
fix: upgrade golang.org/x/net to v0.55.0 (release/2.29) #25778

Merged
f0ssel merged 1 commit into release/2.29 from seth/ent-100-upgrade-xnet-v0.55.0-release-2.29
May 30, 2026

@Shelnutt2
Contributor

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 on the release/2.29 branch to fix 5 x/net/html CVEs discovered in IronBank scan.

CVEs Fixed

| CVE | Description |
| --- | --- |
| CVE-2026-25680 | DoS via cubic complexity algorithm in HTML tree construction |
| CVE-2026-25681 | Incorrect handling of character references in DOCTYPE nodes (XSS) |
| CVE-2026-27136 | Incorrect handling of namespaced elements in foreign content (XSS) |
| CVE-2026-42502 | Incorrect handling of HTML elements in foreign content (XSS) |
| CVE-2026-42506 | Failure to reject ASCII-only Punycode-encoded labels (privilege escalation) |

Changes

  • golang.org/x/net v0.53.0 -> v0.55.0
  • golang.org/x/crypto v0.50.0 -> v0.51.0 (transitive)
  • golang.org/x/sys v0.43.0 -> v0.45.0 (transitive)
  • golang.org/x/term v0.42.0 -> v0.43.0 (transitive)
  • golang.org/x/text v0.36.0 -> v0.37.0 (transitive)

Linear: ENT-100

Generated by Coder Agents on behalf of @Shelnutt2
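
A check a release branch can run so that a later merge does not quietly move x/net back below the fixed version. This is an added example, not code from this PR or from the project; the function names and the sample go.mod are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// AtLeast reports have >= want; a pre-release of the same core counts as older.
func AtLeast(have, want string) (bool, error) {
	var p [2][3]int
	for i, v := range []string{have, want} {
		if _, err := fmt.Sscanf(v, "v%d.%d.%d", &p[i][0], &p[i][1], &p[i][2]); err != nil {
			return false, fmt.Errorf("bad version %q: %w", v, err)
		}
	}
	for i := range p[0] {
		if p[0][i] != p[1][i] {
			return p[0][i] > p[1][i], nil
		}
	}
	return !strings.Contains(have, "-") || strings.Contains(want, "-"), nil
}

// Pinned maps module -> version for each require directive (replace is ignored).
func Pinned(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//")
		switch f := strings.Fields(line); {
		case len(f) == 2 && f[1] == "(":
			inBlock = f[0] == "require"
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// Constructed sample go.mod that is still on the pre-upgrade x/net version.
const sample = "module example.test/app\n\nrequire (\n\tgolang.org/x/net v0.53.0\n\tgolang.org/x/text v0.37.0 // indirect\n)\n"

func main() {
	ok, err := AtLeast(Pinned(sample)["golang.org/x/net"], "v0.55.0") // fixed version per the PR
	fmt.Println("x/net >= v0.55.0:", ok, err)
}
```

Because replace directives can override what go.mod requires, compare against the resolved version from `go list -m golang.org/x/net` where the toolchain is available.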

@Shelnutt2 Shelnutt2 requested a review from f0ssel May 28, 2026 10:17
@Shelnutt2 Shelnutt2 changed the title fix(go.mod): upgrade golang.org/x/net to v0.55.0 (release/2.29) fix: upgrade golang.org/x/net to v0.55.0 (release/2.29) May 28, 2026
@Shelnutt2 Shelnutt2 added dependencies Pull requests that update a dependency file cherry-pick/v2.29 Needs to be cherry-picked to the 2.29 release branch labels May 28, 2026
Fixes 5 x/net/html CVEs (CVE-2026-25680, CVE-2026-25681, CVE-2026-27136,
CVE-2026-42502, CVE-2026-42506) discovered in IronBank scan.

Also bumps transitive x/ dependencies:
- x/crypto v0.50.0 -> v0.51.0
- x/sys v0.43.0 -> v0.45.0
- x/term v0.42.0 -> v0.43.0
- x/text v0.36.0 -> v0.37.0
@f0ssel f0ssel force-pushed the seth/ent-100-upgrade-xnet-v0.55.0-release-2.29 branch from d366834 to f9b95f7 Compare May 30, 2026 19:57
@f0ssel
Member

f0ssel commented May 30, 2026

pushed to fix merge conflicts

@f0ssel f0ssel merged commit 3868714 into release/2.29 May 30, 2026
25 checks passed
@f0ssel f0ssel deleted the seth/ent-100-upgrade-xnet-v0.55.0-release-2.29 branch May 30, 2026 20:08
@github-actions github-actions Bot locked and limited conversation to collaborators May 30, 2026