chore(deps): bump github.com/go-resty/resty/v2 from 2.16.5 to 2.17.2 #77

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/go-resty/resty/v2-2.17.2

dependabot bot commented on behalf of github Feb 16, 2026

Bumps github.com/go-resty/resty/v2 from 2.16.5 to 2.17.2.

Release notes

Sourced from github.com/go-resty/resty/v2's releases.

v2.17.2

Release Notes

Backport

Release

Full Changelog: go-resty/resty@v2.17.1...v2.17.2

v2.17.1

Release Notes

Bug Fixes

Full Changelog: go-resty/resty@v2.17.0...v2.17.1

v2.17.0

Release Notes

Bug Fixes

Backport

Release Updates

New Contributors

Full Changelog: go-resty/resty@v2.16.5...v2.17.0

Commits
  • b1b3aaa release: version bump to v2.17.2 and readme update (#1112)
  • fb4a091 backport: header deepcopy fix (#1110)
  • 52f3f39 Merge pull request #1079 from go-resty/fix-cnt-type-hdr-on-emptybody
  • 16e2701 release: v2.17.1 readme update
  • 203bf14 fix: content type request header on http.NoBody type #1074
  • 061e449 chore: version bump to v2.17.1
  • d4c3576 Merge pull request #1066 from go-resty/for-v2.17.0-release
  • 6452271 chore: update readme for release v2.17.0
  • 2eab959 ci: update go version 1.23.0
  • 795d6c2 chore: update go.mod package versions
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated dependencies to latest stable versions for improved stability and performance.

Bumps [github.com/go-resty/resty/v2](https://github.com/go-resty/resty) from 2.16.5 to 2.17.2.
- [Release notes](https://github.com/go-resty/resty/releases)
- [Commits](go-resty/resty@v2.16.5...v2.17.2)

---
updated-dependencies:
- dependency-name: github.com/go-resty/resty/v2
  dependency-version: 2.17.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies label (Pull requests that update a dependency file) Feb 16, 2026

dependabot bot commented on behalf of github Feb 16, 2026

Labels

The following labels could not be found: go. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

coderabbitai bot commented Feb 16, 2026

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'tools'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Walkthrough

Dependency versions in go.mod were updated: github.com/go-resty/resty/v2 upgraded from v2.16.5 to v2.17.2, and golang.org/x/net indirect dependency updated from v0.39.0 to v0.43.0. No functional or API changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Updates: go.mod | Updated go-resty/resty/v2 to v2.17.2 and golang.org/x/net to v0.43.0; no breaking API or functional changes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and specifically describes the main change: a dependency version bump of go-resty/resty/v2 from 2.16.5 to 2.17.2, which aligns with the changeset modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into master |

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 8: Update the indirect dependency golang.org/x/net in go.mod from v0.43.0
to v0.45.0 or later (preferably v0.50.0) to remediate CVE-2025-47911; run `go
get golang.org/x/net@v0.50.0` (or `@v0.45.0+`) and then `go mod tidy` to update
the module requirements and lockfile so the project uses the patched html.Parse
implementation.
- Line 4: The go.mod currently pulls github.com/go-resty/resty/v2 which brings
an indirect golang.org/x/net at v0.43.0 that has DoS vulnerabilities; add an
explicit require in go.mod for golang.org/x/net at v0.45.0 or later to override
the transitive version, then refresh the module graph (update dependencies and
run module tidy) and verify the resolved version of golang.org/x/net is >=
v0.45.0 (check the module graph/list) so the vulnerable transitive version is no
longer used.


require (
github.com/go-resty/resty/v2 v2.16.5
github.com/go-resty/resty/v2 v2.17.2
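Review bot: the `github.com/go-resty/resty/v2 v2.17.2` line crosses three upstream releases (v2.17.0, v2.17.1, v2.17.2), and the commit list in the PR description includes behavioural fixes, not only release housekeeping: fb4a091 "header deepcopy fix" and 203bf14 "content type request header on http.NoBody type". Run the client's request tests against v2.17.2 before merging rather than relying on the "no functional or API changes" summary, with attention to code that touches request headers after a request is built or that sends requests without a body.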

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

github.com/go-resty/resty/v2 v2.17.2 security advisories vulnerabilities

💡 Result:

For github.com/go-resty/resty/v2 v2.17.2, I only found one published direct security advisory for Resty:

  • CVE-2023-45286 / GHSA-xwh9-gc39-5298: race condition that can disclose HTTP request bodies across requests (notably when retries occur). Affected versions: >= 2.10.0 and < 2.11.0 (Snyk also notes >= 2.10.0-rc.1 and < 2.11.0). Patched in: 2.11.0.
    Therefore, v2.17.2 is not in the affected range. [1][2][3]

Sources: [1] GHSA-xwh9-gc39-5298, [2] https://pkg.go.dev/vuln/GO-2023-2328, [3] https://security.snyk.io/package/golang/github.com%2Fgo-resty%2Fresty%2Fv2


🌐 Web query:

golang.org/x/net v0.43.0 security advisories vulnerabilities

💡 Result:

For golang.org/x/net v0.43.0, the Go vulnerability database reports these known vulnerabilities that still affect that version (i.e., fixed only in later releases):

  • CVE-2025-58190 / GO-2026-4441: golang.org/x/net/html html.Parse* can enter an infinite parsing loop on certain inputs → DoS. Affected: < v0.45.0 (so v0.43.0 is affected). Fix: upgrade to v0.45.0+. [1]
  • CVE-2025-47911 / GO-2026-4440: golang.org/x/net/html html.Parse* can have quadratic parsing complexity on certain inputs → DoS. Affected: < v0.45.0 (so v0.43.0 is affected). Fix: upgrade to v0.45.0+. [2]

Notes (not affecting v0.43.0 because they were fixed earlier):

Sources: [1] [2] [3] [4]


🌐 Web query:

go-resty/resty v2.17.2 release notes changelog

💡 Result:

go-resty/resty v2.17.2 — release notes / changelog

Release date: Feb 14, 2026. [1]

What changed

  • Backport: “header deepcopy fix” — Resty now clones request headers when creating the underlying http.Request (i.e., r.RawRequest.Header = r.Header.Clone()), preventing unintended header sharing/mutation. [2]
  • Release maintenance: version bump to v2.17.2 and README update. [1]

Full changelog (compare)

  • v2.17.1...v2.17.2 [1]

Sources: GitHub release v2.17.2 [1], PR #1110 diff (“header deepcopy fix”) [2].


Update golang.org/x/net to v0.45.0 or later to address critical DoS vulnerabilities.

While resty v2.17.2 is safe (released Feb 14, 2026 with header handling fixes and no active security advisories), the indirect dependency update to golang.org/x/net v0.43.0 introduces two known DoS vulnerabilities:

  • CVE-2025-58190 / GO-2026-4441: infinite parsing loop in html.Parse* functions
  • CVE-2025-47911 / GO-2026-4440: quadratic parsing complexity in html.Parse* functions

Both vulnerabilities are fixed in golang.org/x/net v0.45.0 and later. Update the transitive dependency to v0.45.0+ to address these issues.

🤖 Prompt for AI Agents
In `@go.mod` at line 4, The go.mod currently pulls github.com/go-resty/resty/v2
which brings an indirect golang.org/x/net at v0.43.0 that has DoS
vulnerabilities; add an explicit require in go.mod for golang.org/x/net at
v0.45.0 or later to override the transitive version, then refresh the module
graph (update dependencies and run module tidy) and verify the resolved version
of golang.org/x/net is >= v0.45.0 (check the module graph/list) so the
vulnerable transitive version is no longer used.

)

require golang.org/x/net v0.39.0 // indirect
require golang.org/x/net v0.43.0 // indirect
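Review bot: on the `require golang.org/x/net v0.43.0 // indirect` line, the new version is still below v0.45.0, which the analysis in this thread gives as the fixed version for the html.Parse issues, so v0.43.0 should not be the final state if anything in the build parses untrusted HTML through golang.org/x/net/html. Suggest raising it here or in a follow-up with `go get golang.org/x/net@v0.45.0` (or later) and `go mod tidy`, and running govulncheck to see whether the affected functions are reachable at all, since this module is only an indirect requirement.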

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Check if golang.org/x/net v0.43.0 exists and get version info
echo "Checking golang.org/x/net v0.43.0 on Go module proxy..."
curl -s "https://proxy.golang.org/golang.org/x/net/@v/v0.43.0.info" 2>&1 | head -50

echo -e "\n\n--- Checking recent versions ---"
curl -s "https://proxy.golang.org/golang.org/x/net/@latest" 2>&1 | head -20
```

Repository: lokalise/go-lokalise-api

Length of output: 539


🌐 Web query:

golang.org/x/net v0.43.0 security vulnerabilities CVE

💡 Result:

golang.org/x/net v0.43.0 (released Aug 7, 2025) is affected by the following Go vulnerability/CVE:

  • CVE-2025-47911 (Go vuln: GO-2026-4440) — golang.org/x/net/html html.Parse (and related parse APIs) can exhibit quadratic parsing complexity, enabling DoS with crafted HTML input. Affected: before v0.45.0 → v0.43.0 is vulnerable. Fix: upgrade to v0.45.0+. [1][4]

Commonly-associated x/net CVEs that do not affect v0.43.0 (already fixed in earlier versions):

  • CVE-2025-22872 (GO-2025-3595) — affected before v0.38.0 → v0.43.0 not affected. [2]
  • CVE-2025-22870 (GO-2025-3503) — affected before v0.36.0 → v0.43.0 not affected. [3]

Upgrade golang.org/x/net to v0.45.0 or later to fix a DoS vulnerability.

golang.org/x/net v0.43.0 contains CVE-2025-47911 (GO-2026-4440), which causes quadratic parsing complexity in html.Parse, allowing denial-of-service attacks with crafted HTML input. Upgrade to v0.45.0 or later; v0.50.0 is the latest available version and recommended.

🤖 Prompt for AI Agents
In `@go.mod` at line 8, Update the indirect dependency golang.org/x/net in go.mod
from v0.43.0 to v0.45.0 or later (preferably v0.50.0) to remediate
CVE-2025-47911; run `go get golang.org/x/net@v0.50.0` (or `@v0.45.0+`) and then
`go mod tidy` to update the module requirements and lockfile so the project uses
the patched html.Parse implementation.
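
The verification step the review comments above ask for (confirm that the resolved golang.org/x/net is at or above v0.45.0), as an added example that is not part of this PR or of either bot's output. It reads the JSON stream that `go list -m -json all` prints; the embedded sample, the `example.com/app` module path and the function names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type module struct { // the `go list -m -json all` fields this check uses
	Path, Version string
	Replace       *module
}

// Constructed sample of `go list -m -json all` output; example.com/app is a placeholder.
const sample = `{"Path": "example.com/app", "Main": true}
{"Path": "github.com/go-resty/resty/v2", "Version": "v2.17.2"}
{"Path": "golang.org/x/net", "Version": "v0.43.0", "Indirect": true}`

// below compares vX.Y.Z triples (suffixes ignored, parts < 2^20 assumed); unparsable input counts as below.
func below(version, floor string) bool {
	var v, f [3]int64
	_, e1 := fmt.Sscanf(version, "v%d.%d.%d", &v[0], &v[1], &v[2])
	_, e2 := fmt.Sscanf(floor, "v%d.%d.%d", &f[0], &f[1], &f[2])
	return e1 != nil || e2 != nil || v[0]<<40|v[1]<<20|v[2] < f[0]<<40|f[1]<<20|f[2]
}

// belowFloor returns "path@version" for every listed module resolved below its floor.
func belowFloor(r io.Reader, floors map[string]string) (bad []string, err error) {
	dec := json.NewDecoder(r) // the output is a stream of objects, not an array
	for dec.More() {
		var m module
		if err = dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Replace != nil && m.Replace.Version != "" {
			m.Version = m.Replace.Version // a replace directive decides what is built
		}
		if floor, tracked := floors[m.Path]; tracked && below(m.Version, floor) {
			bad = append(bad, m.Path+"@"+m.Version)
		}
	}
	return bad, nil
}

func main() {
	// v0.45.0 is the fixed version quoted in the review comments on this PR.
	bad, err := belowFloor(strings.NewReader(sample), map[string]string{"golang.org/x/net": "v0.45.0"})
	fmt.Println(bad, err)
}
```

In CI, pipe the real `go list -m -json all` output into `belowFloor` in place of the sample and fail the job when the returned slice is non-empty.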
