
Conversation

@dominikholler
Contributor

@dominikholler dominikholler commented Jul 7, 2025

This PR contains the following updates:

Package            Change
golang.org/x/net   v0.36.0 -> v0.38.0

Release note

Update dependency golang.org/x/net to v0.38.0

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc. contexts).

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc. contexts).

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@kvrenovatebot
Contributor

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package               Change
golang.org/x/crypto   v0.35.0 -> v0.36.0
golang.org/x/sync     v0.11.0 -> v0.12.0
golang.org/x/sys      v0.30.0 -> v0.31.0
golang.org/x/term     v0.29.0 -> v0.30.0
golang.org/x/text     v0.22.0 -> v0.23.0

File name: staging/src/kubevirt.io/api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package               Change
golang.org/x/text     v0.22.0 -> v0.23.0

File name: staging/src/kubevirt.io/client-go/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package               Change
golang.org/x/sys      v0.30.0 -> v0.31.0
golang.org/x/term     v0.29.0 -> v0.30.0
golang.org/x/text     v0.22.0 -> v0.23.0
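The advisory above names v0.38.0 as the first golang.org/x/net release carrying the fix, and Renovate touched three separate go.mod files in this repository. The following is an added example, not code from this PR, from Renovate or from KubeVirt: a small standard-library-only Go program that parses go.mod text and reports any required module still below its fixed version. The module path example.com/app and the go.mod excerpts are constructed placeholders shaped like the root go.mod before and after this bump; the only fixed-version entry is the x/net floor stated in the advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions maps a module path to the lowest version carrying the fix;
// the single entry is the floor stated in the advisory on this PR.
var fixedVersions = map[string]string{"golang.org/x/net": "v0.38.0"}

// semverKey turns "vMAJOR.MINOR.PATCH" into one comparable integer
// (major*1e6 + minor*1e3 + patch, each part bounded below 1000). A "-" or
// "+" suffix is dropped, so the pseudo-version v0.37.1-0.2025... ranks as
// v0.37.1. ok is false for anything that does not fit that shape.
func semverKey(v string) (key int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return 0, false
	}
	for _, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// requiredVersions extracts module -> version from go.mod text, handling
// single-line "require m v" and "require ( ... )" blocks; comments such as
// "// indirect" are ignored.
func requiredVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// Finding is one module that is still below its fixed version.
type Finding struct{ File, Module, Have, Need string }

// checkGoMod returns the modules in one go.mod that still need a bump. A
// version it cannot parse is reported too, so it gets a human look rather
// than silently passing.
func checkGoMod(file, goMod string) []Finding {
	var findings []Finding
	required := requiredVersions(goMod)
	for mod, need := range fixedVersions {
		have, present := required[mod]
		if !present {
			continue // this file does not require the module at all
		}
		h, okH := semverKey(have)
		n, okN := semverKey(need)
		if !okH || !okN || h < n {
			findings = append(findings, Finding{file, mod, have, need})
		}
	}
	return findings
}

// Constructed go.mod excerpts (placeholders, not the repository's real files),
// shaped like the root go.mod before and after this PR.
const rootGoModBefore = `module example.com/app

require (
	golang.org/x/crypto v0.35.0
	golang.org/x/net v0.36.0
	golang.org/x/text v0.22.0 // indirect
)
`

const rootGoModAfter = `module example.com/app

require (
	golang.org/x/crypto v0.36.0
	golang.org/x/net v0.38.0
	golang.org/x/text v0.23.0 // indirect
)
`

func main() {
	for name, content := range map[string]string{"before": rootGoModBefore, "after": rootGoModAfter} {
		fmt.Printf("go.mod (%s): %+v\n", name, checkGoMod("go.mod", content))
	}
}
```

Run it over each go.mod in a tree like this one (root, staging/src/kubevirt.io/api, staging/src/kubevirt.io/client-go) to confirm no file was left at the old version after the bump. The authoritative check remains govulncheck, which matches the Go vulnerability database entry GO-2025-3595 against the symbols the build actually reaches; this version floor is the quick cross-file sanity check that complements it.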

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/XXL labels Jul 7, 2025
@kubevirt-bot kubevirt-bot requested review from enp0s3 and mhenriks July 7, 2025 19:31
@kubevirt-bot kubevirt-bot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Jul 7, 2025
@dominikholler
Contributor Author

/retest-required

Member

@xpivarc xpivarc left a comment

/approve

@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xpivarc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2025
@jcanocan
Contributor

jcanocan commented Jul 9, 2025

/lgtm

@kubevirt-bot kubevirt-bot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 9, 2025
@dominikholler dominikholler force-pushed the renovate/release-1.6-go-golang.org-x-net-vulnerability branch from 3dfd223 to c121484 Compare July 9, 2025 13:22
@kubevirt-bot kubevirt-bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 9, 2025
@jcanocan
Contributor

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2025
@dominikholler
Contributor Author

/retest-required

@kubevirt-commenter-bot

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@dominikholler
Contributor Author

/retest-required

@kubevirt-commenter-bot

✋🧢

/hold

Dear @dominikholler

⚠️ this pull request exceeds the number of retests that are allowed per individual commit.

🔎 Please check that the changes you committed are fine and that there are no infrastructure issues present!

Details

Checklist:

💬 How we calculate the number of retests: The number of retests is the number of /test or /retest comments after the latest commit only.

👌 After all issues have been resolved, you can remove the hold on this pull request by commenting /unhold on it.

🙇 Thank you, your friendly referee automation, on behalf of the @sig-buildsystem and the KubeVirt community!

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 10, 2025
@dominikholler
Contributor Author

/unhold

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2025
@dominikholler
Contributor Author

/retest-required

@kubevirt-commenter-bot

✋🧢

/hold

Dear @dominikholler

⚠️ this pull request exceeds the number of retests that are allowed per individual commit.

🔎 Please check that the changes you committed are fine and that there are no infrastructure issues present!

Details

Checklist:

💬 How we calculate the number of retests: The number of retests is the number of /test or /retest comments after the latest commit only.

👌 After all issues have been resolved, you can remove the hold on this pull request by commenting /unhold on it.

🙇 Thank you, your friendly referee automation, on behalf of the @sig-buildsystem and the KubeVirt community!

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2025
@dominikholler
Contributor Author

/unhold

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2025
@dominikholler
Contributor Author

/retest-required

@kubevirt-commenter-bot

✋🧢

/hold

Dear @dominikholler

⚠️ this pull request exceeds the number of retests that are allowed per individual commit.

🔎 Please check that the changes you committed are fine and that there are no infrastructure issues present!

Details

Checklist:

💬 How we calculate the number of retests: The number of retests is the number of /test or /retest comments after the latest commit only.

👌 After all issues have been resolved, you can remove the hold on this pull request by commenting /unhold on it.

🙇 Thank you, your friendly referee automation, on behalf of the @sig-buildsystem and the KubeVirt community!

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2025
@dominikholler
Contributor Author

/unhold

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2025
@kubevirt-bot kubevirt-bot merged commit e4cdd5a into kubevirt:release-1.6 Jul 11, 2025
39 checks passed
@dominikholler dominikholler deleted the renovate/release-1.6-go-golang.org-x-net-vulnerability branch July 11, 2025 13:15
6 participants