The Wire · Showcase
VULNDB INGESTS 86 NEW VULNERABILITY REPORTS OVERNIGHT
By RepoJournal · Filed · About Go
The vulnerability database shipped 86 new security advisories in four separate CLs, covering first-party Go issues and third-party dependency vulnerabilities that your supply chain scanner needs to know about.
Vulndb landed four major report batches [1][2][3][4] registering everything from GO-2026-5932 through GO-2026-5916, plus two critical first-party issues that fix golang/go#4970 and golang/go#5856 [4]. This is the scale of intake you expect during a vulnerability disclosure season. Meanwhile, Go 1.27 RC2 landed in gopls tooling [5], meaning your LSP completion benchmarks already run against the release candidate. On the idna front, both golang/net and golang/text rejected a long-standing UTS 46 specification bug that incorrectly permitted Punycode labels encoding pure ASCII strings like "xn--example-.com" [6][7]. This closes golang/go#78760. In gopls internals, completion benchmarks now enforce empty-range semantics [8], and the nilness analyzer learned to skip cgo magic functions that clobber SSA assumptions [9].
Action items
- → Run govulncheck against your dependencies against the new 86-report database before your next security audit cycle golang/vulndb [plan]
- → Verify your IDNA domain parsing rejects all-ASCII xn-- prefixed labels after updating golang/net and golang/text golang/net [plan]
- → Update gopls to the latest if you run completion benchmarks in your test suite golang/tools [monitor]
References
- [1] data/reports: add 17 reports golang/vulndb
- [2] data/reports: add 23 reports golang/vulndb
- [3] data/reports: add 45 reports golang/vulndb
- [4] data/reports: add 2 first-party reports golang/vulndb
- [5] internal/stdlib: update stdlib index for Go 1.27 Release Candidate 2 golang/tools
- [6] idna: reject all-ASCII xn-- labels on all Go versions golang/net
- [7] internal/export/idna: always treat Punycode encoding pure ASCII as an error golang/text
- [8] gopls/internal/test: Completion benchmarks use empty range golang/tools
- [9] go/analysis/passes/nilness: skip magic cgo functions golang/tools
FAQ
- What changed in Go on July 8, 2026?
- The vulnerability database shipped 86 new security advisories in four separate CLs, covering first-party Go issues and third-party dependency vulnerabilities that your supply chain scanner needs to know about.
- What should Go teams do about it?
- Run govulncheck against your dependencies against the new 86-report database before your next security audit cycle • Verify your IDNA domain parsing rejects all-ASCII xn-- prefixed labels after updating golang/net and golang/text • Update gopls to the latest if you run completion benchmarks in your test suite
- Which Go repositories shipped on July 8, 2026?
- golang/vulndb, golang/tools, golang/net, golang/text