security: update golang.org/x/crypto and golang.org/x/net

[chris-mercer]

Security: Update Go standard library extensions

Multiple vulnerabilities in golang.org/x/crypto and golang.org/x/net affect the current codebase, confirmed by govulncheck.

Changes

Module	From	To	Vulns Fixed
golang.org/x/crypto	v0.17.0	v0.31.0	GO-2025-4135 (ssh/agent DoS), GO-2025-4134 (ssh unbounded mem), GO-2025-4116 (ssh/agent DoS), GO-2025-3487 (DoS)
golang.org/x/net	v0.18.0	v0.33.0	GO-2026-4441 (infinite parse loop), GO-2026-4440 (quadratic parsing), GO-2025-3595 (XSS), GO-2025-3503 (proxy bypass via IPv6 zone ID)
golang.org/x/sys	v0.16.0	v0.28.0	Transitive dependency
golang.org/x/sync	v0.5.0	v0.10.0	Transitive dependency
golang.org/x/text	v0.14.0	v0.21.0	Transitive dependency

Verification

• go build ./... ✅ (on Go 1.24 branch)
• go mod tidy — clean

References

• GO-2025-4135
• GO-2025-4134
• GO-2026-4441
• GO-2025-3595

---

Road to Olympia — Core-Geth Modernization Push (2/24)

Developed by White B0x Inc. for Ethereum Classic DAO LLC

🤖 Generated with Claude Code

[chris-mercer]

Closing — superseded by #10, which now upgrades Go 1.21 → 1.26 and cascades all x/ dependencies to newer versions than this PR targeted:

• x/crypto v0.31 → v0.49 (this PR) vs v0.49 (security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10)
• x/net v0.33 → v0.52 (security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10)
• x/sys v0.28 → v0.42 (security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10)
• x/sync v0.10 → v0.20 (security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10)
• x/text v0.21 → v0.35 (security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10)

All 8 CVEs addressed by this PR's dep bumps are covered by #10's higher versions.