
fix(deps): bump go to 1.26.4 to address stdlib CVEs#931

Merged: mbevc1 merged 1 commit into main from fix/bump-go-stdlib-cves on Jun 3, 2026

Conversation

@dangrondahl (Contributor) commented Jun 3, 2026

Summary

Bumps the Go directive in `go.mod` from 1.26.3 → 1.26.4 to resolve Snyk-flagged Go stdlib vulnerabilities:

  • `SNYK-GOLANG-STDCRYPTOX509-17135840` (crypto/x509)
  • `SNYK-GOLANG-STDMIME-17135844` (mime)
  • `SNYK-GOLANG-STDNETTEXTPROTO-17135843` (net/textproto)

All three are fixed in Go 1.26.4.

Test plan

  • CI passes (Snyk Dependency Test green)
  • No code changes required; stdlib upgrade only

Resolves Snyk findings:
- SNYK-GOLANG-STDCRYPTOX509-17135840
- SNYK-GOLANG-STDMIME-17135844
- SNYK-GOLANG-STDNETTEXTPROTO-17135843
@claude claude Bot (Contributor) commented Jun 3, 2026

Claude finished @dangrondahl's task in 1m 21s

PR Review: Bump Go to 1.26.4

  • Run static analysis (build, vet, mod tidy)
  • Review code changes
  • Check CI/discussion context
  • Post review summary

Change: go.mod directive 1.26.3 → 1.26.4 — a one-line, code-only dependency bump to address three Snyk-flagged stdlib CVEs (crypto/x509, mime, net/textproto). No functional code changes.

Static Analysis

| Check | Result |
| --- | --- |
| `go build ./...` | Failed — runner has Go 1.26.3, module requires 1.26.4 |
| `go vet ./...` | Skipped (build prerequisite failed) |
| `go mod tidy` | N/A (no dependency graph changes expected) |

The build failure is a CI environment issue, not a code issue. .go-version contains 1.26, and GitHub Actions' actions/go-versions manifest hasn't published 1.26.4 yet, so the runner installs 1.26.3. With GOTOOLCHAIN=local (default), Go refuses to build.

Review

The go.mod change is correct and minimal. No go.sum changes are needed since this is a stdlib-only bump. No toolchain directive is present in go.mod, which is fine — but means CI must have the exact patch version available.

Options to unblock:

  1. Wait for actions/go-versions to publish 1.26.4, then re-run CI. Simplest path.
  2. Add toolchain go1.26.4 to go.mod to enable auto-download (requires CI not setting GOTOOLCHAIN=local).
  3. Pin .go-version to 1.26.4 as a temporary workaround (per @mbevc1's suggestion), though this loses automatic minor-version tracking.

Positives

  • Clean, minimal change scoped to the exact fix needed
  • Good PR description with specific Snyk IDs for traceability
  • Correct use of conventional commit format

Comment thread on .go-version (outdated)
Comment thread on .github/workflows/claude-pr-review.yml (outdated)

env:
# Allow Go to auto-download the toolchain pinned in go.mod (.go-version stays loose at minor).
GOTOOLCHAIN: auto
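Review bot: `GOTOOLCHAIN=auto` has been Go's default since 1.21, so this workflow-level `env:` entry is a no-op unless something in the job exports `local`; the error quoted in the go.mod thread (`running go 1.26.3; GOTOOLCHAIN=local`) shows that something does, so confirm where `local` is set before relying on this line, and say so in the comment rather than only noting that `.go-version` stays loose at minor.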
Contributor:

I think this is default since Go 1.21 🤔

https://go.dev/doc/toolchain

Contributor Author:

Yes, I also saw that 🧐

Contributor Author:

Think I should revert to not having the env var spelled out and just do a rerun?

@mbevc1 (Contributor) commented Jun 3, 2026

I think resolving 1.26.4 as latest was not updated upstream yet...

Setup go version spec 1.26
Attempting to resolve the latest version from the manifest...
matching 1.26...
Resolved as '1.26.3'
Attempting to download 1.26.3...
matching 1.26.3...
Acquiring 1.26.3 from https://github.com/actions/go-versions/releases/download/1.26.3-25533533231/go-1.26.3-linux-x64.tar.gz
Extracting Go...
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/48e75acd-9a72-482f-ac90-7484c3d4bad3 -f /home/runner/work/_temp/d9730bf5-250e-410f-9e70-a6a45b37741f
Successfully extracted go to /home/runner/work/_temp/48e75acd-9a72-482f-ac90-7484c3d4bad3
Adding to the cache ...
Successfully cached go to /opt/hostedtoolcache/go/1.26.3/x64
Added go to the path
Successfully set up Go version 1.26

@dangrondahl (Contributor Author) commented:

> I think resolving 1.26.4 as latest was not updated upstream yet...

Ah that could of course explain it

@dangrondahl force-pushed the fix/bump-go-stdlib-cves branch from cd75e22 to d8bb2e9 on June 3, 2026 14:37

Comment thread on go.mod
module github.com/kosli-dev/cli

go 1.26.3
go 1.26.4
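Review bot: raising only the `go` directive with no `toolchain` line means a runner that has Go 1.26.3 installed and `GOTOOLCHAIN=local` in effect fails with `go: go.mod requires go >= 1.26.4` before any test runs; either add `toolchain go1.26.4`, pin `.go-version` to 1.26.4, or wait for actions/go-versions to publish 1.26.4, which the thread settles on as the simplest path since the directive change itself is correct.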
Contributor:

Build failure: go build ./... fails on this PR because GitHub Actions resolves .go-version (1.26) to 1.26.3 — the actions/go-versions manifest hasn't published 1.26.4 yet. With GOTOOLCHAIN=local (the default in CI), Go refuses to build a module requiring a newer version than the installed toolchain:

go: go.mod requires go >= 1.26.4 (running go 1.26.3; GOTOOLCHAIN=local)

Two paths forward:

  1. Wait until actions/go-versions publishes 1.26.4, then re-run CI. This is the simplest option and the change itself is correct.
  2. Add a toolchain directive to go.mod (e.g. toolchain go1.26.4) so that Go's toolchain auto-download kicks in even when the runner ships an older patch. This decouples the module requirement from the CI runner's cached version. Note: this requires GOTOOLCHAIN to not be set to local in CI.

The go.mod change itself is sound — it's purely a CI timing issue.
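A pre-flight check for the failure mode discussed in this thread, added here as an example and not part of the project's CI: it reproduces Go's toolchain-selection rule (the required version is the higher of the `go` and `toolchain` directives, and `GOTOOLCHAIN=local` refuses to download) so a job can report the mismatch plainly before `go build` runs. It assumes only POSIX sh and awk; the go.mod text is passed in, so it works without a Go install.

```shell
#!/bin/sh
# Added example: mirror Go's toolchain check so CI fails early with a clear
# message instead of `go: go.mod requires go >= X (running go Y; GOTOOLCHAIN=local)`.

mod_required_version() {
  # $1: go.mod contents. Prints the higher of the `go` and `toolchain`
  # directives, which is the floor Go enforces (a `toolchain go1.26.4` line
  # raises it even when the `go` line is older).
  printf '%s\n' "$1" | awk '
    $1=="go" && NF==2        { g=$2 }
    $1=="toolchain" && NF==2 { t=$2; sub(/^go/, "", t) }
    END { print (vcmp(t,g)>0 ? t : g) }
    function vcmp(a,b,  x,y,i,n,m) {
      n=split(a,x,"."); m=split(b,y,".")
      for(i=1;i<=3;i++){ if((x[i]+0)!=(y[i]+0)) return (x[i]+0)-(y[i]+0) }
      return 0 }'
}

ver_ge() {
  # $1 >= $2 for dotted numeric versions; missing components count as 0
  awk -v a="$1" -v b="$2" 'BEGIN{
    n=split(a,x,"."); m=split(b,y,".")
    for(i=1;i<=3;i++){ if((x[i]+0)>(y[i]+0)) exit 0; if((x[i]+0)<(y[i]+0)) exit 1 }
    exit 0 }'
}

check_toolchain() {
  # $1: go.mod contents   $2: installed version as printed by `go version`, e.g. go1.26.3
  # $3: GOTOOLCHAIN value (auto is Go's default since 1.21; local disables downloads)
  need=$(mod_required_version "$1")
  have=${2#go}
  mode=${3:-auto}
  if ver_ge "$have" "$need"; then
    echo "ok: installed go$have satisfies go >= $need"; return 0
  elif [ "$mode" = "local" ]; then
    echo "fail: go.mod requires go >= $need (running go $have; GOTOOLCHAIN=local)"; return 1
  else
    echo "download: GOTOOLCHAIN=$mode will fetch go$need on first build"; return 2
  fi
}

# Constructed sample modelled on the go.mod hunk in this PR; the runner in the
# thread had go1.26.3 with GOTOOLCHAIN=local, which is the failing combination.
SAMPLE_GOMOD='module github.com/kosli-dev/cli

go 1.26.4
'
check_toolchain "$SAMPLE_GOMOD" go1.26.3 local || true
```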

@mbevc1 (Contributor) commented Jun 3, 2026

Seems there was an upstream issue confirming previous conversation here: actions/runner-images#14178

@mbevc1 (Contributor) commented Jun 3, 2026

Should be solved by actions/go-versions#137

@mbevc1 mbevc1 enabled auto-merge (squash) June 3, 2026 16:37
@mbevc1 mbevc1 merged commit 1030045 into main Jun 3, 2026
41 of 47 checks passed
@mbevc1 mbevc1 deleted the fix/bump-go-stdlib-cves branch June 3, 2026 16:44