
fix: upgrade vulnerable golang.org/x/{crypto,net,sys} (Aikido) #1082

Merged: dorothyyzh merged 1 commit into main from fix/aikido-dependency-vulnerabilities-2026-06-08 on Jun 8, 2026

Conversation

@dorothyyzh

Contributor

Summary

Upgrades vulnerable golang.org/x/* dependencies flagged by Aikido Security (team 296964).

Package              Old      New
golang.org/x/crypto  v0.49.0  v0.52.0
golang.org/x/net     v0.52.0  v0.55.0
golang.org/x/sys     v0.42.0  v0.45.0
golang.org/x/text    v0.36.0  v0.37.0 (transitive)

Aikido Issues Resolved

  • Group 30922310 — x/crypto — Authorization bypass (Critical)
  • Group 30922311 — x/net — Missing input validation (Critical)
  • Group 30922312 — x/sys — Integer overflow (Low)

Verification

  • go build ✅ + go vet ✅ + go test ✅ for all packages except media/vips
  • media/vips requires the native vips/pkg-config lib (not installed locally) and integration tests require a live DB — both are unrelated to this dependency bump and pre-existing constraints. CI should exercise them.
  • Pre-existing vet note pagebuilder/model_events.go:101: unreachable code is unrelated to this change (a return after panic()).

Deployment Note

Skill does not touch release-* branches. Merging + release promotion handled per team policy.

🤖 Generated with Claude Code

- golang.org/x/crypto v0.49.0 => v0.52.0
- golang.org/x/net    v0.52.0 => v0.55.0
- golang.org/x/sys    v0.42.0 => v0.45.0
- golang.org/x/text   v0.36.0 => v0.37.0 (transitive)

Resolves Aikido groups 30922310 (x/crypto), 30922311 (x/net), 30922312 (x/sys).

Verified: build + vet + unit tests pass for all non-media/vips packages.
media/vips needs native vips lib; integration tests need a DB — both
unrelated to this dependency bump and not exercisable locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
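As an added example (not code from this PR or the project), a small Go check that reads a go.mod and reports every golang.org/x module still pinned below the fixed versions in the table above, including transitive `// indirect` entries such as x/text, so a reviewer can confirm the bump landed where the scanner flagged it. The go.mod content, module path and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimums are the fixed versions from the PR table; anything pinned below them is still flagged.
var Minimums = map[string]string{
	"golang.org/x/crypto": "v0.52.0", "golang.org/x/net": "v0.55.0",
	"golang.org/x/sys": "v0.45.0", "golang.org/x/text": "v0.37.0",
}

// SampleGoMod is a constructed go.mod: x/net already upgraded, the other three still on old versions.
const SampleGoMod = `module example.com/app
require golang.org/x/crypto v0.49.0
require (
	golang.org/x/net v0.55.0
	golang.org/x/sys v0.42.0 // indirect
	golang.org/x/text v0.36.0 // indirect
)`

// VersionLess reports whether a < b by numeric major.minor.patch; "-pre"/"+build" suffixes are
// ignored and a version that does not parse as vX.Y.Z counts as outdated, so the check fails closed.
func VersionLess(a, b string) bool {
	var x, y [3]int
	if _, err := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2]); err != nil {
		return true
	}
	if _, err := fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2]); err != nil {
		return true
	}
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// Outdated maps each require entry pinned below its minimum to the version actually found.
// Handles single-line requires, require blocks and "// indirect" comments; unlisted modules are ignored.
func Outdated(gomod string, minimums map[string]string) map[string]string {
	found := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comment
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && minimums[f[0]] != "" && VersionLess(f[1], minimums[f[0]]) {
			found[f[0]] = f[1]
		}
	}
	return found
}

func main() { fmt.Println(Outdated(SampleGoMod, Minimums)) }
```

Numeric comparison matters here: a lexicographic check would rank v0.9.0 above v0.10.0 and miss a real downgrade.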
@deepsource-io

deepsource-io Bot commented Jun 8, 2026


DeepSource Code Review

We reviewed changes in 2938d81...0e5b8a9 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

Code Review Summary

Analyzer Status Updated (UTC) Details
Go Jun 8, 2026 3:52 a.m. Review

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@codecov

codecov Bot commented Jun 8, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@dorothyyzh dorothyyzh merged commit 3aa4c04 into main Jun 8, 2026
10 checks passed
@dorothyyzh dorothyyzh deleted the fix/aikido-dependency-vulnerabilities-2026-06-08 branch June 8, 2026 04:55
2 participants