OCPBUGS-96835: Bump golang.org/x/net to v0.55.0 #10672
This PR addresses CVE-2026-27136 (golang.org/x/net/html XSS vulnerability via duplicate HTML attribute mishandling) by updating golang.org/x/net from v0.49.0 to v0.55.0. The installer is an OpenShift-only component with no upstream equivalent. Analysis confirmed that the component does not import or use golang.org/x/net/html parser functions, so the risk is LOW (transitive dependency only). Update is applied for compliance with security scanning requirements.
Related: OCPBUGS-96835
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
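As an added example (not code from this PR or the installer), a Go check of the two claims in the description: that go.mod now pins golang.org/x/net at or above the fixed v0.55.0, and that the vulnerable package golang.org/x/net/html is absent from the module's dependency graph. The go.mod text and the `go list -deps` output are constructed samples, v0.55.0 as the fixed version is taken from the PR, and the function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed inputs (not the installer's real files): the go.mod require block
// after the bump, and `go list -deps -f '{{.ImportPath}}' ./...` output.
const sampleGoMod = "module example.com/installer\n\nrequire (\n\tgolang.org/x/net v0.55.0 // indirect\n\tgolang.org/x/sys v0.30.0\n)\n"
const sampleDeps = "example.com/installer/cmd\ngolang.org/x/net/http2\ngolang.org/x/net/idna\ngolang.org/x/sys/unix\n"

// RequiredVersion returns the version go.mod pins for module ("require mod vX.Y.Z" or a require-block line).
func RequiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// ImportsPackage reports whether pkg is a line of the dependency listing, i.e. reachable from this module.
func ImportsPackage(deps, pkg string) bool {
	return strings.Contains("\n"+deps+"\n", "\n"+pkg+"\n")
}

// numbers parses a plain "vX.Y.Z" tag; a trailing suffix such as -rc1 is ignored.
func numbers(v string) (n [3]int, ok bool) {
	c, err := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil && c == 3
}

// AtLeast reports whether have >= want; malformed input counts as not fixed.
func AtLeast(have, want string) bool {
	h, okH := numbers(have)
	w, okW := numbers(want)
	for i := 0; okH && okW && i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return okH && okW
}

func main() {
	v := RequiredVersion(sampleGoMod, "golang.org/x/net")
	fmt.Printf("golang.org/x/net %s, fixed version present: %v, x/net/html in graph: %v\n",
		v, AtLeast(v, "v0.55.0"), ImportsPackage(sampleDeps, "golang.org/x/net/html"))
}
```

On a real checkout, feed the same functions the actual go.mod and the output of `go list -deps -f '{{.ImportPath}}' ./...` instead of the constructed samples.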
@jkaurredhat: This pull request references Jira Issue OCPBUGS-96835, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Walkthrough: This PR updates go.mod to bump several golang.org/x dependency versions, including crypto, sync, sys, term, text, mod, net, and tools, while oauth2 and time remain unchanged.
Changes: dependency version updates.
Estimated code review effort: 1 (Trivial), ~5 minutes.
Related issues: None specified.
Related PRs: None specified.
Suggested labels: dependencies, go.
Suggested reviewers: None specified.
Poem: A rabbit hops through go.mod's field,
Pre-merge checks: 15 passed.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@jkaurredhat: The following test failed, say
Summary
This PR addresses CVE-2026-27136 by updating golang.org/x/net from v0.49.0 to v0.55.0, which includes a fix for an XSS vulnerability in the HTML parser.
CVE Details
CVE-2026-27136: Cross-Site Scripting via HTML parsing bypass in golang.org/x/net/html
html.Parse(), html.ParseFragment()