
fix: set go.mod version to actual min version #699


Merged
merged 27 commits into from
Jun 10, 2025

@anuraaga anuraaga commented Jun 9, 2025

As we see in #694, the actual minimum supported version is 1.23, but with `go 1.24` in the mod, dependents effectively require 1.24. The CI in this repo passes, I think, because `toolchain` causes Go 1.23 to just automatically download 1.24 and run it, effectively making the 1.23 CI workflow the same as 1.24.

The root cause of the go version is a transitive dependency on go-jose, go-jose/go-jose#184. I would encourage adding to that issue to explain how problematic that is. In the meantime, while keeping to 4.0.5 (the version after the CVE) can't completely protect downstream users from tools like dependabot, at least it can protect them from `go mod tidy`, which is harder to have ignore rules for.

Also, we use 1.23.0 instead of 1.23 because it corresponds to the first released version of Go 1.23, while the latter includes prereleases.
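
As an added illustration of the version semantics in the comment above (not part of the pull request or the project's code): a Go check, built on the standard `go/version` package, that flags a `go.mod` whose `go` directive exceeds a documented minimum and shows why `1.23` admits prereleases while `1.23.0` does not. The `go.mod` text, the module path and the `supported` input are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// Constructed go.mod text (not the project's file): the go directive sits at 1.24.
const sampleGoMod = `module example.com/constructed

go 1.24
`

// goDirective returns the go.mod "go" line in go/version form, e.g. "go1.23.0".
func goDirective(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "go" {
			if v := "go" + f[1]; version.IsValid(v) {
				return v, nil
			}
			return "", fmt.Errorf("invalid go directive %q", f[1])
		}
	}
	return "", fmt.Errorf("no go directive found")
}

// exceedsMinimum reports whether go.mod demands a newer Go than the documented minimum.
func exceedsMinimum(gomod, supported string) (bool, error) {
	v, err := goDirective(gomod)
	if err != nil {
		return false, err
	}
	return version.Compare(v, "go"+supported) > 0, nil
}

// satisfies reports whether a toolchain version meets a go directive.
func satisfies(toolchain, directive string) bool {
	return version.Compare("go"+toolchain, "go"+directive) >= 0
}

func main() {
	fmt.Println(exceedsMinimum(sampleGoMod, "1.23.0"))
	fmt.Println(satisfies("1.23rc1", "1.23"), satisfies("1.23rc1", "1.23.0"))
}
```

Running the oldest-version CI job with `GOTOOLCHAIN=local` makes the go command fail rather than download a newer toolchain, so that job actually exercises the minimum.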

@jonathanedey jonathanedey self-requested a review June 10, 2025 13:08
@lahirumaramba lahirumaramba self-assigned this Jun 10, 2025
@lahirumaramba lahirumaramba changed the base branch from master to dev June 10, 2025 14:04

@jonathanedey jonathanedey left a comment


LGTM, Thank you @anuraaga for helping to resolve this!

@jonathanedey jonathanedey merged commit a1b2188 into firebase:dev Jun 10, 2025
5 checks passed