
fix(deps): bump go directive to 1.26.4 for stdlib vulns #72

Merged
kanywst merged 1 commit into main from fix/go-1.26.4-stdlib-vulns, Jun 3, 2026
@kanywst kanywst commented Jun 3, 2026

Why

The govulncheck CI job is failing on main (and therefore on every open PR, e.g. #70 / #71). The failures are unrelated to those dependency bumps — Go 1.26.3's standard library is affected by three vulnerabilities, all fixed in 1.26.4:

| ID | Package | Fixed in |
|---|---|---|
| GO-2026-5037 | crypto/x509 | go1.26.4 |
| GO-2026-5038 | mime | go1.26.4 |
| GO-2026-5039 | net/textproto | go1.26.4 |

CI resolves its toolchain from go.mod via go-version-file, so bumping the go directive to 1.26.4 pulls in the patched stdlib and clears the job.

Verification

  • go vet ./... — clean
  • govulncheck ./... → Your code is affected by 0 vulnerabilities.

Open dependabot PRs (#70, #71) should go green once rebased on this.

Summary by CodeRabbit

  • Chores
    • Updated minimum Go version requirement to 1.26.4.

Go 1.26.3 stdlib is affected by GO-2026-5037 (crypto/x509),
GO-2026-5038 (mime), and GO-2026-5039 (net/textproto), all fixed
in 1.26.4. CI resolves its toolchain from go.mod (go-version-file),
so bumping the go directive picks up the patched stdlib and clears
the govulncheck job.
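
A floor check for the mechanism described in the PR description, as an added example that is not part of this PR or the project's code: it reads the go directive from go.mod text and lists the advisories from the table whose fixed-in release is newer. It compares against the fixed-in column only and does not replace govulncheck; `parseVer`, `BelowFix` and the sample module path are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

var advisories = []struct{ ID, Pkg, FixedIn string }{ // rows copied from the PR description's table
	{"GO-2026-5037", "crypto/x509", "go1.26.4"},
	{"GO-2026-5038", "mime", "go1.26.4"},
	{"GO-2026-5039", "net/textproto", "go1.26.4"},
}

// parseVer maps "1.26.4" or "go1.26.4" to a comparable integer; rc/beta suffixes are rejected.
func parseVer(s string) (v int, _ error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) == 2 {
		parts = append(parts, "0") // assumption: a missing patch component counts as 0
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 || len(parts) != 3 {
			return 0, fmt.Errorf("unsupported version %q", s)
		}
		v = v*1000 + n
	}
	return v, nil
}

// BelowFix returns the advisory IDs whose fixed-in release is newer than the go directive in gomod.
func BelowFix(gomod string) ([]string, error) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop trailing comments
		if len(f) == 2 && f[0] == "go" {
			have, err := parseVer(f[1])
			var ids []string
			for _, a := range advisories {
				if fixed, _ := parseVer(a.FixedIn); err == nil && have < fixed {
					ids = append(ids, a.ID)
				}
			}
			return ids, err
		}
	}
	return nil, fmt.Errorf("no go directive found")
}

func main() { // constructed go.mod text; the module path is a placeholder
	fmt.Println(BelowFix("module example.com/app\n\ngo 1.26.3\n"))
}
```
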
coderabbitai Bot commented Jun 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 16192cd and 7e2d784.

📒 Files selected for processing (1)
  • go.mod

📝 Walkthrough

The Go module version requirement is bumped from 1.26.3 to 1.26.4 in go.mod. No other module requirements or dependencies were modified.

Changes

Go Version Update

| Layer / File(s) | Summary |
|---|---|
| Go version upgrade to 1.26.4 (go.mod) | The go version directive is updated from 1.26.3 to 1.26.4. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Poem

🐰 A hop, a skip, a version so bright,
From point-three to point-four, all feels right,
Go marches forward, steady and true,
Our module takes wings on the Go that is new! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: bumping the Go directive to 1.26.4 to address standard library vulnerabilities. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the Go version in the go.mod file from 1.26.3 to 1.26.4. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@kanywst kanywst merged commit 35b4d26 into main Jun 3, 2026
27 checks passed
@kanywst kanywst deleted the fix/go-1.26.4-stdlib-vulns branch June 3, 2026 10:39