Problem
The Security Scanning CI job (govulncheck) is failing on all PRs due to known vulnerabilities in Go standard library packages. These are not introduced by any PR — they exist on main and affect all branches.
Vulnerabilities
| ID | Package | Summary |
| --- | --- | --- |
| GO-2026-4986 | net/mail | Address parsing vulnerability |
| GO-2026-4982 | html/template | Template injection |
| GO-2026-4980 | net/http/httputil | Reverse proxy issue |
| GO-2026-4977 | net | DNS resolution issue |
| GO-2026-4976 | net | Related network issue |
| GO-2026-4971 | net/http | HTTP handling |
| GO-2026-4918 | html/template | Template escaping |
Impact
Fix
Bump the Go toolchain in go.mod to the latest patch release that includes fixes for these CVEs. Check https://go.dev/doc/devel/release for the appropriate version.
```sh
go get go@latest
go mod tidy
```
Also update the Go version in .github/workflows/ci.yml if pinned.
Acceptance Criteria
govulncheck ./... passes cleanly on main
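To choose the version for the bump described under Fix and to see whether the acceptance criterion can be met by a toolchain bump alone, the following added example (not part of the original issue or the project's code) reads `govulncheck -json` output and reports the lowest Go release that fixes every standard-library finding, plus the IDs a bump will not clear. The sample stream with its placeholder IDs and versions, and the names `Triage`, `rank` and `finding`, are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sample is constructed input in the govulncheck -json shape; IDs and versions are placeholders.
const sample = `{"config":{}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.99.2","trace":[{"module":"stdlib"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.99.10","trace":[{"module":"stdlib"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"v0.5.0","trace":[{"module":"example.com/dep"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"v0.5.0","trace":[{"module":"example.com/dep"}]}}`

// finding keeps the fields used below; Trace[0] names the vulnerable module.
type finding struct {
	OSV   string
	Fixed string `json:"fixed_version"`
	Trace []struct{ Module string }
}

// rank turns "v1.22.3" into a comparable integer; "" ranks as 0.
func rank(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c
}

// Triage returns the lowest Go release fixing every stdlib finding and the IDs a toolchain bump leaves open.
func Triage(out string) (minGo string, remaining []string, err error) {
	seen := map[string]bool{}
	for dec := json.NewDecoder(strings.NewReader(out)); dec.More(); {
		var m struct{ Finding finding }
		if err = dec.Decode(&m); err != nil {
			return
		}
		f := m.Finding // zero value for config, progress and osv messages
		bump := len(f.Trace) > 0 && f.Trace[0].Module == "stdlib" && f.Fixed != ""
		if bump && rank(f.Fixed) > rank(minGo) {
			minGo = f.Fixed // numeric compare: v1.99.10 is newer than v1.99.2
		} else if !bump && f.OSV != "" && !seen[f.OSV] {
			seen[f.OSV] = true // govulncheck emits several findings per ID
			remaining = append(remaining, f.OSV)
		}
	}
	return
}

func main() { fmt.Println(Triage(sample)) }
```

To triage a real run, pass the captured output of `govulncheck -json ./...` to `Triage` instead of `sample`. An empty `remaining` list means the toolchain bump alone should let the scan pass.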