deps: upgrade all dependencies to latest#269
Merged
Merged
Conversation
Go: - go directive 1.26.4 -> 1.26.5 (fixes GO-2026-5856 crypto/tls ECH stdlib vuln) - github.com/github/copilot-sdk/go 1.0.5 -> 1.0.6 - golang.org/x/sync 0.21.0 -> 0.22.0 - golang.org/x/sys 0.46.0 -> 0.47.0 - golang.org/x/term 0.44.0 -> 0.45.0 (indirect) - golang.org/x/text 0.39.0 -> 0.40.0 (indirect) - modernc.org/libc 1.74.0 -> 1.74.1 (indirect) web (Astro site): - astro 7.0.6 -> 7.0.7 - @types/node 26.1.0 -> 26.1.1 - typescript kept at ^6.0.3 (astro @astrojs/check peer requires TS ^5||^6; TS7 unsupported) Verified: go build, go vet, gofmt, gofumpt, golangci-lint (0 issues), mage deadcode, govulncheck (no vulns), cross-compile (all targets), astro check + build. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Both ci.yml jobs and release.yml pinned go-version 1.26.x, so setup-go reused the cached 1.26.4 toolchain. The deps upgrade requires go 1.26.5 in go.mod, which carries the crypto/tls fix for GO-2026-5856. Reading the version from go.mod keeps CI and release builds aligned with the module and prevents this drift from recurring. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrades all dependencies to their latest allowed versions across both ecosystems (Go root module and the
web/Astro site).Go
godirective 1.26.4 → 1.26.5 — clears govulncheck GO-2026-5856 (Encrypted Client Hello privacy leak incrypto/tlsstdlib; fixed in go1.26.5)github.com/github/copilot-sdk/go1.0.5 → 1.0.6golang.org/x/sync0.21.0 → 0.22.0golang.org/x/sys0.46.0 → 0.47.0golang.org/x/term0.44.0 → 0.45.0 (indirect)golang.org/x/text0.39.0 → 0.40.0 (indirect)modernc.org/libc1.74.0 → 1.74.1 (indirect)web (Astro site)
astro7.0.6 → 7.0.7@types/node26.1.0 → 26.1.1typescriptheld at ^6.0.3 — the latest@astrojs/check(0.9.9) peer-requirestypescript@^5 || ^6; TypeScript 7 breaksastro check(@astrojs/language-serveris not TS7-compatible yet), so ^6.0.3 is the latest allowed version.Verification (local)
go build ./...✓go vet ./...✓gofmt/gofumptclean ✓golangci-lint run(v2.12.2) — 0 issues ✓mage deadcode— OK ✓govulncheck ./...— no vulnerabilities ✓astro check(0 errors) +astro build✓go test ./...passed prior to the toolchain bump; the authoritative suite runs on CI.No rollbacks — application code required no changes for the new versions.