Skip to content

deps: upgrade all dependencies to latest#269

Merged
jongio merged 2 commits into
mainfrom
deps/upgrade-all
Jul 9, 2026
Merged

deps: upgrade all dependencies to latest#269
jongio merged 2 commits into
mainfrom
deps/upgrade-all

Conversation

@jongio

@jongio jongio commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Upgrades all dependencies to their latest allowed versions across both ecosystems (Go root module and the web/ Astro site).

Go

  • go directive 1.26.4 → 1.26.5 — clears govulncheck GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls stdlib; fixed in go1.26.5)
  • github.com/github/copilot-sdk/go 1.0.5 → 1.0.6
  • golang.org/x/sync 0.21.0 → 0.22.0
  • golang.org/x/sys 0.46.0 → 0.47.0
  • golang.org/x/term 0.44.0 → 0.45.0 (indirect)
  • golang.org/x/text 0.39.0 → 0.40.0 (indirect)
  • modernc.org/libc 1.74.0 → 1.74.1 (indirect)

web (Astro site)

  • astro 7.0.6 → 7.0.7
  • @types/node 26.1.0 → 26.1.1
  • typescript held at ^6.0.3 — the latest @astrojs/check (0.9.9) peer-requires typescript@^5 || ^6; TypeScript 7 breaks astro check (@astrojs/language-server is not TS7-compatible yet), so ^6.0.3 is the latest allowed version.

Verification (local)

  • go build ./...
  • go vet ./...
  • gofmt / gofumpt clean ✓
  • golangci-lint run (v2.12.2) — 0 issues ✓
  • mage deadcode — OK ✓
  • govulncheck ./... — no vulnerabilities ✓
  • cross-compile (darwin/amd64, darwin/arm64, windows/amd64, windows/arm64) ✓
  • astro check (0 errors) + astro build
  • Full go test ./... passed prior to the toolchain bump; the authoritative suite runs on CI.

No rollbacks — application code required no changes for the new versions.

Go:
- go directive 1.26.4 -> 1.26.5 (fixes GO-2026-5856 crypto/tls ECH stdlib vuln)
- github.com/github/copilot-sdk/go 1.0.5 -> 1.0.6
- golang.org/x/sync 0.21.0 -> 0.22.0
- golang.org/x/sys 0.46.0 -> 0.47.0
- golang.org/x/term 0.44.0 -> 0.45.0 (indirect)
- golang.org/x/text 0.39.0 -> 0.40.0 (indirect)
- modernc.org/libc 1.74.0 -> 1.74.1 (indirect)

web (Astro site):
- astro 7.0.6 -> 7.0.7
- @types/node 26.1.0 -> 26.1.1
- typescript kept at ^6.0.3 (astro @astrojs/check peer requires TS ^5||^6; TS7 unsupported)

Verified: go build, go vet, gofmt, gofumpt, golangci-lint (0 issues),
mage deadcode, govulncheck (no vulns), cross-compile (all targets),
astro check + build.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@jongio jongio self-assigned this Jul 8, 2026
@jongio jongio added the deps Dependency updates label Jul 8, 2026
Both ci.yml jobs and release.yml pinned go-version 1.26.x, so setup-go
reused the cached 1.26.4 toolchain. The deps upgrade requires go 1.26.5
in go.mod, which carries the crypto/tls fix for GO-2026-5856. Reading the
version from go.mod keeps CI and release builds aligned with the module
and prevents this drift from recurring.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@jongio jongio merged commit 8f05805 into main Jul 9, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

deps Dependency updates

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant