The repo pins Go 1.23, which is past EOL and no longer receives standard library security fixes (several published stdlib CVEs affect binaries built with it, including a critical crypto/tls issue fixed in Go 1.24.13/1.25.7). The Alpine base also carries an outdated libcrypto3 with a published critical fix.
- Bump the `go` directive in go.mod and the `golang:` builder image to 1.26.x
- Refresh the runtime base image
- Rebuild and release
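
Added example (not part of the original issue or the project's code): a small CI-style check that flags a `go` directive or `golang:` builder tag below a required minor version, and a builder older than go.mod. The sample go.mod and Dockerfile contents, including the `alpine:3.19` tag and the function name `audit`, are constructed for illustration; the floor of 26 reflects the 1.26.x target above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var (
	// Matches the "go 1.N" directive; a "toolchain" line is deliberately not matched.
	goLine = regexp.MustCompile(`(?m)^go\s+1\.(\d+)`)
	// Matches "FROM golang:1.N..." stages; untagged or "latest" images are not covered here.
	fromLine = regexp.MustCompile(`(?mi)^FROM\s+(?:--platform=\S+\s+)?golang:1\.(\d+)`)
)

// Constructed sample inputs mirroring the situation described in the issue.
const sampleGoMod = "module example.com/app\n\ngo 1.23\n"
const sampleDockerfile = "FROM golang:1.23-alpine AS build\nRUN go build -o /app .\n" +
	"FROM alpine:3.19\nCOPY --from=build /app /app\n"

// audit returns one finding per Go pin below minMinor, plus a finding when a
// builder image is older than the go.mod directive (the build would then fail
// or fetch a different toolchain than the one pinned in the image).
func audit(gomod, dockerfile string, minMinor int) []string {
	var findings []string
	modMinor := -1
	if m := goLine.FindStringSubmatch(gomod); m != nil {
		modMinor, _ = strconv.Atoi(m[1])
		if modMinor < minMinor {
			findings = append(findings, fmt.Sprintf("go.mod: go 1.%d is below 1.%d", modMinor, minMinor))
		}
	} else {
		findings = append(findings, "go.mod: no go directive found")
	}
	for _, m := range fromLine.FindAllStringSubmatch(dockerfile, -1) {
		n, _ := strconv.Atoi(m[1])
		if n < minMinor {
			findings = append(findings, fmt.Sprintf("Dockerfile: golang:1.%d is below 1.%d", n, minMinor))
		}
		if modMinor >= 0 && n < modMinor {
			findings = append(findings, fmt.Sprintf("Dockerfile: golang:1.%d is older than go.mod 1.%d", n, modMinor))
		}
	}
	return findings
}

func main() {
	for _, f := range audit(sampleGoMod, sampleDockerfile, 26) {
		fmt.Println(f)
	}
}
```

To confirm which toolchain an already released binary was built with, `go version -m <binary>` prints the Go version embedded in it.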