fix(deps): update module golang.org/x/net to v0.36.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
golang.org/x/net	v0.23.0 -> v0.36.0

GitHub Vulnerability Alerts

CVE-2025-22870

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

---

Non-linear parsing of case-insensitive content in golang.org/x/net/html

CVE-2024-45338 / GHSA-w32m-9786-jp63 / GO-2024-3333

More information

Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Severity

Unknown

References

• https://go.dev/cl/637536
• https://go.dev/issue/70906
• https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-22870
• https://go-review.googlesource.com/q/project:net
• https://go.dev/cl/654697
• https://go.dev/issue/71984
• https://pkg.go.dev/vuln/GO-2025-3503
• http://www.openwall.com/lists/oss-security/2025/03/07/2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

• https://go.dev/cl/654697
• https://go.dev/issue/71984

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.19 -> 1.24.1
golang.org/x/crypto	v0.21.0 -> v0.35.0
golang.org/x/sync	v0.1.0 -> v0.11.0
golang.org/x/sys	v0.18.0 -> v0.30.0
golang.org/x/text	v0.14.0 -> v0.22.0

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
golang/golang.org/x/[email protected] ➜ v0.35.0	None	0	4.18 MB
golang/golang.org/x/[email protected] ➜ v0.36.0	None	0	6.63 MB
golang/golang.org/x/[email protected] ➜ v0.11.0	None	0	60.3 kB

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫
Native code	golang/golang.org/x/[email protected]	Location: Package overview	🚫

View full report↗︎

Next steps

Why is native code a concern?

Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior.

Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore golang/golang.org/x/[email protected]
• @SocketSecurity ignore golang/golang.org/x/[email protected]