From 9ce720383662f020453922cb5ea3fb59eac56d85 Mon Sep 17 00:00:00 2001 From: Kush Date: Thu, 16 Jul 2026 10:09:44 -0400 Subject: [PATCH] chore: bump Go to 1.26.5 for GO-2026-5856 CI installs Go via go-version-file: go.mod, which pinned 1.26.4. That release is affected by GO-2026-5856 (CVE-2026-42505), a crypto/tls ECH de-anonymization bug fixed in go1.26.5, so govulncheck fails the security job on every branch. Bump the go directive to 1.26.5 to pull the patched standard library. Patch-level bump, no language changes. Verified: go build ./..., go test ./..., and govulncheck ./... (no called vulnerabilities) all pass under 1.26.5. --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index bd0cd0b..3ea3142 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/Bandwidth/cli -go 1.26.4 +go 1.26.5 require ( github.com/briandowns/spinner v1.23.2