
Bump Go toolchain to 1.26.4 to clear stdlib vuln (GO-2026-5037/5039) #77

Description

@Lillevang

Split out of #76 (self-upgrade retroactive spec) as a separate, independent item.

Context

The agent-init upgrade work in PR #73 introduced a net/http code path, which surfaced a pre-existing stdlib advisory flagged by check.sh: GO-2026-5037 / GO-2026-5039, fixed by moving the Go toolchain to 1.26.4. The advisory is not introduced by #73 — it was always present in the stdlib — but the new HTTP path makes the analyzer report it.

Task

  • Bump the Go toolchain to 1.26.4 (go.mod toolchain directive and any pinned version in CI / devcontainer).
  • Confirm check.sh runs clean afterward (advisory cleared).

Notes
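
A pin check that could accompany this task, as an added example that is not part of the issue or of the project's check.sh: it reads the go.mod toolchain directive and scans CI or devcontainer files for Go version pins below 1.26.4. The function names, the matched key names (go-version, GO_VERSION, golang:, /go:) and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not the project's check.sh): flag Go toolchain pins below REQUIRED.
REQUIRED="${REQUIRED:-1.26.4}"   # fixed toolchain version named in the issue

# version_ge A B: true when dotted version A >= B (a missing patch counts as 0).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# gomod_toolchain FILE: version from "toolchain goX.Y.Z", else from the "go" directive.
gomod_toolchain() {
  awk '$1 == "toolchain" { sub(/^go/, "", $2); t = $2 }
       $1 == "go"        { g = $2 }
       END               { print (t != "" ? t : g) }' "$1"
}

# stale_pins FILE...: print "file:line: version" for each pin below REQUIRED.
# The key names matched are common conventions (assumed), not taken from the project.
stale_pins() {
  for _f in "$@"; do
    grep -En 'go-version|GO_VERSION|golang:|/go:' "$_f" | while IFS= read -r _hit; do
      _ver=$(printf '%s\n' "${_hit#*:}" | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1)
      [ -n "$_ver" ] || continue
      version_ge "$_ver" "$REQUIRED" || printf '%s:%s: %s\n' "$_f" "${_hit%%:*}" "$_ver"
    done
  done
}

# check_pins GOMOD [FILE...]: return 0 only when every pin is at or above REQUIRED.
check_pins() {
  _gm=$1; shift; _rc=0
  _tc=$(gomod_toolchain "$_gm")
  version_ge "$_tc" "$REQUIRED" || { echo "$_gm: toolchain $_tc < $REQUIRED"; _rc=1; }
  _stale=$(stale_pins "$@")
  [ -z "$_stale" ] || { echo "$_stale"; _rc=1; }
  return "$_rc"
}

# Constructed sample input: go.mod already bumped, a CI workflow still pinned low.
demo() {
  _d=$(mktemp -d)
  printf 'module example.test/agent\n\ngo 1.26\n\ntoolchain go1.26.4\n' > "$_d/go.mod"
  printf 'steps:\n  - uses: actions/setup-go@v5\n    with:\n      go-version: "1.26.2"\n' > "$_d/ci.yml"
  check_pins "$_d/go.mod" "$_d/ci.yml"; _out=$?
  rm -rf "$_d"; return "$_out"
}

demo || echo "pins below $REQUIRED remain"
```

A pin written without a patch level (for example 1.26) is reported as stale, so the result only passes when every pin names the fixed release or later explicitly.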


Labels

area:security (Secrets, credentials, sandbox posture), enhancement (New feature or request)
