Upgrade Go to 1.26.2 and fix vulnerabilities #640

Open

austintalbot wants to merge 2 commits into homeport:main from austintalbot:fix/vulnerabilities


Conversation

austintalbot commented Apr 27, 2026


PR Summary: Vulnerability Fixes and Go Version Upgrade

Description

This PR addresses 16 vulnerabilities in the Go standard library by upgrading the Go version to the latest stable release and updating project dependencies to their latest versions.

Scan Results Comparison

Before (Go 1.25.0)

osv-scanner identified 16 vulnerabilities in the Go standard library:

Total 1 package affected by 16 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 16 Unknown) from 1 ecosystem.
16 vulnerabilities can be fixed.

+------------------------------+------+-----------+---------+---------+---------------+--------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+------------------------------+------+-----------+---------+---------+---------------+--------+
| https://osv.dev/GO-2025-4007 |      | Go        | stdlib  | 1.25.0  | 1.25.3        | go.mod |
| https://osv.dev/GO-2025-4008 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4009 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4010 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4011 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4012 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4013 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4155 |      | Go        | stdlib  | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2025-4175 |      | Go        | stdlib  | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2026-4337 |      | Go        | stdlib  | 1.25.0  | 1.25.7        | go.mod |
| https://osv.dev/GO-2026-4340 |      | Go        | stdlib  | 1.25.0  | 1.25.6        | go.mod |
| https://osv.dev/GO-2026-4601 |      | Go        | stdlib  | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4602 |      | Go        | stdlib  | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4946 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4947 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
+------------------------------+------+-----------+---------+---------+---------------+--------+

After (Go 1.26.2)

osv-scanner and trivy confirm all vulnerabilities are resolved:

osv-scanner: No issues found
trivy: 0 Vulnerabilities detected

Key Changes

  • Go Upgrade: Updated go.mod from 1.25.0 to 1.26.2.
  • Dependency Updates:
    • github.com/goccy/go-yaml: v1.18.0 -> v1.19.2
    • github.com/onsi/ginkgo/v2: v2.28.1 -> v2.28.2
    • google.golang.org/protobuf: v1.36.7 -> v1.36.11
    • github.com/mattn/go-isatty: v0.0.21 -> v0.0.22
  • Verification: All tests passed successfully on the new Go version.
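Reading the scan table above, the lowest release that clears every listed finding is the maximum of the FIXED VERSION column (1.25.9 across the sixteen rows), which the chosen 1.26.2 covers. The following is an added example, not code from the PR or the dyff project: Go code that parses osv-scanner's table output, derives that minimum, and checks a go.mod version against it; the three sample rows are constructed from the table above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the osv-scanner table layout from the PR (three of its sixteen rows).
const scanTable = `
| https://osv.dev/GO-2025-4007 |      | Go        | stdlib  | 1.25.0  | 1.25.3        | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2025-4008 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
`

// versionKey orders "1.25.9" (or "go1.25.9") as an integer; a missing patch counts as 0.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &major, &minor, &patch)
	if n < 2 { // also rejects an empty FIXED VERSION, i.e. a finding with no fixed release
		return 0, fmt.Errorf("unparseable Go version %q", v)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// MinFixVersion returns the lowest Go release that fixes every row of an osv-scanner
// table: the maximum of the FIXED VERSION column, or an error if a row has none.
func MinFixVersion(table string) (string, error) {
	best, bestKey := "", 0
	for _, line := range strings.Split(table, "\n") {
		cols := strings.Split(line, "|")
		if len(cols) < 8 || !strings.Contains(cols[1], "osv.dev/") {
			continue // borders, header and blank lines carry no finding
		}
		key, err := versionKey(strings.TrimSpace(cols[6]))
		if err != nil {
			return "", fmt.Errorf("%s: %v", strings.TrimSpace(cols[1]), err)
		}
		if key > bestKey {
			best, bestKey = strings.TrimSpace(cols[6]), key
		}
	}
	return best, nil // empty when the table had no finding rows
}

// Covers reports whether a go.mod "go" directive value is at least the needed release.
func Covers(have, need string) bool {
	h, errH := versionKey(have)
	n, errN := versionKey(need)
	return errH == nil && errN == nil && h >= n
}
```

Feed it the full table from the description and it returns 1.25.9; Covers("1.26.2", "1.25.9") is true while Covers("1.25.0", "1.25.9") is false.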

Copilot AI review requested due to automatic review settings April 27, 2026 14:36

Copilot AI left a comment


Pull request overview

Upgrades the project’s Go version and updates selected dependencies to address reported vulnerabilities (notably in the Go stdlib) and keep the module ecosystem current.

Changes:

  • Bump go.mod Go version to 1.26.2
  • Update dependency versions (e.g., ginkgo, protobuf, go-yaml, go-isatty) and refresh go.sum accordingly

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File   | Description
go.mod | Updates the Go version and bumps/records updated module requirements.
go.sum | Refreshes module checksums to match the updated dependency graph.


Comment thread go.mod
module github.com/homeport/dyff

go 1.25.0
go 1.26.2
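Review bot: the scanner verdicts quoted in the description are driven by this line, not by the toolchain that builds the binary: the osv-scanner table lists SOURCE go.mod with VERSION 1.25.0, so after this hunk it reports the stdlib as 1.26.2 whatever Go release CI actually runs. Since the PR changes only go.mod and go.sum, no workflow is pinned to 1.26.2; suggest adding `toolchain go1.26.2` below this line and pinning the same version in CI, and noting in the PR that a patch-level `go` directive also becomes the minimum Go version for every module importing github.com/homeport/dyff.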

Copilot AI Apr 27, 2026


The go directive sets the module’s language version/minimum Go version but does not ensure consumers/CI actually use Go 1.26.2 (and typically won’t enforce a patch-level toolchain). Since the stated goal is to remediate stdlib CVEs by upgrading to 1.26.2, consider pinning the toolchain (e.g., adding a toolchain go1.26.2 directive) and/or aligning CI to that exact version so builds don’t silently run on a different Go release.

Suggested change
go 1.26.2
go 1.26.2
toolchain go1.26.2
