chore(go): bump Go to 1.26.4 to resolve stdlib CVEs #149

Merged
lidavidm merged 2 commits into main from chore/bump-go-1.26.4 on Jun 11, 2026
Conversation

@zeroshade

Contributor

Summary

Builds the driver on Go 1.26.4 by bumping the go directive in go/go.mod. The release build job installs Go via setup-go with go-version-file: go/go.mod, so this one-line change rebuilds the shipped libadbc_driver_snowflake artifact on 1.26.4.

Validation of #138

Checked every CVE in #138 against current dependency versions via the OSV / Go vulnerability database:

  • All third-party dependencies are already fixed at the versions shipped in chore: update workflows, dependencies #139 (golang.org/x/crypto, x/net, x/sys, go.opentelemetry.io/otel, apache/thrift, aws-sdk-go-v2).
  • The only remaining items were the go/stdlib CVEs, because the build used the go 1.26.1 directive. Go 1.26.1 leaves all 15 stdlib CVEs from [Go] minor CVEs in ADBC driver #138 open (7 fixed in 1.26.2, 8 in 1.26.3).

Building on Go 1.26.4 clears all 15 stdlib CVEs from #138, plus 3 newer stdlib fixes that shipped in 1.26.4 (CVE-2026-27145, CVE-2026-42504, CVE-2026-42507). stdlib@1.26.4 reports zero known vulnerabilities.

Closes #138

Builds on Go 1.26.4 (resolved via setup-go go-version-file from go/go.mod) to clear the go/stdlib CVEs reported in #138. All third-party dependencies flagged in #138 were already addressed in #139.
@zeroshade zeroshade requested a review from lidavidm as a code owner June 11, 2026 19:19
zeroshade added a commit to adbc-drivers/dev that referenced this pull request Jun 11, 2026
## Summary

Bumps the manylinux builder image's Go toolchain from **1.26.1** to
**1.26.4** in `adbc_drivers_dev/.env`.

The `Docker Compose Build` workflow tags images as
`ghcr.io/adbc-drivers/dev:${MANYLINUX}-go${GO}`, so merging this (and
running the build with `push=true`) publishes a new
`manylinux2014-go1.26.4` image alongside the existing `go1.26.1` one.

## Why

`adbc-drivers/snowflake#149` bumps the Snowflake driver's `go/go.mod` to
`go 1.26.4` to clear stdlib CVEs. The shipped `.so` is compiled
**inside** the manylinux container, whose Go is pinned here. With the
container still on 1.26.1, the in-container build runs as `--user 1001`,
sees the `go 1.26.4` directive, and (under the default
`GOTOOLCHAIN=auto`) tries to auto-download the 1.26.4 toolchain into
`GOPATH=/go` — which it cannot create:

```
go: could not create module cache: mkdir /go: permission denied
```

Bumping the baked-in toolchain to 1.26.4 makes `GOTOOLCHAIN=auto`
resolve to the local toolchain (no download), so the build succeeds
**and** the artifact is genuinely compiled on 1.26.4.

## Follow-up

After this merges and the `manylinux2014-go1.26.4` image is pushed, the
consuming driver repos pick it up when their `pixi.lock` is re-pinned to
this commit.
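A pre-build check for exactly this failure mode, added here as an example and not code from the PR or from the adbc-drivers repositories: it reads the `go` directive from go.mod, compares it with the toolchain actually present in the image (queried with GOTOOLCHAIN=local so the query itself can never trigger a download), and fails with a clear message instead of the `mkdir /go: permission denied` the commit describes. The function names and the sample `go version` strings are my own.

```shell
#!/bin/sh
# Added example (not from the PR or the adbc-drivers repos): verify that the
# Go toolchain baked into a builder image satisfies the `go` directive in
# go.mod before building. Under GOTOOLCHAIN=auto a too-old toolchain would
# try to download the newer one into GOPATH (here /go), which fails in an
# unprivileged container; checking up front gives a clear error instead.

# Print the version from the `go` directive of the go.mod given as $1.
gomod_go_directive() {
    awk '$1 == "go" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# Return 0 when dotted version $1 is >= dotted version $2 (numeric per field,
# so 1.26.10 is newer than 1.26.9).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Check go.mod $1 against the installed toolchain. $2 is a `go version`
# line (useful for tests); when omitted it is read from the local toolchain
# only, since GOTOOLCHAIN=local never downloads another toolchain.
check_go_toolchain() {
    gomod=$1
    verline=${2:-$(GOTOOLCHAIN=local go version)} || return 2
    required=$(gomod_go_directive "$gomod") || {
        echo "no go directive found in $gomod" >&2; return 2; }
    # "go version go1.26.1 linux/amd64" -> "1.26.1"
    installed=$(printf '%s\n' "$verline" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p')
    if version_ge "$installed" "$required"; then
        echo "ok: image toolchain go$installed satisfies go $required"
    else
        echo "mismatch: go.mod requires go $required, image has go$installed" >&2
        return 1
    fi
}

# Usage inside the builder container: sh check_go_toolchain.sh go/go.mod
if [ $# -ge 1 ]; then check_go_toolchain "$1"; fi
```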

@lidavidm lidavidm left a comment

Contributor

You'll need to pixi add the new dev

Runs pixi update adbc-drivers-dev (pixi v0.63.2) to repin the dev tooling lock to adbc-drivers/dev@3abd1e7 (GO=1.26.4), which selects the ghcr.io/adbc-drivers/dev:manylinux2014-go1.26.4 builder image.

This makes the in-container Go toolchain match the 'go 1.26.4' directive in go.mod, so the c-shared build no longer triggers a toolchain auto-download into the non-writable GOPATH=/go (mkdir /go: permission denied).
@zeroshade

Contributor Author

Good call — regenerated go/pixi.lock via pixi update adbc-drivers-dev (with pixi v0.63.2 to match CI's pinned version and keep the lockfile at format v6) instead of hand-editing. It now pins adbc-drivers/dev@3abd1e7 (which includes the merged GO=1.26.4 bump from adbc-drivers/dev#194) and selects the ghcr.io/adbc-drivers/dev:manylinux2014-go1.26.4 builder image, so the in-container toolchain matches the go 1.26.4 directive.

For context: the new builder image is published, and an earlier run on this branch with the equivalent pin built all four platforms + tests + validate green (the mkdir /go: permission denied failure is gone). 3abd1e7 differs from that pin only by dev-repo workflow action bumps, so it's functionally identical.

@lidavidm lidavidm merged commit 6d58211 into main Jun 11, 2026
15 checks passed
@lidavidm lidavidm deleted the chore/bump-go-1.26.4 branch June 11, 2026 23:48

Development

Successfully merging this pull request may close these issues.

[Go] minor CVEs in ADBC driver