k6 v2.0.0 ships with golang.org/x/net@v0.53.0, which is vulnerable to CVE-2026-39821 (CWE-287, Improper Authentication, CVSS 9.3 Critical). The fix is available in v0.54.0 or higher.
Could you bump the dependency or take a look at the fix PR below?
Fix PR:
#6039
k6 v2.0.0 ships with golang.org/x/net@v0.53.0, which is vulnerable to CVE-2026-39821 (CWE-287, Improper Authentication, CVSS 9.3 Critical). The fix is available in v0.54.0 or higher.
Could you bump the dependency or take a look at the fix PR below?
Fix PR:
#6039