set go1.21 as minimum

[mohammed90]

With Go 1.21, the Go module behavior brings in:

At go 1.21 or higher:

The go line declares a required minimum version of Go to use with this module. The go line must be greater than or equal to the go line of all dependencies. The go command no longer attempts to maintain compatibility with the previous older version of Go. The go command is more careful about keeping checksums of go.mod files in the go.sum file.

Source

[mholt]

Wait but I thought we weren't supposed to upgrade things unless we really needed to :face_with_diagonal_mouth:

[mohammed90]

This is good at least for the last point:

The go command is more careful about keeping checksums of go.mod files in the go.sum file.

Notice how it cleaned up the go.sum file. Go 1.21 isn't a stretch because it's not EOL by the Go team.

[mholt]

So we're good to upgrade the Go version? That doesn't affect Caddy builds?

[mohammed90]

Yes, Caddy requires go 1.21 minimum anyways

[mholt]

@mohammed90 Since merging this, my inbox is flooded with bogus vuln notifications:

(Yeah, we're definitely not vulnerable to SQL injection.)

These tools need to go somewhere to die.

[mohammed90]

Dependabot is 🗑️ 🔥

You can dismiss them as "Vulnerable code is not actually used". Just shows how stupid those scanners are. The dep list didn't change, but somehow it was parsing the dep list differently.

[EdenSpire]

Hello,

Should I rebuild my Caddy Webdav with this commit? Any new bug fix in terms of Webdav features?

[mohammed90]

Should I rebuild my Caddy Webdav with this commit? Any new bug fix in terms of Webdav features?

Just build with this commit. I don't know if Matt is planning on adding any features in the near future.

[mholt]

Yeah, no immediate plans. As Mohammed said you can build with the latest commit and get the benefits. (I recommend always using the latest Go version.)