fix(deps): upgrade golang.org/x/crypto to v0.45.0 (#131)

nexus49 · web-flow · commit c03d1f2b71aa · 2026-01-30T10:17:13.000+01:00
* fix(deps): upgrade golang.org/x/crypto to v0.45.0 Addresses GitHub security advisories: - golang.org/x/crypto/ssh/agent panic on malformed messages - golang.org/x/crypto/ssh unbounded memory consumption Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com> On-behalf-of: @SAP <bastian.echterhoelter@sap.com> * test: fix flaky TestWatchSingleFile_RealFile test - Increase initial wait from 30ms to 100ms for watcher setup - Use polling with retry logic instead of fixed sleep - Modernize for loops using range over int syntax Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com> On-behalf-of: @SAP <bastian.echterhoelter@sap.com> --------- Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
diff --git a/common/watcher/watcher_test.go b/common/watcher/watcher_test.go
@@ -388,23 +388,33 @@ func TestWatchSingleFile_RealFile(t *testing.T) {
 		watchDone <- watcher.WatchSingleFile(ctx, tempFile, 50) // 50ms debounce
 	}()
 
-	// Give the watcher time to start
-	time.Sleep(30 * time.Millisecond)
+	// Give the watcher time to start (longer delay for CI stability)
+	time.Sleep(100 * time.Millisecond)
 
 	// Modify the file to trigger an event
 	err = os.WriteFile(tempFile, []byte("modified"), 0644)
 	require.NoError(t, err)
 
-	// Give time for file change to be detected and debounced
-	time.Sleep(150 * time.Millisecond) // 50ms debounce + extra buffer
+	// Wait for file change to be detected with retry logic (more robust than fixed sleep)
+	detected := false
+	for range 30 { // Check for up to 600ms (30 * 20ms)
+		if len(handler.OnFileChangedCalls) > 0 {
+			detected = true
+			break
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+
+	// Cancel context to stop watcher gracefully
+	cancel()
 
-	// Wait for watch to finish (should timeout after remaining time)
+	// Wait for watch to finish
 	err = <-watchDone
-	assert.NoError(t, err) // Graceful termination (timeout) is not an error
+	assert.NoError(t, err) // Graceful termination is not an error
 
 	// Check that file change was detected
-	assert.True(t, len(handler.OnFileChangedCalls) >= 1, "Expected at least 1 file change call")
-	if len(handler.OnFileChangedCalls) > 0 {
+	assert.True(t, detected, "Expected at least 1 file change call")
+	if detected {
 		assert.Equal(t, tempFile, handler.OnFileChangedCalls[0])
 	}
 }
@@ -457,7 +467,7 @@ func TestWatchDirectory_RealDirectory(t *testing.T) {
 
 	// Wait for file change to be detected with retry logic
 	detected := false
-	for i := 0; i < 20; i++ { // Check for up to 400ms (20 * 20ms)
+	for range 20 { // Check for up to 400ms (20 * 20ms)
 		if len(handler.OnFileChangedCalls) > 0 {
 			detected = true
 			break
@@ -655,7 +665,7 @@ func TestWatchSingleFile_WithDebounceTimer(t *testing.T) {
 	time.Sleep(50 * time.Millisecond)
 
 	// Rapidly modify the file multiple times to test debounce timer cancellation
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		err = os.WriteFile(tempFile, []byte("modified"+string(rune(i))), 0644)
 		require.NoError(t, err)
 		time.Sleep(20 * time.Millisecond) // Less than debounce time
diff --git a/go.mod b/go.mod
@@ -107,13 +107,13 @@ require (
 	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.31.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
diff --git a/go.sum b/go.sum
@@ -241,8 +241,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -251,8 +251,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
 golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -266,10 +266,10 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
