[PR #85] [MERGED] Update Go dependencies for security fixes #998

Closed
opened 2026-06-20 13:30:57 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/gerbil/pull/85
Author: @marcschaeferger
Created: 6/4/2026
Status: Merged
Merged: 6/4/2026
Merged by: @oschwartz10612

Base: mainHead: fix/security-update-go-deps


📝 Commits (1)

  • 44622a8 fix(deps): update Go dependencies for security fixes

📊 Changes

2 files changed (+75 additions, -60 deletions)

View changed files

📝 go.mod (+20 -20)
📝 go.sum (+55 -40)

📄 Description

Description

This pull request updates several dependencies in the go.mod file to newer versions, primarily focusing on the Prometheus and OpenTelemetry libraries, as well as other indirect dependencies. These updates help ensure the project benefits from the latest features, security patches, and bug fixes.

Dependency updates:

Prometheus and monitoring libraries:

  • Upgraded github.com/prometheus/client_golang from v1.20.5 to v1.23.2, along with related indirect dependencies: client_model to v0.6.2, common to v0.66.1, and procfs to v0.16.1. [1] [2]

OpenTelemetry libraries:

  • Updated all go.opentelemetry.io/otel dependencies from v1.43.0 to v1.44.0, including exporters, metric, sdk, and trace packages. [1] [2]

Other dependency updates:

  • Upgraded golang.org/x/crypto to v0.52.0, golang.org/x/net to v0.55.0, golang.org/x/sys to v0.45.0, and golang.org/x/text to v0.37.0. [1] [2]
  • Updated github.com/grpc-ecosystem/grpc-gateway/v2 to v2.29.0 and google.golang.org/grpc to v1.81.1.
  • Updated google.golang.org/genproto dependencies to their latest versions.
  • Added go.yaml.in/yaml/v2 v2.4.2 as an indirect dependency.

Security Report

   7C     2H     4M     0L  golang.org/x/crypto 0.49.0
pkg:golang/golang.org/x/crypto@0.49.0

    x CRITICAL CVE-2026-46595
      https://scout.docker.com/v/CVE-2026-46595
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-42508
      https://scout.docker.com/v/CVE-2026-42508
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-39834
      https://scout.docker.com/v/CVE-2026-39834
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-39833
      https://scout.docker.com/v/CVE-2026-39833
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-39832
      https://scout.docker.com/v/CVE-2026-39832
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-39831
      https://scout.docker.com/v/CVE-2026-39831
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x CRITICAL CVE-2026-39830
      https://scout.docker.com/v/CVE-2026-39830
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x HIGH CVE-2026-46597
      https://scout.docker.com/v/CVE-2026-46597
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x HIGH CVE-2026-39829
      https://scout.docker.com/v/CVE-2026-39829
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x MEDIUM CVE-2026-39827
      https://scout.docker.com/v/CVE-2026-39827
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x MEDIUM CVE-2026-39828
      https://scout.docker.com/v/CVE-2026-39828
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x MEDIUM CVE-2026-46598
      https://scout.docker.com/v/CVE-2026-46598
      Affected range : <0.52.0
      Fixed version  : 0.52.0

    x MEDIUM CVE-2026-39835
      https://scout.docker.com/v/CVE-2026-39835
      Affected range : <0.52.0
      Fixed version  : 0.52.0


   1C     1H     5M     0L  golang.org/x/net 0.52.0
pkg:golang/golang.org/x/net@0.52.0

    x CRITICAL CVE-2026-39821
      https://scout.docker.com/v/CVE-2026-39821
      Affected range : <0.55.0
      Fixed version  : 0.55.0

    x HIGH CVE-2026-33814
      https://scout.docker.com/v/CVE-2026-33814
      Affected range : <0.53.0
      Fixed version  : 0.53.0

    x MEDIUM CVE-2026-25680
      https://scout.docker.com/v/CVE-2026-25680
      Affected range : <0.55.0
      Fixed version  : 0.55.0

    x MEDIUM CVE-2026-42506
      https://scout.docker.com/v/CVE-2026-42506
      Affected range : <0.55.0
      Fixed version  : 0.55.0

    x MEDIUM CVE-2026-42502
      https://scout.docker.com/v/CVE-2026-42502
      Affected range : <0.55.0
      Fixed version  : 0.55.0

    x MEDIUM CVE-2026-27136
      https://scout.docker.com/v/CVE-2026-27136
      Affected range : <0.55.0
      Fixed version  : 0.55.0

    x MEDIUM CVE-2026-25681
      https://scout.docker.com/v/CVE-2026-25681
      Affected range : <0.55.0
      Fixed version  : 0.55.0
 

   0C     0H     0M     1L  golang.org/x/sys 0.42.0
pkg:golang/golang.org/x/sys@0.42.0

    x LOW CVE-2026-39824
      https://scout.docker.com/v/CVE-2026-39824
      Affected range : <0.44.0
      Fixed version  : 0.44.0

Note:

