgrade golang.org/x/net to v0.55.0 (5 html CVEs)

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on release/2.32 to address 5 CVEs in x/net/html:
- CVE-2026-25680: DoS via cubic complexity in HTML tree construction
- CVE-2026-25681: Incorrect handling of character references in DOCTYPE (XSS)
- CVE-2026-27136: Incorrect handling of namespaced elements in foreign content (XSS)
- CVE-2026-42502: Incorrect handling of HTML elements in foreign content (XSS)
- CVE-2026-42506: Failure to reject ASCII-only Punycode-encoded labels (privilege escalation)

Transitive dependency bumps:
- golang.org/x/crypto v0.50.0 -> v0.51.0
- golang.org/x/sys v0.43.0 -> v0.45.0
- golang.org/x/term v0.42.0 -> v0.43.0
- golang.org/x/text v0.36.0 -> v0.37.0

Fixes: ENT-92
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index bcbbe02b3f332..343b13d4255dc 100644
--- a/go.mod
+++ b/go.mod
@@ -221,7 +221,7 @@ require (
 golang.org/x/crypto v0.52.0
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
 golang.org/x/mod v0.35.0
- golang.org/x/net v0.54.0
+ golang.org/x/net v0.55.0
 golang.org/x/oauth2 v0.36.0
 golang.org/x/sync v0.20.0
 golang.org/x/sys v0.45.0
diff --git a/go.sum b/go.sum
index e6c2a392888fb..1a5d4bb86591a 100644
--- a/go.sum
+++ b/go.sum
@@ -1400,8 +1400,8 @@ golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=