From 5378726802855a5398c4c1d5977ccb32a02c57c3 Mon Sep 17 00:00:00 2001
From: humoflife
Date: Tue, 14 Apr 2026 13:58:22 -0700
Subject: [PATCH] fix: upgrade Go to 1.26.2 to resolve stdlib CVEs

Fixes 5 actively-called vulnerabilities in go1.26.1 stdlib:
- GO-2026-4866: crypto/x509 auth bypass via name constraints
- GO-2026-4870: crypto/tls DoS via unauthenticated TLS 1.3 KeyUpdate
- GO-2026-4947: crypto/x509 unexpected work during chain building
- GO-2026-4946: crypto/x509 inefficient policy validation
- GO-2026-4865: html/template XSS (JsBraceDepth context tracking)
Also fixes 2 imported-but-not-called vulns (GO-2026-4864, GO-2026-4869).
Co-Authored-By: Claude Sonnet 4.6
Signed-off-by: humoflife
---
 .github/workflows/ci.yml | 2 +-
 Dockerfile | 2 +-
 go.mod | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d91eb74..8d107a0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ on:
 env:
 # Common versions
- GO_VERSION: '1.25.0'
+ GO_VERSION: '1.26.2'
 GOLANGCI_VERSION: 'v2.11.4'
 DOCKER_BUILDX_VERSION: 'v0.24.0'
diff --git a/Dockerfile b/Dockerfile
index 36b633a..43e70f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # We use the latest Go 1.x version unless asked to use something else.
 # The GitHub Actions CI job sets this argument for a consistent Go version.
-ARG GO_VERSION=1
+ARG GO_VERSION=1.26.2
 # Setup the base environment. The BUILDPLATFORM is set automatically by Docker.
 # The --platform=${BUILDPLATFORM} flag tells Docker to build the function using
diff --git a/go.mod b/go.mod
index a2efd88..155e70b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/crossplane-contrib/function-environment-configs
-go 1.25.0
+go 1.26.2
 require (
 github.com/alecthomas/kong v1.15.0
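Review bot: The comment kept above `ARG GO_VERSION` in the Dockerfile hunk still says "We use the latest Go 1.x version unless asked to use something else", but the new default `1.26.2` is an exact pin, so the comment no longer describes the build. With the floating `1` default, a build that did not pass the argument picked up new Go patch releases on its own. After this change the next standard-library fix reaches such builds only when this line, `GO_VERSION` in `.github/workflows/ci.yml` and the `go` directive in `go.mod` are bumped together. I would reword the comment to say so, for example `# We pin the Go toolchain to an exact release unless asked to use something else.` followed by `# Bump this together with GO_VERSION in ci.yml and the go directive in go.mod.`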