chore: bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#9917)

[menahyouyeah]

Bumps golang.org/x/crypto from 0.43.0 to 0.45.0.

• Commits

---

updated-dependencies:

• dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
  ...

Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[gemini-code-assist]

Summary of Changes

Hello @menahyouyeah, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a routine but comprehensive update of several golang.org/x dependencies, most notably golang.org/x/crypto. The changes span across various sub-packages, introducing a mix of security enhancements, performance optimizations, and code refactoring. A significant change involves the sha3 package, which now largely delegates to the standard library's crypto/sha3 for modern hashing algorithms. Additionally, improvements have been made to buffer handling in cryptographic primitives, input validation in SSH agent and GSSAPI, and efficiency in HTTP/2 protocol handling. These updates collectively aim to improve the stability, security, and performance of the codebase by incorporating the latest upstream developments.

Highlights

• Dependency Updates: Key golang.org/x modules, including crypto, term, net, and text, have been updated to their latest versions, incorporating various upstream improvements and fixes.
• SHA3 Package Refactoring: The sha3 sub-package within x/crypto has been significantly refactored to primarily wrap the standard library's crypto/sha3 for modern SHA3 and SHAKE functions, while preserving legacy Keccak implementations. This streamlines the codebase and leverages optimized standard library components.
• Security Enhancements: Several minor security-related fixes were introduced, such as buffer overlap checks in chacha20poly1305 and input validation in ssh/agent and ssh/gss parsing to prevent potential vulnerabilities.
• Performance Optimizations: The http2 package received performance improvements, notably in gzipReader using a sync.Pool for resource reuse and in writeQueue with a more efficient two-stage queue implementation.
• SSH Forwarding Improvements: The ssh package's TCP/Unix forwarding logic was enhanced for better handling of network addresses and hostnames, including a more robust Client.Listen method.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates golang.org/x/crypto from version 0.43.0 to 0.45.0, along with several other golang.org/x/... dependencies. The changes are from upstream and include a variety of security fixes, bug fixes, performance improvements, and code modernization. Notable changes include adding buffer overlap checks in chacha20poly1305, fixing bounds checks in the SSH agent and GSS-API handling, refactoring the sha3 package to use the standard library implementation, and performance optimizations in http2's gzip handling and write scheduler. All changes appear correct and beneficial, and the update is safe to merge.