Bump target Go version to 1.20 (#1118)

* Bump minimum Go version to 1.18

This change bumps the minimum Go version to 1.18 to take advantage of a
number of fixes to the language, while matching the minimum version for
a number of key dependencies which have been moving away from Go 1.15.

This change drops support for Go 1.15 in the Exercism CLI.

* Bump minimum go version to 1.19

* fix: update build tags to Go 1.18 syntax

```
~> go1.18.10 fix ./...
```

* Replace calls to deprecated io/ioutil pkg

* fix(deps): update module github.com/spf13/viper to v1.15.0

This change bumps spf13/viper to address reported vulnerabilities in
yaml.v2

```
~>  govulncheck -test ./...
Scanning your code and 210 packages across 21 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2022-0956
    Excessive resource consumption in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2022-0956
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #2: GO-2021-0061
    Denial of service in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2021-0061
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

Vulnerability #3: GO-2020-0036
    Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
  More info: https://pkg.go.dev/vuln/GO-2020-0036
  Module: gopkg.in/yaml.v2
    Found in: gopkg.in/[email protected]
    Fixed in: gopkg.in/[email protected]
    Example traces found:
      #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal

```

* deps: update module github.com/spf13/cobra to v1.7.0

* deps: update module github.com/stretchr/testify to v1.8.4

* workflows/ci.yml: Add multiple Go versions to testing matrix

This change officially removes Go 1.15 from the testing matrix and adds the Go versions used
for supporting the Exercism CLI. Namely Go 1.19, 1.20, and 1.21.x.

* Bump minimum Go version to 1.20

* Bump Go tooling to use 1.20.x for release and testing.
```
Scanning your code and 207 packages across 19 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute

Vulnerability #2: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute

Vulnerability #3: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext
      #2: cli/cli.go:199:23: cli.extractBinary calls io.Copy, which eventually calls tls.Conn.Read
      #3: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which calls tls.Conn.Write
      #4: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Dialer.DialContext

Vulnerability #4: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: api/client.go:68:25: api.Client.Do calls http.Client.Do
      #2: cmd/troubleshoot.go:206:32: cmd.apiPing.Call calls http.Client.Get

Vulnerability #5: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Example traces found:
      #1: debug/debug.go:80:12: debug.DumpResponse calls log.Fatal, which eventually calls runtime.Caller
      #2: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Callers
      #3: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.CallersFrames
      #4: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Frames.Next
      #5: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.GC
      #6: workspace/exercise_metadata.go:66:24: workspace.ExerciseMetadata.Write calls json.Marshal, which eventually calls runtime.GOMAXPROCS
      #7: config/config.go:57:18: config.Dir calls os.Getenv, which eventually calls runtime.GOROOT
      #8: cli/cli.go:202:29: cli.extractBinary calls os.File.Seek, which eventually calls runtime.KeepAlive
      #9: cli/cli.go:135:2: cli.CLI.Upgrade calls os.File.Close, which eventually calls runtime.SetFinalizer
      #10: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which eventually calls runtime.Stack
      #11: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.TypeAssertionError.Error
      #12: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.defaultMemProfileRate
      #13: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.efaceOf
      #14: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.findfunc
      #15: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.float64frombits
      #16: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.forcegchelper
      #17: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta
      #18: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.plainError.Error
      #19: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.throw

Vulnerability #6: GO-2023-1753
    Improper handling of empty HTML attributes in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1753
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute

Vulnerability #7: GO-2023-1752
    Improper handling of JavaScript whitespace in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1752
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute

Vulnerability #8: GO-2023-1751
    Improper sanitization of CSS values in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1751
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute
```

.github/workflows/ci.yml

@@ -17,7 +17,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: ["1.15"]
+        go-version:
+          - '1.20.x'
+          - '1.21.x'
         os: [ubuntu-latest, windows-latest, macOS-latest]
 
     steps:

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.19'
+          go-version: '1.20.x'
 
       - name: Import GPG Key
         id: import_gpg

CONTRIBUTING.md

@@ -8,7 +8,7 @@ Exercism would be impossible without people like you being willing to spend time
 
 ## Dependencies
 
-You'll need Go version 1.11 or higher. Follow the directions on http://golang.org/doc/install
+You'll need Go version 1.20 or higher. Follow the directions on http://golang.org/doc/install
 
