Skip to content

[release-2.8] deps: bump Go to 1.26.4 to address Snyk findings#2492

Merged
c-julin merged 1 commit into
release-2.8from
tb/snyk-go-1.26.4-release-2.8
Jun 11, 2026
Merged

[release-2.8] deps: bump Go to 1.26.4 to address Snyk findings#2492
c-julin merged 1 commit into
release-2.8from
tb/snyk-go-1.26.4-release-2.8

Conversation

@twmb

@twmb twmb commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

What

Backport of #2490 to release-2.8. Bumps backend/go.mod go directive to 1.26.4.

Why

Clears two stdlib HIGH Snyk findings still flagged on the release-2.8 branch (console(release-2.8):backend/go.mod):

Both fixed in go1.26.4. No go.sum changes.

🤖 Generated with Claude Code

Bumps backend/go.mod go directive to 1.26.4 to clear two stdlib HIGH
findings still present on the release-2.8 branch:

- CVE-2026-27145 / GO-2026-5037 - crypto/x509 resource exhaustion
- CVE-2026-42504 / GO-2026-5038 - net/mime resource exhaustion

Both fixed in go1.26.4. Backport of the master fix (#2490).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@c-julin c-julin merged commit 4f430a9 into release-2.8 Jun 11, 2026
4 of 6 checks passed
@c-julin c-julin deleted the tb/snyk-go-1.26.4-release-2.8 branch June 11, 2026 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants