Skip to content

chore(deps): bump golang.org/x/crypto to v0.52.0#672

Merged
kparkinson-ld merged 1 commit into
mainfrom
devin/1783638992-bump-x-crypto-0.52.0
Jul 10, 2026
Merged

chore(deps): bump golang.org/x/crypto to v0.52.0#672
kparkinson-ld merged 1 commit into
mainfrom
devin/1783638992-bump-x-crypto-0.52.0

Conversation

@kparkinson-ld

@kparkinson-ld kparkinson-ld commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Remediates 21 critical Dependabot alerts (the recent SSH/x/crypto CVE cluster, patched in 0.52.0) across the three Go modules that carry the vulnerable golang.org/x/crypto (all indirect):

e2e/go-plugin/go.mod:    golang.org/x/crypto v0.49.0 → v0.52.0
e2e/go/go.mod:           golang.org/x/crypto v0.49.0 → v0.52.0
sdk/highlight-go/go.mod: golang.org/x/crypto v0.49.0 → v0.52.0

go mod tidy also carried the required transitive bumps (x/net 0.52→0.54, x/sys 0.42→0.45, x/text 0.35→0.37). The go directive stays at 1.25.0 in every module (0.52.0 needs Go ≥1.25, already satisfied) — no toolchain cascade. Manifest/lockfile changes only, no source changes.

No existing PR fully covered this — the closest (Dependabot #667) only reached x/crypto 0.51.0, which does not satisfy the advisory (needs ≥0.52.0).

How did you test this change?

Per module: go build ./... and go vet ./... pass for e2e/go-plugin and sdk/highlight-go. In e2e/go, the individual example apps compile; go build ./... reports a pre-existing main redeclared (echo.go/fiber.go share a package), which exists on main and is unrelated to this bump.

Are there any deployment considerations?

No. Dependency/lockfile bumps only; no migrations or data changes.

Link to Devin session: https://app.devin.ai/sessions/80cb21c20f43409c867eef56680a601b
Requested by: @kparkinson-ld


Note

Low Risk
Lockfile-only dependency bumps with no runtime code changes; risk is limited to transitive crypto/network library behavior in e2e and SDK builds.

Overview
Bumps indirect golang.org/x/crypto from v0.49.0 to v0.52.0 in e2e/go-plugin, e2e/go, and sdk/highlight-go, with matching go.sum updates, to address Dependabot/CVE advisories that require ≥0.52.0.

go mod tidy also refreshes related transitive pins: golang.org/x/net (0.52→0.54), x/sys (0.42→0.45), and x/text (0.35→0.37). No application source changes—only module manifests and lockfiles.

Reviewed by Cursor Bugbot for commit 5ff9d98. Bugbot is set up for automated code reviews on this repo. Configure here.

@kparkinson-ld kparkinson-ld requested a review from a team as a code owner July 9, 2026 23:18
@kparkinson-ld kparkinson-ld self-assigned this Jul 9, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@kparkinson-ld kparkinson-ld merged commit a8cb43d into main Jul 10, 2026
30 checks passed
@kparkinson-ld kparkinson-ld deleted the devin/1783638992-bump-x-crypto-0.52.0 branch July 10, 2026 01:43
abelonogov-ld added a commit that referenced this pull request Jul 16, 2026
* main:
  chore: release main (#675)
  fix(flutter): remove conflicting ios-client-sdk pin in SPM manifest (#674)
  chore(deps): remediate critical dependency alerts (#673)
  chore(deps): bump golang.org/x/crypto to v0.52.0 (#672)
  fix: stabilize flaky Next.js server instrumentation test (#671)
  chore: release main (#669)
  feat: add app_reload event with session preservation across reloads (React Native) (#670)
  fix: use secure RNG for React Native session ids (#668)
  ci: skip Build Yarn Turborepo job for non-yarn SDK-only changes (#665)

# Conflicts:
#	sdk/@launchdarkly/flutter/packages/observability/ios/launchdarkly_flutter_observability.podspec
#	sdk/@launchdarkly/flutter/packages/observability/ios/launchdarkly_flutter_observability/Package.swift
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants