Skip to content

chore(security): bump x/sys for Windows GO-2026-5024#2

Merged
tzone85 merged 1 commit into
mainfrom
harden/bump-x-sys-windows-vuln
Jun 11, 2026
Merged

chore(security): bump x/sys for Windows GO-2026-5024#2
tzone85 merged 1 commit into
mainfrom
harden/bump-x-sys-windows-vuln

Conversation

@tzone85

@tzone85 tzone85 commented Jun 11, 2026

Copy link
Copy Markdown
Owner

Summary

  • Bumps golang.org/x/sys v0.42.0 → v0.44.0
  • Clears GO-2026-5024 (integer overflow in NewNTUnicodeString, Windows-only).
  • Reported by govulncheck as a module-level finding ("packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities") — indirect via modernc.org/libc and gated by runtime.GOOS == "windows".

Why now

v0.1.0 declared native Windows + WSL2 support (commit d41dbd3). Once a platform is documented, every vuln on that platform is in scope for the release-gating govulncheck job.

Test plan

  • go build ./...
  • go test -race ./... — all 21 packages green
  • govulncheck ./...0 vulnerabilities (was 1 module-level)
  • golangci-lint run — 0 issues

Clears GO-2026-5024 (integer overflow in NewNTUnicodeString,
golang.org/x/sys/windows). Indirect-only and Windows-only, but
v0.1.0 declared Windows native support so the finding now lands
on a documented target.

govulncheck ./... reports 0 vulnerabilities after the bump.
@tzone85 tzone85 merged commit cf56633 into main Jun 11, 2026
2 checks passed
@tzone85 tzone85 deleted the harden/bump-x-sys-windows-vuln branch June 11, 2026 09:19
tzone85 added a commit that referenced this pull request Jun 11, 2026
Adds an Unreleased section to CHANGELOG.md covering the five
sequential PRs that landed today:
- #2 chore(security): bump x/sys for GO-2026-5024
- #3 fix(api): validate tenant id at route boundary
- #4 fix(ingest): reject option-shaped --base-ref
- #5 fix(mempalace): validate Kind/Tenant/Key against path traversal
- #6 chore(supply-chain): pin govulncheck + base images by digest

Updates README Status to mention the hardening pass and replaces a
stale `§9` design-spec cross-reference with the section's actual
name (per the project's doc-style rule against the § symbol).

No code changes, no behaviour changes — pure documentation refresh
for the audit story.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant