fix(deps): bump Go toolchain to 1.26.4 for CVE-2026-42504 #108

Merged: ashiramin merged 1 commit into main from aa/fix-cve-2026-42504-go-1.26.4 on Jun 8, 2026

Conversation

@ashiramin (Contributor)

Automated triage of the failed Trivy scan run.

Auto-applied fixes (1)

| CVE | Severity | Package | From | To | File(s) |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-42504 | HIGH | stdlib (Go toolchain) | 1.26.3 | 1.26.4 | docker/Dockerfile (×2), agent/go.mod, scaffold/go/go.mod, sdks/go/go.mod |

The CVE is in the Go standard library compiled into the agent binary. Trivy reads the
stdlib version from the binary, which is set by the Go compiler installed via
GOLANG_VERSION in the Dockerfile. Patch-level bump on the same minor line (1.26.x),
lowest fixed version ≥ installed — minimal blast radius. The go directives in all
three modules are bumped to match (mirrors #101 which bumped them together to 1.26.3).

Verification

  • go build ./... in sdks/go passes on go1.26.4.
  • agent/ build error (.generated/proto/... missing) is pre-existing — that dir is
    gitignored codegen output, unrelated to this bump.
  • scaffold/go/go.mod is a Go template ({{.ProjectName}}); only the go directive changed.

Draft so a human marks ready. CI on this PR validates the bump before merge.

Resolves HIGH CVE-2026-42504 in the Go stdlib (installed v1.26.3,
fixed in 1.26.4). Bumps GOLANG_VERSION in both Dockerfile stages and
the `go` directive in the agent, scaffold, and SDK modules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
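As an added example (not part of this PR or the project's own code): a small Go check that pulls every Dockerfile `GOLANG_VERSION` (one per stage) and every go.mod `go` directive, flags any value below the fixed version, and flags the files disagreeing with each other, which is the drift a per-stage ENV invites. The file paths and contents are constructed samples, not the repository's files.

```go
package main

import (
	"fmt"
	"regexp"
)

// Matches a Dockerfile "ENV GOLANG_VERSION=x.y.z" (one per stage) or a go.mod "go x.y.z" directive.
var versionRe = regexp.MustCompile(`(?m)^(?:[ \t]*ENV[ \t]+GOLANG_VERSION=|go[ \t]+)(\S+)`)

// parseVersion maps "1.26.4" (or "1.26") to one comparable integer; ok is false if major.minor is unreadable.
func parseVersion(v string) (int, bool) {
	var major, minor, patch int
	read, _ := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch, read >= 2
}

// Findings lists each toolchain version in files (path -> content) that is below
// fixed, then one line if the files do not all agree on a single version.
func Findings(files map[string]string, fixed string) []string {
	want, ok := parseVersion(fixed)
	if !ok {
		return []string{"malformed fixed version " + fixed}
	}
	var out []string
	distinct := map[string]bool{}
	for path, content := range files {
		for i, m := range versionRe.FindAllStringSubmatch(content, -1) {
			distinct[m[1]] = true
			if got, ok := parseVersion(m[1]); !ok || got < want {
				out = append(out, fmt.Sprintf("%s (match %d): %s is below fixed %s", path, i+1, m[1], fixed))
			}
		}
	}
	if len(distinct) > 1 {
		out = append(out, "toolchain versions disagree across files")
	}
	return out
}

// Constructed sample inputs, not the project's real files: the Dockerfile's
// runtime stage was missed while the build stage and go.mod were bumped.
var sampleFiles = map[string]string{
	"docker/Dockerfile": "FROM golang:1.26 AS build\nENV GOLANG_VERSION=1.26.4\nFROM debian:bookworm-slim\nENV GOLANG_VERSION=1.26.3\n",
	"agent/go.mod":      "module example.com/agent\n\ngo 1.26.4\n",
}

func main() { fmt.Println(Findings(sampleFiles, "1.26.4")) }
```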
@ashiramin ashiramin marked this pull request as ready for review June 8, 2026 02:31
@ashiramin ashiramin requested a review from shawnburke June 8, 2026 02:31
Comment thread docker/Dockerfile

# Install Go (needed by scaffold apps that build on top of this image)
ENV GOLANG_VERSION=1.26.3
ENV GOLANG_VERSION=1.26.4
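Review bot: the same `ENV GOLANG_VERSION` line is repeated per stage (the table lists docker/Dockerfile ×2), so a future bump can update one stage and miss the other; consider declaring `ARG GOLANG_VERSION=1.26.4` once before the first `FROM` and re-declaring `ARG GOLANG_VERSION` in each stage that sets the ENV, so a single line carries the version. Note also that the Trivy finding comes from the stdlib version compiled into the agent binary, so it is the build stage's compiler that closes the CVE; the copy in the runtime stage only matters for scaffold apps that build on top of this image, as the comment above it says.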

Collaborator

do we need this in here twice? not sure what the rules are for multi-stage builds.

Contributor Author

yeah I think for every stage it resets the env so need it for compile and runtime separately

@ashiramin ashiramin merged commit 07d3261 into main Jun 8, 2026
17 checks passed
@ashiramin ashiramin deleted the aa/fix-cve-2026-42504-go-1.26.4 branch June 8, 2026 03:08