Update dependencies and resolve mongo-driver advisory #20

Merged
umputun merged 1 commit into master from deps/update-latest
Jun 30, 2026

@paskal paskal commented Jun 30, 2026

Contributor

Summary

Updates all dependencies to their latest versions across both modules (root and _examples/status) and resolves the open Dependabot alert.

Security

Resolves Dependabot alert GHSA-cp6g-7hqx-qxhp (medium) — a heap out-of-bounds read in mongo-go-driver's GSSAPI error handling — by raising go.mongodb.org/mongo-driver from v1.17.4 to v1.17.9 (patched in 1.17.7).

Root module

  • go directive 1.24 → 1.25.0
  • github.com/stretchr/testify v1.10.0 → v1.11.1
  • go.mongodb.org/mongo-driver v1.17.4 → v1.17.9
  • golang.org/x/text v0.28.0 → v0.38.0
  • modernc.org/sqlite v1.38.2 → v1.53.0
  • transitive bumps; golang.org/x/exp no longer required

_examples/status module

  • go directive 1.24 → 1.25.0
  • github.com/stretchr/testify v1.10.0 → v1.11.1
  • modernc.org/sqlite v1.35.0 → v1.53.0
  • transitive bumps

Other changes

  • CI go-version 1.24 → 1.25 to match the raised go directive.
  • Embedded test-module template in the generator integration test updated to the same versions.
  • Replaced the deprecated parser.ParseDir (deprecated as of Go 1.25) with a directory walk over parser.ParseFile, preserving the existing package-grouping behaviour.

Verification (local, Go 1.26)

  • gofmt -l . clean, go vet, go build clean
  • go test -race passes for both modules
  • golangci-lint run (v2.12.2): 0 issues in both modules
  • govulncheck ./...: no vulnerabilities found in either module

Resolve Dependabot alert GHSA-cp6g-7hqx-qxhp (medium): heap out-of-bounds
read in mongo-go-driver GSSAPI error handling, by raising
go.mongodb.org/mongo-driver from v1.17.4 to v1.17.9 (>= 1.17.7 patched).

Root module updates:
- go directive 1.24 -> 1.25.0
- github.com/stretchr/testify v1.10.0 -> v1.11.1
- go.mongodb.org/mongo-driver v1.17.4 -> v1.17.9
- golang.org/x/text v0.28.0 -> v0.38.0
- modernc.org/sqlite v1.38.2 -> v1.53.0
- plus transitive bumps; golang.org/x/exp no longer required

_examples/status module updates:
- go directive 1.24 -> 1.25.0
- github.com/stretchr/testify v1.10.0 -> v1.11.1
- modernc.org/sqlite v1.35.0 -> v1.53.0
- plus transitive bumps

Bump CI go-version 1.24 -> 1.25 to match the raised go directive, and
update the embedded test-module template in the generator integration
test to the same versions.

Replace the deprecated parser.ParseDir (deprecated as of Go 1.25) with a
directory walk over parser.ParseFile, preserving the existing
package-grouping behaviour.
@paskal paskal requested a review from umputun as a code owner June 30, 2026 17:08
@umputun umputun merged commit 75f49d4 into master Jun 30, 2026
4 checks passed
@umputun umputun deleted the deps/update-latest branch June 30, 2026 17:32
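
A check of the kind the Security note above implies, as an added example that is not part of this pull request or the project's code: it reads a go.mod body and reports whether go.mongodb.org/mongo-driver is required at or above v1.17.7, the patched release named in the description. The function names and the sample go.mod are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const modPath = "go.mongodb.org/mongo-driver" // module named in the advisory
var patched = [3]int{1, 17, 7}                // first fixed release per the PR text: v1.17.7

// patchedOrLater: a "-suffix" (pre-release, pseudo-version) sorts below its release.
func patchedOrLater(v string) bool {
	var a [3]int
	core, _, pre := strings.Cut(v, "-")
	if _, err := fmt.Sscanf(core, "v%d.%d.%d", &a[0], &a[1], &a[2]); err != nil {
		return false // unparsable version: treat as unpatched
	}
	for i := range a {
		if a[i] != patched[i] {
			return a[i] > patched[i]
		}
	}
	return !pre
}

// checkGoMod returns the required version of modPath and whether it is patched.
func checkGoMod(gomod string) (string, bool) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // single-line form or "require ("
			f, inBlock = f[1:], len(f) == 2 && f[1] == "("
		} else if len(f) == 1 && f[0] == ")" {
			inBlock = false
		} else if !inBlock {
			continue // skips replace/exclude lines and their blocks
		}
		if len(f) == 2 && f[0] == modPath {
			return f[1], patchedOrLater(f[1])
		}
	}
	return "", true // module not required: nothing to patch
}

func main() { // constructed go.mod body with the pre-update pin from the PR
	v, ok := checkGoMod("module example.test/m\n\nrequire " + modPath + " v1.17.4\n")
	fmt.Println(v, "patched:", ok)
}
```

Running it over every go.mod in a repository covers nested modules such as _examples/status, which a check of the root module alone would miss.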