
Dependencies: Update golang.org/x/net#1425

Open
dveeden wants to merge 1 commit into pingcap:master from dveeden:update_x_net

Conversation

dveeden commented Feb 27, 2026

dvaneeden@dve-carbon:~/dev/pingcap/kvproto$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.17.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.ConnectionError.Error
      #2: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.ErrCode.String
      #3: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.FrameHeader.String
      #4: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.FrameType.String
      #5: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.ReadFrame
      #6: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteContinuation
      #7: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteData
      #8: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteHeaders
      #9: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WritePing
      #10: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteRSTStream
      #11: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteSettings
      #12: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteSettingsAck
      #13: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.Framer.WriteWindowUpdate
      #14: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.Setting.String
      #15: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.SettingID.String
      #16: pkg/pdpb/pdpb.pb.go:11178:36: pdpb.pDReportBucketsClient.CloseAndRecv calls grpc.clientStream.CloseSend, which eventually calls http2.SettingsFrame.ForeachSetting
      #17: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.StreamError.Error
      #18: pkg/kvrpcpb/kvrpcpb.pb.go:10973:86: kvrpcpb.BroadcastTxnStatusResponse.String calls proto.CompactTextString, which eventually calls http2.chunkWriter.Write
      #19: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.connError.Error
      #20: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.duplicatePseudoHeaderError.Error
      #21: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.headerFieldNameError.Error
      #22: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.headerFieldValueError.Error
      #23: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.pseudoHeaderError.Error
      #24: pkg/kvrpcpb/kvrpcpb.pb.go:47920:21: kvrpcpb.BroadcastTxnStatusResponse.Unmarshal calls fmt.Errorf, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 5
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
dvaneeden@dve-carbon:~/dev/pingcap/kvproto$ go get -u golang.org/x/net
go: upgraded go 1.19 => 1.25.0
go: upgraded golang.org/x/mod v0.8.0 => v0.32.0
go: upgraded golang.org/x/net v0.17.0 => v0.51.0
go: upgraded golang.org/x/sys v0.13.0 => v0.41.0
go: upgraded golang.org/x/text v0.13.0 => v0.34.0
go: upgraded golang.org/x/tools v0.6.0 => v0.41.0
dvaneeden@dve-carbon:~/dev/pingcap/kvproto$ go mod tidy
go: downloading gopkg.in/yaml.v2 v2.2.3
go: downloading golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2
dvaneeden@dve-carbon:~/dev/pingcap/kvproto$ govulncheck ./...
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
dvaneeden@dve-carbon:~/dev/pingcap/kvproto$
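As an added example (not part of this PR or of the kvproto project): a small Go gate that reads the `govulncheck -json` stream and fails the build only on findings whose vulnerable symbol is actually reachable, which is the distinction the summary above draws between "Your code is affected by 1 vulnerability" and the modules "your code doesn't appear to call". The JSON field names used here (`finding`, `osv`, `fixed_version`, `trace`, `module`, `package`, `function`, `receiver`) are my reading of govulncheck's JSON output format and should be checked against the installed govulncheck version; the sample stream is constructed, modelled on the GO-2024-2687 trace above, and the ids GO-0000-0001 and GO-0000-0002 are placeholders, not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of govulncheck's -json stream needed by the gate. Field names are an
// assumption based on the documented JSON format; verify against your version.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
	Receiver string `json:"receiver"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// Each value in the stream is an object with one key (config, progress, osv,
// finding); only "finding" matters here, the rest decode to a nil Finding.
type message struct {
	Finding *finding `json:"finding"`
}

// Level mirrors govulncheck's three precision levels.
type Level int

const (
	ModuleLevel  Level = iota // module is required, nothing from it imported
	PackageLevel              // vulnerable package imported, symbol not called
	SymbolLevel               // vulnerable symbol reachable from your code
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// classify reads trace[0], which holds the vulnerable symbol: a function name
// means it is reachable, a package name alone means the package is imported,
// and a bare module entry means the module is merely required.
func classify(f finding) Level {
	if len(f.Trace) == 0 {
		return ModuleLevel
	}
	switch {
	case f.Trace[0].Function != "":
		return SymbolLevel
	case f.Trace[0].Package != "":
		return PackageLevel
	default:
		return ModuleLevel
	}
}

// Report collapses the many per-trace findings govulncheck emits (24 traces
// for a single vulnerability in the PR above) into one entry per OSV id.
type Report struct {
	Level map[string]Level  // highest precision level seen per OSV id
	Fixed map[string]string // fixed version, when a finding carries one
}

// Parse consumes a govulncheck -json stream of concatenated JSON objects.
func Parse(r io.Reader) (Report, error) {
	rep := Report{Level: map[string]Level{}, Fixed: map[string]string{}}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return rep, nil
		} else if err != nil {
			return rep, err
		}
		if m.Finding == nil {
			continue
		}
		f := *m.Finding
		if lvl := classify(f); lvl > rep.Level[f.OSV] || rep.Level[f.OSV] == 0 {
			rep.Level[f.OSV] = lvl // first sighting or a more precise level
		}
		if f.FixedVersion != "" {
			rep.Fixed[f.OSV] = f.FixedVersion
		}
	}
}

// Blocking returns the OSV ids that should fail the build: only those whose
// vulnerable symbol is reachable. Module- and package-level findings are
// reported for triage but do not block, matching govulncheck's own summary.
func Blocking(rep Report) []string {
	var ids []string
	for id, lvl := range rep.Level {
		if lvl == SymbolLevel {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleStream is a constructed stand-in for `govulncheck -json ./...` output.
// GO-0000-0001 and GO-0000-0002 are placeholders, not real advisories.
const SampleStream = `{"config":{"scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 1 package across 1 dependent module for known vulnerabilities..."}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.23.0","trace":[{"module":"golang.org/x/net","version":"v0.17.0","package":"golang.org/x/net/http2","function":"Error","receiver":"ConnectionError"},{"module":"github.com/pingcap/kvproto","package":"github.com/pingcap/kvproto/pkg/kvrpcpb","function":"Unmarshal","receiver":"BroadcastTxnStatusResponse"}]}}
{"finding":{"osv":"GO-2024-2687","fixed_version":"v0.23.0","trace":[{"module":"golang.org/x/net","version":"v0.17.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/placeholder","version":"v1.0.0","package":"example.com/placeholder/pkg"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/other","version":"v0.9.0"}]}}
`

func main() {
	rep, err := Parse(strings.NewReader(SampleStream)) // swap in os.Stdin for CI
	if err != nil {
		fmt.Println("parse error:", err)
		os.Exit(2)
	}
	for id, lvl := range rep.Level {
		fmt.Printf("%s: %s level, fixed in %q\n", id, lvl, rep.Fixed[id])
	}
	if b := Blocking(rep); len(b) > 0 {
		fmt.Println("FAIL: reachable vulnerabilities:", b)
		os.Exit(1)
	}
	fmt.Println("OK: no reachable vulnerabilities")
}
```

In CI the intended wiring is `govulncheck -json ./... | go run gate.go` with `Parse(os.Stdin)`; the sample stream is only there so the program runs offline. Collapsing by OSV id matters because govulncheck emits one finding per call trace, so a single advisory can show up dozens of times, as the 24 traces above do.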

@dveeden dveeden requested review from 0xPoe and hawkingrei February 27, 2026 16:24
@dveeden dveeden added the dependencies Pull requests that update a dependency file label Feb 27, 2026
@ti-chi-bot ti-chi-bot bot requested a review from TszKitLo40 February 27, 2026 16:24
ti-chi-bot bot commented Feb 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign liuzix for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details:
Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added the size/M label Feb 27, 2026
pingcap-cla-assistant bot commented Feb 27, 2026

CLA assistant check
All committers have signed the CLA.

dveeden (author) commented Feb 27, 2026
