Commit 216d6f9

plural-copilot[bot], michaeljguarino and claude authored
fix: Upgrade Go to 1.26.2 to fix XSS vulnerability (#728)
* Upgrade Go from 1.26.1 to 1.26.2 to fix XSS vulnerability

  This addresses the html/template XSS vulnerability (CVE) in Go stdlib 1.26.1. The vulnerability was caused by improper context tracking across template branches in JS template literals, which could lead to incorrect escaping.

  Updated Go version in:
  - go.mod
  - Dockerfile (main deployment-operator image)
  - dockerfiles/Dockerfile.tests (test image)
  - dockerfiles/mcpserver/terraform-server/Dockerfile (MCP server image)

  All 339 unit tests pass with Go 1.26.2.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* more go bumps

* bump helm vsn

---------

Co-authored-by: Michael Guarino <mjg@plural.sh>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 36f79ee commit 216d6f9

10 files changed

Lines changed: 33 additions & 69 deletions

.github/workflows/publish-sentinel-harness.yaml

Lines changed: 1 addition & 1 deletion
@@ -195,6 +195,6 @@ jobs:
195195
cache-from: type=gha
196196
cache-to: type=gha,mode=max
197197
build-args: |
198-
GO_VERSION=1.26.1
198+
GO_VERSION=1.26.2
199199
SENTINEL_HARNESS_BASE_IMAGE_REPO=ghcr.io/pluralsh/sentinel-harness-base
200200
SENTINEL_HARNESS_BASE_IMAGE_TAG=${{ needs.publish-base-image.outputs.version }}
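
Review bot: `GO_VERSION=1.26.2` under `build-args` is a hand-maintained copy of the version that also lives in `go.mod` and in every Dockerfile `FROM` line, which is why the squashed message needs a separate "more go bumps" step beyond the four files it lists. Consider having the workflow read the version from `go.mod` (or one shared variable) so a future security bump cannot leave the sentinel-harness image on the old toolchain.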

Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
1-
FROM golang:1.26.1-alpine3.22 AS builder
1+
FROM golang:1.26.2-alpine3.22 AS builder
22

3-
ARG HELM_VERSION=v3.20.1
3+
ARG HELM_VERSION=v3.20.2
44
ARG TARGETARCH
55

66
# Install curl
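
Review bot: The `HELM_VERSION` change from `v3.20.1` to `v3.20.2` on line 3 rides along with a Go security fix and is recorded only as "bump helm vsn"; state in the message why it is needed, or split it into its own commit so the toolchain fix can be reverted or backported on its own. Also, `golang:1.26.2-alpine3.22` on line 1 is a mutable tag; pinning it by digest as well would make the patched builder image reproducible.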

dockerfiles/Dockerfile.tests

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.26.1-bookworm
1+
FROM golang:1.26.2-bookworm
22

33
RUN apt-get update && apt-get install -y --no-install-recommends \
44
ca-certificates \

dockerfiles/agent-harness/base.Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.26.1-alpine AS builder
1+
FROM golang:1.26.2-alpine AS builder
22

33
ARG TARGETARCH
44
ARG TARGETOS
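
Review bot: `golang:1.26.2-alpine` on line 1 leaves the Alpine release floating, while `Dockerfile` and `dockerfiles/harness/base.Dockerfile` in this same commit pin `alpine3.22`. Use the same `-alpine3.22` suffix here so the builder's OS packages do not change underneath a rebuild and all images in the repository are patched against the same base.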

dockerfiles/harness/base.Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.26.1-alpine3.22 as builder
1+
FROM golang:1.26.2-alpine3.22 as builder
22

33
ARG TARGETARCH
44
ARG TARGETOS
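
Review bot: Line 1 keeps the lowercase `as builder` while every other Dockerfile touched in this commit writes `AS builder`; since the line is being edited anyway, switch it to `FROM golang:1.26.2-alpine3.22 AS builder` to match the keyword casing and avoid the BuildKit `FromAsCasing` warning.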

dockerfiles/mcpserver/terraform-server/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.26.1-alpine AS builder
1+
FROM golang:1.26.2-alpine AS builder
22

33
WORKDIR /workspace
44

dockerfiles/sentinel-harness/base.Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
FROM golang:1.26.1-alpine AS builder
1+
FROM golang:1.26.2-alpine AS builder
22

33
ARG TARGETARCH
44
ARG TARGETOS
@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 \
2525
-o /sentinel-harness \
2626
cmd/sentinel-harness/main.go
2727

28-
FROM golang:1.26.1-alpine AS final
28+
FROM golang:1.26.2-alpine AS final
2929

3030
ARG TARGETARCH
3131
ARG TARGETOS
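
Review bot: The `final` stage on line 28 is itself based on `golang:1.26.2-alpine`, so the shipped image carries the whole Go toolchain and has to be rebuilt for every Go release even though `/sentinel-harness` is built with `CGO_ENABLED=0`. If the harness does not invoke `go` at runtime, base the final stage on a minimal image and copy the binary in; if it does, add a comment on this line saying so, because that is what makes this stage part of the security bump.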

go.mod

Lines changed: 9 additions & 11 deletions
@@ -1,6 +1,6 @@
11
module github.com/pluralsh/deployment-operator
22

3-
go 1.26.1
3+
go 1.26.2
44

55
require (
66
github.com/DataDog/dd-trace-go/contrib/k8s.io/client-go/v2 v2.6.0
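
Review bot: The `go 1.26.2` directive on line 3 is what enforces the fixed standard library for every build of this module, yet the commit message identifies the issue only as "(CVE)". Add the CVE or Go issue identifier to the message so this bump can be matched against scanner findings and the Go release notes.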
@@ -14,6 +14,7 @@ require (
1414
github.com/aws/aws-sdk-go-v2 v1.41.5
1515
github.com/aws/aws-sdk-go-v2/config v1.32.13
1616
github.com/aws/aws-sdk-go-v2/credentials v1.19.13
17+
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21
1718
github.com/aws/aws-sdk-go-v2/service/eks v1.81.2
1819
github.com/cert-manager/cert-manager v1.19.3
1920
github.com/elastic/crd-ref-docs v0.2.0
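
Review bot: Line 17 promotes `github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21` from `// indirect` to a direct requirement, which is unrelated to a toolchain bump and is not mentioned in the commit message. Confirm this comes from an existing direct import that `go mod tidy` picked up, and say so in the message, since a direct dependency on the instance metadata client is worth a reviewer's attention.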
@@ -57,15 +58,15 @@ require (
5758
golang.org/x/time v0.13.0
5859
gopkg.in/yaml.v3 v3.0.1
5960
gotest.tools/gotestsum v1.13.0
60-
helm.sh/helm/v3 v3.18.6
61+
helm.sh/helm/v3 v3.20.2
6162
k8s.io/api v0.35.2
6263
k8s.io/apiextensions-apiserver v0.35.2
6364
k8s.io/apimachinery v0.35.2
64-
k8s.io/cli-runtime v0.34.0
65+
k8s.io/cli-runtime v0.35.1
6566
k8s.io/client-go v0.35.2
6667
k8s.io/klog/v2 v2.140.0
67-
k8s.io/kubectl v0.34.0
68-
k8s.io/metrics v0.34.0
68+
k8s.io/kubectl v0.35.1
69+
k8s.io/metrics v0.35.1
6970
sigs.k8s.io/cluster-api v1.12.1
7071
sigs.k8s.io/controller-runtime v0.22.4
7172
sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240903085516-38546806f2fa
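
Review bot: `k8s.io/cli-runtime`, `k8s.io/kubectl` and `k8s.io/metrics` move to `v0.35.1` while `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` in the same block stay at `v0.35.2`; align the Kubernetes modules on one patch level or note why they differ. The `helm.sh/helm/v3` jump from `v3.18.6` to `v3.20.2` spans two minor releases and deserves more than "bump helm vsn" in a commit presented as a Go security fix.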
@@ -145,7 +146,6 @@ require (
145146
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
146147
github.com/ashanbrown/forbidigo/v2 v2.3.0 // indirect
147148
github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
148-
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
149149
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
150150
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
151151
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
@@ -191,13 +191,13 @@ require (
191191
github.com/ckaznocha/intrange v0.3.1 // indirect
192192
github.com/cloudwego/base64x v0.1.4 // indirect
193193
github.com/cloudwego/iasm v0.2.0 // indirect
194-
github.com/containerd/containerd v1.7.29 // indirect
194+
github.com/containerd/containerd v1.7.30 // indirect
195195
github.com/containerd/errdefs v1.0.0 // indirect
196196
github.com/containerd/log v0.1.0 // indirect
197197
github.com/containerd/platforms v1.0.0-rc.1 // indirect
198198
github.com/creack/pty v1.1.24 // indirect
199199
github.com/curioswitch/go-reassign v0.3.0 // indirect
200-
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
200+
github.com/cyphar/filepath-securejoin v0.6.1 // indirect
201201
github.com/daixiang0/gci v0.13.7 // indirect
202202
github.com/dave/dst v0.27.3 // indirect
203203
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
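
Review bot: `github.com/cyphar/filepath-securejoin` goes from `v0.4.1` to `v0.6.1` on line 200, two minor versions of a 0.x path-resolution library, with no mention in the commit message. Record which direct dependency requires it (for example from `go mod why -m` or `go mod graph`) so reviewers can tell these transitive bumps are a consequence of the Helm and Kubernetes upgrades rather than unreviewed drift.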
@@ -352,15 +352,13 @@ require (
352352
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
353353
github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
354354
github.com/mitchellh/reflectwalk v1.0.2 // indirect
355-
github.com/moby/spdystream v0.5.0 // indirect
356355
github.com/moby/term v0.5.2 // indirect
357356
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
358357
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
359358
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
360359
github.com/moricho/tparallel v0.3.2 // indirect
361360
github.com/muesli/termenv v0.16.0 // indirect
362361
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
363-
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
364362
github.com/nakabonne/nestif v0.3.1 // indirect
365363
github.com/ncruces/go-strftime v0.1.9 // indirect
366364
github.com/nishanths/exhaustive v0.12.0 // indirect
@@ -396,7 +394,7 @@ require (
396394
github.com/rivo/uniseg v0.4.7 // indirect
397395
github.com/rogpeppe/go-internal v1.14.1 // indirect
398396
github.com/rs/zerolog v1.34.0 // indirect
399-
github.com/rubenv/sql-migrate v1.8.0 // indirect
397+
github.com/rubenv/sql-migrate v1.8.1 // indirect
400398
github.com/russross/blackfriday/v2 v2.1.0 // indirect
401399
github.com/ryancurrah/gomodguard v1.4.1 // indirect
402400
github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