NO AI usage


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/gerbil/pull/85 **Author:** [@marcschaeferger](https://github.com/marcschaeferger) **Created:** 6/4/2026 **Status:** ✅ Merged **Merged:** 6/4/2026 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `main` ← **Head:** `fix/security-update-go-deps` --- ### 📝 Commits (1) - [`44622a8`](https://github.com/fosrl/gerbil/commit/44622a883fac096fc91c8f889cd50c32b5523926) fix(deps): update Go dependencies for security fixes ### 📊 Changes **2 files changed** (+75 additions, -60 deletions) <details> <summary>View changed files</summary> 📝 `go.mod` (+20 -20) 📝 `go.sum` (+55 -40) </details> ### 📄 Description ## Description This pull request updates several dependencies in the `go.mod` file to newer versions, primarily focusing on the Prometheus and OpenTelemetry libraries, as well as other indirect dependencies. These updates help ensure the project benefits from the latest features, security patches, and bug fixes. Dependency updates: **Prometheus and monitoring libraries:** * Upgraded `github.com/prometheus/client_golang` from v1.20.5 to v1.23.2, along with related indirect dependencies: `client_model` to v0.6.2, `common` to v0.66.1, and `procfs` to v0.16.1. [[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L7-R15) [[2]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L28-R48) **OpenTelemetry libraries:** * Updated all `go.opentelemetry.io/otel` dependencies from v1.43.0 to v1.44.0, including exporters, metric, sdk, and trace packages. [[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L7-R15) [[2]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L28-R48) **Other dependency updates:** * Upgraded `golang.org/x/crypto` to v0.52.0, `golang.org/x/net` to v0.55.0, `golang.org/x/sys` to v0.45.0, and `golang.org/x/text` to v0.37.0. [[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L7-R15) [[2]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L28-R48) * Updated `github.com/grpc-ecosystem/grpc-gateway/v2` to v2.29.0 and `google.golang.org/grpc` to v1.81.1. * Updated `google.golang.org/genproto` dependencies to their latest versions. * Added `go.yaml.in/yaml/v2 v2.4.2` as an indirect dependency. ## Security Report ``` 7C 2H 4M 0L golang.org/x/crypto 0.49.0 pkg:golang/golang.org/x/crypto@0.49.0 x CRITICAL CVE-2026-46595 https://scout.docker.com/v/CVE-2026-46595 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-42508 https://scout.docker.com/v/CVE-2026-42508 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-39834 https://scout.docker.com/v/CVE-2026-39834 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-39833 https://scout.docker.com/v/CVE-2026-39833 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-39832 https://scout.docker.com/v/CVE-2026-39832 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-39831 https://scout.docker.com/v/CVE-2026-39831 Affected range : <0.52.0 Fixed version : 0.52.0 x CRITICAL CVE-2026-39830 https://scout.docker.com/v/CVE-2026-39830 Affected range : <0.52.0 Fixed version : 0.52.0 x HIGH CVE-2026-46597 https://scout.docker.com/v/CVE-2026-46597 Affected range : <0.52.0 Fixed version : 0.52.0 x HIGH CVE-2026-39829 https://scout.docker.com/v/CVE-2026-39829 Affected range : <0.52.0 Fixed version : 0.52.0 x MEDIUM CVE-2026-39827 https://scout.docker.com/v/CVE-2026-39827 Affected range : <0.52.0 Fixed version : 0.52.0 x MEDIUM CVE-2026-39828 https://scout.docker.com/v/CVE-2026-39828 Affected range : <0.52.0 Fixed version : 0.52.0 x MEDIUM CVE-2026-46598 https://scout.docker.com/v/CVE-2026-46598 Affected range : <0.52.0 Fixed version : 0.52.0 x MEDIUM CVE-2026-39835 https://scout.docker.com/v/CVE-2026-39835 Affected range : <0.52.0 Fixed version : 0.52.0 1C 1H 5M 0L golang.org/x/net 0.52.0 pkg:golang/golang.org/x/net@0.52.0 x CRITICAL CVE-2026-39821 https://scout.docker.com/v/CVE-2026-39821 Affected range : <0.55.0 Fixed version : 0.55.0 x HIGH CVE-2026-33814 https://scout.docker.com/v/CVE-2026-33814 Affected range : <0.53.0 Fixed version : 0.53.0 x MEDIUM CVE-2026-25680 https://scout.docker.com/v/CVE-2026-25680 Affected range : <0.55.0 Fixed version : 0.55.0 x MEDIUM CVE-2026-42506 https://scout.docker.com/v/CVE-2026-42506 Affected range : <0.55.0 Fixed version : 0.55.0 x MEDIUM CVE-2026-42502 https://scout.docker.com/v/CVE-2026-42502 Affected range : <0.55.0 Fixed version : 0.55.0 x MEDIUM CVE-2026-27136 https://scout.docker.com/v/CVE-2026-27136 Affected range : <0.55.0 Fixed version : 0.55.0 x MEDIUM CVE-2026-25681 https://scout.docker.com/v/CVE-2026-25681 Affected range : <0.55.0 Fixed version : 0.55.0 0C 0H 0M 1L golang.org/x/sys 0.42.0 pkg:golang/golang.org/x/sys@0.42.0 x LOW CVE-2026-39824 https://scout.docker.com/v/CVE-2026-39824 Affected range : <0.44.0 Fixed version : 0.44.0 ``` ## Note: NO AI usage --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-20 13:30:57 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gerbil#998