Skip to content

fix(deps): remediate Go 1.26.5 toolchain for plural CLI#775

Open
plural-copilot[bot] wants to merge 1 commit into
mainfrom
agent/remediate-go1265-oras-1751987597000
Open

fix(deps): remediate Go 1.26.5 toolchain for plural CLI#775
plural-copilot[bot] wants to merge 1 commit into
mainfrom
agent/remediate-go1265-oras-1751987597000

Conversation

@plural-copilot

@plural-copilot plural-copilot Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR remediates owned, fixable vulnerabilities affecting the plural CLI binary and supports downstream remediation for the mgmt/console service.

Plural Service: mgmt/console

Vulnerabilities remediated

Go stdlib via toolchain bump to Go 1.26.5

  • GO-2026-5856 / CVE-2026-42505 in crypto/tls (was via Go 1.26.4; fixed by building with Go 1.26.5)
  • GO-2026-4970 / CVE-2026-39822 in os (was via Go 1.26.4; fixed by building with Go 1.26.5)

ORAS dependency

The checked-out source already resolves oras.land/oras-go/v2 at v2.6.1 in go.mod / go.sum, so no additional ORAS dependency change was required in this PR.

Changes

  • bumped go.mod from Go 1.26.4 to 1.26.5
  • updated containerized build/test helper images from Go 1.26.4 to 1.26.5 in:
    • Dockerfile
    • test.Dockerfile
    • hack/lib.sh
    • hack/gen-client-mocks.sh

Validation

  • confirmed oras.land/oras-go/v2 resolves to v2.6.1 in go.mod / go.sum
  • verified Dockerized Go 1.26.5 image availability
  • successfully built the repository test container from test.Dockerfile after the Go image bump
  • attempted direct Dockerized go build / go test with golang:1.26.5; those commands were inconclusive in this environment due to image PATH/entrypoint quirks and long-running module download/build behavior, so the successful container build is the captured validation artifact

Notes

This PR intentionally does not attempt to address unrelated non-fixable findings such as openpgp issues without a fixed version.

@plural-copilot plural-copilot Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt Create a remediation PR in pluralsh/plural-cli for owned, fixable vulnerabilities affecting the plural CLI binary used by the mgmt/console service....
🔗 Run history View run history

@greptile-apps

greptile-apps Bot commented Jul 8, 2026

Copy link
Copy Markdown

Greptile Summary

This PR bumps the Go toolchain from 1.26.4 to 1.26.5 across all relevant build artifacts to remediate two stdlib CVEs (crypto/tls and os) that are fixed by the newer toolchain version.

  • go.mod: go directive updated to 1.26.5; no toolchain directive is present, so the change is minimal and correct.
  • Dockerfile / test.Dockerfile: Both builder and final stages updated to the matching golang:1.26.5 base images, keeping the containerized build consistent with the module requirement.
  • hack/lib.sh / hack/gen-client-mocks.sh: Default and explicit CONTAINERIZE_IMAGE references updated to golang:1.26.5, ensuring dev/CI helper scripts use the same toolchain.

Confidence Score: 5/5

All five changed files consistently target the same version bump with no logic changes; safe to merge.

Every file that referenced the Go 1.26.4 toolchain has been updated to 1.26.5 in lockstep — the module directive, both Dockerfiles, and both helper scripts. No dependency graph changes, no logic changes, and no inconsistencies between files were found.

No files require special attention.

Important Files Changed

Filename Overview
go.mod Go directive bumped from 1.26.4 to 1.26.5; no toolchain directive present; change is minimal and correct
Dockerfile Both builder and final stages updated from golang:1.26.4-alpine3.22 to golang:1.26.5-alpine3.22; consistent and complete
test.Dockerfile Base image updated from golang:1.26.4-bookworm to golang:1.26.5-bookworm; straightforward
hack/lib.sh Default CONTAINERIZE_IMAGE fallback updated from golang:1.26.4 to golang:1.26.5
hack/gen-client-mocks.sh Explicit CONTAINERIZE_IMAGE updated from golang:1.26.4 to golang:1.26.5

Reviews (1): Last reviewed commit: "fix(deps): bump Go toolchain to 1.26.5" | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants