chore(deps): Bump x/crypto, x/net, grpc, pgx to address CVEs by ryands · Pull Request #139 · ConductorOne/baton-sql

ryands · 2026-06-17T22:32:24Z

Description

Bug fix
New feature

Bumps four dependencies to their latest released versions to resolve CVEs flagged by
dependency scanning. go.mod + go.sum + vendor/ only; no functional changes.
go build ./..., go vet ./..., and go test ./... pass; vendor/ re-synced via
go mod vendor.

golang.org/x/crypto v0.50.0 → v0.53.0 (all fixed in 0.52.0)

CVE-2026-39830 — https://pkg.go.dev/vuln/GO-2026-5017
CVE-2026-39831 — https://pkg.go.dev/vuln/GO-2026-5019
CVE-2026-39832 — https://pkg.go.dev/vuln/GO-2026-5006
CVE-2026-39833 — https://pkg.go.dev/vuln/GO-2026-5005
CVE-2026-39834 — https://pkg.go.dev/vuln/GO-2026-5020
CVE-2026-42508 — https://pkg.go.dev/vuln/GO-2026-5021
CVE-2026-46595 — https://pkg.go.dev/vuln/GO-2026-5023

golang.org/x/net v0.53.0 → v0.56.0 (fixed in 0.55.0)

CVE-2026-39821 — https://pkg.go.dev/vuln/GO-2026-5026

github.com/jackc/pgx/v5 v5.7.4 → v5.10.0

CVE-2026-33815 — https://pkg.go.dev/vuln/GO-2026-4771 (fixed 5.9.0)
CVE-2026-33816 — https://pkg.go.dev/vuln/GO-2026-4772 (fixed 5.9.0)
CVE-2026-41889 — GHSA-j88v-2chj-qfwx (fixed 5.9.2)

google.golang.org/grpc v1.81.0 → v1.81.1

CVE-2026-33186 — https://pkg.go.dev/vuln/GO-2026-4762 (fixed 1.79.3; already satisfied at v1.81.0, bumped to v1.81.1 for hygiene)

x/crypto and x/net were previously held back as indirect deps; promoting them to the
patched releases also clears several adjacent advisories fixed in the same release
(x/crypto 0.52.0, x/net 0.55.0).

Useful links:

ryands · 2026-06-17T22:36:54Z

Closing in favor of #138, which lands the same target versions for these deps
(pgx v5.10.0, grpc v1.81.1, x/crypto v0.53.0, x/net v0.56.0) and is maintainer-authored. Thanks for picking this up so quickly.

Leaving the CVE → fixed-version mapping here for the record.

golang.org/x/crypto → 0.53.0 (fixed in 0.52.0): CVE-2026-39830, -39831, -39832,
-39833, -39834, -42508, -46595
golang.org/x/net → 0.56.0 (fixed in 0.55.0): CVE-2026-39821
github.com/jackc/pgx/v5 → 5.10.0: CVE-2026-33815, -33816 (fixed 5.9.0),
CVE-2026-41889 (fixed 5.9.2)
google.golang.org/grpc: CVE-2026-33186 (fixed 1.79.3; already satisfied at 1.81.0)

Bump x/crypto, x/net, grpc, pgx to clear OSS CVEs

abb1334

ryands requested a review from a team June 17, 2026 22:32

ryands closed this Jun 17, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): Bump x/crypto, x/net, grpc, pgx to address CVEs#139

chore(deps): Bump x/crypto, x/net, grpc, pgx to address CVEs#139
ryands wants to merge 1 commit into
ConductorOne:mainfrom
hightouchio:security/oss-cve-jun-2026

ryands commented Jun 17, 2026

Uh oh!

ryands commented Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

ryands commented Jun 17, 2026

Description

Useful links:

Uh oh!

ryands commented Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant