From d2852006e0d7dd7e294ed1d81c32002946b8f600 Mon Sep 17 00:00:00 2001 From: lex0c Date: Sat, 27 Jun 2026 23:54:19 -0300 Subject: [PATCH] fix(security): require Go 1.26.4 to patch html/template XSS The new govulncheck gate flagged the go.mod `go 1.26.1` directive: that toolchain's html/template has three reachable escaper-bypass XSS bugs (GO-2026-4865, GO-2026-4980, GO-2026-4982), fixed in 1.26.2/1.26.3. This is reachable in prod, not just CI noise: `gitcortex report` renders git data into HTML via html/template (report.GenerateProfile -> template.Execute), so release binaries built on 1.26.1 shipped the vulnerable escaper. Bumping the directive makes setup-go install a patched toolchain everywhere (go-version-file: go.mod) and turns the govulncheck gate green. Co-Authored-By: Claude Opus 4.8 (1M context) --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 0cac464..97a94af 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/lex0c/gitcortex -go 1.26.1 +go 1.26.4 require github.com/spf13/cobra v1.10.2