RepoJournal
Go

@golang

Go and the standard library — backend infrastructure at scale

Pick a date

  1. Fri 1 may
  2. Sat 2 may
  3. Sun 3 may
  4. Tue 5 may
  5. Wed 6 may
  6. Thu 7 may
  7. Fri 8 may
  8. Sat 9 may
  9. Sun 10 may
  10. Mon 11 may
  11. Tue 12 may
  12. Wed 13 may
  13. Thu 14 may
  14. Fri 15 may
  15. Sat 16 may
  16. Sun 17 may
  17. Mon 18 may
  18. Tue 19 may
  19. Wed 20 may
  20. Thu 21 may
  21. Sat 23 may
  22. Tue 26 may
  23. Wed 27 may
  24. Thu 28 may
  25. Fri 29 may
  26. Sat 30 may
  27. Sun 31 may
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

GOPLS PATCHES CRITICAL NETWORK BINDING VULNERABILITY; JSON FORMAT ENTERS EXPERIMENTAL PHASE

By RepoJournal · Filed · About Go

gopls just closed a security gap that could have exposed your debug server to the network, while the standard library gates the new JSON format tag behind an experiment flag.

gopls removed its -port debugging flag [1], which could implicitly bind to INADDR_ANY and expose the language server to network traffic—a vulnerability now explicitly rejected. The flag is deprecated in favor of explicit host binding (localhost recommended) via -listen=address. Meanwhile, encoding/json/v2 now gates the format tag option behind GOEXPERIMENT=jsonformat [2], a breaking change that requires opt-in to use custom field formatting. On the tooling front, gopls gained embedlit modernizer analysis [3] and published six modernizers for public use [4], while the modernize analysis suite expands to catch more outdated patterns. The HTTP/2 implementation in golang/net now wraps the stdlib version when building with Go 1.27+ [5], shifting the source of truth entirely into the standard library. pkg.go.dev's CLI got a usability overhaul with automatic pagination [6] and environment-aware platform detection [7]. A race condition in QUIC's streamForFrame was fixed [8], and golang/geo patched two integer overflow bugs in polyline decoding [9].

Action items

References

  1. [1] gopls/internal/cmd: remove gopls -port=int debugging flag golang/tools
  2. [2] encoding/json/v2: support `format` tag option behind goexperiment golang/go
  3. [3] gopls/internal/settings: add embedlit analyzer golang/tools
  4. [4] go/analysis/passes/modernize: publish modernizers golang/tools
  5. [5] http2: enable net/http wrapping when go >= 1.27 golang/net
  6. [6] cmd/internal/pkgsite-cli: implement auto-pagination golang/pkgsite
  7. [7] cmd/internal/pkgsite-cli: remove -goos and -goarch flags and use go env golang/pkgsite
  8. [8] quic: fix data race in streamForFrame golang/net
  9. [9] add FuzzDecodePolyline. Fix 2 overflow bugs revealed by the test. (#270) golang/geo

FAQ

What changed in Go on May 6, 2026?
gopls just closed a security gap that could have exposed your debug server to the network, while the standard library gates the new JSON format tag behind an experiment flag.
What should Go teams do about it?
Upgrade gopls immediately if running debug servers exposed to networks • Review code using encoding/json custom formats; add GOEXPERIMENT=jsonformat if needed • Test HTTP/2 client/server behavior if upgrading to Go 1.27
Which Go repositories shipped on May 6, 2026?
golang/tools, golang/go, golang/net, golang/pkgsite, golang/geo

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.