
Raise minimum Go to 1.24; fix govulncheck #199

Merged: apstndb merged 2 commits into main from chore/go-1.24-minimum on Jun 9, 2026

Conversation

@apstndb (Owner) commented Jun 9, 2026

Summary

  • go.mod: minimum Go 1.24 — required by the security-bumped indirect dependencies (golang.org/x/sys@v0.40.0, go.opentelemetry.io/otel@v1.40.0, github.com/go-jose/go-jose/v4@v4.1.4 each declare go 1.24.0; CVE fixes cannot land on Go 1.23). Aligns with Go’s three-minor support window (1.24+ with 1.26 current).
  • README: documents Go 1.24+ requirement.
  • Dependencies: bump reachable transitive modules to close govulncheck findings (see advisories below).
  • CI: govulncheck uses floating Go 1.25 (latest patched 1.25.x); remove continue-on-error.

Advisories addressed (govulncheck symbol results)

| Advisory | Module / area | Fix |
| --- | --- | --- |
| GO-2026-4945 | github.com/go-jose/go-jose/v4 | v4.0.5 → v4.1.4 |
| GO-2026-4394 | go.opentelemetry.io/otel/sdk | v1.36.0 → v1.40.0 |
| GO-2026-5037, GO-2026-5039 | Go stdlib (crypto/x509, net/textproto) | govulncheck job on patched Go 1.25.x |

Release notes (v0.7.0 stable)

Upgrading from v0.6.x / v0.7.0-alpha:

| | v0.6.x / v0.7.0-alpha | v0.7.0 |
| --- | --- | --- |
| Minimum Go | 1.23 | 1.24 (required by patched go-jose, OpenTelemetry SDK, and x/sys transitive versions) |

Alpha adopters on Go 1.23 must upgrade their toolchain before v0.7.0.

Test plan

  • make check
  • govulncheck ./... (Go 1.25.11 locally): no symbol vulnerabilities

Drop Go 1.23 support (outside the current three-minor support window).
Bump patched indirect dependencies (go-jose, OpenTelemetry SDK) reachable
via cloud.google.com/go/spanner. Run govulncheck on Go 1.25.11 without
continue-on-error. Document Go 1.24+ in README.

Co-authored-by: Cursor <cursoragent@cursor.com>
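The PR's central justification, that the go.mod floor is dictated by the `go` directives of the security-bumped dependencies rather than by policy alone, can be checked mechanically instead of by reading each module's go.mod by hand. The program below is an added example, not code from this PR or the repository: it parses the JSON stream that `go list -m -json all` emits, compares `go` directives with the standard library's `go/version` package, and reports the effective floor and every dependency that pushes it above the main module's current directive. The embedded module list is constructed from the versions named in the PR description (the main module path is a placeholder), not captured output from a real build tree.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/version"
	"io"
	"strings"
)

// Module holds the fields of `go list -m -json all` output that matter here.
type Module struct {
	Path      string
	Version   string
	Main      bool
	Indirect  bool
	GoVersion string // the module's own `go` directive, e.g. "1.24.0"
}

// Requirement is a dependency whose go directive is newer than the main module's.
type Requirement struct {
	Path      string
	Version   string
	GoVersion string
}

// MinimumGo reads a `go list -m -json all` stream and returns the main module's
// go directive, the newest go directive among its dependencies (the floor the
// main module must declare to build with those versions), and every dependency
// that pushes that floor above the current directive.
func MinimumGo(r io.Reader) (mainGo, floor string, forcing []Requirement, err error) {
	dec := json.NewDecoder(r)
	var deps []Module
	for {
		var m Module
		derr := dec.Decode(&m)
		if derr == io.EOF {
			break
		}
		if derr != nil {
			return "", "", nil, fmt.Errorf("decoding go list output: %w", derr)
		}
		if m.Main {
			mainGo = m.GoVersion
			continue
		}
		deps = append(deps, m)
	}
	if mainGo == "" {
		return "", "", nil, fmt.Errorf("no main module in input")
	}
	floor = mainGo
	for _, m := range deps {
		if m.GoVersion == "" {
			continue // pre-modules-era modules carry no go directive and cannot raise the floor
		}
		// go/version expects the "go" prefix: "go1.24.0", not "1.24.0".
		if version.Compare("go"+m.GoVersion, "go"+floor) > 0 {
			floor = m.GoVersion
		}
		if version.Compare("go"+m.GoVersion, "go"+mainGo) > 0 {
			forcing = append(forcing, Requirement{m.Path, m.Version, m.GoVersion})
		}
	}
	return mainGo, floor, forcing, nil
}

// sampleGoList is a constructed `go list -m -json all` excerpt that mirrors the
// versions cited in the PR; the main module path is a placeholder.
const sampleGoList = `
{"Path": "example.com/placeholder-module", "Main": true, "GoVersion": "1.23"}
{"Path": "golang.org/x/sys", "Version": "v0.40.0", "Indirect": true, "GoVersion": "1.24.0"}
{"Path": "go.opentelemetry.io/otel", "Version": "v1.40.0", "Indirect": true, "GoVersion": "1.24.0"}
{"Path": "github.com/go-jose/go-jose/v4", "Version": "v4.1.4", "Indirect": true, "GoVersion": "1.24.0"}
{"Path": "example.com/constructed/legacy", "Version": "v0.1.0", "Indirect": true, "GoVersion": "1.21"}
{"Path": "example.com/constructed/ancient", "Version": "v0.0.1", "Indirect": true}
`

func main() {
	mainGo, floor, forcing, err := MinimumGo(strings.NewReader(sampleGoList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("go.mod declares go %s; dependencies require at least go %s\n", mainGo, floor)
	for _, f := range forcing {
		fmt.Printf("  %s@%s declares go %s\n", f.Path, f.Version, f.GoVersion)
	}
}
```

To run it against a real tree, replace `strings.NewReader(sampleGoList)` with `os.Stdin` and pipe in `go list -m -json all`; a non-empty `forcing` list is the concrete evidence to cite in a release note when a dependency bump raises the minimum Go version.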

@apstndb (Owner, Author) left a comment

Solid security/maintenance PR. I verified the key justification: the Go 1.24 bump is not just a support-window policy choice — it's forced by the patched dependencies. golang.org/x/sys@v0.40.0, go.opentelemetry.io/otel@v1.40.0, and github.com/go-jose/go-jose/v4@v4.1.4 all declare go 1.24.0 (the versions they replace declared 1.23/1.21), so you cannot take these CVE fixes while staying on go 1.23. Worth stating that concrete reason in the PR/release notes; it removes any "is dropping 1.23 optional?" debate. The README / AGENTS.md / gospanner README updates are consistent, and dropping the now-stale toolchain go1.23.2 pin is fine.

Removing continue-on-error is reasonable: the govulncheck job is gated on push/schedule (not pull_request), so it won't block PR merges — it surfaces new advisories as a red scheduled/push run, which is the intended alerting.

One CI point inline (the pinned scanner toolchain), plus a docs suggestion.

Inline comment threads: .github/workflows/go.yml (outdated), go.mod
Use floating 1.25 instead of pinning 1.25.11 so stdlib CVE fixes in
future 1.25.x releases do not require manual workflow bumps.

Co-authored-by: Cursor <cursoragent@cursor.com>
@apstndb apstndb merged commit 39b88c4 into main Jun 9, 2026
5 checks passed
@apstndb apstndb deleted the chore/go-1.24-minimum branch June 9, 2026 07:35
