chore(deps): bump x/net 0.54.0 -> 0.55.0 and x/crypto 0.51.0 -> 0.52.0 (govulncheck fix)#4496

Merged
ValClarkson merged 1 commit into
CrunchyData:mainfrom
ValClarkson:fix/govulncheck-xnet-0.55-xcrypto-0.52
May 22, 2026

Conversation

@ValClarkson
Contributor

Summary

Fixes the govulncheck workflow, which is currently red on main and on every PR (including the otherwise-green #4495 that I just opened). The blocking finding is a single Symbol-level vulnerability in our test helpers that triggers an exit-code-3 from govulncheck.

Vulnerability #1: GO-2026-5026
    Invoking failure to reject ASCII-only Punycode-encoded labels in
    golang.org/x/net/idna
    Module: golang.org/x/net
    Found in: golang.org/x/net@v0.54.0
    Fixed in: golang.org/x/net@v0.55.0
    Example traces found:
      #1: internal/testing/require/kubernetes.go:93:37:
          require.KubernetesAtLeast calls
          discovery.DiscoveryClient.ServerVersion, which eventually
          calls idna.ToASCII

Source: https://github.com/CrunchyData/postgres-operator/actions/runs/26296222805/job/77409431501#step:5:180

The same scan additionally reports 18 module-level (uncalled) vulnerabilities, which this bump clears as a side-effect:

  • 5 more golang.org/x/net/html vulns (GO-2026-5025 / 5027 / 5028 / 5029 / 5030) — also fixed in x/net v0.55.0
  • 13 golang.org/x/crypto/ssh* vulns (GO-2026-5005 / 5006 / 5013 / 5014 / 5015 / 5016 / 5017 / 5018 / 5019 / 5020 / 5021 / 5023 / 5033) — fixed in x/crypto v0.52.0

Changes

  • golang.org/x/net v0.54.0 -> v0.55.0
  • golang.org/x/crypto v0.51.0 -> v0.52.0
  • golang.org/x/sys v0.44.0 -> v0.45.0 (pulled in transitively by go mod tidy)

No other modules moved. Diff is 6 lines in go.mod and 12 lines in go.sum.

Compatibility

All k8s.io/* and controller-runtime modules we depend on accept x/net >= v0.49.0, so this is well within range:

  • k8s.io/api@v0.36.1, apimachinery@v0.36.1, client-go@v0.36.1 — require x/net >= v0.49.0
  • sigs.k8s.io/controller-runtime@v0.24.1 — requires x/net >= v0.49.0

Both bumps are minor patch releases on the golang.org/x/* track, no API changes.

Local verification

  • go mod tidy produced only the three lines listed above
  • go build ./cmd/postgres-operator succeeds

Test plan

  • govulncheck job goes green
  • go-test, golangci-lint, kubernetes-api, kubernetes-k3d, e2e-k3d-chainsaw, e2e-k3d-kuttl jobs stay green
  • Trivy vulnerabilities job still green

Follow-up

The same patch should be back-ported to REL_5_8, which is on the identical vulnerable versions (x/net v0.54.0, x/crypto v0.51.0).

Refs

Made with Cursor
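What the blocking finding is about, as an added illustration (not the PR's code and not x/net's own check): RFC 5890 defines a U-label as containing at least one non-ASCII code point, so an "xn--" label whose Punycode payload decodes to pure ASCII is not a valid A-label and a conformant idna.ToASCII must reject it. RFC 3492 decoding only ever inserts code points >= 128, so the decoded label is ASCII-only exactly when nothing follows the payload's last "-", which lets a hostname validator apply the rule without a Punycode decoder; CheckHostname and checkLabel below are hypothetical helpers written for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckHostname validates each DNS label of host and returns an error for the first
// label that fails, including any "xn--" label that decodes to ASCII only (hypothetical helper).
func CheckHostname(host string) error {
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if err := checkLabel(label); err != nil {
			return fmt.Errorf("%q: %w", host, err)
		}
	}
	return nil
}

func checkLabel(label string) error {
	if n := len(label); n == 0 || n > 63 {
		return fmt.Errorf("label %q has invalid length %d", label, n)
	}
	for i := 0; i < len(label); i++ {
		c := label[i]
		if !(c == '-' || c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z') {
			return fmt.Errorf("label %q contains non-LDH byte %q", label, c)
		}
	}
	if !strings.HasPrefix(strings.ToLower(label), "xn--") {
		return nil // plain ASCII label, nothing to decode
	}
	// RFC 3492 decoding starts at n=128 and never decreases n, so the extended part
	// (after the payload's last '-') inserts non-ASCII code points only. An empty
	// extended part therefore means the decoded label is pure ASCII, which RFC 5890
	// forbids for an A-label (equivalently: the label ends in '-').
	payload := label[4:]
	if ext := payload[strings.LastIndexByte(payload, '-')+1:]; ext == "" {
		return fmt.Errorf("label %q decodes to ASCII only (payload %q)", label, payload)
	}
	return nil
}

func main() {
	// Constructed inputs: a real A-label (bücher), the Russian TLD, and two
	// ASCII-only encodings that a conformant idna.ToASCII must reject.
	for _, h := range []string{"xn--bcher-kva.example", "xn--p1ai", "xn--abc-.example", "xn--.example"} {
		fmt.Printf("%-22s -> %v\n", h, CheckHostname(h))
	}
}
```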

Fixes the govulncheck failure that is currently red on main and on every
PR. The blocking finding is a Symbol-level vulnerability in our test
helpers:

  Vulnerability #1: GO-2026-5026
    Invoking failure to reject ASCII-only Punycode-encoded labels in
    golang.org/x/net/idna
    Module: golang.org/x/net
    Found in: golang.org/x/net@v0.54.0
    Fixed in: golang.org/x/net@v0.55.0
    Example traces found:
      #1: internal/testing/require/kubernetes.go:93:37:
          require.KubernetesAtLeast calls
          discovery.DiscoveryClient.ServerVersion, which eventually
          calls idna.ToASCII

The same scan also reports 18 module-level (uncalled) vulnerabilities,
which this bump clears as a side-effect:

  * 5 more golang.org/x/net/html vulns:
      GO-2026-5025/5027/5028/5029/5030  (fixed in x/net v0.55.0)
  * 13 golang.org/x/crypto/ssh* vulns:
      GO-2026-5005/5006/5013/5014/5015/5016/5017/5018/5019/5020/
      GO-2026-5021/5023/5033                (fixed in x/crypto v0.52.0)

Compatibility check:
  * k8s.io/api, k8s.io/apimachinery, k8s.io/client-go @ v0.36.1
    each require x/net >= v0.49.0   (we go to v0.55.0)
  * sigs.k8s.io/controller-runtime  @ v0.24.1
    requires x/net >= v0.49.0       (we go to v0.55.0)

Both bumps are minor patch releases on the golang.org/x/* track, with
no breaking changes. 'go mod tidy' additionally bumped x/sys
v0.44.0 -> v0.45.0 to satisfy the new x/crypto/x/net requirement.

This patch should also be back-ported to REL_5_8, which is on the same
vulnerable versions.

Refs: https://pkg.go.dev/vuln/GO-2026-5026
  https://pkg.go.dev/vuln/GO-2026-5005
  https://pkg.go.dev/vuln/GO-2026-5023
Co-authored-by: Cursor <cursoragent@cursor.com>
ValClarkson added a commit that referenced this pull request May 22, 2026
Backport of the same fix opened against main in #4496.

Fixes the govulncheck failure that is currently red on REL_5_8. The
blocking finding is a Symbol-level vulnerability in our test helpers:

  Vulnerability #1: GO-2026-5026
    Invoking failure to reject ASCII-only Punycode-encoded labels in
    golang.org/x/net/idna
    Module: golang.org/x/net
    Found in: golang.org/x/net@v0.54.0
    Fixed in: golang.org/x/net@v0.55.0
    Example traces found:
      #1: internal/testing/require/kubernetes.go:
          require.KubernetesAtLeast calls
          discovery.DiscoveryClient.ServerVersion, which eventually
          calls idna.ToASCII

The same scan also reports 18 module-level (uncalled) vulnerabilities,
which this bump clears as a side-effect:

  * 5 more golang.org/x/net/html vulns:
      GO-2026-5025/5027/5028/5029/5030  (fixed in x/net v0.55.0)
  * 13 golang.org/x/crypto/ssh* vulns:
      GO-2026-5005/5006/5013/5014/5015/5016/5017/5018/5019/5020/
      GO-2026-5021/5023/5033                (fixed in x/crypto v0.52.0)

Compatibility check:
  * k8s.io/api, k8s.io/apimachinery, k8s.io/client-go @ v0.36.1
    each require x/net >= v0.49.0   (we go to v0.55.0)
  * sigs.k8s.io/controller-runtime  @ v0.24.1
    requires x/net >= v0.49.0       (we go to v0.55.0)

Both bumps are minor patch releases on the golang.org/x/* track, with
no breaking changes. 'go mod tidy' additionally bumped x/sys
v0.44.0 -> v0.45.0 to satisfy the new x/crypto/x/net requirement.

Refs: https://pkg.go.dev/vuln/GO-2026-5026
  https://pkg.go.dev/vuln/GO-2026-5005
  https://pkg.go.dev/vuln/GO-2026-5023
Co-authored-by: Cursor <cursoragent@cursor.com>
@ValClarkson ValClarkson merged commit f0ce347 into CrunchyData:main May 22, 2026
18 of 21 checks passed