Skip to content

Commit d32fd20

Browse files
alexluongclaude
andauthored
fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs (#983)
* fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs The v1.0.6 release binary is compiled with Go 1.26.0 stdlib, which a security scanner flags for 29 stdlib vulnerabilities (issue #979). Because GOTOOLCHAIN=auto honors the go.mod directive, bumping it to 1.26.4 forces the release build to compile against the patched stdlib. Fixes #979 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * ci: install Go 1.26.4 directly in release and unit-test workflows Match the go.mod directive so CI builds/tests on the patched toolchain instead of relying on GOTOOLCHAIN auto-download. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 7562289 commit d32fd20

3 files changed

Lines changed: 3 additions & 3 deletions

File tree

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ jobs:
3838
- name: Set up Go
3939
uses: actions/setup-go@v5
4040
with:
41-
go-version: 1.23.0
41+
go-version: 1.26.4
4242
- name: Run GoReleaser
4343
uses: goreleaser/goreleaser-action@v4
4444
with:

.github/workflows/unit-tests.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ jobs:
1616
- name: Set up Go
1717
uses: actions/setup-go@v5
1818
with:
19-
go-version: '1.23.0'
19+
go-version: '1.26.4'
2020

2121
- name: Install gotestsum
2222
run: go install gotest.tools/gotestsum@latest

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/hookdeck/outpost
22

3-
go 1.26.0
3+
go 1.26.4
44

55
require (
66
cloud.google.com/go/pubsub v1.50.2

0 commit comments

Comments
 (0)