 ## Development
 

api/api.go

@@ -2,7 +2,7 @@ package api
 
 import (
 	"bytes"
-	"io/ioutil"
+	"os"
 
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
@@ -17,7 +17,7 @@ var (
 )
 
 func readFileAsUTF8String(filename string) (*string, error) {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}

cli/asset.go

@@ -3,7 +3,7 @@ package cli
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 )
 
@@ -28,7 +28,7 @@ func (a *Asset) download() (*bytes.Reader, error) {
 	}
 	defer res.Body.Close()
 
-	bs, err := ioutil.ReadAll(res.Body)
+	bs, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}

cli/cli.go

@@ -8,8 +8,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
+	"os"
 	"runtime"
 	"strings"
 	"time"
@@ -161,8 +161,8 @@ func (c *CLI) fetchLatestRelease() error {
 	return nil
 }
 
-func extractBinary(source *bytes.Reader, os string) (binary io.ReadCloser, err error) {
-	if os == "windows" {
+func extractBinary(source *bytes.Reader, platform string) (binary io.ReadCloser, err error) {
+	if platform == "windows" {
 		zr, err := zip.NewReader(source, int64(source.Len()))
 		if err != nil {
 			return nil, err
@@ -191,7 +191,7 @@ func extractBinary(source *bytes.Reader, os string) (binary io.ReadCloser, err e
 			if err != nil {
 				return nil, err
 			}
-			tmpfile, err := ioutil.TempFile("", "temp-exercism")
+			tmpfile, err := os.CreateTemp("", "temp-exercism")
 			if err != nil {
 				return nil, err
 			}

cmd/cmd_test.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
 
@@ -63,7 +62,7 @@ type CommandTest struct {
 // The method takes a *testing.T as an argument, that way the method can
 // fail the test if the creation of the temporary directory fails.
 func (test *CommandTest) Setup(t *testing.T) {
-	dir, err := ioutil.TempDir("", "command-test")
+	dir, err := os.MkdirTemp("", "command-test")
 	defer os.RemoveAll(dir)
 	assert.NoError(t, err)
 
@@ -104,8 +103,8 @@ func newCapturedOutput() capturedOutput {
 	return capturedOutput{
 		oldOut: Out,
 		oldErr: Err,
-		newOut: ioutil.Discard,
-		newErr: ioutil.Discard,
+		newOut: io.Discard,
+		newErr: io.Discard,
 	}
 }
 

cmd/configure_test.go

@@ -1,11 +1,9 @@
 //go:build !windows
-// +build !windows
 
 package cmd
 
 import (
 	"bytes"
-	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -344,7 +342,7 @@ func TestConfigureDefaultWorkspaceWithoutClobbering(t *testing.T) {
 	ts := httptest.NewServer(endpoint)
 	defer ts.Close()
 
-	tmpDir, err := ioutil.TempDir("", "no-clobber")
+	tmpDir, err := os.MkdirTemp("", "no-clobber")
 	defer os.RemoveAll(tmpDir)
 	assert.NoError(t, err)
 
@@ -379,7 +377,7 @@ func TestConfigureExplicitWorkspaceWithoutClobberingNonDirectory(t *testing.T) {
 	co.override()
 	defer co.reset()
 
-	tmpDir, err := ioutil.TempDir("", "no-clobber")
+	tmpDir, err := os.MkdirTemp("", "no-clobber")
 	defer os.RemoveAll(tmpDir)
 	assert.NoError(t, err)
 
@@ -396,7 +394,7 @@ func TestConfigureExplicitWorkspaceWithoutClobberingNonDirectory(t *testing.T) {
 	}
 
 	// Create a file at the workspace directory's location
-	err = ioutil.WriteFile(filepath.Join(tmpDir, "workspace"), []byte("This is not a directory"), os.FileMode(0755))
+	err = os.WriteFile(filepath.Join(tmpDir, "workspace"), []byte("This is not a directory"), os.FileMode(0755))
 	assert.NoError(t, err)
 
 	flags := pflag.NewFlagSet("fake", pflag.PanicOnError)

cmd/download.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	netURL "net/url"
 	"os"
@@ -202,8 +201,8 @@ func newDownload(flags *pflag.FlagSet, usrCfg *viper.Viper) (*download, error) {
 		return nil, decodedAPIError(res)
 	}
 
