fix: bump Go to 1.26.2 and deps to resolve govulncheck failures #2943
rootulp merged 2 commits into v0.39.x-celestia from
Resolves all vulnerabilities currently flagged by govulncheck on v0.39.x-celestia:

- Go 1.25.7 → 1.26.2 (stdlib: crypto/x509, crypto/tls, html/template)
- go-git/v5 5.16.5 → 5.17.2
- google.golang.org/grpc 1.78.0 → 1.80.0
- golang.org/x/net 0.50.0 → 0.53.0
- cloudflare/circl 1.6.1 → 1.6.3 (indirect)

Dockerfiles and proto-gen.sh updated to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| - Bump Go to 1.26.2 and update go-git, grpc, x/net, and cloudflare/circl to | ||
| resolve stdlib and dependency vulnerabilities flagged by govulncheck. |
🟡 Changelog filename missing required issue/PR number prefix
The changelog file is named bump-go-1.26.2-and-deps.md but both CONTRIBUTING.md and CLAUDE.md require the format {issue-or-pr-number}-{description}.md. The file should be prefixed with the PR number (e.g., 2943-bump-go-1.26.2-and-deps.md). Other changelog entries in the repo follow this convention, e.g., .changelog/unreleased/improvements/2913-mempool-user-tx-latency-metric.md.
Prompt for agents
The changelog file needs to be renamed to include the PR number prefix per the CONTRIBUTING.md and CLAUDE.md conventions. The required format is {issue-or-pr-number}-{description}.md. Rename .changelog/unreleased/bug-fixes/bump-go-1.26.2-and-deps.md to .changelog/unreleased/bug-fixes/2943-bump-go-1.26.2-and-deps.md (assuming PR #2943). Also update the content to follow the required entry format: - [module] \#xxx description (@contributor). For example: - [deps] \#2943 Bump Go to 1.26.2 and update go-git, grpc, x/net, and cloudflare/circl to resolve stdlib and dependency vulnerabilities flagged by govulncheck.
| - Bump Go to 1.26.2 and update go-git, grpc, x/net, and cloudflare/circl to | ||
| resolve stdlib and dependency vulnerabilities flagged by govulncheck. |
🟡 Changelog entry content missing required format (module tag, PR number, contributor)
The changelog entry does not follow the required format specified in CONTRIBUTING.md: - [module] \#xxx Some description of the change (@contributor). The current entry is missing the [module] tag, the \#xxx PR/issue reference, and the (@contributor) attribution. Compare with the properly formatted entry at .changelog/unreleased/improvements/2913-mempool-user-tx-latency-metric.md which uses - [mempool] \#2913 Add UserTxLatency histogram metric....
| - Bump Go to 1.26.2 and update go-git, grpc, x/net, and cloudflare/circl to | |
| resolve stdlib and dependency vulnerabilities flagged by govulncheck. | |
| - [deps] \#2943 Bump Go to 1.26.2 and update go-git, grpc, x/net, and | |
| cloudflare/circl to resolve stdlib and dependency vulnerabilities flagged by | |
| govulncheck. | |
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Overriding approvals b/c CI fails on all the mergify backport PRs because of this
Summary

- govulncheck on v0.39.x-celestia.
- %q format strings on int values flagged by Go 1.26's stricter go vet (ws_handler_test.go, test/e2e/pkg/testnet.go).

Vulnerabilities resolved

- crypto/x509
- crypto/x509
- crypto/tls
- crypto/x509
- html/template
- github.com/go-git/go-git/v5
- github.com/go-git/go-git/v5
- google.golang.org/grpc
- golang.org/x/net
- github.com/cloudflare/circl

Files changed

- go.mod / go.sum — Go version + dep bumps
- DOCKER/Dockerfile, DOCKER/Dockerfile.testing, test/docker/Dockerfile, test/e2e/docker/Dockerfile, scripts/proto-gen.sh — Go base image bumps
- rpc/jsonrpc/server/ws_handler_test.go, test/e2e/pkg/testnet.go — format string fixes for Go 1.26 go vet
- .changelog/unreleased/bug-fixes/bump-go-1.26.2-and-deps.md — changelog entry

Test plan

- govulncheck passes
- golangci-lint passes (format fixes pushed)
- TestStateOversizedBlock may need retry)
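
An added example, not code from this PR or its repository: a small Go check that reports go.mod entries pinned below the versions this PR bumps to, which a backport branch could run before CI reaches govulncheck. The names `floors`, `key` and `BelowFloor` and the sample go.mod text are constructed for illustration; pre-release and build suffixes are ignored when comparing.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Floors: the versions this PR bumps to, copied from its commit message.
var floors = map[string]string{
	"go":                          "1.26.2",
	"github.com/go-git/go-git/v5": "v5.17.2",
	"google.golang.org/grpc":      "v1.80.0",
	"golang.org/x/net":            "v0.53.0",
	"github.com/cloudflare/circl": "v1.6.3",
}

// key turns "v1.2.3" or "1.2.3" into a zero-padded string that sorts in version
// order; suffixes such as "-rc1" or "+incompatible" are dropped.
func key(v string) string {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%09d.%09d.%09d", n[0], n[1], n[2])
}

// BelowFloor (hypothetical helper) lists go.mod entries pinned below their floor.
func BelowFloor(gomod string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		f := append(strings.Fields(line), "", "") // pad so f[0], f[1] exist
		if want, ok := floors[f[0]]; ok && key(f[1]) < key(want) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", f[0], f[1], want))
		}
	}
	return bad
}

func main() { // constructed input, not the repository's go.mod
	fmt.Println(BelowFloor("go 1.25.7\nrequire golang.org/x/net v0.50.0\n"))
}
```

A version floor only catches the modules listed in it; govulncheck remains the authoritative check because it matches call paths against the vulnerability database.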