chore(deps): bump the golang-x group across 1 directory with 7 updates #5292

Open
dependabot[bot] wants to merge 5 commits into master from dependabot-go_modules-master-golang-x-e70c50f2d8

@dependabot dependabot Bot commented on behalf of github Mar 16, 2026

Bumps the golang-x group with 1 update in the / directory: golang.org/x/crypto.

Updates golang.org/x/crypto from 0.48.0 to 0.50.0

Commits
  • 03ca0dc go.mod: update golang.org/x dependencies
  • 8400f4a ssh: respect signer's algorithm preference in pickSignatureAlgorithm
  • 81c6cb3 ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • See full diff in compare view

Updates golang.org/x/mod from 0.32.0 to 0.34.0

Commits
  • 1ac721d go.mod: update golang.org/x dependencies
  • fb1fac8 all: upgrade go directive to at least 1.25.0 [generated]
  • 27761a2 go.mod: update golang.org/x dependencies
  • See full diff in compare view

Updates golang.org/x/net from 0.50.0 to 0.52.0

Commits
  • 316e20c go.mod: update golang.org/x dependencies
  • 9767a42 internal/http3: add support for plugging into net/http
  • 4a81284 http2: update docs to disrecommend this package
  • dec6603 dns/dnsmessage: reject too large of names early during unpack
  • 8afa12f http2: deprecate write schedulers
  • 38019a2 http2: add missing copyright header to export_test.go
  • 039b87f internal/http3: return error when Write is used after status 304 is set
  • 6267c6c internal/http3: add HTTP 103 Early Hints support to ClientConn
  • 591bdf3 internal/http3: add HTTP 103 Early Hints support to Server
  • 1faa6d8 internal/http3: avoid potential race when aborting RoundTrip
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.19.0 to 0.20.0

Commits
  • ec11c4a errgroup: fix a typo in the documentation
  • 1a58307 all: modernize interface{} -> any
  • 3172ca5 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/term from 0.40.0 to 0.42.0

Commits
  • 52b71d3 go.mod: update golang.org/x dependencies
  • 9d2dc07 go.mod: update golang.org/x dependencies
  • d954e03 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/text from 0.34.0 to 0.36.0

Commits
  • 8577a70 go.mod: update golang.org/x dependencies
  • 7ca2c6d go.mod: update golang.org/x dependencies
  • 73d1ba9 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/tools from 0.41.0 to 0.43.0

Commits
  • 24a8e95 go.mod: update golang.org/x dependencies
  • 3dd57fb gopls/internal/mcp: refactor unified diff generation
  • fcc014d cmd/digraph: fix package doc
  • 39f0f5c cmd/stress: add -failfast flag
  • 063c264 gopls/test/integration/misc: add diagnostics to flaky test
  • deb6130 gopls/internal/golang: fix hover panic in raw strings with CRLF
  • 5f1186b gopls/internal/analysis/driverutil: remove unnecessary new imports
  • ff45494 go/analysis: expose GoMod etc. to Pass.Module
  • 62daff4 go/analysis/passes/inline: fix panic in inlineAlias with instantiated generic...
  • fcb6088 x/tools: delete obsolete code
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies label (Update to the dependencies) Mar 16, 2026
@github-actions github-actions Bot added the 🐹 golang label (Pull requests that update Go code) Mar 16, 2026
@Gno2D2 Gno2D2 added the review/triage-pending label (PRs opened by external contributors that are waiting for the 1st review) Mar 16, 2026

Gno2D2 commented Mar 16, 2026

🛠 PR Checks Summary

🔴 Pending initial approval by a review team member, or review from tech-staff

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🔴 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Automated Checks
Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🔴 Requirement not satisfied
└── 🔴 If
    ├── 🔴 Condition
    │   └── 🔴 Or
    │       ├── 🔴 At least one of these user(s) reviewed the pull request: [aronpark1007 davd-gzl jefft0 notJoon omarsy MikaelVallenet] (with state "APPROVED")
    │       ├── 🔴 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🔴 Else
        └── 🔴 And
            ├── 🟢 This label is applied to pull request: review/triage-pending
            └── 🔴 On no pull request

Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission

thehowl commented May 13, 2026

@dependabot recreate

Bumps the golang-x group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `golang.org/x/crypto` from 0.48.0 to 0.50.0
- [Commits](golang/crypto@v0.48.0...v0.50.0)

Updates `golang.org/x/mod` from 0.32.0 to 0.34.0
- [Commits](golang/mod@v0.32.0...v0.34.0)

Updates `golang.org/x/net` from 0.50.0 to 0.52.0
- [Commits](golang/net@v0.50.0...v0.52.0)

Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](golang/sync@v0.19.0...v0.20.0)

Updates `golang.org/x/term` from 0.40.0 to 0.42.0
- [Commits](golang/term@v0.40.0...v0.42.0)

Updates `golang.org/x/text` from 0.34.0 to 0.36.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.34.0...v0.36.0)

Updates `golang.org/x/tools` from 0.41.0 to 0.43.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.41.0...v0.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/mod
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/net
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/sync
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/text
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
- dependency-name: golang.org/x/tools
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot-go_modules-master-golang-x-e70c50f2d8 branch from 5aae546 to 28313b5 Compare May 13, 2026 16:23

codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

The `tidy_go_mods` job runs `make tidy`, commits the result, and pushes
it back to the dependabot PR's branch. After #5452 added
`persist-credentials: false` to the checkout step, the push step fails
with "could not read Username for 'https://github.com'" because the
`git-auto-commit-action` does a plain `git push` and relies on
credentials configured in the local repo by `actions/checkout`.

The job already requests `contents: write`; persisting credentials is
the intended behavior here.
thehowl added 2 commits May 18, 2026 21:40
The checkout step intentionally persists credentials so the
git-auto-commit-action below can push back to the dependabot PR. Mark
the artipacked finding as ignored so stricter zizmor personas don't
report it.
moul pushed a commit that referenced this pull request May 19, 2026
## Summary

The `tidy_go_mods` job in `.github/workflows/meta-dependabot-tidy.yml`
runs `make tidy` on dependabot PRs that touch `go.mod`/`go.sum`, then
uses `stefanzweifel/git-auto-commit-action` to commit and push the
result back to the PR branch.

Since #5452 added `persist-credentials: false` to the `actions/checkout`
step, every run of this job that produces changes fails at the push
step:

```
fatal: could not read Username for 'https://github.com': No such device or address
Error: Invalid status code: 128
```

The auto-commit action does a plain `git push` and relies on the
credentials persisted into `.git/config` by `actions/checkout`. With
`persist-credentials: false`, no credentials are available and the push
fails with exit code 128. The `GITHUB_TOKEN` env var passed to the step
is not consumed by recent versions of the action for HTTPS auth.

Example failure:
https://github.com/gnolang/gno/actions/runs/25812055587/job/76559999785
(PR #5292).

This fix flips `persist-credentials` back to `true` (the default) and
adds a comment explaining why. The job already requests `contents:
write`, so persisting the token is the intended behavior here.

zizmor passes on the default persona (the one CI runs). The auditor
persona flags this as `artipacked` (low confidence), but that persona is
not enabled in CI.

## Test plan

- [ ] Wait for the next dependabot bump touching `go.mod`/`go.sum` and
confirm the `tidy_go_mods` check passes.
- [x] Alternatively, rebase #5292 (or similar) onto this fix and observe
the job succeed.
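
A pre-push guard for the failure described in the commit message above, as an added example that is not part of the PR or the gno workflow. It checks the local git config for a persisted auth header, assuming the `http.<url>.extraheader` storage used by actions/checkout v4; the function names, the `example.invalid` URL and the dummy header value are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a checkout carries a persisted HTTP auth header.
# Assumption: the token is stored the way actions/checkout v4 stores it, as an
# http.<url>.extraheader entry in the repository's local git config.

# credential_state DIR -> prints "persisted" or "absent"
credential_state() {
    if git -C "$1" config --local --get-regexp '^http\..*\.extraheader$' \
        >/dev/null 2>&1; then
        echo persisted
    else
        echo absent
    fi
}

# require_push_credentials DIR -> returns 0 when a plain `git push` can
# authenticate; otherwise names the likely cause before the push step
# fails with "could not read Username" (exit code 128).
require_push_credentials() {
    if [ "$(credential_state "$1")" = persisted ]; then
        return 0
    fi
    echo "no persisted credentials in $1/.git/config;" \
         "was the checkout run with persist-credentials: false?" >&2
    return 1
}

# Constructed demo: a throwaway repository and a dummy header value.
demo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" >/dev/null 2>&1
    before=$(credential_state "$repo")
    git -C "$repo" config --local \
        'http.https://example.invalid/.extraheader' \
        'AUTHORIZATION: basic ZHVtbXk='
    after=$(credential_state "$repo")
    rm -rf "$repo"
    echo "$before -> $after"
}

demo
```

The same `credential_state` check can run before an artifact upload step, where a `persisted` result is the condition zizmor's `artipacked` audit warns about.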

Labels

  • 🚀 ci
  • dependencies (Update to the dependencies)
  • 🐹 golang (Pull requests that update Go code)
  • review/triage-pending (PRs opened by external contributors that are waiting for the 1st review)

2 participants