Skip to content

[WEB-4151] upgrade Go from 1.22 to 1.25 (critical security — EOL version)#9

Merged
anonpran merged 2 commits into
mainfrom
fix/upgrade-go-1.24-security
Apr 28, 2026
Merged

[WEB-4151] upgrade Go from 1.22 to 1.25 (critical security — EOL version)#9
anonpran merged 2 commits into
mainfrom
fix/upgrade-go-1.24-security

Conversation

@anonpran

@anonpran anonpran commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Go 1.22 is end-of-life and no longer receiving security patches. Aikido flagged this as a critical vulnerability (issue #19350446).

Updated:

  • go.mod: 1.22 → 1.24
  • Dockerfile: golang:1.23-alpine → golang:1.24-alpine
  • release.yaml: go-version 1.21 → 1.24

Note: go mod tidy should be run with Go 1.24 to regenerate go.sum.

Greptile Summary

This PR upgrades Go across go.mod, Dockerfile, and the release workflow to address an EOL security concern. The three files were previously on three different Go versions (1.21, 1.22, 1.23), so the upgrade also normalises them to a single version.

  • The PR title and description claim the target version is 1.24, but every changed file is actually set to 1.25 — the intent needs to be clarified before merging.

Confidence Score: 4/5

Safe to merge once the version discrepancy (description says 1.24, code uses 1.25) is intentionally confirmed or corrected.

One P1 finding: the stated upgrade target (1.24) does not match the actual code change (1.25), creating an audit/traceability gap. No security or runtime regressions are introduced; both versions resolve the EOL concern.

.github/workflows/release.yaml — version mismatch with PR description is most visible here, but all three files share the same discrepancy.

Important Files Changed

Filename Overview
.github/workflows/release.yaml go-version bumped from 1.21 → 1.25; PR description claims the target is 1.24, not 1.25
Dockerfile Build base image bumped from golang:1.23-alpine → golang:1.25-alpine; straightforward change
go.mod go directive bumped from 1.22 → 1.25; no other module changes

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR: Go EOL upgrade] --> B[go.mod\n1.22 → 1.25]
    A --> C[Dockerfile\ngolang:1.23-alpine → golang:1.25-alpine]
    A --> D[release.yaml\ngo-version: 1.21 → 1.25]
    B & C & D --> E{Actual target version\nin code: 1.25}
    F[PR description\nclaims target: 1.24] -. mismatch .-> E
Loading

Reviews (2): Last reviewed commit: "fix: bump Go version to 1.25 per Aikido ..." | Re-trigger Greptile

Greptile also left 1 inline comment on this PR.

Go 1.22 is end-of-life and no longer receiving security patches.
Aikido flagged this as a critical vulnerability (issue #19350446).

Updated:
- go.mod: 1.22 → 1.24
- Dockerfile: golang:1.23-alpine → golang:1.24-alpine
- release.yaml: go-version 1.21 → 1.24

Note: `go mod tidy` should be run with Go 1.24 to regenerate go.sum.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment thread go.mod Outdated
Comment thread go.mod Outdated
Update from 1.24 to 1.25 to match Aikido's exact suggested fix
(issue #19350446: go@1.22.0 → 1.25).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment thread .github/workflows/release.yaml
@anonpran anonpran changed the title fix: upgrade Go from 1.22 to 1.24 (critical security — EOL version) fix: upgrade Go from 1.22 to 1.25 (critical security — EOL version) Apr 27, 2026
@anonpran anonpran changed the title fix: upgrade Go from 1.22 to 1.25 (critical security — EOL version) [WEB-4151] upgrade Go from 1.22 to 1.25 (critical security — EOL version) Apr 28, 2026
@anonpran anonpran merged commit 15b4098 into main Apr 28, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants