From 0edcf29f8618b2d0549ac3fbb421c15f7447dcc5 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Tue, 14 Apr 2026 16:01:03 -0700 Subject: [PATCH 1/3] chore: upgrade Go toolchain from 1.23.4 to 1.25 Resolves CVE-2025-68121 (CRITICAL, crypto/tls certificate validation during TLS session resumption) and multiple HIGH/MEDIUM Go stdlib CVEs across all zoekt binaries. Also pulls latest zoekt submodule (dec971a, bump dependencies #9) which updates go.mod to go 1.25.0. Co-Authored-By: Claude Opus 4.6 (1M context) --- Dockerfile | 2 +- vendor/zoekt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 66bc3489c..aaa319c8f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ ARG NEXT_PUBLIC_LANGFUSE_BASE_URL ARG NEXT_PUBLIC_BUILD_COMMIT_SHA FROM node:24-alpine3.23 AS node-alpine -FROM golang:1.23.4-alpine3.19 AS go-alpine +FROM golang:1.25-alpine AS go-alpine # ---------------------------------- # ------ Build Zoekt ------ diff --git a/vendor/zoekt b/vendor/zoekt index 4a1108012..dec971ae6 160000 --- a/vendor/zoekt +++ b/vendor/zoekt @@ -1 +1 @@ -Subproject commit 4a110801260d0ba5138c66d39f8cc1f0394af1a9 +Subproject commit dec971ae64e960288e93c81e16f2ae0922653bd0 From bf87d88bc148fbf50f26b115ab8959dc6aafb548 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Tue, 14 Apr 2026 16:01:43 -0700 Subject: [PATCH 2/3] docs: add CHANGELOG entry for Go toolchain upgrade Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e105f22da..63f6bfda5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Deprecated `GOOGLE_VERTEX_THINKING_BUDGET_TOKENS` environment variable in favor of per-model `thinkingBudget` config. [#1110](https://github.com/sourcebot-dev/sourcebot/pull/1110) - Removed `GOOGLE_VERTEX_INCLUDE_THOUGHTS` environment variable. Thoughts are now always included. [#1110](https://github.com/sourcebot-dev/sourcebot/pull/1110) - Renamed and consolidated PostHog chat events (`wa_chat_thread_created` -> `ask_thread_created`, `wa_chat_message_sent` -> `ask_message_sent`, `wa_chat_tool_used` -> `tool_used`), added unified `tool_used` tracking across the ask agent and MCP server, and removed the redundant `api_code_search_request` event. [#1111](https://github.com/sourcebot-dev/sourcebot/pull/1111) +- Upgraded Go toolchain from 1.23.4 to 1.25, resolving CVE-2025-68121 (CRITICAL) and multiple HIGH/MEDIUM Go stdlib CVEs. [#1112](https://github.com/sourcebot-dev/sourcebot/pull/1112) ## [4.16.8] - 2026-04-09 From f80962fefce7d9466fe26d874da41a9fa7884331 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Tue, 14 Apr 2026 16:02:40 -0700 Subject: [PATCH 3/3] changelog --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63f6bfda5..e105f22da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,7 +14,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Deprecated `GOOGLE_VERTEX_THINKING_BUDGET_TOKENS` environment variable in favor of per-model `thinkingBudget` config. [#1110](https://github.com/sourcebot-dev/sourcebot/pull/1110) - Removed `GOOGLE_VERTEX_INCLUDE_THOUGHTS` environment variable. Thoughts are now always included. [#1110](https://github.com/sourcebot-dev/sourcebot/pull/1110) - Renamed and consolidated PostHog chat events (`wa_chat_thread_created` -> `ask_thread_created`, `wa_chat_message_sent` -> `ask_message_sent`, `wa_chat_tool_used` -> `tool_used`), added unified `tool_used` tracking across the ask agent and MCP server, and removed the redundant `api_code_search_request` event. [#1111](https://github.com/sourcebot-dev/sourcebot/pull/1111) -- Upgraded Go toolchain from 1.23.4 to 1.25, resolving CVE-2025-68121 (CRITICAL) and multiple HIGH/MEDIUM Go stdlib CVEs. [#1112](https://github.com/sourcebot-dev/sourcebot/pull/1112) ## [4.16.8] - 2026-04-09
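Review bot: In the Dockerfile hunk of patch 1/3, `FROM golang:1.25-alpine AS go-alpine` replaces a fully pinned tag (`golang:1.23.4-alpine3.19`) with one that floats on both the Go patch release and the Alpine release. Because this line is the fix for CVE-2025-68121, the build should record exactly which toolchain it ships: pin the Go patch version and the Alpine release (ideally the image digest as well), the way `node:24-alpine3.23` pins its Alpine release two lines above, and let an automated update raise the pin. As written, two builds of the same commit can compile the zoekt binaries with different toolchains, and a scanner finding cannot be tied back to a specific base image.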
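Review bot: The `vendor/zoekt` hunk in patch 1/3 moves the submodule from 4a1108012 to dec971ae6, which the commit message describes as a dependency bump and not only a change of the `go` directive, so it brings in third-party module updates that this diff does not show. Link the submodule compare range in the PR description, or list the modules that changed, so the reviewer can check what enters the build alongside the toolchain upgrade.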
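Review bot: The CHANGELOG.md hunk in patch 3/3 deletes the exact entry that patch 2/3 added, and its commit message ("changelog") gives no reason, so the series ends with a security-relevant toolchain upgrade that has no changelog entry. If the removal is intended, state why in the commit message and squash patches 2/3 and 3/3 out of the series; otherwise drop patch 3/3 so the `CVE-2025-68121` line stays in the release notes.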