Skip to content

chore: bump Go to 1.26.5 (GO-2026-5856)#19

Merged
kshahbw merged 1 commit into
mainfrom
chore/bump-go-1.26.5
Jul 16, 2026
Merged

chore: bump Go to 1.26.5 (GO-2026-5856)#19
kshahbw merged 1 commit into
mainfrom
chore/bump-go-1.26.5

Conversation

@kshahbw

@kshahbw kshahbw commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps the go directive in go.mod from 1.26.4 to 1.26.5.

CI installs Go via go-version-file: go.mod, so it was pinned to 1.26.4 — which is affected by GO-2026-5856 (CVE-2026-42505), a crypto/tls ECH de-anonymization vulnerability fixed in go1.26.5. As a result the security job's govulncheck ./... step fails on every branch (main included — its last run predates the vuln landing in the govulncheck DB). This bumps to the patched release.

Patch-level bump — no language or API changes.

Why now

govulncheck failed the security job on unrelated PRs (e.g. #17). The flagged call sites (internal/api/client.go, internal/output/output.go, internal/testutil/golden.go) are all in the stdlib TLS path, not in any feature branch's changes — it's the pinned toolchain, so it's fixed here once for the whole repo.

Verification (local, under go1.26.5)

  • go build ./... — clean
  • go test ./... — all pass
  • govulncheck ./...no vulnerabilities in called code (GO-2026-5856 resolved)

🤖 Generated with Claude Code

CI installs Go via go-version-file: go.mod, which pinned 1.26.4. That
release is affected by GO-2026-5856 (CVE-2026-42505), a crypto/tls ECH
de-anonymization bug fixed in go1.26.5, so govulncheck fails the security
job on every branch. Bump the go directive to 1.26.5 to pull the patched
standard library. Patch-level bump, no language changes.

Verified: go build ./..., go test ./..., and govulncheck ./... (no called
vulnerabilities) all pass under 1.26.5.
@kshahbw
kshahbw requested review from a team as code owners July 16, 2026 14:10
@bwappsec

bwappsec commented Jul 16, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@kshahbw
kshahbw merged commit 8c6f299 into main Jul 16, 2026
8 checks passed
@kshahbw
kshahbw deleted the chore/bump-go-1.26.5 branch July 16, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants