Fix Nix Go toolchain and x/net CVEs#508
Merged
Conversation
Pull request overview
This PR fixes the Nix installation path failing due to an older pinned Go toolchain and resolves Trivy findings by updating golang.org/x/net (and x/term) to patched versions, keeping the Nix build inputs consistent with the updated Go module graph.
Changes:
- Update the pinned `nixpkgs` revision in `flake.lock` to a version that provides Go 1.26.4 for `go_1_26`.
- Bump `golang.org/x/net` to `v0.55.0` and `golang.org/x/term` to `v0.43.0` (and update `go.sum` accordingly).
- Recompute the Nix `buildGoModule` `vendorHash` to match the updated dependency graph.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| nix/package.nix | Updates vendorHash to match the new Go module closure for Nix builds. |
| flake.lock | Pins nixpkgs to a revision expected to provide Go 1.26.4 via go_1_26. |
| go.mod | Bumps golang.org/x/net and golang.org/x/term to patched versions. |
| go.sum | Updates checksums to match the bumped x/net and x/term versions. |
Summary
Fix the current Nix install failure and clear the Trivy x/net findings on main:
- `flake.lock` to a nixpkgs revision where `go_1_26` is Go 1.26.4
- `golang.org/x/net` to v0.55.0 and `golang.org/x/term` to v0.43.0
- `nix/package.nix` `vendorHash` for the updated module graph

Closes #504. Unblocks PR #450 by removing the `go.mod` Trivy findings.

Validation
- `GOWORK=off go test ./...`
- `GOWORK=off make tidy-check`
- `GOWORK=off make provenance-check`
- `docker run --rm -v "$PWD":/src aquasec/trivy:0.70.0 fs /src --severity HIGH,CRITICAL --ignore-unfixed --format table --scanners vuln --skip-dirs /src/.ruby-lsp` confirms `go.mod` has 0 findings
- `nixos/nix` Docker image with `--cores 1 --max-jobs 1` succeeds and uses cached Go 1.26.4

Note: full local Trivy without `--skip-dirs /src/.ruby-lsp` reports local editor Ruby LSP files that are not part of the tracked repo/CI checkout.

Summary by cubic
Fixes Nix install failures by pinning `nixpkgs` so `go_1_26` resolves to Go 1.26.4 and updates `golang.org/x/net` to clear CVEs. Trivy is clean and Nix builds succeed; closes #504 and unblocks #450.
- `flake.lock` to use Go 1.26.4 for `go_1_26`.
- `golang.org/x/net` to v0.55.0 and `golang.org/x/term` to v0.43.0.
- `vendorHash` in `nix/package.nix`.

Written for commit 0eb7a9a. Summary will update on new commits.
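A small regression gate for the dependency floor this PR establishes, added here as an example and not part of the PR or the project's own tooling: it reads a `go.mod` and fails if `golang.org/x/net` or `golang.org/x/term` is required below the patched versions (v0.55.0 and v0.43.0). The sample `go.mod` is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from this PR or its repo): fail if go.mod requires a
# golang.org/x/net or x/term version below the patched floor this PR sets.

# ver_ge A B: true when A >= B for vX.Y.Z strings; a leading "v" and any
# "-suffix" (pre-release or pseudo-version timestamp) are ignored.
ver_ge() {
  a=${1#v}; b=${2#v}; a=${a%%-*}; b=${b%%-*}
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
  [ "$a3" -ge "$b3" ]
}

# gomod_version FILE MODULE: print the version go.mod requires for MODULE
# (single-line or block "require" form); prints nothing if absent.
gomod_version() {
  awk -v m="$2" '
    $1 == "require" && $2 == m && $3 ~ /^v/ { print $3; exit }
    $1 == m && $2 ~ /^v/                    { print $2; exit }
  ' "$1"
}

# gomod_floor_ok FILE MODULE MIN: exit 0 if the required version is >= MIN,
# 1 if it is lower, 2 if the module is not required at all.
gomod_floor_ok() {
  have=$(gomod_version "$1" "$2")
  [ -n "$have" ] || return 2
  ver_ge "$have" "$3"
}

# Constructed sample go.mod: x/net is at the floor, x/term is one release short.
SAMPLE_GOMOD=$(mktemp)
trap 'rm -f "$SAMPLE_GOMOD"' EXIT
cat > "$SAMPLE_GOMOD" <<'EOF'
module example.com/app
go 1.26
require (
	golang.org/x/net v0.55.0
	golang.org/x/term v0.42.0
)
EOF

gomod_floor_ok "$SAMPLE_GOMOD" golang.org/x/net v0.55.0 && echo "x/net ok" || echo "x/net below floor"
gomod_floor_ok "$SAMPLE_GOMOD" golang.org/x/term v0.43.0 && echo "x/term ok" || echo "x/term below floor"
```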