fix: Upgrade Go to 1.26.2 to fix XSS vulnerability (#728)

plural-copilot[bot] · michaeljguarino · claude · web-flow · commit 216d6f94ca97 · 2026-04-11T18:56:39.000-04:00
* Upgrade Go from 1.26.1 to 1.26.2 to fix XSS vulnerability

This addresses the html/template XSS vulnerability (CVE) in Go stdlib 1.26.1.
The vulnerability was caused by improper context tracking across template
branches in JS template literals, which could lead to incorrect escaping.

Updated Go version in:
- go.mod
- Dockerfile (main deployment-operator image)
- dockerfiles/Dockerfile.tests (test image)
- dockerfiles/mcpserver/terraform-server/Dockerfile (MCP server image)

All 339 unit tests pass with Go 1.26.2.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* more go bumps

* bump helm vsn

---------

Co-authored-by: Michael Guarino &lt;mjg@plural.sh&gt;
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish-sentinel-harness.yaml b/.github/workflows/publish-sentinel-harness.yaml
@@ -195,6 +195,6 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
         build-args: |
-          GO_VERSION=1.26.1
+          GO_VERSION=1.26.2
           SENTINEL_HARNESS_BASE_IMAGE_REPO=ghcr.io/pluralsh/sentinel-harness-base
           SENTINEL_HARNESS_BASE_IMAGE_TAG=${{ needs.publish-base-image.outputs.version }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-FROM golang:1.26.1-alpine3.22 AS builder
+FROM golang:1.26.2-alpine3.22 AS builder
 
-ARG HELM_VERSION=v3.20.1
+ARG HELM_VERSION=v3.20.2
 ARG TARGETARCH
 
 # Install curl
diff --git a/dockerfiles/Dockerfile.tests b/dockerfiles/Dockerfile.tests
@@ -1,4 +1,4 @@
-FROM golang:1.26.1-bookworm
+FROM golang:1.26.2-bookworm
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
diff --git a/dockerfiles/agent-harness/base.Dockerfile b/dockerfiles/agent-harness/base.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.1-alpine AS builder
+FROM golang:1.26.2-alpine AS builder
 
 ARG TARGETARCH
 ARG TARGETOS  
diff --git a/dockerfiles/harness/base.Dockerfile b/dockerfiles/harness/base.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.1-alpine3.22 as builder
+FROM golang:1.26.2-alpine3.22 as builder
 
 ARG TARGETARCH
 ARG TARGETOS
diff --git a/dockerfiles/mcpserver/terraform-server/Dockerfile b/dockerfiles/mcpserver/terraform-server/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.1-alpine AS builder
+FROM golang:1.26.2-alpine AS builder
 
 WORKDIR /workspace
 
diff --git a/dockerfiles/sentinel-harness/base.Dockerfile b/dockerfiles/sentinel-harness/base.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.1-alpine AS builder
+FROM golang:1.26.2-alpine AS builder
 
 ARG TARGETARCH
 ARG TARGETOS  
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 \
     -o /sentinel-harness \
     cmd/sentinel-harness/main.go
 
-FROM golang:1.26.1-alpine AS final
+FROM golang:1.26.2-alpine AS final
 
 ARG TARGETARCH
 ARG TARGETOS
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pluralsh/deployment-operator
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/DataDog/dd-trace-go/contrib/k8s.io/client-go/v2 v2.6.0
@@ -14,6 +14,7 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.41.5
 	github.com/aws/aws-sdk-go-v2/config v1.32.13
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21
 	github.com/aws/aws-sdk-go-v2/service/eks v1.81.2
 	github.com/cert-manager/cert-manager v1.19.3
 	github.com/elastic/crd-ref-docs v0.2.0
@@ -57,15 +58,15 @@ require (
 	golang.org/x/time v0.13.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/gotestsum v1.13.0
-	helm.sh/helm/v3 v3.18.6
+	helm.sh/helm/v3 v3.20.2
 	k8s.io/api v0.35.2
 	k8s.io/apiextensions-apiserver v0.35.2
 	k8s.io/apimachinery v0.35.2
-	k8s.io/cli-runtime v0.34.0
+	k8s.io/cli-runtime v0.35.1
 	k8s.io/client-go v0.35.2
 	k8s.io/klog/v2 v2.140.0
-	k8s.io/kubectl v0.34.0
-	k8s.io/metrics v0.34.0
+	k8s.io/kubectl v0.35.1
+	k8s.io/metrics v0.35.1
 	sigs.k8s.io/cluster-api v1.12.1
 	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240903085516-38546806f2fa
@@ -145,7 +146,6 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/ashanbrown/forbidigo/v2 v2.3.0 // indirect
 	github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
@@ -191,13 +191,13 @@ require (
 	github.com/ckaznocha/intrange v0.3.1 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/containerd/containerd v1.7.29 // indirect
+	github.com/containerd/containerd v1.7.30 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/creack/pty v1.1.24 // indirect
 	github.com/curioswitch/go-reassign v0.3.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/daixiang0/gci v0.13.7 // indirect
 	github.com/dave/dst v0.27.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -352,15 +352,13 @@ require (
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/moricho/tparallel v0.3.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/nishanths/exhaustive v0.12.0 // indirect
@@ -396,7 +394,7 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rs/zerolog v1.34.0 // indirect
-	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/rubenv/sql-migrate v1.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryancurrah/gomodguard v1.4.1 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
diff --git a/go.sum b/go.sum
diff --git a/terratest/go.mod b/terratest/go.mod

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.26.1-bookworm`
	`1`	`+FROM golang:1.26.2-bookworm`
`2`	`2`
`3`	`3`	`RUN apt-get update && apt-get install -y --no-install-recommends \`
`4`	`4`	`ca-certificates \`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.26.1-alpine AS builder`
	`1`	`+FROM golang:1.26.2-alpine AS builder`
`2`	`2`
`3`	`3`	`ARG TARGETARCH`
`4`	`4`	`ARG TARGETOS`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.26.1-alpine3.22 as builder`
	`1`	`+FROM golang:1.26.2-alpine3.22 as builder`
`2`	`2`
`3`	`3`	`ARG TARGETARCH`
`4`	`4`	`ARG TARGETOS`