fix: bump extras/dagger golang.org/x/net to v0.53.0 #3252
chainloop-platform[bot] wants to merge 1 commit into
Kusari Analysis Results:

Caution: Flagged Issues Detected

While the code analysis found zero issues in the modified files (extras/dagger/go.mod and extras/dagger/go.sum), the dependency analysis identified a critical concern that we strongly recommend addressing before merging. The PR updates golang.org/x/net from v0.44.0 to v0.53.0 to resolve CVE-2026-33814, but v0.53.0 still carries 6 active vulnerabilities: three XSS vulnerabilities (CVE-2026-25681, CVE-2026-27136, CVE-2026-42506, CVE-2026-42502) in HTML parsing and rendering, a DoS vulnerability via excessive CPU usage during HTML parsing (CVE-2026-25680), and a privilege escalation issue in the idna package via failure to reject ASCII-only Punycode-encoded labels (CVE-2026-39821). These vulnerabilities present meaningful risk, particularly the XSS and privilege escalation issues, which could have direct business impact if exploited.

The fix is straightforward: update golang.org/x/net to v0.56.0 instead of v0.53.0, which fully resolves all known active advisories. Action item: run 'go get golang.org/x/net@v0.56.0' in the extras/dagger directory and update the go.sum accordingly before merging.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

Dependency path: golang.org/x/net (direct dependency). The vulnerabilityFixReport identifies v0.56.0 as the version that resolves all active vulnerabilities. Update to v0.56.0 instead of v0.53.0: this is a direct dependency update, so the fix is straightforward.
Summary
Updated the optional extras/dagger module to use the first golang.org/x/net release that fixes GO-2026-4918, and raised that module's Go directive so the patched dependency can resolve cleanly.

Vulnerability Fixed

GO-2026-4918 - golang.org/x/net (HIGH): when processing HTTP/2 SETTINGS frames, the transport can loop indefinitely writing CONTINUATION frames after receiving SETTINGS_MAX_FRAME_SIZE=0, causing client-side denial of service.

Changes Made

- Bumped golang.org/x/net in extras/dagger/go.mod from v0.44.0 to v0.53.0, the first fixed release for this advisory.
- Raised the extras/dagger module go directive from 1.24.0 to 1.25.0 because golang.org/x/net v0.53.0 declares go 1.25.0.
- Updated extras/dagger/go.sum with the v0.53.0 checksums.

Verification

Ran syft dir:. -o cyclonedx-json=/tmp/chainloop-sbom.json and grype sbom:/tmp/chainloop-sbom.json --only-fixed -o json against the patched repository. Classification: resolved. A targeted follow-up check confirmed GO-2026-4918 - golang.org/x/net is no longer reported. Caveat: the scan still reports other unrelated fixed advisories in extras/dagger, including newer golang.org/x/net issues fixed after v0.53.0.

Risk Assessment
View the risk assessment in Chainloop
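The two conditions this PR has to satisfy (the module is at or above the first fixed release, and the go directive is high enough for that release to resolve) are easy to check mechanically against a go.mod without an SBOM scanner. The following Go program is an added example written for this page, not code from the Chainloop repository or from syft/grype: it parses go.mod text, extracts the required version of a module and the go directive, and compares them numerically, treating a pre-release such as v0.53.0-rc1 as falling short of v0.53.0. The module path in the embedded sample go.mod is a placeholder and the function names (ModuleVersion, GoDirective, AtLeast, CheckAdvisory) are this example's own; the versions v0.44.0, v0.53.0, 1.24.0 and 1.25.0 come from the PR description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod reflecting the state this PR leaves extras/dagger
// in (the module path is a placeholder; the versions are the ones from the PR).
const sampleGoMod = `module example.com/placeholder/extras/dagger

go 1.25.0

require (
	golang.org/x/net v0.53.0
	golang.org/x/sys v0.31.0 // indirect
)
`

type version struct {
	nums [3]int
	pre  bool // pre-release (e.g. v0.53.0-rc1) sorts before the final release
}

// parseVersion accepts "v0.53.0" (module versions) and "1.25.0" (go directive).
func parseVersion(s string) (version, bool) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 { // anything after '-' is a pre-release tag
		v.pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v.nums[i] = n
	}
	return v, true
}

// AtLeast reports whether have >= want. Unparsable input counts as NOT
// satisfying the requirement, so a malformed go.mod cannot pass the check.
func AtLeast(have, want string) bool {
	h, ok1 := parseVersion(have)
	w, ok2 := parseVersion(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if h.nums[i] != w.nums[i] {
			return h.nums[i] > w.nums[i]
		}
	}
	return !h.pre || w.pre // same numbers: only a pre-release falls short of a final release
}

// ModuleVersion finds the required version of module in go.mod text. It handles
// both "require path vX" lines and "require ( ... )" blocks; replace lines are skipped.
func ModuleVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if line == "" || strings.HasPrefix(line, "//") || strings.Contains(line, "=>") {
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// GoDirective returns the value of the "go" directive, if present.
func GoDirective(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "go" {
			return f[1], true
		}
	}
	return "", false
}

// CheckAdvisory returns the findings for one advisory: the module must be at
// least fixedIn, and the go directive must meet the minimum that the fixed
// dependency declares (per the PR, golang.org/x/net v0.53.0 declares go 1.25.0).
func CheckAdvisory(gomod, module, fixedIn, minGo string) []string {
	var findings []string
	v, ok := ModuleVersion(gomod, module)
	switch {
	case !ok:
		findings = append(findings, module+": not required in go.mod")
	case !AtLeast(v, fixedIn):
		findings = append(findings, fmt.Sprintf("%s %s is below first fixed release %s", module, v, fixedIn))
	}
	if g, ok := GoDirective(gomod); !ok || !AtLeast(g, minGo) {
		findings = append(findings, fmt.Sprintf("go directive %q is below %s required by %s %s", g, minGo, module, fixedIn))
	}
	return findings
}

func main() {
	check := func(label, gomod string) {
		for _, f := range CheckAdvisory(gomod, "golang.org/x/net", "v0.53.0", "1.25.0") {
			fmt.Printf("FINDING (%s): %s\n", label, f)
		}
	}
	check("after PR", sampleGoMod) // no findings expected
	// Reconstruct the pre-PR state to show the check failing on both conditions.
	before := strings.NewReplacer("v0.53.0", "v0.44.0", "go 1.25.0", "go 1.24.0").Replace(sampleGoMod)
	check("before PR", before)
}
```

Run with `go run .` in a scratch directory; the "after PR" state produces no findings, while the reconstructed "before PR" state is flagged both for the module version and for the go directive. The same CheckAdvisory call with fixedIn set to v0.56.0 would express the stricter bar the Kusari comment asks for.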