Skip to content

fix(deps): bump golang.org/x/crypto to v0.54.0 for CVE-2026-46595 (GO-2026-5023)#197

Draft
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1784125654-bump-x-crypto
Draft

fix(deps): bump golang.org/x/crypto to v0.54.0 for CVE-2026-46595 (GO-2026-5023)#197
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1784125654-bump-x-crypto

Conversation

@devin-ai-integration

Copy link
Copy Markdown
Contributor

Summary

Bumps the transitive dependency golang.org/x/crypto from v0.30.0 to v0.54.0 (>= the advisory's fixed v0.52.0) to clear Go advisory GO-2026-5023 / CVE-2026-46595 from the published abctl binary. golang.org/x/crypto remains an // indirect dependency.

-go 1.23.4
+go 1.25.0
...
-golang.org/x/crypto v0.30.0 // indirect
+golang.org/x/crypto v0.54.0 // indirect

Reachability (not exploitable in abctl)

The vulnerable code path in GO-2026-5023 is in golang.org/x/crypto/ssh server-side authentication (ssh.NewServerConn / server permission-callback enforcement). abctl does not import golang.org/x/crypto/ssh anywhere — verified via go list -deps ./..., which pulls in only the openpgp, bcrypt, scrypt, pbkdf2, chacha20poly1305 (and their internal) subpackages for Helm chart/provenance and TLS. So the actual exploitability in abctl is effectively nil; this bump exists to clear the advisory match on the published binary, not to close a reachable exploit.

Cascading changes

golang.org/x/crypto@v0.52.0+ requires go >= 1.25.0, so go mod tidy cascaded:

  • go directive upgraded 1.23.41.25.0
  • sibling golang.org/x/* modules bumped (net, sys, term, text, tools, mod, sync)
  • .github/workflows/airbox-release.yml Go version pin bumped 1.241.25 so release builds use a compatible toolchain. The other workflows (go.yml, release.yml) already use go-version: 'stable', which resolves to the latest 1.25.x — no change needed.

Declarative-First Evaluation

N/A — this is a dependency/version bump in a Go CLI, not a declarative (YAML manifest-only) Airbyte connector change.

Test Coverage

No new test is added: this is a dependency-version-only change with no new runtime behavior to cover. Verified locally with Go 1.25.12:

  • go build ./... succeeds
  • go test ./... passes (all packages ok)
  • go.mod/go.sum embed golang.org/x/crypto v0.54.0 (indirect)

Note on release

The actual release/publish of a patched abctl binary is a separate maintainer action beyond this PR — merging this only updates the source. A maintainer must cut a new release for the fix to reach the published binary. The Go toolchain upgrade to 1.25 is the main item worth maintainer review.

Related to https://github.com/airbytehq/oncall/issues/13109:

Link to Devin session: https://app.devin.ai/sessions/1e5af4641778465fac71d8d89e702975

…-2026-5023)

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot added the hyd-fix Hydra: ai-fix stage has run label Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

hyd-fix Hydra: ai-fix stage has run

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants