Upgrade golang.org/x/crypto from v0.38.0 to v0.48.0 to resolve
CVE-2025-47913 (GO-2025-4116), a denial-of-service vulnerability in
golang.org/x/crypto/ssh/agent where SSH clients receiving
SSH_AGENT_SUCCESS when expecting a typed response will panic and cause
early termination of the client process. The fix was introduced in
v0.43.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Also update golang.org/x/net and google.golang.org/grpc to fix vulnerabilities,
although cloudflared is using them in a way that is not exposed to those risks
To help accommodate web browser interactions with websockets, when a
streaming logs session is requested for the same actor while already
serving a session for that user in a separate request, the original
request will be closed and the new request start streaming logs
instead. This should help with rogue sessions holding on for too long
with no client on the other side (before idle timeout or connection
close).
limkevin.chao
Bas Westerbaan
Chung-Ting
Devin Carr
Nuno Diegues
Adam Chalmers
Areg Harutyunyan
Austin Cherry