From b565f3e00a3bfec708730fbc39a636f997e3991e Mon Sep 17 00:00:00 2001
From: Giteabot
Date: Sat, 27 Jun 2026 04:27:56 -0700
Subject: [PATCH] fix(deps): update module golang.org/x/image to v0.43.0 [security] (#38219)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.42.0` → `v0.43.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.42.0...refs/tags/v0.43.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fimage/v0.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fimage/v0.42.0/v0.43.0?slim=true) |

---

### Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image
[CVE-2026-46601](https://nvd.nist.gov/vuln/detail/CVE-2026-46601) / [GO-2026-5061](https://pkg.go.dev/vuln/GO-2026-5061)

More information

#### Details
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.

#### Severity
Unknown

#### References
- [https://go.dev/cl/787681](https://go.dev/cl/787681)
- [https://go.dev/issue/79869](https://go.dev/issue/79869)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5061) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

---

### Lack of limit on tile sizes in x/image/tiff in golang.org/x/image
[CVE-2026-46602](https://nvd.nist.gov/vuln/detail/CVE-2026-46602) / [GO-2026-5062](https://pkg.go.dev/vuln/GO-2026-5062)

More information

#### Details
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

#### Severity
Unknown

#### References
- [https://go.dev/cl/788422](https://go.dev/cl/788422)
- [https://go.dev/issue/79905](https://go.dev/issue/79905)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5062) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

---

### Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image
[CVE-2026-46604](https://nvd.nist.gov/vuln/detail/CVE-2026-46604) / [GO-2026-5066](https://pkg.go.dev/vuln/GO-2026-5066)

More information

#### Details
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

#### Severity
Unknown

#### References
- [https://go.dev/cl/788421](https://go.dev/cl/788421)
- [https://go.dev/issue/80122](https://go.dev/issue/80122)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5066) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
--- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9d23a99410..d0e663de93 100644 --- a/go.mod +++ b/go.mod @@ -104,7 +104,7 @@ require ( gitlab.com/gitlab-org/api/client-go/v2 v2.38.0 go.yaml.in/yaml/v4 v4.0.0-rc.5 golang.org/x/crypto v0.53.0 - golang.org/x/image v0.42.0 + golang.org/x/image v0.43.0 golang.org/x/mod v0.37.0 golang.org/x/net v0.56.0 golang.org/x/oauth2 v0.36.0 diff --git a/go.sum b/go.sum index 1de4df2d2c..05c8a2a22e 100644 --- a/go.sum +++ b/go.sum 
@@ -780,8 +780,8 @@ golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto= golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80= -golang.org/x/image v0.42.0 h1:1gSs6ehNWXLbkHBIPcWztk3D/6aIA/8hauiAYtlodVY= -golang.org/x/image v0.42.0/go.mod h1:rrpelvGFt+kLPAjPM4HeWPgrl0FtafueU//e5N0qk/Q= +golang.org/x/image v0.43.0 h1:FLxcP4ec2350nTfOC8ysKtqYSIFbk/QGjw1ZHNP4tsY= +golang.org/x/image v0.43.0/go.mod h1:rrpelvGFt+kLPAjPM4HeWPgrl0FtafueU//e5N0qk/Q= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
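Review bot: In the go.mod hunk, `golang.org/x/image v0.43.0` sits in a require block with no `// indirect` marker, so Gitea imports this module itself, yet the message lists all three advisories as "Severity Unknown" and never says whether Gitea's code reaches the webp or tiff decoders. Before merging, run `govulncheck ./...` against the pre-bump tree and record in the PR which of GO-2026-5061, GO-2026-5062 and GO-2026-5066 it reports as reachable, so the urgency of this bump is documented rather than assumed. If any is reachable, the affected paths decode untrusted images, where the decoder panic and the unbounded tile allocation described in the message become denial-of-service conditions; a regression test with a malformed sample would then belong alongside this bump.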
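Review bot: In the go.sum hunk, the `/go.mod` checksum on the added v0.43.0 line is `h1:rrpelvGFt+kLPAjPM4HeWPgrl0FtafueU//e5N0qk/Q=`, identical to the one on the removed v0.42.0 line, and only the module-tree `h1:` value differs. That is what results when upstream's go.mod file is byte-identical between the two tags, and it is consistent with no other requirement changing in either file, but these lines are bot-generated and should not be accepted by eye. Suggest deleting the two v0.43.0 entries locally, running `go mod tidy` with the default GOSUMDB so the go command fetches the sums from the checksum database, and confirming the regenerated lines match this hunk exactly.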