RepoJournal
Go

@golang

Go and the standard library — backend infrastructure at scale

Pick a date

The Wire · Showcase

HTTP/2 FLOW CONTROL VALIDATION HARDENS NET/HTTP, BUILD PIPELINE DROPS 1.19 COMPAT

By RepoJournal · Filed · About Go

Go's HTTP/2 implementation now validates server SETTINGS frames against stream flow limits, closing a potential vector for limit violations [ref:2].

The net/http/internal/http2 package received two significant updates that tighten correctness and clarity. First, the test harness was simplified by dropping the synctestTest helper and calling synctest.Test directly [1], consolidating test infrastructure and improving maintainability. More critically, SETTINGS frame handling now enforces validation that server-sent flow control limit adjustments don't cause open streams to exceed their bounds [2], fixing issue #80035. On the build side, the CI pipeline removed -compat=1.19 flags since the minimum supported version is now 1.26 [4], keeping build configuration aligned with reality. The stdlib also clarified WriteRune documentation to explicitly specify return values are in bytes, not runes [3], addressing subtle API ambiguity. pkg.go.dev patched OpenAPI validation errors [5] that were breaking client generation and incorrectly exposing unexported fields, while gopls integration across pkgsite is now modernized [6]. Six new vulnerability reports entered the database [7], and the Go security documentation now has a working redirect for the decisions page [8].

Action items

References

  1. [1] net/http/internal/http2: call synctest.Test directly golang/go
  2. [2] net/http/internal/http2: verify SETTINGS from server against flow limits golang/go
  3. [3] bytes, strings: clarify WriteRune return values golang/go
  4. [4] internal/task: remove -compat=1.19 since minimum version is 1.26 golang/build
  5. [5] internal/api: fix OpenAPI validation errors golang/pkgsite
  6. [6] all: modernize with gopls golang/pkgsite
  7. [7] data/reports: add 6 reports golang/vulndb
  8. [8] Add redirect for security/decisions golang/website

FAQ

What changed in Go on June 17, 2026?
Go's HTTP/2 implementation now validates server SETTINGS frames against stream flow limits, closing a potential vector for limit violations .
What should Go teams do about it?
Review HTTP/2 SETTINGS handling if you manage proxies or load balancers using Go • Update build configs to remove any remaining 1.19 compat flags if present • Check vulndb for the six new reports affecting your dependencies
Which Go repositories shipped on June 17, 2026?
golang/go, golang/build, golang/pkgsite, golang/vulndb, golang/website

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.