Summary
go.mod declares:

```
module github.com/dolph/find-replace
go 1.19
```

Go 1.19 reached end-of-life in August 2023 and has not received security patches for nearly three years. CI is pinned to that toolchain through `go-version-file: go.mod` in ci.yml, so any security fix in net/http, crypto/*, archive/*, etc. is never exercised by the tests. The current Go release at time of writing is 1.24.x.
Impact (Maintainer / Security: Medium)
- golang.org/x/sys / runtime / stdlib CVEs since Aug 2023 go untested. govulncheck (see other issue) would flag this immediately.
- The fixes for other open issues (unix.Renameat2 flags for "TOCTOU race in RenameFile silently overwrites concurrently-created destination" #4; errors.Join-style aggregation for "log.Fatal from worker goroutines leaves the tree in a partially-modified state" #6 / "Process exits 0 even when individual files failed to rewrite or rename" #11) prefer newer Go features.

Suggested Fix
- Bump go.mod's `go` directive to 1.22 (the oldest still-supported major at this writing: 1.21 hit EOL in August 2024, so 1.22 keeps the floor on a supported release).
- Optionally also pin a `toolchain go1.22.x` directive if you want the build to fetch a specific toolchain when developers have an older one.
- Keep CI's setup-go on `go-version-file: go.mod` (already the case) so the new floor is picked up automatically.
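An added example, not code from this issue or from find-replace: a stdlib-only guard a CI job could run before the build, failing when the `go` directive in ./go.mod is below the 1.22 floor proposed above. The function names, the hard-coded floor and the ./go.mod path are assumptions for the demo; note it checks only the directive, not which toolchain actually ran the tests.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// goDirective returns the version from the first "go X.Y[.Z]" line of a
// go.mod body, or "" when the file has no go directive.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// majorMinor parses "1.22" or "1.22.3" into (1, 22); the patch level is
// irrelevant to a support floor, so anything after the minor is ignored.
func majorMinor(v string) (maj, mnr int, err error) {
	if _, err = fmt.Sscanf(v, "%d.%d", &maj, &mnr); err != nil {
		err = fmt.Errorf("malformed go version %q: %w", v, err)
	}
	return
}

// BelowFloor reports whether the go directive in gomod is older than floor
// (both "X.Y"), i.e. whether the module still targets an unsupported toolchain.
func BelowFloor(gomod, floor string) (bool, error) {
	hMaj, hMin, err := majorMinor(goDirective(gomod))
	if err != nil {
		return false, fmt.Errorf("go.mod go directive: %w", err)
	}
	fMaj, fMin, err := majorMinor(floor)
	if err != nil {
		return false, err
	}
	return hMaj < fMaj || (hMaj == fMaj && hMin < fMin), nil
}

// main is the CI guard: an unreadable go.mod or an old go directive fails the job.
func main() {
	data, _ := os.ReadFile("go.mod") // a missing file surfaces as a malformed directive
	if below, err := BelowFloor(string(data), "1.22"); err != nil || below {
		fmt.Fprintf(os.Stderr, "go.mod fails the 1.22 floor (below=%v, err=%v)\n", below, err)
		os.Exit(1)
	}
}
```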
Files
go.mod:3