
Bump golang-jwt, x/net, protobuf to clear Go-1.20-compatible CVEs#363

Merged: vikrantpuppala merged 1 commit into main from vp/security-bump-go120-safe, May 21, 2026

Conversation

@vikrantpuppala (Collaborator)

Summary

Three dependency bumps surfaced by OSV-Scanner against go.mod. All stay within the existing go 1.20 directive — each fixed version declares go 1.17/1.18 in its own go.mod, so no Go-toolchain change is forced by this PR.

| Dependency | From | To | Severity | CVE |
|---|---|---|---|---|
| golang-jwt/jwt/v5 | 5.2.1 | 5.2.2 | HIGH 8.7 | GO-2025-3553 / GHSA-mh63-6h87-95cp |
| google.golang.org/protobuf | 1.28.1 | 1.33.0 | HIGH 7.5 | GO-2024-2611 / GHSA-8r3f-844c-mc37 |
| golang.org/x/net | 0.21.0 | 0.33.0 | MED 5.3 + LOW | GO-2024-2687 + GO-2024-3333 |

Why these specific patch versions

  • jwt/v5.2.2 is the backport of the fix; v5.3.0 forces go 1.21.
  • protobuf 1.33.0 is the lowest patched version; declares go 1.17.
  • x/net 0.33.0 is the highest x/net we can take while staying on go 1.20; v0.36.0+ forces go 1.23. The remaining 4 x/net advisories (GO-2025-3503, GO-2025-3595, GO-2026-4440/4441/4918) will be cleared by a follow-up Go-toolchain bump.

Net OSV-Scanner result after this PR

HIGH:  5 -> 3   (apache/thrift, x/crypto, x/oauth2 remain — all require go >= 1.23)
MED:   5 -> 4
LOW:  60 -> 59  (55 of the LOWs are stdlib@1.20.x advisories that only clear
                 when the build toolchain itself is upgraded)

Test plan

  • go build ./... clean
  • go mod tidy no further changes
  • OSV-Scanner v2.3.8 confirms the predicted drop
  • go 1.20 directive in go.mod unchanged
  • Existing test suite (CI on this PR exercises this)

This pull request was AI-assisted by Isaac.
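The selection rule behind "Why these specific patch versions" (a candidate is acceptable only if its own go.mod does not declare a go version newer than the project's `go 1.20` directive) is easy to get wrong by eye once `1.21.0`-style and pre-release forms appear. The program below is an added example written for this page, not code from the PR or the repository. The go.mod fragments are constructed; their `go` lines match what the PR reports (x/net v0.33.0 declares 1.18, v0.36.0 declares 1.23, protobuf v1.33.0 declares 1.17) and everything else in them is filler. The function names are my own. In real use the candidate text would be read from the `GoMod` path printed by `go mod download -json module@version`.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragments for the versions named in the PR. The go
// lines match the PR's statements; the module lines are illustrative.
var candidates = map[string]string{
	"golang.org/x/net@v0.33.0":          "module golang.org/x/net\n\ngo 1.18\n",
	"golang.org/x/net@v0.36.0":          "module golang.org/x/net\n\ngo 1.23\n",
	"google.golang.org/protobuf@v1.33.0": "module google.golang.org/protobuf\n\ngo 1.17\n",
}

// GoVersion is a parsed go directive value: major, minor, patch.
type GoVersion [3]int

// ParseGoVersion accepts "1.20", "1.21.0", "go1.23" and pre-release forms
// such as "1.23rc1" (the pre-release tag is dropped, so "1.23rc1" sorts
// with "1.23"). Anything else is an error rather than a silent zero.
func ParseGoVersion(s string) (GoVersion, error) {
	var v GoVersion
	s = strings.TrimPrefix(s, "go")
	// Cut a pre-release suffix: "1.23rc1" -> "1.23", "1.21beta1" -> "1.21".
	for i, r := range s {
		if r != '.' && (r < '0' || r > '9') {
			s = s[:i]
			break
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised go version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unrecognised go version %q: %v", s, err)
		}
		v[i] = n
	}
	return v, nil
}

// Less reports whether v is older than w.
func (v GoVersion) Less(w GoVersion) bool {
	for i := range v {
		if v[i] != w[i] {
			return v[i] < w[i]
		}
	}
	return false
}

// GoDirective returns the value of the `go` line in go.mod text, or ""
// when the file has none. Trailing comments are ignored.
func GoDirective(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// BumpFits answers the PR's question for one candidate: does the candidate's
// declared go version stay within projectGo? It returns the verdict and the
// declared value. A missing go line is treated as compatible, since the go
// command then assumes go 1.16 semantics for that module.
func BumpFits(projectGo, candidateGoMod string) (bool, string, error) {
	proj, err := ParseGoVersion(projectGo)
	if err != nil {
		return false, "", err
	}
	decl := GoDirective(candidateGoMod)
	if decl == "" {
		return true, "(none)", nil
	}
	cand, err := ParseGoVersion(decl)
	if err != nil {
		return false, decl, err
	}
	return !proj.Less(cand), decl, nil
}

func main() {
	const projectGo = "1.20" // the directive this PR keeps unchanged
	for name, gomod := range candidates {
		ok, decl, err := BumpFits(projectGo, gomod)
		if err != nil {
			fmt.Printf("%-36s error: %v\n", name, err)
			continue
		}
		verdict := "forces toolchain bump"
		if ok {
			verdict = "fits"
		}
		fmt.Printf("%-36s declares go %-6s -> %s\n", name, decl, verdict)
	}
}
```

The reason a dependency can "force" the directive at all is the rule introduced with Go 1.21: the main module's go line must be at least as new as every dependency's, and `go get` or `go mod tidy` raises it automatically when it is not. Checking the declared version before running either command is what keeps a security bump from silently turning into a toolchain bump.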

Surfaced by OSV-Scanner against go.mod. These three bumps stay within
the existing `go 1.20` directive (each fixed version declares
`go 1.17`-`1.18` in its own go.mod) -- no Go-toolchain change needed.

  golang-jwt/jwt/v5      5.2.1   -> 5.2.2
    GO-2025-3553 / GHSA-mh63-6h87-95cp  (HIGH 8.7)
    Excess memory allocation in parseToken. Patched in the 5.2.x
    branch; v5.3.0 forced `go 1.21` so we take the backport.

  google.golang.org/protobuf  1.28.1 -> 1.33.0
    GO-2024-2611 / GHSA-8r3f-844c-mc37  (HIGH 7.5)
    Infinite-loop DoS in Unmarshal of arbitrary input. Fixed version
    still declares `go 1.17`.

  golang.org/x/net  0.21.0 -> 0.33.0
    GO-2024-2687 / GHSA-4v7x-pqxf-cx7m  (MED 5.3)  - HTTP/2 CONTINUATION flood
    GO-2024-3333                          (LOW)    - HTML tokenizer parse bug
    Fixed version still declares `go 1.18`. Stopping at v0.33.0
    because v0.36.0+ forces `go 1.23`; the remaining x/net advisories
    will be cleared by a follow-up Go-toolchain bump.

Net OSV-Scanner result after this PR:
  HIGH: 5 -> 3   (apache/thrift, x/crypto, x/oauth2 still need Go bump)
  MED:  5 -> 4
  LOW:  60 -> 59 (55 of the LOWs are stdlib@1.20.x advisories that
                  only clear when the build toolchain is upgraded)

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala merged commit e248c04 into main May 21, 2026
3 checks passed
@vikrantpuppala vikrantpuppala deleted the vp/security-bump-go120-safe branch May 21, 2026 10:47
