Skip to content

SK-2871: fix outdated dependencies and security advisories#197

Open
Devesh-Skyflow wants to merge 1 commit into
release/26.6.25from
devesh/sk-2871-fix-outdated-dependencies
Open

SK-2871: fix outdated dependencies and security advisories#197
Devesh-Skyflow wants to merge 1 commit into
release/26.6.25from
devesh/sk-2871-fix-outdated-dependencies

Conversation

@Devesh-Skyflow

Copy link
Copy Markdown
Collaborator
  • Bump Go floor 1.23.0 -> 1.25.0 and pin toolchain go1.25.11 to pull in patched crypto/tls, crypto/x509 and html/template (CVE-2026-32283, CVE-2026-32280, CVE-2026-27142). 1.23/1.24 are EOL and never receive these fixes; 1.25 is the lowest security-supported line.
  • Upgrade golang.org/x/net v0.41.0 -> v0.56.0 (CVE-2026-33814, HIGH); x/sys, x/text, x/tools pulled forward by tidy.
  • Remove ghost dependency github.com/hetiansu5/urlquery (unimported).
  • Replace sirupsen/logrus with stdlib log/slog in utils/logger; public API (Debug/Info/Warn/Error/SetOutput/SetLogLevel, LogLevel constants) is unchanged. Only the log-line text format differs.

No source/API changes for consumers. Most consumers on the default GOTOOLCHAIN=auto pick up the new floor transparently.

- Bump Go floor 1.23.0 -> 1.25.0 and pin toolchain go1.25.11 to pull in
  patched crypto/tls, crypto/x509 and html/template (CVE-2026-32283,
  CVE-2026-32280, CVE-2026-27142). 1.23/1.24 are EOL and never receive
  these fixes; 1.25 is the lowest security-supported line.
- Upgrade golang.org/x/net v0.41.0 -> v0.56.0 (CVE-2026-33814, HIGH);
  x/sys, x/text, x/tools pulled forward by tidy.
- Remove ghost dependency github.com/hetiansu5/urlquery (unimported).
- Replace sirupsen/logrus with stdlib log/slog in utils/logger; public
  API (Debug/Info/Warn/Error/SetOutput/SetLogLevel, LogLevel constants)
  is unchanged. Only the log-line text format differs.

No source/API changes for consumers. Most consumers on the default
GOTOOLCHAIN=auto pick up the new floor transparently.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Gitleaks Findings: No secrets detected. Safe to proceed!

@github-actions

Copy link
Copy Markdown

GoSec Findings: No issues found, Good to merge.

@github-actions

Copy link
Copy Markdown

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.

@Devesh-Skyflow Devesh-Skyflow changed the base branch from main to release/26.6.25 June 25, 2026 03:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant