fix(deps): bump golang.org/x/net to v0.55.0 to address GO-2026-5026 #32153
Upgrades golang.org/x/net from v0.53.0 to v0.55.0 to fix CVE-2026-39821 (GO-2026-5026), where idna.ToASCII/ToUnicode incorrectly accept Punycode-encoded labels that decode to ASCII-only labels, enabling privilege escalation via hostname check bypass.

Coordinated x/ upgrade pulled in by the module graph:
- golang.org/x/sys v0.44.0 => v0.45.0

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Pull request overview
Updates Helm’s Go module dependencies to remediate GO-2026-5026 / CVE-2026-39821 by bumping the affected golang.org/x/net module (and aligning golang.org/x/sys accordingly). This is a targeted dependency update in the Go module manifests (go.mod / go.sum) and fits the codebase’s standard Go module dependency management.
Changes:
- Bump `golang.org/x/net` from `v0.53.0` → `v0.55.0` (indirect) to pick up the IDNA `ToASCII`/`ToUnicode` fix.
- Bump `golang.org/x/sys` from `v0.44.0` → `v0.45.0` (indirect).
- Update `go.sum` entries to match the new module versions/hashes.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates indirect requirements for golang.org/x/net and golang.org/x/sys to patched versions. |
| go.sum | Refreshes checksum entries to correspond to the bumped module versions. |
📝 Documentation Updated

I've created a docs PR to add this security fix to the changelog: helm/helm-www#2118

The changelog entry documents the
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [helm/helm](https://github.com/helm/helm) | patch | `4.2.0` → `4.2.1` |

---

### Release Notes

<details>
<summary>helm/helm (helm/helm)</summary>

### [`v4.2.1`](https://github.com/helm/helm/releases/tag/v4.2.1): Helm v4.2.1

[Compare Source](helm/helm@v4.2.0...v4.2.1)

Helm v4.2.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

- Join the discussion in [Kubernetes Slack](https://kubernetes.slack.com):
  - for questions and just to hang out
  - for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via [Zoom](https://zoom.us/j/696660622)
- Test, debug, and contribute charts: [ArtifactHub/packages](https://artifacthub.io/packages/search?kind=0)

#### Notable Changes

- Fixed data race detected by -race flag when concurrent goroutines (upgrade + rollback, install + uninstall) both call GetWaiterWithOptions on the same FailingKubeClient instance [#31925](helm/helm#31925)
- Fixed helm command success messages writing to stderr instead of stdout. Now correctly outputting to stdout [#32056](helm/helm#32056)
- Fixed Helm 4 emitting "unable to find exact version" when using version range constraints [#31757](helm/helm#31757)
- Fixed a race condition in WaitForDelete where the status observer canceled the watch too early, causing intermittent failures when running a full test suite [#32081](helm/helm#32081)
- Bumped golang.org/x/net to v0.55.0 to address GO-2026-5026 [#32153](helm/helm#32153)
- Fixed SDK errors by upgrading dependencies: cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 [#32128](helm/helm#32128)
- Dependency updates

#### Installation and Upgrading

Download Helm v4.2.1. The common platform binaries are here:

- [MacOS amd64](https://get.helm.sh/helm-v4.2.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-darwin-amd64.tar.gz.sha256sum) / 2a21c9f368d608bcf6eb794ebc06514eb6b529a846b60fe4a43dea7bcce65228)
- [MacOS arm64](https://get.helm.sh/helm-v4.2.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-darwin-arm64.tar.gz.sha256sum) / 896472d2ec0740c60f64a9df0fc30d478beee38a1a2a6ed91aa6e6ee177c1575)
- [Linux amd64](https://get.helm.sh/helm-v4.2.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-amd64.tar.gz.sha256sum) / 479dca836e5b45e8bd222400c5591b0e3a647378f03ff96597180db97c17fdae)
- [Linux arm](https://get.helm.sh/helm-v4.2.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-arm.tar.gz.sha256sum) / 49e8f7856de6eab170dc09671cfb0578cc455d820df5b0f54e6453058dc0e3f3)
- [Linux arm64](https://get.helm.sh/helm-v4.2.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-arm64.tar.gz.sha256sum) / 596b9a73d366c1e72ce67d595c22805480e30914593aafbc9f547694e72814db)
- [Linux i386](https://get.helm.sh/helm-v4.2.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-386.tar.gz.sha256sum) / e038eab680f22b1cebe68fd0536cf2397b0c10798dcb23c28e500e0804ec1a55)
- [Linux loong64](https://get.helm.sh/helm-v4.2.1-linux-loong64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-loong64.tar.gz.sha256sum) / 8ae26f15638d951c4ed21d0d3018b8800a137646e5e5151a3856cf324c2852ae)
- [Linux ppc64le](https://get.helm.sh/helm-v4.2.1-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-ppc64le.tar.gz.sha256sum) / 6f34eca5e314e941577a07be6c8b356f66b9cdefbed1175da1e7916368febcfc)
- [Linux s390x](https://get.helm.sh/helm-v4.2.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-s390x.tar.gz.sha256sum) / e6355691887d4185b7e077f058483c04f353229feb7d4a72edc3ebe0b8738a6a)
- [Linux riscv64](https://get.helm.sh/helm-v4.2.1-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-v4.2.1-linux-riscv64.tar.gz.sha256sum) / 16a4299f14ff1ffa79bb22115051911c662fa2ecdd90e85b65d7d143e8de9d02)
- [Windows amd64](https://get.helm.sh/helm-v4.2.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v4.2.1-windows-amd64.zip.sha256sum) / 6e7fa7839444b8ddc407c5bcdb1edd1024f57d09c2db971dec511ee2f2616eb0)
- [Windows arm64](https://get.helm.sh/helm-v4.2.1-windows-arm64.zip) ([checksum](https://get.helm.sh/helm-v4.2.1-windows-arm64.zip.sha256sum) / ae4c9acd0d9acd1f9e9da2f60105f793f65fd49ab7c03c6c7d13804c3b885657)

This release was signed with `208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155` and can be found at [@scottrigby](https://github.com/scottrigby) [keybase account](https://keybase.io/r6by). Please use the attached signatures for verifying this release using `gpg`.

The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4) on any system with `bash`.

#### What's Next

- 4.2.2 and 3.21.2 are the next patch releases scheduled for July 8, 2026
- 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

#### Changelog

- fix: protect FailingKubeClient.RecordedWaitOptions from data race ([#31925](helm/helm#31925)) [`d591a19`](helm/helm@d591a19) (Terry Howe)
- fix: route registry client output to stdout instead of stderr ([#32056](helm/helm#32056)) [`2a9fcae`](helm/helm@2a9fcae) (Terry Howe)
- chore(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1 [`ffa5bd6`](helm/helm@ffa5bd6) (dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 [`9f9dbaf`](helm/helm@9f9dbaf) (dependabot[bot])
- chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 [`64a2891`](helm/helm@64a2891) (dependabot[bot])
- chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0 [`e54a4a2`](helm/helm@e54a4a2) (dependabot[bot])
- chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 [`acb762b`](helm/helm@acb762b) (dependabot[bot])
- chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 [`768586d`](helm/helm@768586d) (dependabot[bot])
- fix(version): avoid false range detection on prerelease x/X [`eabfae5`](helm/helm@eabfae5) (Benoit Tigeot)
- fix(version): version range || can has no space [`e3fd51f`](helm/helm@e3fd51f) (Benoit Tigeot)
- feat: report in debug the version we select with version range arg [`1e47395`](helm/helm@1e47395) (Benoit Tigeot)
- fix: prevent warning when using version range constraints [`a33e239`](helm/helm@a33e239) (Benoit Tigeot)
- fix(kube): always propagate context.Canceled in WaitForDelete [`fa06d44`](helm/helm@fa06d44) (Terry Howe)
- fix(kube): prevent spurious early exit in WaitForDelete during informer sync [`360d483`](helm/helm@360d483) (Terry Howe)
- chore(deps): bump github.com/tetratelabs/wazero from 1.11.0 to 1.12.0 [`7651edf`](helm/helm@7651edf) (dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 [`b132e7e`](helm/helm@b132e7e) (dependabot[bot])
- fix(deps): bump golang.org/x/net to v0.55.0 to address GO-2026-5026 [`eee491a`](helm/helm@eee491a) (Terry Howe)
- chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 [`3e3c575`](helm/helm@3e3c575) (dependabot[bot])
- chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 [`c4ce2bb`](helm/helm@c4ce2bb) (dependabot[bot])
- chore(deps): bump actions/stale from 10.2.0 to 10.3.0 [`3892dc2`](helm/helm@3892dc2) (dependabot[bot])
- chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 [`c4bbb62`](helm/helm@c4bbb62) (dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 [`a0d7f16`](helm/helm@a0d7f16) (dependabot[bot])
- chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 [`8a3de05`](helm/helm@8a3de05) (dependabot[bot])
- fix(upstream): upgrade to cli-utils 1.2.1, controller-runtime 0.24.1 and k8s 1.36.1 [`57a4803`](helm/helm@57a4803) (Matheus Pimenta)
- chore(deps): bump github.com/fluxcd/cli-utils from 1.2.0 to 1.2.1 [`b33ae02`](helm/helm@b33ae02) (dependabot[bot])

**Full Changelog**: <helm/helm@v4.2.0...v4.2.1>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)
- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.luzifer.io/luzifer-docker/action-env/pulls/172
Summary

Bumps `golang.org/x/net` from v0.53.0 to v0.55.0 to fix GO-2026-5026 / CVE-2026-39821.

Vulnerability

The `ToASCII` and `ToUnicode` functions in the `golang.org/x/net/idna` package incorrectly accept Punycode-encoded labels that decode to ASCII-only labels. For example, `ToUnicode("xn--example-.com")` returns `"example.com"` instead of an error. This allows privilege escalation by bypassing hostname-based security checks.

Helm's call chain that triggers the finding:
- `registry.LoggingTransport.RoundTrip` → `http.Transport.RoundTrip` → `idna.ToASCII`
- `repotest.OCIServer.Run` → `registry.Registry.ListenAndServe` → `idna.Profile.ToASCII`

Changes

The `golang.org/x/` packages share a coordinated release cycle, so the following were updated together:
- `golang.org/x/net`
- `golang.org/x/sys`
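A defensive pre-check for the class of label described above, as an added Go example that is neither Helm's nor x/net's code; it relies on RFC 3492 decoding semantics and is a stopgap for callers that cannot yet take the v0.55.0 fix, not a replacement for it. The hostnames in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiOnlyALabel reports whether label is an A-label (leading "xn--") whose
// Punycode payload decodes to ASCII only. In the RFC 3492 decoder every
// inserted code point is non-basic (n starts at 128, never decreases, and the
// algorithm fails if n is a basic code point), so the decoded label is pure
// ASCII exactly when no delta digits follow the payload's last '-'. These are
// the labels GO-2026-5026 says idna.ToASCII/ToUnicode wrongly accepted.
func asciiOnlyALabel(label string) bool {
	label = strings.ToLower(label)
	if !strings.HasPrefix(label, "xn--") {
		return false
	}
	payload := label[4:]
	// An empty payload gives LastIndexByte == -1 == len-1 and is flagged too.
	return strings.LastIndexByte(payload, '-') == len(payload)-1
}

// hostHasASCIIOnlyALabel applies the check to each label of a hostname so a
// caller can reject such hosts before an unpatched idna would normalise them.
func hostHasASCIIOnlyALabel(host string) bool {
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if asciiOnlyALabel(label) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample hostnames; xn--mnchen-3ya is the A-label for "münchen".
	samples := []string{"xn--example-.com", "xn--mnchen-3ya.de", "example.com", "XN--.example"}
	for _, h := range samples {
		fmt.Printf("%-20s flagged=%v\n", h, hostHasASCIIOnlyALabel(h))
	}
}
```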