
fix(deps): bump golang.org/x/net to v0.55.0 to address GO-2026-5026#32153

Merged: gjenkins8 merged 1 commit into helm:main from TerryHowe:fix/bump-x-net-go-2026-5026-main on May 27, 2026

Conversation

@TerryHowe (Contributor)

Summary

Bumps golang.org/x/net from v0.53.0 to v0.55.0 to fix GO-2026-5026 / CVE-2026-39821.

Vulnerability

The ToASCII and ToUnicode functions in the golang.org/x/net/idna package incorrectly accept Punycode-encoded labels that decode to ASCII-only labels. For example, ToUnicode("xn--example-.com") returns "example.com" instead of an error. This allows privilege escalation by bypassing hostname-based security checks.

Helm's call chain that triggers the finding:

  • registry.LoggingTransport.RoundTrip → http.Transport.RoundTrip → idna.ToASCII
  • repotest.OCIServer.Run → registry.Registry.ListenAndServe → idna.Profile.ToASCII

Changes

The golang.org/x/ packages share a coordinated release cycle, so the following were updated together:

| Module | Before | After |
|---|---|---|
| golang.org/x/net | v0.53.0 | v0.55.0 |
| golang.org/x/sys | v0.44.0 | v0.45.0 |

Upgrades golang.org/x/net from v0.53.0 to v0.55.0 to fix CVE-2026-39821
(GO-2026-5026), where idna.ToASCII/ToUnicode incorrectly accept Punycode-
encoded labels that decode to ASCII-only labels, enabling privilege escalation
via hostname check bypass.

Coordinated x/ upgrade pulled in by the module graph:
- golang.org/x/sys v0.44.0 => v0.45.0

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Copilot AI review requested due to automatic review settings May 22, 2026 22:12
@pull-request-size pull-request-size Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 22, 2026
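The advisory quoted above says the bug is that an A-label such as `xn--example-` decodes to the ASCII-only string `example` and is accepted instead of rejected. The following is an added example, not Helm's code and not the golang.org/x/net fix: a stand-alone Go program (standard library only, so it runs without x/net; the names `ToUnicodeStrict`, `punycodeDecode`, `adapt`, `digitValue` and `isASCII` are this example's own) that decodes Punycode per RFC 3492 and refuses any `xn--` label whose decoded form is ASCII-only, so the advisory's `xn--example-.com` becomes an error rather than `example.com`. The hostnames used are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Punycode parameters from RFC 3492 section 5.
const base, tmin, tmax, skew, damp, initialBias, initialN = 36, 1, 26, 38, 700, 72, 128

// digitValue maps a Punycode digit (a-z/A-Z = 0..25, 0-9 = 26..35); -1 if invalid.
func digitValue(c byte) int {
	if 'A' <= c && c <= 'Z' {
		c += 'a' - 'A'
	}
	return strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", c)
}

// adapt is the bias adaptation function from RFC 3492 section 6.1.
func adapt(delta, numPoints int, firstTime bool) int {
	if firstTime {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for ; delta > ((base-tmin)*tmax)/2; k += base {
		delta /= base - tmin
	}
	return k + (base-tmin+1)*delta/(delta+skew)
}

// isASCII reports whether s contains only 7-bit bytes (invalid UTF-8 counts as non-ASCII).
func isASCII(s string) bool { return strings.IndexFunc(s, func(r rune) bool { return r >= 0x80 }) < 0 }

// punycodeDecode decodes the text after an "xn--" prefix (RFC 3492 section 6.2).
func punycodeDecode(enc string) (string, error) {
	if !isASCII(enc) {
		return "", fmt.Errorf("punycode: non-ASCII input %q", enc)
	}
	out, pos := []rune{}, 0
	if d := strings.LastIndexByte(enc, '-'); d >= 0 {
		out, pos = []rune(enc[:d]), d+1 // basic code points before the last '-' copy through
	}
	n, i, bias := initialN, 0, initialBias
	for pos < len(enc) {
		oldi, w := i, 1
		for k := base; ; k += base { // generalized variable-length integer, one digit per loop
			if pos >= len(enc) {
				return "", fmt.Errorf("punycode: truncated delta in %q", enc)
			}
			digit := digitValue(enc[pos])
			pos++
			if digit < 0 || digit > (1<<31-1-i)/w {
				return "", fmt.Errorf("punycode: bad digit or overflow in %q", enc)
			}
			i += digit * w
			t := min(max(k-bias, tmin), tmax) // threshold for this digit (Go 1.21 builtins)
			if digit < t {
				break
			}
			w *= base - t
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		n, i = n+i/(len(out)+1), i%(len(out)+1) // n: code point to insert, i: its position
		if n > unicode.MaxRune {
			return "", fmt.Errorf("punycode: code point out of range in %q", enc)
		}
		out = append(out, 0)
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return string(out), nil
}

// ToUnicodeStrict converts a hostname's A-labels to U-labels but, unlike a lenient
// converter, rejects any "xn--" label whose decoded form is ASCII-only.
func ToUnicodeStrict(host string) (string, error) {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	for idx, label := range labels {
		switch {
		case label == "" || !isASCII(label):
			return "", fmt.Errorf("idna: %q is not a valid A-label", label)
		case len(label) >= 4 && strings.EqualFold(label[:4], "xn--"):
			decoded, err := punycodeDecode(label[4:])
			if err != nil {
				return "", fmt.Errorf("idna: label %q: %w", label, err)
			}
			if isASCII(decoded) { // e.g. "xn--example-" -> "example": must be an error, not "example.com"
				return "", fmt.Errorf("idna: label %q decodes to ASCII-only %q", label, decoded)
			}
			labels[idx] = decoded
		}
	}
	return strings.Join(labels, "."), nil
}
```

Running `ToUnicodeStrict` on a name before it reaches an allowlist or certificate comparison guarantees the decoded form can never collapse onto a plain ASCII name different from the one actually sent on the wire. It is a defence-in-depth check to apply alongside the x/net upgrade, not a substitute for it.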

Copilot AI left a comment


Pull request overview

Updates Helm’s Go module dependencies to remediate GO-2026-5026 / CVE-2026-39821 by bumping the affected golang.org/x/net module (and aligning golang.org/x/sys accordingly). This is a targeted dependency update in the Go module manifests (go.mod / go.sum) and fits the codebase’s standard Go module dependency management.

Changes:

  • Bump golang.org/x/net from v0.53.0 → v0.55.0 (indirect) to pick up the IDNA ToASCII / ToUnicode fix.
  • Bump golang.org/x/sys from v0.44.0 → v0.45.0 (indirect).
  • Update go.sum entries to match the new module versions/hashes.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| go.mod | Updates indirect requirements for golang.org/x/net and golang.org/x/sys to patched versions. |
| go.sum | Refreshes checksum entries to correspond to the bumped module versions. |


@TerryHowe TerryHowe added the Has One Approval This PR has one approval. It still needs a second approval to be merged. label May 23, 2026
@gjenkins8 gjenkins8 merged commit 63a5d1b into helm:main May 27, 2026
6 checks passed
@promptless-for-oss


📝 Documentation Updated

I've created a docs PR to add this security fix to the changelog: helm/helm-www#2118

The changelog entry documents the golang.org/x/net bump to v0.55.0 addressing GO-2026-5026 / CVE-2026-39821.

@scottrigby scottrigby added the dependencies Pull requests that update a dependency file label Jun 12, 2026
@scottrigby scottrigby added this to the 4.2.1 milestone Jun 12, 2026
@scottrigby scottrigby added needs-pick Indicates that a PR needs to be cherry-picked into the next release candidate. picked Indicates that a PR has been cherry-picked into the next release candidate. and removed needs-pick Indicates that a PR needs to be cherry-picked into the next release candidate. Has One Approval This PR has one approval. It still needs a second approval to be merged. labels Jun 12, 2026
Luzifer pushed a commit to luzifer-docker/action-env that referenced this pull request Jun 16, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [helm/helm](https://github.com/helm/helm) | patch | `4.2.0` → `4.2.1` |

---

### Release Notes

<details>
<summary>helm/helm (helm/helm)</summary>

### [`v4.2.1`](https://github.com/helm/helm/releases/tag/v4.2.1): Helm v4.2.1

[Compare Source](helm/helm@v4.2.0...v4.2.1)

Helm v4.2.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

- Join the discussion in [Kubernetes Slack](https://kubernetes.slack.com):
  - for questions and just to hang out
  - for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via [Zoom](https://zoom.us/j/696660622)
- Test, debug, and contribute charts: [ArtifactHub/packages](https://artifacthub.io/packages/search?kind=0)

#### Notable Changes

- Fixed data race detected by -race flag when concurrent goroutines (upgrade + rollback, install + uninstall) both call GetWaiterWithOptions on the same FailingKubeClient instance [#&#8203;31925](helm/helm#31925)
- Fixed helm command success messages writing to stderr instead of stdout. Now correctly outputting to stdout [#&#8203;32056](helm/helm#32056)
- Fixed Helm 4 emitting "unable to find exact version" when using version range constraints [#&#8203;31757](helm/helm#31757)
- Fixed a race condition in WaitForDelete where the status observer canceled the watch too early, causing intermittent failures when running a full test suite [#&#8203;32081](helm/helm#32081)
- Bumped golang.org/x/net to v0.55.0 to address GO-2026-5026 [#&#8203;32153](helm/helm#32153)
- Fixed SDK errors by upgrading dependencies: cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 [#&#8203;32128](helm/helm#32128)
- Dependency updates

#### Installation and Upgrading

Download Helm v4.2.1. The common platform binaries are here:

- [MacOS amd64](https://get.helm.sh/helm-v4.2.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-darwin-amd64.tar.gz.sha256sum) / 2a21c9f368d608bcf6eb794ebc06514eb6b529a846b60fe4a43dea7bcce65228)
- [MacOS arm64](https://get.helm.sh/helm-v4.2.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-darwin-arm64.tar.gz.sha256sum) / 896472d2ec0740c60f64a9df0fc30d478beee38a1a2a6ed91aa6e6ee177c1575)
- [Linux amd64](https://get.helm.sh/helm-v4.2.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-amd64.tar.gz.sha256sum) / 479dca836e5b45e8bd222400c5591b0e3a647378f03ff96597180db97c17fdae)
- [Linux arm](https://get.helm.sh/helm-v4.2.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-arm.tar.gz.sha256sum) / 49e8f7856de6eab170dc09671cfb0578cc455d820df5b0f54e6453058dc0e3f3)
- [Linux arm64](https://get.helm.sh/helm-v4.2.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-arm64.tar.gz.sha256sum) / 596b9a73d366c1e72ce67d595c22805480e30914593aafbc9f547694e72814db)
- [Linux i386](https://get.helm.sh/helm-v4.2.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-386.tar.gz.sha256sum) / e038eab680f22b1cebe68fd0536cf2397b0c10798dcb23c28e500e0804ec1a55)
- [Linux loong64](https://get.helm.sh/helm-v4.2.1-linux-loong64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-loong64.tar.gz.sha256sum) / 8ae26f15638d951c4ed21d0d3018b8800a137646e5e5151a3856cf324c2852ae)
- [Linux ppc64le](https://get.helm.sh/helm-v4.2.1-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-ppc64le.tar.gz.sha256sum) / 6f34eca5e314e941577a07be6c8b356f66b9cdefbed1175da1e7916368febcfc)
- [Linux s390x](https://get.helm.sh/helm-v4.2.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-s390x.tar.gz.sha256sum) / e6355691887d4185b7e077f058483c04f353229feb7d4a72edc3ebe0b8738a6a)
- [Linux riscv64](https://get.helm.sh/helm-v4.2.1-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-riscv64.tar.gz.sha256sum) / 16a4299f14ff1ffa79bb22115051911c662fa2ecdd90e85b65d7d143e8de9d02)
- [Windows amd64](https://get.helm.sh/helm-v4.2.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v4.2.1-windows-amd64.zip.sha256sum) / 6e7fa7839444b8ddc407c5bcdb1edd1024f57d09c2db971dec511ee2f2616eb0)
- [Windows arm64](https://get.helm.sh/helm-v4.2.1-windows-arm64.zip) ([checksum](https://get.helm.sh/helm-v4.2.1-windows-arm64.zip.sha256sum) / ae4c9acd0d9acd1f9e9da2f60105f793f65fd49ab7c03c6c7d13804c3b885657)

This release was signed with `208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155` and can be found at [@&#8203;scottrigby](https://github.com/scottrigby) [keybase account](https://keybase.io/r6by). Please use the attached signatures for verifying this release using `gpg`.

The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4) on any system with `bash`.

#### What's Next

- 4.2.2 and 3.21.2 are the next patch releases scheduled for July 8, 2026
- 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

#### Changelog

- fix: protect FailingKubeClient.RecordedWaitOptions from data race ([#&#8203;31925](helm/helm#31925)) [`d591a19`](helm/helm@d591a19) (Terry Howe)
- fix: route registry client output to stdout instead of stderr ([#&#8203;32056](helm/helm#32056)) [`2a9fcae`](helm/helm@2a9fcae) (Terry Howe)
- chore(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1 [`ffa5bd6`](helm/helm@ffa5bd6) (dependabot\[bot])
- chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 [`9f9dbaf`](helm/helm@9f9dbaf) (dependabot\[bot])
- chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 [`64a2891`](helm/helm@64a2891) (dependabot\[bot])
- chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0 [`e54a4a2`](helm/helm@e54a4a2) (dependabot\[bot])
- chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 [`acb762b`](helm/helm@acb762b) (dependabot\[bot])
- chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 [`768586d`](helm/helm@768586d) (dependabot\[bot])
- fix(version): avoid false range detection on prerelease x/X [`eabfae5`](helm/helm@eabfae5) (Benoit Tigeot)
- fix(version): version range || can has no space [`e3fd51f`](helm/helm@e3fd51f) (Benoit Tigeot)
- feat: report in debug the version we select with version range arg [`1e47395`](helm/helm@1e47395) (Benoit Tigeot)
- fix: prevent warning when using version range constraints [`a33e239`](helm/helm@a33e239) (Benoit Tigeot)
- fix(kube): always propagate context.Canceled in WaitForDelete [`fa06d44`](helm/helm@fa06d44) (Terry Howe)
- fix(kube): prevent spurious early exit in WaitForDelete during informer sync [`360d483`](helm/helm@360d483) (Terry Howe)
- chore(deps): bump github.com/tetratelabs/wazero from 1.11.0 to 1.12.0 [`7651edf`](helm/helm@7651edf) (dependabot\[bot])
- chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 [`b132e7e`](helm/helm@b132e7e) (dependabot\[bot])
- fix(deps): bump golang.org/x/net to v0.55.0 to address GO-2026-5026 [`eee491a`](helm/helm@eee491a) (Terry Howe)
- chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 [`3e3c575`](helm/helm@3e3c575) (dependabot\[bot])
- chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 [`c4ce2bb`](helm/helm@c4ce2bb) (dependabot\[bot])
- chore(deps): bump actions/stale from 10.2.0 to 10.3.0 [`3892dc2`](helm/helm@3892dc2) (dependabot\[bot])
- chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 [`c4bbb62`](helm/helm@c4bbb62) (dependabot\[bot])
- chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 [`a0d7f16`](helm/helm@a0d7f16) (dependabot\[bot])
- chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 [`8a3de05`](helm/helm@8a3de05) (dependabot\[bot])
- fix(upstream): upgrade to cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 [`57a4803`](helm/helm@57a4803) (Matheus Pimenta)
- chore(deps): bump github.com/fluxcd/cli-utils from 1.2.0 to 1.2.1 [`b33ae02`](helm/helm@b33ae02) (dependabot\[bot])

**Full Changelog**: <helm/helm@v4.2.0...v4.2.1>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.luzifer.io/luzifer-docker/action-env/pulls/172