
Commit 043fd71

grempe and claude committed
Bump mise toolchain and Go module dependencies

mise tools (.tool-versions):
- go 1.26.3 -> 1.26.4 (fixes CVE-2026-42504 net/textproto error injection, CVE-2026-42507 mime CPU exhaustion, CVE-2026-27145 crypto/x509 VerifyHostname DoS — all on the CLI's HTTPS client path)
- goreleaser 2.15.2 -> 2.16.0 (brews: deprecated; we already use homebrew_casks — goreleaser check validates clean)
- cosign 3.0.6 -> 3.1.1 (bundle-format default; verify-blob unchanged)
- syft 1.42.4 -> 1.45.1
- caddy 2.11.2 -> 2.11.4 (security patches)

Go modules:
- bubbletea v2.0.7, koanf v2.3.5, x/crypto v0.53.0, x/mod v0.37.0, x/term v0.44.0 (direct)
- btcec v2.5.0, btcutil v1.2.0, fsnotify v1.10.1, x/sys v0.46.0, new chainhash/v2 module via btcec (indirect)

No breaking changes per upstream changelogs. Verified with tests between each update group, task precommit-full (fmt, lint, race, fuzz seeds, govulncheck clean, all-platform builds), and task fuzz-deep across all 64 targets with no new reproducers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent fdb8d04 commit 043fd71

4 files changed

Lines changed: 110 additions & 150 deletions


.tool-versions

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -2,18 +2,18 @@
22
# Bump intentionally after vetting the upstream changelog; do not let
33
# the stdlib (or any other tool below) drift under the project via `latest`.
44
#
5-
# Go 1.26.3 is the minimum: 1.26.2 carries two stdlib vulnerabilities
6-
# (GO-2026-4971 panic in net.Dial/LookupPort on Windows NUL bytes;
7-
# GO-2026-4918 infinite loop in net/http/internal/http2 on bad
8-
# SETTINGS_MAX_FRAME_SIZE) surfaced by `task vuln-check`. Prior 1.26.1
9-
# carried six stdlib vulnerabilities (5 in crypto/x509, 1 in html/template).
10-
# Re-run `task vuln-check` after every Go bump.
11-
go 1.26.3
12-
goreleaser 2.15.2
13-
cosign 3.0.6
5+
# Go 1.26.4 is the current pin (`task vuln-check` clean as of 2026-06-11).
6+
# 1.26.3 was the previous security floor: 1.26.2 carried two stdlib
7+
# vulnerabilities (GO-2026-4971 panic in net.Dial/LookupPort on Windows
8+
# NUL bytes; GO-2026-4918 infinite loop in net/http/internal/http2 on bad
9+
# SETTINGS_MAX_FRAME_SIZE); 1.26.1 carried six (5 in crypto/x509, 1 in
10+
# html/template). Re-run `task vuln-check` after every Go bump.
11+
go 1.26.4
12+
goreleaser 2.16.0
13+
cosign 3.1.1
1414
shellcheck 0.11.0
15-
syft 1.42.4
16-
caddy 2.11.2
15+
syft 1.45.1
16+
caddy 2.11.4
1717
# Go quality and vulnerability tooling consumed by `task lint` (staticcheck +
1818
# gosec) and `task vuln-check` (govulncheck). Pinning via mise — rather than
1919
# `go install ...@latest` — keeps these reproducible across machines and
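Review bot: the rewritten comment (new lines 5-10) records why 1.26.2 and 1.26.1 were rejected but not why 1.26.3 is no longer acceptable, so the next person touching this pin has to dig the commit message out to learn that the bump to 1.26.4 is itself a security fix. Suggest adding the three CVEs the commit message names right after `# Go 1.26.4 is the current pin (...)`, e.g. `# 1.26.3 carried CVE-2026-42504 (net/textproto), CVE-2026-42507 (mime)` and `# and CVE-2026-27145 (crypto/x509 VerifyHostname); do not go below 1.26.4.`, so the floor-history comment stays self-contained. The `as of 2026-06-11` date is useful for the same reason; keep refreshing it on every bump rather than letting it go stale.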

CHANGELOG.md

Lines changed: 38 additions & 0 deletions
@@ -7,6 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### Security
11+
- **Go toolchain 1.26.3 → 1.26.4.** Picks up three stdlib CVE fixes
12+
that all sit on this CLI's HTTPS client path: CVE-2026-42504
13+
(net/textproto — attacker-controlled server could inject unescaped
14+
content into errors surfaced by net/http clients reading MIME
15+
headers), CVE-2026-42507 (mime — CPU exhaustion decoding malicious
16+
MIME headers), and CVE-2026-27145 (crypto/x509 — quadratic
17+
`VerifyHostname` cost on large DNS SAN lists during TLS
18+
verification). `task vuln-check` is clean on 1.26.4.
19+
20+
### Changed
21+
- **Toolchain pins bumped in `.tool-versions`** after vetting each
22+
upstream changelog: goreleaser 2.15.2 → 2.16.0 (XZ archive support,
23+
secret-redaction hardening in 2.15.3; the newly-deprecated `brews:`
24+
config section does not affect us — `.goreleaser.yaml` already uses
25+
`homebrew_casks`, and `goreleaser check` validates clean), cosign
26+
3.0.6 → 3.1.1 (Sigstore bundle format now the default; legacy
27+
detached-signature `verify-blob` used by `truestamp upgrade` and
28+
`install.sh` keeps working in v3 — flag removals land in cosign v4),
29+
syft 1.42.4 → 1.45.1, caddy 2.11.2 → 2.11.4 (upstream security
30+
patches; dev-docs server only). shellcheck and websocat were already
31+
current.
32+
- **Go module dependencies updated across the board**: bubbletea
33+
v2.0.7 (mouse-handling race fixes that directly benefit
34+
`truestamp console`), koanf v2.3.5, x/crypto v0.53.0, x/mod v0.37.0,
35+
x/term v0.44.0, and notable indirects btcec v2.5.0 + btcutil v1.2.0
36+
(first releases on btcsuite's post-module-split graph — the new
37+
`chainhash/v2` module enters the graph via btcec; the breaking
38+
`*/v2.0.0` btcsuite line was deliberately *not* taken), fsnotify
39+
v1.10.1, x/sys v0.46.0. No breaking changes per upstream release
40+
notes. Verified with the full test suite between each update group,
41+
`task precommit-full`, and `task fuzz-deep` across all 64 fuzz
42+
targets with no new reproducers.
43+
- **Go lint/vuln tooling pinned via mise** (`staticcheck`, `gosec`,
44+
`govulncheck` in `.tool-versions`) instead of `go install ...@latest`,
45+
keeping `task lint` and `task vuln-check` reproducible across
46+
machines and Go toolchain bumps (#19).
47+
1048
## [0.8.1] — 2026-05-27
1149

1250
### Fixed
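Review bot: the Security entry describes the fix but not the exposure window. Every binary built with the previous `go 1.26.3` pin carries the three CVEs listed, and this entry sits under `[Unreleased]` until a tagged release ships, so consider stating which shipped releases were built with an affected toolchain and that the fix only reaches users with the next release; that sentence also keeps the entry accurate once it moves under a version heading. Minor: the `(#19)` tooling-pin item documents a change that was already in place (the staticcheck/gosec/govulncheck pin is unchanged context in `.tool-versions`), so a cross-reference to the commit that landed it would be clearer than listing it as part of this bump.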

go.mod

Lines changed: 21 additions & 18 deletions
@@ -1,10 +1,10 @@
11
module github.com/truestamp/truestamp-cli
22

3-
go 1.26.3
3+
go 1.26.4
44

55
require (
66
charm.land/bubbles/v2 v2.1.0
7-
charm.land/bubbletea/v2 v2.0.6
7+
charm.land/bubbletea/v2 v2.0.7
88
charm.land/huh/v2 v2.0.3
99
charm.land/lipgloss/v2 v2.0.3
1010
github.com/btcsuite/btcd v0.25.0
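Review bot: raising the `go` directive to `1.26.4` (and not only the mise pin) is what actually enforces the security floor for anyone building from source: with the default `GOTOOLCHAIN=auto` an older local Go fetches 1.26.4, and with `GOTOOLCHAIN=local` the build fails fast instead of silently linking the vulnerable stdlib. That is the desired behaviour for a CVE floor, but it is worth one sentence in the `.tool-versions` comment or the changelog so nobody later "tidies" this back down to `go 1.26`. No separate `toolchain` directive is needed since the `go` line already carries the patch version.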
@@ -20,47 +20,50 @@ require (
2020
github.com/knadh/koanf/providers/env/v2 v2.0.0
2121
github.com/knadh/koanf/providers/file v1.2.1
2222
github.com/knadh/koanf/providers/posflag v1.0.1
23-
github.com/knadh/koanf/v2 v2.3.4
23+
github.com/knadh/koanf/v2 v2.3.5
2424
github.com/oklog/ulid/v2 v2.1.1
2525
github.com/spf13/cobra v1.10.2
2626
github.com/spf13/pflag v1.0.10
27-
golang.org/x/crypto v0.52.0
28-
golang.org/x/mod v0.36.0
29-
golang.org/x/term v0.43.0
27+
golang.org/x/crypto v0.53.0
28+
golang.org/x/mod v0.37.0
29+
golang.org/x/term v0.44.0
3030
gopkg.in/natefinch/lumberjack.v2 v2.2.1
3131
)
3232

3333
require (
3434
github.com/atotto/clipboard v0.1.4 // indirect
35-
github.com/btcsuite/btcd/btcec/v2 v2.3.5 // indirect
36-
github.com/btcsuite/btcd/btcutil v1.1.5 // indirect
37-
github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f // indirect
38-
github.com/charmbracelet/ultraviolet v0.0.0-20260416155717-489999b90468 // indirect
35+
github.com/btcsuite/btcd/btcec/v2 v2.5.0 // indirect
36+
github.com/btcsuite/btcd/btcutil v1.2.0 // indirect
37+
github.com/btcsuite/btcd/chainhash/v2 v2.0.0 // indirect
38+
github.com/btcsuite/btclog v1.0.0 // indirect
39+
github.com/charmbracelet/ultraviolet v0.0.0-20260608091853-35bcb7319efa // indirect
3940
github.com/charmbracelet/x/ansi v0.11.7 // indirect
4041
github.com/charmbracelet/x/exp/ordered v0.1.0 // indirect
41-
github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
42+
github.com/charmbracelet/x/exp/strings v0.1.0 // indirect
4243
github.com/charmbracelet/x/term v0.2.2 // indirect
4344
github.com/charmbracelet/x/termios v0.1.1 // indirect
4445
github.com/charmbracelet/x/windows v0.2.2 // indirect
4546
github.com/clipperhouse/displaywidth v0.11.0 // indirect
4647
github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
47-
github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect
48-
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
48+
github.com/decred/dcrd/crypto/blake256 v1.1.0 // indirect
49+
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 // indirect
4950
github.com/dustin/go-humanize v1.0.1 // indirect
50-
github.com/fsnotify/fsnotify v1.9.0 // indirect
51-
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
51+
github.com/fsnotify/fsnotify v1.10.1 // indirect
52+
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
5253
github.com/inconshreveable/mousetrap v1.1.0 // indirect
54+
github.com/kcalvinalvin/anet v0.0.0-20251112173137-d8ddc1f6dbee // indirect
5355
github.com/knadh/koanf/maps v0.1.2 // indirect
5456
github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
55-
github.com/mattn/go-runewidth v0.0.23 // indirect
57+
github.com/mattn/go-runewidth v0.0.24 // indirect
5658
github.com/mitchellh/copystructure v1.2.0 // indirect
5759
github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
5860
github.com/mitchellh/reflectwalk v1.0.2 // indirect
5961
github.com/muesli/cancelreader v0.2.2 // indirect
6062
github.com/pelletier/go-toml/v2 v2.3.1 // indirect
6163
github.com/rivo/uniseg v0.4.7 // indirect
64+
github.com/stretchr/testify v1.11.1 // indirect
6265
github.com/x448/float16 v0.8.4 // indirect
6366
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
64-
golang.org/x/sync v0.20.0 // indirect
65-
golang.org/x/sys v0.45.0 // indirect
67+
golang.org/x/sync v0.21.0 // indirect
68+
golang.org/x/sys v0.46.0 // indirect
6669
)
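Review bot: two indirect additions in this hunk deserve a `go mod why -m` check before merge: `github.com/kcalvinalvin/anet v0.0.0-20251112173137-d8ddc1f6dbee` is an untagged pseudo-version pulled in by the btcsuite bump, so there are no release notes to vet it against the "no breaking changes per upstream changelogs" claim, and `github.com/stretchr/testify v1.11.1 // indirect` entering the main module graph suggests some dependency now imports it outside its tests; confirm whether it reaches the shipped binary (`go version -m` on the built CLI) or only the test graph. The `github.com/btcsuite/btclog` jump from a 2017 pseudo-version to `v1.0.0` is a major-version-sized change hidden behind an indirect and merits a line in the commit message. The fourth changed file is not shown in this view, so the matching go.sum entries could not be checked here.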
