chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-3.4.x) #19429

renovate-sh-app · 2025-10-08T12:15:57Z

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/net	`v0.33.0` -> `v0.38.0`

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

CVSS Score: 4.4 / 10 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/net vulnerable to Cross-site Scripting

CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595

More information

Details

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

| datasource | package | from | to | | ---------- | ---------------- | ------- | ------- | | go | golang.org/x/net | v0.33.0 | v0.38.0 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

renovate-sh-app · 2025-10-08T12:16:00Z

ℹ Artifact update notice

File name: operator/api/loki/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

1 additional dependency was updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.19` -> `1.23.0`
`golang.org/x/text`	`v0.21.0` -> `v0.23.0`

File name: operator/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

5 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.22.0` -> `1.23.0`
`go (toolchain)`	`1.22.5` -> `1.24.8`
`golang.org/x/crypto`	`v0.31.0` -> `v0.36.0`
`golang.org/x/sync`	`v0.10.0` -> `v0.12.0`
`golang.org/x/sys`	`v0.28.0` -> `v0.31.0`
`golang.org/x/term`	`v0.27.0` -> `v0.30.0`
`golang.org/x/text`	`v0.21.0` -> `v0.23.0`

CLAassistant · 2025-10-08T12:16:16Z

All committers have signed the CLA.

github-actions · 2025-10-08T12:17:04Z

😢 zizmor failed with exit code 14.

Expand for full output

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/images.yml:44:7
   |
44 |       "uses": "actions/setup-node@v4"
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
86 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
   |       --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:141:7
    |
141 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
166 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:264:7
    |
264 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
289 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:387:7
    |
387 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
412 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/images.yml:510:7
    |
510 |       "uses": "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
535 |       "uses": "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       --------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:220:7
    |
220 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
248 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:293:7
    |
293 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
321 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:366:7
    |
366 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
394 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:445:7
    |
445 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
473 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:518:7
    |
518 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
546 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:597:7
    |
597 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
625 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:676:7
    |
676 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
704 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:848:7
    |
848 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
876 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/minor-release-pr.yml:927:7
    |
927 |       uses: "actions/setup-node@v4"
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
955 |       uses: "docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1"
    |       ------------------------------------------------------------------------- runtime artifacts usually published here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:62:7
     |
  62 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:220:7
     |
 220 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:293:7
     |
 293 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:366:7
     |
 366 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:445:7
     |
 445 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:518:7
     |
 518 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:597:7
     |
 597 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:676:7
     |
 676 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:753:7
     |
 753 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:848:7
     |
 848 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:927:7
     |
 927 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
    --> ./.github/workflows/patch-release-pr.yml:1003:7
     |
1003 |         uses: "actions/setup-node@v4"
     |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
1093 | / "on":
1094 | |   push:
1095 | |     branches:
1096 | |     - "release-[0-9]+.[0-9]+.x"
     | |_______________________________- generally used when publishing artifacts generated at runtime
     |
     = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/release.yml:44:7
    |
 44 |         uses: "actions/setup-node@v4"
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
435 | / "on":
436 | |   push:
437 | |     branches:
438 | |     - "release-[0-9]+.[0-9]+.x"
439 | |     - "k[0-9]+"
440 | |     - "main"
    | |____________- generally used when publishing artifacts generated at runtime
    |
    = note: audit confidence → Low

334 findings (9 ignored, 298 suppressed): 0 informational, 0 low, 0 medium, 27 high

renovate-sh-app bot requested a review from periklis as a code owner October 8, 2025 12:15

renovate-sh-app bot added the area/security label Oct 8, 2025

renovate-sh-app bot requested a review from xperimental as a code owner October 8, 2025 12:15

renovate-sh-app bot added automerge-security-update severity:UNKNOWN labels Oct 8, 2025

renovate-sh-app bot requested review from a team and JoaoBraveCoding as code owners October 8, 2025 12:15

renovate-sh-app bot added area/security automerge-security-update severity:UNKNOWN labels Oct 8, 2025

pull-request-size bot added the size/S label Oct 8, 2025

loki-gh-app bot added the sig/operator label Oct 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-3.4.x) #19429

chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-3.4.x) #19429

renovate-sh-app bot commented Oct 8, 2025 •

edited

Loading

Uh oh!

renovate-sh-app bot commented Oct 8, 2025

Uh oh!

CLAassistant commented Oct 8, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Oct 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-3.4.x) #19429

Are you sure you want to change the base?

chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-3.4.x) #19429

Conversation

renovate-sh-app bot commented Oct 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Details

Severity

References

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Details

Severity

References

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Details

Severity

References

golang.org/x/net vulnerable to Cross-site Scripting

Details

Severity

References

Configuration

Uh oh!

renovate-sh-app bot commented Oct 8, 2025

ℹ Artifact update notice

File name: operator/api/loki/go.mod

File name: operator/go.mod

Uh oh!

CLAassistant commented Oct 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Oct 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate-sh-app bot commented Oct 8, 2025 •

edited

Loading

CLAassistant commented Oct 8, 2025 •

edited

Loading