diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c5170192..8250d0b5 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -132,6 +132,8 @@ jobs: - name: Run golangci-lint uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + with: + version: v2.11.4 pre-commit: name: Pre-commit diff --git a/nix/overlay.nix b/nix/overlay.nix index 1c29e439..62325b74 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -8,23 +8,24 @@ _final: prev: let - # Scoped Go 1.26.2 override for micasa and its dev tools only. + # Scoped Go 1.26.3 override for micasa and its dev tools only. # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the # entire transitive closure from source (VHS → Chromium → PipeWire → # ffmpeg/gstreamer) because every Go derivation's input hash changes. # - # 1.26.2 fixes five stdlib vulnerabilities flagged by govulncheck: - # GO-2026-4865 (html/template JsBraceDepth XSS) - # GO-2026-4866 (crypto/x509 excludedSubtrees auth bypass) - # GO-2026-4870 (crypto/tls KeyUpdate DoS) - # GO-2026-4946 (crypto/x509 inefficient policy validation) - # GO-2026-4947 (crypto/x509 unexpected work during chain building) - # Drop this override once nixpkgs picks up Go 1.26.2. + # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck: + # GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop) + # GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows) + # GO-2026-4977 (net/mail consumePhrase DoS) + # GO-2026-4980 (html/template empty
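Review bot: The new `version: v2.11.4` input on the "Run golangci-lint" step has no comment saying why this release is pinned or what must be bumped with it, unlike the action SHA on the line above, which is annotated `# v9.2.0`. A plain string input like this is usually not picked up by dependency-update bots without extra configuration, so the linter can go stale while the action and the Go toolchain keep moving. If the pin is there because the linter binary has to be built with a Go release at least as new as the one the project targets (inferred from the Go 1.26.3 bump in the same commit, not shown in this hunk), record that inline: `version: v2.11.4 # keep in step with the Go toolchain in nix/overlay.nix`. It is also worth confirming that the local dev tooling runs the same golangci-lint release, so CI and local results agree.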