Upgrade Go to 1.26.2 to fix crypto/x509 CVE (#722)

plural-copilot[bot] · michaeljguarino · web-flow · commit 3be6d6bdbcc8 · 2026-04-11T11:59:47.000-04:00
This commit upgrades the Go version from 1.26.1 to 1.26.2 to address the
crypto/x509 vulnerability (CVE affecting certificate chain validation).

The vulnerability causes denial of service via inefficient certificate
chain validation when certificates contain a very large number of
policy mappings.

Changes:
- Updated go.mod: go directive from 1.26.1 to 1.26.2
- Updated Dockerfile: golang base images from 1.26.1-alpine3.22 to 1.26.2-alpine3.22

Testing:
- go mod tidy: completed successfully with no dependency changes
- go build: binary compiled successfully (117MB)
- go test: all unit tests passed
- docker build: image built successfully (749MB) and tested

Fix Version: 1.26.2
Previous Version: 1.26.1
Package: stdlib

Co-authored-by: Michael Guarino &lt;mjg@plural.sh&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ FROM ubuntu:22.10 AS user
 # Create a nonroot user for final image
 RUN useradd -u 10001 nonroot
 
-FROM golang:1.26.1-alpine3.22 AS builder
+FROM golang:1.26.2-alpine3.22 AS builder
 
 WORKDIR /workspace
 
@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
     -X \"github.com/pluralsh/plural-cli/pkg/common.Date=${APP_DATE}\"" \
     -o plural ./cmd/plural
 
-FROM golang:1.26.1-alpine3.22 AS final
+FROM golang:1.26.2-alpine3.22 AS final
 
 WORKDIR /
 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pluralsh/plural-cli
 
-go 1.26.1
+go 1.26.2
 
 require (
 	cloud.google.com/go/compute v1.54.0
