chore(deps): update golang.org/x/crypto to v0.52.0 (#1027)

Updates `golang.org/x/crypto` from `v0.50.0` to `v0.52.0` (and `golang.org/x/net` from `v0.53.0` to `v0.54.0` as a transitive bump). ## Why `make security-check` (govulncheck) reported **7 vulnerabilities**, all in `golang.org/x/crypto/ssh` at `v0.50.0`, reachable through the git action cache fetch path (`act/runner/action_cache.go` → `git.Remote.FetchContext`): | ID | Issue | | --- | --- | | GO-2026-5013 | Byte arithmetic underflow/panic in `ssh` | | GO-2026-5015 | Server panic during `CheckHostKey`/`Authenticate` | | GO-2026-5017 | Client can cause server deadlock on unexpected responses | | GO-2026-5018 | Pathological RSA/DSA parameters may cause DoS | | GO-2026-5019 | Bypass of FIDO/U2F physical interaction | | GO-2026-5020 | Infinite loop on large channel writes | | GO-2026-5021 | Auth bypass via unenforced `@revoked` status in `knownhosts` | All are fixed in `v0.52.0`. Reviewed-on: https://gitea.com/gitea/runner/pulls/1027 Reviewed-by: techknowlogick <9+techknowlogick@noreply.gitea.com>
2026-06-13 13:24:23 +02:00 · 2026-06-11 16:55:01 +00:00
parent 822af5029f
commit 740a3d4db4
2 changed files with 8 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@@ -104,8 +104,8 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/crypto v0.52.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect