RepoJournal
Go

@golang

Go and the standard library — backend infrastructure at scale

Pick a date

Topics: Go Infrastructure Full archive →

The Wire · Showcase

GO PATCHES HTTP/2 BYPASS IN REVERSEPROXY, COMPILER GAINS FUSION MATH

By RepoJournal · Filed · About Go

ReverseProxy was forwarding h2c upgrade headers that let clients bypass your handlers entirely, and it's getting fixed today.

The net/http/httputil package had a surprising security gap: it would forward Upgrade: h2c headers from clients to backends, allowing HTTP/1 connections to switch to unencrypted HTTP/2 and slip past the proxy's middleware [1]. That's getting rejected outright now. On the compiler front, Go is shipping instruction-level parallelism improvements to md5 [2] and rewriting x-y*z arithmetic to fused multiply-subtract for GOAMD64=v3 [3], both targeting the performance bottlenecks that were waiting on optimizer changes. Meanwhile, the toolchain is getting smarter about error reporting: binary-only packages will now fail at load time instead of mysteriously at build time [4], and gopls is adding Move Declaration as a code action for refactoring [5]. The crypto/ssh package is also fixing a subtle audit gap where RSA signature verification could report the wrong algorithm to callbacks [6]. Across the ecosystem, you're getting better debugging visibility in gopls with package-level symbol inspection [7], faster type analysis with RTA refactoring [8], and stricter inlay hints that recognize common error-ignore patterns [9].

Action items

References

  1. [1] net/http/httputil: don't forward Upgrade: h2c headers golang/go
  2. [2] crypto/md5: improve instruction-level parallelism golang/go
  3. [3] cmd/compile: rewrite x-y*z to fused multiply subtract for GOAMD64=v3 golang/go
  4. [4] cmd/go: identify error for binary-only packages when loading golang/go
  5. [5] gopls/internal/golang: add Move Declaration skeleton golang/tools
  6. [6] ssh: report verified signature format to callback golang/crypto
  7. [7] gopls/internal/debug: show Package.Scope symbols golang/tools
  8. [8] go/callgraph/rta: use typesinternal.ForEachElement golang/tools
  9. [9] gopls/internal/golang: InlayHint: permit "ignore error" alternatives golang/tools

Quick answers

What shipped in Go on July 18, 2026?
ReverseProxy was forwarding h2c upgrade headers that let clients bypass your handlers entirely, and it's getting fixed today. In total, 22 commits landed.
Who contributed to Go on July 18, 2026?
7 developers shipped this update, including Damien Neil, Michael Matloob, Josh Bleecher Snyder, qiulaidongfeng, Akira, Madeline Kalil, and Alan Donovan.
What were the notable Go updates?
net/http/httputil: don't forward Upgrade: h2c headers, crypto/md5: improve instruction-level parallelism, and cmd/compile: rewrite x-y*z to fused multiply subtract for GOAMD64=v3.

More from @golang

Daily updates, in your inbox

Follow Go

Go and the standard library — backend infrastructure at scale We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire