chore(deps): update module golang.org/x/net to v0.45.0 [security] (release-0.32)

[redhat-renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
golang.org/x/net	indirect	minor	v0.33.0 -> v0.45.0

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• https://go-review.googlesource.com/q/project:net
• https://go.dev/cl/654697
• https://go.dev/issue/71984
• https://pkg.go.dev/vuln/GO-2025-3503
• https://security.netapp.com/advisory/ntap-20250509-0007
• http://www.openwall.com/lists/oss-security/2025/03/07/2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

• https://go.dev/cl/654697
• https://go.dev/issue/71984

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22872
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
• https://pkg.go.dev/vuln/GO-2025-3595
• https://security.netapp.com/advisory/ntap-20250516-0007

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Quadratic parsing complexity in golang.org/x/net/html

CVE-2025-47911 / GHSA-w4gw-w5jq-g9jh / GO-2026-4440

More information

Details

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

• https://go.dev/cl/709876
• https://github.com/golang/vulndb/issues/4440
• https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Infinite parsing loop in golang.org/x/net

CVE-2025-58190 / GO-2026-4441

More information

Details

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Severity

Unknown

References

• https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
• https://github.com/golang/vulndb/issues/4441
• https://go.dev/cl/709875

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[redhat-renovate-bot]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
golang.org/x/crypto	v0.31.0 -> v0.42.0
golang.org/x/sys	v0.28.0 -> v0.36.0
golang.org/x/term	v0.27.0 -> v0.35.0
golang.org/x/text	v0.21.0 -> v0.29.0
go	1.18 -> 1.24.0

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign phoracek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-bot]

@redhat-renovate-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-e2e-ovs-cni	06d5296	link	true	/test pull-e2e-ovs-cni-0.32

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant upgrade of core golang.org/x modules, primarily golang.org/x/net, to incorporate critical security patches and leverage newer Go language features. It also includes substantial internal refactoring of HTTP/2 components for better maintainability and performance, alongside improvements to HTML parsing robustness. Furthermore, system-level interactions are enhanced with new syscall bindings and updated constants for broader platform compatibility and functionality.

Highlights

• Dependency Updates: Updated golang.org/x/net to v0.45.0, along with golang.org/x/crypto, golang.org/x/sys, golang.org/x/term, and golang.org/x/text to their latest versions.
• Security Fixes: Addressed multiple security vulnerabilities in golang.org/x/net, including HTTP proxy bypass (CVE-2025-22870), cross-site scripting (CVE-2025-22872), quadratic parsing complexity (CVE-2025-47911), and infinite parsing loops (CVE-2025-58190).
• Go Version Upgrade: The minimum Go language version required has been updated to 1.24.0.
• HTTP/2 Refactoring: Refactored HTTP/2 server and client implementations to remove custom timer and synchronization abstractions, directly utilizing standard time package functions and introducing a new internal httpcommon package for shared logic.
• HTML Parsing Improvements: Enhanced HTML parsing logic in golang.org/x/net/html to improve error handling, prevent excessive element nesting, and correctly interpret self-closing tags with unquoted attributes.
• System Call Enhancements: Introduced new system call wrappers for readv, preadv, writev, pwritev on Darwin, Dup3 on Dragonfly, and Auxv for ELF auxiliary vector access on Linux, along with various constant updates across different Unix-like systems.
• Terminal Interaction Updates: The golang.org/x/term package now includes a History interface for managing command history and refined input handling during password entry and paste operations.

