fix: 🔒 bump Go toolchain to 1.26.4 (CVE-2026-42504)#132
Open
GuilhermeBorges wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the Go toolchain pinned by the go.mod toolchain directive to ensure builds use a patched Go stdlib version addressing the referenced CVE, without changing module semantics or dependencies.
Changes:
- Bump
toolchainingo.modfromgo1.26.2togo1.26.4.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
AlexandreYang
approved these changes
Jun 30, 2026
| go 1.25.6 | ||
|
|
||
| toolchain go1.26.2 | ||
| toolchain go1.26.4 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bump the
go.modtoolchain directive fromgo1.26.2→go1.26.4.Why
The synthetics-worker PROD Grype scan flagged CVE-2026-42504 (High) in the Go
stdlib, fixed in ≥1.25.11 or ≥1.26.4.While
.go-versionis already1.25.11(patched), thego.modtoolchain go1.26.2directive forces builds up to 1.26.2 on any runner — which is < 1.26.4 and therefore still vulnerable on the 1.26.x line. Bumping the toolchain togo1.26.4ensures the released binary is built with a patched stdlib.golang.org/x/netis already atv0.55.0(covers CVE-2026-39821 + CVE-2026-33814), so no dependency change is needed here.Verification
go build ./...✅ (GOTOOLCHAIN=go1.26.4)go test ./...✅ all packages passFollow-up
Once this is released, the synthetics-worker
TRACEROUTE_VERSIONpin (currently 1.0.17) should be bumped to the new release to ship the patched binary.