
Conversation

@merchantmoh-debug

This PR adds a documentation comment to the NewClient function in github/github.go.

The comment warns users that passing a nil httpClient results in the use of a default http.Client which has no timeout. This can lead to resource exhaustion or "slowloris" style issues in production environments. It recommends providing a custom http.Client with an appropriate timeout.

This change aligns with security best practices (Sentinel) by making the default behavior's risks explicit without introducing breaking changes.
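The risk this PR documents, shown as an added example that is not go-github's own code: the zero-value `http.Client` that `github.NewClient(nil)` falls back to has `Timeout == 0`, so a stalled peer can hold a request open indefinitely, whereas a client built with a total timeout plus per-phase transport ceilings gives up on a constructed slow server. The function names `NewBoundedHTTPClient`, `HasTimeout` and `ProbeSlowServer` are illustrative; the resulting client is what you would pass to `github.NewClient` instead of `nil`.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewBoundedHTTPClient returns an http.Client that cannot wait forever:
// Client.Timeout caps the whole exchange and the transport adds per-phase
// ceilings (dial, TLS handshake). Added example, not go-github's own code.
func NewBoundedHTTPClient(total time.Duration) *http.Client {
	transport := &http.Transport{
		DialContext:           (&net.Dialer{Timeout: 5 * time.Second}).DialContext,
		TLSHandshakeTimeout:   5 * time.Second,
		ResponseHeaderTimeout: total,
	}
	return &http.Client{Transport: transport, Timeout: total}
}

// HasTimeout reports whether c bounds request duration. A nil c stands for
// the zero-value http.Client that github.NewClient(nil) falls back to.
func HasTimeout(c *http.Client) bool {
	return c != nil && c.Timeout > 0
}

// ProbeSlowServer GETs a constructed local server that stalls for `stall`
// before replying; it returns true if the client's timeout fired first.
func ProbeSlowServer(c *http.Client, stall time.Duration) (bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(stall): // a slowloris-style peer that never hurries
			w.WriteHeader(http.StatusOK)
		case <-r.Context().Done(): // client gave up; stop stalling
		}
	}))
	defer srv.Close()
	resp, err := c.Get(srv.URL)
	if err != nil {
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			return true, nil // request bounded by the client, not by the peer
		}
		return false, err
	}
	resp.Body.Close()
	return false, nil
}
```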

google-labs-jules bot and others added 2 commits January 11, 2026 12:59
Adds a warning to the `NewClient` function documentation to inform developers that the default `http.Client` (created when passing `nil`) has no timeout, which can be a security risk in production environments.
…rovement-10999790790030565127

Add security warning to NewClient documentation
@google-cla

google-cla bot commented Jan 11, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gmlewis gmlewis changed the title bclient-improvement docs: Clarify nil http.Client usage has no timeout Jan 11, 2026
Collaborator

@gmlewis gmlewis left a comment


Thank you, @merchantmoh-debug.
LGTM.
Merging.

@codecov

codecov bot commented Jan 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.44%. Comparing base (4456d12) to head (7409d8e).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3910   +/-   ##
=======================================
  Coverage   92.44%   92.44%           
=======================================
  Files         203      203           
  Lines       14927    14927           
=======================================
  Hits        13799    13799           
  Misses        926      926           
  Partials      202      202           


@gmlewis
Collaborator

gmlewis commented Jan 11, 2026

Sorry, I spoke too soon. I cannot merge this until the CLA is signed.
If you prefer to not sign the CLA, I will close the PR. Please let me know, @merchantmoh-debug.
