Release Steampipe v2.4.0 (#4945)

.claude/commands/fix-vulnerabilities.md

@@ -0,0 +1,55 @@
+---
+description: Check and fix Dependabot security vulnerabilities
+allowed-tools: Bash(gh api:*), Bash(gh release:*), Bash(yarn:*), Bash(go:*), Bash(make:*), Bash(git branch:*), Bash(git checkout:*), Bash(git log:*), Bash(git add:*), Bash(gh pr create:*), Skill(commit), Skill(push)
+---
+
+Remediate security vulnerabilities reported by Dependabot. Follow these steps:
+
+## Step 1: Determine the base branch
+
+1. Get the repository owner/name from `gh repo view --json owner,name`
+2. Get the latest release: `gh release list --limit 1`
+3. Derive the release branch by replacing the patch version with `x` (e.g., `v1.4.2` → `v1.4.x`)
+4. Verify the branch exists: `git branch -r | grep <branch>`
+
+**Ask the user**: "The latest release is `{tag}` and the release branch is `{branch}`. Should I use this as the base branch, or use `develop` instead?"
+
+## Step 2: Check for vulnerabilities
+
+1. Run `gh api repos/{owner}/{repo}/dependabot/alerts --paginate` to list open alerts
+2. Filter by state=open and sort by severity (critical/high first)
+3. Present a summary table: Alert #, Package, Ecosystem, Severity, CVE, Fix Version
+
+**Ask the user**: Which vulnerabilities to fix (all high, specific ones, all)?
+
+## Step 3: Apply fixes
+
+### For npm dependencies:
+1. Check current version: `yarn why <package>`
+2. Check existing patterns: `git log --oneline --grep="vulnerab"`
+3. Direct deps → update version in `package.json`
+4. Transitive deps → add to `resolutions` in `package.json`
+5. Run `yarn install`
+6. Verify: `yarn why <package>`
+
+### For Go dependencies:
+1. Run `go get <package>@<version>`
+2. Run `go mod tidy`
+
+**Important**: For major version changes, ask user confirmation first.
+
+## Step 4: Build and test
+
+1. Go: Run `make` and `go test ./...`
+2. npm: Run `yarn build` in the UI directory
+3. Report failures before proceeding
+
+## Step 5: Commit, push, and create PR
+
+1. Checkout base branch and create: `fix/vulnerability-updates-{base-branch}`
+2. Stage relevant files only (package.json, yarn.lock, go.mod, go.sum)
+3. Use `/commit` with message listing packages, versions, and CVEs
+4. Use `/push` to push the branch
+5. Create PR: `gh pr create --base {base-branch}` with summary of fixes
+
+Return the PR URL when done.

.github/workflows/01-steampipe-release.yaml

@@ -111,7 +111,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: 1.24
+          go-version: 1.26
 
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0

.github/workflows/10-test-lint.yaml

@@ -26,16 +26,17 @@ jobs:
           path: pipe-fittings
           ref: v1.6.x
 
-      - name: Set up Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      # this is required, check golangci-lint-action docs
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: 1.24
+          go-version: '1.26'
+          cache: false # setup-go v4 caches by default, do not change this parameter, check golangci-lint-action doc: https://github.com/golangci/golangci-lint-action/pull/704
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         continue-on-error: true # we dont want to enforce just yet
         with:
-          version: v1.52.2
-          args: --timeout=15m --config=.golangci.yml
-          skip-pkg-cache: true
-          skip-build-cache: true
+          version: latest
+          args: --timeout=10m
+          working-directory: steampipe
+          skip-cache: true

.github/workflows/11-test-acceptance.yaml

@@ -29,7 +29,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: 1.24
+          go-version: 1.26
 
       - name: Fetching Go Cache Paths
         id: go-cache-paths
@@ -127,7 +127,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: 1.24
+          go-version: 1.26
 
       - name: Prepare for downloads
         id: prepare-for-downloads

.golangci.yml

@@ -1,20 +1,20 @@
+version: "2"
+
 linters:
-  disable-all: true
+  default: none
   enable:
     # default rules
     - errcheck
-    - gosimple
     - govet
     - ineffassign
     - staticcheck
-    - typecheck
     - unused
     # other rules
     - asasalint
     - asciicheck
     - bidichk
+    - depguard
     - durationcheck
-    - exportloopref
     - forbidigo
     - gocritic
     - gocheckcompilerdirectives
@@ -25,20 +25,48 @@ linters:
     - reassign
     - sqlclosecheck
     - unconvert
+  settings:
+    nolintlint:
+      require-explanation: true
+      require-specific: true
 
-linters-settings:
-  nolintlint:
-    require-explanation: true
-    require-specific: true
+    staticcheck:
+      checks:
+        - "all"
+        - "-ST*"    # stylecheck: not previously enabled (merged into staticcheck in v2)
+        - "-QF*"    # quickfix suggestions: not previously enabled (merged into staticcheck in v2)
 
