GOPLS CRASHES ON MALFORMED CACHE, CRYPTO HARDENS SSH AGAINST HOSTILE PEERS

By RepoJournal · Filed · About Go

The gopls language server has a mystery crash in its frob decoder that defenders are now treating as a hardware fault scenario, while the crypto team closes two SSH attack surfaces that silently drain memory and corrupt terminal output.

gopls is getting defensive. A "surplus bytes" error in frob decoding [1] that should be theoretically impossible is now being handled with explicit assertions and fallbacks, because field reports suggest it's happening anyway. That same cache rewrite is getting a stability pass across the board: a flaky module index initialization bug [2] is being fixed with explicit synchronization, the semantic token benchmarks are no longer panicking [3], and dead gob encoding code is being removed [4]. The vulncheck action parsing was also shadowed into invisibility [5], now fixed.

On the crypto side, SSH agent forwarders are leaking 2 MiB per channel [6] because they ignore stderr stream data, letting receive windows go unreplenished. More critically, malicious SSH peers can send control characters and escape sequences in disconnect messages [7], which now get sanitized and escaped before display.

The image library is also clarifying its threat model [8]: malicious images are defended against, but malicious fonts are not.
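The disconnect-message hardening in [7] comes down to treating peer-supplied text as untrusted before it reaches a terminal or log. The following is an added example, not the golang/crypto code: `SanitizeForDisplay` and `maxDisplayLen` are hypothetical names, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxDisplayLen caps how much peer-supplied text is shown (assumed limit).
const maxDisplayLen = 256

// SanitizeForDisplay is a hypothetical helper: it rewrites an untrusted
// peer string so that printing it cannot drive the terminal or forge lines.
func SanitizeForDisplay(msg string) string {
	var b strings.Builder
	for i := 0; i < len(msg); {
		if b.Len() >= maxDisplayLen {
			b.WriteString("...[truncated]")
			break
		}
		r, size := utf8.DecodeRuneInString(msg[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			// Invalid UTF-8 byte: show it as hex instead of passing it through.
			fmt.Fprintf(&b, "\\x%02x", msg[i])
		case r == '\\':
			// Escape the escape character so the output stays unambiguous.
			b.WriteString(`\\`)
		case unicode.IsControl(r):
			// C0 controls (ESC, CR, LF, BS, ...), DEL and C1 controls.
			fmt.Fprintf(&b, "\\x%02x", r)
		case !unicode.IsPrint(r):
			// Format characters (bidi overrides, zero-width) and odd spaces.
			fmt.Fprintf(&b, "\\u{%x}", r)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

func main() {
	// Constructed sample: screen-clearing escapes, a forged log line, a bidi override.
	hostile := "bye\x1b[2J\x1b[H\r\n2026-01-01 login ok user=root\u202e"
	fmt.Println("peer disconnected:", SanitizeForDisplay(hostile))
}
```

The same helper fits any string a remote peer controls, such as banners or error text, at the point where it is logged or printed.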

References

  [1] gopls: two mitigations for "surplus bytes" crash (golang/tools)
  [2] gopls/test/integration/mist: Fix flaky test (golang/tools)
  [3] gopls/internal/test: address out of bounds panic in BenchmarkSemanticTokens (golang/tools)
  [4] gopls/internal/cache: delete dead (gob) code (golang/tools)
  [5] gopls/internal/server: fix parsing vulncheck action (golang/tools)
  [6] ssh/agent: drain channel stderr in agent forwarders (golang/crypto)
  [7] ssh: sanitize client disconnect messages (golang/crypto)
  [8] font: document (lack of) security hardening in font packages (golang/image)

FAQ

What changed in Go on June 30, 2026?
The gopls language server has a mystery crash in its frob decoder that defenders are now treating as a hardware fault scenario, while the crypto team closes two SSH attack surfaces that silently drain memory and corrupt terminal output.
What should Go teams do about it?
  • Pull golang/tools with the gopls cache fixes before your next build, especially if you have flaky test reports
  • Update golang/crypto immediately if you use SSH agent forwarding; the 2 MiB leak per channel can degrade production systems under sustained connections
  • Review golang/image font usage; document any assumptions about font source trust in your codebase
Which Go repositories shipped on June 30, 2026?
golang/tools, golang/crypto, golang/image
