go 1.22.9

[jmnote]

go 1.22.9

• fixes: Go stdlib vuln - please upgrade go version #3839

https://artifacthub.io/packages/helm/prometheus-community/alertmanager?modal=security-report

[grobinson-grafana]

I think we are building with Go 1.23 42eb536

[jmnote]

I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

[grobinson-grafana]

I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

It was merged ~1 month ago, October 16th (#4071).

[jmnote]

I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

It was merged ~1 month ago, October 16th (#4071).

Ah, I see. But go.mod still remains as go 1.22.0.
https://github.com/prometheus/alertmanager/blob/main/go.mod

[grobinson-grafana]

I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

It was merged ~1 month ago, October 16th (#4071).

Ah, I see. But go.mod still remains as go 1.22.0. https://github.com/prometheus/alertmanager/blob/main/go.mod

If I understand, go.mod is not supposed to contain patch releases. It tells the Go build tool the oldest version of Go that someone can use to compile the project, and older versions won't work, because there are missing features.

It doesn't mean that is the version of Go that is used or must be used though. We build official releases against Go 1.23.2. You can also use 1.22.9. The version in go.mod gives you that choice to use either 1.22 or 1.23.

If I am wrong please correct me though.

[jmnote]

@grobinson-grafana

I think we are building with Go 1.23 42eb536

Good news. I will close this PR once that commit is merged into main. Can you tell me when it will be merged? Thank you.

It was merged ~1 month ago, October 16th (#4071).

Ah, I see. But go.mod still remains as go 1.22.0. https://github.com/prometheus/alertmanager/blob/main/go.mod

If I understand, go.mod is not supposed to contain patch releases. It tells the Go build tool the oldest version of Go that someone can use to compile the project, and older versions won't work, because there are missing features.

It doesn't mean that is the version of Go that is used or must be used though. We build official releases against Go 1.23.2. You can also use 1.22.9. The version in go.mod gives you that choice to use either 1.22 or 1.23.

If I am wrong please correct me though.

Thanks for the detailed explanation. I will close this PR.

[jmnote]

@grobinson-grafana

Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?

[grobinson-grafana]

@grobinson-grafana

Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?

I believe that report is based on the Alertmanager 0.27 release that was made back in February, 2024. It's completely unrelated to go.mod. It depends on the version of Go we use to build the release. #4071 updates this version to Go 1.23.2 When Alertmanager 0.28 is released, there will be a new version of Alertmanager that should have most of these fixed.

[jmnote]

@grobinson-grafana
Now that I think about it, there are some parts I don't quite understand. Currently, go.mod says go 1.22.0. Is that correct? And if we leave it as is, will the vulnerability in the security report be fixed?

I believe that report is based on the Alertmanager 0.27 release that was made back in February, 2024. It's completely unrelated to go.mod. It depends on the version of Go we use to build the release. #4071 updates this version to Go 1.23.2 When Alertmanager 0.28 is released, there will be a new version of Alertmanager that should have most of these fixed.

Thank you for confirming. I will close this PR again.