The Wire · Showcase
NET/HTTP STOPS RELYING ON REQUEST BODY IMMUTABILITY
By RepoJournal · Filed · About Go
The Go standard library is removing unsafe type assertions that break when middleware wraps server request bodies, fixing a class of connection reuse bugs.
Go's net/http package has been making unsafe assumptions about request body types [1]. Middleware layers routinely wrap or replace a server's Request.Body with custom implementations, but the response handler was casting to concrete types like *body or *expectContinueReader. This breaks when those assumptions don't hold, causing connection reuse to fail catastrophically. The fix removes all these type assertions and instead tracks the original body state in dedicated response fields, unblocking a test case that was previously failing due to improper early closure detection [1].
Across the ecosystem, the Go team is also tightening error handling semantics. A new gopls analyzer now flags inconsistent use of named error types, where both E and *E implement error but the codebase uses them interchangeably [2]. The standard library itself is being cleaned up to address these diagnostics [3], with two actual bugs fixed (incorrect bare uses of scanner.Error) in the process. This analyzer will eventually help developers catch subtle type assertion failures before they ship.
On the pkgsite front, module indexing is getting faster. The postgres layer now computes importer counts for modules as well as packages [4], and a targeted fix skips symbol insertion for modules that were repeatedly failing and clogging the task queue [5]. These changes unblock the module documentation pipeline without losing indexing quality.
The vulnerability database added two new entries [6] [7], and the website documented a security decision on malicious code [8]. The json/v2 encoder gained a new UnmarshalDecode example [9], and the vet analyzer improved its method reporting [10]. Additionally, FileServer now returns 404 instead of misdirecting requests with escaped slashes in the path [11].
Action items
- → Review your middleware if it wraps http.Request.Body - ensure it doesn't assume concrete types golang/go [plan]
- → Enable the new ptrtoerror analyzer in gopls and audit error type usage in your packages golang/tools [monitor]
- → Check vulndb for GO-2026-5970 and GO-2026-5942 - confirm they don't affect your dependencies golang/vulndb [monitor]
References
- [1] net/http: don't rely on server request body not changing golang/go
- [2] gopls/internal/analysis/ptrtoerror: detect inconsistent use of E/*E as error golang/tools
- [3] std: address ptrtoerror analyzer diagnostics golang/go
- [4] internal/postgres: compute module importer counts golang/pkgsite
- [5] internal/postgres: skip symbols for more modules golang/pkgsite
- [6] data/reports: add GO-2026-5970 golang/vulndb
- [7] data/reports: add GO-2026-5942 golang/vulndb
- [8] _content/doc/security: decision: malicious code golang/website
- [9] encoding/json/v2: add UnmarshalDecode example golang/go
- [10] cmd/vet: improve how stdversion analyzer refers to methods golang/go
- [11] net/http: return 404 when redirecting paths with escaped slashes golang/go