
fix(deps): rebuild helm 3.18 with Go 1.26.4 to fix stdlib CVEs#95

Merged
alaudabot merged 2 commits into alauda-3.18.6 from fix/go-1264-containerd-vuln on Jun 8, 2026

Conversation

l-qing commented Jun 7, 2026

Summary

This PR bumps the Go toolchain version in go.mod from 1.26.3 to 1.26.4 on the alauda-3.18.6 release line.

CVEs Fixed

Go stdlib (fixed by building with Go 1.26.4)

  • CVE-2026-42504 (HIGH) — Go stdlib vulnerability fixed in Go 1.26.4
  • CVE-2026-27145 (MEDIUM) — Go stdlib vulnerability fixed in Go 1.26.4
  • CVE-2026-42507 (MEDIUM) — Go stdlib vulnerability fixed in Go 1.26.4

containerd (already resolved)

  • CVE-2026-46680 (HIGH) — already fixed; github.com/containerd/containerd is already at v1.7.32 on this branch, no change needed.

Out of Scope (intentional)

  • CVE-2026-35206 (helm.sh/helm/v3 → 3.20.2) — intentionally ignored downstream in the AlaudaDevops/catalog helm v3.18 image via --ignorefile. This PR stays on the 3.18 line and does NOT jump to 3.20.

Mechanism

The release workflow (reusable-release-alauda.yaml) uses go-version-file: go.mod with actions/setup-go@v5, so bumping the go directive in go.mod is sufficient to pick up Go 1.26.4 in the next release build.

Diff

Minimal: single-line change to the go directive in go.mod. No dependency churn. go mod verify passes and go build ./cmd/helm succeeds locally with Go 1.26.4.

Downstream

Consumed by AlaudaDevops/catalog helm v3.18 image (currently pinned to v3.18.7-alauda-42).
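A reviewer-side check for the mechanism described above, added here as an example and not code from this PR or the helm project: it reads the go directive that go-version-file: go.mod hands to actions/setup-go and confirms it meets the toolchain floor that carries the stdlib fixes. The go.mod contents are constructed; the function names are this example's own.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt mirroring the PR's one-line bump (assumption: the real file also has require blocks).
const sampleGoMod = "module helm.sh/helm/v3\n\ngo 1.26.4\n\nrequire github.com/containerd/containerd v1.7.32\n"

// goDirective returns the version on the "go" line, which actions/setup-go resolves from go-version-file.
func goDirective(goMod string) (string, error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "go" {
			return f[1], nil
		}
	}
	return "", errors.New("go.mod has no go directive")
}

// field returns numeric component i of a split version, or 0 when absent (so "1.26" equals "1.26.0").
func field(p []string, i int) int {
	if i >= len(p) {
		return 0
	}
	n, _ := strconv.Atoi(p[i])
	return n
}

// versionLess reports whether dotted version a sorts before b ("1.26.3" < "1.26.4").
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < 3; i++ {
		if na, nb := field(pa, i), field(pb, i); na != nb {
			return na < nb
		}
	}
	return false
}

// toolchainAtLeast reports whether the go directive in goMod meets the minimum toolchain (1.26.4 on this PR).
func toolchainAtLeast(goMod, min string) (bool, error) {
	v, err := goDirective(goMod)
	if err != nil {
		return false, err
	}
	return !versionLess(v, min), nil
}
```

This only checks what the workflow will request; confirming the shipped binary was actually built with that toolchain is a separate step, since go version -m on the artifact prints the embedded Go version.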

l-qing and others added 2 commits June 7, 2026 16:41
Build with Go 1.26.4 to fix:
- CVE-2026-42504 (HIGH) in Go stdlib
- CVE-2026-27145 (MEDIUM) in Go stdlib
- CVE-2026-42507 (MEDIUM) in Go stdlib

containerd is already at v1.7.32 (CVE-2026-46680 already fixed).
The helm-self CVE-2026-35206 is intentionally out of scope
(ignored downstream in catalog).

Go version mechanism: go-version-file: go.mod (reusable-release-alauda.yaml)
@alaudabot alaudabot merged commit 4bf52f6 into alauda-3.18.6 Jun 8, 2026
3 checks passed
@alaudabot alaudabot deleted the fix/go-1264-containerd-vuln branch June 8, 2026 01:52