Skip to content

build(deps): bump golang.org/x/net to v0.55.0#1308

Merged
rdimitrov merged 1 commit into
modelcontextprotocol:mainfrom
rdimitrov:bump-x-net-v0.55.0
May 25, 2026
Merged

build(deps): bump golang.org/x/net to v0.55.0#1308
rdimitrov merged 1 commit into
modelcontextprotocol:mainfrom
rdimitrov:bump-x-net-v0.55.0

Conversation

@rdimitrov
Copy link
Copy Markdown
Member

@rdimitrov rdimitrov commented May 25, 2026

Summary

  • Bumps golang.org/x/net from v0.53.0 to v0.55.0 to fix GO-2026-5026 (failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna).
  • govulncheck flagged the vuln via auth.DefaultHTTPKeyFetcher.FetchKeyhttp.Client.Doidna.ToASCII at internal/api/handlers/v0/auth/http.go:191.
  • Also brings in associated x/crypto, x/sys, x/text bumps via go mod tidy.

This unblocks open dependabot PRs (e.g. #1298) that are failing CI on the same govulncheck finding despite not touching the root module.

Test plan

  • go build ./...
  • govulncheck no longer reports GO-2026-5026 locally
  • CI passes

🤖 Generated with Claude Code

@rdimitrov @claude
build(deps): bump golang.org/x/net to v0.55.0
8e71df5 
Fixes govulncheck failure for GO-2026-5026 (failure to reject ASCII-only
Punycode-encoded labels in golang.org/x/net/idna). The vulnerable call
path is reached from auth.DefaultHTTPKeyFetcher.FetchKey via
http.Client.Do -> idna.ToASCII.

Also pulls in associated x/crypto, x/sys, x/text bumps via go mod tidy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rdimitrov rdimitrov merged commit 66cc039 into modelcontextprotocol:main May 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rdimitrov