
GO RUNTIME MEMORY TRAP DOCUMENTED AS FREEZE APPROACHES

By RepoJournal · Filed · About Go

Image decoders can allocate memory proportional to untrusted headers before validating pixel data, a security footgun that just got official guidance.

The Go team documented a critical memory allocation pattern in image.Decode that catches developers off guard [1]. When decoding untrusted images, the function allocates buffers sized from the width and height in the image header before it has validated the actual pixel data, which creates a denial-of-service vector. The fix isn't in the code but in the docs: call image.DecodeConfig first to validate the header, since it reads only metadata and does not allocate the full pixel buffer [1]. This lands as the freeze tightens, with HTTP/3 tests now disabled ahead of the next release [2]. Compiler work continues in parallel: splitload type-preservation fixes on 386 and AMD64 ensure that pointers don't silently convert to integers [3]. On the tooling front, VS Code Go now adds follow-cursor support to package outlines with configurable sorting [4], while pkg.go.dev fixed a deployment issue where missing Go CLI binaries broke external link resolution [5]. The mobile team aligned Objective-C setter selectors with sanitized property names, keeping bindings consistent with Cocoa conventions [6].
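The DecodeConfig-before-Decode pattern from [1], worked through as an added example (this is not code from the Go project or its documentation). It assumes a caller-chosen pixel budget (`maxPixels`, here 4,000,000) and uses two constructed inputs: a real 8x8 PNG that should be accepted, and a PNG consisting only of the signature and an IHDR chunk that declares 100000x100000 pixels with no pixel data behind it, which is exactly the kind of header that would make a bare image.Decode allocate gigabytes. The function names `safeDecode`, `smallPNG` and `pngHeaderOnly` are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"

	// Blank imports register extra decoders with image.DecodeConfig / image.Decode.
	_ "image/gif"
	_ "image/jpeg"
)

// ErrTooLarge is returned when the header declares more pixels than the caller allows.
var ErrTooLarge = errors.New("image exceeds pixel budget")

// safeDecode reads only the header via image.DecodeConfig and rejects images whose
// declared dimensions exceed maxPixels before image.Decode allocates the pixel buffer.
// maxPixels is an assumed, caller-chosen budget; the Go docs prescribe no specific value.
func safeDecode(data []byte, maxPixels int64) (image.Image, string, error) {
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, "", fmt.Errorf("reading image header: %w", err)
	}
	w, h := int64(cfg.Width), int64(cfg.Height)
	if w <= 0 || h <= 0 {
		return nil, format, fmt.Errorf("invalid dimensions %dx%d", w, h)
	}
	// h > maxPixels/w is equivalent to w*h > maxPixels without risking int64 overflow.
	if w > maxPixels || h > maxPixels/w {
		return nil, format, fmt.Errorf("%w: %dx%d declared, budget %d pixels", ErrTooLarge, w, h, maxPixels)
	}
	// Header is within budget: a full decode is now safe to attempt.
	img, format, err := image.Decode(bytes.NewReader(data))
	if err != nil {
		return nil, format, fmt.Errorf("decoding %s: %w", format, err)
	}
	return img, format, nil
}

// smallPNG builds a constructed 8x8 RGBA PNG that should pass the budget check.
func smallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 8, 8))
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			img.Set(x, y, color.RGBA{uint8(x * 32), uint8(y * 32), 128, 255})
		}
	}
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// pngHeaderOnly builds a constructed PNG made of the signature and a single IHDR chunk
// declaring width x height, with no pixel data at all. It models an untrusted file whose
// header lies about its size; DecodeConfig parses it without allocating pixels.
func pngHeaderOnly(width, height uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 6 // colour type 6: truecolour with alpha (RGBA)
	// ihdr[10..12]: compression, filter and interlace methods are all 0.

	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	var length [4]byte
	binary.BigEndian.PutUint32(length[:], uint32(len(ihdr)))
	buf.Write(length[:])
	buf.WriteString("IHDR")
	buf.Write(ihdr)
	crc := crc32.NewIEEE() // PNG chunk CRC covers the type and data fields
	crc.Write([]byte("IHDR"))
	crc.Write(ihdr)
	var sum [4]byte
	binary.BigEndian.PutUint32(sum[:], crc.Sum32())
	buf.Write(sum[:])
	return buf.Bytes()
}

func main() {
	const budget = 4_000_000 // roughly 2000x2000; RGBA at 4 B/px is about 16 MiB

	img, format, err := safeDecode(smallPNG(), budget)
	fmt.Println("small:", format, img.Bounds(), err)

	// Header declares 100000x100000 (1e10 pixels, ~40 GiB as RGBA): rejected before Decode runs.
	_, _, err = safeDecode(pngHeaderOnly(100000, 100000), budget)
	fmt.Println("huge header:", err, "too large?", errors.Is(err, ErrTooLarge))
}
```

The budget check is done in int64 with a division rather than a multiplication so that a header on a 32-bit platform, or a hostile width and height pair, cannot wrap the comparison. Bytes arriving from the network should additionally be read through an io.LimitReader so the byte slice itself is bounded before DecodeConfig ever sees it.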

Action items

References

  [1] image, image/gif: document DecodeConfig before Decode for untrusted input (golang/go)
  [2] net/http: disable HTTP/3 tests prior to freeze (golang/go)
  [3] cmd/compile: preserve pointerness during splitload (golang/go)
  [4] extension: support follow cursor and sorting in package outline (golang/vscode-go)
  [5] internal/frontend: fall back to process env when go env fails (golang/pkgsite)
  [6] bind: align Objective-C setter selectors with sanitized property names (golang/mobile)

FAQ

What changed in Go on May 15, 2026?
Image decoders can allocate memory proportional to untrusted headers before validating pixel data, a security footgun that just got official guidance.
What should Go teams do about it?
  • Review image decode usage in your codebase; validate headers with DecodeConfig before Decode on untrusted input
  • Upgrade to the next Go release once HTTP/3 tests land; the freeze is now active
  • Update the VS Code Go extension to use the new package outline features
Which Go repositories shipped on May 15, 2026?
golang/go, golang/vscode-go, golang/pkgsite, golang/mobile

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.