RepoJournal
Go

@golang

Go and the standard library — backend infrastructure at scale

Pick a date

The Wire · Showcase

HTTP/2 TRAILER TRUNCATION BUG FIXED, HEADER LIMITS TIGHTENED ACROSS THE STACK

By RepoJournal · Filed · About Go

Go's HTTP/2 implementation was silently dropping trailer headers that exceeded limits instead of erroring, a behavior now corrected alongside new per-server header count controls.

The most critical fix lands in net/http/internal/http2 [1], where trailers exceeding MaxResponseHeaderBytes would vanish without warning. That's the kind of silent data loss that surfaces months later in production. Paired with this, net/http gains a new MaxHeaderValueCount setting [2] that lets you limit header quantity while keeping MaxHeaderBytes high for legitimate large headers like SSO cookies, a real pain point for OIDC-heavy deployments. Meanwhile, math/big patches an edge case in float formatting [3] where trailing-zero trimming could push the index past the mantissa bounds, and golang/sync hardens semaphore.Weighted to panic on negative weights [4] instead of silently corrupting internal state. The tools ecosystem saw goimports skip js/wasm test execution [6] to fix CI noise, and gopls regained semantic token backwards compatibility [7] with v0.11.0 clients. One revert [5] pulled a header timeout check for HTTP/2 to keep rc2 consistent with the minors branch until rc3.

Action items

References

  1. [1] net/http/internal/http2: do not silently truncate large trailers golang/go
  2. [2] net/http: add Server.MaxHeaderValueCount setting golang/go
  3. [3] math/big: fix edge case float formatting golang/go
  4. [4] semaphore: panic on negative weights golang/sync
  5. [5] Revert "net/http: apply header timeout to server's unencrypted HTTP/2 check" golang/go
  6. [6] cmd/goimports: skip TestCmd on js/wasm golang/tools
  7. [7] gopls/internal/test: have semtok work with [email protected] golang/tools

FAQ

What changed in Go on July 2, 2026?
Go's HTTP/2 implementation was silently dropping trailer headers that exceeded limits instead of erroring, a behavior now corrected alongside new per-server header count controls.
What should Go teams do about it?
Review HTTP/2 trailer handling in production services using net/http • Evaluate MaxHeaderValueCount for services with large cookie headers • Test semaphore.Weighted edge cases if you accept untrusted weight inputs
Which Go repositories shipped on July 2, 2026?
golang/go, golang/sync, golang/tools

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.