The Wire · Showcase
HTTP/2 TRAILER TRUNCATION BUG FIXED, HEADER LIMITS TIGHTENED ACROSS THE STACK
By RepoJournal · Filed · About Go
Go's HTTP/2 implementation was silently dropping trailer headers that exceeded limits instead of erroring, a behavior now corrected alongside new per-server header count controls.
The most critical fix lands in net/http/internal/http2 [1], where trailers exceeding MaxResponseHeaderBytes would vanish without warning. That's the kind of silent data loss that surfaces months later in production. Paired with this, net/http gains a new MaxHeaderValueCount setting [2] that lets you limit header quantity while keeping MaxHeaderBytes high for legitimate large headers like SSO cookies, a real pain point for OIDC-heavy deployments. Meanwhile, math/big patches an edge case in float formatting [3] where trailing-zero trimming could push the index past the mantissa bounds, and golang/sync hardens semaphore.Weighted to panic on negative weights [4] instead of silently corrupting internal state. The tools ecosystem saw goimports skip js/wasm test execution [6] to fix CI noise, and gopls regained semantic token backwards compatibility [7] with v0.11.0 clients. One revert [5] pulled a header timeout check for HTTP/2 to keep rc2 consistent with the minors branch until rc3.
Action items
- → Review HTTP/2 trailer handling in production services using net/http golang/go [plan]
- → Evaluate MaxHeaderValueCount for services with large cookie headers golang/go [monitor]
- → Test semaphore.Weighted edge cases if you accept untrusted weight inputs golang/sync [plan]
References
- [1] net/http/internal/http2: do not silently truncate large trailers golang/go
- [2] net/http: add Server.MaxHeaderValueCount setting golang/go
- [3] math/big: fix edge case float formatting golang/go
- [4] semaphore: panic on negative weights golang/sync
- [5] Revert "net/http: apply header timeout to server's unencrypted HTTP/2 check" golang/go
- [6] cmd/goimports: skip TestCmd on js/wasm golang/tools
- [7] gopls/internal/test: have semtok work with [email protected] golang/tools
FAQ
- What changed in Go on July 2, 2026?
- Go's HTTP/2 implementation was silently dropping trailer headers that exceeded limits instead of erroring, a behavior now corrected alongside new per-server header count controls.
- What should Go teams do about it?
- Review HTTP/2 trailer handling in production services using net/http • Evaluate MaxHeaderValueCount for services with large cookie headers • Test semaphore.Weighted edge cases if you accept untrusted weight inputs
- Which Go repositories shipped on July 2, 2026?
- golang/go, golang/sync, golang/tools