-	body, _ := ioutil.ReadAll(res.Body)
-	res.Body = ioutil.NopCloser(bytes.NewReader(body))
+	body, _ := io.ReadAll(res.Body)
+	res.Body = io.NopCloser(bytes.NewReader(body))
 
 	if err := json.Unmarshal(body, &d.payload); err != nil {
 		return nil, decodedAPIError(res)

cmd/download_test.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -169,7 +168,7 @@ func TestDownload(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		tmpDir, err := ioutil.TempDir("", "download-cmd")
+		tmpDir, err := os.MkdirTemp("", "download-cmd")
 		defer os.RemoveAll(tmpDir)
 		assert.NoError(t, err)
 
@@ -197,7 +196,7 @@ func TestDownload(t *testing.T) {
 		assertDownloadedCorrectFiles(t, targetDir)
 
 		dir := filepath.Join(targetDir, "bogus-track", "bogus-exercise")
-		b, err := ioutil.ReadFile(workspace.NewExerciseFromDir(dir).MetadataFilepath())
+		b, err := os.ReadFile(workspace.NewExerciseFromDir(dir).MetadataFilepath())
 		assert.NoError(t, err)
 		var metadata workspace.ExerciseMetadata
 		err = json.Unmarshal(b, &metadata)
@@ -229,7 +228,7 @@ func TestDownloadToExistingDirectory(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		tmpDir, err := ioutil.TempDir("", "download-cmd")
+		tmpDir, err := os.MkdirTemp("", "download-cmd")
 		defer os.RemoveAll(tmpDir)
 		assert.NoError(t, err)
 
@@ -281,7 +280,7 @@ func TestDownloadToExistingDirectoryWithForce(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		tmpDir, err := ioutil.TempDir("", "download-cmd")
+		tmpDir, err := os.MkdirTemp("", "download-cmd")
 		defer os.RemoveAll(tmpDir)
 		assert.NoError(t, err)
 
@@ -363,7 +362,7 @@ func assertDownloadedCorrectFiles(t *testing.T, targetDir string) {
 
 	for _, file := range expectedFiles {
 		t.Run(file.desc, func(t *testing.T) {
-			b, err := ioutil.ReadFile(file.path)
+			b, err := os.ReadFile(file.path)
 			assert.NoError(t, err)
 			assert.Equal(t, file.contents, string(b))
 		})
@@ -383,7 +382,7 @@ func TestDownloadError(t *testing.T) {
 	ts := httptest.NewServer(handler)
 	defer ts.Close()
 
-	tmpDir, err := ioutil.TempDir("", "submit-err-tmp-dir")
+	tmpDir, err := os.MkdirTemp("", "submit-err-tmp-dir")
 	defer os.RemoveAll(tmpDir)
 	assert.NoError(t, err)
 

cmd/submit_symlink_test.go

@@ -1,10 +1,8 @@
 //go:build !windows
-// +build !windows
 
 package cmd
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -25,12 +23,12 @@ func TestSubmitFilesInSymlinkedPath(t *testing.T) {
 	ts := fakeSubmitServer(t, submittedFiles)
 	defer ts.Close()
 
-	tmpDir, err := ioutil.TempDir("", "symlink-destination")
+	tmpDir, err := os.MkdirTemp("", "symlink-destination")
 	defer os.RemoveAll(tmpDir)
 	assert.NoError(t, err)
 	dstDir := filepath.Join(tmpDir, "workspace")
 
-	srcDir, err := ioutil.TempDir("", "symlink-source")
+	srcDir, err := os.MkdirTemp("", "symlink-source")
 	defer os.RemoveAll(srcDir)
 	assert.NoError(t, err)
 
@@ -53,7 +51,7 @@ func TestSubmitFilesInSymlinkedPath(t *testing.T) {
 	}
 
 	file := filepath.Join(dir, "file.txt")
-	err = ioutil.WriteFile(filepath.Join(dir, "file.txt"), []byte("This is a file."), os.FileMode(0755))
+	err = os.WriteFile(filepath.Join(dir, "file.txt"), []byte("This is a file."), os.FileMode(0755))
 	assert.NoError(t, err)
 
 	err = runSubmit(cfg, pflag.NewFlagSet("symlinks", pflag.PanicOnError), []string{file})