@cc-shekher

Summary

Upgrades go-getter from v1.7.9 to v1.8.1 and Go from 1.23 to 1.24 to resolve a security vulnerability with AWS SDK v1.

Security Impact

  • Before: Used deprecated AWS SDK v1 (security risk)
  • After: Uses supported AWS SDK v2 (secure)
  • Compatibility: No breaking changes to existing functionality

Changes

  • Upgraded github.com/hashicorp/go-getter from v1.7.9 to v1.8.1
  • Upgraded Go from 1.23.0 to 1.24 (required by go-getter v1.8.1)
  • Upgraded toolchain from go1.23.4 to go1.24.2
  • Updated CI pipeline to test Go 1.24 in addition to 1.21, 1.22, 1.23
  • Removed deprecated github.com/aws/aws-sdk-go v1.44.122
  • Added secure AWS SDK v2 packages
  • Updated related dependencies for compatibility

Files Changed

  • go.mod - Dependency and Go version updates
  • go.sum - Updated checksums
  • .github/workflows/test.yaml - Added Go 1.24 to CI test matrix

Testing

  • ✅ Build successful (go build ./...)
  • ✅ Application runs correctly
  • ✅ All existing functionality verified
  • ✅ CI pipeline updated for Go 1.24 support

Checklist

  • Security vulnerability resolved
  • No breaking changes to application functionality
  • Tests pass locally
  • CI pipeline updated for Go 1.24

@cc-shekher cc-shekher requested review from a team as code owners September 22, 2025 09:16
@cc-shekher cc-shekher requested review from alina-d-m and removed request for a team September 22, 2025 09:16
@CLAassistant

CLAassistant commented Sep 22, 2025

CLA assistant check
All committers have signed the CLA.

@snyk-io

snyk-io bot commented Sep 22, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. No issues have been found. (View Details)

…DK v1 vulnerability

- Upgraded github.com/hashicorp/go-getter from v1.7.9 to v1.8.1
- Upgraded Go from 1.23.0 to 1.24 (required by go-getter v1.8.1)
- Upgraded toolchain from go1.23.4 to go1.24.2
- Updated CI pipeline to test Go 1.24 in addition to 1.21, 1.22, 1.23
- Migrated from deprecated AWS SDK v1 to supported AWS SDK v2
- Removed security vulnerability from unsupported AWS SDK v1 dependency
- Updated related dependencies for compatibility and security
- All tests pass and application functionality verified

Fixes security issue where go-getter v1.7.9 used deprecated AWS SDK v1
which is no longer supported. The upgrade to v1.8.1 automatically
migrates to AWS SDK v2, eliminating the security risk. The Go 1.24
upgrade is required by the newer go-getter version.
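
A reviewer can confirm the removal claimed above by scanning `go.mod` for the exact v1 module path. The following is an added example, not code from this pull request; `findSDKv1` and the sample `go.mod` text are hypothetical, and the v2 version in the sample is a constructed placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module path of the deprecated AWS SDK for Go v1, as named in the PR.
const awsSDKv1 = "github.com/aws/aws-sdk-go"
// Constructed sample go.mod (not the repository's file); v0.0.0 is a placeholder.
const sampleGoMod = `module example.com/app

go 1.23.0

require (
	github.com/hashicorp/go-getter v1.7.9
	github.com/aws/aws-sdk-go v1.44.122 // indirect
	github.com/aws/aws-sdk-go-v2 v0.0.0 // indirect
)
`

// findSDKv1 returns the versions of the v1 SDK required in go.mod text.
// It compares whole module paths, so aws-sdk-go-v2 modules are not flagged.
func findSDKv1(goMod string) []string {
	var hits []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require" && f[1] == awsSDKv1:
			hits = append(hits, f[2]) // single-line require
		case inBlock && len(f) == 2 && f[0] == awsSDKv1:
			hits = append(hits, f[1]) // entry inside a require block
		}
	}
	return hits
}

func main() {
	fmt.Println("aws-sdk-go v1 requirements:", findSDKv1(sampleGoMod))
}
```

An empty result on the post-upgrade `go.mod` is the expected outcome; `go list -m all` gives the same answer against the resolved module graph.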