build(deps): Bump golang.org/x/crypto from 0.0.0-20220525230936-793ad666bf5e to 0.50.0#880
Conversation
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20220525230936-793ad666bf5e to 0.50.0. - [Commits](https://github.com/golang/crypto/commits/v0.50.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.50.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit bc491f2. Configure here.
| module github.com/tendermint/tendermint | ||
|
|
||
| go 1.17 | ||
| go 1.25.0 |
There was a problem hiding this comment.
Go version jump from 1.17 to 1.25.0 changes runtime behavior
High Severity
The go directive jumps from 1.17 to 1.25.0 as a side effect of bumping golang.org/x/crypto to v0.50.0. This is an 8-major-version leap that silently introduces Go 1.25's container-aware GOMAXPROCS default, which changes parallelism from using all host CPUs to respecting cgroup CPU limits. For Tendermint nodes running in containers/Kubernetes, this could significantly reduce default parallelism and degrade performance. A lower x/crypto version (e.g. v0.31.0, requiring only Go 1.20) would address the security vulnerability with a far smaller blast radius.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit bc491f2. Configure here.
Bumps golang.org/x/crypto from 0.0.0-20220525230936-793ad666bf5e to 0.50.0.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Medium Risk
Dependency upgrades touch security-critical
golang.org/x/cryptoand also raise the module Go version, which can change build semantics and transitive resolution across the project.Overview
Updates the module to Go
1.25.0and refreshes several core Go dependencies, notably bumpinggolang.org/x/cryptotov0.50.0alongsidegolang.org/x/netandgolang.org/x/sync.Modernizes related tooling/libs (
github.com/google/go-cmpand indirectgolang.org/x/*modules), adjusts theretractdirective formatting ingo.mod, and regeneratesgo.sumaccordingly.Reviewed by Cursor Bugbot for commit bc491f2. Bugbot is set up for automated code reviews on this repo. Configure here.