
[Snyk] Security upgrade golang from 1.18 to 1.26.0 #20

Open

snyk-io[bot] wants to merge 1 commit into master from snyk-fix-fd760e328535dda3cc20fb9e1e8bf87e

Conversation

snyk-io bot commented Feb 13, 2026


Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile-secretmessage

We recommend upgrading to golang:1.26.0, as this image has only 122 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue (score):

  • high severity Out-of-bounds Write, SNYK-DEBIAN11-GLIBC-5927133 (823)
  • high severity Out-of-bounds Write, SNYK-DEBIAN11-GLIBC-5927133 (823)
  • high severity Out-of-bounds Write, SNYK-DEBIAN11-GLIBC-5927133 (823)
  • high severity Out-of-bounds Write, SNYK-DEBIAN11-GLIBC-5927133 (823)
  • critical severity Link Following, SNYK-DEBIAN11-GIT-6846200 (582)

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Write

snyk-io bot (author) commented Feb 13, 2026

Merge Risk: Medium

This upgrade spans multiple major Go versions (1.18 to 1.26.0). While Go maintains a strong backward compatibility promise, this range introduces several significant behavioral changes and deprecations that require verification.

Key Changes Requiring Attention:

  • Language - for loop variable behavior (Go 1.22+): To prevent common bugs, variables declared in for loops are now created anew for each iteration. Code that relied on the previous behavior (where loop variables were created once and updated) may be impacted, especially in concurrent scenarios using goroutines that capture the loop variable.
  • Standard Library - Security & Behavior:
    • os/exec (Go 1.19+): For security reasons, the os/exec package no longer respects relative paths during PATH lookups. This could affect applications that rely on executing binaries from the current directory.
    • net/http.ServeMux (Go 1.22+): The HTTP router was enhanced with more expressive patterns (methods, wildcards). This introduces minor backward-incompatibilities in how routing patterns are matched and prioritized.
    • time.Timer & time.Ticker (Go 1.23+): The implementation was changed to fix memory leaks. Timers and tickers are now garbage collected if unstopped, and their underlying channels are now unbuffered. This can alter behavior for code that incorrectly relied on the previously buffered channel.
  • Platform & Runtime Support:
    • macOS Requirement (Go 1.25+): Support for macOS 11 Big Sur was dropped in Go 1.24, and Go 1.25 requires macOS 12 Monterey or newer.
    • Windows/ARM Port (Go 1.26): The broken 32-bit windows/arm port is fully removed in Go 1.26.
    • Container-aware GOMAXPROCS (Go 1.25+): On Linux, the runtime now considers cgroup CPU limits, which may alter the default GOMAXPROCS value in containerized environments.

Recommendation:
Given the number of subtle but important behavioral changes, a thorough testing cycle is essential. Pay special attention to concurrent code using loops, applications executing external commands, and HTTP server routing logic. Verify deployment environments meet the updated OS requirements.

Source: Go Release History

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
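The os/exec change the merge-risk note flags (Go 1.19+) is the one most likely to surface as a runtime failure after this base-image bump, so here is an added Go example (not part of this PR, the Snyk comment, or the project) that shows what a 1.18-era lookup now returns. It assumes a constructed, harmless "hello" script in a temporary directory and a PATH of "." to stand in for the legacy current-directory setup; ResolveCommand and SetupDemoDir are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ResolveCommand wraps exec.LookPath and surfaces the Go 1.19+ rule: a hit that
// resolves to a relative path (PATH holding "." or "") wraps exec.ErrDot.
func ResolveCommand(name string) (path string, relativeHit bool, err error) {
	path, err = exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		// Go 1.18 returned this same path with a nil error and ran it.
		return path, true, nil
	}
	return path, false, err // absolute hit (nil err) or ErrNotFound
}

// SetupDemoDir writes a constructed, harmless "hello" script into a fresh
// temporary directory and returns that directory (fixture for this example).
func SetupDemoDir() (string, error) {
	dir, err := os.MkdirTemp("", "errdot-demo")
	if err != nil {
		return "", err
	}
	script := []byte("#!/bin/sh\necho hello from the current directory\n")
	if err := os.WriteFile(filepath.Join(dir, "hello"), script, 0o755); err != nil {
		return "", err
	}
	return dir, nil
}

func main() {
	dir, err := SetupDemoDir()
	if err == nil {
		err = os.Chdir(dir)
	}
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, pathEnv := range []string{".", dir} { // legacy cwd lookup, then an absolute dir
		os.Setenv("PATH", pathEnv)
		p, rel, err := ResolveCommand("hello")
		fmt.Printf("PATH=%s -> %q relativeHit=%v err=%v\n", pathEnv, p, rel, err)
	}
}
```

A relativeHit of true is the case that worked silently under golang:1.18 and is refused by exec.Command under 1.19+ unless the caller clears cmd.Err explicitly; auditing the service built from Dockerfile-secretmessage for such lookups is the concrete follow-up to the note's "applications executing external commands".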
