chore: bump Go to 1.26.4 and update dependencies#219
Conversation
- Bump go directive 1.24.0 -> 1.26.4 in all modules (root + 3 examples), clearing the stdlib advisories flagged by osv-scanner for 1.24.0. - Bump golang.org/x/crypto 0.46.0 -> 0.52.0 (x/sys 0.39.0 -> 0.45.0 via tidy), clearing GO-2026-5013/5017/5018/5019/5020. Test-only dependency, but bumped for downstream scanner hygiene. - Fix 4 printf vet errors (buf -> buf.String()) surfaced by the stricter printf analyzer at the new go directive, in shared_directory_test.go and socket_test.go. - Update CI matrix (build + test jobs) to ^1.26. Verified: go vet ./... clean, library + all 3 example modules build, and the codesigned VM integration suite passes (boots real Linux guests). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| module github.com/Code-Hex/vz/v3 | ||
|
|
||
| go 1.24.0 | ||
| go 1.26.4 |
There was a problem hiding this comment.
This forces anyone who wants to use Code-Hex/vz to switch to go 1.26.4 or newer, which can be complicated in some cases (eg IT controlled environment, …).
Imo it’s up to the modules using Code-Hex/vz to ensure they are using up to date go versions with no known vulnerability rather than Code-Hex/vz forcing them to do so. If Code-Hex/vz starts doing this, this means it will have to constantly update go 1.26.4 to the latest version.
I’d stick to 1.25.0 for this line as 1.25 is still supported (but you have to use latest 1.25 when building)
There was a problem hiding this comment.
it's a nice question to be decided, my daily work is in a high regulated it env and everyone is pushing closing cves to the max, but its really something that needs feedback
2 participants
Summary
Bumps the Go toolchain and dependencies to clear the stdlib and
golang.org/x/cryptoadvisories reported byosv-scanner, and updates CI accordingly.1.24.0→1.26.4in all modules (root + 3 examples). Clears the stdlib advisories osv-scanner flagged against the declared1.24.0version.golang.org/x/crypto0.46.0 → 0.52.0 (x/sys0.39.0 → 0.45.0 via tidy). ClearsGO-2026-5013/5017/5018/5019/5020. This is a test-only dependency (imported only invirtualization_test.goandinternal/testhelper/ssh.go;go mod whyreports the main module doesn't need it), bumped for downstream scanner hygiene.go vetprintf fixes (buf→buf.String()) inshared_directory_test.goandsocket_test.go. These were latent (%qon abytes.Buffervalue) and are surfaced by the stricter printf analyzer once thegodirective is raised; without the fixgo vet ./...fails CI.build+testjobs) updated to^1.26.Verification
Run locally on macOS arm64 with go1.26.4:
go vet ./...— cleango build ./...— library + all 3 example modules buildgo test -exec "go run cmd/codesign" .) — passes, boots real Linux guestsNotes
🤖 Generated with Claude Code