build: update Go toolchain for CVE-2025-68121 #412

Merged: antonmedv merged 1 commit into antonmedv:master from dkarter:fix/update-go-for-cve-2025-68121 on May 8, 2026
dkarter commented May 8, 2026

Motivation

Trivy reports the released Linux binary from antonmedv/fx 39.2.0 as a Go binary affected by stdlib CVE-2025-68121 with CRITICAL severity.

The affected binary path from the downstream image scan is mise/installs/fx/39.2.0/fx. The released binary appears to have been built with Go v1.23.6; Trivy lists fixed Go stdlib versions as 1.24.13, 1.25.7, or 1.26.0-rc.3.

Summary of Changes

  • Update the module toolchain directive from go1.23.6 to stable fixed Go go1.25.7.
  • Leave the module language version at go 1.23.0.
  • Future release builds that run scripts/build.mjs with standard Go toolchain selection will build with the fixed Go toolchain.

Dependencies/Special Considerations

None.

dkarter marked this pull request as ready for review May 8, 2026 07:08
antonmedv merged commit 8a5feb3 into antonmedv:master May 8, 2026
3 checks passed
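
The check behind the scanner finding, as an added example (not code from fx or from this PR): it reads the Go toolchain version recorded in a binary with the standard `debug/buildinfo` package and compares it with the fixed versions quoted in the description. The name `builtWithFixedGo` is hypothetical, and treating release lines after 1.26 as fixed is an assumption of the example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Fixed versions quoted in the PR: 1.24.13, 1.25.7, 1.26.0-rc.3 (Go itself
// spells the last one "go1.26rc3"). Lines before 1.24 have no fixed release.
var firstFixedPatch = map[int]int{24: 13, 25: 7}

// builtWithFixedGo reports whether a toolchain string ("go1.23.6") is fixed.
func builtWithFixedGo(version string) (bool, error) {
	v, _, _ := strings.Cut(version, " ") // drop any " X:..." experiment suffix
	if !strings.HasPrefix(v, "go1.") {
		return false, fmt.Errorf("unrecognized Go version %q", version)
	}
	rest, rcStr, isRC := strings.Cut(strings.TrimPrefix(v, "go1."), "rc")
	rc, rcErr := strconv.Atoi(rcStr)
	minorStr, patchStr, _ := strings.Cut(rest, ".")
	minor, err := strconv.Atoi(minorStr)
	if err != nil || (isRC && rcErr != nil) {
		return false, fmt.Errorf("unparseable Go version %q", version) // e.g. betas
	}
	patch, _ := strconv.Atoi(patchStr) // missing or unparseable patch counts as 0
	switch {
	case minor > 26:
		return true, nil // assumption: later release lines include the fix
	case minor == 26:
		return !isRC || rc >= 3, nil
	}
	first, ok := firstFixedPatch[minor]
	return ok && patch >= first, nil
}

func main() { // usage: prog [path-to-go-binary]; defaults to this program
	path, _ := os.Executable()
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fixed, err := builtWithFixedGo(info.GoVersion)
	fmt.Println(path, info.GoVersion, "fixed:", fixed, "err:", err)
}
```

This only identifies the toolchain that produced the binary, so a `false` result means the stdlib in it predates the fix, not that the affected code path is reachable.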