
bump: go and go-getter versions#26713

Merged
dduzgun-security merged 2 commits into main from bump/go-and-go-getter
Sep 8, 2025

Conversation

@dduzgun-security
Contributor

Description

  • Pick up the Go toolchain update for 1.24.7. Resolves the CVE-2025-47910 vulnerability in the net/http CrossOriginProtection.AddInsecureBypassPattern option.
  • Bump go-getter to v1.8.0, which now uses aws-sdk-go (v2).

Testing & Reproduction steps

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

@dduzgun-security dduzgun-security requested review from a team as code owners September 5, 2025 21:55
Contributor

@pkazmierczak pkazmierczak left a comment


LGTM, thanks @dduzgun-security! Let's make sure this gets backported, too.

@dduzgun-security dduzgun-security self-assigned this Sep 8, 2025
@dduzgun-security dduzgun-security added the labels theme/dependencies (Pull requests that update a dependency file), backport/ent/1.8.x+ent (Changes are backported to 1.8.x+ent) and backport/ent/1.9.x+ent on Sep 8, 2025
@dduzgun-security dduzgun-security merged commit 8a96929 into main Sep 8, 2025
50 checks passed
@dduzgun-security dduzgun-security deleted the bump/go-and-go-getter branch September 8, 2025 15:10
dduzgun-security added a commit that referenced this pull request Sep 8, 2025
* no-op commit due to failed cherry-picking

* bump: go and go-getter versions (#26713)

---------

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
tgross added a commit that referenced this pull request Sep 8, 2025
@tgross tgross mentioned this pull request Sep 8, 2025
tgross added a commit that referenced this pull request Sep 9, 2025
The `go-getter` update in #26713 is not passing tests upstream (apparently hashicorp/go-getter#548 is the origin of the problem, but that PR did not ever run tests). The issue being fixed isn't a critical vulnerability, so in the interest of preparing us for the next release, revert the `go-getter` change but keep the Go toolchain update.

We'll skip go-getter 1.8.0 and pick up the next patch version once its issues are fixed.
Reverts commit 8a96929.

Co-authored-by: Tim Gross <tgross@hashicorp.com>
@github-actions

github-actions bot commented Jan 7, 2026

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2026

Labels

backport/ent/1.8.x+ent (Changes are backported to 1.8.x+ent), theme/dependencies (Pull requests that update a dependency file)

2 participants