Skip to content

Bump x/crypto and x/net to patch critical CVEs#842

Merged
karthikiyer56 merged 2 commits into
mainfrom
karthik/bump-crypto-net-cves
Jul 7, 2026
Merged

Bump x/crypto and x/net to patch critical CVEs#842
karthikiyer56 merged 2 commits into
mainfrom
karthik/bump-crypto-net-cves

Conversation

@karthikiyer56

Copy link
Copy Markdown
Contributor

Summary

  • Bumps golang.org/x/crypto v0.45.0 → v0.52.0, fixing CVE-2026-46595 (Critical).
  • Bumps golang.org/x/net v0.47.0 → v0.55.0, fixing CVE-2026-39821 (Critical).
  • Both were flagged as vulnerable indirect dependencies in the stellar-rpc binary.
  • go mod tidy pulled the transitive x/* bumps required by the upgrades (mod, sync, sys, text).
  • The go directive moves 1.251.25.0 — the minimum declared by the upgraded modules; still Go 1.25, so the 1.25 CI/Docker pins are unaffected.
  • No source changes; all packages type-check clean against the new versions.

Upgrades two vulnerable indirect dependencies to their fixed versions:

- golang.org/x/crypto v0.45.0 -> v0.52.0 (CVE-2026-46595, Critical)
- golang.org/x/net    v0.47.0 -> v0.55.0 (CVE-2026-39821, Critical)

go mod tidy pulled the required transitive x/* bumps (mod, sync, sys,
text) and raised the go directive to 1.25.0, the minimum declared by the
upgraded modules. Still Go 1.25, so the 1.25 CI/Docker pins are unaffected.
Copilot AI review requested due to automatic review settings July 7, 2026 03:21
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgolang/​golang.org/​x/​mod@​v0.29.0 ⏵ v0.35.096100100100100

View full report

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Go module dependencies to remediate critical security vulnerabilities flagged via indirect dependencies in the stellar-rpc binary.

Changes:

  • Bumped golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0.
  • Updated transitive golang.org/x/* modules pulled in by go mod tidy (notably x/mod, x/sync, x/sys, x/text, and x/term in go.sum).
  • Adjusted the go directive in go.mod from 1.25 to 1.25.0 to match updated module requirements.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
go.mod Updates go directive and bumps golang.org/x/* module versions to address critical CVEs.
go.sum Refreshes checksums to match the upgraded golang.org/x/* module set from go mod tidy.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@karthikiyer56 karthikiyer56 requested a review from a team July 7, 2026 04:28
@karthikiyer56 karthikiyer56 enabled auto-merge (squash) July 7, 2026 14:22
@karthikiyer56 karthikiyer56 merged commit d06e657 into main Jul 7, 2026
17 checks passed
@karthikiyer56 karthikiyer56 deleted the karthik/bump-crypto-net-cves branch July 7, 2026 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants