From cef941bf854b9987a8a3e12ed8a6a16b35d376c9 Mon Sep 17 00:00:00 2001 
From: William Fisher Date: Thu, 23 Oct 2025 15:24:05 +0100 Subject: [PATCH] go.mod: vulnerabilities: bump go version to 1.23.12 for (#2077) `govulncheck` detects some vulnerabilities from the current builds that are resolved by bumping the minor Go version to `.12`. I have kept the major version the same. On current `main`: $ go build -o athens ./cmd/proxy/main.go $ govulncheck -mode binary ./athens === Symbol Results === Vulnerability #1: GO-2025-3956 Unexpected paths returned from LookPath in os/exec More info: https://pkg.go.dev/vuln/GO-2025-3956 Standard library Found in: os/exec@go1.23.5 Fixed in: os/exec@go1.23.12 Vulnerable symbols found: #1: exec.LookPath Vulnerability #2: GO-2025-3849 Incorrect results returned from Rows.Scan in database/sql More info: https://pkg.go.dev/vuln/GO-2025-3849 Standard library Found in: database/sql@go1.23.5 Fixed in: database/sql@go1.23.12 Vulnerable symbols found: #1: sql.Row.Scan #2: sql.Rows.Scan Vulnerability #3: GO-2025-3751 Sensitive headers not cleared on cross-origin redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3751 Standard library Found in: net/http@go1.23.5 Fixed in: net/http@go1.23.10 Vulnerable symbols found: #1: http.Client.Do #2: http.Client.Get #3: http.Client.Head #4: http.Client.Post #5: http.Client.PostForm Vulnerability #4: GO-2025-3563 Request smuggling due to acceptance of invalid chunked data in net/http More info: https://pkg.go.dev/vuln/GO-2025-3563 Standard library Found in: net/http/internal@go1.23.5 Fixed in: net/http/internal@go1.23.8 Vulnerable symbols found: #1: internal.chunkedReader.Read Your code is affected by 4 vulnerabilities from the Go standard library. This scan also found 0 vulnerabilities in packages you import and 2 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. 
After version bump: $ go build -o athens ./cmd/proxy/main.go $ govulncheck -mode=binary ./athens === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 2 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details.
---
 Dockerfile.test | 2 +-
 appveyor.yml | 2 +-
 docker-compose.yml | 6 +++---
 go.mod | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Dockerfile.test b/Dockerfile.test
index 346fb6f9..46180044 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.23.5
+ARG GOLANG_VERSION=1.23.12
 FROM golang:$GOLANG_VERSION
 RUN echo $GOLANG_VERSION
diff --git a/appveyor.yml b/appveyor.yml
index 6310c2db..6f4b97e7 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -10,7 +10,7 @@ environment:
 GOPROXY: https://proxy.golang.org
 SKIP_UNTIL_113: true
-stack: go 1.23.5
+stack: go 1.23.12
 test_script:
 - go version
diff --git a/docker-compose.yml b/docker-compose.yml
index 535d1157..d754ddb7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 context: .
 dockerfile: cmd/proxy/Dockerfile
 args:
- GOLANG_VERSION: "1.23.5"
+ GOLANG_VERSION: "1.23.12"
 environment:
 - ATHENS_MONGO_STORAGE_URL=mongodb://mongo:27017
 - TIMEOUT=20 # in case the mongo dependency takes longer to start up
@@ -20,7 +20,7 @@ services:
 context: .
 dockerfile: Dockerfile.test
 args:
- GOLANG_VERSION: "1.23.5"
+ GOLANG_VERSION: "1.23.12"
 command: ["./scripts/test_unit.sh"]
 environment:
 - GO_ENV=test
@@ -36,7 +36,7 @@ services:
 context: .
 dockerfile: Dockerfile.test
 args:
- GOLANG_VERSION: "1.23.5"
+ GOLANG_VERSION: "1.23.12"
 command: ["./scripts/test_e2e.sh"]
 azurite:
 image: arafato/azurite:2.6.5
diff --git a/go.mod b/go.mod
index 0aa7dff5..43564342 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/gomods/athens
-go 1.23.5
+go 1.23.12
 require (
 cloud.google.com/go/storage v1.45.0