Upgrade to go-1.25.8 #8100

Merged: bbrks merged 2 commits into main from ci-go-vulncheck on Mar 9, 2026
@torcolvin (Collaborator)

Fixes for CVEs to silence govulncheck. These don't really affect Sync Gateway meaningfully.

Covers Sync Gateway tests only:

  • GO-2026-4603 URLs in meta content attribute actions are not escaped in html/template

No impact:

  • GO-2026-4602 FileInfo can escape from a Root in os
    Doesn't affect Sync Gateway since Sync Gateway doesn't collect metadata.

Low impact:

  • GO-2026-4601 Incorrect parsing of IPv6 host literals in net/url
    This is used by oidc code but it is very unlikely to configure an IPv6 literal and not DNS.

Fixes for CVEs to silence vuln checking:

Covers Sync Gateway tests only:

- GO-2026-4603 URLs in meta content attribute actions are not escaped in html/template

No impact:

- GO-2026-4602 FileInfo can escape from a Root in os
  Doesn't affect Sync Gateway since Sync Gateway doesn't collect metadata.

Low impact:

- GO-2026-4601 Incorrect parsing of IPv6 host literals in net/url
  This is used by oidc code but it is very unlikely to configure an IPv6 literal and not DNS.
@torcolvin torcolvin requested a review from bbrks March 9, 2026 14:45
Copilot AI review requested due to automatic review settings March 9, 2026 14:45
Copilot AI (Contributor) left a comment

Pull request overview

Updates the Go toolchain patch version used by Sync Gateway’s CI and build manifest to address Go CVEs flagged by govulncheck.

Changes:

  • Bump GitHub Actions CI Go version from 1.25.7 to 1.25.8.
  • Bump manifest/default.xml Go version in product-config.json from 1.25.7 to 1.25.8.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| manifest/product-config.json | Updates the default manifest’s go_version to 1.25.8 for production builds. |
| .github/workflows/ci.yml | Updates CI to install/use Go 1.25.8 via actions/setup-go. |

@torcolvin torcolvin changed the title Upgrade to go-1.25.7 Upgrade to go-1.25.8 Mar 9, 2026
@bbrks bbrks merged commit 92b6a1c into main Mar 9, 2026
68 of 69 checks passed
@bbrks bbrks deleted the ci-go-vulncheck branch March 9, 2026 17:05
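
The PR description rates GO-2026-4601 as low impact because an OIDC issuer is unlikely to be configured with an IPv6 literal. One way to confirm that for a given deployment is sketched below as an added example; it is not Sync Gateway code. The function names and sample issuer URLs are constructed for illustration, and the authority is split by hand so the audit does not depend on the net/url parser the advisory concerns.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// authorityHost returns host[:port] from a URL's authority without using net/url.
func authorityHost(raw string) string {
	_, rest, ok := strings.Cut(raw, "://")
	if !ok {
		return "" // no scheme: not an absolute URL
	}
	if i := strings.IndexAny(rest, "/?#"); i >= 0 {
		rest = rest[:i] // cut path, query and fragment
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		rest = rest[i+1:] // drop userinfo
	}
	return rest
}

// UsesIPv6Literal reports whether the host is a bracketed literal and whether it is well formed.
func UsesIPv6Literal(raw string) (literal, wellFormed bool) {
	host := authorityHost(raw)
	if !strings.HasPrefix(host, "[") {
		return false, false
	}
	end := strings.Index(host, "]")
	if end < 0 {
		return true, false // opening bracket never closed
	}
	addr, err := netip.ParseAddr(host[1:end])
	tail := host[end+1:] // must be empty or ":port"
	return true, err == nil && addr.Is6() && (tail == "" || strings.HasPrefix(tail, ":"))
}

func main() {
	// Constructed sample issuer URLs, not taken from any real configuration.
	for _, u := range []string{
		"https://idp.example.com/realms/sg",
		"https://[2001:db8::1]:8443/realms/sg",
		"https://[2001:db8::zz]/realms/sg",
	} {
		lit, ok := UsesIPv6Literal(u)
		fmt.Printf("%-40s ipv6_literal=%v well_formed=%v\n", u, lit, ok)
	}
}
```

Any configured URL reported with `ipv6_literal=true` is one where the net/url fix in this upgrade is relevant to the deployment.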