NethermindEth · brbrr · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -60,7 +60,7 @@ linters:
         - octalLiteral
         - whyNoLint
         - unnamedResult
-        # note(rdr): when lib is called x and then you do x = x.New(). Widely used in the repo. 
+        # note(rdr): when lib is called x and then you do x = x.New(). Widely used in the repo.
         #            Should we change it?
         - importShadow
       enabled-tags:
@@ -74,6 +74,10 @@ linters:
     gosec:
       excludes:
         - G115 #TODO: remove after fixing https://github.com/securego/gosec/issues/1212
+        # - G602 # false positive on validated slice bounds
+        # - G703 # false positive on controlled test paths
+        # - G704 # false positive on URLs from trusted config
+        # - G705 # false positive on already-escaped output
     govet:
       enable:
         - nilness
@@ -135,9 +139,13 @@ linters:
       - linters:
           - exhaustruct
         path-except: adapters/.+\.go
+      - linters:
+          - staticcheck
+        path: vm/state\.go
+        text: ST1003
       - linters:
           - lll
-        source: '^//go:generate '
+        source: "^//go:generate "
 formatters:
   enable:
     - gci

diff --git a/clients/feeder/timeouts.go b/clients/feeder/timeouts.go
@@ -6,6 +6,7 @@
 
 import (
 	"fmt"
+	"html"
 	"math"
 	"net/http"
 	"strings"
@@ -174,7 +175,7 @@
 			return
 		}
 		client.WithTimeouts(newTimeouts, fixed)
-		fmt.Fprintf(w, "Replaced timeouts with '%s' successfully\n", timeoutsStr)
+		fmt.Fprintf(w, "Replaced timeouts with '%s' successfully\n", html.EscapeString(timeoutsStr))
 	default:
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 	}