
fix(deps): bump Go 1.25.10 -> 1.25.11 for new stdlib CVEs#606

Merged: HerbHall merged 1 commit into main from fix/govulncheck-go-1-25-11 on Jun 2, 2026

Conversation

@HerbHall (Owner) commented Jun 2, 2026

Summary

A fresh govulncheck DB update (one day after #602) flagged two new stdlib vulnerabilities in go1.25.10, re-blocking the entire PR queue — main itself, the remaining Dependabot PRs (#588/#591/#596), and release #603 all fail Vulnerability Check:

Vuln           Package        Fixed in
GO-2026-5039   net/textproto  go1.25.11
GO-2026-5037   crypto/x509    go1.25.11

Pure toolchain bump — no module changes. Bumps the go directive and the Dockerfile go-builder image in lockstep (CI reads go-version-file: go.mod; the Docker build pins the builder explicitly and fails on a version mismatch otherwise).

Verification (local)

  • go build ./... / go vet ./... — clean
  • GOTOOLCHAIN=go1.25.11 govulncheck ./... : "No vulnerabilities found"

Once merged, rebasing #588/#591/#596 onto main clears their vuln check, and #603 (v0.6.5) can be cut.

🤖 Generated with Claude Code

A fresh govulncheck DB update flagged two new stdlib vulnerabilities in
go1.25.10, re-blocking the PR queue one day after #602:
- GO-2026-5039: net/textproto
- GO-2026-5037: crypto/x509
Both fixed in go1.25.11.

Bumps the go directive and the Dockerfile go-builder image in lockstep
(CI reads go-version-file: go.mod; the Docker build pins the builder
explicitly and would otherwise fail on the version mismatch).

Verified: go build, go vet, and `GOTOOLCHAIN=go1.25.11 govulncheck ./...`
reports "No vulnerabilities found".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
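The description relies on go.mod and the Dockerfile builder image being bumped in lockstep, with the Docker build as the only thing that notices drift. As an added example (not the project's own code and not part of this PR), here is a small Go pre-check that makes that invariant explicit: it reads the go directive from go.mod, extracts the version prefix of every golang base image in the Dockerfile, and fails on a mismatch or on a tag that floats on a minor version instead of pinning a patch release. The file contents, module path, image tags and stage name below are constructed samples, not the project's real files; a toolchain directive in go.mod, if any, is deliberately not considered.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample inputs that mirror the shape of the two files the PR bumps.
// They are not the project's real go.mod or Dockerfile.
const sampleGoMod = `module example.com/app

go 1.25.11

require golang.org/x/sys v0.30.0
`

const sampleDockerfile = `# syntax=docker/dockerfile:1
FROM golang:1.25.11-alpine AS go-builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM alpine:3.21
COPY --from=go-builder /out/app /usr/local/bin/app
ENTRYPOINT ["app"]
`

// staleDockerfile is the same file before the builder tag was bumped: the drift
// the check is meant to catch.
var staleDockerfile = strings.Replace(sampleDockerfile,
	"golang:1.25.11-alpine", "golang:1.25.10-alpine", 1)

// goDirective returns the version from the go.mod "go" directive (e.g. "1.25.11").
// A "toolchain" directive, if present, is ignored by this check (assumption).
func goDirective(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "go" {
			return f[1], nil
		}
	}
	return "", errors.New("go.mod: no go directive")
}

// fromGolang matches "FROM [--platform=...] golang:<tag>[@digest] [AS name]" and
// captures the numeric prefix of the tag ("1.25.11" from "1.25.11-alpine").
var fromGolang = regexp.MustCompile(`(?i)^\s*FROM\s+(?:--platform=\S+\s+)?golang:(\d+(?:\.\d+)*)`)

// builderVersions returns the version prefix of every golang base image in the Dockerfile.
func builderVersions(dockerfile string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		if m := fromGolang.FindStringSubmatch(sc.Text()); m != nil {
			out = append(out, m[1])
		}
	}
	return out
}

// checkLockstep returns nil when the go.mod go directive and every golang builder
// image pin the same full patch version, and an error naming the first problem otherwise.
func checkLockstep(gomod, dockerfile string) error {
	want, err := goDirective(gomod)
	if err != nil {
		return err
	}
	if strings.Count(want, ".") != 2 {
		return fmt.Errorf("go.mod: go directive %q is not a full patch version", want)
	}
	got := builderVersions(dockerfile)
	if len(got) == 0 {
		return errors.New("dockerfile: no golang base image found")
	}
	for _, v := range got {
		if strings.Count(v, ".") != 2 {
			return fmt.Errorf("dockerfile: golang:%s floats on a minor version; pin the patch release", v)
		}
		if v != want {
			return fmt.Errorf("toolchain drift: go.mod wants go %s but Dockerfile builds with golang:%s", want, v)
		}
	}
	return nil
}

func main() {
	for _, c := range []struct{ name, df string }{{"current", sampleDockerfile}, {"stale", staleDockerfile}} {
		if err := checkLockstep(sampleGoMod, c.df); err != nil {
			fmt.Printf("%-8s FAIL: %v\n", c.name, err)
		} else {
			fmt.Printf("%-8s ok\n", c.name)
		}
	}
}
```

Run as a CI step before the Docker build, reading the real files instead of the embedded samples, and a forgotten Dockerfile bump fails fast with the two versions side by side rather than surfacing as a generic image-build failure.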
Copilot AI review requested due to automatic review settings June 2, 2026 23:05

Copilot AI left a comment


Pull request overview

Updates the project’s Go toolchain patch version to address newly reported Go stdlib vulnerabilities, keeping CI (which installs Go via go.mod) and the Docker build (which pins the builder image) in sync.

Changes:

  • Bump go directive in go.mod from 1.25.10 to 1.25.11.
  • Bump Docker go-builder base image from golang:1.25.10-alpine to golang:1.25.11-alpine.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File         Description
go.mod       Updates the Go toolchain version used by CI via go-version-file: go.mod.
Dockerfile   Pins the builder stage to Go 1.25.11 to match the go.mod directive and ensure patched stdlib in container builds.

@HerbHall HerbHall merged commit 30cfd68 into main Jun 2, 2026
18 checks passed
@HerbHall HerbHall deleted the fix/govulncheck-go-1-25-11 branch June 2, 2026 23:11
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 2, 2026