go 1.22.9 #4136

Closed
jmnote wants to merge 1 commit into prometheus:main from jmnote:bump-go

@jmnote

@jmnote jmnote commented Nov 26, 2024

Signed-off-by: Jmnote <opcore@gmail.com>
@grobinson-grafana
Collaborator

I think we are building with Go 1.23 42eb536

@jmnote
Author

jmnote commented Nov 28, 2024

> I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

@grobinson-grafana
Collaborator

> > I think we are building with Go 1.23 42eb536
>
> Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

It was merged ~1 month ago, October 16th (#4071).

@jmnote
Author

jmnote commented Nov 28, 2024

> > > I think we are building with Go 1.23 42eb536
> >
> > Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.
>
> It was merged ~1 month ago, October 16th (#4071).

Ah, I see. But go.mod still remains as go 1.22.0.
https://github.com/prometheus/alertmanager/blob/main/go.mod

@grobinson-grafana
Collaborator

> > > > I think we are building with Go 1.23 42eb536
> > >
> > > Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.
> >
> > It was merged ~1 month ago, October 16th (#4071).
>
> Ah, I see. But go.mod still remains as go 1.22.0. https://github.com/prometheus/alertmanager/blob/main/go.mod

If I understand, go.mod is not supposed to contain patch releases. It tells the Go build tool the oldest version of Go that someone can use to compile the project, and older versions won't work, because there are missing features.

It doesn't mean that is the version of Go that is used or must be used though. We build official releases against Go 1.23.2. You can also use 1.22.9. The version in go.mod gives you that choice to use either 1.22 or 1.23.

If I am wrong please correct me though.

@jmnote
Author

jmnote commented Nov 28, 2024

@grobinson-grafana

> > > > > I think we are building with Go 1.23 42eb536
> > > >
> > > > Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.
> > >
> > > It was merged ~1 month ago, October 16th (#4071).
> >
> > Ah, I see. But go.mod still remains as go 1.22.0. https://github.com/prometheus/alertmanager/blob/main/go.mod
>
> If I understand, go.mod is not supposed to contain patch releases. It tells the Go build tool the oldest version of Go that someone can use to compile the project, and older versions won't work, because there are missing features.
>
> It doesn't mean that is the version of Go that is used or must be used though. We build official releases against Go 1.23.2. You can also use 1.22.9. The version in go.mod gives you that choice to use either 1.22 or 1.23.
>
> If I am wrong please correct me though.

Thanks for the detailed explanation. I will close this PR.

@jmnote jmnote closed this Nov 28, 2024
@jmnote jmnote deleted the bump-go branch November 28, 2024 15:35
@jmnote jmnote restored the bump-go branch November 28, 2024 15:47
@jmnote
Author

jmnote commented Nov 28, 2024

@grobinson-grafana

Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?

@jmnote jmnote reopened this Nov 28, 2024
@grobinson-grafana
Collaborator

> @grobinson-grafana
>
> Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?

I believe that report is based on the Alertmanager 0.27 release that was made back in February, 2024. It's completely unrelated to go.mod. It depends on the version of Go we use to build the release. #4071 updates this version to Go 1.23.2. When Alertmanager 0.28 is released, there will be a new version of Alertmanager that should have most of these fixed.

@jmnote
Author

jmnote commented Nov 29, 2024

> > @grobinson-grafana
> > Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?
>
> I believe that report is based on the Alertmanager 0.27 release that was made back in February, 2024. It's completely unrelated to go.mod. It depends on the version of Go we use to build the release. #4071 updates this version to Go 1.23.2. When Alertmanager 0.28 is released, there will be a new version of Alertmanager that should have most of these fixed.

Thank you for confirming. I will close this PR again.

@jmnote jmnote closed this Nov 29, 2024
@jmnote jmnote deleted the bump-go branch November 29, 2024 01:42

Development

Successfully merging this pull request may close these issues.

Go stdlib vuln - please upgrade go version
