chore(deps): bump dependencies and pin Go toolchain to 1.26.4 #492

Merged: ericfitz merged 2 commits into main from chore/deps-bump-toolchain-1.26.4 on Jun 23, 2026
@ericfitz

Owner

Summary

Routine dependency maintenance on main plus a Go toolchain pin that resolves outstanding stdlib vulnerabilities.

Changes

Dependency bump (ea66021d):

  • Go: github.com/oapi-codegen/runtime v1.4.1 → v1.4.2 (patch)
  • Node/pnpm: @redocly/cli 2.31.4 → 2.34.0 (minor, dev tooling)

Go toolchain pin (2cc85e05):

  • Adds toolchain go1.26.4 to go.mod. With GOTOOLCHAIN=auto (local and CI via go-version-file: go.mod), builds now use go1.26.4, fixing:
    • GO-2026-5037 (crypto/x509: inefficient candidate hostname parsing)
    • GO-2026-5039 (net/textproto: unescaped input in errors)
  • govulncheck ./... now reports no vulnerabilities.

Verification

  • make build-server
  • make test-unit → 1096 passed, 0 failed ✅
  • make lint → 0 issues ✅
  • govulncheck ./... → no vulnerabilities ✅

🤖 Generated with Claude Code

ericfitz and others added 2 commits June 23, 2026 01:46
Go:
- github.com/oapi-codegen/runtime v1.4.1 -> v1.4.2 (patch)

Node/pnpm:
- @redocly/cli 2.31.4 -> 2.34.0 (minor, dev)

Held for manual review:
- Go stdlib GO-2026-5039 (net/textproto), GO-2026-5037 (crypto/x509):
  fixed in go1.26.4 toolchain; requires toolchain upgrade, not a dep bump
- github.com/golang/protobuf: excluded per CLAUDE.md (deprecated transitive)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Adds `toolchain go1.26.4` to go.mod. With GOTOOLCHAIN=auto (local and CI
via go-version-file: go.mod), builds now use go1.26.4, which fixes:
- GO-2026-5037 (crypto/x509: inefficient candidate hostname parsing)
- GO-2026-5039 (net/textproto: unescaped input in errors)

govulncheck ./... now reports no vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ericfitz ericfitz merged commit b7d8f6a into main Jun 23, 2026
7 checks passed
@ericfitz ericfitz deleted the chore/deps-bump-toolchain-1.26.4 branch June 23, 2026 12:33
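
The toolchain pin described in this PR can be enforced as a CI guard so that a later edit to go.mod cannot silently drop below the fixed release. The following is an added example, not code from this repository: it reads go.mod text and checks that the `toolchain` directive (or the `go` directive when no toolchain line exists) is at least a required floor. The function names and the sample go.mod are assumptions, and release-candidate versions are rejected rather than compared.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// pinnedToolchain returns the toolchain directive, else "go"+<go directive>, else "".
func pinnedToolchain(gomod string) (pin string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comment
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "toolchain" {
			return f[1]
		} else if len(f) == 2 && f[0] == "go" {
			pin = "go" + f[1]
		}
	}
	return pin
}

// key maps "go1.26.4" to 1026004; rc/beta or other suffixes yield -1.
func key(v string) int {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if !strings.HasPrefix(v, "go") || len(parts) > 3 {
		return -1
	}
	k := 0
	for i, w := 0, 1000000; i < len(parts); i, w = i+1, w/1000 {
		n, err := strconv.Atoi(parts[i])
		if err != nil || n < 0 || n > 999 {
			return -1
		}
		k += n * w
	}
	return k
}

// meetsFloor fails closed: an unparsable pin or floor counts as not meeting it.
func meetsFloor(gomod, floor string) bool {
	have, want := key(pinnedToolchain(gomod)), key(floor)
	return have >= 0 && want >= 0 && have >= want
}

func main() {
	// Constructed go.mod: module path and go line are placeholders.
	sample := "module example.invalid/m\n\ngo 1.26.0\n\ntoolchain go1.26.4\n"
	fmt.Println(pinnedToolchain(sample), meetsFloor(sample, "go1.26.4"))
}
```
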