
Security: v2.22.0 ships vulnerable golang.org/x/crypto (0.51.0) and golang.org/x/net (0.54.0) — please bump and release #2609

@scobbe

Description

Summary

The latest release v2.22.0 (and current main, which is at the v2.22.0 release commit) pins versions of golang.org/x/crypto and golang.org/x/net that have known security advisories. Because these are compiled into the published binary, downstream users pulling gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.22.0 / :2.22.0-alpine inherit the findings, and there is no released image that resolves them yet. Requesting a dependency bump + patch release.

Affected dependencies (from go.mod @ v2.22.0)

| Dependency | Pinned | Fixed in | Example advisory |
|---|---|---|---|
| golang.org/x/crypto | v0.51.0 | v0.52.0 | CVE-2026-46595 (authorization bypass; 13 advisories total) |
| golang.org/x/net | v0.54.0 | v0.55.0 | CVE-2026-39821 (DoS) |

Both are // indirect, but they end up in the published binary, so dependency/binary scanners (govulncheck, Trivy, Aikido, etc.) flag the released images as Critical.

Request

  • Bump golang.org/x/crypto to >= v0.52.0 and golang.org/x/net to >= v0.55.0
  • Cut a release so the published gcr.io/cloud-sql-connectors/cloud-sql-proxy images pick up the fixes

Notes / related

Environment

  • cloud-sql-proxy v2.22.0 (alpine variant), image gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.22.0-alpine, deployed as a Cloud SQL Auth Proxy sidecar.
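The practical check behind this report is whether the versions pinned in go.mod (indirect or not) are the ones compiled into the shipped binary, and whether they sit below the fixed versions in the table above. The script below is an added example, not code from the issue or the cloud-sql-proxy project: it parses either a go.mod `require` section or the output of `go version -m <binary>` into a module/version map, then compares the two x/ modules against the "Fixed in" column. The go.mod excerpt and the `go version -m` excerpt embedded in it are constructed samples (placeholder module path and checksums), and the version ordering treats any `-` suffix, including pseudo-versions, as a pre-release of the base version.

```python
"""Flag Go modules pinned below a known fixed version.

Added example (not the project's own tooling). Inputs are constructed samples;
for a real check, feed `go version -m /path/to/cloud-sql-proxy` on stdin.
"""
import sys

# Minimum fixed versions, taken from the advisory table in the issue.
FIXED_IN = {
    "golang.org/x/crypto": "v0.52.0",
    "golang.org/x/net": "v0.55.0",
}

# Constructed go.mod excerpt (placeholder module path, not the real project file).
SAMPLE_GO_MOD = """\
module example.com/placeholder/app

go 1.24

require (
\tgolang.org/x/crypto v0.51.0 // indirect
\tgolang.org/x/net v0.54.0 // indirect
)
require golang.org/x/text v0.30.0 // indirect
"""

# Constructed `go version -m <binary>` excerpt; checksums are placeholders.
SAMPLE_GO_VERSION_M = """\
cloud-sql-proxy: go1.24.0
\tpath\texample.com/placeholder/app
\tmod\texample.com/placeholder/app\t(devel)
\tdep\tgolang.org/x/crypto\tv0.51.0\th1:PLACEHOLDERSUM=
\tdep\tgolang.org/x/net\tv0.54.0\th1:PLACEHOLDERSUM=
\tbuild\t-buildmode=exe
"""


def parse_version(v: str) -> tuple:
    """Turn 'v0.51.0' (optionally with -pre or +meta) into a sortable tuple.

    Assumption: anything after '-' (rc tags, pseudo-versions) ranks below the
    bare release of the same major.minor.patch, as in semver ordering.
    """
    core, _, pre = v.lstrip("v").partition("-")
    core = core.split("+", 1)[0]
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))          # pad 'v0.52' to (0, 52, 0)
    return nums + ((-1,) if pre else (0,))


def parse_go_mod(text: str) -> dict:
    """Collect module -> version from single-line and block `require` directives."""
    versions, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop comments such as '// indirect'
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        fields = line.split()
        if line.startswith("require ") and len(fields) == 3:
            versions[fields[1]] = fields[2]
        elif in_block and len(fields) == 2:
            versions[fields[0]] = fields[1]
    return versions


def parse_go_version_m(text: str) -> dict:
    """Collect module -> version from the tab-separated 'dep' lines of `go version -m`."""
    versions = {}
    for raw in text.splitlines():
        fields = raw.split("\t")
        if len(fields) >= 4 and fields[1] == "dep":
            versions[fields[2]] = fields[3]
    return versions


def find_below_fixed(versions: dict, fixed_in: dict = FIXED_IN) -> list:
    """Return (module, pinned, fixed_in) for every module pinned below its fix."""
    hits = []
    for module, fixed in fixed_in.items():
        pinned = versions.get(module)
        if pinned is not None and parse_version(pinned) < parse_version(fixed):
            hits.append((module, pinned, fixed))
    return sorted(hits)


def report(label: str, hits: list) -> None:
    if not hits:
        print(f"{label}: all tracked modules at or above fixed versions")
    for module, pinned, fixed in hits:
        print(f"{label}: {module} pinned {pinned}, fixed in {fixed}")


if __name__ == "__main__":
    if not sys.stdin.isatty():
        report("binary", find_below_fixed(parse_go_version_m(sys.stdin.read())))
    else:
        report("go.mod sample", find_below_fixed(parse_go_mod(SAMPLE_GO_MOD)))
        report("binary sample", find_below_fixed(parse_go_version_m(SAMPLE_GO_VERSION_M)))
```

Checking the binary rather than go.mod matters here because the two modules are marked `// indirect`: `go version -m` reports what was actually linked, which is what image scanners see.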
