chore(deps): bump github.com/moby/spdystream to v0.5.1 (CVE-2026-35469)

[lexfrei]

Bumps the transitive dependency github.com/moby/spdystream from v0.5.0 to v0.5.1 to patch CVE-2026-35469 (HIGH).

What

The SPDY/3 frame parser in spdystream <= v0.5.0 allocates memory based on attacker-controlled counts and lengths from SETTINGS and header frames. A remote peer that can send SPDY frames to a service can crash the process with a single crafted control frame (memory amplification → OOM). v0.5.1 adds bounds checks on numSettings, header counts, and per-field sizes, plus configurable limits via new functional options.

Why this is a clean bump

• Pulled in transitively via talm → siderolabs/talos → hydrophone → k8s.io/client-go → k8s.io/apimachinery → moby/spdystream (go mod why).
• v0.5.1 is a pure patch release: only the security fixes plus opt-in functional options (NewConnectionWithOptions, WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, WithMaxHeaderCount). No breaking API changes.
• MVS picks v0.5.1 without needing a replace; no parent dep requires a different version.
• Diff is two lines in go.mod + the matching go.sum hashes.

Verification

• go build ./... — OK
• go vet ./... — OK
• go test ./... — all packages pass

Closes Dependabot alert #45.

[coderabbitai]

Warning

Rate limit exceeded

@lexfrei has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 31 minutes and 16 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ee4963b3-cbd1-4034-83af-b0b825585d03

📥 Commits

Reviewing files that changed from the base of the PR and between 04fbd6c and 4b6bb9e.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/spdystream-cve-2026-35469

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the github.com/moby/spdystream dependency from v0.5.0 to v0.5.1 to address a security vulnerability (CVE-2024-45336). The reviewer suggests evaluating whether direct dependencies, such as k8s.io/client-go, expose the new configuration options introduced in this version—like WithMaxControlFramePayloadSize—to further harden the application against memory amplification attacks.

[gemini-code-assist]

While bumping the version to v0.5.1 addresses the immediate vulnerability (CVE-2024-45336, incorrectly referenced as CVE-2026-35469 in the PR title) through new internal bounds checks, the new version also introduces configurable limits (WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, etc.) to prevent similar memory amplification attacks. Although this is an indirect dependency, it is recommended to evaluate if any direct dependencies (like k8s.io/client-go) expose these new configuration options to further harden the application against OOM attacks in high-load scenarios.

[kvaps]

LGTM. Clean transitive bump.

The go mod why chain (talm → siderolabs/talos → hydrophone → k8s.io/client-go → k8s.io/apimachinery → moby/spdystream) is correctly identified, MVS picks v0.5.1 without replace, no breaking API change in the patch release. Diff is exactly two lines in go.mod plus the matching go.sum hashes — nothing else moved. Build/vet/test all pass per PR description.

Ship it.