
Bump golang.org/x/net to v0.53.0 to fix CVE-2026-33814 #129

Open
alexandrule wants to merge 1 commit into basecamp:main from alexandrule:bump-golang


@alexandrule


Fixes an infinite loop in HTTP/2 SETTINGS frame processing when
SETTINGS_MAX_FRAME_SIZE is 0. Also bumps x/crypto to v0.50.0 and
x/text to v0.36.0 as co-released transitive updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings May 26, 2026 05:59

@claude claude Bot left a comment


Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates Golang x/* module dependencies to newer versions (and corresponding go.sum entries), likely for security fixes and compatibility improvements.

Changes:

  • Bumped golang.org/x/crypto to v0.50.0
  • Bumped golang.org/x/net to v0.53.0
  • Bumped indirect golang.org/x/text to v0.36.0 and updated go.sum

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| go.mod | Updates required/indirect golang.org/x/* dependency versions. |
| go.sum | Refreshes checksums to match updated go.mod module versions. |

Comments suppressed due to low confidence (1)

go.mod:3

  • The go directive is set to 1.26.3, which is very likely not a valid/available Go toolchain version and can break builds (e.g., CI or developers pinned to released Go versions). Update it to a released Go version used by this repo (typically go 1.xx.y or go 1.xx) and align CI/toolchain configuration accordingly.
go 1.26.3


@alexandrule


Hi! Do you know if there is any plan to merge this and publish a new Thruster release soon?
We’re currently seeing these Go CVEs reported against the bundled thrust binary, and this update would help us close the security findings on our side.
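
To confirm whether a built binary, such as the bundled thrust binary mentioned in this thread, embeds a golang.org/x/net older than the v0.53.0 named in the PR title, the module list recorded in the binary can be read directly. This is an added example, not part of the pull request or the Thruster code base; the tool name `xnetcheck` and the function names are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"log"
	"os"
	"strconv"
	"strings"
)

// Module and first fixed version, both taken from the pull request title.
const module, fixed = "golang.org/x/net", "v0.53.0"

// core returns the numeric parts of a module version and whether it had a pre-release suffix.
func core(v string) (n [3]int, pre bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop "+incompatible"
	v, _, pre = strings.Cut(v, "-")                        // pseudo-versions carry a "-" suffix
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // unparsable parts count as 0, so they get flagged
	}
	return n, pre
}

// predates reports whether version sorts before fixed. A pre-release or
// pseudo-version of fixed itself is flagged too, erring toward a finding.
func predates(version string) bool {
	have, pre := core(version)
	want, _ := core(fixed)
	for i := range have {
		if have[i] != want[i] {
			return have[i] < want[i]
		}
	}
	return pre
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: xnetcheck <go-binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // same data as `go version -m`
	if err != nil {
		log.Fatal(err)
	}
	for _, d := range info.Deps {
		if d.Path == module && predates(d.Version) {
			log.Fatalf("%s %s predates %s", d.Path, d.Version, fixed)
		}
	}
}
```

A non-zero exit status means the binary still carries an x/net build older than the fixed version; a silent exit means the embedded version is at or above it, or the module is not linked in.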
