Patch CVE-2026-39821 by updating golang.org/x/net to v0.55.0 (#713)

Merged
amir-yogev-gh merged 1 commit into flightctl:main from amir-yogev-gh:cve-fix/CVE-2026-39821 on Jun 30, 2026
Conversation

amir-yogev-gh (Collaborator) commented Jun 29, 2026

CVE Fix

Vulnerabilities Addressed

| CVE ID | Severity | Package | Old Version | New Version |
|---|---|---|---|---|
| CVE-2026-39821 | CRITICAL | golang.org/x/net/idna | v0.46.0 | v0.55.0 |

Strategy Justification

CVE-2026-39821 — golang.org/x/net/idna

| # | Strategy | Result | Details |
|---|---|---|---|
| 1 | Direct update (minor) | Success | go get golang.org/x/net@v0.55.0 — matches backend version |

Additional Dependency Changes

Updating golang.org/x/net also upgraded its companion modules:

| Package | Old Version | New Version |
|---|---|---|
| golang.org/x/crypto | v0.43.0 | v0.51.0 |
| golang.org/x/sys | v0.37.0 | v0.45.0 |
| golang.org/x/text | v0.30.0 | v0.37.0 |

Validation

  • Dependencies: Updated to fixed version (v0.55.0 verified via go list -m)
  • Binary scan: PASS — govulncheck binary mode confirms CVE-2026-39821 absent from compiled binary
  • Build: PASS (go build ./...)
  • Tests: Pre-existing failure in auth/redirect_test.go (not related to this change); config tests pass

Rollback

To revert this change:

git revert <commit-sha>

Updated the Go auth proxy dependency set in proxy/go.mod by upgrading golang.org/x/net from v0.46.0 to v0.55.0 to address CVE-2026-39821, and aligning related golang.org/x/* indirect modules: golang.org/x/crypto (v0.43.0 → v0.51.0), golang.org/x/sys (v0.37.0 → v0.45.0), and golang.org/x/text (v0.30.0 → v0.37.0).

Affected area: proxy/ only.
No shared UI components, platform-specific app code, container build, E2E tests, or CI/workflow configuration changes.
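A gate script a maintainer could run in CI to confirm that a go.mod carries at least the versions this PR establishes (x/net v0.55.0 and the companion module versions in the tables above). It is added here as an example and is not part of this PR or the flightctl repository; the go.mod contents are constructed sample data and the module path example.com/proxy is a placeholder.

```shell
#!/bin/sh
# Gate a module's golang.org/x/* pins against minimum versions.
# Handles the block form of go.mod "require ( ... )" only.
# Constructed go.mod mirroring the pins after the bump (example data only).
write_sample_go_mod() {
  cat > "$1" <<'EOF'
module example.com/proxy
go 1.24
require (
    golang.org/x/crypto v0.51.0 // indirect
    golang.org/x/net v0.55.0 // indirect
    golang.org/x/sys v0.45.0 // indirect
    golang.org/x/text v0.37.0 // indirect
)
EOF
}

# Print the version pinned for module $2 in go.mod $1 (empty if not required).
pinned_version() {
  awk -v mod="$2" '$1 == mod && $2 ~ /^v[0-9]/ { print $2; exit }' "$1"
}

# Succeed when vMAJOR.MINOR.PATCH $1 >= $2; a -suffix is dropped before comparing.
version_ge() {
  a=${1#v}; b=${2#v}
  a1=${a%%.*}; r=${a#*.}; a2=${r%%.*}; a3=${r#*.}; a3=${a3%%-*}
  b1=${b%%.*}; r=${b#*.}; b2=${r%%.*}; b3=${r#*.}; b3=${b3%%-*}
  if [ "$a1" -ne "$b1" ]; then return $(( a1 < b1 )); fi
  if [ "$a2" -ne "$b2" ]; then return $(( a2 < b2 )); fi
  return $(( a3 < b3 ))
}

# check_min_versions GO_MOD MODULE MIN_VERSION [MODULE MIN_VERSION ...]
# Prints one line per module; exit status 1 if any pin is missing or too old.
check_min_versions() {
  gomod=$1; shift; status=0
  while [ $# -ge 2 ]; do
    mod=$1; want=$2; shift 2
    have=$(pinned_version "$gomod" "$mod")
    if [ -z "$have" ]; then echo "MISSING $mod (want >= $want)"; status=1
    elif version_ge "$have" "$want"; then echo "OK      $mod $have >= $want"
    else echo "FAIL    $mod $have < $want"; status=1; fi
  done
  return "$status"
}

tmp_mod=$(mktemp); write_sample_go_mod "$tmp_mod"
check_min_versions "$tmp_mod" golang.org/x/net v0.55.0 golang.org/x/crypto v0.51.0 \
  golang.org/x/sys v0.45.0 golang.org/x/text v0.37.0
rm -f "$tmp_mod"
```

Point it at the real proxy/go.mod to get a non-zero exit when any pin regresses below the fixed version; govulncheck remains the authoritative check for whether the vulnerable code is actually reachable in the binary.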

coderabbitai (bot) commented Jun 29, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between cf4709a and fa1e947.

⛔ Files ignored due to path filters (1)
  • proxy/go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • proxy/go.mod

Walkthrough

Four indirect golang.org/x/* dependencies in proxy/go.mod are version-bumped: x/crypto to 0.51.0, x/net to 0.55.0, x/sys to 0.45.0, and x/text to 0.37.0. x/exp is unchanged.

Changes

Dependency version bumps

| Layer / File(s) | Summary |
|---|---|
| golang.org/x/ version pins (proxy/go.mod) | x/crypto (0.43→0.51), x/net (0.46→0.55), x/sys (0.37→0.45), and x/text (0.30→0.37) indirect requirements are pinned to newer versions; x/exp is unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

proxy

Suggested reviewers

  • celdrake

Poem

Four modules marched in, versions held high,
x/crypto, x/net, waving goodbye
to old pinned releases, now sharper and new.
x/sys and x/text got fresh tags too.
go.mod smiles, its lockstep precise —
indirect deps bumped, clean and concise. 🔒

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Generated-Files-Not-Hand-Edited | ⚠️ Warning | HEAD modifies generated assets (translation.json and many libs/types/* model files), which this check forbids unless regenerated. | Regenerate the affected files with npm run gen-types or npm run i18n, then commit the generated output instead of hand-editing them. |
| I18n-Compliance | ⚠️ Warning | CreateAuthProviderForm adds hardcoded user-visible aria-label="Enabled help text" instead of wrapping it in t(). | Wrap that string with t() and add the translation key to the locale files. |
✅ Passed checks (13 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly describes the main security-related change: patching CVE-2026-39821 by upgrading golang.org/x/net. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | proxy/go.mod only updates module versions; scans found no API keys, tokens, passwords, private keys, embedded creds, or secret-like literals. |
| No-Weak-Crypto | ✅ Passed | PR only updates go.mod/go.sum dependency pins; no added weak ciphers, custom crypto, or non-constant-time secret comparisons in the changed files. |
| No-Injection-Vectors | ✅ Passed | PR only bumps Go module versions in proxy/go.mod; no code paths with eval/exec, unsafe HTML, or unsafe YAML loading were introduced. |
| Container-Privileges | ✅ Passed | Repo-wide scan found no privileged:true, hostPID/Network/IPC, allowPrivilegeEscalation:true, SYS_ADMIN, or runAsUser:0 in manifests; only build-stage root in Containerfiles. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The PR only updates dependency pins in proxy/go.mod; no logging code or sensitive-data-bearing log statements were changed. |
| Resource-Leaks | ✅ Passed | Changed proxy Go files only toggle UI config and add a JSON handler; no opened files, response bodies, connections, or unmanaged goroutines were added. |
| Unchecked-Errors | ✅ Passed | PASS: This PR only updates proxy/go.mod dependency pins; no proxy/*.go files were changed, so the unchecked-error rule isn't triggered. |
| Ai-Attribution | ✅ Passed | The commit message includes an acceptable AI attribution trailer: "Assisted-by: Claude"; no AI-related Co-Authored-By trailer was found. |
Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"
@amir-yogev-gh amir-yogev-gh requested a review from celdrake June 29, 2026 15:51
Resolves CVE-2026-39821 (CRITICAL) in golang.org/x/net/idna.
Updated golang.org/x/net from v0.46.0 to v0.55.0 via direct update,
matching the backend version. Also upgraded companion modules:
x/crypto v0.43.0→v0.51.0, x/sys v0.37.0→v0.45.0, x/text v0.30.0→v0.37.0.

Assisted-by: Claude <noreply@anthropic.com>
amir-yogev-gh force-pushed the cve-fix/CVE-2026-39821 branch from cf4709a to fa1e947 on June 30, 2026 06:39
amir-yogev-gh merged commit 6a62298 into flightctl:main on Jun 30, 2026 (10 checks passed)
amir-yogev-gh deleted the cve-fix/CVE-2026-39821 branch on June 30, 2026 06:44
amir-yogev-gh added a commit that referenced this pull request Jun 30, 2026
Patch CVE-2026-39821 by updating golang.org/x/net to v0.55.0

(cherry picked from commit 6a62298)
amir-yogev-gh added a commit that referenced this pull request Jun 30, 2026
Patch CVE-2026-39821 by updating golang.org/x/net to v0.55.0

(cherry picked from commit 6a62298)