Raise minimum Go to 1.24; fix govulncheck #199
Drop Go 1.23 support (outside the current three-minor support window). Bump patched indirect dependencies (go-jose, OpenTelemetry SDK) reachable via cloud.google.com/go/spanner. Run govulncheck on Go 1.25.11 without continue-on-error. Document Go 1.24+ in README. Co-authored-by: Cursor <cursoragent@cursor.com>
apstndb
left a comment
Solid security/maintenance PR. I verified the key justification: the Go 1.24 bump is not just a support-window policy choice — it's forced by the patched dependencies. golang.org/x/sys@v0.40.0, go.opentelemetry.io/otel@v1.40.0, and github.com/go-jose/go-jose/v4@v4.1.4 all declare go 1.24.0 (the versions they replace declared 1.23/1.21), so you cannot take these CVE fixes while staying on go 1.23. Worth stating that concrete reason in the PR/release notes; it removes any "is dropping 1.23 optional?" debate. The README / AGENTS.md / gospanner README updates are consistent, and dropping the now-stale toolchain go1.23.2 pin is fine.
Removing continue-on-error is reasonable: the govulncheck job is gated on push/schedule (not pull_request), so it won't block PR merges — it surfaces new advisories as a red scheduled/push run, which is the intended alerting.
One CI point inline (the pinned scanner toolchain), plus a docs suggestion.
Use floating 1.25 instead of pinning 1.25.11 so stdlib CVE fixes in future 1.25.x releases do not require manual workflow bumps. Co-authored-by: Cursor <cursoragent@cursor.com>
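To make the two CI points concrete (job gated on push/schedule, floating 1.25 toolchain instead of the 1.25.11 pin, no continue-on-error), here is an illustrative GitHub Actions workflow. It is an added example, not the project's own workflow file; the branch name, cron time and job name are assumptions.

```yaml
# Illustrative workflow, not the project's own file.
name: govulncheck

# Gated on push and schedule, not pull_request: a new advisory turns the
# scheduled/push run red without blocking PR merges.
on:
  push:
    branches: [main]        # assumed default branch name
  schedule:
    - cron: '17 6 * * *'    # assumed daily scan time (UTC)

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          # Floating minor: resolves to the latest 1.25.x release, so stdlib
          # fixes in future patch releases are picked up without editing this
          # file. The weaker form this replaces was the exact pin '1.25.11'.
          go-version: '1.25'
          check-latest: true

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan for reachable vulnerabilities
        # Deliberately no `continue-on-error: true` on this step: a non-zero
        # exit from govulncheck fails the job, which is the alerting the PR
        # relies on.
        run: govulncheck ./...
```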
Summary

- go.mod: minimum Go 1.24 — required by the security-bumped indirect dependencies (golang.org/x/sys@v0.40.0, go.opentelemetry.io/otel@v1.40.0 and github.com/go-jose/go-jose/v4@v4.1.4 each declare go 1.24.0; CVE fixes cannot land on Go 1.23). Aligns with Go's three-minor support window (1.24+ with 1.26 current).
- govulncheck workflow: runs without continue-on-error.

Advisories addressed (govulncheck symbol results)

- github.com/go-jose/go-jose/v4
- go.opentelemetry.io/otel/sdk
- Go standard library (crypto/x509, net/textproto)

Release notes (v0.7.0 stable)

Upgrading from v0.6.x / v0.7.0-alpha:

- Bumped patched dependencies (go-jose, OpenTelemetry SDK, and x/sys transitive versions).
- Alpha adopters on Go 1.23 must upgrade their toolchain before v0.7.0.

Test plan

- make check
- govulncheck ./... (Go 1.25.11 locally): no symbol vulnerabilities