Changelog

• go.mod
  • Updated golang.org/x/crypto to v0.42.0.
  • Updated golang.org/x/net to v0.45.0.
  • Updated golang.org/x/sys to v0.36.0.
  • Updated golang.org/x/term to v0.35.0.
  • Updated golang.org/x/text to v0.29.0.
  • Upgraded Go language version to 1.24.0.
• go.sum
  • Updated cryptographic checksums for various Go modules to reflect dependency changes.
• vendor/golang.org/x/net/context/context.go
  • Updated comments and type definitions to align with standard library context types.
• vendor/golang.org/x/net/context/go17.go
  • Removed file, as its functionality is now integrated or replaced by standard library context.
• vendor/golang.org/x/net/context/go19.go
  • Removed file, as its functionality is now integrated or replaced by standard library context.
• vendor/golang.org/x/net/context/pre_go17.go
  • Removed file, as its functionality is now integrated or replaced by standard library context.
• vendor/golang.org/x/net/context/pre_go19.go
  • Removed file, as its functionality is now integrated or replaced by standard library context.
• vendor/golang.org/x/net/html/atom/table.go
  • Updated HTML atom constants, reflecting changes in HTML parsing rules or new elements/attributes.
• vendor/golang.org/x/net/html/escape.go
  • Modified error message for unrecognized escape characters.
• vendor/golang.org/x/net/html/parse.go
  • Improved error messages for unknown scopes.
  • Added a panic for excessively deep HTML element stacks (512 limit).
  • Refined foreign content parsing logic to prevent infinite loops and incorrect self-closing tag interpretations.
• vendor/golang.org/x/net/html/render.go
  • Corrected a comment regarding newline handling.
• vendor/golang.org/x/net/html/token.go
  • Enhanced self-closing tag detection logic to correctly handle unquoted attribute values.
• vendor/golang.org/x/net/http2/config.go
  • Added StrictMaxConcurrentRequests field to http2Config.
  • Refactored configuration filling logic to use a new fillNetHTTPConfig function.
• vendor/golang.org/x/net/http2/config_go124.go
  • Removed file, as its functionality was merged into config.go and replaced by more granular Go version-specific files.
• vendor/golang.org/x/net/http2/config_go125.go
  • Added a new file to define http2ConfigStrictMaxConcurrentRequests for Go 1.25 and earlier.
• vendor/golang.org/x/net/http2/config_go126.go
  • Added a new file to define http2ConfigStrictMaxConcurrentRequests for Go 1.26 and later.
• vendor/golang.org/x/net/http2/config_pre_go124.go
  • Removed file, as its functionality was merged into config.go.
• vendor/golang.org/x/net/http2/frame.go
  • Refactored frame name and parser lookup from maps to arrays.
  • Added invalidHTTP1LookingFrameHeader helper.
  • Enhanced error messages for frame payload reading.
• vendor/golang.org/x/net/http2/gotrack.go
  • Added atomic boolean to disable goroutine debugging.
  • Removed inTests variable, simplifying test-related logic.
• vendor/golang.org/x/net/http2/headermap.go
  • Renamed to vendor/golang.org/x/net/internal/httpcommon/headermap.go.
  • Refactored header canonicalization and lowercasing logic.
• vendor/golang.org/x/net/http2/http2.go
  • Removed context import.
  • Updated comments.
  • Changed disableExtendedConnectProtocol default to true.
  • Removed synctestGroupInterface related fields and methods from bufferedWriter and Server structs.
• vendor/golang.org/x/net/http2/server.go
  • Removed synctestGroupInterface and timer abstractions, replacing them with direct time package calls.
  • Introduced a per-Server error channel pool.
  • Refactored request parameter handling to use httpcommon.ServerRequestParam.
• vendor/golang.org/x/net/http2/timer.go
  • Removed file, as direct time.Timer usage is now preferred.
• vendor/golang.org/x/net/http2/transport.go
  • Removed synctestGroupInterface and timer abstractions, replacing them with direct time package calls.
  • Introduced strictMaxConcurrentStreams field.
  • Added errClientConnForceClosed error.
  • Refactored request header encoding to use httpcommon package.
• vendor/golang.org/x/net/http2/write.go
  • Refactored header lowercasing to use httpcommon.LowerHeader.
• vendor/golang.org/x/net/http2/writesched.go
  • Added priority field to OpenStreamOptions.
