V5.4 fix vulnerabilities

.github/workflows/e2e-tests.yaml

@@ -75,6 +75,7 @@ jobs:
 
       - name: package cleanup
         uses: bots-house/ghcr-delete-image-action@v1.1.0
+        continue-on-error: true # action doesn't fail when this step fails
         if: ${{ github.actor != 'dependabot' }}
         with:
           owner: nuts-foundation
@@ -85,6 +86,7 @@ jobs:
 
       - name: package cleanup dependabot
         uses: bots-house/ghcr-delete-image-action@v1.1.0
+        continue-on-error: true # action doesn't fail when this step fails
         if: ${{ github.actor == 'dependabot' }}
         with:
           owner: nuts-foundation

.github/workflows/govulncheck.yaml

@@ -0,0 +1,27 @@
+# "Govulncheck reports known vulnerabilities that affect Go code.
+#  It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."
+#
+# For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+name: 'govulncheck'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'V*'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches:
+      - 'master'
+      - 'V*'
+
+jobs:
+  govulncheck_job:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: 'stable'
+          go-package: ./...

Dockerfile

@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.21.5-alpine as builder
+FROM golang:1.23.4-alpine as builder
 
 ARG TARGETARCH
 ARG TARGETOS
@@ -25,12 +25,11 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
-FROM alpine:3.18.2
+FROM alpine:3.21.2
 RUN apk update \
   && apk add --no-cache \
              tzdata \
-             curl \
-  && update-ca-certificates
+             curl
 COPY --from=builder /opt/nuts/nuts /usr/bin/nuts
 
 HEALTHCHECK --start-period=30s --timeout=5s --interval=10s \

go.mod

@@ -1,6 +1,8 @@
 module github.com/nuts-foundation/nuts-node
 
-go 1.21
+// This is the minimal version, the actual go version is determined by the images in the Dockerfile
+// This version is used in automated tests such as the 'Scheduled govulncheck' action
+go 1.23.4
 
 require (
 	github.com/alicebob/miniredis/v2 v2.33.0
@@ -98,7 +100,7 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.3.2 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect

go.sum

@@ -240,8 +240,9 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=