From b7c7161c9e2ba1a366f205cc0b85989f5471a6cc Mon Sep 17 00:00:00 2001
From: abtreece
Date: Tue, 26 May 2026 21:34:06 -0500
Subject: [PATCH 1/2] chore: bump Go toolchain to 1.26.3
Patches 5 HIGH stdlib CVEs flagged by Trivy in Docker security-scan (CVE-2026-33811, 33814, 39820, 39836, 42499). All dependabot PRs were failing security-scan against the v1.26.2 stdlib. Updates go.mod toolchain, .tool-versions, Dockerfile.build, 5 workflow setup-go pins, and matching docs (README, development, docker, installation).
---
 .github/workflows/codecov.yml | 2 +-
 .github/workflows/cross-platform.yml | 2 +-
 .github/workflows/e2e-tests.yml | 2 +-
 .github/workflows/integration-tests.yml | 8 ++++----
 .github/workflows/release.yml | 2 +-
 .tool-versions | 2 +-
 CHANGELOG | 1 +
 README.md | 2 +-
 docker/Dockerfile.build | 2 +-
 docs/development.md | 12 ++++++------
 docs/docker.md | 2 +-
 docs/installation.md | 4 ++--
 go.mod | 2 +-
 13 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 07b608ea5..d20a9ef7f 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -22,7 +22,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Run go test for coverage run: go test -vet=off ./... -race -coverprofile=coverage.out -covermode=atomic
diff --git a/.github/workflows/cross-platform.yml b/.github/workflows/cross-platform.yml
index 4a932bd12..3dc91f3e9 100644
--- a/.github/workflows/cross-platform.yml
+++ b/.github/workflows/cross-platform.yml
@@ -24,7 +24,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Run unit tests run: go test -mod=vendor ./pkg/... ./cmd/...
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 065d903be..07709633f 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -17,7 +17,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Run E2E Tests run: go test -v -tags=e2e -timeout 15m ./test/e2e/...
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 4c0ba9361..b063457db 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -26,7 +26,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Build and Install run: |
@@ -107,7 +107,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Build and Install run: |
@@ -176,7 +176,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Build and Install run: |
@@ -235,7 +235,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: "1.26.2" + go-version: "1.26.3" - name: Build and Install run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a725adc31..47e2c0ecf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.26.2' + go-version: '1.26.3' - name: Set up QEMU uses: docker/setup-qemu-action@v4
diff --git a/.tool-versions b/.tool-versions
index 05a23a62c..8fb890341 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1 @@
-golang 1.26.2
+golang 1.26.3
diff --git a/CHANGELOG b/CHANGELOG
index e7633d803..09b543eab 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/dynamodb from 1.55.0 to 1.57.3 (#596)
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/acm from 1.38.1 to 1.38.3 (#597)
 * chore: bump Go from 1.25 to 1.26 in build infra (Dockerfile, workflows)
+* chore: bump Go toolchain to 1.26.3 to patch stdlib CVEs (CVE-2026-33811, 33814, 39820, 39836, 42499)
 ### v0.41.1 (2026-04-22)
diff --git a/README.md b/README.md
index 962718eaf..54defef7c 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ See [Docker documentation](docs/docker.md) for complete usage including Docker C
 ### Building from Source
-Go 1.26.2 is required to build confd. The module uses `go 1.26` for language compatibility and `toolchain go1.26.2` to pin the expected patch-level toolchain.
+Go 1.26.3 is required to build confd. The module uses `go 1.26` for language compatibility and `toolchain go1.26.3` to pin the expected patch-level toolchain.
 ```bash
 git clone https://github.com/abtreece/confd.git
diff --git a/docker/Dockerfile.build b/docker/Dockerfile.build
index 951e2fb11..2a1973b55 100644
--- a/docker/Dockerfile.build
+++ b/docker/Dockerfile.build
@@ -1,7 +1,7 @@
 # Multi-stage build Dockerfile for CI testing
 # Builds confd from source and produces a minimal runtime image
-FROM golang:1.26.2-alpine AS builder
+FROM golang:1.26.3-alpine AS builder
 # Install build dependencies
 RUN apk add --no-cache git make
diff --git a/docs/development.md b/docs/development.md
index 05550636d..eb9118d9d 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -20,11 +20,11 @@ This guide covers setting up a development environment, building, testing, and d
 | Tool | Version | Purpose |
 |------|---------|---------|
-| Go | 1.26.2 | Build and test |
+| Go | 1.26.3 | Build and test |
 | golangci-lint | latest | Linting |
 | make | any | Build automation |
-The `go.mod` file keeps the language version at `go 1.26` and pins the expected patch-level compiler with `toolchain go1.26.2`. Keep `.tool-versions`, CI `setup-go` entries, Docker build images, and documentation aligned with that toolchain version.
+The `go.mod` file keeps the language version at `go 1.26` and pins the expected patch-level compiler with `toolchain go1.26.3`. Keep `.tool-versions`, CI `setup-go` entries, Docker build images, and documentation aligned with that toolchain version.
 ### Optional Tools
@@ -43,9 +43,9 @@ brew install go golangci-lint goreleaser
 **Linux:**
 ```bash
-# Go 1.26.2
-wget https://go.dev/dl/go1.26.2.linux-amd64.tar.gz
-sudo tar -C /usr/local -xzf go1.26.2.linux-amd64.tar.gz
+# Go 1.26.3
+wget https://go.dev/dl/go1.26.3.linux-amd64.tar.gz
+sudo tar -C /usr/local -xzf go1.26.3.linux-amd64.tar.gz
 export PATH=$PATH:/usr/local/go/bin
 # golangci-lint
@@ -71,7 +71,7 @@ This creates `bin/confd` with the Git SHA embedded via ldflags.
 ```bash
 ./bin/confd --version
-# Output: confd 0.40.0-rc.1 (Git SHA: abc1234, Go Version: go1.26.2)
+# Output: confd 0.40.0-rc.1 (Git SHA: abc1234, Go Version: go1.26.3)
 ```
 ### Project Structure
diff --git a/docs/docker.md b/docs/docker.md
index a13567020..a60a0879f 100644
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -321,7 +321,7 @@ CMD ["consul", "--node", "http://consul:8500", "--watch"]
 ### Multi-stage Build from Source
 ```dockerfile
-FROM golang:1.26.2-alpine AS builder
+FROM golang:1.26.3-alpine AS builder
 RUN apk add --no-cache git make
 WORKDIR /src
diff --git a/docs/installation.md b/docs/installation.md
index 5da105235..dc08312e8 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -147,7 +147,7 @@ RUN CONFD_ARCH=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
 #### Building from Source
-Building from source requires the Go 1.26.2 toolchain. The module declares `go 1.26` for language compatibility and `toolchain go1.26.2` for the expected compiler patch version.
+Building from source requires the Go 1.26.3 toolchain. The module declares `go 1.26` for language compatibility and `toolchain go1.26.3` for the expected compiler patch version.
 ```bash
 make build
@@ -167,7 +167,7 @@ docker build -t confd:local -f docker/Dockerfile.build .
 Include confd in your own Docker image using a multi-stage build:
 ```dockerfile
-FROM golang:1.26.2-alpine AS confd-builder
+FROM golang:1.26.3-alpine AS confd-builder
 RUN apk add --no-cache git
 WORKDIR /src
diff --git a/go.mod b/go.mod
index 3ed72e56c..de4fc10d2 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/abtreece/confd
 go 1.26
-toolchain go1.26.2
+toolchain go1.26.3
 require (
 github.com/BurntSushi/toml v1.6.0
From bc27053507b66ded1aaf72f576762e104a5f5d67 Mon Sep 17 00:00:00 2001
From: abtreece
Date: Tue, 26 May 2026 21:43:02 -0500
Subject: [PATCH 2/2] chore: spell out full CVE IDs in CHANGELOG entry
Address Copilot review feedback on #617: list each CVE with the full CVE-2026- prefix so they're individually searchable.
---
 CHANGELOG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 09b543eab..c82c505e3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,7 +6,7 @@
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/dynamodb from 1.55.0 to 1.57.3 (#596)
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/acm from 1.38.1 to 1.38.3 (#597)
 * chore: bump Go from 1.25 to 1.26 in build infra (Dockerfile, workflows)
-* chore: bump Go toolchain to 1.26.3 to patch stdlib CVEs (CVE-2026-33811, 33814, 39820, 39836, 42499)
+* chore: bump Go toolchain to 1.26.3 to patch stdlib CVEs (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499)
 ### v0.41.1 (2026-04-22)