Skip to content

chore(deps): bump golang.org/x/net from 0.35.0 to 0.38.0 in /studio#78

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/studio/golang.org/x/net-0.38.0
Closed

chore(deps): bump golang.org/x/net from 0.35.0 to 0.38.0 in /studio#78
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/studio/golang.org/x/net-0.38.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps golang.org/x/net from 0.35.0 to 0.38.0.

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • 99b3ae0 go.mod: update golang.org/x dependencies
  • 85d1d54 go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies go Pull requests that update go code labels Apr 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 27, 2026 04:21
github-actions[bot]
github-actions Bot previously approved these changes Apr 27, 2026
View reviewed changes
@github-actions github-actions Bot added this pull request to the merge queue Apr 29, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch Apr 29, 2026
@github-actions github-actions Bot added this pull request to the merge queue Apr 30, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch Apr 30, 2026
@github-actions github-actions Bot added this pull request to the merge queue May 1, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch May 1, 2026
@github-actions github-actions Bot added this pull request to the merge queue May 2, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch May 2, 2026
@dependabot
chore(deps): bump golang.org/x/net from 0.35.0 to 0.38.0 in /studio
94382fb 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.35.0 to 0.38.0.
- [Commits](golang/net@v0.35.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/studio/golang.org/x/net-0.38.0 branch from 9aaeee7 to 94382fb Compare May 2, 2026 23:26
@pbertsch pbertsch mentioned this pull request May 2, 2026
Merged
5 tasks
pbertsch added a commit that referenced this pull request May 2, 2026
@pbertsch
chore(deps): bump vulnerable dependencies (8 GHSAs) (#88)
d5d3039 
Resolves all 8 open Dependabot security alerts in one shot.

Go (studio/go.mod):
  golang.org/x/crypto: 0.33.0 → 0.45.0
    - GHSA-#17 (high): DoS via slow/incomplete key exchange
    - GHSA-#19 (med):  unbounded memory consumption
    - GHSA-#20 (med):  panic on malformed message
  golang.org/x/net:    0.35.0 → 0.47.0  (0.45.0 of crypto requires net 0.47.0)
    - GHSA-#16 (med):  HTTP Proxy bypass via IPv6 zone IDs
    - GHSA-#18 (med):  XSS

npm (studio/frontend):
  vite: ^5.4.0 → ^8.0.10
    - GHSA-#15 (med): path traversal in optimized deps .map handling
    - Pulls esbuild ^0.25 transitively, which also clears GHSA-#14

npm (vscode):
  @vscode/vsce: ^2.24.0 → ^3.9.0
    - vsce 3.x dropped its uuid dependency entirely, clearing GHSA-#12
      (uuid <14 missing buffer bounds check) without forcing a uuid
      override on every consumer.

All builds + tests pass: go build, go test, vscode tsc compile, vite
build (Studio frontend). Closes Dependabot PRs #78, #79, #80, #81 (this
covers their scope cleanly in one PR).
@pbertsch
Copy link
Copy Markdown
Contributor

pbertsch commented May 2, 2026

Superseded by #88 which bundles all 8 vulnerable-dep bumps into one chore PR (with a higher golang.org/x/net pin to satisfy crypto 0.45's transitive constraint, and vite ^8 to clear the path-traversal alert that ^6 didn't reach).

@pbertsch pbertsch closed this May 2, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/go_modules/studio/golang.org/x/net-0.38.0 branch May 2, 2026 23:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pbertsch