From 69978c34cdc2511c3ef670fdf75091cbb859a26a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 05:34:29 +0000 Subject: [PATCH 1/2] build(deps): bump golang from 1.26.3-alpine to 1.26.4-alpine Bumps golang from 1.26.3-alpine to 1.26.4-alpine. --- updated-dependencies: - dependency-name: golang dependency-version: 1.26.4-alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ac2ec47..85e89c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Stage 1: Build -FROM golang:1.26.3-alpine AS builder +FROM golang:1.26.4-alpine AS builder ARG VERSION=dev ARG COMMIT=none From 1d80f6e587619f672b30b9c20f66f50276761666 Mon Sep 17 00:00:00 2001 From: Olof Mattsson Date: Tue, 9 Jun 2026 09:59:59 +0200 Subject: [PATCH 2/2] build(go): bump cli/go.mod to 1.26.4 to clear GO-2026-5037 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot's golang Dockerfile bump (1.26.3-alpine → 1.26.4-alpine) is exactly the upstream fix for the crypto/x509 hostname-parsing vuln (GO-2026-5037), but govulncheck on the CI runner reads its Go version from `actions/setup-go` with `go-version-file: cli/go.mod`, not from the Docker image. With the go directive still pinned at 1.26.3, the toolchain installed on the runner is 1.26.3 and govulncheck still flags the same vuln on every workflow run. Bumping the go directive lifts every CI job in lockstep (ci, security, live-tests, release all use `go-version-file: cli/go.mod`). Verified locally with go1.26.4: go build ./... clean go vet ./... clean govulncheck ./... No vulnerabilities found. Co-Authored-By: Claude Opus 4.7 --- cli/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/go.mod b/cli/go.mod index 27bc957..ca3f0d7 100644 
--- a/cli/go.mod +++ b/cli/go.mod @@ -1,6 +1,6 @@ module github.com/omattsson/stackctl/cli -go 1.26.3 +go 1.26.4 require ( github.com/gorilla/websocket v1.5.3
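Review bot: In the Dockerfile hunk of PATCH 1/2, the new `FROM golang:1.26.4-alpine AS builder` line still references the builder image by a mutable tag, so the image actually pulled can change without any diff showing up in this repository. Consider pinning the digest alongside the tag, in the form `FROM golang:1.26.4-alpine@sha256:<digest> AS builder` with the digest of the image you verified. Dependabot keeps digest pins updated in the same way it updates tags, and the build stage becomes reproducible.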
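Review bot: In the cli/go.mod hunk of PATCH 2/2, `go 1.26.4` now has to be kept in step by hand with the `FROM golang:1.26.4-alpine` tag in the Dockerfile, and nothing in either patch stops the two from drifting apart again on the next Dependabot image bump, which is the situation the commit message describes. Consider adding a CI step that extracts the version from the `FROM golang:` line and from the `go` directive and fails when they differ, or a comment next to each pointing at the other. Note also that the `go` line is the minimum version required of anyone building the module, so this patch-level bump applies to local builds as well as to the runner.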