update to go 1.26 (debug/buildinfo is a new default package)#458
update to go 1.26 (debug/buildinfo is a new default package)#458
Conversation
Soph
commented
Feb 22, 2026
Soph
commented
- Update Go from 1.25.6 to 1.26.0
- Update golangci-lint from 2.8.0 to 2.10.1 (required for Go 1.26 support)
- Rename buildinfo package to versioninfo (Go 1.26 added debug/buildinfo to stdlib, causing linter conflict)
- Add gosec exclusions for CLI-appropriate rules with hybrid approach:
- Global: G204/G702 (subprocess), G705 (XSS) - always irrelevant for CLI
- Targeted //nolint comments for G115, G703, G704 - preserves future detection
Entire-Checkpoint: 4983aa6be5ba
PR SummaryMedium Risk Overview Renames the internal build metadata package from Adjusts security linting: adds global Written by Cursor Bugbot for commit 698e604. Configure here. |
There was a problem hiding this comment.
Pull request overview
Updates the toolchain and lint configuration for Entire CLI to support Go 1.26, while avoiding a naming collision with Go’s new debug/buildinfo stdlib package and aligning security linting with CLI realities.
Changes:
- Bump Go to 1.26.0 and
golangci-lintto 2.10.1 acrossmise.tomlandgo.mod. - Rename the internal
buildinfopackage toversioninfoand update all imports + linker-Xldflags references. - Add global
gosecexcludes for CLI-irrelevant rules and add targeted//nolintsuppressions where needed.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| mise.toml | Updates Go/golangci-lint tool versions and switches build ldflags from buildinfo to versioninfo. |
| mise-tasks/dev/publish | Updates install ldflags to use versioninfo. |
| go.mod | Bumps Go version directive to 1.26.0. |
| cmd/entire/cli/versioninfo/versioninfo.go | Renames package declaration to versioninfo for ldflags + imports. |
| cmd/entire/cli/versioncheck/versioncheck.go | Adds targeted gosec suppressions for rename + outbound HTTP request. |
| cmd/entire/cli/trailers/trailers.go | Replaces fmt.Sprintf+WriteString with fmt.Fprintf into a builder. |
| cmd/entire/cli/telemetry/detached_unix.go | Removes now-unnecessary gosec suppression for subprocess invocation. |
| cmd/entire/cli/strategy/phase_wiring_test.go | Updates imports and assertions from buildinfo to versioninfo. |
| cmd/entire/cli/strategy/manual_commit_session.go | Switches stored CLI version source to versioninfo.Version. |
| cmd/entire/cli/strategy/manual_commit_condensation.go | Uses fmt.Fprintf for builder formatting to reduce allocations / satisfy lint. |
| cmd/entire/cli/strategy/common.go | Uses fmt.Fprintf in message building; removes gosec suppressions now handled globally. |
| cmd/entire/cli/strategy/auto_commit.go | Switches stored CLI version source to versioninfo.Version. |
| cmd/entire/cli/root.go | Updates telemetry/versioncheck/version output to use versioninfo. |
| cmd/entire/cli/git_operations.go | Removes gosec suppressions on git fetch subprocess usage (now globally excluded). |
| cmd/entire/cli/explain.go | Adds targeted gosec suppressions for uintptr→int fd conversions; removes subprocess nolint. |
| cmd/entire/cli/checkpoint/temporary.go | Removes gosec suppression on git branch -D subprocess usage (now globally excluded). |
| cmd/entire/cli/checkpoint/committed.go | Switches stored CLI version source to versioninfo.Version; builder formatting via fmt.Fprintf. |
| cmd/entire/cli/checkpoint/checkpoint_test.go | Updates tests to assert versioninfo.Version is persisted. |
| .goreleaser.yaml | Updates release ldflags to set versioninfo.Version/Commit. |
| .golangci.yaml | Adds global gosec excludes (G204/G702/G705) and keeps targeted suppressions elsewhere. |
| client := &http.Client{} | ||
| resp, err := client.Do(req) | ||
| resp, err := client.Do(req) //nolint:gosec // G704: intentional request to GitHub releases API |
There was a problem hiding this comment.
Consider configuring the http.Client with an explicit Timeout (you already have httpTimeout and a request context) instead of suppressing gosec on the outbound request. This keeps the linter useful and makes the timeout behavior self-documenting at the client level.
toothbrush
left a comment
toothbrush
left a comment
There was a problem hiding this comment.
Looks reasonable to me! Copilot's comment seems sensible but you haven't changed the behaviour in this PR so up to you whether you want to address it now.
As an aside, there are so many context.Background() around – we should do a sweep and fix that up.
2 participants
