From 2c773f96abefb313d866f9005e62e030c235e247 Mon Sep 17 00:00:00 2001 From: Farjaad Rawasia Date: Tue, 7 Jul 2026 16:14:39 -0400 Subject: [PATCH 1/3] fix: bump toolchain to go1.26.5 to address stdlib security vulnerabilities --- src/go.mod | 4 ++-- src/go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/go.mod b/src/go.mod index a936859..155ae6f 100644 --- a/src/go.mod +++ b/src/go.mod @@ -2,7 +2,7 @@ module github.com/opslevel/opslevel-runner go 1.26.0 -toolchain go1.26.2 +toolchain go1.26.5 require ( github.com/contribsys/faktory v1.9.4 @@ -278,7 +278,7 @@ require ( golang.org/x/crypto v0.52.0 // indirect golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect golang.org/x/mod v0.35.0 // indirect - golang.org/x/net v0.54.0 // indirect + golang.org/x/net v0.55.0 // indirect golang.org/x/oauth2 v0.36.0 // indirect golang.org/x/sync v0.20.0 // indirect golang.org/x/sys v0.45.0 // indirect diff --git a/src/go.sum b/src/go.sum index 623be3b..f7c0f86 100644 --- a/src/go.sum +++ b/src/go.sum @@ -674,8 +674,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w= -golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ= +golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8= +golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww= golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From b2f9f155d43b9e0fe1e77c9e2bb304ade8ce335d Mon Sep 17 00:00:00 2001 From: Farjaad Rawasia Date: Tue, 7 Jul 2026 16:16:29 -0400 Subject: [PATCH 2/3] chore: add changie for toolchain bump to go1.26.5 --- .changes/unreleased/Security-20260707-000000.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changes/unreleased/Security-20260707-000000.yaml diff --git a/.changes/unreleased/Security-20260707-000000.yaml b/.changes/unreleased/Security-20260707-000000.yaml new file mode 100644 index 0000000..8e07b26 --- /dev/null +++ b/.changes/unreleased/Security-20260707-000000.yaml @@ -0,0 +1,3 @@ +kind: Security +body: Bump Go toolchain from go1.26.2 to go1.26.5 (fixes GO-2026-4977, GO-2026-4986, GO-2026-4918, GO-2026-4971, GO-2026-4981, GO-2026-5037, GO-2026-5038, GO-2026-5026) +time: 2026-07-07T00:00:00.000000Z From f452366be38b111aca61af1d79b8397b0632e6fa Mon Sep 17 00:00:00 2001 From: Farjaad Rawasia Date: Tue, 7 Jul 2026 16:32:53 -0400 Subject: [PATCH 3/3] fix: bump toolchain to go1.26.4 (one week cooloff on go1.26.5) --- .changes/unreleased/Security-20260707-000000.yaml | 2 +- src/go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.changes/unreleased/Security-20260707-000000.yaml b/.changes/unreleased/Security-20260707-000000.yaml index 8e07b26..02863ec 100644 --- a/.changes/unreleased/Security-20260707-000000.yaml +++ b/.changes/unreleased/Security-20260707-000000.yaml @@ -1,3 +1,3 @@ kind: Security -body: Bump Go toolchain from go1.26.2 to go1.26.5 (fixes GO-2026-4977, GO-2026-4986, GO-2026-4918, GO-2026-4971, GO-2026-4981, GO-2026-5037, GO-2026-5038, GO-2026-5026) +body: Bump Go toolchain from go1.26.2 to go1.26.4 (fixes GO-2026-4977, GO-2026-4986, GO-2026-4918, GO-2026-4971, GO-2026-4981, GO-2026-5037, GO-2026-5038, GO-2026-5026) time: 2026-07-07T00:00:00.000000Z diff --git a/src/go.mod b/src/go.mod index 155ae6f..dcea291 100644 --- a/src/go.mod +++ b/src/go.mod @@ -2,7 +2,7 @@ module github.com/opslevel/opslevel-runner go 1.26.0 -toolchain go1.26.5 +toolchain go1.26.4 require ( github.com/contribsys/faktory v1.9.4