chore(deps): bump Go module dependencies #1002
Open
cpcloud wants to merge 3 commits into
Ran `go get -u ./cmd/micasa` + `go mod tidy`. Notable bumps: mcp-go v0.49.0 -> v0.52.0, anthropic-sdk-go v1.38.0 -> v1.42.0, ollama v0.21.2 -> v0.23.0, chroma/v2 v2.23.1 -> v2.24.1, plus grpc/genai/api and golang.org/x/* patch bumps and modernc.org/sqlite v1.50.0 -> v1.50.1. Held ollama below v0.23.1: that release raises its `go` directive to 1.26.0, which would propagate to micasa's go.mod and trip osv-scanner on stdlib CVEs the pinned Nix toolchain (1.26.2) can't fully resolve. Held invopop/jsonschema at v0.13.0: v0.14.0 swaps its ordered-map library and breaks anthropic-sdk-go v1.42.0. Refreshed nix vendorHash.
Go 1.26.3 fixes six stdlib vulnerabilities govulncheck now flags as reachable: GO-2026-4918 (net/http/internal/http2 infinite loop), GO-2026-4971 (net Dial/LookupPort panic on Windows), GO-2026-4977 and GO-2026-4986 (net/mail quadratic concatenation), GO-2026-4980 and GO-2026-4982 (html/template escaper bypass XSS). Updates the scoped patchedGo override in nix/overlay.nix; drop it once nixpkgs ships 1.26.3.
…riends

golangci-lint 2.12.x flags new issues across the tree: goconst (repeated string literals), the govet `inline` analyzer (reflect.Ptr alias), and modernize (slices.Backward). This commit clears the internal/data, internal/locale, and internal/sqlfmt slice plus the cross-tree quick wins:

- reflect.Ptr -> reflect.Pointer (form_filepicker.go, defaults.go)
- backward index loops -> slices.Backward (migrate.go, sqlite/migrator.go, llm/prompt.go)
- drop //nolint:gosec directives that newer gosec no longer needs (chat.go, extraction.go)
- extract repeated literals into constants: SQLite affinities (colTypeInteger/colTypeText), the USD currency fallback, the SELECT keyword, the duration/default-tag "now"/"today" sentinels, and the seed-data document types, MIME types, category names, and filenames; reuse existing ColName/ColNotes/ColTitle for column-name map keys
- exclude _test.go from goconst (test fixtures legitimately repeat strings), extending the existing per-file exclusion

goconst still flags ~50 literals in internal/sync, internal/app, internal/claudecli, internal/llm, internal/extract, internal/relay, and internal/config; those are a follow-up.
Summary

- `go get -u ./cmd/micasa` + `go mod tidy`: mcp-go v0.49.0 → v0.52.0, anthropic-sdk-go v1.38.0 → v1.42.0, ollama v0.21.2 → v0.23.0, chroma/v2 v2.23.1 → v2.24.1, plus grpc/genai/api, `golang.org/x/*` patch bumps, and modernc.org/sqlite v1.50.0 → v1.50.1.
- `ollama/ollama` below v0.23.1: that release raises its `go` directive to `1.26.0`, which would propagate into micasa's `go.mod` and trip osv-scanner on stdlib CVEs the pinned Nix toolchain (1.26.2) can't fully resolve. v0.23.0 still declares `go 1.24.1`, so the `go 1.26` directive is unchanged.
- `invopop/jsonschema` at v0.13.0: v0.14.0 swaps its ordered-map library (`wk8/go-ordered-map` → `pb33f/ordered-map`) and breaks `anthropic-sdk-go` v1.42.0.
- `vendorHash`.

Verified locally: `go build ./...`, `go test -shuffle=on ./...`, `nix build '.#micasa'`, `nix run '.#osv-scanner'` (clean), `nix run '.#deadcode'` (clean).
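The hold on ollama described above turns on how Go orders version strings: the release `1.26.0` sorts after the bare language version `1.26`, so a dependency declaring it raises the main module's `go` line. The following is an added example, not code from this PR or from micasa, that checks this with the standard `go/version` package. It assumes constructed go.mod texts that carry the directive values quoted above, and `example.invalid/micasa` is a placeholder module path.

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// goDirective returns the version on the `go` line of a go.mod text, or "" if absent.
func goDirective(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// raisesGoLine reports whether a dependency whose go.mod declares depGo
// would force the main module's go line (mainGo) upward.
func raisesGoLine(mainGo, depGo string) bool {
	return version.Compare("go"+depGo, "go"+mainGo) > 0
}

// Constructed go.mod texts; the placeholder module path is an assumption.
const mainMod = "module example.invalid/micasa\n\ngo 1.26\n"

var candidates = []struct{ name, gomod string }{
	{"ollama v0.23.0", "module github.com/ollama/ollama\n\ngo 1.24.1\n"},
	{"ollama v0.23.1", "module github.com/ollama/ollama\n\ngo 1.26.0\n"},
}

// heldBack lists the candidate upgrades that would raise the main go line.
func heldBack() []string {
	var out []string
	mainGo := goDirective(mainMod)
	for _, c := range candidates {
		if raisesGoLine(mainGo, goDirective(c.gomod)) {
			out = append(out, c.name)
		}
	}
	return out
}

func main() {
	fmt.Println("would raise go line:", heldBack())
}
```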