ci(govulncheck): bump v1.1.1 -> v1.1.4 to unblock Go 1.25 toolchain #19

Merged
piotr-roslaniec merged 1 commit into main from fix/ci-bump-govulncheck
May 23, 2026

@piotr-roslaniec
Contributor

Summary

Follow-up to #18, same root cause.

`govulncheck v1.1.1` transitively imports `golang.org/x/tools@v0.21.1`, whose `internal/tokeninternal/tokeninternal.go:64` contains an array-length trick that evaluates to `-256` on Go 1.25 and fails to compile:

```
invalid array length -delta * delta (constant -256 of type int64)
```

This blocks any dep bump that pushes `go.mod` past `go 1.24.0`. PR #11 (golang.org/x/time v0.15.0) is the immediate trigger — its bump forces `go 1.25.0`. PR #18 already fixed the same issue for `gotestsum` (v1.12.0 → v1.13.0); this is the matching fix for the other `go install`-managed CI tool.

Why v1.1.4 specifically

  • v1.1.4: uses `x/tools v0.29.0` (no broken pattern), still requires only `go 1.22.0` minimum. Works on both Go 1.24 (current main) and Go 1.25 (post-#11, "chore(deps): bump golang.org/x/time from 0.9.0 to 0.15.0").
  • v1.2.0+: requires `go 1.25.0` minimum in its own go.mod, which would prematurely force the toolchain floor on current main. Skipped.

Verification

  • `go install golang.org/x/vuln/cmd/govulncheck@v1.1.4` installs cleanly on Go 1.24.
  • v1.1.4's go.mod requires only `go 1.22.0`; no toolchain cascade.
  • govulncheck is invoked with `continue-on-error: true` in the workflow, so a successful binary install is what matters — no logic change.

Test plan

govulncheck v1.1.1 transitively imports golang.org/x/tools@v0.21.1,
which contains an array-length trick in internal/tokeninternal/tokeninternal.go:64
that evaluates to -256 on Go 1.25 and fails to compile:

    invalid array length -delta * delta (constant -256 of type int64)

This blocks any dep bump that pushes go.mod past go 1.24.0 (e.g. PR #11's
golang.org/x/time v0.15.0, which requires go 1.25.0).

govulncheck v1.1.4 uses x/tools v0.29.0, which doesn't have that pattern.
v1.1.4 still requires only Go 1.22.0 minimum, so it works on both Go 1.24
(current main) and Go 1.25 (post-#11). Holding back from v1.2.0 because
v1.2.0+ requires Go 1.25.0 minimum, which would prematurely force the
toolchain floor before consumers are ready.

Pairs with #18's gotestsum v1.12.0 -> v1.13.0 bump for the same
underlying issue.
piotr-roslaniec merged commit c451fa1 into main on May 23, 2026
3 checks passed
piotr-roslaniec deleted the fix/ci-bump-govulncheck branch on May 23, 2026 13:48
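
The version-selection rule the description applies when settling on v1.1.4, as an added example (not code from this PR or its repository): choose the newest pinned tool version whose own go.mod `go` directive does not exceed the Go version the CI job runs. The go.mod excerpts are constructed from the versions quoted in the description, and `candidates`, `goDirective` and `newestInstallable` are hypothetical names.

```go
package main

import (
	"fmt"
	"go/version"
	"strings"
)

// Constructed go.mod excerpts; only the tags and go directives come from the PR text.
var candidates = []struct{ tag, gomod string }{
	{"v1.1.4", "module golang.org/x/vuln\n\ngo 1.22.0\n"},
	{"v1.2.0", "module golang.org/x/vuln\n\ngo 1.25.0\n"},
}

// goDirective returns the version named by the go directive of a go.mod file.
func goDirective(gomod string) (string, error) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "go" && version.IsValid("go"+f[1]) {
			return f[1], nil
		}
	}
	return "", fmt.Errorf("no valid go directive found")
}

// newestInstallable picks the last candidate (oldest to newest) whose floor is <= ciGo.
func newestInstallable(ciGo string) (string, error) {
	if !version.IsValid("go" + ciGo) {
		return "", fmt.Errorf("invalid CI Go version %q", ciGo)
	}
	best := ""
	for _, c := range candidates {
		floor, err := goDirective(c.gomod)
		if err != nil {
			return "", fmt.Errorf("%s: %w", c.tag, err)
		}
		if version.Compare("go"+floor, "go"+ciGo) <= 0 {
			best = c.tag
		}
	}
	if best == "" {
		return "", fmt.Errorf("no candidate installs on Go %s", ciGo)
	}
	return best, nil
}

func main() {
	fmt.Println(newestInstallable("1.24.0")) // v1.1.4 <nil>
	fmt.Println(newestInstallable("1.25.0")) // v1.2.0 <nil>
}
```

Because the scan step runs with `continue-on-error: true`, a check like this is useful before the pin is merged: a tool that fails to install would otherwise leave the job green with no scan having run.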