Skip to content

fix(deps): bump golang.org/x/crypto to v0.52.0#8

Merged
emretinaztepe merged 1 commit into
mainfrom
bugfix/x-crypto-cve-bump
May 26, 2026
Merged

fix(deps): bump golang.org/x/crypto to v0.52.0#8
emretinaztepe merged 1 commit into
mainfrom
bugfix/x-crypto-cve-bump

Conversation

@emretinaztepe

Copy link
Copy Markdown

Summary

  • Bump golang.org/x/crypto from v0.48.0 to v0.52.0 to patch 7 CVEs in ssh and knownhosts flagged by govulncheck (GO-2026-5013, 5015, 5017, 5018, 5019, 5020, 5021).
  • Bump Go directive from 1.24.0 to 1.25.0 (required by x/crypto v0.52.0).
  • go mod tidy byproducts: promoted golang.org/x/crypto, github.com/golang-jwt/jwt/v5, github.com/gorilla/websocket from indirect to direct (they're imported directly by wardgate code). x/sys indirect bumped to v0.45.0 to match.

Why

The Fleet repo's hardened CI (Go Vuln Scan (wardgate) job in ci.yml) now runs govulncheck against this submodule on every push/PR, and the v0.48.0 pin trips 7 high-severity findings. Bumping unblocks Fleet CI on dev/main.

Verification

Locally, on this branch:

  • govulncheck ./... → No vulnerabilities found
  • go build ./... → clean
  • Pre-existing go vet warnings about IPv6 net.Dial format strings in internal/{imap,smtp}/client.go are unchanged — unrelated to this bump.

Follow-up

After this merges to main, the Fleet submodule pointer needs to be bumped in a follow-up PR on binalyze/Binalyze.Fleet so its Go Vuln Scan (wardgate) job sees the fix.

Patches 7 vulnerabilities in golang.org/x/crypto/ssh and knownhosts
flagged by govulncheck (GO-2026-5013, 5015, 5017, 5018, 5019, 5020,
5021).

go.mod required bumping the Go directive from 1.24.0 to 1.25.0 because
x/crypto v0.52.0 sets that as its minimum. go mod tidy also promoted
golang-jwt/jwt/v5, gorilla/websocket and x/crypto from indirect to
direct require, since they're imported directly by wardgate code.
-e
Signed-off-by: Emre Tinaztepe <emre@binalyze.com>
@emretinaztepe
emretinaztepe merged commit 0b09d9a into main May 26, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant