chore(all): update module golang.org/x/net to v0.36.0 [SECURITY] #5218
Conversation
Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
This pull request updates the golang.org/x/net module from version v0.34.0 to v0.36.0 in two go.mod files. This update is marked as a security update by Mend Renovate due to CVE-2025-22870. The vulnerability involves improper matching of hosts against proxy patterns, potentially leading to requests bypassing proxies when they should not.
Highlights
- Dependency Update: The pull request updates the golang.org/x/net module to version v0.36.0.
- Security Patch: This update addresses CVE-2025-22870, a security vulnerability related to proxy pattern matching.
Changelog
- run/h2c/go.mod
  - Updated golang.org/x/net from v0.34.0 to v0.36.0.
- run/testing/go.mod
  - Updated golang.org/x/net from v0.34.0 to v0.36.0.
Code Review
This PR updates the golang.org/x/net module to v0.36.0 to address CVE-2025-22870. The changes involve updating the go.mod files in the run/h2c and run/testing directories. Overall, the update seems straightforward.
Summary of Findings
- Security Vulnerability: The primary purpose of this update is to address CVE-2025-22870, which involves improper handling of IPv6 zone IDs in proxy matching. It's crucial to ensure that this update effectively mitigates the vulnerability.
Merge Readiness
The pull request updates a dependency to address a security vulnerability. Given the nature of the fix, it is recommended to merge this pull request after verifying that the updated version resolves the reported vulnerability and doesn't introduce any regressions. I am unable to directly approve the pull request, and users should have others review and approve this code before merging.
run/testing/go.mod
@@ -6,7 +6,7 @@ require ( | |||
github.com/GoogleCloudPlatform/golang-samples v0.0.0-00010101000000-000000000000 | |||
github.com/GoogleCloudPlatform/golang-samples/run/grpc-ping v0.0.0-20240724083556-7f760db013b7 | |||
github.com/GoogleCloudPlatform/golang-samples/run/grpc-server-streaming v0.0.0-20240724083556-7f760db013b7 | |||
golang.org/x/net v0.34.0 | |||
golang.org/x/net v0.36.0 |
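Review bot: no matching go.sum change is visible alongside this go.mod bump in run/testing; confirm the go.sum entries for golang.org/x/net v0.36.0 (both the module hash and the /go.mod hash) are updated in the same commit, otherwise builds with -mod=readonly (the default) fail with a "missing go.sum entry" error. The changelog in the summary also lists run/h2c/go.mod as changed, but only this file's hunk is shown here, so check that both go.mod files land on the same v0.36.0 version and that the transitive requirements pulled in by v0.36.0 (golang.org/x/text, golang.org/x/sys, etc.) were re-tidied rather than left at stale versions.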
Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
This PR contains the following updates:

Package | Change
---|---
golang.org/x/net | v0.34.0 -> v0.36.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
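To make the bug class described in the CVE-2025-22870 alert above (and in the Gemini review's finding) concrete, here is an added Go example that is not part of this PR or of golang.org/x/net: a flawed suffix matcher that treats the IPv6 zone ID as part of the hostname, beside a hardened matcher that cuts the zone off and refuses to match IP literals against hostname wildcards. The function names and the matching logic are my own approximation of the issue, not the x/net httpproxy implementation or its actual fix.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostOf strips an optional ":port" and surrounding brackets from an
// address such as "[::1%25.example.com]:80", returning the bare host.
func hostOf(hostport string) string {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	return strings.Trim(host, "[]")
}

// matchFlawed mirrors the bug class described for CVE-2025-22870: the host
// is compared against a "*.example.com" pattern as plain text, so an IPv6
// zone ID such as "%25.example.com" supplies the suffix and the literal
// "::1%25.example.com" is wrongly treated as exempt from the proxy.
func matchFlawed(hostport, pattern string) bool {
	return strings.HasSuffix(hostOf(hostport), strings.TrimPrefix(pattern, "*"))
}

// matchFixed is one possible hardening (an assumption, not the x/net fix):
// cut the zone ID at '%', and if what remains parses as an IP literal, never
// match it against a hostname wildcard. Hostnames cannot contain '%'.
func matchFixed(hostport, pattern string) bool {
	host := hostOf(hostport)
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i]
	}
	if net.ParseIP(host) != nil {
		return false
	}
	return strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

func main() {
	// Constructed inputs: the crafted host from the advisory, a legitimate
	// hostname that should bypass the proxy, and a scoped link-local address.
	for _, addr := range []string{"[::1%25.example.com]:80", "api.example.com:443", "[fe80::1%25eth0]:80"} {
		fmt.Printf("%-26s flawed=%-5v fixed=%v\n", addr,
			matchFlawed(addr, "*.example.com"), matchFixed(addr, "*.example.com"))
	}
}
```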