-  gocritic:
-    disabled-checks:
-      - ifElseChain       # style
-      - singleCaseSwitch  # style & it's actually not a bad idea to use single case switch in some cases
-      - assignOp          # style
-      - commentFormatting # style
+    gosec:
+      excludes:
+        - G101      # false positives on non-credential string constants
+        - G602      # false positives on range loops and safe slice access
+        - G706      # false positives on logging config/environment values
+
+    forbidigo:
+      forbid:
+        - pattern: "^(fmt\\.Print(|f|ln)|print|println)$"
+        - pattern: "^(fmt\\.Fprint(|f|ln)|print|println)$"
+
+    gocritic:
+      disabled-checks:
+        - ifElseChain       # style
+        - singleCaseSwitch  # style & it's actually not a bad idea to use single case switch in some cases
+        - assignOp          # style
+        - commentFormatting # style
+
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/pkg/errors"
+              desc: Should be replaced by standard lib errors package
+  exclusions:
+    presets:
+      - std-error-handling    # errcheck: unchecked Close/Remove/print calls
+      - common-false-positives # gosec: G103, G204, G304 false positives
+      - legacy                 # gosec: G104, G301, G302, G307
+    paths:
+      - "tests/acceptance"
 
 run:
   timeout: 5m
-  skip-dirs:
-    - "tests/acceptance"

CHANGELOG.md

@@ -1,3 +1,7 @@
+## v2.4.0 [2026-02-27]
+_Whats new_
+- Compiled with Go 1.26.
+
 ## v2.3.6 [2026-02-20]
 _Bug fixes_
 - Fix `date` and `timestamptz` display formatting in query results. ([#4450](https://github.com/turbot/steampipe/issues/4450))

go.mod

@@ -1,6 +1,6 @@
 module github.com/turbot/steampipe/v2
 
-go 1.24.0
+go 1.26.0
 
 replace (
 	github.com/c-bata/go-prompt => github.com/turbot/go-prompt v0.2.6-steampipe.0.0.20221028122246-eb118ec58d50
@@ -41,7 +41,7 @@ require (
 	github.com/thediveo/enumflag/v2 v2.0.7
 	github.com/turbot/go-kit v1.3.0
 	github.com/turbot/pipe-fittings/v2 v2.7.3
-	github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2
+	github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0
 	github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed
 	github.com/zclconf/go-cty v1.16.3 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394

go.sum

@@ -1262,8 +1262,8 @@ github.com/turbot/pipe-fittings/v2 v2.7.3 h1:DacY/pc8zERJYXszkomJCOi1YDK3e2chJ1H
 github.com/turbot/pipe-fittings/v2 v2.7.3/go.mod h1:VYqcgGrYDLsGxn1r4dOkkEh5/KDEgJgUU+nf0SAODY0=
 github.com/turbot/pipes-sdk-go v0.12.1 h1:mF9Z9Mr6F0uqlWjd1mQn+jqT24GPvWDFDrFTvmkazHc=
 github.com/turbot/pipes-sdk-go v0.12.1/go.mod h1:iQE0ebN74yqiCRrfv7izxVMRcNlZftPWWDPsMFwejt4=
-github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2 h1:4SSI20DCC0N3ItU1HGytCaxaekQMKpYuMOySezQ32zQ=
-github.com/turbot/steampipe-plugin-sdk/v5 v5.13.2/go.mod h1:qmfaXKt9z+TgUaFoKkKzwZAwYA5h2Mf/3yuoc+P6otY=
+github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0 h1:CyufzeM2BMbA2nJRuujucchp9NZ6BEeYA2phhdMXsW4=
+github.com/turbot/steampipe-plugin-sdk/v5 v5.14.0/go.mod h1:VHKUVPx29JEHXjuY9Kj/fdabceHdGQB1kaH4Dik/XY8=
 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed h1:1ROP+kYJ0vaJu04qpQO5V2PVrUqG7VZmYXzcyP/yDT0=
 github.com/turbot/terraform-components v0.0.0-20250114051614-04b806a9cbed/go.mod h1:QJMOFtDVHtXLCJr6luh4oFgk6dtdCImDh7XbIXxnGsc=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=

pkg/constants/db.go

@@ -28,7 +28,7 @@ const (
 // constants for installing db and fdw images
 const (
 	DatabaseVersion = "14.19.0"
-	FdwVersion      = "2.1.5"
+	FdwVersion      = "2.2.0"
 
 	// PostgresImageRef is the OCI Image ref for the database binaries
 	PostgresImageRef    = "ghcr.io/turbot/steampipe/db:14.19.0"