Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: Specify go1.22.2 as toolchain to fix govulncheck issues #688

Merged
merged 1 commit into from
Apr 17, 2024
Merged

build: Specify go1.22.2 as toolchain to fix govulncheck issues #688

merged 1 commit into from
Apr 17, 2024

Conversation

jimmidyson
Copy link
Contributor

Nix (and therefore devbox) has been slow in rolling out go1.22.2, which
contains CVE fixes. Current version go1.22.1 causes govulncheck to
report valid vulnerabilities in net/http package. go1.21 introduced
toolchain management via go.mod file with toolchain directive. This
commit specifies go1.22.2 as the toolchain to use and hence fixes the
govulncheck issues.

This does mean that go versions have to be managed in multiple places so
this is a stop-gap until Nix releases go1.22.2 to nixpkgs-unstable
channel.

@jimmidyson jimmidyson changed the title build: Specify go1.22.2 as toolchain to fix govulncheck issues (#517) build: Specify go1.22.2 as toolchain to fix govulncheck issues Apr 17, 2024
@jimmidyson
build: Specify go1.22.2 as toolchain to fix govulncheck issues
98a61f9 
Nix (and therefore devbox) has been slow in rolling out go1.22.2, which
contains CVE fixes. Current version go1.22.1 causes govulncheck to
report valid vulnerabilities in `net/http` package. go1.21 introduced
toolchain management via `go.mod` file with `toolchain` directive. This
commit specifies go1.22.2 as the toolchain to use and hence fixes the
govulncheck issues.

This does mean that go versions have to be managed in multiple places so
this is a stop-gap until Nix releases go1.22.2 to nixpkgs-unstable
channel.
@jimmidyson jimmidyson enabled auto-merge (squash) April 17, 2024 13:30
@github-actions GitHub Actions
Copy link
Contributor

Unit test results

100 tests  ±0   100 ✅ ±0   0s ⏱️ ±0s
 24 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 98a61f9. ± Comparison against base commit 71a0ae6.

@github-actions GitHub Actions
Copy link
Contributor

e2e test results

33 tests  ±0   30 ✅ ±0   1m 50s ⏱️ +22s
 2 suites ±0    3 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 98a61f9. ± Comparison against base commit 71a0ae6.

@jimmidyson jimmidyson merged commit 32e759b into main Apr 17, 2024
11 checks passed
@jimmidyson jimmidyson deleted the jimmi/go-1.22.2-toolchain branch April 17, 2024 13:42
@mesosphere-actions-pr-bot mesosphere-actions-pr-bot bot mentioned this pull request Apr 17, 2024
Merged
jimmidyson pushed a commit that referenced this pull request Apr 17, 2024
@mesosphere-actions-pr-bot
release(main): v1.13.3 (#687)
106cd6f 
🤖 I have created a release *beep* *boop*
---


## 1.13.3 (2024-04-17)

<!-- Release notes generated using configuration in .github/release.yaml
at main -->

## What's Changed
### Other Changes
* ci: New org for devbox-install-action - missed in previous PR by
@jimmidyson in #686
* build: Specify go1.22.2 as toolchain to fix govulncheck issues by
@jimmidyson in #688


**Full Changelog**:
v1.13.2...v1.13.3

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: mesosphere-actions-pr-bot[bot] <157582460+mesosphere-actions-pr-bot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhrabovcin mhrabovcin mhrabovcin approved these changes

@dkoshkin dkoshkin Awaiting requested review from dkoshkin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jimmidyson @mhrabovcin