fix: bump Go toolchain from 1.25.7 to 1.25.8 to fix govulncheck vulnerabilities#296
Open
WentingWu666666 wants to merge 3 commits into documentdb:main from
Conversation
…rabilities

Update Go version in both operator/src/go.mod and documentdb-kubectl-plugin/go.mod to resolve 5 stdlib vulnerabilities detected by govulncheck (GO-2026-4599 through GO-2026-4603):
- GO-2026-4603: html/template
- GO-2026-4602: os
- GO-2026-4601: net/url (incorrect parsing of IPv6 host literals)
- GO-2026-4600: crypto/x509 (malformed certificates)
- GO-2026-4599: crypto/x509 (incorrect enforcement of email constraints)

All fixed in go1.25.8.

Signed-off-by: Wenting Wu <wentingwu@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Collaborator
Author
govulncheck passed on this branch, confirming that bumping Go to 1.25.8 fixes all 5 stdlib vulnerabilities (GO-2026-4599 through GO-2026-4603). Verification run: https://github.com/WentingWu666666/documentdb-kubernetes-operator/actions/runs/22868104837
xgerman
approved these changes
Mar 9, 2026
The test-unit and test-unit-coverage workflows hardcode GO_VERSION to 1.25.7, causing a version mismatch error when go.mod specifies 1.25.8:

    compile: version "go1.25.8" does not match go tool version "go1.25.7"

Update both workflows to use GO_VERSION: '1.25.8'.

Signed-off-by: Wenting Wu <wentingwu@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
This PR updates the Go toolchain patch version in the repo’s two primary Go modules to remediate stdlib vulnerabilities reported by govulncheck.
Changes:
- Bump operator/src module Go version from 1.25.7 → 1.25.8.
- Bump documentdb-kubectl-plugin module Go version from 1.25.7 → 1.25.8.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| operator/src/go.mod | Updates module go directive to 1.25.8 for stdlib vuln remediation. |
| documentdb-kubectl-plugin/go.mod | Updates module go directive to 1.25.8 for stdlib vuln remediation. |
Also bump operator/cnpg-plugins/sidecar-injector/go.mod from 1.25.7 to 1.25.8 to ensure all Go modules in the repo are patched against the stdlib vulnerabilities.

Signed-off-by: Wenting Wu <wentingwu@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
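A repository-wide check that every go.mod `go` directive and every CI GO_VERSION pin name the same toolchain, covering both the workflow mismatch described in the earlier commit and the "all modules patched" point of this one. This is an added example, not code from the PR or the documentdb project; it assumes workflows pin the toolchain as `GO_VERSION: '1.25.x'` (the form the commit message quotes) and uses a constructed sample tree under mktemp in place of the real repository.

```shell
#!/bin/sh
# Added example, not code from this PR: check that every go.mod `go` directive
# and every CI GO_VERSION pin agree, so a bump like 1.25.7 -> 1.25.8 in go.mod
# cannot drift from the workflow toolchain (the mismatch the commit above hit).
# Assumption: workflows pin the toolchain as GO_VERSION: '1.25.8' (the form the
# commit message quotes); go.mod files are found under the root passed as $1.

# Print "path<TAB>version" for the go directive of every go.mod under $1.
go_mod_versions() {
  find "$1" -name go.mod -not -path '*/vendor/*' | sort | while read -r f; do
    printf '%s\t%s\n' "$f" "$(awk '$1 == "go" { print $2; exit }' "$f")"
  done
}

# Print "path<TAB>version" for every GO_VERSION pin in .github/workflows.
workflow_pins() {
  grep -rHoE "GO_VERSION:[[:space:]]*['\"]?[0-9.]+" "$1/.github/workflows" 2>/dev/null |
    awk -F: '{ v = $NF; gsub(/[^0-9.]/, "", v); printf "%s\t%s\n", $1, v }'
}

# Succeed only if all go.mod directives and workflow pins name one version.
check_go_version_consistency() {
  versions=$({ go_mod_versions "$1"; workflow_pins "$1"; } | cut -f2 | sort -u)
  if [ "$(printf '%s\n' "$versions" | grep -c .)" -ne 1 ]; then
    echo "Go version mismatch (path, version):"
    { go_mod_versions "$1"; workflow_pins "$1"; }
    return 1
  fi
  echo "all Go version pins agree: $versions"
}

# Constructed sample repo mirroring the PR's module layout (not the real files).
# $1 = version written to each go.mod, $2 = GO_VERSION pinned in the workflow.
make_sample_repo() {
  root=$(mktemp -d)
  for m in operator/src documentdb-kubectl-plugin operator/cnpg-plugins/sidecar-injector; do
    mkdir -p "$root/$m"
    printf 'module example/%s\n\ngo %s\n' "$m" "$1" > "$root/$m/go.mod"
  done
  mkdir -p "$root/.github/workflows"
  printf "env:\n  GO_VERSION: '%s'\n" "$2" > "$root/.github/workflows/test-unit.yml"
  echo "$root"
}

# go.mod at 1.25.8 but CI still pinned to 1.25.7: the state the commit fixed.
check_go_version_consistency "$(make_sample_repo 1.25.8 1.25.7)" || true
# Both bumped to 1.25.8: passes.
check_go_version_consistency "$(make_sample_repo 1.25.8 1.25.8)"
```

Running it against a real checkout is `check_go_version_consistency /path/to/repo`; a non-zero exit with the listed paths is the signal to bump the lagging pin.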
WentingWu666666
commented
Mar 9, 2026
Collaborator
Author
Addressed both review comments: CI workflow pins bumped to 1.25.8 and sidecar-injector go.mod also updated.
xgerman
approved these changes
Mar 9, 2026
Summary
Bump Go version from 1.25.7 to 1.25.8 in both `operator/src/go.mod` and `documentdb-kubectl-plugin/go.mod` to resolve 5 stdlib vulnerabilities detected by govulncheck.
Vulnerabilities Fixed
All vulnerabilities are fixed in Go 1.25.8.
Details
Signed-off-by: Wenting Wu <wentingwu@microsoft.com>