build(deps): bump golang.org/x/sys from 0.41.0 to 0.46.0 #3

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/golang.org/x/sys-0.46.0

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026


Bumps golang.org/x/sys from 0.41.0 to 0.46.0.

Commits
  • d58dcfa unix: add GPIO constants and structs
  • 397d5f8 unix: update to Linux kernel 7.0
  • 0a387f7 cpu: detect zbc extension on riscv64
  • 758f71c cpu: add LLACQ_SCREL, SCQ, DBAR_HINTS detection for loong64
  • 99666ae unix: merge Linux readv/writev implementation with Darwin/OpenBSD
  • e4444cb windows: add NtSetEaFile, NtQueryEaFile and NtQueryInformationFile
  • 04396e8 unix: add Readv, Writev, Preadv, Pwritev for OpenBSD
  • fb1facd windows: avoid uint16 overflow in NewNTUnicodeString
  • 94ad893 windows: add GetIfTable2Ex, GetIpInterface{Entry,Table}, GetUnicastIpAddressT...
  • 54fe89f cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.41.0 to 0.46.0.
- [Commits](golang/sys@v0.41.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels Jul 3, 2026:
  • dependencies: Pull requests that update a dependency file
  • go: Pull requests that update go code
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

  • Diff: Updated
  • Package: golang.org/x/sys@v0.41.0 ⏵ v0.46.0
  • Supply Chain Security: 84
  • Vulnerability: 100
  • Quality: 100
  • Maintenance: 100
  • License: 100


clawsweeper Bot commented Jul 3, 2026


Codex review: needs maintainer review before merge. Reviewed July 2, 2026, 8:57 PM ET / 00:57 UTC.

Summary
This PR updates the direct Go dependency golang.org/x/sys from v0.41.0 to v0.46.0 in go.mod and refreshes the matching go.sum checksums.

Reproducibility: not applicable. This is a dependency maintenance PR, not a reported runtime bug. The reviewed evidence is the current go.mod pin, the PR diff, and the platform-specific x/sys call sites.

Review metrics: 2 noteworthy metrics.

  • Go module diff: 2 files changed, +3/-3. The patch is limited to the module manifest and checksum file.
  • Dependency scope: 1 direct production dependency updated. The bumped module supplies Unix and Windows syscall wrappers used by runtime code.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] The updated module is used by platform-specific filesystem, ACL, and lock helpers, so supported OS CI should complete before merge.

Maintainer options:

  1. Decide the mitigation before merge
    Merge the narrow go.mod and go.sum update after the normal Go module CI checks pass.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P2] No repair lane is needed; this is a clean Dependabot module bump awaiting ordinary CI and maintainer merge review.

Security
Cleared: the diff only updates a known Go module version and checksums, and the Socket comment reported no vulnerability alert for the updated direct dependency.

Review details

Best possible solution:

Merge the narrow go.mod and go.sum update after the normal Go module CI checks pass.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a reported runtime bug. The reviewed evidence is the current go.mod pin, the PR diff, and the platform-specific x/sys call sites.

Is this the best way to solve the issue?

Yes: for a Go module version bump, changing go.mod plus go.sum is the narrow maintainable implementation. The merge decision should wait for the supported-platform CI results.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 469b01ac2b20.

Label changes

Label changes:

  • add P3: This is a low-risk routine dependency maintenance PR with a small bounded diff.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency updates are outside the contributor real-behavior proof gate for this review.

Label justifications:

  • P3: This is a low-risk routine dependency maintenance PR with a small bounded diff.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency updates are outside the contributor real-behavior proof gate for this review.

Evidence reviewed

What I checked:

  • No AGENTS.md policy found: The checkout search found no target repository AGENTS.md or maintainer notes to apply to this dependency review. (469b01ac2b20)
  • Current main still uses old dependency: Current main has golang.org/x/sys v0.41.0 in the direct require block, so the PR is not implemented on main. (go.mod:7, 469b01ac2b20)
  • PR branch only bumps module files: The PR commit changes go.mod and go.sum from v0.41.0 to v0.46.0, with 3 additions and 3 deletions total. (go.mod:7, f49c7ef8f25e)
  • Dependency is used by platform-specific runtime code: Source search found golang.org/x/sys/unix and golang.org/x/sys/windows imports in audit locking, owner-only file handling, ACL tests, and Windows config replacement paths. (internal/owneronly/open_unix.go:10, 469b01ac2b20)
  • PR state and checks: GitHub reports the PR as mergeable, with Socket Security checks completed successfully and Ubuntu/macOS CI still in progress at review time. (f49c7ef8f25e)
  • Feature history provenance: Git blame and commit metadata show the existing x/sys requirement and central syscall wrapper files were introduced with the initial audited relay implementation. (go.mod:7, 469b01ac2b20)

Likely related people:

  • steipete: GitHub commit metadata maps the initial audited relay commit to steipete, and git blame shows that commit introduced the current go.mod x/sys requirement plus the Unix/Windows syscall wrapper files touched by this dependency. (role: introduced dependency and platform syscall surface; confidence: high; commits: 469b01ac2b20; files: go.mod, go.sum, internal/audit/lock_unix.go)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added labels Jul 3, 2026:
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.