Skip to content

Commit 5977b85

Browse files
committed
chore(deps): bump Go 1.26.4, x/text v0.39.0, fix CI security scanners
- go directive: 1.26.3 → 1.26.4 (fixes OSV GO-2026-5037, GO-2026-5039) - golang.org/x/text: v0.38.0 → v0.39.0 (fixes Trivy CVE-2026-56852) - CI workflows: go-version '1.26' → '~1.26' for automatic patch pickup - osv-scanner.toml: ignore GO-2026-4970, GO-2026-5856 (fixed in 1.26.5, not yet available in MegaLinter container; govulncheck warning is non-fatal)
1 parent c54c94c commit 5977b85

7 files changed

Lines changed: 26 additions & 16 deletions

File tree

.github/workflows/go.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
- name: Set up Go
2929
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
3030
with:
31-
go-version: "1.26"
31+
go-version: "~1.26"
3232

3333
- name: Download dependencies
3434
run: go mod download
@@ -47,7 +47,7 @@ jobs:
4747
- name: Set up Go
4848
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
4949
with:
50-
go-version: "1.26"
50+
go-version: "~1.26"
5151

5252
- name: Static Analysis
5353
run: go vet ./...
@@ -74,7 +74,7 @@ jobs:
7474
- name: Set up Go
7575
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
7676
with:
77-
go-version: "1.26"
77+
go-version: "~1.26"
7878

7979
- name: Generate known files from Linguist
8080
run: go generate ./pkg/filetype/...
@@ -99,7 +99,7 @@ jobs:
9999
- name: Set up Go
100100
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
101101
with:
102-
go-version: "1.26"
102+
go-version: "~1.26"
103103

104104
- name: Unit test
105105
run: go test -v -cover -coverprofile coverage.out ./...

.github/workflows/golangci-lint.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ jobs:
1616
golangci:
1717
strategy:
1818
matrix:
19-
go: ["1.26"]
19+
go: ["~1.26"]
2020
os: [ubuntu-latest, macos-latest, windows-latest]
2121
permissions:
2222
# Optional: Allow write access to checks to allow the action to annotate code in the PR.

.github/workflows/linguist.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ jobs:
3333
- name: Go Setup
3434
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
3535
with:
36-
go-version: "1.26"
36+
go-version: "~1.26"
3737

3838
- name: Fetch latest Linguist SHA
3939
id: fetch-sha

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ jobs:
3333
- name: Set up Go
3434
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
3535
with:
36-
go-version: "1.26"
36+
go-version: "~1.26"
3737

3838
- name: Update SchemaStore catalog
3939
run: |

go.mod

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ require (
5454
golang.org/x/net v0.56.0 // indirect
5555
golang.org/x/sync v0.21.0 // indirect
5656
golang.org/x/sys v0.46.0 // indirect
57-
golang.org/x/text v0.38.0 // indirect
58-
golang.org/x/tools v0.45.0 // indirect
57+
golang.org/x/text v0.39.0 // indirect
58+
golang.org/x/tools v0.47.0 // indirect
5959
gopkg.in/warnings.v0 v0.1.2 // indirect
6060
)

go.sum

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -126,10 +126,10 @@ golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
126126
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
127127
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
128128
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
129-
golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
130-
golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
131-
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
132-
golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
129+
golang.org/x/text v0.39.0 h1:UbZz4pLOvn600D6Oh6GGEI6VAmndrEBLv8/6BEXzyus=
130+
golang.org/x/text v0.39.0/go.mod h1:3UwRclnC2g0TU9x8PZiyfOajCd1zaUNHF9cvqcQZ+ZM=
131+
golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
132+
golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
133133
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
134134
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
135135
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

osv-scanner.toml

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,14 @@
1+
# osv-scanner configuration
2+
# https://google.github.io/osv-scanner/configuration/
3+
4+
# Go stdlib vulnerabilities fixed in 1.26.4+. MegaLinter's container ships
5+
# Go 1.26.3 and sets GOTOOLCHAIN=local. Remove these once the container updates.
16
[[IgnoredVulns]]
2-
id = "GHSA-h67p-54hq-rp68"
3-
reason = "js-yaml 3.14.2 is a transitive dependency of Docusaurus; waiting for upstream fix"
4-
ignoreUntil = "2026-10-07T00:00:00Z"
7+
id = "GO-2026-4970"
8+
reason = "Go stdlib — waiting for MegaLinter container to ship 1.26.4+"
9+
ignoreUntil = "2026-10-16T00:00:00Z"
10+
11+
[[IgnoredVulns]]
12+
id = "GO-2026-5856"
13+
reason = "Go stdlib — waiting for MegaLinter container to ship 1.26.4+"
14+
ignoreUntil = "2026-10-16T00:00:00Z"

0 commit comments

Comments
 (0)