From df627ff8966f4c04ccd0e437341c9ce7168a749a Mon Sep 17 00:00:00 2001 From: Feng Ruohang Date: Fri, 12 Jun 2026 21:23:40 +0800 Subject: [PATCH] fix: bump Go toolchain to 1.26.4 Update the module Go directive and release Docker build images from Go 1.26.2 to Go 1.26.4 so local, CI, hotfix, and release builds use the same patched toolchain. Keep ordinary Go module requirements and replacements unchanged; this intentionally avoids a third-party dependency refresh while allowing container system packages to refresh through the newer golang Alpine base image and existing apk resolution. Update the security advisory index to record the Go 1.26.4 toolchain bump alongside the earlier Go 1.26.2 security update. Verified with go build ./..., go vet ./cmd/, and focused cmd tests. go mod tidy -diff was attempted as a read-only dependency drift check but could not complete because proxy.golang.org timed out while fetching uncached transitive test modules. Co-authored-by: Codex --- Dockerfile.goreleaser | 2 +- Dockerfile.hotfix | 2 +- Dockerfile.release | 2 +- Dockerfile.release.old_cpu | 2 +- docs/security/advisories.md | 2 +- go.mod | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser index 9d570194b..a76c4e522 100644 --- a/Dockerfile.goreleaser +++ b/Dockerfile.goreleaser @@ -1,4 +1,4 @@ -FROM golang:1.26.2-alpine AS build +FROM golang:1.26.4-alpine AS build ARG TARGETARCH diff --git a/Dockerfile.hotfix b/Dockerfile.hotfix index 2049f1dec..4b10897f8 100644 --- a/Dockerfile.hotfix +++ b/Dockerfile.hotfix @@ -1,4 +1,4 @@ -FROM golang:1.26.2-alpine as build +FROM golang:1.26.4-alpine as build ARG TARGETARCH ARG RELEASE diff --git a/Dockerfile.release b/Dockerfile.release index da56b0135..ed2168e0f 100644 --- a/Dockerfile.release +++ b/Dockerfile.release @@ -1,4 +1,4 @@ -FROM golang:1.26.2-alpine AS build +FROM golang:1.26.4-alpine AS build ARG TARGETARCH ARG RELEASE diff --git a/Dockerfile.release.old_cpu b/Dockerfile.release.old_cpu index 81b77ccef..1fad8487f 100644 --- a/Dockerfile.release.old_cpu +++ b/Dockerfile.release.old_cpu @@ -1,4 +1,4 @@ -FROM golang:1.26.2-alpine AS build +FROM golang:1.26.4-alpine AS build ARG TARGETARCH ARG RELEASE diff --git a/docs/security/advisories.md b/docs/security/advisories.md index d6884e373..1af6676d1 100644 --- a/docs/security/advisories.md +++ b/docs/security/advisories.md @@ -19,7 +19,7 @@ This document summarizes fork-specific security fixes and closely related upgrad | :-- | :-- | :-- | | `CVE-2026-34986` | `68e0ba997` | Upgrades `go-jose` to `v4.1.4`. | | `CVE-2026-39883` | `1869bd30b`, `e4fa06394` | Updates OpenTelemetry dependencies. | -| Upstream Go security fixes | `db4c0fd5e` | Bumps the Go toolchain to `1.26.2`. | +| Upstream Go security fixes | `db4c0fd5e`, Go 1.26.4 update | Bumps the Go toolchain through `1.26.4`. | ## Operationally significant security-related fixes diff --git a/go.mod b/go.mod index c2993b64f..a8f09db9b 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/minio/minio -go 1.26.2 +go 1.26.4 // Use Georg Mangold's maintained Console fork while keeping upstream import paths. replace github.com/minio/console => github.com/georgmangold/console v1.9.1