fix(deps): bump golang.org/x/net to v0.55.0 for GO-2026-5026

[kanywst]

Summary

• govulncheck flagged GO-2026-5026 (idna fails to reject ASCII-only Punycode-encoded labels) on golang.org/x/net@v0.53.0, reached from internal/server/identity/step_ca.go:311 via http.Client.Do → idna.ToASCII. Fixed in v0.55.0.
• Bumps golang.org/x/net v0.53.0 → v0.55.0 and the sibling x/crypto / x/sys / x/term / x/text modules to versions go mod tidy selected.
• Unblocks the govulncheck CI check on chore(deps): bump the go-minor-and-patch group with 2 updates #66 and chore(deps): bump the npm-minor-and-patch group across 1 directory with 5 updates #67 — both dependabot PRs fail with the same finding because the vuln DB picked it up after their initial runs.

Test plan

• go build ./... clean locally
• govulncheck ./... locally: "Your code is affected by 0 vulnerabilities"
• CI govulncheck job green
• After merge: rebase chore(deps): bump the go-minor-and-patch group with 2 updates #66 and chore(deps): bump the npm-minor-and-patch group across 1 directory with 5 updates #67 (or wait for dependabot rerun) and confirm green

Summary by CodeRabbit

Chores

• Updated Go module dependencies to newer versions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d367515-e84d-4927-989c-c1097a7d69d3

📥 Commits

Reviewing files that changed from the base of the PR and between 9f3bd8b and e1be1a8.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

---

📝 Walkthrough

Walkthrough

Go module dependencies for golang.org/x packages are updated to newer versions. Direct dependency golang.org/x/sys is bumped to v0.45.0, and indirect dependencies golang.org/x/crypto, golang.org/x/net, golang.org/x/term, and golang.org/x/text are updated to their respective newer patch versions.

Changes

Golang.org/x dependency version updates

Layer / File(s)	Summary
golang.org/x module versions go.mod	Direct dependency golang.org/x/sys is updated from v0.44.0 to v0.45.0. Indirect dependencies are bumped: golang.org/x/crypto v0.50.0 → v0.51.0, golang.org/x/net v0.53.0 → v0.55.0, golang.org/x/term v0.42.0 → v0.43.0, and golang.org/x/text v0.36.0 → v0.37.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 In go.mod lands so wide and free,
Where versions dance like carrot spree,
The x-ray modules now shine bright,
From sys to text, all patched just right!
A bump, a hop, the deps align—
Dependency bliss, oh so fine! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately identifies the main change: bumping golang.org/x/net to v0.55.0 and references the specific vulnerability being fixed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/x-net-go-2026-5026

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates several Go dependencies in go.mod and go.sum, including golang.org/x/sys, golang.org/x/crypto, golang.org/x/net, golang.org/x/term, golang.org/x/text, golang.org/x/tools, and golang.org/x/mod to their latest minor/patch versions. I have no feedback to provide as there are no issues identified in these dependency updates.