Skip to content

upgrade golang.org/x/crypto to 0.45.0 #35988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 20, 2025
Merged

upgrade golang.org/x/crypto to 0.45.0 #35988

merged 2 commits into from
Nov 20, 2025
+7 −7

Conversation

@lunny
Copy link
Member

@lunny lunny commented Nov 20, 2025

Backport #35985

@GiteaBot GiteaBot added this to the 1.25.2 milestone Nov 20, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 20, 2025
@lunny lunny added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/dependencies labels Nov 20, 2025
@lunny lunny mentioned this pull request Nov 20, 2025
Merged
@silverwind
Copy link
Member

silverwind commented Nov 20, 2025
edited
Loading

Odd, https://pkg.go.dev/vuln/GO-2025-4134 is marked as "all versions, no known fixed", see discussion in golang/vulndb#4143.

@johnsonjh
Copy link

johnsonjh commented Nov 20, 2025
edited
Loading

govulncheck is clearly incorrect and directly contradicts the security announcement from Google. Blocking this upgrade actually keeps you vulnerable to the two CVEs.

@silverwind
Copy link
Member

silverwind commented Nov 20, 2025

Yeah we should either wait for the vulndb fix or merge open PRs while ignoring vulncheck. There's currently still no way to suppress individual vulns (golang/go#59507).

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 20, 2025
@lunny
Copy link
Member Author

lunny commented Nov 20, 2025

I think we can merge this one while ignoring vulncheck. I have done that in #35985

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 20, 2025
@silverwind
Copy link
Member

silverwind commented Nov 20, 2025

vulncheck was fixed

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 20, 2025
@techknowlogick techknowlogick merged commit 5e7207d into go-gitea:release/v1.25 Nov 20, 2025
26 checks passed
@lunny lunny deleted the lunny/backport_35985 branch November 20, 2025 23:23
lunny added a commit that referenced this pull request Nov 22, 2025
@lunny @wxiaoguang
release notes for 1.25.2 (#35986)
eaa916a 
~Wait #35988~

---------

Signed-off-by: wxiaoguang <[email protected]>
Co-authored-by: wxiaoguang <[email protected]>
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 24, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/release/v1.25'
0a09b13 
* giteaofficial/release/v1.25: (77 commits)
  Add "site admin" back to profile menu (go-gitea#36010) (go-gitea#36013)
  release notes for 1.25.2 (go-gitea#35986)
  Allow empty commit when merging pull request with squash style (go-gitea#35989) (go-gitea#36003)
  Fix various permission & login related bugs (go-gitea#36002) (go-gitea#36004)
  upgrade golang.org/x/crypto to 0.45.0 (go-gitea#35988)
  Change project default column icon to 'star' (go-gitea#35967) (go-gitea#35979)
  Misc CSS fixes (go-gitea#35888) (go-gitea#35981)
  Fix container push tag overwriting (go-gitea#35936) (go-gitea#35954)
  Fix corrupted external render content (go-gitea#35946) (go-gitea#35950)
  Don't show unnecessary error message to end users for DeleteBranchAfterMerge (go-gitea#35937) (go-gitea#35941)
  Limit read bytes instead of ReadAll (go-gitea#35928) (go-gitea#35934)
  Load jQuery as early as possible to support custom scripts (go-gitea#35926) (go-gitea#35929)
  Allow to display embed images/pdfs when SERVE_DIRECT was enabled on MinIO storage (go-gitea#35882) (go-gitea#35917)
  Use correct form field for allowed force push users in branch protection API (go-gitea#35894) (go-gitea#35908)
  Make OAuth2 issuer configurable (go-gitea#35915) (go-gitea#35916)
  Fix go-gitea#35763: Add proper page title for project pages (go-gitea#35773) (go-gitea#35909)
  Display source code downloads last for release attachments (go-gitea#35897) (go-gitea#35903)
  Fix team member access check (go-gitea#35899) (go-gitea#35905)
  Fix conda null depend issue (go-gitea#35900) (go-gitea#35902)
  Fix avatar upload error handling (go-gitea#35887) (go-gitea#35890)
  ...

# Conflicts:
#	go.mod
#	go.sum
#	models/actions/run_test.go
#	models/fixtures/action_run.yml
#	models/fixtures/action_run_job.yml
#	models/fixtures/action_task.yml
#	models/fixtures/branch.yml
#	models/fixtures/repo_unit.yml
#	modules/git/tree_entry_gogit.go
#	modules/git/tree_gogit.go
#	routers/web/repo/actions/view.go
#	routers/web/repo/issue_comment.go
#	services/actions/workflow.go
#	services/doctor/actions_test.go
#	services/pull/comment.go
#	services/pull/pull.go
#	services/pull/temp_repo.go
#	templates/base/head_navbar.tmpl
#	templates/swagger/v1_json.tmpl
#	tests/integration/actions_schedule_test.go
#	tests/integration/git_lfs_ssh_test.go
#	tests/integration/pull_create_test.go
#	tests/integration/pull_merge_test.go
#	tests/sqlite.ini.tmpl
#	web_src/js/components/ContextPopup.vue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

+1 more reviewer

@Zettat123 Zettat123 Zettat123 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/dependencies topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Projects

None yet

Milestone

1.25.2

Development

Successfully merging this pull request may close these issues.

6 participants

@lunny @silverwind @johnsonjh @Zettat123 @techknowlogick @GiteaBot