Bump golang.org/x/net from 0.30.0 to 0.36.0 in /cmd

[dependabot]

Bumps golang.org/x/net from 0.30.0 to 0.36.0.

Commits

• 85d1d54 go.mod: update golang.org/x dependencies
• cde1dda proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
• fe7f039 publicsuffix: spruce up code gen and speed up PublicSuffix
• 459513d internal/http3: move more common stream processing to genericConn
• aad0180 http2: fix flakiness from t.Log when GOOS=js
• b73e574 http2: don't log expected errors from writing invalid trailers
• 5f45c77 internal/http3: make read-data tests usable for server handlers
• 43c2540 http2, internal/httpcommon: reject userinfo in :authority
• 1d78a08 http2, internal/httpcommon: factor out server header logic for h2/h3
• 0d7dc54 quic: add Conn.ConnectionState
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Bito

This PR updates dependency versions in the command directory, primarily bumping golang.org/x/net from v0.30.0 to v0.36.0 and updating golang.org/x/text. Obsolete dependency declarations and indirect references were removed to streamline module configuration, improving dependency management and module integrity.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 1

[bito-code-review]

Code Review Agent Run #2a65f1

Actionable Suggestions - 0

Security Concerns - 15

• Vulnerability 1
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2687
  • Vulnerability Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
  • Fixed in Version: v0.23.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -golang.org/x/net vX.Y.Z
    +golang.org/x/net v0.23.0
    

• Vulnerability 2
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3333
  • Vulnerability Description: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
  • Fixed in Version: v0.33.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -golang.org/x/net vX.Y.Z
    +golang.org/x/net v0.33.0
    

• Vulnerability 3
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3503
  • Vulnerability Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component.
  • Fixed in Version: v0.36.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -golang.org/x/net vX.Y.Z
    +golang.org/x/net v0.36.0
    

• Vulnerability 4
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2687
  • Vulnerability Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
  • Fixed in Version: v1.21.9
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.21.9
    

• Vulnerability 5
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2887
  • Vulnerability Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses.
  • Fixed in Version: v1.21.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.21.11
    

• Vulnerability 6
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2888
  • Vulnerability Description: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations.
  • Fixed in Version: v1.21.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.21.11
    

• Vulnerability 7
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2963
  • Vulnerability Description: The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational status.
  • Fixed in Version: v1.21.12
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.21.12
    

• Vulnerability 8
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3105
  • Vulnerability Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.7
    

• Vulnerability 9
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3106
  • Vulnerability Description: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.7
    

• Vulnerability 10
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3107
  • Vulnerability Description: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.7
    

• Vulnerability 11
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3373
  • Vulnerability Description: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
  • Fixed in Version: v1.22.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.11
    

• Vulnerability 12
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3420
  • Vulnerability Description: The HTTP client drops sensitive headers after following a cross-domain redirect but incorrectly restores them for subsequent same-domain redirects.
  • Fixed in Version: v1.22.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.11
    

• Vulnerability 13
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3447
  • Vulnerability Description: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture.
  • Fixed in Version: v1.22.12
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -go 1.X.Y
    +go 1.22.12
    

• Vulnerability 14
  • Dependency Name: google.golang.org/protobuf
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2611
  • Vulnerability Description: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON.
  • Fixed in Version: v1.33.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -google.golang.org/protobuf vX.Y.Z
    +google.golang.org/protobuf v1.33.0
    

• Vulnerability 15
  • Dependency Name: golang.org/x/oauth2
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3488
  • Vulnerability Description: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
  • Fixed in Version: v0.27.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    -golang.org/x/oauth2 vX.Y.Z
    +golang.org/x/oauth2 v0.27.0
    

Review Details

• Files reviewed - 2 · Commit Range: 4b25dac..4b25dac

  • cmd/go.mod
  • cmd/go.sum
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • OWASP (Security Vulnerability) - ✔︎ Successful
  • GOVULNCHECK (Security Vulnerability) - ✔︎ Successful
  • SNYK (Security Vulnerability) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change

Files Impacted

Other Improvements - Dependency Updates and Cleanup

- go.mod - Updated module dependencies by removing an outdated toolchain directive and an indirect YAML dependency, adding an explicit YAML dependency, and bumping golang.org/x/net to v0.36.0 and golang.org/x/text to v0.22.0 with adjusted replace settings. - go.sum - Removed obsolete checksum entries and updated checksums to align with the new versions of golang.org/x/net and golang.org/x/text, ensuring consistency with go.mod updates.

[dependabot]

Superseded by #36.