Bump golang.org/x/net from 0.30.0 to 0.38.0 in /cmd

[dependabot]

Bumps golang.org/x/net from 0.30.0 to 0.38.0.

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Bito

This PR updates dependencies in the /cmd directory, specifically upgrading golang.org/x/net from v0.30.0 to v0.38.0 along with related packages (golang.org/x/sys, golang.org/x/text, and golang.org/x/term). The changes include corresponding updates to go.sum to maintain proper checksums for the new dependency versions.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 1

[bito-code-review]

Code Review Agent Run #2b9153

Actionable Suggestions - 0

Security Concerns - 17

• Vulnerability 1
  • Dependency Name: golang.org/x/oauth2
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3488
  • Vulnerability Description: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
  • Fixed in Version: v0.27.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/oauth2 v0.x.x
    + golang.org/x/oauth2 v0.27.0
    

• Vulnerability 2
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2687
  • Vulnerability Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
  • Fixed in Version: v0.23.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.x.x
    + golang.org/x/net v0.38.0
    

• Vulnerability 3
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3333
  • Vulnerability Description: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.
  • Fixed in Version: v0.33.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.x.x
    + golang.org/x/net v0.38.0
    

• Vulnerability 4
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3503
  • Vulnerability Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component.
  • Fixed in Version: v0.36.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.x.x
    + golang.org/x/net v0.38.0
    

• Vulnerability 5
  • Dependency Name: golang.org/x/net
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3595
  • Vulnerability Description: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing.
  • Fixed in Version: v0.38.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - golang.org/x/net v0.x.x
    + golang.org/x/net v0.38.0
    

• Vulnerability 6
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2687
  • Vulnerability Description: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
  • Fixed in Version: v1.21.9
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 7
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2887
  • Vulnerability Description: The various Is methods did not work as expected for IPv4-mapped IPv6 addresses.
  • Fixed in Version: v1.21.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 8
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2888
  • Vulnerability Description: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations.
  • Fixed in Version: v1.21.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 9
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2963
  • Vulnerability Description: The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational status.
  • Fixed in Version: v1.21.12
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 10
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3105
  • Vulnerability Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 11
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3106
  • Vulnerability Description: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 12
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2024-3107
  • Vulnerability Description: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
  • Fixed in Version: v1.22.7
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 13
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3373
  • Vulnerability Description: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
  • Fixed in Version: v1.22.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 14
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3420
  • Vulnerability Description: The HTTP client drops sensitive headers after following a cross-domain redirect but incorrectly restores them for subsequent same-domain redirects.
  • Fixed in Version: v1.22.11
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 15
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3447
  • Vulnerability Description: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture.
  • Fixed in Version: v1.22.12
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 16
  • Dependency Name: stdlib
  • Dependency Version: None
  • Vulnerability Name: GO-2025-3563
  • Vulnerability Description: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines.
  • Fixed in Version: v1.23.8
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - go 1.x.x
    + go 1.23.8
    

• Vulnerability 17
  • Dependency Name: google.golang.org/protobuf
  • Dependency Version: None
  • Vulnerability Name: GO-2024-2611
  • Vulnerability Description: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON.
  • Fixed in Version: v1.33.0
  • Code Suggestion:

    
    @@ -1,1 +1,1 @@
    - google.golang.org/protobuf v1.x.x
    + google.golang.org/protobuf v1.33.0
    

Review Details

• Files reviewed - 2 · Commit Range: dd408d1..dd408d1

  • cmd/go.mod
  • cmd/go.sum
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • SNYK (Security Vulnerability) - ✔︎ Successful
  • GOVULNCHECK (Security Vulnerability) - ✔︎ Successful
  • OWASP (Security Vulnerability) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change

Files Impacted

Other Improvements - Dependency Updates

- go.mod - Upgraded multiple dependency versions including golang.org/x/net (0.30.0 to 0.38.0), golang.org/x/sys (0.30.0 to 0.31.0), golang.org/x/text (0.19.0 to 0.23.0) and updated the replace directive with minor formatting changes, while also adding a new dependency for gopkg.in/yaml.v2. - go.sum - Recomputed module hashes and checksums to reflect the updated dependency versions in go.mod, ensuring consistency of dependency integrity checks.