From f56de59326e0432bb980b78771b321c544ac6207 Mon Sep 17 00:00:00 2001 From: Wenting Wu Date: Mon, 9 Mar 2026 14:13:33 -0400 Subject: [PATCH 1/3] fix: bump Go toolchain from 1.25.7 to 1.25.8 to fix govulncheck vulnerabilities Update Go version in both operator/src/go.mod and documentdb-kubectl-plugin/go.mod to resolve 5 stdlib vulnerabilities detected by govulncheck (GO-2026-4599 through GO-2026-4603): - GO-2026-4603: html/template - GO-2026-4602: os - GO-2026-4601: net/url (incorrect parsing of IPv6 host literals) - GO-2026-4600: crypto/x509 (malformed certificates) - GO-2026-4599: crypto/x509 (incorrect enforcement of email constraints) All fixed in go1.25.8. Signed-off-by: Wenting Wu Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 documentdb-kubectl-plugin/go.mod | 2 +-
 operator/src/go.mod | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/documentdb-kubectl-plugin/go.mod b/documentdb-kubectl-plugin/go.mod
index 5a5574f9..2cad5c92 100644
--- a/documentdb-kubectl-plugin/go.mod
+++ b/documentdb-kubectl-plugin/go.mod
@@ -1,6 +1,6 @@
 module github.com/documentdb/documentdb-operator/documentdb-kubectl-plugin
-go 1.25.7
+go 1.25.8
 require (
 github.com/spf13/cobra v1.9.1
diff --git a/operator/src/go.mod b/operator/src/go.mod
index f001b0f1..56eb39bc 100644
--- a/operator/src/go.mod
+++ b/operator/src/go.mod
@@ -1,6 +1,6 @@
 module github.com/documentdb/documentdb-operator
-go 1.25.7
+go 1.25.8
 godebug default=go1.23
From 29aac7d2d0b530c2cb7f7fea585a803091f34ebf Mon Sep 17 00:00:00 2001 From: Wenting Wu Date: Mon, 9 Mar 2026 14:18:58 -0400 Subject: [PATCH 2/3] fix: update GO_VERSION in CI workflows to match go.mod 1.25.8 The test-unit and test-unit-coverage workflows hardcode GO_VERSION to 1.25.7, causing a version mismatch error when go.mod specifies 1.25.8: compile: version "go1.25.8" does not match go tool version "go1.25.7" Update both workflows to use GO_VERSION: '1.25.8'.
Signed-off-by: Wenting Wu Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/test-unit-coverage.yml | 2 +-
 .github/workflows/test-unit.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test-unit-coverage.yml b/.github/workflows/test-unit-coverage.yml
index ceb41389..66190ccf 100644
--- a/.github/workflows/test-unit-coverage.yml
+++ b/.github/workflows/test-unit-coverage.yml
@@ -14,7 +14,7 @@ permissions:
 pull-requests: write
 env:
- GO_VERSION: '1.25.7'
+ GO_VERSION: '1.25.8'
 jobs:
 coverage:
diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
index aefea03c..4423b80b 100644
--- a/.github/workflows/test-unit.yml
+++ b/.github/workflows/test-unit.yml
@@ -18,7 +18,7 @@ permissions:
 contents: read
 env:
- GO_VERSION: '1.25.7'
+ GO_VERSION: '1.25.8'
 jobs:
 unit-test:
From af7b2c56a47fbd09bab686d4cf517813c23bb676 Mon Sep 17 00:00:00 2001 From: Wenting Wu Date: Mon, 9 Mar 2026 14:21:16 -0400 Subject: [PATCH 3/3] fix: bump Go version in sidecar-injector go.mod to 1.25.8 Also bump operator/cnpg-plugins/sidecar-injector/go.mod from 1.25.7 to 1.25.8 to ensure all Go modules in the repo are patched against the stdlib vulnerabilities. Signed-off-by: Wenting Wu Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 operator/cnpg-plugins/sidecar-injector/go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operator/cnpg-plugins/sidecar-injector/go.mod b/operator/cnpg-plugins/sidecar-injector/go.mod
index ef73ec20..9c2e1bd3 100644
--- a/operator/cnpg-plugins/sidecar-injector/go.mod
+++ b/operator/cnpg-plugins/sidecar-injector/go.mod
@@ -1,6 +1,6 @@
 module github.com/documentdb/cnpg-i-sidecar-injector
-go 1.25.7
+go 1.25.8
 require (
 github.com/cloudnative-pg/api v1.25.1