Skip to content

Bump go directive to 1.26.5 to clear GO-2026-5856#113

Merged
saivedant169 merged 2 commits into
mainfrom
fix/govulncheck-go-1265
Jul 9, 2026
Merged

Bump go directive to 1.26.5 to clear GO-2026-5856#113
saivedant169 merged 2 commits into
mainfrom
fix/govulncheck-go-1265

Conversation

@saivedant169

Copy link
Copy Markdown
Owner

CI is failing on the govulncheck step of the test job:

Vulnerability #1: GO-2026-5856
  Standard library
    Found in: crypto/tls@go1.26.4
    Fixed in: crypto/tls@go1.26.5

This is a crypto/tls vulnerability in the Go standard library, not a dependency. CI resolves the toolchain from the go directive in go.mod (go-version-file: go.mod in ci.yaml and release.yaml), so the scan builds against the affected standard library.

Bumps the directive from 1.26.4 to 1.26.5. Verified locally that govulncheck ./... reports no vulnerabilities under go1.26.5, and that the build passes with the current dependency set.

govulncheck flags GO-2026-5856, a crypto/tls vulnerability in the Go
standard library, found in go1.26.4 and fixed in go1.26.5. CI reads the
toolchain from the go directive via go-version-file, so the scan builds
against the affected standard library and fails. Bump the directive to
1.26.5. Verified locally that govulncheck reports no vulnerabilities
under go1.26.5.
The go directive bump to 1.26.5 outran the pinned golang:1.26.4-alpine
base image, so the docker and smoke jobs could no longer satisfy the
module's Go requirement. Bump the three Dockerfiles to golang:1.26.5-alpine
and update the documented minimum and the install-script version checks to
match. golang:1.26.5-alpine is published; the Go build succeeds under
1.26.5 with the current dependency set.
@saivedant169
saivedant169 merged commit 2181560 into main Jul 9, 2026
4 checks passed
@saivedant169
saivedant169 deleted the fix/govulncheck-go-1265 branch July 9, 2026 10:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant