getcompanion-ai/computer-host
1
0
Fork 0
mirror of https://github.com/getcompanion-ai/computer-host.git synced 2026-04-14 22:03:17 +00:00
Code Issues 6 Projects Releases Packages Wiki Activity Actions

should move off Go 1.26.1 due to reachable stdlib vulns #5

New issue
Open
opened 2026-04-09 04:29:02 +00:00 by harivansh-afk · 0 comments
harivansh-afk commented 2026-04-09 04:29:02 +00:00
Owner
Copy link

A govulncheck pass against the current module and toolchain reports standard-library vulnerabilities in the Go version this repo targets today.

What I hit locally:

  • go.mod currently declares go 1.26.1
  • govulncheck ./... reported the following reachable stdlib advisories:
    • GO-2026-4947 in crypto/x509, fixed in Go 1.26.2
    • GO-2026-4946 in crypto/x509, fixed in Go 1.26.2
    • GO-2026-4870 in crypto/tls, fixed in Go 1.26.2
    • GO-2026-4866 in crypto/x509, fixed in Go 1.26.2

Representative traces from the scan reached:

  • main.go:71
  • internal/firecracker/api.go:230

Expected behavior:

  • The public host daemon repo should target a Go toolchain version with these standard-library fixes.

Suggested follow-up:

  • Bump the declared Go version and CI/runtime toolchain to 1.26.2 or newer.
  • Add govulncheck to the validation path so future stdlib advisories are caught quickly.
A `govulncheck` pass against the current module and toolchain reports standard-library vulnerabilities in the Go version this repo targets today. What I hit locally: - `go.mod` currently declares `go 1.26.1` - `govulncheck ./...` reported the following reachable stdlib advisories: - `GO-2026-4947` in `crypto/x509`, fixed in Go `1.26.2` - `GO-2026-4946` in `crypto/x509`, fixed in Go `1.26.2` - `GO-2026-4870` in `crypto/tls`, fixed in Go `1.26.2` - `GO-2026-4866` in `crypto/x509`, fixed in Go `1.26.2` Representative traces from the scan reached: - `main.go:71` - `internal/firecracker/api.go:230` Expected behavior: - The public host daemon repo should target a Go toolchain version with these standard-library fixes. Suggested follow-up: - Bump the declared Go version and CI/runtime toolchain to `1.26.2` or newer. - Add `govulncheck` to the validation path so future stdlib advisories are caught quickly.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: getcompanion-ai/computer-host#5
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?