Update Go for security reasons #1440

Closed
jrm5100 opened this issue Dec 11, 2023 · 3 comments
jrm5100 commented Dec 11, 2023

I have Miller in a docker image which was run through Docker Scout. It pointed out a few CVEs in the Go stdlib, including two critical ones:

These were fixed in Go 1.19.9/1.20.4 and 1.19.8/1.20.3 respectively (as were several CVEs rated lower than critical).

I'll caveat this by admitting that I haven't looked at much Go code before (or written any) and I am not sure if these specific CVEs or any of the other less urgent ones are at all relevant or potentially exploitable. From what I understand 1.19 is a major version difference from 1.18 but with minimal language differences. Is it worth attempting to update the version of Go used by Miller?

johnkerl (Owner) commented Dec 11, 2023

@jrm5100 thank you for the report!

Figuring out whether the CVEs are exploitable in Miller is a bit of a project; it's much easier to just move to 1.19.

Miller itself doesn't ask much of compiler versions: e.g. I have 1.21 on my laptop for all dev work and this works fine.

The only reason I haven't been totally cutting-edge about the version in Miller go.mod is that some platforms here https://github.com/johnkerl/miller/blob/main/README-versions.md don't all support building on Go's latest. So it might build for me on my laptop and build fine in CI, but, not for some particular distro.

That said: (a) Go 1.21 is out; 1.18 goes back a ways; moving to 1.19 isn't a move to the bleeding edge; (b) a CVE is enough reason to risk the chance of breaking the Miller port on some distro somewhere (until they also move up to Go 1.19).

@johnkerl johnkerl self-assigned this Dec 11, 2023
johnkerl (Owner) commented:
#1441 is merged. I'll also soon make a 6.10 release with this in it.

johnkerl (Owner) commented:
Thanks again!!!

@johnkerl johnkerl removed the active label Jan 21, 2024