Skip to content

chore: bump go directive and fix trivy CVEs in go.mod#51

Merged
keegancsmith merged 2 commits into
mainfrom
egg-change/go-version-trivy-fixes
May 1, 2026
Merged

chore: bump go directive and fix trivy CVEs in go.mod#51
keegancsmith merged 2 commits into
mainfrom
egg-change/go-version-trivy-fixes

Conversation

@keegancsmith

Copy link
Copy Markdown
Member

This PR was generated by Sourcegraph Batch Changes.

Changes

  • Bumps the go directive:
    • To go 1.25.9 for modules currently below 1.26
    • To go 1.26.2 for modules already on 1.26.x
  • Removes any toolchain directive (toolchain selection is handled automatically)
  • Runs go mod tidy to keep go.sum consistent with the new directive
  • Fixes all CVEs reported by trivy fs go.mod by upgrading specific transitive
    dependencies to their minimum safe versions

Why

Ensures a consistent, secure Go toolchain version across all first-party
github.com/sourcegraph/* modules that are depended on by sourcegraph/sourcegraph.

Hatched by a Sourcegraph egg.

The batch-generated change wrote a patch release into the go directive, which the Go toolchain rejects before the build even starts. Normalizing the module directive back to a supported minor version while teaching CI to use the intended 1.25.9 toolchain preserves the version bump without leaving the workflow pinned to Go 1.18.

Test Plan: env GOTOOLCHAIN=go1.25.9 go build -v ./...
Test Plan: env GOTOOLCHAIN=go1.25.9 go test -v -race -coverprofile=coverage.out -covermode=atomic ./...

Amp-Thread-ID: https://ampcode.com/threads/T-019dd891-5404-72eb-b551-9428404e4990
Co-authored-by: Amp <amp@ampcode.com>
@keegancsmith keegancsmith merged commit f77ed82 into main May 1, 2026
1 check passed
@keegancsmith keegancsmith deleted the egg-change/go-version-trivy-fixes branch May 1, 2026 04:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants