
Fix Nix Go toolchain and x/net CVEs #508

Merged
robzolkos merged 1 commit into main from fix/nix-go1264-xnet-cves on Jun 29, 2026

Conversation

@robzolkos (Collaborator) commented Jun 29, 2026

Summary

Fix the current Nix install failure and clear the Trivy x/net findings on main:

  • update flake.lock to a nixpkgs revision where go_1_26 is Go 1.26.4
  • bump golang.org/x/net to v0.55.0 and golang.org/x/term to v0.43.0
  • recompute nix/package.nix vendorHash for the updated module graph

Closes #504. Unblocks PR #450 by removing the go.mod Trivy findings.

Validation

  • GOWORK=off go test ./...
  • GOWORK=off make tidy-check
  • GOWORK=off make provenance-check
  • docker run --rm -v "$PWD":/src aquasec/trivy:0.70.0 fs /src --severity HIGH,CRITICAL --ignore-unfixed --format table --scanners vuln --skip-dirs /src/.ruby-lsp confirms go.mod has 0 findings
  • Nix build via pinned nixos/nix Docker image with --cores 1 --max-jobs 1 succeeds and uses cached Go 1.26.4

Note: full local Trivy without --skip-dirs /src/.ruby-lsp reports local editor Ruby LSP files that are not part of the tracked repo/CI checkout.


Summary by cubic

Fixes Nix install failures by pinning nixpkgs so go_1_26 resolves to Go 1.26.4 and updates golang.org/x/net to clear CVEs. Trivy is clean and Nix builds succeed; closes #504 and unblocks #450.

  • Dependencies
    • Update flake.lock to use Go 1.26.4 for go_1_26.
    • Bump golang.org/x/net to v0.55.0 and golang.org/x/term to v0.43.0.
    • Recompute vendorHash in nix/package.nix.

Written for commit 0eb7a9a.
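The issue this PR closes (#504) is a toolchain mismatch: the locked nixpkgs handed the Nix build Go 1.26.0 while go.mod required 1.26.4, and the failure only surfaced inside `nix build`. The following is an added pre-flight check, written for this page and not code from the repository or the PR author, that reads the minimum version out of a go.mod (the `toolchain` directive if present, otherwise the `go` directive) and compares it with the output of `go version` from whatever toolchain is on PATH, so the mismatch fails fast with a message that points at flake.lock. The function names and the two inline go.mod samples are mine (the samples are constructed to mirror the #504 situation, not the repository's real go.mod):

```shell
#!/bin/sh
# Added example for this PR page; not code from the repository or the PR author.
# Reproduces the failure mode behind issue #504 (nixpkgs pin provides go1.26.0,
# go.mod needs 1.26.4) as a quick check to run before `nix build`.
# Function names (gomod_min_version, version_ge, check_toolchain) are my own.

# Minimum Go version a go.mod demands: the `toolchain` directive wins when
# present, otherwise the `go` directive. Prints e.g. "1.26.4".
gomod_min_version() {
  tc=$(sed -n 's/^toolchain go\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1)
  if [ -n "$tc" ]; then
    printf '%s\n' "$tc"
  else
    sed -n 's/^go \([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
  fi
}

# Version number out of a `go version` line:
# "go version go1.26.0 linux/amd64" -> "1.26.0".
toolchain_version() {
  printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B ("1.26" counts as 1.26.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# check_toolchain GOMOD "go version ...": 0 if the toolchain satisfies go.mod, 1 otherwise.
check_toolchain() {
  need=$(gomod_min_version "$1")
  have=$(toolchain_version "$2")
  if [ -z "$need" ] || [ -z "$have" ]; then
    echo "error: could not parse go.mod version ('$need') or toolchain version ('$have')" >&2
    return 1
  fi
  if version_ge "$have" "$need"; then
    echo "ok: go$have satisfies go.mod minimum go$need"
  else
    echo "error: go.mod requires go$need but the toolchain is go$have; bump the nixpkgs pin in flake.lock" >&2
    return 1
  fi
}

# Constructed sample go.mod files (not the repository's real go.mod).
SAMPLE_GO_DIRECTIVE=$(mktemp)
cat >"$SAMPLE_GO_DIRECTIVE" <<'EOF'
module example.com/demo

go 1.26.4

require (
    golang.org/x/net v0.55.0
    golang.org/x/term v0.43.0
)
EOF

SAMPLE_TOOLCHAIN_DIRECTIVE=$(mktemp)
cat >"$SAMPLE_TOOLCHAIN_DIRECTIVE" <<'EOF'
module example.com/demo

go 1.26

toolchain go1.26.4
EOF

# Mirrors the #504 situation: the pinned nixpkgs go_1_26 was 1.26.0.
check_toolchain "$SAMPLE_GO_DIRECTIVE" "go version go1.26.0 linux/amd64" || echo "(mismatch detected, as expected)"
# After the flake.lock bump in this PR, go_1_26 is 1.26.4.
check_toolchain "$SAMPLE_GO_DIRECTIVE" "go version go1.26.4 linux/amd64"
check_toolchain "$SAMPLE_TOOLCHAIN_DIRECTIVE" "go version go1.26.4 linux/amd64"
```

To run it against the real repository, feed it the Go that the locked nixpkgs provides rather than whatever is on the host, for example `check_toolchain go.mod "$(nix shell nixpkgs#go_1_26 --command go version)"` (assuming `go_1_26` is the attribute the flake uses, as the PR description says). The third change in the PR, recomputing `vendorHash`, follows from the same root cause: `buildGoModule` fixes the hash of the vendored module closure, so any go.mod/go.sum change invalidates it; the usual way to get the new value is to set `vendorHash = lib.fakeHash;`, run the build, and copy the `got:` hash out of the resulting hash-mismatch error.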

Copilot AI left a comment


Pull request overview

This PR fixes the Nix installation path failing due to an older pinned Go toolchain and resolves Trivy findings by updating golang.org/x/net (and x/term) to patched versions, keeping the Nix build inputs consistent with the updated Go module graph.

Changes:

  • Update the pinned nixpkgs revision in flake.lock to a version that provides Go 1.26.4 for go_1_26.
  • Bump golang.org/x/net to v0.55.0 and golang.org/x/term to v0.43.0 (and update go.sum accordingly).
  • Recompute the Nix buildGoModule vendorHash to match the updated dependency graph.


Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File              Description
nix/package.nix   Updates vendorHash to match the new Go module closure for Nix builds.
flake.lock        Pins nixpkgs to a revision expected to provide Go 1.26.4 via go_1_26.
go.mod            Bumps golang.org/x/net and golang.org/x/term to patched versions.
go.sum            Updates checksums to match the bumped x/net and x/term versions.


@cubic-dev-ai (bot) left a comment

No issues found across 4 files


@robzolkos robzolkos merged commit 546ac1c into main Jun 29, 2026
27 checks passed
@robzolkos robzolkos deleted the fix/nix-go1264-xnet-cves branch June 29, 2026 13:36


Development

Successfully merging this pull request may close these issues.

Nix installation fails: locked nixpkgs provides Go 1.26.0 but go.mod requires 1.26.4

2 participants