chore: split go.mod directive so Dependabot can manage Go toolchain #320
Merged
Conversation
During Workstream B, govulncheck in CI tripped twice on stdlib CVEs: first on the GO-2025-* series (fixed in 1.25.2/1.25.3) and again on the GO-2026-* series (fixed up through 1.25.9). Each time required a manual go.mod bump to clear the gate. With only a single `go X.Y.Z` directive, Dependabot had no obvious knob to propose toolchain bumps against.

Split the single directive into:

```
go 1.25.0          # language floor (minimum features we require)
toolchain go1.25.9 # preferred build toolchain
```

Dependabot gomod support tracks the toolchain directive as a separate line item (dependabot/dependabot-core#10131, landed early 2025) and will now propose toolchain bumps as new Go patches release, alongside its existing weekly scan of require block dependencies.

The language floor stays stable at 1.25.0 so consumers are not forced to upgrade their toolchain for non-security reasons.

No code changes; `go mod tidy` produced no go.sum diff.

Signed-off-by: Christopher Maher <chris@mahercode.io>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary

Split the single `go 1.25.9` directive into a floor + toolchain pair so Dependabot can propose toolchain bumps on its own schedule without forcing every user's minimum supported Go version to the bleeding-edge patch.

Why

During the supply-chain MVP work (#310) govulncheck tripped twice on stdlib CVEs and each fix required a manual `go.mod` bump:

- `go 1.25.0` → `go 1.25.3` to clear GO-2025-4007 through GO-2025-4011
- `go 1.25.3` → `go 1.25.9` to clear GO-2026-4947 through GO-2026-4337

That whack-a-mole loop was predicted — the audit's Next up list pointed at Dependabot as the fix.

dependabot/dependabot-core#10131 (landed early 2025) teaches Dependabot's `gomod` ecosystem to track the `toolchain` directive as a separate update line. With a `toolchain` directive present, Dependabot will propose patch bumps on its existing weekly scan.

Why the floor moves down

`go X.Y.Z` is both a language-feature floor and an implicit toolchain selector. Keeping it at `1.25.0` documents the actual language features we depend on; the `toolchain` line carries the current preferred build version. Consumers who just need to compile with Go 1.25.0+ keep working; CI / release builds pick the toolchain explicitly.

Test plan

- `go mod tidy` — no go.sum diff
- `make vet` clean
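One way to turn the floor/toolchain split into a CI guard, as an added example that is not code from this PR or its repository: a small Go program that reads the `go` and `toolchain` directives out of go.mod text, confirms the floor is still at the documented value (so a toolchain bump never silently raises the minimum consumers must run), that a `toolchain` directive is present for Dependabot to track, and that the toolchain is no older than both the floor and a caller-supplied minimum patched release. The embedded go.mod text, the `example.com/placeholder` module path, and the `ParseDirectives`/`CheckDirectives` names are assumptions for this example; the 1.25.0 floor and go1.25.9 toolchain are the values stated in the PR.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Directives holds the two go.mod lines this check cares about.
type Directives struct {
	Go        string // language floor, e.g. "1.25.0"
	Toolchain string // preferred toolchain, e.g. "go1.25.9"; empty if absent
}

// ParseDirectives pulls the `go` and `toolchain` directives out of go.mod text.
// It is a small line-oriented reader for those two directives only, not a
// general go.mod parser; `//` comments and other lines are skipped.
func ParseDirectives(gomod string) Directives {
	var d Directives
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			d.Go = fields[1]
		case "toolchain":
			d.Toolchain = fields[1]
		}
	}
	return d
}

// parseVersion turns "1.25.9" or "go1.25.9" into [major, minor, patch];
// a two-part version such as "1.25" gets patch 0.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether version a is older than version b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// CheckDirectives applies the policy: the `go` floor must equal wantFloor,
// a `toolchain` directive must exist, and it must be at least as new as both
// the floor and minPatched (the oldest release clearing the stdlib advisories
// govulncheck currently flags; supplied by the caller from that report).
// It returns one message per violation; an empty slice means go.mod passes.
func CheckDirectives(d Directives, wantFloor, minPatched string) []string {
	var problems []string
	floor, err := parseVersion(d.Go)
	if err != nil {
		return append(problems, "go directive: "+err.Error())
	}
	want, err := parseVersion(wantFloor)
	if err != nil {
		return append(problems, "wantFloor: "+err.Error())
	}
	if floor != want {
		problems = append(problems, fmt.Sprintf("go directive is %s, expected floor %s", d.Go, wantFloor))
	}
	if d.Toolchain == "" {
		return append(problems, "no toolchain directive; Dependabot has nothing to bump")
	}
	tc, err := parseVersion(d.Toolchain)
	if err != nil {
		return append(problems, "toolchain directive: "+err.Error())
	}
	if less(tc, floor) {
		problems = append(problems, fmt.Sprintf("toolchain %s is older than go floor %s", d.Toolchain, d.Go))
	}
	if patched, err := parseVersion(minPatched); err == nil && less(tc, patched) {
		problems = append(problems, fmt.Sprintf("toolchain %s predates patched release %s", d.Toolchain, minPatched))
	}
	return problems
}

func main() {
	// Constructed go.mod in the shape this PR produces (sample input, not the real file).
	const gomod = "module example.com/placeholder // hypothetical module path\n\n" +
		"go 1.25.0 // language floor\n\ntoolchain go1.25.9 // preferred build toolchain\n"
	d := ParseDirectives(gomod)
	for _, p := range CheckDirectives(d, "1.25.0", "1.25.9") {
		fmt.Println("FAIL:", p)
	}
	fmt.Printf("go=%s toolchain=%s\n", d.Go, d.Toolchain)
}
```

In a real pipeline the go.mod text would come from `os.ReadFile("go.mod")` and `minPatched` from whatever release the latest govulncheck run says clears the open stdlib advisories; a non-empty result from `CheckDirectives` is the signal to fail the job before `govulncheck` itself trips on an already-known advisory.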