Skip to content

chore: update dependencies to fix security vulnerabilities#19

Merged
markwylde merged 4 commits intomainfrom
chore/update-dependencies
Dec 12, 2025
Merged

chore: update dependencies to fix security vulnerabilities#19
markwylde merged 4 commits intomainfrom
chore/update-dependencies

Conversation

@markwylde
Copy link
Member

@markwylde markwylde commented Dec 12, 2025

Summary

Updates all dependencies to their latest versions and fixes two moderate security vulnerabilities in golang.org/x/crypto/ssh.

Security Fixes

  • golang.org/x/crypto/ssh: Fixes unbounded memory consumption vulnerability
  • golang.org/x/crypto/ssh/agent: Fixes panic due to malformed messages

Dependency Updates

  • golang.org/x/crypto: v0.39.0 → v0.46.0
  • golang.org/x/net: v0.41.0 → v0.48.0
  • golang.org/x/sys: v0.33.0 → v0.39.0
  • golang.zx2c4.com/wireguard: 2023-02-23 → 2025-05-21
  • golang.zx2c4.com/wintun: 2021-11-04 → 2023-01-26

Breaking Changes Fixed

The wireguard package update included breaking changes to the tun.Device interface:

  • Added BatchSize() method to MemoryTUN
  • Updated Read() and Write() methods to support batch operations
  • Updated all test cases to use the new batch interface
  • Fixed format string security warnings in logger tests

Testing

  • ✅ All tests passing
  • ✅ Build successful
  • ✅ No breaking changes to public API

@markwylde
chore: update dependencies to fix security vulnerabilities
49f75b6 
Update golang.org/x/crypto from v0.39.0 to v0.46.0 to resolve:
- CVE for unbounded memory consumption in ssh
- CVE for panic in ssh/agent due to malformed messages

Also update related dependencies:
- golang.org/x/net: v0.41.0 -> v0.48.0
- golang.org/x/sys: v0.33.0 -> v0.39.0
- golang.zx2c4.com/wireguard: 2023-02-23 -> 2025-05-21
- golang.zx2c4.com/wintun: 2021-11-04 -> 2023-01-26
@markwylde
fix: update tun.Device implementation for wireguard compatibility
bf8226e 
Update MemoryTUN to implement the new batch-based tun.Device interface
required by wireguard v0.0.0-20250521234502:
- Add BatchSize() method returning 1
- Update Read() to use batch interface ([][]byte, []int)
- Update Write() to support batch operations
- Update all test cases to use new batch interface
@markwylde
fix: resolve format string security warnings in logger tests
6d937a2 
Add format specifiers to logger test calls to resolve:
- non-constant format string in call to log()
- non-constant format string in call to Infof()
@markwylde
fix: add timeout to DialWireGuard test to prevent hanging
b2f4da0 
The TestTunnel_DialWireGuard test was hanging in CI when attempting
to connect to unknown IPs. Added a 2-second timeout context to prevent
indefinite hanging on connection attempts.
@markwylde markwylde merged commit 2a90f96 into main Dec 12, 2025
3 checks passed
@markwylde markwylde deleted the chore/update-dependencies branch December 12, 2025 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@markwylde