From 5bb20fcb42c47fd70732835584d8e18f51f66df6 Mon Sep 17 00:00:00 2001 From: CMGS Date: Mon, 29 Jun 2026 14:59:55 +0800 Subject: [PATCH] =?UTF-8?q?chore(deps):=20bump=20go=20directive=201.25.6?= =?UTF-8?q?=20=E2=86=92=201.26.4=20(clears=202=20stdlib=20vulns)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI builds via `go-version-file: go.mod`, so the toolchain version is the `go` directive. govulncheck flagged two reachable Go stdlib vulnerabilities fixed in go1.26.4: - GO-2026-5039 net/textproto (unescaped inputs in errors) — reached via utils.DoAPI → textproto.ReadMIMEHeader on the local hypervisor API socket. - GO-2026-5037 crypto/x509 (inefficient hostname parsing) — reached via snapshot Export → x509 Verify/VerifyHostname. Both low severity (trusted local peer / registry TLS), but bumping the build toolchain clears them. After: govulncheck reports 0 vulnerabilities. build/vet/lint (darwin+linux) + race tests green on go1.26.4. --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 26f31d29..22706a53 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cocoonstack/cocoon -go 1.25.6 +go 1.26.4 require ( github.com/cocoonstack/cocoon-agent v0.1.1-0.20260505130343-db13d35d7b13