From 79082afb32a0c2fd90c6edd36ccfeaab5ff0e7e0 Mon Sep 17 00:00:00 2001 From: Jimmi Dyson Date: Tue, 16 Apr 2024 12:58:59 +0100 Subject: [PATCH] build: Specify go1.22.2 as toolchain to fix govulncheck issues Nix (and therefore devbox) has been slow in rolling out go1.22.2, which contains CVE fixes. Current version go1.22.1 causes govulncheck to report valid vulnerabilities in `net/http` package. go1.21 introduced toolchain management via `go.mod` file with `toolchain` directive. This commit specifies go1.22.2 as the toolchain to use and hence fixes the govulncheck issues. This does mean that go versions have to be managed in multiple places so this is a stop-gap until Nix releases go1.22.2 to nixpkgs-unstable channel. --- api/go.mod | 2 ++ common/go.mod | 2 ++ go.mod | 2 ++ 3 files changed, 6 insertions(+) diff --git a/api/go.mod b/api/go.mod index b85eb3aff..233861afa 100644 --- a/api/go.mod +++ b/api/go.mod @@ -5,6 +5,8 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/ap go 1.21 +toolchain go1.22.2 + require ( github.com/nutanix-cloud-native/prism-go-client v0.3.4 github.com/onsi/gomega v1.32.0 diff --git a/common/go.mod b/common/go.mod index 3d9a55f98..b1daea83e 100644 --- a/common/go.mod +++ b/common/go.mod @@ -5,6 +5,8 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/co go 1.21 +toolchain go1.22.2 + replace github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api => ../api require ( diff --git a/go.mod b/go.mod index 2850e530f..7dbe6f08b 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,8 @@ module github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix go 1.21 +toolchain go1.22.2 + replace ( github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api => ./api github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common => ./common