MLE-28474: Upgrade Go packages to resolve security vulnerabilities #339
Merged
vitalykorolev merged 1 commit on Apr 27, 2026
Pull request overview
Upgrades Go dependencies (including x/crypto, x/net, oauth2, terratest, Docker/K8s libs) to address reported CVEs/policy findings, and updates test code to satisfy stricter Go 1.26 vet/format-string rules.
Changes:
- Bump Go toolchain version and update multiple direct/indirect Go dependencies in go.mod/go.sum.
- Replace non-constant t.Logf/t.Fatalf/t.Errorf usages in many test files with constant format strings or non-f variants.
- Misc. test logging/error-call adjustments to align with Go 1.26 constraints.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/template/tls_param_template_test.go | Fix t.Logf usage to use constant format strings. |
| test/template/network_templ_test.go | Fix t.Logf usage to use constant format strings. |
| test/hugePages/huge_pages_test.go | Adjust test logging and error calls to avoid non-constant format strings. |
| test/e2e/tls_test.go | Adjust test logging/error calls; includes an incorrect t.Log message formatting. |
| test/e2e/separate_nodes_test.go | Replace non-constant t.Fatalf/t.Logf patterns with Go 1.26-safe calls. |
| test/e2e/scaling_test.go | Replace non-constant t.Fatalf/t.Logf patterns with Go 1.26-safe calls. |
| test/e2e/ready_test.go | Replace non-constant t.Fatalf/t.Logf patterns with Go 1.26-safe calls. |
| test/e2e/path_based_test.go | Replace non-constant t.Fatalf/t.Logf patterns with Go 1.26-safe calls. |
| test/e2e/marklogic_upgrade_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/install_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/group_cfg_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/failover_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/env_param_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/clustering_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| test/e2e/backup_restore_test.go | Replace non-constant t.Fatalf(err.Error()) with t.Fatal(...) in retry functions. |
| test/e2e/admin_secrets_test.go | Replace non-constant t.Logf/t.Fatalf patterns with Go 1.26-safe calls. |
| go.mod | Bump Go version to 1.26 and update dependency versions. |
| go.sum | Update dependency checksums for upgraded modules. |
Upgraded the following packages to resolve CVEs reported by govulncheck and policy violations reported by BlackDuck:
- golang.org/x/crypto v0.33.0 -> v0.50.0 (GO-2025-3487, GO-2025-4116, GO-2025-4134, GO-2025-4135)
- golang.org/x/net v0.35.0 -> v0.53.0 (GO-2025-3503, GO-2025-3595, GO-2026-4440, GO-2026-4441)
- golang.org/x/oauth2 v0.24.0 -> v0.36.0 (GO-2025-3488)
- filippo.io/edwards25519 v1.1.0 -> v1.2.0 (GO-2026-4503)
- github.com/jackc/pgx/v5 v5.7.1 -> v5.9.2 (GO-2026-4771, GO-2026-4772)
- github.com/cloudflare/circl v1.5.0 -> v1.6.3
- github.com/docker/docker v28.0.4 -> v28.5.2
- github.com/moby/spdystream v0.2.0 -> v0.5.1
- github.com/gruntwork-io/terratest v0.48.2 -> v0.56.0

Fix non-constant format string in t.Logf calls across test files to comply with stricter vet checks in Go 1.26 (introduced by the terratest upgrade). All template tests pass locally. govulncheck reports no vulnerabilities.
65d2b9f to 3f3b253
rwinieski approved these changes Apr 27, 2026
Summary
Upgrades Go dependencies to resolve security vulnerabilities reported by govulncheck and policy violations reported by BlackDuck (MarkLogic-Platform-Server-Kubernetes-Helm, develop_3.2.15).
Root cause
Multiple Go packages in go.mod contained known CVEs. govulncheck confirmed one vulnerability (GO-2025-3487 in golang.org/x/crypto) is reachable via code paths in this repository. The remaining CVEs are in imported packages.
Fix
Updated the following packages to their latest versions:
The terratest upgrade pulled in k8s.io v0.35.0 and Go toolchain 1.26. Go 1.26 enforces a stricter vet rule that treats non-constant format strings in t.Logf/t.Fatalf/t.Errorf as build errors. All occurrences across e2e and template test files have been fixed by replacing string concatenation with format verbs or switching to the non-f variants (t.Log, t.Fatal, t.Error).
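To make the vet rule described above concrete, here is an added example (not code from this PR, nor from the terratest or MarkLogic projects) that parses a constructed test file and reports every Logf/Fatalf/Errorf/Skipf call whose format argument is not a string literal, i.e. the pattern this PR rewrote. sampleTest, formatMethods and NonConstantFormats are names chosen for the example, and the check only approximates vet's printf analyzer.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample mirroring what the PR rewrote: lines 5-6 use the non-constant
// format strings Go 1.26 vet rejects; lines 7-8 are the safe rewrites.
const sampleTest = `package e2e
import "testing"
func TestX(t *testing.T) {
	name := "node-0"
	t.Logf("checking " + name)
	t.Fatalf(err.Error())
	t.Logf("checking %s", name)
	t.Fatal(err.Error())
}`

// testing.T methods whose first argument is a format string.
var formatMethods = map[string]bool{"Logf": true, "Fatalf": true, "Errorf": true, "Skipf": true}
// NonConstantFormats returns "line:method" for each Logf/Fatalf/Errorf/Skipf call whose
// format argument is not a string literal (stricter than vet: it also flags formats with args).
func NonConstantFormats(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample_test.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !formatMethods[sel.Sel.Name] {
			return true
		}
		if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
			return true // literal format string: the form vet accepts
		}
		line := fset.Position(call.Pos()).Line
		findings = append(findings, fmt.Sprintf("%d:%s", line, sel.Sel.Name))
		return true
	})
	return findings, nil
}
```

Running NonConstantFormats over sampleTest reports the two flagged calls ("5:Logf" and "6:Fatalf") and accepts the rewritten ones, which is the same split the PR applied across the e2e and template tests.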
Validation