
fix: bump deps to clear govulncheck for v0.9#319

Merged
vloothuis merged 3 commits into develop from fix/security-vulns-v0.9
Apr 7, 2026

Conversation

@vloothuis
Contributor

Summary

  • Bumps golang.org/x/crypto, github.com/cloudflare/circl, github.com/go-git/go-git/v5 to versions that clear GO-2025-4116, GO-2025-3754, GO-2026-4550, GO-2026-4473.
  • Bumps Go toolchain from 1.24.13 to 1.25.8 to clear stdlib vulns GO-2026-4601 and GO-2026-4602. CI workflow Go versions bumped 1.24 → 1.25.
  • Adds scripts/govulncheck-filtered.sh and wires it into the release/security workflows. The script ignores OSVs that have no upstream fix yet (currently only GO-2026-4923, the bbolt index-out-of-range panic reached transitively via blevesearch; tracking issue: "bucket: add count guard for branch pages in Stats", etcd-io/bbolt#1171). All other findings still fail the build.

Unblocks the v0.9 release run that failed at https://github.com/sourcehaven-bv/rela/actions/runs/24078691193.

Test plan

  • go test -race ./... passes locally
  • just lint passes locally
  • ./scripts/govulncheck-filtered.sh reports no actionable vulnerabilities locally
  • CI green on PR
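As an added illustration of the filtering the PR's script performs (this is not the PR's scripts/govulncheck-filtered.sh, and it is written in Python rather than shell), the block below reads a `govulncheck -json` stream from stdin, fails the build on every finding except an allow-listed OSV that still has no upstream fix, and re-flags an allow-listed ID as soon as the scanner reports a fixed version, so the ignore entry cannot go stale unnoticed. The sample stream, the module names in its traces and the fixed version string are constructed.

```python
"""Gate CI on govulncheck -json output, ignoring only OSV IDs that have no upstream fix yet."""
import json
import sys

# OSV IDs tolerated until upstream ships a fix; keep the list short and reviewed.
IGNORED_UNFIXED = {"GO-2026-4923"}  # bbolt panic reached transitively via blevesearch

# Constructed sample in govulncheck -json shape (a stream of objects, not an array); fixed_version is a placeholder.
SAMPLE_STREAM = """
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"osv": {"id": "GO-2026-4923", "summary": "bbolt index-out-of-range panic"}}
{"finding": {"osv": "GO-2026-4923", "trace": [{"module": "go.etcd.io/bbolt"}]}}
{"osv": {"id": "GO-2025-4116", "summary": "constructed sample entry"}}
{"finding": {"osv": "GO-2025-4116", "fixed_version": "vX.Y.Z-placeholder",
             "trace": [{"module": "golang.org/x/crypto"}]}}
"""

def iter_objects(stream_text):
    """Yield each top-level object from a concatenated, pretty-printed JSON stream."""
    decoder, pos, end = json.JSONDecoder(), 0, len(stream_text)
    while pos < end:
        if stream_text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(stream_text, pos)
        yield obj

def actionable_findings(stream_text, ignored=IGNORED_UNFIXED):
    """Return (actionable, ignored_now). An ID is ignored only while it is on the
    list AND still has no fixed_version; once a fix appears it is flagged again,
    so an ignore entry cannot silently go stale."""
    findings = {}
    for obj in iter_objects(stream_text):
        finding = obj.get("finding")
        if finding:
            findings.setdefault(finding["osv"], finding.get("fixed_version"))
    actionable = sorted(o for o, fix in findings.items() if o not in ignored or fix)
    ignored_now = sorted(o for o, fix in findings.items() if o in ignored and not fix)
    return actionable, ignored_now

def main():
    actionable, ignored_now = actionable_findings(sys.stdin.read())
    for osv in ignored_now:
        print(f"ignored (no upstream fix yet): {osv}")
    if actionable:
        print("actionable vulnerabilities:", ", ".join(actionable))
    return 1 if actionable else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `govulncheck -json ./... | python3 govulncheck_filter.py`; a non-zero exit fails the CI step exactly as the unfiltered scanner would.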

@vloothuis vloothuis enabled auto-merge (squash) April 7, 2026 11:30
@vloothuis vloothuis merged commit 6a242d1 into develop Apr 7, 2026
12 checks passed
@vloothuis vloothuis deleted the fix/security-vulns-v0.9 branch April 7, 2026 11:41
