fix(deps): update module golang.org/x/image to v0.41.0 [security] #284

Open

renovate[bot] wants to merge 1 commit into main from renovate/go-golang.org-x-image-vulnerability

Conversation

renovate[bot] (Contributor) commented Jul 4, 2026

This PR contains the following updates:

Package            | Change
-------------------|--------------------
golang.org/x/image | v0.38.0 -> v0.41.0

golang.org/x/image/tiff has excessive resource consumption in PackBits decompression

CVE-2026-46599 / GHSA-q675-qj96-32m9

Details

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
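As an added illustration of the bug class the advisory above describes, and not code taken from golang.org/x/image or from this repository: a PackBits decoder whose work is driven by the length of the compressed input beside one that stops once the strip it is filling has the expected number of bytes. The stream layout is the PackBits format used by TIFF Compression=32773 (header byte n: 0..127 copies the next n+1 bytes literally, -1..-127 repeats the next byte 1-n times, -128 is a no-op). The crafted input is constructed here for the demonstration, and the check x/image actually added in v0.41.0 is not reproduced, only the principle of bounding output by the image geometry rather than by the input.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutputTooLarge is returned when the PackBits stream would expand past
// the number of bytes the caller says the strip may hold.
var ErrOutputTooLarge = errors.New("packbits: decompressed data exceeds expected strip size")

// decodePackBits decodes a PackBits stream. limit is the number of bytes the
// strip is expected to hold (width * height * bytes-per-pixel for one strip).
// limit < 0 disables the bound and reproduces the unsafe behaviour: the
// amount of work is then controlled entirely by the attacker's input.
func decodePackBits(src []byte, limit int) ([]byte, error) {
	var dst []byte
	if limit >= 0 {
		dst = make([]byte, 0, limit)
	}
	for i := 0; i < len(src); {
		n := int(int8(src[i]))
		i++
		switch {
		case n == -128:
			// no-op header byte, skip it
			continue
		case n >= 0:
			// literal run: copy the next n+1 bytes verbatim
			count := n + 1
			if i+count > len(src) {
				return dst, errors.New("packbits: truncated literal run")
			}
			if limit >= 0 && len(dst)+count > limit {
				return dst, ErrOutputTooLarge
			}
			dst = append(dst, src[i:i+count]...)
			i += count
		default:
			// repeat run: the next byte repeated 1-n times (2..128)
			count := 1 - n
			if i >= len(src) {
				return dst, errors.New("packbits: truncated repeat run")
			}
			if limit >= 0 && len(dst)+count > limit {
				return dst, ErrOutputTooLarge
			}
			b := src[i]
			i++
			for k := 0; k < count; k++ {
				dst = append(dst, b)
			}
		}
		// Strip is full: stop here instead of decoding whatever trails it.
		if limit >= 0 && len(dst) == limit {
			return dst, nil
		}
	}
	return dst, nil
}

// craftedStrip builds a constructed, malicious PackBits stream: pairs repeat
// runs, each turning 2 input bytes into 128 output bytes (64x expansion).
func craftedStrip(pairs int) []byte {
	s := make([]byte, 0, 2*pairs)
	for i := 0; i < pairs; i++ {
		s = append(s, 0x81, 0xFF) // header -127: repeat 0xFF 128 times
	}
	return s
}

func main() {
	crafted := craftedStrip(1000) // 2000 bytes on the wire
	out, _ := decodePackBits(crafted, -1)
	fmt.Printf("unbounded: %d input bytes -> %d output bytes\n", len(crafted), len(out))

	// A 1x1 RGB image needs 3 bytes for its only strip.
	_, err := decodePackBits(crafted, 3)
	fmt.Println("bounded to 3 bytes:", err)
}
```

The bounded decoder does two things the unbounded one does not: it refuses a run that would overshoot the strip, and it returns as soon as the strip is full, so trailing bytes cost nothing. A more lenient decoder could clamp the overshooting run instead of erroring; either way the output and the CPU spent are tied to the declared image size, not to the input. For checking whether a codebase is actually exposed, govulncheck reports a finding only when the vulnerable function is reachable from the module's own code, which is the same question the review below answers by hand.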

renovate[bot] (Contributor, Author) commented Jul 4, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
golang.org/x/text v0.35.0 -> v0.37.0

github-actions[bot] (Contributor) commented Jul 4, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Security Fix (Primary change)

  • CVE-2026-46599 / GHSA-q675-qj96-32m9: TIFF decoder (golang.org/x/image/tiff) does not limit the amount of PackBits-compressed data it decompresses. A maliciously crafted image that is small in both pixel dimensions and encoded size can force the decoder to expand massive amounts of data, causing a Denial-of-Service. CVSS score: 7.5 (High). Fixed in v0.41.0 by adding a decompression size limit.

Indirect dependency bump

  • golang.org/x/text updated from v0.35.0 → v0.37.0 (transitive dependency of golang.org/x/image). No API changes relevant to this project.

Breaking changes

  • None identified. The draw package API is stable across v0.38.0–v0.41.0. All existing symbols (ApproxBiLinear, Src, Scale, etc.) remain unchanged.

🎯 Impact Scope Investigation

Package usage in this codebase

  • golang.org/x/image/draw is imported at internal/gat/gat.go:25
  • Used at internal/gat/gat.go:326 via draw.ApproxBiLinear.Scale(dst, dst.Bounds(), img, img.Bounds(), draw.Src, nil) for resizing images before Sixel encoding
  • No other sub-packages from golang.org/x/image are imported (notably, golang.org/x/image/tiff is not imported)

CVE exposure

  • The project is not directly exposed to CVE-2026-46599: it registers only image/gif, image/jpeg, and image/png decoders (standard library); the vulnerable golang.org/x/image/tiff decoder is never loaded. Updating is still correct hygiene.

Impact on other dependencies

  • The bump to golang.org/x/text v0.37.0 is a minor patch with no public API changes relevant to this codebase.
  • No other dependencies are affected.

💡 Recommended Actions

  • No code changes required. The draw package API is unchanged; existing call sites compile and behave identically.
  • Merge the PR as-is. The update resolves a publicly disclosed vulnerability (even though this project is not directly exposed) and carries zero migration cost.
  • Optionally, run go test ./... post-merge to confirm no regressions (standard due diligence).

Generated by koki-develop/claude-renovate-review