• vendor/golang.org/x/net/http2/writesched_priority.go
  • Renamed to writesched_priority_rfc7540.go.
  • Updated internal types to reflect RFC 7540 specific priority scheduling.
• vendor/golang.org/x/net/http2/writesched_priority_rfc9128.go
  • Added a new file implementing RFC 9218 priority write scheduler.
• vendor/golang.org/x/net/http2/writesched_roundrobin.go
  • Corrected a comment typo from "priorizes" to "prioritizes".
• vendor/golang.org/x/net/internal/httpcommon/ascii.go
  • Added a new file containing ASCII-specific string utility functions.
• vendor/golang.org/x/net/internal/httpcommon/request.go
  • Added a new file containing shared HTTP request encoding and parsing logic for HTTP/2 and HTTP/3.
• vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go
  • Removed file, as its functionality was merged into pwd_plan9.go.
• vendor/golang.org/x/sys/plan9/pwd_plan9.go
  • Updated Getwd and Chdir to use syscall package directly.
• vendor/golang.org/x/sys/unix/affinity_linux.go
  • Replaced manual loop with clear function for CPUSet.Zero.
• vendor/golang.org/x/sys/unix/auxv.go
  • Added a new file to provide Auxv function for accessing ELF auxiliary vector on supported systems.
• vendor/golang.org/x/sys/unix/auxv_unsupported.go
  • Added a new file to provide a fallback Auxv function for unsupported systems.
• vendor/golang.org/x/sys/unix/mkerrors.sh
  • Updated script to include new ETHTOOL_FAMILY_NAME and ETHTOOL_FAMILY_VERSION defines.
• vendor/golang.org/x/sys/unix/syscall_darwin.go
  • Added Readv, Preadv, Writev, and Pwritev functions and associated race detection helpers for Darwin.
• vendor/golang.org/x/sys/unix/syscall_dragonfly.go
  • Added Dup3 function.
• vendor/golang.org/x/sys/unix/syscall_linux.go
  • Updated loops to use range for various Sockaddr types and anyToSockaddr.
  • Replaced manual min with built-in min function.
• vendor/golang.org/x/sys/unix/syscall_solaris.go
  • Corrected Listen syscall binding.
  • Added Ucred related functions for Solaris.
• vendor/golang.org/x/sys/unix/zerrors_linux.go
  • Updated various Linux constants, including AUDIT, BPF, DM_VERSION_EXTRA, ETHTOOL, FAN, FSCRYPT, F_CREATED_QUERY, F_DUPFD_QUERY, IPPROTO_SMC, IPV6, LANDLOCK, MAP_DROPPABLE, MSG_SOCK_DEVMEM, NFC_ATS_MAXSIZE, NFT_BITWISE_BOOL, PR_FUTEX_HASH, PR_SHADOW_STACK, PR_TIMER_CREATE_RESTORE_IDS, PTRACE_SET_SYSCALL_INFO, RTA_MAX, RTM_DELANYCAST, RTM_DELMULTICAST, RTM_NEWANYCAST, RTM_NEWMULTICAST, RTM_NEWVLAN, RTPROT_OVN, RWF_DONTCACHE, RWF_SUPPORTED, STATX_DIO_READ_ALIGN, TASKSTATS_VERSION, UBI_IOCECNFO, WGALLOWEDIP_A_MAX, XDP_TXMD_FLAGS_LAUNCH_TIME.
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go
  • Updated Linux 386 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
  • Updated Linux AMD64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
  • Updated Linux ARM constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
  • Updated Linux ARM64 constants, including DM_MPATH_PROBE_PATHS, GCS_MAGIC, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
  • Updated Linux Loong64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
  • Updated Linux MIPS constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
  • Updated Linux MIPS64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
  • Updated Linux MIPS64LE constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
  • Updated Linux MIPSLE constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
  • Updated Linux PPC constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
  • Updated Linux PPC64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
  • Updated Linux PPC64LE constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
  • Updated Linux RISCV64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
  • Updated Linux S390X constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
  • Updated Linux SPARC64 constants, including DM_MPATH_PROBE_PATHS, IPV6_FLOWINFO_MASK, IPV6_FLOWLABEL_MASK, SCM_TS_OPT_ID, SO_PASSRIGHTS, SO_RCVPRIORITY, and added new SYS constants.
• vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
  • Added readv, preadv, writev, and pwritev syscall wrappers for Darwin AMD64.
• vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
  • Added assembly stubs for readv, preadv, writev, and pwritev syscalls on Darwin AMD64.
• vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
  • Added readv, preadv, writev, and pwritev syscall wrappers for Darwin ARM64.
• vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
  • Added assembly stubs for readv, preadv, writev, and pwritev syscalls on Darwin ARM64.
• vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
  • Updated Listen syscall binding.
  • Added getpeerucred, ucredGet, ucredGeteuid, ucredGetegid, ucredGetruid, ucredGetrgid, ucredGetsuid, ucredGetsgid, ucredGetpid, ucredFree syscall bindings for Solaris.
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
  • Added new SYS constants for SETXATTRAT, GETXATTRAT, LISTXATTRAT, REMOVEXATTRAT, OPEN_TREE_ATTR.
• vendor/golang.org/x/sys/unix/ztypes_linux.go
  • Updated Statx_t and FscryptAddKeyArg structs.
  • Added IfAddrlblmsg struct and related constants.
  • Updated various NFT and ETHTOOL constants.
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
  • Updated Stat_t and Taskstats structs to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
  • Updated Stat_t and Taskstats structs to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
  • Updated Stat_t and Taskstats structs to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
  • Updated Stat_t and Taskstats structs to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
  • Updated Taskstats struct to include new delay fields.
• vendor/golang.org/x/sys/windows/dll_windows.go
  • Updated comments for LoadDLL and NewLazyDLL to recommend NewLazySystemDLL for system DLLs.
• vendor/golang.org/x/sys/windows/security_windows.go
  • Improved ToAbsolute function for SECURITY_DESCRIPTOR by verifying pointers and setting them explicitly for GC visibility.
• vendor/golang.org/x/sys/windows/syscall_windows.go
  • Added WSADuplicateSocket syscall.
  • Corrected NTUnicodeString.Slice to handle byte lengths correctly.
• vendor/golang.org/x/sys/windows/types_windows.go
  • Added new constants for IP MTU discovery, WSACMSGHDR, IN_PKTINFO, IN6_PKTINFO, FileZeroDataInformation, and virtual key codes.
• vendor/golang.org/x/term/term_windows.go
  • Modified makeRaw to remove ENABLE_PROCESSED_OUTPUT flag for console input handles.
• vendor/golang.org/x/term/terminal.go
  • Introduced History interface for managing command history.
  • Updated NewTerminal to use the new History interface.
  • Refined handleKey and readLine logic for history navigation and paste mode.
• vendor/golang.org/x/text/language/parse.go
  • Corrected return value for CanonType.Parse to always return nil error.
• vendor/modules.txt
  • Updated module versions for golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, golang.org/x/term, golang.org/x/text.
  • Added golang.org/x/net/internal/httpcommon.

Activity

• The pull request was automatically generated by redhat-renovate-bot to update dependencies.
• The update addresses multiple security vulnerabilities in golang.org/x/net, including HTTP Proxy bypass (CVE-2025-22870), Cross-site Scripting (CVE-2025-22872), Quadratic parsing complexity (CVE-2025-47911), and Infinite parsing loop (CVE-2025-58190).
• Automerge is currently disabled, requiring manual review and approval.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates golang.org/x/net and its transitive dependencies, addressing several security vulnerabilities. A significant change is the update of the Go version in go.mod to 1.24.0. The vendored code reflects numerous changes from upstream, including security patches, bug fixes, and refactorings that leverage newer Go features. The changes appear sound and beneficial for the project's security and maintenance. I have one suggestion regarding a TODO in the updated code that has become actionable due to the Go version bump.

[gemini-code-assist]

The TODO comment here mentions using weak pointers once Go 1.24 is appropriate. Since this PR updates the module's Go version to 1.24.0, this improvement is now actionable. Using weak pointers could be a more robust way to handle the GC interaction mentioned in the comments. While this is an upstream change, it's a good opportunity for improvement that could be contributed back to golang.org/x/sys.