Go

Go: Spring Cleaning and HTTP Security Fixes

Today we're diving into some serious housekeeping in the Go codebase with 7 commits that clean up dead code, modernize packages, and fix important HTTP behavior. Nicholas Husin led the charge removing unused HTTP/2 schedulers while the team tackled everything from race condition fixes to ensuring proper Content-Length handling.

Duration: PT4M15S

https://podlog.io/listen/go-e282e2e6/episode/go-spring-cleaning-and-http-security-fixes-371676e0

Transcript

Hey there, fellow Gophers! Welcome back to another episode of the Go podcast. I'm your host, and wow, do we have some satisfying cleanup work to talk about today - March 24th, 2026. You know that feeling when you finally organize your desk and everything just feels better? That's exactly what happened in the Go codebase today.

Let's jump right into the star of today's show - some serious spring cleaning in the HTTP/2 world. Nicholas Husin made a bold move by removing what he calls "inaccessible write schedulers" from the net/http/internal/http2 package. Now, this might sound technical, but here's the story: there were these RFC 7540 and random write schedulers that were essentially digital dust bunnies - over 1,200 lines of dead code just sitting there, not accessible from the standard library. Nicholas swept them right out, deleting entire files. It's like finally throwing away that box of cables you've been keeping "just in case" for five years. Sometimes the best code is no code at all.

But the cleanup didn't stop there! Our contributor qiulaidongfeng took on a massive modernization effort of the entire HTTP/2 package. Picture this: they ran go fix across the whole package and then went through by hand to make smart updates - like replacing custom string slice functions with the built-in slices.Contains. It's not glamorous work, but it's exactly the kind of maintenance that keeps a codebase healthy and readable. Nineteen files got touched in this modernization marathon.

Now, let's talk about something that could actually bite you in production. Michael Pratt tackled a gnarly race condition bug that was causing real crashes in Go programs. This was an upstream TSAN bug where threads running only garbage collection could end up using uninitialized memory. Michael didn't just patch it - he systematically updated prebuilt race detection libraries across multiple architectures. The attention to detail here is incredible - he even documented which platforms couldn't be updated due to builder limitations. This is the kind of unglamorous but absolutely critical work that keeps our programs stable.

Here's a fix that might matter to your day-to-day coding: Basavaraj PB solved an issue where UnixConn read methods were wrapping io.EOF instead of returning it directly. If you've ever written code that checks for io.EOF and wondered why it wasn't working with Unix connections, this was your culprit. The fix is elegant - just avoid wrapping when the error is exactly io.EOF. Simple, but it matters for API consistency.

We also had some nice testing improvements. qiulaidongfeng fixed an autocgo test that was failing when CGO_ENABLED was set during make.bash, and Julian Zhu added codegen checks for float conversion optimizations. These might seem small, but reliable tests are the foundation of everything we build.

The commit that really caught my attention though is Nicholas Husin's fix to make ResponseWriter.ReadFrom respect declared Content-Length headers. Here's why this matters: unlike the Write method, ReadFrom wasn't checking if you were writing more bytes than you declared. While not a security issue per se, it could lead to clients misinterpreting extra bytes as separate responses. It's a great example of consistency fixes that make APIs behave more predictably.

Today's Focus: If you're maintaining any Go code, take a page from today's contributors. Look for your own dead code - those unused functions or packages that seemed important once but aren't actually called anymore. Run go fix on older codebases to modernize them. And if you're working with HTTP handlers, double-check that your Content-Length headers match what you're actually writing.

These kinds of maintenance commits might not be flashy, but they're the backbone of a mature, reliable standard library. Every line of dead code removed is one less thing to maintain, and every consistency fix makes Go more predictable for all of us.

That's a wrap for today! Keep coding, keep cleaning, and we'll see you tomorrow for another dive into the world of Go. Happy coding, everyone!
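The episode's advice to check that a handler's declared Content-Length matches what it writes, as an added example that is not part of the transcript and not the Go project's code. The `lengthGuard` wrapper, the `send` helper and the sample bodies are constructed for illustration. Copying the declared number of bytes and then reporting the surplus is this example's own choice, not a description of the upstream fix.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// lengthGuard (hypothetical, not part of net/http) caps the body at the declared length.
type lengthGuard struct {
	http.ResponseWriter
	left int64 // body bytes still allowed under the declared Content-Length
}

func (g *lengthGuard) Write(p []byte) (int, error) {
	if int64(len(p)) > g.left {
		return 0, http.ErrContentLength
	}
	n, err := g.ResponseWriter.Write(p)
	g.left -= int64(n)
	return n, err
}

// ReadFrom is the path io.Copy prefers when the destination offers it.
// It copies at most the declared length, then probes for one surplus byte.
func (g *lengthGuard) ReadFrom(src io.Reader) (int64, error) {
	n, err := io.Copy(g.ResponseWriter, io.LimitReader(src, g.left))
	g.left -= n
	if m, _ := src.Read(make([]byte, 1)); err == nil && m > 0 {
		err = http.ErrContentLength
	}
	return n, err
}

// send declares a Content-Length and streams a constructed body through ReadFrom.
func send(declared int64, body string) (string, error) {
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Length", strconv.FormatInt(declared, 10))
	g := &lengthGuard{ResponseWriter: rec, left: declared}
	_, err := g.ReadFrom(strings.NewReader(body))
	return rec.Body.String(), err
}

func main() {
	fmt.Println(send(5, "hello"))      // body fits the declared length
	fmt.Println(send(5, "helloEXTRA")) // surplus bytes are held back and reported
}
```

A body shorter than the declared length is not flagged by this guard; it only stops bytes beyond the declaration from reaching the client.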