The Wire · Showcase
HTTP/2 FLOW CONTROL VALIDATION HARDENS NET/HTTP, BUILD PIPELINE DROPS 1.19 COMPAT
By RepoJournal · Filed · About Go
Go's HTTP/2 implementation now validates server SETTINGS frames against stream flow limits, closing a potential vector for limit violations [ref:2].
The net/http/internal/http2 package received two significant updates that tighten correctness and clarity. First, the test harness was simplified by dropping the synctestTest helper and calling synctest.Test directly [1], consolidating test infrastructure and improving maintainability. More critically, SETTINGS frame handling now enforces validation that server-sent flow control limit adjustments don't cause open streams to exceed their bounds [2], fixing issue #80035. On the build side, the CI pipeline removed -compat=1.19 flags since the minimum supported version is now 1.26 [4], keeping build configuration aligned with reality. The stdlib also clarified WriteRune documentation to explicitly specify return values are in bytes, not runes [3], addressing subtle API ambiguity. pkg.go.dev patched OpenAPI validation errors [5] that were breaking client generation and incorrectly exposing unexported fields, while gopls integration across pkgsite is now modernized [6]. Six new vulnerability reports entered the database [7], and the Go security documentation now has a working redirect for the decisions page [8].
Action items
- → Review HTTP/2 SETTINGS handling if you manage proxies or load balancers using Go golang/go [monitor]
- → Update build configs to remove any remaining 1.19 compat flags if present golang/build [plan]
- → Check vulndb for the six new reports affecting your dependencies golang/vulndb [monitor]
References
- [1] net/http/internal/http2: call synctest.Test directly golang/go
- [2] net/http/internal/http2: verify SETTINGS from server against flow limits golang/go
- [3] bytes, strings: clarify WriteRune return values golang/go
- [4] internal/task: remove -compat=1.19 since minimum version is 1.26 golang/build
- [5] internal/api: fix OpenAPI validation errors golang/pkgsite
- [6] all: modernize with gopls golang/pkgsite
- [7] data/reports: add 6 reports golang/vulndb
- [8] Add redirect for security/decisions golang/website
FAQ
- What changed in Go on June 17, 2026?
- Go's HTTP/2 implementation now validates server SETTINGS frames against stream flow limits, closing a potential vector for limit violations .
- What should Go teams do about it?
- Review HTTP/2 SETTINGS handling if you manage proxies or load balancers using Go • Update build configs to remove any remaining 1.19 compat flags if present • Check vulndb for the six new reports affecting your dependencies
- Which Go repositories shipped on June 17, 2026?
- golang/go, golang/build, golang/pkgsite, golang/vulndb, golang/website