fix: upgrade Go to 1.26.2 to patch stdlib vulnerabilities #9

Merged
bun913 merged 2 commits into main from fix/go-version
Apr 18, 2026

@bun913 bun913 commented Apr 18, 2026

Background

govulncheck flagged four vulnerabilities in the Go 1.26.1 standard library —
three in crypto/x509 (GO-2026-4947, GO-2026-4946, GO-2026-4866) and one in
crypto/tls (GO-2026-4870) — all reachable through the preview server's
http.Server.Serve path and all fixed in Go 1.26.2.

While bumping the version, the CI workflows were also hardcoding
go-version: "1.26", which silently absorbs future patch drift. Pointing
setup-go at go.mod lets the pinned toolchain go1.26.2 directive serve
as the single source of truth for both local builds and CI.

Changes

  • Bump .tool-versions from golang 1.26.1 to golang 1.26.2 (local asdf)
  • Set go.mod to go 1.26 with toolchain go1.26.2
  • Read the Go version from go.mod in ci.yml and release.yml via setup-go's go-version-file

@bun913 bun913 self-assigned this Apr 18, 2026

actions/setup-go@v5 does not strip the tool-name prefix from .tool-versions
entries and treats "golang 1.26.2" as a literal version spec, which fails
to resolve. go.mod works because setup-go understands the `toolchain`
directive (pinned to go1.26.2), so both local and CI still share one source.

@bun913 bun913 merged commit 45e2383 into main Apr 18, 2026
1 check passed
@bun913 bun913 deleted the fix/go-version branch April 18, 2026 01:08
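
A drift check for the three pins this PR aligns (`.tool-versions`, the `toolchain` directive in go.mod, and the setup-go inputs in the workflows), as an added example that is not part of the PR or the repository. `CheckPins`, `field` and the sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample inputs (not the repository's real files).
const (
	sampleGoMod   = "module example.test/preview\n\ngo 1.26\n\ntoolchain go1.26.2\n"
	sampleAsdf    = "golang 1.26.1\n" // stale on purpose
	sampleOldYAML = "- uses: actions/setup-go@v5\n  with:\n    go-version: \"1.26\"\n"
	sampleNewYAML = "- uses: actions/setup-go@v5\n  with:\n    go-version-file: go.mod\n"
)

// field returns the token after the first line whose first token is key.
func field(text, key string) string {
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == key {
			return f[1]
		}
	}
	return ""
}

// CheckPins reports where the Go version pins disagree. It scans lines
// and is not a full go.mod or YAML parser.
func CheckPins(goMod, toolVersions, workflow string) []string {
	var out []string
	toolchain := strings.TrimPrefix(field(goMod, "toolchain"), "go")
	if toolchain == "" {
		out = append(out, "go.mod: no toolchain directive, patch level is not pinned")
	}
	if asdf := field(toolVersions, "golang"); asdf != toolchain {
		out = append(out, fmt.Sprintf(".tool-versions: golang %q != toolchain %q", asdf, toolchain))
	}
	if v := field(workflow, "go-version:"); v != "" {
		out = append(out, "workflow: hardcoded go-version "+v+" bypasses go.mod")
	}
	if field(workflow, "go-version-file:") != "go.mod" {
		out = append(out, "workflow: setup-go does not read go.mod")
	}
	return out
}

func main() {
	for _, f := range CheckPins(sampleGoMod, sampleAsdf, sampleOldYAML) {
		fmt.Println(f)
	}
}
```

Run against the constructed pre-fix inputs it prints three findings; with `.tool-versions` at 1.26.2 and the `go-version-file` workflow it prints none.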