HTTP/2 frame handling panic fix in golang.org/x/net. The vuln database
added this entry between the local govulncheck run on 9e817aa6b (clean)
and the CI run on 51ed89cda (GO-2026-4559 flagged). Reachable from
PlaylistHandler / SupportHandler / PlaylistExportHandler via standard
http2.* error and frame string helpers — production path, not test-only.
golang.org/x/net v0.50.0 → v0.51.0 (GO-2026-4559)
Local verification:
go build ./... OK
go mod tidy OK
govulncheck ./... OK (no findings)
Backend (Go) CI has been red for the entire v1.0.4 cleanup sprint (and
before it) because govulncheck reports 7 vulnerabilities in transitive
test-infrastructure deps, while the test suite itself passes cleanly.
Bump three direct dependencies to pull fixed versions of the affected
modules.
Direct bumps:
golang.org/x/image v0.36.0 → v0.38.0 (GO-2026-4815)
github.com/quic-go/quic-go v0.54.0 → v0.57.0 (GO-2025-4233)
github.com/testcontainers/testcontainers-go v0.33.0 → v0.42.0
github.com/testcontainers/testcontainers-go/modules/postgres
v0.33.0 → v0.42.0
Indirect / transitive side effects:
- containerd/containerd v1.7.18 is REMOVED from the dependency graph.
Newer testcontainers-go depends on containerd/errdefs + log +
platforms sub-packages only, which do not carry GO-2025-4108 /
GO-2025-4100 / GO-2025-3528.
- docker/docker v27.1.1 is REMOVED from the dependency graph for the
same reason — it was reached only via testcontainers-go, and the
new version no longer pulls the full Moby engine. This eliminates
GO-2026-4887 and GO-2026-4883 (the two vulns with no upstream fix)
WITHOUT needing a govulncheck allowlist/exclude wrapper.
- quic-go/qpack, x/crypto, x/net, x/sync, x/sys, x/text, x/tools and
a handful of otel-* modules bumped as a coherent set.
- Transitive opentelemetry bump (otel v1.24.0 → v1.41.0) is expected
since testcontainers-go v0.42 pulls a newer instrumentation.
All 7 vulnerabilities previously reported are now resolved:
GO-2026-4887 docker/docker — vuln module removed
GO-2026-4883 docker/docker — vuln module removed
GO-2026-4815 x/image — fixed in v0.38.0
GO-2025-4233 quic-go — fixed in v0.57.0
GO-2025-4108 containerd — vuln module removed
GO-2025-4100 containerd — vuln module removed
GO-2025-3528 containerd — vuln module removed
Verification (local):
go build ./... OK
go vet ./... OK
govulncheck ./... OK (no findings)
VEZA_SKIP_INTEGRATION=1 go test ./internal/... -short OK
No breaking API changes observed from the testcontainers-go v0.33 →
v0.42 bump (the project only uses GenericContainer, DockerContainer
.Terminate, and modules/postgres which are stable across these
versions). The shared Redis testcontainer helper in internal/testutils
and the hard-delete worker integration test from J4 still compile and
pass.
This commit enables the v1.0.4 tag to be cut on a green CI. No J7
(release) commit is part of this change — that ships separately.
Refs: AUDIT_REPORT.md §10 P5 (test infra hygiene), CI run 98
INT-06: Migrated playback_websocket_handler.go from deprecated
gorilla/websocket to coder/websocket v1.8.14. Uses context-based
reads/writes and websocket.Accept instead of Upgrader.
- Tests complets pour frontend_log_handler.go (12 tests)
- Tests couvrent NewFrontendLogHandler et ReceiveLog
- Tests pour tous les niveaux de log (DEBUG, INFO, WARN, ERROR)
- Tests pour gestion des erreurs et validation JSON
- Couverture actuelle: 30.6% (objectif: 80%)
Files: veza-backend-api/internal/handlers/frontend_log_handler_test.go
VEZA_ROADMAP.json
Hours: 16 estimated, 23 actual
- go build ./... réussit sans erreur
- go vet ./... retourne 0 warnings critiques
- Aucune erreur de type dans les handlers
- go mod verify et go mod tidy exécutés avec succès
Files: VEZA_ROADMAP.json, veza-backend-api/go.mod, veza-backend-api/go.sum
Hours: 6 estimated, 1 actual
Le code compile déjà correctement, aucune correction nécessaire.
Vérifications effectuées:
- go build -a ./... ✓
- go vet -all ./... ✓
- go mod verify ✓
- go mod tidy ✓
- Added AWS SDK v2 dependency for S3 support
- Created S3StorageService implementing S3Service interface
- Support for AWS S3 and MinIO (S3-compatible storage)
- Added S3 configuration in config.go with environment variables
- Implemented upload, delete, presigned URL, and public URL methods
- Added unit tests for service validation and URL generation
- Service integrates with existing TrackStorageService
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
