all: upgrade immediately to at least Go1.22.7 due to 3 high severity vulnerabilities: CVE-2024-34158, CVE-2024-34155 and CVE-2024-24791

[odeke-em]

This code constraints itself to Go1.22.4 but there are some 3 critical vulnerabilities that were fixed in Go1.22.7

1. "Stack exhaustion in Parse in go/build/constraint" https://pkg.go.dev/vuln/GO-2024-3107 at gnovm/pkg/gnolang/go2gno.go:77
2. "Stack exhaustion in all Parse functions in go/parser" https://pkg.go.dev/vuln/GO-2024-3105 at gnovm/pkg/gnolang/go2gno.go:77 gnovm/pkg/gnolang/nodes.go:1137
3. "Denial of service due to improper 100-continue handling in net/http" https://pkg.go.dev/vuln/GO-2024-2963 at tm2/pkg/p2p/upnp/upnp.go:275 tm2/pkg/p2p/upnp/upnp.go:201

Please upgrade ASAP. Kindly cc-ing @jaekwon

[kristovatlas]

Thanks for the report, @odeke-em. We're looking into it.

[kristovatlas]

@jaekwon wants to make sure that there haven't been any language updates between 1.22.4 and 1.22.7 that could break things before we bump the constraint.

[odeke-em]

@kristovatlas @jaekwon Go doesn't make radical language changes between same major version but point releases. The release notes for Go1.22.X are all posted here https://go.dev/doc/devel/release#go1.22.0 and they are security fixes