From 330a128f3e2786773528dee2aa32ae5ec552b91f Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 2 Jul 2026 01:45:48 +0000 Subject: [PATCH] fix(ci): resolve new govulncheck advisories Govulncheck began failing on four newly-published advisories in existing dependencies (unrelated to any code change): - GO-2026-5004 (github.com/jackc/pgx/v5): SQL injection via the non-default simple protocol with dollar-quoted literals. Fixed by upgrading pgx/v5 v5.9.0 -> v5.9.2. - GO-2026-5617 / GO-2026-5668 / GO-2026-5746 (github.com/docker/docker): docker cp / archive host-path issues. docker/docker has no patched release (only moby/moby/v2), so these join the existing docker/docker exclusions in the CI allowlist. Dependency upgrade tracked by #151. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01WnKgCRfMvFcZAkoVbr8k79 --- .changeset/govulncheck-advisories.md | 5 +++++ .github/workflows/engine-ci.yml | 6 ++++-- packages/engine/go.mod | 2 +- packages/engine/go.sum | 4 ++-- 4 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 .changeset/govulncheck-advisories.md diff --git a/.changeset/govulncheck-advisories.md b/.changeset/govulncheck-advisories.md new file mode 100644 index 00000000..0de6b65a --- /dev/null +++ b/.changeset/govulncheck-advisories.md @@ -0,0 +1,5 @@ +--- +"@mantle/engine": patch +--- + +Resolve new govulncheck advisories. Upgrade `github.com/jackc/pgx/v5` to v5.9.2, which fixes GO-2026-5004 (SQL injection via the non-default simple protocol with dollar-quoted literals). Add the three unfixable docker/docker `docker cp`/archive advisories (GO-2026-5617, GO-2026-5668, GO-2026-5746) to the CI govulncheck exclusion list, alongside the existing docker exclusions — docker/docker has no patched release (only moby/moby/v2), tracked by #151. diff --git a/.github/workflows/engine-ci.yml b/.github/workflows/engine-ci.yml index a883fcb8..c6e08712 100644 --- a/.github/workflows/engine-ci.yml +++ b/.github/workflows/engine-ci.yml @@ -63,8 +63,10 @@ jobs: run: | # Known unfixable vulnerabilities — excluded from enforcement: # - # Indirect test-only dependency (docker/docker via testcontainers); no upstream fix: + # Indirect test-only dependency (docker/docker via testcontainers); no upstream fix + # (docker/docker and moby/moby have no fixed release; only moby/moby/v2 is patched): # GO-2026-4887, GO-2026-4883 + # GO-2026-5617, GO-2026-5668, GO-2026-5746 (docker cp / archive host-path issues) # # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07). # Reachable in go < 1.25.9 via the listed call chains: @@ -85,7 +87,7 @@ jobs: # Emit each actionable vulnerability ID as a GHA error annotation for visibility. ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) echo "govulncheck IDs found: ${ALL_IDS:-none}" - KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026' + KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-5617|GO-2026-5668|GO-2026-5746|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026' ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE "^($KNOWN)$" || true) for ID in $ACTIONABLE_IDS; do echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency" diff --git a/packages/engine/go.mod b/packages/engine/go.mod index 7b72a26a..a36c58e1 100644 --- a/packages/engine/go.mod +++ b/packages/engine/go.mod @@ -23,7 +23,7 @@ require ( github.com/golang-jwt/jwt/v5 v5.3.1 github.com/google/cel-go v0.27.0 github.com/googleapis/gax-go/v2 v2.15.0 - github.com/jackc/pgx/v5 v5.9.0 + github.com/jackc/pgx/v5 v5.9.2 github.com/microsoft/go-mssqldb v1.10.0 github.com/pressly/goose/v3 v3.27.0 github.com/prometheus/client_golang v1.23.2 diff --git a/packages/engine/go.sum b/packages/engine/go.sum index 95463516..3725682f 100644 --- a/packages/engine/go.sum +++ b/packages/engine/go.sum @@ -253,8 +253,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.9.0 h1:T/dI+2TvmI2H8s/KH1/lXIbz1CUFk3gn5oTjr0/mBsE= -github.com/jackc/pgx/v5 v5.9.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4= +github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw= +github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4= github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=