Skip to content

Update module golang.org/x/crypto to v0.45.0 [SECURITY] #756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update module golang.org/x/crypto to v0.45.0 [SECURITY] #756

renovate wants to merge 1 commit into from
+7 −7

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 20, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/crypto v0.32.0v0.45.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-22869

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Contributor Author

renovate bot commented Nov 20, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
golang.org/x/net v0.34.0 -> v0.47.0
go 1.21 -> 1.24.0

@codecov
Copy link

codecov bot commented Nov 20, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.73%. Comparing base (9495bef) to head (9f00f87).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #756      +/-   ##
==========================================
+ Coverage   81.72%   81.73%   +0.01%     
==========================================
  Files         108      108              
  Lines        6062     6062              
==========================================
+ Hits         4954     4955       +1     
+ Misses        712      711       -1     
  Partials      396      396
Flag Coverage Δ
go 81.73% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@theodorsm
Copy link
Member

theodorsm commented Nov 20, 2025

We are not using the SSH package provided by the crypto library, so we are not affected by these vulnerabilities. This also requires us to upgrade the minimum go version to 1.24.0, which we are not doing yet.

@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 48b603e to 1fa7fd2 Compare November 20, 2025 21:02
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from aa9fb66 to fbbeef6 Compare December 3, 2025 23:02
@renovate
Copy link
Contributor Author

renovate bot commented Dec 11, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
golang.org/x/net v0.34.0 -> v0.47.0
go 1.21 -> 1.24.0

@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from f550ffc to 767d4bd Compare December 18, 2025 19:38
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 44303d8 to f371b0e Compare December 20, 2025 23:44
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 3 times, most recently from 2af41c6 to a5198b0 Compare January 10, 2026 12:29
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 9 times, most recently from 8680ef7 to 048e794 Compare January 22, 2026 12:15
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 048e794 to 1283a7c Compare January 28, 2026 22:37
@renovate renovate bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 1283a7c to 9f00f87 Compare January 30, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

req. go version bump

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@theodorsm @philipch07