Skip to content

Bump Go from 1.24.5 to 1.26.1#2819

Merged
savil merged 2 commits intomainfrom
jl/fix-issue-2817
Apr 16, 2026
Merged

Bump Go from 1.24.5 to 1.26.1#2819
savil merged 2 commits intomainfrom
jl/fix-issue-2817

Conversation

@Lagoja
Copy link
Copy Markdown
Collaborator

@Lagoja Lagoja commented Apr 16, 2026

Summary

Test plan

  • go build ./... passes
  • nix build passes
  • CI tests pass

🤖 Generated with Claude Code

@Lagoja @claude
Bump Go from 1.24.5 to 1.26.1 to fix security vulnerabilities (#2817)
6a541fc 
Update go.mod, flake.nix (buildGo126Module), and flake.lock (nixpkgs-unstable)
to resolve 1 critical and 12 high-severity CVEs in Go 1.24.5.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the project’s Go toolchain and Nix build tooling to a newer Go release to address reported security vulnerabilities (issue #2817), while keeping CI workflows aligned by continuing to derive the Go version from go.mod.

Changes:

  • Bump Go version in go.mod from 1.24.5 to 1.26.1.
  • Update Nix flake build to use pkgs.buildGo126Module.
  • Refresh flake.lock to a newer nixpkgs revision consistent with the new Go builder.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
go.mod Updates the module’s Go version to 1.26.1 for toolchain/CVE remediation.
flake.nix Switches the Nix Go builder to buildGo126Module to match the bumped Go version.
flake.lock Advances the pinned nixpkgs revision/hash to support the updated Go builder.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

gcurtis
gcurtis approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@gcurtis gcurtis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also run a devbox update.

@savil savil merged commit e3599e6 into main Apr 16, 2026
@savil savil deleted the jl/fix-issue-2817 branch April 16, 2026 19:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@gcurtis gcurtis gcurtis approved these changes

@mikeland73 mikeland73 Awaiting requested review from mikeland73

@savil savil Awaiting requested review from savil

@josh-d2 josh-d2 Awaiting requested review from josh-d2

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix security vulnerabilities in Devbox due to outdated version of Go (v1.24.5)

4 participants

@Lagoja @gcurtis @savil