Upgrade golang.org/x/crypto from v0.38.0 to v0.48.0 to resolve
CVE-2025-47913 (GO-2025-4116), a denial-of-service vulnerability in
golang.org/x/crypto/ssh/agent where SSH clients receiving
SSH_AGENT_SUCCESS when expecting a typed response will panic and cause
early termination of the client process. The fix was introduced in
v0.43.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Also update golang.org/x/net and google.golang.org/grpc to fix vulnerabilities,
although cloudflared is using them in a way that is not exposed to those risks
Will no longer provide full hostname with path from provided
`--hostname` flag for cloudflared access to the Host header field.
This addresses certain issues caught from a security fix in go
1.19.11 and 1.20.6 in the net/http URL parsing.
limkevin.chao
Chung-Ting
Devin Carr
Areg Harutyunyan