Skip to content

fix(build): bump go toolchain to 1.24.6#4

Merged
htcom-code merged 1 commit into
mainfrom
fix/go-toolchain-vuln
Jul 5, 2026
Merged

fix(build): bump go toolchain to 1.24.6#4
htcom-code merged 1 commit into
mainfrom
fix/go-toolchain-vuln

Conversation

@htcom-code

@htcom-code htcom-code commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Problem

The govulncheck CI gate fails on main and on every open PR (#1#3). This is unrelated to the Dependabot bumps — the root cause is a stale Go toolchain.

go.mod pins go 1.24.0, so CI (setup-go with go-version-file: go.mod) installs a vulnerable standard library:

Vulnerability Description Fixed in
GO-2025-3956 os/exec LookPath unexpected paths go1.24.6
GO-2025-3750 os O_CREATE|O_EXCL handling (Windows) go1.24.4

Change

Bump the go directive in go.mod to 1.24.6 so builds link against the patched standard library.

Verification

  • Local govulncheck ./...No vulnerabilities found. (exit 0)

Once this is merged, rebasing the Dependabot PRs will make their govulncheck gate pass as well.

- go1.24.0 stdlib is affected by GO-2025-3956 (os/exec LookPath)
  and GO-2025-3750 (os O_CREATE|O_EXCL), failing the govulncheck gate
- raising the go directive builds against the patched stdlib and
  clears both standard-library vulnerabilities

#security #govulncheck

Co-Authored-By: htjulia <htjulia1@gmail.com>
@htcom-code htcom-code merged commit 2cc0f5a into main Jul 5, 2026
7 checks passed
@htcom-code htcom-code deleted the fix/go-toolchain-vuln branch July 5, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant