deck currently declares go 1.25.7, which is affected by multiple Go standard library vulnerabilities.
Confirmed by running govulncheck ./... on both origin/main and tag v1.57.3 with GOTOOLCHAIN=go1.25.7.
Reachable findings:
- GO-2026-4947 in crypto/x509 (fixed in go1.25.9)
- GO-2026-4946 in crypto/x509 (fixed in go1.25.9)
- GO-2026-4870 in crypto/tls (fixed in go1.25.9)
- GO-2026-4601 in net/url (fixed in go1.25.8)
Minimal proposed fix:
- bump go.mod from go 1.25.7 to go 1.25.9
- update the Docker builder image from golang:1.25.7 to golang:1.25.9 with the matching pinned digest
Validation:
- GOTOOLCHAIN=go1.25.7 govulncheck ./... reproduces the reachable stdlib vulnerabilities on origin/main and v1.57.3
- patched branch removes the reachable findings
- local Docker build succeeds with the pinned 1.25.9 image
cc @Kong/team-deck
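
A CI guard for the proposed fix, as an added example that is not part of the issue or the deck repository: it fails when the go.mod go directive or a golang:* builder image is below a minimum version, or when the image is not digest-pinned. The function names, the sample module path and the placeholder digest are assumptions, and the sample files are constructed.

```shell
# Added example: CI guard for a minimum Go toolchain (not code from the deck repo).

version_ge() {  # succeeds when dotted numeric version $1 >= $2
    case $1$2 in *[!0-9.]*) return 1 ;; esac   # reject tags such as "latest"
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "$_a" = "$_x" ] && _a= || _a=${_a#*.}
        [ "$_b" = "$_y" ] && _b= || _b=${_b#*.}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

go_directive() {  # print the version from the "go X.Y.Z" line of a go.mod
    awk '$1 == "go" && NF == 2 { print $2; exit }' "$1"
}

builder_images() {  # print every golang:* image named on a FROM line
    awk 'toupper($1) == "FROM" {
        for (i = 2; i <= NF; i++) if ($i !~ /^--/) { if ($i ~ /^golang:/) print $i; break }
    }' "$1"
}

check_toolchain() {  # args: go.mod path, Dockerfile path, minimum Go version
    _rc=0
    _mod=$(go_directive "$1")
    version_ge "$_mod" "$3" || { echo "go.mod: go '$_mod' is below $3"; _rc=1; }
    for _img in $(builder_images "$2"); do
        _tag=${_img#golang:}; _tag=${_tag%%@*}; _tag=${_tag%%-*}
        version_ge "$_tag" "$3" || { echo "Dockerfile: $_img is below $3"; _rc=1; }
        case $_img in *@sha256:*) ;; *) echo "Dockerfile: $_img is not digest-pinned"; _rc=1 ;; esac
    done
    return "$_rc"
}

write_samples() {  # constructed inputs; module path and digest are placeholders
    printf 'module example.com/sample\n\ngo %s\n' "$2" > "$1/go.mod"
    printf 'FROM golang:%s AS build\nRUN go build ./...\n' "$3" > "$1/Dockerfile"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir" 1.25.7 1.25.7
check_toolchain "$demo_dir/go.mod" "$demo_dir/Dockerfile" 1.25.9 || echo "-> rejected"
write_samples "$demo_dir" 1.25.9 "1.25.9@sha256:PLACEHOLDER"
check_toolchain "$demo_dir/go.mod" "$demo_dir/Dockerfile" 1.25.9 && echo "-> accepted"
rm -rf "$demo_dir"
```

The guard reads only the go directive and golang:* FROM lines; it complements govulncheck, which remains the check for whether a finding is reachable.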