Upgrade to go 1.18

[mbroshi-stripe]

Why?

We are currently pinned to a very old version of golang.org/x/net which contains a number of vulnerabilities, of which govulncheck reports two. The minimal version that address the vulnerabilities is golang.org/x/[email protected]. In order to upgrade to golang.org/x/[email protected], we must upgrade the Go version in go.mod to 1.18 (found by binary search).

What?

• Upgrades Go runtime to 1.18
• Upgrades golang.org/x/net to v0.23.0
• Only runs CI checks back to go 1.18.
• Removes special case code around running http.Client on older versions of Go
• Adds govulncheck CI test to beta branch

See Also

Output from govulncheck before change:

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
    ...

Vulnerability #2: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    ....

after change:

$ govulncheck ./...
=== Symbol Results ===

No vulnerabilities found.

[ramya-stripe]

Can you update the requirements section at https://github.com/stripe/stripe-go/blob/master/README.md#requirements as well?

[mbroshi-stripe]

Closing in favor of #1977