Skip to content

fix: 🔒 bump Go toolchain to 1.26.4 (CVE-2026-42504)#132

Open
GuilhermeBorges wants to merge 1 commit into
mainfrom
vuln-fix/go-toolchain-1.26.4-2026-06-24
Open

fix: 🔒 bump Go toolchain to 1.26.4 (CVE-2026-42504)#132
GuilhermeBorges wants to merge 1 commit into
mainfrom
vuln-fix/go-toolchain-1.26.4-2026-06-24

Conversation

@GuilhermeBorges

Copy link
Copy Markdown

What

Bump the go.mod toolchain directive from go1.26.2go1.26.4.

Why

The synthetics-worker PROD Grype scan flagged CVE-2026-42504 (High) in the Go stdlib, fixed in ≥1.25.11 or ≥1.26.4.

While .go-version is already 1.25.11 (patched), the go.mod toolchain go1.26.2 directive forces builds up to 1.26.2 on any runner — which is < 1.26.4 and therefore still vulnerable on the 1.26.x line. Bumping the toolchain to go1.26.4 ensures the released binary is built with a patched stdlib.

golang.org/x/net is already at v0.55.0 (covers CVE-2026-39821 + CVE-2026-33814), so no dependency change is needed here.

Verification

  • go build ./... ✅ (GOTOOLCHAIN=go1.26.4)
  • go test ./... ✅ all packages pass

Follow-up

Once this is released, the synthetics-worker TRACEROUTE_VERSION pin (currently 1.0.17) should be bumped to the new release to ship the patched binary.

@GuilhermeBorges GuilhermeBorges marked this pull request as ready for review June 29, 2026 12:51
Copilot AI review requested due to automatic review settings June 29, 2026 12:51
@GuilhermeBorges GuilhermeBorges requested review from a team as code owners June 29, 2026 12:51

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Go toolchain pinned by the go.mod toolchain directive to ensure builds use a patched Go stdlib version addressing the referenced CVE, without changing module semantics or dependencies.

Changes:

  • Bump toolchain in go.mod from go1.26.2 to go1.26.4.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread go.mod
go 1.25.6

toolchain go1.26.2
toolchain go1.26.4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants