Problem
A customer's internal artifact repository has flagged vulnerabilities in transitive dependencies (SQL and Git packages) of the Terraform provider. While these packages are not actually used by the provider, the artifact repository is blocking downloads based on these vulnerability reports.
The provider is currently using Go 1.24.2, and updating to Go 1.24.6 (the latest patch release) will clear these vulnerability reports.
Proposed Solution
Update Go from 1.24.2 to 1.24.6 across the codebase.
Required Changes
- Update go.mod (line 3): change go 1.24.2 to go 1.24.6
- Update .github/workflows/test.yml (lines 29, 102, and 135): change go-version: "1.24.2" to go-version: "1.24.6"
- Run go mod tidy to update dependencies
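The first two steps above as a script, with a consistency check that catches a half-applied bump (go.mod updated but a workflow job left on the old version). This is an added example, not code from the issue or the provider's repository; it assumes the file paths the issue names (go.mod and .github/workflows/*.yml), and the version strings are passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the issue or the provider's repository. Applies
# and verifies a Go version bump: the "go" directive in go.mod and every
# go-version: entry in .github/workflows/*.yml. Paths are those named in the
# issue; any file contents used to exercise this are constructed.

# Escape the dots in a version string so sed treats it literally.
version_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# bump_go_version <old> <new> <repo_dir>
# Rewrites "go <old>" in go.mod and go-version: "<old>" in each workflow file.
# Portable (no sed -i): writes to a temp file and moves it into place.
bump_go_version() {
  old_re=$(version_re "$1"); new="$2"; repo="$3"
  for f in "$repo/go.mod" "$repo"/.github/workflows/*.yml; do
    [ -f "$f" ] || continue
    sed -e "s/^go $old_re\$/go $new/" \
        -e "s/go-version: \"$old_re\"/go-version: \"$new\"/" "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  done
}

# check_go_version <expected> <repo_dir>
# Prints one line per file that still pins another version; returns 1 if any.
# Run it after the bump (and in CI) so no job keeps building with the old Go.
check_go_version() {
  expected="$1"; repo="$2"; rc=0
  # first "go X.Y.Z" directive in go.mod
  mod_ver=$(sed -n 's/^go[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' "$repo/go.mod" | head -n 1)
  if [ "$mod_ver" != "$expected" ]; then
    echo "go.mod: go directive is '$mod_ver', expected $expected"
    rc=1
  fi
  for wf in "$repo"/.github/workflows/*.yml; do
    [ -f "$wf" ] || continue
    # every go-version value (quotes optional) that is not the expected one
    stale=$(sed -n 's/.*go-version:[[:space:]]*"\{0,1\}\([0-9][0-9.]*\)"\{0,1\}.*/\1/p' "$wf" \
      | grep -vxF "$expected" | sort -u)
    if [ -n "$stale" ]; then
      echo "$wf: still pins go-version $(echo "$stale" | tr '\n' ' ')"
      rc=1
    fi
  done
  return "$rc"
}
```

After `bump_go_version 1.24.2 1.24.6 .` the third step, `go mod tidy`, still has to be run and its go.sum diff reviewed before committing.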
Impact
- Risk: Minimal - this is a patch release update (1.24.2 to 1.24.6) that typically includes only bug fixes and security updates
- Benefit: Clears vulnerability reports in artifact repositories, allowing customers to download the provider without security policy violations
- Testing: Existing CI tests will verify compatibility
Alternatives Considered
- Vendor dependencies - Would require customers to build from source
- Scanner exceptions - Would require each customer to configure exceptions
- Binary verification - Complex and does not solve the download blocking issue
Updating Go is the cleanest and most effective solution.