
qwexvf/aegis-cli

v0.17.1 Security

This release includes two security fixes; teams running aegis-cli on exposed deployments should review it.

Published 22d CLI & Terminal

Topics

ast-analysis cli cve dependency-scanner security go lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Affected surfaces

deps

ReleasePort's take

Light signal
editorial:auto 13d

qwexvf/aegis-cli v0.17.1 upgrades the Go toolchain to 1.26.3, picking up the fixes for the Go standard-library advisories GO-2026-4918 (net/http) and GO-2026-4971 (net). It also adds Go retract detection: CapVersionUnpublished now fires when a dependency's installed version is listed in that module's own go.mod retract section.

Why it matters: upgrade to v0.17.1 so the aegis binary itself is built with a Go toolchain that carries the fixes for GO-2026-4918 and GO-2026-4971. The new retract detection flags retracted versions (withdrawn by the module author) in dependency chains, which a plain vulnerability lookup does not catch.

Summary

AI summary

Upgrading the Go toolchain to 1.26.3 fixes two stdlib vulnerabilities (GO-2026-4918, GO-2026-4971), and new Go retract detection makes CapVersionUnpublished fire for retracted module versions.

Changes in this release

Security Medium

Upgrades the Go toolchain to version 1.26.3, fixing the stdlib advisories GO-2026-4918 and GO-2026-4971.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Adds Go `retract` detection: CapVersionUnpublished fires for versions listed in go.mod's retract section.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Security

Upgrade Go toolchain to 1.26.3 — fixes two stdlib CVEs:

  • GO-2026-4918: Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (net/http)
  • GO-2026-4971: Panic on NUL byte in net.Dial / LookupPort on Windows (net)

govulncheck ./... reports no vulnerabilities on this release.

Also in this release

  • Go retract detection: CapVersionUnpublished fires when the installed version of a Go module appears in that module's own retract list in go.mod. Requires dep.Version propagation through the heuristics pipeline (all callers updated).
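The retract check described above, as an added example written for this page rather than taken from aegis-cli: it parses retract directives from a go.mod (single versions, [low, high] ranges, and the parenthesised block form, with the rationale comments stripped) and reports whether an installed version falls inside any of them, which is the condition under which CapVersionUnpublished fires. The go.mod text is constructed, the function and type names are this example's own, and the version ordering is a simplification of semver (three-part versions, pre-release tags compared lexically).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SampleGoMod is a constructed go.mod for a hypothetical module, written
// for this example only and not taken from any real project.
const SampleGoMod = `module example.com/acme/widget
go 1.22
retract v1.4.0 // release script published the wrong artefact
retract [v1.2.0, v1.2.3] // credential leaked in test fixtures
retract (
	v1.0.9
	[v0.9.0, v0.9.5]
)
`

// Retraction is one retract directive: a single version (Low == High)
// or an inclusive [Low, High] range.
type Retraction struct{ Low, High string }

// ParseRetracts collects retract directives (single, range and block
// forms) from go.mod text, dropping the trailing // rationale comments.
func ParseRetracts(gomod string) []Retraction {
	var out []Retraction
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseArg(line); ok {
				out = append(out, r)
			}
		case strings.HasPrefix(line, "retract "):
			arg := strings.TrimSpace(line[len("retract"):])
			if arg == "(" {
				inBlock = true
			} else if r, ok := parseArg(arg); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

func parseArg(arg string) (Retraction, bool) {
	if strings.HasPrefix(arg, "[") && strings.HasSuffix(arg, "]") {
		lo, hi, ok := strings.Cut(strings.Trim(arg, "[]"), ",")
		return Retraction{strings.TrimSpace(lo), strings.TrimSpace(hi)}, ok
	}
	return Retraction{arg, arg}, strings.HasPrefix(arg, "v")
}

// VersionKey turns "v1.2.3-rc1+meta" into a string that sorts the way Go
// module versions do: numeric on MAJOR.MINOR.PATCH, pre-release before
// release (the "~" marker sorts above every pre-release tag). Build
// metadata is ignored; pre-release tags compare lexically (simplification).
func VersionKey(v string) string {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, pre, isPre := strings.Cut(v, "-")
	var key strings.Builder
	for _, p := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		fmt.Fprintf(&key, "%010d.", n)
	}
	if isPre {
		key.WriteString("-" + pre)
	} else {
		key.WriteString("~")
	}
	return key.String()
}

// IsRetracted reports whether version falls inside any retract directive,
// the condition under which CapVersionUnpublished would fire.
func IsRetracted(version string, retracts []Retraction) bool {
	k := VersionKey(version)
	for _, r := range retracts {
		if k >= VersionKey(r.Low) && k <= VersionKey(r.High) {
			return true
		}
	}
	return false
}

func main() {
	retracts := ParseRetracts(SampleGoMod)
	for _, v := range []string{"v1.4.0", "v1.2.2", "v1.2.4", "v0.9.5", "v1.2.0-rc1"} {
		fmt.Printf("%-12s CapVersionUnpublished=%v\n", v, IsRetracted(v, retracts))
	}
}
```

Note that v1.2.0-rc1 is not flagged by the [v1.2.0, v1.2.3] range: a pre-release sorts below its release, so a range starting at v1.2.0 excludes it, matching how Go orders module versions. A production implementation would use golang.org/x/mod/modfile and golang.org/x/mod/semver instead of this hand-rolled parser and ordering.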

