Skip to content

chore(deps): bump golang.org/x/crypto from 0.33.0 to 0.45.0 in /studio#79

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/studio/golang.org/x/crypto-0.45.0
Closed

chore(deps): bump golang.org/x/crypto from 0.33.0 to 0.45.0 in /studio#79
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/studio/golang.org/x/crypto-0.45.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps golang.org/x/crypto from 0.33.0 to 0.45.0.

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies go Pull requests that update go code labels Apr 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 27, 2026 04:21
@dependabot dependabot Bot added dependencies go Pull requests that update go code labels Apr 27, 2026
github-actions[bot]
github-actions Bot previously approved these changes Apr 27, 2026
View reviewed changes
@github-actions github-actions Bot added this pull request to the merge queue Apr 29, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Apr 29, 2026
@github-actions github-actions Bot added this pull request to the merge queue Apr 30, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Apr 30, 2026
@github-actions github-actions Bot added this pull request to the merge queue May 1, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks May 1, 2026
@github-actions github-actions Bot added this pull request to the merge queue May 2, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks May 2, 2026
@dependabot
chore(deps): bump golang.org/x/crypto from 0.33.0 to 0.45.0 in /studio
c808881 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.33.0 to 0.45.0.
- [Commits](golang/crypto@v0.33.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/studio/golang.org/x/crypto-0.45.0 branch from 587945b to c808881 Compare May 2, 2026 23:26
@pbertsch pbertsch mentioned this pull request May 2, 2026
Merged
5 tasks
pbertsch added a commit that referenced this pull request May 2, 2026
@pbertsch
chore(deps): bump vulnerable dependencies (8 GHSAs) (#88)
d5d3039 
Resolves all 8 open Dependabot security alerts in one shot.

Go (studio/go.mod):
  golang.org/x/crypto: 0.33.0 → 0.45.0
    - GHSA-#17 (high): DoS via slow/incomplete key exchange
    - GHSA-#19 (med):  unbounded memory consumption
    - GHSA-#20 (med):  panic on malformed message
  golang.org/x/net:    0.35.0 → 0.47.0  (0.45.0 of crypto requires net 0.47.0)
    - GHSA-#16 (med):  HTTP Proxy bypass via IPv6 zone IDs
    - GHSA-#18 (med):  XSS

npm (studio/frontend):
  vite: ^5.4.0 → ^8.0.10
    - GHSA-#15 (med): path traversal in optimized deps .map handling
    - Pulls esbuild ^0.25 transitively, which also clears GHSA-#14

npm (vscode):
  @vscode/vsce: ^2.24.0 → ^3.9.0
    - vsce 3.x dropped its uuid dependency entirely, clearing GHSA-#12
      (uuid <14 missing buffer bounds check) without forcing a uuid
      override on every consumer.

All builds + tests pass: go build, go test, vscode tsc compile, vite
build (Studio frontend). Closes Dependabot PRs #78, #79, #80, #81 (this
covers their scope cleanly in one PR).
@pbertsch
Copy link
Copy Markdown
Contributor

pbertsch commented May 2, 2026

Superseded by #88 which bundles all 8 vulnerable-dep bumps into one chore PR (with a higher golang.org/x/net pin to satisfy crypto 0.45's transitive constraint, and vite ^8 to clear the path-traversal alert that ^6 didn't reach).

@pbertsch pbertsch closed this May 2, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/go_modules/studio/golang.org/x/crypto-0.45.0 branch May 2, 2026 23:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pbertsch