Skip to content

chore(deps): update golang#31

Open
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang
Open

chore(deps): update golang#31
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang

Conversation

@scality-renovate

@scality-renovate scality-renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
go (source) golang patch 1.26.41.26.5
golang stage digest 792443bd52df9c
mcr.microsoft.com/devcontainers/go final digest 232b16d638cb8e

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

Dependency Bump Evaluation

Version change: Go 1.26.41.26.5 (patch) + Docker image digest updates

Changes:

  • Security fix (CVE-2026-39822): os.Root escape via symlink plus trailing slash
  • Security fix: crypto/tls — omit PSK in ECH outer client hello
  • Bug fix: os/signalsignal.NotifyContext error cause does not match context.Canceled
  • Bug fixes: runtime (SIGILL in GC AVX-512 scan, SIGSEGV in fork+race on darwin/arm64, concurrent map access on ppc64le, version parsing, moveSliceNoCap)
  • Bug fixes: cmd/go (FIPS mode, test caching with T.Chdir), net (test-only)

Breaking changes: None

Security concerns: This update is itself a critical security fix for this project.

Impact on codebase:

  • os.Root (CVE-2026-39822) — HIGH: os.Root is the core sandboxing mechanism. Every filesystem adapter (content reader/writer/hasher, metadata reader/writer, entry remover, event sources) is scoped through *os.Root. The design explicitly relies on os.Root to confine symlink resolution to the source tree (DESIGN.md). This CVE directly undermines that security boundary.
  • os/signal — LOW: signal.NotifyContext is used in cmd/main.go:49 for graceful shutdown. The error-cause fix is minor but improves correctness of context cancellation checks.
  • crypto/tls — NONE: Not used by this project.
  • Runtime fixes — LOW: Generic runtime stability improvements that benefit any Go binary.

Recommendation: SAFE TO MERGE

Notes: This is a security-critical update. CVE-2026-39822 allows escaping the os.Root sandbox via a symlink with a trailing slash — the exact scenario this project guards against in its symlink-following logic. Merge promptly once CI is green.

— Claude Code

@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to 32c0e6e chore(deps): update golang:1.26 docker digest to f96cc55 Jun 30, 2026
@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to f96cc55 chore(deps): update golang Jul 2, 2026
@scality-renovate scality-renovate Bot force-pushed the renovate/golang branch 3 times, most recently from c376268 to d16037b Compare July 14, 2026 04:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant