chore: bump golang image to 1.26.3 #2519

Merged
susanshi merged 7 commits into notaryproject:release-1.4 from fseldow:xinhl/bump-go-1.26.3
May 21, 2026

@fseldow fseldow commented May 12, 2026

What this PR does

Bumps the golang Docker image from 1.26.2 to 1.26.3 in the Dockerfile.

Changes:

  • httpserver/Dockerfile: golang:1.26.2 → golang:1.26.3 (with updated digest)

Signed-off-by: Xinhe Li xinhl@microsoft.com

Signed-off-by: Xinhe Li <xinhl@microsoft.com>

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.53%. Comparing base (fc99108) to head (8047164).

Additional details and impacted files
@@             Coverage Diff              @@
##           release-1.4    #2519   +/-   ##
============================================
  Coverage        74.53%   74.53%           
============================================
  Files              138      138           
  Lines             6901     6901           
============================================
  Hits              5144     5144           
  Misses            1387     1387           
  Partials           370      370           

The CRD image bundles kubectl, which at 1.30.6 was compiled with
Go 1.25.9 and triggers 5 HIGH CVEs (CVE-2026-33811 etc.).
kubectl 1.30.14 is compiled with Go 1.26.3 which resolves them.

Signed-off-by: Xinhe Li <xinhl@microsoft.com>

- go-ntlmssp: v0.0.0-20221128193559 -> v0.1.1 (CVE-2026-32952)
- timestamp-authority: v2.0.3 -> v2.0.6 (CVE-2026-39984)

Signed-off-by: Xinhe Li <xinhl@microsoft.com>

kubectl 1.36.1 is compiled with Go 1.26, which resolves Go stdlib
CVEs (e.g. CVE-2026-33811) flagged by Trivy in the crd image.

Signed-off-by: Xinhe Li <xinhl@microsoft.com>

kubectl 1.36.1 is compiled with Go 1.26.2; these CVEs are fixed
in Go 1.26.3. Will remove once k8s releases a patch with Go 1.26.3+.

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
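
The commit messages above turn on which Go toolchain a bundled binary such as kubectl was compiled with, since that decides whether a scanner reports Go stdlib CVEs against it. One way to check this for any Go binary, as an added example (not code from this PR or from the notaryproject repository); the names `builtWithAtLeast` and `checkBinary` are hypothetical:

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"strings"
)

// builtWithAtLeast reports whether the toolchain string recorded in a Go
// binary (e.g. "go1.26.2") is at or above minVer (e.g. "go1.26.3").
func builtWithAtLeast(toolchain, minVer string) (bool, error) {
	// The recorded value can carry a suffix after a space; compare the first field only.
	fields := strings.Fields(toolchain)
	if len(fields) == 0 || !version.IsValid(fields[0]) {
		return false, fmt.Errorf("unrecognised toolchain version %q", toolchain)
	}
	if !version.IsValid(minVer) {
		return false, fmt.Errorf("invalid minimum version %q", minVer)
	}
	return version.Compare(fields[0], minVer) >= 0, nil
}

// checkBinary reads the build info embedded in the binary at path and
// compares its Go toolchain version with minVer.
func checkBinary(path, minVer string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := builtWithAtLeast(info.GoVersion, minVer)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gover <binary> <minimum, e.g. go1.26.3>")
		os.Exit(2)
	}
	got, ok, err := checkBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, minimum %s, ok=%v\n", os.Args[1], got, os.Args[2], ok)
	if !ok {
		os.Exit(1) // non-zero exit lets a CI step fail the image build
	}
}
```

Run against a binary copied out of the image, it exits 1 when the embedded toolchain is older than the given minimum, which is also the condition to re-check before dropping a scanner suppression.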