Release Flowpipe v1.2.2 #1072
Merged
Resolved conflicts in ui/form/package.json and ui/form/yarn.lock, keeping the security updates from v1.2.x including:
- tar 7.5.7
- @remix-run/router 1.23.2
- lodash 4.17.23
- lodash-es 4.17.23

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Merge branch 'v1.2.x' into develop
Bumps [axios](https://github.com/axios/axios) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.1...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.0 to 5.17.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.0...v5.17.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.66.0 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.66.0...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump pgx to v5.9.2 + Go to 1.26.1 (CVE-2026-41889)

Force github.com/jackc/pgx/v5 from v5.6.0 to v5.9.2 to pick up the CVE-2026-41889 security fix. pgx is an indirect dependency (no flowpipe code calls it directly); v5.9.2 also requires Go >= 1.25, so the Go toolchain is bumped to 1.26.1 to match.

Changes:
- go.mod: go directive 1.24.0 -> 1.26.1
- go.mod/go.sum: github.com/jackc/pgx/v5 v5.6.0 -> v5.9.2 (// indirect), plus jackc/pgservicefile and jackc/puddle/v2 carried up by go mod tidy
- .github/workflows/10-test-lint-test.yaml: go-version 1.24 -> 1.26.1
- .github/workflows/11-test-integration.yaml: go-version 1.24 -> 1.26.1
- .github/workflows/01-flowpipe-release.yaml: go-version 1.24 -> 1.26.1

Verified on Go 1.26.1: go build ./... clean; go vet clean; golangci-lint (v1.64.8 built with go1.26.1) 0 issues; make test1 (7 pkg pass) + test2 (8 pkg pass); integration estest suite pass (170s). The single test1 failure is internal/primitive TestSendEmail, which requires a MailHog SMTP server unavailable in the build environment - not a code regression.

Refs #1063

* Fix golangci-lint for the Go 1.26.1 bump: migrate to golangci-lint v2

The Go 1.26.1 bump broke the "Lint and Test" job. golangci-lint-action v3.7.0 with version: latest resolves golangci-lint v1.64.8, the last v1.x release, which is built with go1.24. v1.64.8 hard-refuses (exit 3, at config load, before linting any code) a module that targets go 1.26.1:

    can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.26.1)

golangci-lint v1.x is end-of-life; no v1 binary will ever be go1.26 built. The fix is to move to golangci-lint v2 (built with a newer Go), matching the validated migration in the sibling repos for the same cross-repo pgx/Go remediation.

Changes:
- .github/workflows/10-test-lint-test.yaml: golangci-lint-action v3.7.0 -> v9.2.0 (v9 is required for golangci-lint v2); version latest -> v2.11.4 (pinned, go1.26-capable).
- .golangci.yaml: migrated v1 -> v2 schema with the official golangci-lint v2 migrate tool. Behaviour-preserving settings keep the exact pre-bump lint baseline (0 issues), rather than newly enforcing rules the codebase was never linted against during a CVE-only bump:
  - staticcheck.checks excludes ST*/QF*/S1009 - v2 staticcheck absorbed stylecheck (ST*) and quickfix (QF*), neither enforced under v1.64.8.
  - gosec.excludes G101/G118/G202/G703/G705 - gosec findings the v2 ruleset reports on pre-existing code that v1.64.8 did not.
  - exclusions.rules nolintlint///nolint:gosec - keeps pre-existing //nolint:gosec source directives from being flagged unused once those gosec rules are excluded.

Verified with golangci-lint v2.11.4 built with GOTOOLCHAIN=go1.26.1: 0 issues and config verify clean on both the PR head and the untouched v1.2.x base (the 41 v2 findings are identical on both -> all pre-existing, zero introduced by the bump diff). The same v9.2.0 + v2.11.4 + v2-config pattern has green Test Linting CI on the sibling powerpipe #1061 and tailpipe #608/#609 PRs.

The "Integration Test" job failures on this PR are pre-existing timing flakiness on a loaded CI runner (the full estest longRunning suite passes 202/202 locally on both this PR head and the untouched v1.2.x base; the same base commit passed Integration Test in CI on 2026-04-15) - not a code defect and not addressed here; a CI re-run should clear it.

Refs #1063

* Revert golangci-lint version pin to latest

Keep the migrated .golangci.yaml v2 config (all gosec/staticcheck excludes) for true parity with the pre-bump v1 lint baseline; both produce 0 findings. CI 'latest' resolves the newest golangci-lint v2, which is required for the Go 1.26.1 bump.

* Disable noisy govet inline analyzer (golangci-lint v2.12.2 false positives)
- Update Go to 1.26.1 and bump github.com/jackc/pgx/v5 to v5.9.2 to remediate CVE-2026-41889 (GHSA-j88v-2chj-qfwx) - merged via #1064.
- Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 with sibling otel/otel/metric/otel/trace modules in lockstep to remediate vulnerabilities (in build graph via docker testutil).
- CHANGELOG entry for v1.2.2 covering all applied bumps.
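A check that the Go module floors recorded in these bumps actually hold in a go.mod, added here as an example and not Flowpipe's own tooling; it is written in Python so it can run as a plain CI step. The floors come from the bumps above (pgx, grpc, go-git, circl); the go.mod excerpt is constructed, and treating a pre-release such as v5.9.2-rc1 as below the v5.9.2 floor is this example's own choice.

```python
import re

# Version floors recorded by this PR (pgx via #1064, the rest via the dependabot bumps).
MIN_VERSIONS = {
    "github.com/jackc/pgx/v5": "v5.9.2", "google.golang.org/grpc": "v1.79.3",
    "github.com/go-git/go-git/v5": "v5.17.1", "github.com/cloudflare/circl": "v1.6.3",
}
# Constructed go.mod excerpt: go-git is still on its pre-bump version, the others are current.
SAMPLE_GO_MOD = """require (
\tgithub.com/cloudflare/circl v1.6.3 // indirect
\tgithub.com/go-git/go-git/v5 v5.13.0 // indirect
\tgithub.com/jackc/pgx/v5 v5.9.2 // indirect
)
require google.golang.org/grpc v1.79.3 // indirect"""
# Go module versions are semver: vMAJOR.MINOR.PATCH, optional "-pre" (pseudo-versions too), "+meta".
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

def parse_version(v):
    """Sortable tuple or None. The last element ranks a pre-release below its release, so
    v5.9.2-rc1 does not satisfy a v5.9.2 floor; build metadata never affects ordering."""
    m = _VERSION.match(v)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)

def at_least(have, want):
    """True when `have` satisfies the floor `want`; unparsable input fails closed."""
    h, w = parse_version(have), parse_version(want)
    return h is not None and w is not None and h >= w

def required_modules(gomod):
    """Module path -> version from go.mod text (require block and one-line requires). The
    "// indirect" marker is stripped: the pgx fix matters although flowpipe never calls pgx."""
    mods, in_block = {}, False
    for line in gomod.splitlines():
        fields = line.split("//", 1)[0].split()
        if fields == ["require", "("]:
            in_block = True
        elif fields == [")"]:
            in_block = False
        elif len(fields) == 3 and fields[0] == "require":
            mods[fields[1]] = fields[2]
        elif in_block and len(fields) == 2:
            mods[fields[0]] = fields[1]
    return mods

def below_floor(gomod):
    """{module: version found} for each floored module that is absent ("") or below its floor."""
    mods = required_modules(gomod)
    return {n: mods.get(n, "") for n, f in MIN_VERSIONS.items() if not at_least(mods.get(n, ""), f)}
```

Running `below_floor` over a real go.mod and failing the job on a non-empty result turns the version list above into a regression guard for future merges from v1.2.x.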
SumitPopat approved these changes Jun 1, 2026
Merge release branch `v1.2.x` into `main`. Brings the released security fixes (incl. pgx v5.9.2 for the pgx CVE) onto `main`.