go.mod: vulnerabilities: bump go version to 1.23.12 for (#2077)

FilWisher · web-flow · commit cef941bf854b · 2025-10-23T16:24:05.000+02:00
`govulncheck` detects some vulnerabilities from the current builds that are resolved by bumping the minor Go version to `.12`. I have kept the major version the same. On current `main`: $ go build -o athens ./cmd/proxy/main.go $ govulncheck -mode binary ./athens === Symbol Results === Vulnerability #1: GO-2025-3956 Unexpected paths returned from LookPath in os/exec More info: https://pkg.go.dev/vuln/GO-2025-3956 Standard library Found in: os/exec@go1.23.5 Fixed in: os/exec@go1.23.12 Vulnerable symbols found: #1: exec.LookPath Vulnerability #2: GO-2025-3849 Incorrect results returned from Rows.Scan in database/sql More info: https://pkg.go.dev/vuln/GO-2025-3849 Standard library Found in: database/sql@go1.23.5 Fixed in: database/sql@go1.23.12 Vulnerable symbols found: #1: sql.Row.Scan #2: sql.Rows.Scan Vulnerability #3: GO-2025-3751 Sensitive headers not cleared on cross-origin redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3751 Standard library Found in: net/http@go1.23.5 Fixed in: net/http@go1.23.10 Vulnerable symbols found: #1: http.Client.Do #2: http.Client.Get #3: http.Client.Head #4: http.Client.Post #5: http.Client.PostForm Vulnerability #4: GO-2025-3563 Request smuggling due to acceptance of invalid chunked data in net/http More info: https://pkg.go.dev/vuln/GO-2025-3563 Standard library Found in: net/http/internal@go1.23.5 Fixed in: net/http/internal@go1.23.8 Vulnerable symbols found: #1: internal.chunkedReader.Read Your code is affected by 4 vulnerabilities from the Go standard library. This scan also found 0 vulnerabilities in packages you import and 2 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. After version bump: $ go build -o athens ./cmd/proxy/main.go $ govulncheck -mode=binary ./athens === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 2 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details.
diff --git a/Dockerfile.test b/Dockerfile.test
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.23.5
+ARG GOLANG_VERSION=1.23.12
 FROM golang:$GOLANG_VERSION
 
 RUN echo $GOLANG_VERSION
diff --git a/appveyor.yml b/appveyor.yml
@@ -10,7 +10,7 @@ environment:
   GOPROXY: https://proxy.golang.org
   SKIP_UNTIL_113: true
 
-stack: go 1.23.5
+stack: go 1.23.12
 
 test_script:
   - go version
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
       context: .
       dockerfile: cmd/proxy/Dockerfile
       args:
-        GOLANG_VERSION: "1.23.5"
+        GOLANG_VERSION: "1.23.12"
     environment:
       - ATHENS_MONGO_STORAGE_URL=mongodb://mongo:27017
       - TIMEOUT=20 # in case the mongo dependency takes longer to start up
@@ -20,7 +20,7 @@ services:
       context: .
       dockerfile: Dockerfile.test
       args:
-        GOLANG_VERSION: "1.23.5"
+        GOLANG_VERSION: "1.23.12"
     command: ["./scripts/test_unit.sh"]
     environment:
       - GO_ENV=test
@@ -36,7 +36,7 @@ services:
       context: .
       dockerfile: Dockerfile.test
       args:
-        GOLANG_VERSION: "1.23.5"
+        GOLANG_VERSION: "1.23.12"
     command: ["./scripts/test_e2e.sh"]
   azurite:
     image: arafato/azurite:2.6.5
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/gomods/athens
 
-go 1.23.5
+go 1.23.12
 
 require (
 	cloud.google.com/go/storage v1.45.0

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-ARG GOLANG_VERSION=1.23.5`
	`1`	`+ARG GOLANG_VERSION=1.23.12`
`2`	`2`	`FROM golang:$GOLANG_VERSION`
`3`	`3`
`4`	`4`	`RUN echo $GOLANG_VERSION`