Commit d32fd20
fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs (#983)
* fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs
The v1.0.6 release binary is compiled with Go 1.26.0 stdlib, which a
security scanner flags for 29 stdlib vulnerabilities (issue #979).
Because GOTOOLCHAIN=auto honors the go.mod directive, bumping it to
1.26.4 forces the release build to compile against the patched stdlib.
Fixes #979
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: install Go 1.26.4 directly in release and unit-test workflows
Match the go.mod directive so CI builds/tests on the patched toolchain
instead of relying on GOTOOLCHAIN auto-download.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 7562289 commit d32fd20
3 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
38 | 38 | | |
39 | 39 | | |
40 | 40 | | |
41 | | - | |
| 41 | + | |
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
19 | | - | |
| 19 | + | |
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
0 commit comments