From 401ada0db41893e66e0e8f5233974ec5e3b013ac Mon Sep 17 00:00:00 2001 From: Damien Degois Date: Thu, 4 Jun 2026 14:39:39 +0200 Subject: [PATCH] fix(security): bump Go toolchain to 1.26.4, add govulncheck pre-commit hook MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GO-2026-5039 (net/textproto) and GO-2026-5037 (crypto/x509) are reachable from proxy.redirectFollowingTransport / mustLogger and fixed in go1.26.4 — CI govulncheck fails on every branch since publication. The go directive stays at 1.26.3 so golangci-lint's isolated pre-commit env (GOTOOLCHAIN=local) can still load packages; the toolchain directive upgrades actual builds and CI (setup-go reads go-version-file: go.mod). The new local govulncheck hook surfaces future CVEs at commit time instead of in CI (requires golang.org/x/vuln/cmd/govulncheck). --- .pre-commit-config.yaml | 12 ++++++++++++ go.mod | 2 ++ 2 files changed, 14 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 91d4726..89b91bf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,3 +20,15 @@ repos: rev: v2.11.4 hooks: - id: golangci-lint + + - repo: local + hooks: + # Security: surface known stdlib/dependency CVEs before they land + # in a commit instead of failing later in CI's govulncheck job. + # Requires: go install golang.org/x/vuln/cmd/govulncheck@latest + - id: govulncheck + name: govulncheck + entry: govulncheck ./... + language: system + types: [go] + pass_filenames: false diff --git a/go.mod b/go.mod index 1c91be3..1fae99b 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,8 @@ module github.com/babs/mcp-auth-proxy go 1.26.3 +toolchain go1.26.4 + require ( github.com/alicebob/miniredis/v2 v2.37.0 github.com/coreos/go-oidc/v3 v3.18.0