Skip to content

Commit 330a128

Browse files
committed
fix(ci): resolve new govulncheck advisories
Govulncheck began failing on four newly-published advisories in existing dependencies (unrelated to any code change): - GO-2026-5004 (github.com/jackc/pgx/v5): SQL injection via the non-default simple protocol with dollar-quoted literals. Fixed by upgrading pgx/v5 v5.9.0 -> v5.9.2. - GO-2026-5617 / GO-2026-5668 / GO-2026-5746 (github.com/docker/docker): docker cp / archive host-path issues. docker/docker has no patched release (only moby/moby/v2), so these join the existing docker/docker exclusions in the CI allowlist. Dependency upgrade tracked by #151. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01WnKgCRfMvFcZAkoVbr8k79
1 parent c8e74a0 commit 330a128

4 files changed

Lines changed: 12 additions & 5 deletions

File tree

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"@mantle/engine": patch
3+
---
4+
5+
Resolve new govulncheck advisories. Upgrade `github.com/jackc/pgx/v5` to v5.9.2, which fixes GO-2026-5004 (SQL injection via the non-default simple protocol with dollar-quoted literals). Add the three unfixable docker/docker `docker cp`/archive advisories (GO-2026-5617, GO-2026-5668, GO-2026-5746) to the CI govulncheck exclusion list, alongside the existing docker exclusions — docker/docker has no patched release (only moby/moby/v2), tracked by #151.

.github/workflows/engine-ci.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -63,8 +63,10 @@ jobs:
6363
run: |
6464
# Known unfixable vulnerabilities — excluded from enforcement:
6565
#
66-
# Indirect test-only dependency (docker/docker via testcontainers); no upstream fix:
66+
# Indirect test-only dependency (docker/docker via testcontainers); no upstream fix
67+
# (docker/docker and moby/moby have no fixed release; only moby/moby/v2 is patched):
6768
# GO-2026-4887, GO-2026-4883
69+
# GO-2026-5617, GO-2026-5668, GO-2026-5746 (docker cp / archive host-path issues)
6870
#
6971
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
7072
# Reachable in go < 1.25.9 via the listed call chains:
@@ -85,7 +87,7 @@ jobs:
8587
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
8688
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
8789
echo "govulncheck IDs found: ${ALL_IDS:-none}"
88-
KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026'
90+
KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-5617|GO-2026-5668|GO-2026-5746|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026'
8991
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE "^($KNOWN)$" || true)
9092
for ID in $ACTIONABLE_IDS; do
9193
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"

packages/engine/go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ require (
2323
github.com/golang-jwt/jwt/v5 v5.3.1
2424
github.com/google/cel-go v0.27.0
2525
github.com/googleapis/gax-go/v2 v2.15.0
26-
github.com/jackc/pgx/v5 v5.9.0
26+
github.com/jackc/pgx/v5 v5.9.2
2727
github.com/microsoft/go-mssqldb v1.10.0
2828
github.com/pressly/goose/v3 v3.27.0
2929
github.com/prometheus/client_golang v1.23.2

packages/engine/go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -253,8 +253,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
253253
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
254254
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
255255
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
256-
github.com/jackc/pgx/v5 v5.9.0 h1:T/dI+2TvmI2H8s/KH1/lXIbz1CUFk3gn5oTjr0/mBsE=
257-
github.com/jackc/pgx/v5 v5.9.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
256+
github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
257+
github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
258258
github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
259259
github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
260260
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=

0 commit comments

Comments
 (0)