Skip to content

chore(deps): update golang#48

Open
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang
Open

chore(deps): update golang#48
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang

Conversation

@scality-renovate

@scality-renovate scality-renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
go (source) golang patch 1.26.41.26.5
golang stage digest 792443bae5a231
mcr.microsoft.com/devcontainers/go final digest 232b16d638cb8e

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@scality-renovate
scality-renovate Bot requested a review from a team as a code owner June 29, 2026 04:06
@scality-renovate scality-renovate Bot added dependencies Pull requests that update a dependency file digest docker go Pull requests that update go code labels Jun 29, 2026
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

Dependency Bump Evaluation

Packages:

  • golang (build stage): digest 792443b -> f96cc55 (same golang:1.26 tag)
  • mcr.microsoft.com/devcontainers/go (devcontainer): digest 232b16d -> 638cb8e (same 1.26-trixie tag)

Bump type: Docker digest rotation (no semver change)

Changes:

  • Picks up the latest rebuild of both Go Docker images, which typically includes OS-level security patches and minor updates to the base layer
  • Go toolchain version remains 1.26 -- no compiler or stdlib changes

Breaking changes: None -- same Go version, same tags, only the underlying OS packages are refreshed

Security concerns: None -- digest rotations are the standard mechanism for receiving OS-level security patches in pinned Docker images. This is a positive security update.

Impact on codebase: No impact. The Dockerfile uses a multi-stage build: the golang:1.26 builder compiles a statically linked binary (CGO_ENABLED=0), which is then copied to a distroless/static:nonroot runtime image. OS-layer changes in the builder do not affect the final artifact. The devcontainer change only affects the development environment.

CI status: lint passed, test passed, build in progress

Recommendation: SAFE TO MERGE (once CI passes)

-- Claude Code

@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to 32c0e6e chore(deps): update golang:1.26 docker digest to f96cc55 Jun 30, 2026
@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to f96cc55 chore(deps): update golang Jul 2, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Dependency Bump Evaluation

Version change: Go 1.26.4 → 1.26.5 (patch)
Semver bump type: patch

Changes:

  • Security fix in crypto/tls: omit PSK in ECH outer client hello (#80175)
  • Security fix in os: Root escape via symlink plus trailing slash — CVE-2026-39822 (#79027)
  • Runtime bug fixes: moveSliceNoCap, AVX-512 SIGILL in GC span-scan, version parsing, concurrent map read/write on ppc64le, SIGSEGV in fork pre-exec with -race on darwin/arm64
  • os/signal: signal.NotifyContext error cause now correctly matches context.Canceled (#79499)
  • Tooling: go get fix with GOFIPS140, test caching fix with testing.T.Chdir
  • Docker base image digest updates (golang, devcontainers/go)

Breaking changes: None

Security concerns: Contains two security fixes (CVE-2026-39822 for os.Root path traversal, and a crypto/tls ECH/PSK fix). This codebase does not use os.Root/os.OpenRoot or crypto/tls directly, so neither vulnerability is exploitable through this adapter. Still, updating promptly is good practice.

Impact on codebase:

  • signal.NotifyContext is used in cmd/main.go — the bug fix (#79499) ensures the returned error cause correctly matches context.Canceled, which improves correctness of signal-driven shutdown
  • No usage of os.Root, os.OpenRoot, os.DirFS, or crypto/tls found
  • No other affected APIs detected

Recommendation: SAFE TO MERGE

Notes: Patch-only Go release with security and bug fixes, no breaking changes. All CI checks pass (lint ✅, test ✅, build ✅). The signal.NotifyContext fix is a minor correctness improvement for the adapter's shutdown path. Merge promptly to pick up the security fixes.

— Claude Code

@scality-renovate
scality-renovate Bot force-pushed the renovate/golang branch 2 times, most recently from d182e9e to bc40f30 Compare July 14, 2026 04:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file digest docker go Pull requests that update go code patch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants