fix: bump Go to 1.25.8 to resolve stdlib vulnerabilities (backport #2845)#2936
mergify[bot] wants to merge 1 commit into v0.39.x-celestia from
Conversation
## Summary

- Bumps Go from 1.25.7 to 1.25.8 to fix 5 standard library vulnerabilities flagged by govulncheck in CI
- Updates `go.mod` and `test/e2e/docker/Dockerfile`

### Vulnerabilities resolved

| ID | Package | Description |
|----|---------|-------------|
| GO-2026-4603 | `html/template` | URLs in meta content attribute actions are not escaped |
| GO-2026-4602 | `os` | FileInfo can escape from a Root |
| GO-2026-4601 | `net/url` | Incorrect parsing of IPv6 host literals |
| GO-2026-4600 | `crypto/x509` | Panic in name constraint checking for malformed certificates |
| GO-2026-4599 | `crypto/x509` | Incorrect enforcement of email constraints |

## Test plan

- [ ] CI govulncheck job passes
- [ ] All existing tests pass with Go 1.25.8

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

(cherry picked from commit 2cae1c2)
| - Bump Go version from 1.25.7 to 1.26.1 to fix 5 stdlib vulnerabilities | ||
| (GO-2026-4599, GO-2026-4600, GO-2026-4601, GO-2026-4602, GO-2026-4603). |
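Review bot: the changelog entry records a bump from 1.25.7 to 1.26.1, while the PR title and summary describe a bump to 1.25.8 that resolves GO-2026-4599 through GO-2026-4603; one of the two is wrong, and a reader of the changelog cannot tell which toolchain the release actually requires. Make the entry match the `go` directive that is actually committed, and use the `- [module] \#xxx Description (@contributor)` form the contributing guide calls for.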
🟡 Changelog filename missing required issue/PR number prefix
Both CONTRIBUTING.md and CLAUDE.md explicitly require changelog entry filenames to follow the pattern {issue-or-pr-number}-{description}.md. The file is named bump-go-1.26.1.md without an issue or PR number prefix. For example, the correct name would be 2936-bump-go-1.26.1.md (using the PR number). Other changelog entries in the repo consistently follow this pattern (e.g. 2913-mempool-user-tx-latency-metric.md in .changelog/unreleased/improvements/).
Prompt for agents
The changelog file at .changelog/unreleased/bug-fixes/bump-go-1.26.1.md needs to be renamed to include the issue or PR number as a prefix, per the conventions in CONTRIBUTING.md and CLAUDE.md. For example, if this is PR #2936, rename the file to 2936-bump-go-1.26.1.md. Additionally, the content should follow the prescribed format: - [module] \#xxx Description (@contributor). For a Go version bump, the module might be [build] or [deps].
| module github.com/cometbft/cometbft | ||
|
|
||
| go 1.25.7 | ||
| go 1.26.1 |
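Review bot: the `go` directive moves from 1.25.7 to 1.26.1, a new minor release rather than the 1.25.8 patch release the title and summary describe. A minor bump raises the language version for the whole module and can change compiler and vet behaviour (the replacement PR described below had to fix two `%q` format strings that Go 1.26's stricter `go vet` rejects), so either retitle the PR and changelog to match 1.26.1 or keep the patch-level bump the summary promises, and confirm that the listed GO-2026-46xx advisories are fixed in whichever version is chosen.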
🔴 Go version bump not applied to three other Dockerfiles, breaking their builds
The go.mod now requires go 1.26.1, but three other Dockerfiles still reference golang:1.25-alpine, which resolves to Go 1.25.x (less than the required 1.26.1). Since Go enforces the minimum version from the go directive in go.mod, these Docker images will either need to auto-download a newer toolchain at build time (wasteful and fragile) or will fail to build if toolchain auto-download is disabled. The affected files are: DOCKER/Dockerfile:3 (ARG GOLANG_BASE_IMAGE=golang:1.25-alpine), DOCKER/Dockerfile.testing:1 (FROM golang:1.25-alpine), and test/docker/Dockerfile:1 (FROM golang:1.25-alpine). Only test/e2e/docker/Dockerfile was updated.
Prompt for agents
The Go version was bumped to 1.26.1 in go.mod and test/e2e/docker/Dockerfile, but three other Dockerfiles still reference golang:1.25-alpine and need to be updated to golang:1.26-alpine (or golang:1.26.1-alpine for a pinned version):
1. DOCKER/Dockerfile line 3: Change ARG GOLANG_BASE_IMAGE=golang:1.25-alpine to ARG GOLANG_BASE_IMAGE=golang:1.26-alpine
2. DOCKER/Dockerfile.testing line 1: Change FROM golang:1.25-alpine to FROM golang:1.26-alpine
3. test/docker/Dockerfile line 1: Change FROM golang:1.25-alpine to FROM golang:1.26-alpine
Note: DOCKER/Dockerfile.testing and test/docker/Dockerfile use Alpine images but run apt-get (Debian commands), which is a separate pre-existing issue.
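A CI guard for the drift described in the comment above, written here as an added example and not celestia-core's own tooling: it reads the `go` directive from go.mod and fails when any Dockerfile's golang base image is an older major.minor. The go.mod and Dockerfile contents are constructed samples.

```shell
#!/bin/sh
# Added CI guard (not celestia-core's own code): fail when a Dockerfile's golang
# base image is older than the `go` directive in go.mod, the drift the review
# comment above found (go.mod at 1.26.1, three Dockerfiles on golang:1.25-alpine).

# Print the version from the go.mod `go` directive, e.g. "1.26.1".
gomod_go_version() {
  awk '$1 == "go" { print $2; exit }' "$1"
}

# Print the Go version from the first golang image reference in a Dockerfile,
# covering both "FROM golang:1.25-alpine" and "ARG GOLANG_BASE_IMAGE=golang:1.25-alpine".
dockerfile_go_version() {
  grep -oE 'golang:[0-9]+\.[0-9]+(\.[0-9]+)?' "$1" | head -n1 | cut -d: -f2
}

# Return 0 when image version $1 satisfies go.mod version $2. Only major.minor is
# compared: a floating tag like golang:1.26-alpine tracks the newest 1.26.x patch.
image_satisfies_gomod() {
  img_major=${1%%.*}; r=${1#*.}; img_minor=${r%%.*}
  mod_major=${2%%.*}; r=${2#*.}; mod_minor=${r%%.*}
  if [ "$img_major" -gt "$mod_major" ]; then return 0; fi
  if [ "$img_major" -eq "$mod_major" ] && [ "$img_minor" -ge "$mod_minor" ]; then return 0; fi
  return 1
}

# Check every Dockerfile given after the go.mod path; list offenders, return 1 if any.
check_dockerfiles() {
  gomod=$1; shift
  want=$(gomod_go_version "$gomod")
  status=0
  for df in "$@"; do
    have=$(dockerfile_go_version "$df")
    [ -z "$have" ] && continue            # no golang base image in this file
    if ! image_satisfies_gomod "$have" "$want"; then
      echo "$df: golang:$have is older than the go.mod requirement $want"
      status=1
    fi
  done
  return $status
}

# Constructed sample tree reproducing the mismatch (not the repository's files).
tmp=$(mktemp -d)
printf 'module example.invalid/m\n\ngo 1.26.1\n' > "$tmp/go.mod"
printf 'FROM golang:1.25-alpine\n' > "$tmp/Dockerfile.stale"
printf 'ARG GOLANG_BASE_IMAGE=golang:1.26-alpine\n' > "$tmp/Dockerfile.fixed"
check_dockerfiles "$tmp/go.mod" "$tmp/Dockerfile.stale" "$tmp/Dockerfile.fixed" \
  || echo "Go version drift detected; align Dockerfiles with go.mod"
```

Run it from the repository root in CI with the real go.mod and Dockerfile paths; a non-zero exit marks the build red before an image is ever built.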
Closing: this backport only bumps Go to 1.26.1, which does not resolve the remaining govulncheck failures on v0.39.x-celestia. Opening a replacement PR that bumps Go to 1.26.2 along with go-git, grpc, x/net, and cloudflare/circl to a version set that passes govulncheck.
## Summary

- Bumps Go 1.25.7 → 1.26.2 and updates go-git, grpc, x/net, and cloudflare/circl to resolve all vulnerabilities currently flagged by `govulncheck` on `v0.39.x-celestia`.
- Fixes two `%q` format strings on `int` values flagged by Go 1.26's stricter `go vet` (`ws_handler_test.go`, `test/e2e/pkg/testnet.go`).
- Replaces #2936, which only bumped to 1.26.1 and did not resolve govulncheck.
- Related: #2924 (backport audit tracking issue).

### Vulnerabilities resolved

| ID | Package | Fixed in |
|----|---------|----------|
| GO-2026-4947 | `crypto/x509` | go1.26.2 |
| GO-2026-4946 | `crypto/x509` | go1.26.2 |
| GO-2026-4870 | `crypto/tls` | go1.26.2 |
| GO-2026-4866 | `crypto/x509` | go1.26.2 |
| GO-2026-4865 | `html/template` | go1.26.2 |
| GO-2026-4910 | `github.com/go-git/go-git/v5` | v5.17.1 |
| GO-2026-4909 | `github.com/go-git/go-git/v5` | v5.17.1 |
| GO-2026-4762 | `google.golang.org/grpc` | v1.79.3 |
| GO-2026-4559 | `golang.org/x/net` | v0.51.0 |
| GO-2026-4550 | `github.com/cloudflare/circl` | v1.6.3 |

### Files changed

- `go.mod` / `go.sum` — Go version + dep bumps
- `DOCKER/Dockerfile`, `DOCKER/Dockerfile.testing`, `test/docker/Dockerfile`, `test/e2e/docker/Dockerfile`, `scripts/proto-gen.sh` — Go base image bumps
- `rpc/jsonrpc/server/ws_handler_test.go`, `test/e2e/pkg/testnet.go` — format string fixes for Go 1.26 `go vet`
- `.changelog/unreleased/bug-fixes/bump-go-1.26.2-and-deps.md` — changelog entry

## Test plan

- [x] `govulncheck` passes
- [x] Build (amd64, linux) and Build (arm, linux) pass
- [ ] `golangci-lint` passes (format fixes pushed)
- [ ] Tests pass (flake in `TestStateOversizedBlock` may need retry)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This is an automatic backport of pull request #2845 done by [Mergify](https://mergify.com).