Skip to content

Bump CI Go to 1.25.12 for GO-2026-5856#339

Merged
AndreyVMarkelov merged 1 commit into
masterfrom
fix/bump-go-1-25-12
Jul 8, 2026
Merged

Bump CI Go to 1.25.12 for GO-2026-5856#339
AndreyVMarkelov merged 1 commit into
masterfrom
fix/bump-go-1-25-12

Conversation

@AndreyVMarkelov

@AndreyVMarkelov AndreyVMarkelov commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

CI govulncheck is failing on all open PRs (and master) due to a Go standard-library vulnerability, before build/test/vet even run.

  • Vuln: GO-2026-5856 — Encrypted Client Hello privacy leak in crypto/tls
  • Found in: crypto/tls@go1.25.11 (what setup-go resolves "1.25" to)
  • Fixed in: crypto/tls@go1.25.12

The call traces govulncheck reports (cmd/share_link_raw.go, internal/output/output.go) are unrelated to any in-flight feature work — this is purely a toolchain CVE.

This pins go-version to 1.25.12 (the patched release) across the CI, CodeQL, and release workflows. go.mod's go 1.25.0 language floor is left unchanged.

setup-go resolved "1.25" to 1.25.11, which carries GO-2026-5856
(Encrypted Client Hello privacy leak in crypto/tls). This fails
govulncheck on every PR before build/test/vet run. Pin the Go version
to 1.25.12, which contains the fix, across the CI, CodeQL, and release
workflows.
@AndreyVMarkelov AndreyVMarkelov merged commit 978ed41 into master Jul 8, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant