RepoJournal
Go

@golang

Go and the standard library — backend infrastructure at scale

Pick a date

Topics: Go Infrastructure Full archive →

The Wire · Showcase

NET/HTTP STOPS RELYING ON REQUEST BODY IMMUTABILITY

By RepoJournal · Filed · About Go

The Go standard library is removing unsafe type assertions that break when middleware wraps server request bodies, fixing a class of connection reuse bugs.

Go's net/http package has been making unsafe assumptions about request body types [1]. Middleware layers routinely wrap or replace a server's Request.Body with custom implementations, but the response handler was casting to concrete types like *body or *expectContinueReader. This breaks when those assumptions don't hold, causing connection reuse to fail catastrophically. The fix removes all these type assertions and instead tracks the original body state in dedicated response fields, unblocking a test case that was previously failing due to improper early closure detection [1].

Across the ecosystem, the Go team is also tightening error handling semantics. A new gopls analyzer now flags inconsistent use of named error types, where both E and *E implement error but the codebase uses them interchangeably [2]. The standard library itself is being cleaned up to address these diagnostics [3], with two actual bugs fixed (incorrect bare uses of scanner.Error) in the process. This analyzer will eventually help developers catch subtle type assertion failures before they ship.

On the pkgsite front, module indexing is getting faster. The postgres layer now computes importer counts for modules as well as packages [4], and a targeted fix skips symbol insertion for modules that were repeatedly failing and clogging the task queue [5]. These changes unblock the module documentation pipeline without losing indexing quality.

The vulnerability database added two new entries [6] [7], and the website documented a security decision on malicious code [8]. The json/v2 encoder gained a new UnmarshalDecode example [9], and the vet analyzer improved its method reporting [10]. Additionally, FileServer now returns 404 instead of misdirecting requests with escaped slashes in the path [11].

Action items

References

  1. [1] net/http: don't rely on server request body not changing golang/go
  2. [2] gopls/internal/analysis/ptrtoerror: detect inconsistent use of E/*E as error golang/tools
  3. [3] std: address ptrtoerror analyzer diagnostics golang/go
  4. [4] internal/postgres: compute module importer counts golang/pkgsite
  5. [5] internal/postgres: skip symbols for more modules golang/pkgsite
  6. [6] data/reports: add GO-2026-5970 golang/vulndb
  7. [7] data/reports: add GO-2026-5942 golang/vulndb
  8. [8] _content/doc/security: decision: malicious code golang/website
  9. [9] encoding/json/v2: add UnmarshalDecode example golang/go
  10. [10] cmd/vet: improve how stdversion analyzer refers to methods golang/go
  11. [11] net/http: return 404 when redirecting paths with escaped slashes golang/go

Quick answers

What shipped in Go on July 15, 2026?
The Go standard library is removing unsafe type assertions that break when middleware wraps server request bodies, fixing a class of connection reuse bugs. In total, 16 commits landed.
Who contributed to Go on July 15, 2026?
6 developers shipped this update, including Damien Neil, Michael Pratt, Dmitri Shuralyov, Nicholas S. Husin, Alan Donovan, and Jonathan Amsterdam.
What were the notable Go updates?
net/http: don't rely on server request body not changing, gopls/internal/analysis/ptrtoerror: detect inconsistent use of E/*E as error, and std: address ptrtoerror analyzer diagnostics.

More from @golang

Daily updates, in your inbox

Follow Go

Go and the standard library — backend infrastructure at scale We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire