
chore: bump Go 1.24 and fix govulncheck vulnerabilities#31

Open
JayT106 wants to merge 3 commits into crypto-org-chain:v0.38.x from JayT106:fix/govulncheck

Conversation


@JayT106 JayT106 commented Mar 14, 2026

Summary

  • Bump Go from 1.23.1 to 1.24.13 (Go 1.23 is EOL — no security patches available)
  • Upgrade go-git/go-git/v5 v5.12.0 → v5.16.5 (fixes GO-2026-4473, GO-2025-3368, GO-2025-3367)
  • Upgrade cloudflare/circl v1.3.7 → v1.6.3 (fixes GO-2026-4550, GO-2025-3754)
  • Upgrade golang.org/x/crypto v0.28.0 → v0.45.0 (fixes GO-2025-3487)
  • Go 1.24.13 stdlib fixes 15 additional vulnerabilities in crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, and net/url
  • Update all CI workflow files from Go 1.23 to Go 1.24

Resolves 18 of 21 govulncheck findings. The remaining 3 (GO-2026-4601, GO-2026-4602, GO-2026-4603) require Go 1.25.8+ which is too aggressive for a maintenance branch at this time.

Bump Go from 1.23.1 to 1.24.13 and upgrade vulnerable dependencies:
- go-git/go-git/v5: v5.12.0 → v5.16.5 (GO-2026-4473, GO-2025-3368, GO-2025-3367)
- cloudflare/circl: v1.3.7 → v1.6.3 (GO-2026-4550, GO-2025-3754)
- golang.org/x/crypto: v0.28.0 → v0.45.0 (GO-2025-3487)

The Go 1.24.13 stdlib also fixes 15 vulnerabilities in crypto/tls,
crypto/x509, encoding/asn1, encoding/pem, net/http, and net/url.

3 vulns remain (GO-2026-4601/4602/4603) requiring Go 1.25.8+ which is
too aggressive for a maintenance branch at this time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
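As an added example (not code from this PR or the crypto-org-chain repository), the shell script below turns the version floors listed in the description into a reproducible CI gate: it parses a go.mod, compares the `go` directive and the three bumped dependencies against the minimum versions this PR establishes, and fails when any of them is still below the floor. It assumes POSIX sh with awk and a `sort` that supports `-V` (GNU coreutils or busybox); the module path `example.com/constructed`, the temp file names and both sample go.mod contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of this PR or the repository): a small CI gate that
# checks a go.mod against the minimum Go and dependency versions this PR
# establishes. Assumes POSIX sh with awk and a sort that supports -V;
# module path, file names and sample go.mod contents are constructed.

MIN_GO="1.24.13"
# module=minimum-version pairs, taken from the PR description
MIN_DEPS="github.com/go-git/go-git/v5=v5.16.5 github.com/cloudflare/circl=v1.6.3 golang.org/x/crypto=v0.45.0"

# version_ge A B: succeed when version A is >= B (a leading "v" is ignored)
version_ge() {
    a=${1#v}; b=${2#v}
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$b" ]
}

# gomod_go_version FILE: print the value of the "go" directive
gomod_go_version() {
    awk '$1 == "go" { print $2; exit }' "$1"
}

# gomod_dep_version FILE MODULE: print the required version of MODULE
# (handles both "require mod vX" and block-form "    mod vX // indirect")
gomod_dep_version() {
    awk -v m="$2" '
        $1 == m { print $2; exit }
        $1 == "require" && $2 == m { print $3; exit }
    ' "$1"
}

# check_gomod FILE: report every directive below its minimum; return 1 if any
check_gomod() {
    f=$1; rc=0
    gv=$(gomod_go_version "$f")
    if [ -z "$gv" ] || ! version_ge "$gv" "$MIN_GO"; then
        echo "go directive '${gv:-missing}' is below $MIN_GO"; rc=1
    fi
    for entry in $MIN_DEPS; do
        mod=${entry%%=*}; min=${entry#*=}
        have=$(gomod_dep_version "$f" "$mod")
        [ -n "$have" ] || continue   # module not required here; nothing to check
        if ! version_ge "$have" "$min"; then
            echo "$mod $have is below $min"; rc=1
        fi
    done
    return $rc
}

# Constructed go.mod samples: the state before and after this PR's bumps
sample_gomod_before() {
    cat <<'EOF'
module example.com/constructed

go 1.23.1

require (
    github.com/cloudflare/circl v1.3.7
    github.com/go-git/go-git/v5 v5.12.0
    golang.org/x/crypto v0.28.0
    golang.org/x/sys v0.26.0 // indirect
)
EOF
}

sample_gomod_after() {
    cat <<'EOF'
module example.com/constructed

go 1.24.13

require (
    github.com/cloudflare/circl v1.6.3
    github.com/go-git/go-git/v5 v5.16.5
    golang.org/x/crypto v0.45.0
    golang.org/x/sys v0.26.0 // indirect
)
EOF
}

# Demo: write both samples to a temp dir and run the gate on each
tmp=$(mktemp -d)
sample_gomod_before > "$tmp/before.mod"
sample_gomod_after > "$tmp/after.mod"
for m in before after; do
    if check_gomod "$tmp/$m.mod"; then
        echo "$m.mod: OK"
    else
        echo "$m.mod: FAIL"
    fi
done
rm -rf "$tmp"
```

Run it as `sh check_gomod.sh` for the demo, or call `check_gomod go.mod` from a CI step so the build fails if a later change regresses the `go` directive or one of the bumped modules. The gate is deliberately independent of govulncheck: it does not replace a vulnerability scan, but it keeps the floors this PR fixed from silently drifting back, and `sort -V` handles the multi-digit patch component (1.24.13) that a plain string compare would misorder.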
socket-security bot commented Mar 14, 2026

JayT106 and others added 2 commits March 13, 2026 20:34
- e2e Dockerfile: set GOTOOLCHAIN=auto so Go 1.23 base image
  auto-downloads Go 1.24.13 toolchain required by go.mod
- DOCKER/Dockerfile: bump golang base from 1.23-alpine to 1.24-alpine
- test/docker/Dockerfile: bump golang base from 1.23 to 1.24

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JayT106 JayT106 self-assigned this Mar 14, 2026
@JayT106 JayT106 requested a review from songgaoye March 14, 2026 00:51