
chore: bump go and dependencies for v1-dev #2517

Open
fseldow wants to merge 5 commits into notaryproject:v1-dev from fseldow:xinhl/bump-go-deps-v1dev

Conversation


@fseldow fseldow commented May 11, 2026

What this PR does

Bumps Go version and dependencies for the v1-dev branch to align with release-1.4.

Changes:

  • Go version: 1.24 → 1.26 (go.mod, CI workflows, Dockerfile)
  • golangci-lint config: migrated to v2 format
  • Trivy version: 0.58 → 0.70 (Makefile, scan-vulns workflow)
  • Updated actions/cache to v4.3.0
  • Updated codecov ignore paths
  • Updated golang.org/x/* dependencies (crypto, net, sync, sys, term, text)

Why

CI workflows on v1-dev were pinned to older Go and tool versions. This brings them in line with the release-1.4 bump (#2507).

Signed-off-by: Xinhe Li <xinhl@microsoft.com>

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
fseldow added 4 commits May 14, 2026 07:14
Signed-off-by: Xinhe Li <xinhl@microsoft.com>
- go.opentelemetry.io/otel/sdk v1.38.0 → v1.40.0 (GO-2026-4394)
- github.com/theupdateframework/go-tuf/v2 v2.2.0 → v2.4.1 (GO-2026-4377, GO-2026-4349, GO-2026-4348)
- github.com/sigstore/sigstore v1.9.6 → v1.10.4 (GO-2026-4358)
- github.com/sigstore/rekor v1.4.2 → v1.5.0 (GO-2026-4355, GO-2026-4354)
- github.com/sigstore/fulcio v1.7.1 → v1.8.5 (GO-2026-4311, GO-2025-4193)
- github.com/sigstore/cosign/v2 v2.6.1 → v2.6.2 (GO-2026-4309)

Remaining unfixed: GO-2026-4529 (cosign, no fix), GO-2025-4192 (timestamp-authority, no fix)

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
- github.com/docker/cli v29.0.3 → v29.2.0 (CVE-2025-15558)
- go.opentelemetry.io/otel v1.40.0 → v1.43.0 (CVE-2026-29181)
- go.opentelemetry.io/otel/sdk v1.40.0 → v1.43.0 (CVE-2026-39883)
- go 1.26.0 → 1.26.3 (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820,
  CVE-2026-39836, CVE-2026-42499)
- Dockerfile golang:1.26.2 → 1.26.3

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
- github.com/go-jose/go-jose/v4 v4.1.3 → v4.1.4 (CVE-2026-34986)
- github.com/go-jose/go-jose/v3 v3.0.4 → v3.0.5 (CVE-2026-34986)
- google.golang.org/grpc v1.78.0 → v1.79.3 (CVE-2026-33186, CRITICAL)

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
