Build with patched Go toolchain #59
Code Review
This pull request updates the Go version to 1.26.2 in both the Dockerfile and go.mod. Feedback indicates that Go 1.26.2 is not an official release, which will likely cause build failures and toolchain issues. It is recommended to use a fully qualified image name in the Dockerfile if this is a custom toolchain and to use the 'toolchain' directive in go.mod to maintain compatibility with standard Go tools while pinning the specific version.
| @@ -1,4 +1,4 @@ | |||
| FROM golang:1.25.5 AS builder | |||
| FROM golang:1.26.2 AS builder | |||
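Review bot: the new `FROM golang:1.26.2 AS builder` line still selects the builder image by tag alone, so the compiler behind a security-motivated bump can change if the tag is re-pushed. Consider pinning the digest as well (`FROM golang:1.26.2@sha256:<digest> AS builder`, with the digest of the image you verified) so release builds stay on the toolchain that was actually tested.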
The image golang:1.26.2 is not available on the official Docker Hub (the current stable Go version is 1.24). If this refers to a custom-built patched toolchain image, it is best practice to use a fully qualified image name (including the registry, e.g., ghcr.io/your-org/golang:1.26.2) to ensure the build is portable and reproducible across different environments. If this is a typo, please use a valid official Go version.
| module github.com/tbxark/mcp-proxy | ||
|
|
||
| go 1.24.0 | ||
| go 1.26.2 |
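Review bot: changing the `go` line from `go 1.24.0` to `go 1.26.2` raises the hard minimum for every build of this module, not only the Docker build, so an environment on an older Go with `GOTOOLCHAIN=local` will refuse to build instead of switching toolchains. If that is the intent, since it keeps builds off the unpatched standard library, state it in the commit message so the stricter requirement is not later relaxed by mistake.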
The Go version 1.26.2 is not an official release. Using a non-existent version in the go directive will cause the Go toolchain to fail for most users. In Go 1.21 and later, the go directive should specify the minimum language version (e.g., 1.24), while the toolchain directive should be used to pin a specific toolchain version. This maintains compatibility with standard Go tools and IDEs while still enforcing the use of your patched toolchain for builds. Additionally, ensure you run go mod tidy to synchronize the module files.
| go 1.26.2 | |
| go 1.24 | |
| toolchain go1.26.2 |
|
Thanks for the review.
Summary
golang:1.25.5 to golang:1.26.2

Why
govulncheck ./... reported reachable public Go standard-library vulnerabilities when scanning the current tree, including crypto/x509, crypto/tls, and net/url findings fixed in Go 1.26.1/1.26.2. Building with Go 1.26.2 removes those reachable findings.

Verification
go test ./...
$(go env GOPATH)/bin/govulncheck ./... now reports 0 reachable vulnerabilities
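The two go.mod forms in this thread differ in what they enforce: Go 1.21 and later refuse to build below the `go` line, while the `toolchain` line is a suggestion followed only when toolchain switching is enabled. The following is an added example, not code from this PR or the mcp-proxy project, that computes both floors; `ParseFloors`, `Floors` and `Enforced` are hypothetical names and the go.mod strings are constructed from the directives shown above.

```go
package main

import (
	"fmt"
	"go/version"
	"strings"
)

// Floors holds the two minimum toolchains a go.mod implies for its main module.
type Floors struct {
	Hard    string // "go" line: Go 1.21+ refuses to build with anything older
	Default string // max(go, toolchain): what GOTOOLCHAIN=auto switches up to
}

// ParseFloors extracts the go and toolchain directives from go.mod text.
func ParseFloors(gomod string) (Floors, error) {
	var f Floors
	for _, line := range strings.Split(gomod, "\n") {
		w := strings.Fields(line)
		if len(w) < 2 {
			continue
		}
		switch w[0] {
		case "go":
			f.Hard = "go" + w[1]
		case "toolchain":
			f.Default = w[1]
		}
	}
	if !version.IsValid(f.Hard) {
		return f, fmt.Errorf("missing or invalid go directive: %q", f.Hard)
	}
	// The toolchain line is only a suggestion; it never lowers the go line.
	if !version.IsValid(f.Default) || version.Compare(f.Default, f.Hard) < 0 {
		f.Default = f.Hard
	}
	return f, nil
}

// Enforced reports whether every Go 1.21+ build is forced onto at least floor,
// including environments that set GOTOOLCHAIN=local.
func (f Floors) Enforced(floor string) bool { return version.Compare(f.Hard, floor) >= 0 }

func main() {
	// Constructed inputs: the go.mod from this PR and the reviewer's suggested form.
	pr := "module github.com/tbxark/mcp-proxy\n\ngo 1.26.2\n"
	suggested := "module github.com/tbxark/mcp-proxy\n\ngo 1.24\n\ntoolchain go1.26.2\n"
	for name, src := range map[string]string{"PR": pr, "suggested": suggested} {
		f, err := ParseFloors(src)
		fmt.Println(name, f, f.Enforced("go1.26.2"), err)
	}
}
```

With the suggested form, a builder on Go 1.25.x with `GOTOOLCHAIN=local` still compiles against the older standard library, which is why `Enforced` looks only at the `go` line.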