This is a security update
Pull request overview
Updates the Go builder base image in the project’s Docker build to incorporate upstream security fixes for the listed Go CVEs.
Changes:
- Bump Docker build stage image from golang:1.25.7 to golang:1.25.8.
| # use newer golang because that's what I'm building with currently | ||
| FROM golang:1.25.7 AS build | ||
| FROM golang:1.25.8 AS build | ||
| # |
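Review bot: the new FROM golang:1.25.8 AS build line still resolves a mutable tag, so the build is only as reproducible as whatever the registry currently serves under that tag. Consider pinning the digest next to the tag, e.g. FROM golang:1.25.8@sha256:<digest> AS build, and updating the comment on the line above, which still gives "that's what I'm building with currently" as the reason rather than the security fix.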
Updating the builder image to Go 1.25.8 may not actually address the referenced Go CVEs because go.mod pins toolchain go1.24.1, and go mod download / go test / go build will auto-download and use that toolchain unless GOTOOLCHAIN=local is set or the toolchain directive is updated/removed. To ensure the build uses the patched compiler/runtime, align the go.mod toolchain with 1.25.8 (or set ENV GOTOOLCHAIN=local and rely on the container’s Go version).
| # | |
| # | |
| # ensure the Go toolchain from the image is used instead of any toolchain pinned in go.mod | |
| ENV GOTOOLCHAIN=local | |
| # |
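Review bot: on the ENV GOTOOLCHAIN=local line, the comment should also say what happens when go.mod moves ahead of the image. With local the go command never fetches another toolchain, so a go line newer than the image's Go makes the build fail instead of switching. That is reasonable for a security-pinned builder, but it means the image tag and go.mod have to be bumped together.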
@copilot update the gomod toolchain with 1.25.8
This is a security update for CVE-2026-27142, CVE-2026-25679 and CVE-2026-27139
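Added example, not part of the PR or the project: a Python check that works out which Go toolchain the build stage would actually run. It follows the documented selection rule that the default GOTOOLCHAIN=auto switches only to a toolchain newer than the bundled one and that GOTOOLCHAIN=local never switches. The Dockerfile and go.mod contents, the module path example.com/app and all function names are constructed for illustration; 1.25.8 and go1.24.1 are the values quoted in the thread.

```python
import re

# Constructed inputs: image tag and toolchain pin as quoted in the thread; the rest is made up.
DOCKERFILE = "FROM golang:1.25.8 AS build\n"
GOMOD = "module example.com/app\n\ngo 1.24\n\ntoolchain go1.24.1\n"

def ver(s):
    """'go1.25.8' or '1.25' -> (1, 25, 8) / (1, 25); rc/beta suffixes are not handled."""
    return tuple(int(p) for p in s.removeprefix("go").split("."))

def directive(gomod, name):
    """Version on go.mod's `go` or `toolchain` line, or None when the line is absent."""
    m = re.search(rf"^{name}\s+(?:go)?(\d+(?:\.\d+)+)\s*$", gomod, re.M)
    return m.group(1) if m else None

def effective_toolchain(dockerfile, gomod):
    """Return (version, note) for the toolchain `go build` runs inside the build stage."""
    # Assumption: only GOTOOLCHAIN=local and the default (auto) are modelled.
    image = re.search(r"^FROM\s+golang:(\d+(?:\.\d+)+)", dockerfile, re.M).group(1)
    env = re.search(r"^ENV\s+GOTOOLCHAIN[=\s]\s*(\S+)", dockerfile, re.M)
    mode = env.group(1) if env else "auto"
    go_line, tc_line = directive(gomod, "go"), directive(gomod, "toolchain")
    if mode == "local":
        if go_line and ver(go_line) > ver(image):
            return None, f"build fails: go.mod needs go {go_line}, image has {image}"
        return image, "GOTOOLCHAIN=local: image toolchain, go.mod toolchain line ignored"
    wanted = max([v for v in (go_line, tc_line) if v], key=ver, default=None)
    if wanted and ver(wanted) > ver(image):
        return wanted, f"go.mod selects {wanted}, downloaded instead of image {image}"
    return image, "image toolchain is already at least what go.mod asks for"

def is_patched(dockerfile, gomod, minimum):
    """True when the toolchain that actually runs is at least `minimum`."""
    version, _ = effective_toolchain(dockerfile, gomod)
    return version is not None and ver(version) >= ver(minimum)

if __name__ == "__main__":
    print(effective_toolchain(DOCKERFILE, GOMOD), is_patched(DOCKERFILE, GOMOD, "1.25.8"))
```

Run as a CI step against the real Dockerfile and go.mod, it fails the build whenever the image tag and the go.mod directives together would yield a toolchain older than the patched release.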