Skip to content

Bump Go from 1.25.7 to 1.26.1#12860

Merged
williammartin merged 2 commits intotrunkfrom
kw/bump-go-1.26
Mar 7, 2026
Merged

Bump Go from 1.25.7 to 1.26.1#12860
williammartin merged 2 commits intotrunkfrom
kw/bump-go-1.26

Conversation

@BagToad
Copy link
Member

@BagToad BagToad commented Mar 7, 2026
edited
Loading

Bump Go to 1.26.1 to resolve these vulnerabilities:

  • GO-2026-4603: html/template URL escaping
  • GO-2026-4602: os FileInfo root escape
  • GO-2026-4601: net/url IPv6 parsing
  • GO-2026-4600: crypto/x509 malformed cert panic
  • GO-2026-4599: crypto/x509 email constraint enforcement

Also bumps golangci-lint from v2.6.0 to v2.11.0, as v2.6.0 was built with Go 1.25 and cannot lint Go 1.26 code.

@BagToad
Bump Go from 1.25.7 to 1.26.1 to fix stdlib vulnerabilities
1524ea2 
Fixes 5 Go standard library vulnerabilities found by govulncheck:
- GO-2026-4603: html/template URL escaping
- GO-2026-4602: os FileInfo root escape
- GO-2026-4601: net/url IPv6 parsing
- GO-2026-4600: crypto/x509 malformed cert panic
- GO-2026-4599: crypto/x509 email constraint enforcement

Co-Authored-By: Copilot <[email protected]>
@BagToad BagToad requested a review from a team as a code owner March 7, 2026 04:22
@BagToad
Bump golangci-lint from v2.6.0 to v2.11.0 for Go 1.26 support
b18358b 
golangci-lint v2.6.0 was built with Go 1.25 and cannot lint code targeting
Go 1.26.1. Go 1.26 support was added in golangci-lint v2.9.0.

Co-authored-by: Copilot <[email protected]>
Copilot AI reviewed Mar 7, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR bumps the minimum Go version requirement in go.mod from 1.25.7 to 1.26.1, motivated by resolving five security vulnerabilities in the Go standard library (CVE-equivalent GO-2026-* advisories in html/template, os, net/url, and crypto/x509).

Changes:

  • Updates the go directive in go.mod from go 1.25.7 to go 1.26.1.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@williammartin williammartin merged commit 0219670 into trunk Mar 7, 2026
18 checks passed
@williammartin williammartin deleted the kw/bump-go-1.26 branch March 7, 2026 09:20
@BagToad BagToad mentioned this pull request Mar 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@williammartin williammartin williammartin approved these changes

@babakks babakks Awaiting requested review from babakks babakks is a code owner automatically assigned from cli/code-reviewers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BagToad @williammartin