
chore: update dependencies to fix security vulnerabilities#19

Merged
markwylde merged 4 commits into main from chore/update-dependencies on Dec 12, 2025

Conversation

@markwylde (Member)

Summary

Updates all dependencies to their latest versions and fixes two moderate security vulnerabilities in golang.org/x/crypto/ssh.

Security Fixes

  • golang.org/x/crypto/ssh: Fixes unbounded memory consumption vulnerability
  • golang.org/x/crypto/ssh/agent: Fixes panic due to malformed messages

Dependency Updates

  • golang.org/x/crypto: v0.39.0 → v0.46.0
  • golang.org/x/net: v0.41.0 → v0.48.0
  • golang.org/x/sys: v0.33.0 → v0.39.0
  • golang.zx2c4.com/wireguard: 2023-02-23 → 2025-05-21
  • golang.zx2c4.com/wintun: 2021-11-04 → 2023-01-26

Breaking Changes Fixed

The wireguard package update included breaking changes to the tun.Device interface:

  • Added BatchSize() method to MemoryTUN
  • Updated Read() and Write() methods to support batch operations
  • Updated all test cases to use the new batch interface
  • Fixed format string security warnings in logger tests

Testing

  • ✅ All tests passing
  • ✅ Build successful
  • ✅ No breaking changes to public API
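The batch-style tun.Device shape that the "Breaking Changes Fixed" section describes, worked through as an added Go example; this is not the project's MemoryTUN and not wireguard-go's code. It declares a local Device interface assumed to mirror the post-2023 golang.zx2c4.com/wireguard/tun.Device method set (so it compiles without the module; verify the signatures against the vendored version), implements an in-memory device whose BatchSize() is 1, and covers the two failure modes a batch Read has to handle: a packet that does not fit in the caller's buffer after the offset, and reads after Close. Every type, field and helper name below is an assumption for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"sync"
)

// Event stands in for wireguard-go's tun.Event (assumption: an int flag type).
type Event int
const EventUp Event = 1

// Device is a local copy of the batch-style golang.zx2c4.com/wireguard/tun.Device
// method set (assumption: check it against the vendored wireguard-go version).
type Device interface {
	File() *os.File
	Read(bufs [][]byte, sizes []int, offset int) (int, error) // one packet per bufs element
	Write(bufs [][]byte, offset int) (int, error)
	MTU() (int, error)
	Name() (string, error)
	Events() <-chan Event
	Close() error
	BatchSize() int
}

// MemoryTUN is an in-memory Device for tests (example code, not the project's own
// type): packets pushed onto Inbound come back from Read, Write lands on Outbound.
type MemoryTUN struct {
	Inbound, Outbound chan []byte
	events            chan Event
	mtu               int
	closed            chan struct{}
	once              sync.Once
}

func NewMemoryTUN(mtu int) *MemoryTUN {
	t := &MemoryTUN{Inbound: make(chan []byte, 64), Outbound: make(chan []byte, 64),
		events: make(chan Event, 1), mtu: mtu, closed: make(chan struct{})}
	t.events <- EventUp // a real tun emits this once the interface is up
	return t
}

// BatchSize returns 1, the smallest legal batch; callers size bufs and sizes from it.
func (t *MemoryTUN) BatchSize() int { return 1 }
// Read delivers one packet into bufs[0][offset:], sets sizes[0] and returns 1 (or 0, err).
func (t *MemoryTUN) Read(bufs [][]byte, sizes []int, offset int) (int, error) {
	if len(bufs) == 0 || len(sizes) < len(bufs) {
		return 0, errors.New("memorytun: need len(bufs) > 0 and len(sizes) >= len(bufs)")
	}
	select {
	case <-t.closed:
		return 0, os.ErrClosed
	case pkt := <-t.Inbound:
		if offset > len(bufs[0]) || len(pkt) > len(bufs[0])-offset {
			return 0, io.ErrShortBuffer // drop rather than hand back a truncated packet
		}
		sizes[0] = copy(bufs[0][offset:], pkt)
		return 1, nil
	}
}

// Write copies each packet (bufs[i][offset:]) onto Outbound and returns how many it took.
func (t *MemoryTUN) Write(bufs [][]byte, offset int) (int, error) {
	for i, b := range bufs {
		select {
		case <-t.closed:
			return i, os.ErrClosed
		case t.Outbound <- append([]byte(nil), b[offset:]...): // copy: caller reuses b
		}
	}
	return len(bufs), nil
}

func (t *MemoryTUN) File() *os.File        { return nil }
func (t *MemoryTUN) MTU() (int, error)     { return t.mtu, nil }
func (t *MemoryTUN) Name() (string, error) { return "memtun0", nil }
func (t *MemoryTUN) Events() <-chan Event  { return t.events }
func (t *MemoryTUN) Close() error          { t.once.Do(func() { close(t.closed); close(t.events) }); return nil }
var _ Device = (*MemoryTUN)(nil) // compile-time proof that the batch interface is satisfied

// RoundTrip pushes pkt in and reads it back the way a batch-aware caller does:
// bufs and sizes sized from BatchSize(), every buffer offset+MTU bytes long.
func RoundTrip(t *MemoryTUN, pkt []byte, offset int) ([]byte, error) {
	t.Inbound <- pkt
	bufs, sizes := make([][]byte, t.BatchSize()), make([]int, t.BatchSize())
	for i := range bufs {
		bufs[i] = make([]byte, offset+t.mtu)
	}
	if _, err := t.Read(bufs, sizes, offset); err != nil {
		return nil, err
	}
	return bufs[0][offset : offset+sizes[0]], nil
}

func main() {
	d := NewMemoryTUN(1420)
	fmt.Println(RoundTrip(d, []byte{0x45, 0x00, 0x00, 0x14}, 16))
}
```

Two choices worth noting for anyone porting a pre-batch MemoryTUN: the sizes slice is checked against bufs before anything is consumed, because the batch API indexes sizes[i] for every packet and a short slice panics inside the WireGuard read loop rather than in the test; and an oversized packet is dropped with io.ErrShortBuffer instead of being truncated, since a cut IP packet would be passed on to the stack as if it were valid.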

Update golang.org/x/crypto from v0.39.0 to v0.46.0 to resolve:
- CVE for unbounded memory consumption in ssh
- CVE for panic in ssh/agent due to malformed messages

Also update related dependencies:
- golang.org/x/net: v0.41.0 -> v0.48.0
- golang.org/x/sys: v0.33.0 -> v0.39.0
- golang.zx2c4.com/wireguard: 2023-02-23 -> 2025-05-21
- golang.zx2c4.com/wintun: 2021-11-04 -> 2023-01-26

Update MemoryTUN to implement the new batch-based tun.Device interface
required by wireguard v0.0.0-20250521234502:
- Add BatchSize() method returning 1
- Update Read() to use batch interface ([][]byte, []int)
- Update Write() to support batch operations
- Update all test cases to use new batch interface

Add format specifiers to logger test calls to resolve:
- non-constant format string in call to log()
- non-constant format string in call to Infof()

The TestTunnel_DialWireGuard test was hanging in CI when attempting
to connect to unknown IPs. Added a 2-second timeout context to prevent
indefinite hanging on connection attempts.
@markwylde markwylde merged commit 2a90f96 into main Dec 12, 2025
3 checks passed
@markwylde markwylde deleted the chore/update-dependencies branch December 12, 2025 23:20
