
[Snyk] Security upgrade golang from 1.18 to 1.26rc1#17

Open
snyk-io[bot] wants to merge 1 commit into master from snyk-fix-a2df1ad2135cf813ab2f10f3b5ecd0cc

Conversation

snyk-io bot commented Dec 18, 2025


Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile-secretmessage

We recommend upgrading to golang:1.26rc1, as this image has only 93 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Severity            Issue                 Snyk ID                        Score
high severity       Out-of-bounds Write   SNYK-DEBIAN11-GLIBC-5927133    823
high severity       Out-of-bounds Write   SNYK-DEBIAN11-GLIBC-5927133    823
high severity       Out-of-bounds Write   SNYK-DEBIAN11-GLIBC-5927133    823
high severity       Out-of-bounds Write   SNYK-DEBIAN11-GLIBC-5927133    823
critical severity   Link Following        SNYK-DEBIAN11-GIT-6846200      584

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Write


snyk-io bot commented Dec 18, 2025

Merge Risk: High

This major version upgrade for the Go language, from 1.18 to 1.26rc1, spans eight major releases and introduces significant changes to language semantics, the standard library, and runtime behavior. These changes require careful code review and testing to ensure compatibility.

Highlights:

  • Loop Variable Semantics: Go 1.22 changed how variables in for loops are handled. Each iteration now creates a new variable, which fixes a common bug but may break code (especially concurrent code) that relied on the previous behavior.
  • Timer/Ticker Behavior: Go 1.23 altered time.Timer and time.Ticker. They are now garbage collected if unused (even if not stopped) and use unbuffered channels, which can affect programs with specific timer logic.
  • Runtime & OS Changes: The upgrade introduces several environmental and tooling shifts. Go 1.25 makes GOMAXPROCS container-aware, potentially changing performance in containerized environments. Go 1.19 changed os/exec to no longer use relative paths for security reasons. Go 1.25 now requires macOS 12 Monterey or later.

Source: Go release documentation
Recommendation: Thoroughly review and test all code, paying special attention to for loops with goroutines, usage of time.Timer/Ticker, and applications deployed in containers. Update your go.mod file to go 1.26 and run go vet to identify potential issues related to these changes.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
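The loop-variable change the Merge Risk comment points at is the one item in that list that can silently alter program behaviour when the go.mod `go` directive moves past 1.21, so it is worth having a test that makes the difference observable. The following is an added Go example for this page; it is not code from this PR or from the project, and the function names (ObservedByClosure, ObservedByArgument, DependsOnLoopVarSemantics), the collector type and the sample input are assumptions constructed for the demonstration. It contrasts a goroutine that reads the loop variable through its closure (per-loop variable before Go 1.22, per-iteration variable from Go 1.22 on) with the portable form that passes the element as an argument, which behaves identically under both sets of semantics.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// collector is a small concurrency-safe sink for the values the goroutines
// below observe. It exists only so the example can be checked deterministically.
type collector struct {
	mu   sync.Mutex
	seen []string
}

func (c *collector) add(v string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.seen = append(c.seen, v)
}

// sorted returns a sorted copy so that goroutine scheduling order does not
// affect the comparison.
func (c *collector) sorted() []string {
	c.mu.Lock()
	defer c.mu.Unlock()
	out := append([]string(nil), c.seen...)
	sort.Strings(out)
	return out
}

// ObservedByClosure spawns one goroutine per item that reads the loop variable
// from the enclosing scope. With a go.mod directive of `go 1.21` or lower all
// goroutines share a single variable and commonly observe the final element
// (the race detector flags this). With `go 1.22` or later each iteration has
// its own variable, so every goroutine sees its own element. The result thus
// depends on the module's declared Go version, which is the merge risk here.
func ObservedByClosure(items []string) []string {
	var c collector
	var wg sync.WaitGroup
	for _, item := range items {
		wg.Add(1)
		go func() {
			defer wg.Done()
			c.add(item) // captured loop variable, semantics differ by go.mod version
		}()
	}
	wg.Wait()
	return c.sorted()
}

// ObservedByArgument passes the element to the goroutine as a parameter, so
// each goroutine owns its copy under both the old and the new semantics.
// The `item := item` shadowing idiom inside the loop body is equivalent.
func ObservedByArgument(items []string) []string {
	var c collector
	var wg sync.WaitGroup
	for _, item := range items {
		wg.Add(1)
		go func(v string) {
			defer wg.Done()
			c.add(v) // v is this goroutine's own copy
		}(item)
	}
	wg.Wait()
	return c.sorted()
}

// DependsOnLoopVarSemantics reports whether the closure form and the portable
// form disagree for the given input. Under `go 1.22`+ it returns false; under
// `go 1.21` it usually returns true, which is the Go 1.22 change made visible.
func DependsOnLoopVarSemantics(items []string) bool {
	a := ObservedByClosure(items)
	b := ObservedByArgument(items)
	if len(a) != len(b) {
		return true
	}
	for i := range a {
		if a[i] != b[i] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input for the demonstration.
	items := []string{"alpha", "bravo", "charlie"}
	fmt.Println("closure :", ObservedByClosure(items))
	fmt.Println("argument:", ObservedByArgument(items))
	fmt.Println("differs :", DependsOnLoopVarSemantics(items))
}
```

Running this with `go run -race` under the old and the new `go` directive in go.mod is a quick way to confirm which behaviour a module currently relies on before the directive is bumped; `go vet` (the check the comment recommends) reports the closure form through its loopclosure analyzer only for files still governed by a pre-1.22 Go version, so it will go quiet once go.mod says `go 1.26` even though the runtime behaviour has changed.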
