Skip to content

fix(build): pin Go toolchain to go1.26.4 for stdlib vuln patches#25

Merged
upsetbit merged 1 commit into
masterfrom
fix/go-1.26.4-stdlib-vulns
Jul 8, 2026
Merged

fix(build): pin Go toolchain to go1.26.4 for stdlib vuln patches#25
upsetbit merged 1 commit into
masterfrom
fix/go-1.26.4-stdlib-vulns

Conversation

@upsetbit

@upsetbit upsetbit commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

What

Pins the build toolchain to go1.26.4 via a toolchain directive in go.mod.

Why

govulncheck (run under the repo's pinned toolchain) reports two Go standard-library vulnerabilities present in go ≤ 1.26.3:

  • GO-2026-5039net/textproto: arbitrary inputs included in errors without escaping (reached via plane.Client.UploadAttachmentBlobtextproto.Reader.ReadMIMEHeader).
  • GO-2026-5037crypto/x509: inefficient candidate hostname parsing (reached via UploadAttachmentBlobx509 verification).

Both are fixed in go1.26.4. The release workflow builds binaries with actions/setup-go@v6 using go-version-file: go.mod, so pinning the toolchain here guarantees published artifacts link the patched standard library. (CI's dedicated govulncheck job already pins 1.26.4, which is why the merged Dependabot PRs stayed green — but the release build itself did not.)

Verification

  • just ci passes end-to-end, including govulncheckNo vulnerabilities found.
  • stdio tools/list smoke returns the expected 23 tools.

🤖 Generated with Claude Code

Addresses GO-2026-5039 (net/textproto) and GO-2026-5037 (crypto/x509),
both fixed in go1.26.4. The release builds via `go-version-file: go.mod`,
so pinning the toolchain here ensures published binaries link the patched
standard library.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@upsetbit upsetbit merged commit 2a73c51 into master Jul 8, 2026
6 checks passed
@upsetbit upsetbit deleted the fix/go-1.26.4-stdlib-vulns branch July 8, 2026 00:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant