Skip to content

Update Go to 1.24 and upgrade all dependencies#282

Merged
prudhvigodithi merged 4 commits intoopensearch-project:mainfrom
danielrubin1989:update-go-dependencies
Feb 10, 2026
Merged

Update Go to 1.24 and upgrade all dependencies#282
prudhvigodithi merged 4 commits intoopensearch-project:mainfrom
danielrubin1989:update-go-dependencies

Conversation

@danielrubin1989
Copy link
Contributor

@danielrubin1989 danielrubin1989 commented Feb 9, 2026

Description

This PR updates the Go version from 1.22.12 to 1.24 and upgrades all Go dependencies to their latest compatible versions.

Security Fixes

  • golang.org/x/crypto v0.32.0 → v0.47.0 — remediates CVE-2025-22869 (CVSS 7.5)
  • golang.org/x/net v0.34.0 → v0.49.0 — remediates CVE-2025-22870 (CVSS 4.4)

Other Dependency Updates

  • github.com/aws/aws-sdk-go v1.52.2 → v1.55.8
  • github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.0 → v2.38.2
  • github.com/hashicorp/terraform-plugin-go v0.26.0 → v0.29.0
  • github.com/hashicorp/go-plugin v1.6.2 → v1.7.0
  • github.com/hashicorp/hcl/v2 v2.23.0 → v2.24.0
  • google.golang.org/grpc v1.69.4 → v1.78.0
  • google.golang.org/protobuf v1.36.3 → v1.36.11
  • All golang.org/x/* packages updated to latest
  • Various other transitive dependency updates

CI Changes

  • Updated Go version in .github/workflows/test.yml from 1.22.1 to 1.24 (lint, test matrix, and release jobs)

Issues Resolved

Resolves #258
Supersedes #275 (which only updated golang.org/x/* packages — this PR is a superset that updates all dependencies)

Testing

  • go build ./... — passes
  • go mod verify — passes
  • go mod tidy — clean (no additional changes)

Check List

  • New functionality includes testing.
    • N/A - dependency update only, no functional changes
  • New functionality has been documented.
    • N/A - dependency update only
  • Commits are signed per the DCO using --signoff.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Update Go to 1.24 and upgrade all dependencies
904ee70 
- Bump Go version from 1.22.12 to 1.24
- Update golang.org/x/crypto to v0.47.0 (remediates CVE-2025-22869)
- Update golang.org/x/net to v0.49.0 (remediates CVE-2025-22870)
- Update all other Go dependencies to latest compatible versions
- Update CI workflow Go version from 1.22.1 to 1.24

Resolves opensearch-project#258
Supersedes opensearch-project#275

Signed-off-by: Gong-Guard <gong-guard@gong.dev>
Gong-Guard added 3 commits February 9, 2026 11:13
Update .golangci.yml for Go 1.24 and suppress pre-existing lint issues
2d6c85c 
- Bump golangci-lint Go version from 1.22.1 to 1.24
- Exclude SA1019 deprecation warnings for aws-sdk-go v1 (migration to
  v2 is a separate effort, tracked upstream)
- Exclude pre-existing govet printf warnings in resource_opensearch_user.go
  (non-constant format strings using string concatenation)

Signed-off-by: Gong-Guard <gong-guard@gong.dev>
Fix govet printf warnings in resource_opensearch_user.go
5380459 
Replace string concatenation in log.Printf calls with format verbs.
Go 1.24 treats non-constant format strings as a build error via govet.

- Line 143: use %s format verb for path
- Line 158: use %s format verb for response body
- Line 159: use %d format verb for status code

Signed-off-by: Gong-Guard <gong-guard@gong.dev>
Remove govet printf exclusion from .golangci.yml
468abf9 
The underlying code was fixed in the previous commit, so the
lint exclusion is no longer needed.

Signed-off-by: Gong-Guard <gong-guard@gong.dev>
prudhvigodithi
prudhvigodithi reviewed Feb 9, 2026
View reviewed changes
@prudhvigodithi
Copy link
Member

prudhvigodithi commented Feb 9, 2026

Thanks @danielrubin1989 overal LGTM.

@prudhvigodithi prudhvigodithi merged commit 77d4007 into opensearch-project:main Feb 10, 2026
5 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In Review to ✅ Done in Engineering Effectiveness Board Feb 10, 2026
@danielrubin1989
Copy link
Contributor Author

danielrubin1989 commented Feb 11, 2026
edited
Loading

@prudhvigodithi Thanks for merging! Is there a planned timeline for the next release that would include these dependency updates and the security fixes for CVE-2025-22869 and CVE-2025-22870?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prudhvigodithi prudhvigodithi prudhvigodithi approved these changes

@peterzhuamazon peterzhuamazon Awaiting requested review from peterzhuamazon peterzhuamazon is a code owner

@jackson-theisen jackson-theisen Awaiting requested review from jackson-theisen jackson-theisen is a code owner

@phillbaker phillbaker Awaiting requested review from phillbaker phillbaker is a code owner

@rblcoder rblcoder Awaiting requested review from rblcoder rblcoder is a code owner

Assignees

No one assigned

Labels

None yet

Projects

Engineering Effectiveness Board
Status: ✅ Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

github.com/hashicorp/terraform-plugin-sdk/v2-v2.36.0: 2 vulnerabilities (highest severity is: 7.5)

2 participants

@danielrubin1989 @prudhvigodithi