mirror of
https://github.com/gomods/athens
synced 2026-02-03 11:00:32 +00:00
go.mod: vulnerabilities: bump go version to 1.23.12 for (#2077)
`govulncheck` detects some vulnerabilities from the current builds that
are resolved by bumping the minor Go version to `.12`. I have kept the
major version the same.
On current `main`:
$ go build -o athens ./cmd/proxy/main.go
$ govulncheck -mode binary ./athens
=== Symbol Results ===
Vulnerability #1: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
More info: https://pkg.go.dev/vuln/GO-2025-3956
Standard library
Found in: os/exec@go1.23.5
Fixed in: os/exec@go1.23.12
Vulnerable symbols found:
#1: exec.LookPath
Vulnerability #2: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
More info: https://pkg.go.dev/vuln/GO-2025-3849
Standard library
Found in: database/sql@go1.23.5
Fixed in: database/sql@go1.23.12
Vulnerable symbols found:
#1: sql.Row.Scan
#2: sql.Rows.Scan
Vulnerability #3: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3751
Standard library
Found in: net/http@go1.23.5
Fixed in: net/http@go1.23.10
Vulnerable symbols found:
#1: http.Client.Do
#2: http.Client.Get
#3: http.Client.Head
#4: http.Client.Post
#5: http.Client.PostForm
Vulnerability #4: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3563
Standard library
Found in: net/http/internal@go1.23.5
Fixed in: net/http/internal@go1.23.8
Vulnerable symbols found:
#1: internal.chunkedReader.Read
Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
After version bump:
$ go build -o athens ./cmd/proxy/main.go
$ govulncheck -mode=binary ./athens
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
+3
-3
@@ -5,7 +5,7 @@ services:
context: .
dockerfile: cmd/proxy/Dockerfile
args:
GOLANG_VERSION: "1.23.5"
GOLANG_VERSION: "1.23.12"
environment:
- ATHENS_MONGO_STORAGE_URL=mongodb://mongo:27017
- TIMEOUT=20 # in case the mongo dependency takes longer to start up
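Review bot: the build arg for the proxy image is bumped here while the commit title says go.mod, but the diffstat (+3 -3) shows only the three compose lines changed; either bump the `go` directive in go.mod in the same change (the stdlib findings govulncheck reported depend on the toolchain the binary is actually built with) or reword the title so the record matches the diff. If cmd/proxy/Dockerfile declares a default for `ARG GOLANG_VERSION`, it should move to "1.23.12" as well, otherwise a build that does not go through this compose file stays on the vulnerable toolchain.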
@@ -20,7 +20,7 @@ services:
context: .
dockerfile: Dockerfile.test
args:
GOLANG_VERSION: "1.23.5"
GOLANG_VERSION: "1.23.12"
command: ["./scripts/test_unit.sh"]
environment:
- GO_ENV=test
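Review bot: this is the same version literal repeated a second time (and a third time in the e2e service below); define it once, e.g. `GOLANG_VERSION: "${GOLANG_VERSION:-1.23.12}"` backed by a single `.env` entry, so the proxy, unit-test and e2e images cannot drift apart on the next bump. The commit message shows govulncheck being run by hand; wiring `govulncheck -mode=binary` into `./scripts/test_unit.sh` or the CI pipeline would catch this class of finding automatically instead of relying on someone remembering to run it.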
@@ -36,7 +36,7 @@ services:
context: .
dockerfile: Dockerfile.test
args:
GOLANG_VERSION: "1.23.5"
GOLANG_VERSION: "1.23.12"
command: ["./scripts/test_e2e.sh"]
azurite:
image: arafato/azurite:2.6.5
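Review bot: the e2e image bump is consistent with the other two services, but the govulncheck output quoted in the commit message still reports 2 vulnerabilities in required modules that the binary does not appear to call; a toolchain bump does not touch those, so they should be recorded (`govulncheck -show verbose`) or tracked in a follow-up, otherwise the "No vulnerabilities found" symbol result gets read as a clean bill for the whole module graph.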