Skip to content

go.mod: bump Go 1.25.11 → 1.25.12 (fix govulncheck GO-2026-5856)#365

Closed
Alexgodoroja wants to merge 0 commit into
mainfrom
chore/bump-go-1.25.13
Closed

go.mod: bump Go 1.25.11 → 1.25.12 (fix govulncheck GO-2026-5856)#365
Alexgodoroja wants to merge 0 commit into
mainfrom
chore/bump-go-1.25.13

Conversation

@Alexgodoroja

@Alexgodoroja Alexgodoroja commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Why

govulncheck is failing repo-wide (including on main/nightly) on GO-2026-5856, a vulnerability in the Go standard library crypto/tls — reached from pkg/telemetry/client.go, pkg/daemon/daemon.go, and cmd/pilotctl/main.go. It is fixed in crypto/tls@go1.25.12 (the current latest 1.25.x release).

What

Bump the go directive in go.mod from 1.25.111.25.12. Every workflow resolves its toolchain via go-version-file: go.mod, so this one line clears the finding across CI. No code changes.

Note

This is the actual cause of the red govulncheck on the catalogue-metadata PR (#364), which only touches catalogue.json and cannot fix a stdlib CVE. Once this merges, #364 (rebased) goes green.

🤖 Generated with Claude Code

@Alexgodoroja
Alexgodoroja requested a review from TeoSlayer as a code owner July 9, 2026 23:25
@Alexgodoroja
Alexgodoroja force-pushed the chore/bump-go-1.25.13 branch from 0a2145a to d48fd14 Compare July 9, 2026 23:27
@Alexgodoroja Alexgodoroja changed the title go.mod: bump Go 1.25.11 → 1.25.13 (fix govulncheck GO-2026-5856) go.mod: bump Go 1.25.11 → 1.25.12 (fix govulncheck GO-2026-5856) Jul 9, 2026
@Alexgodoroja
Alexgodoroja force-pushed the chore/bump-go-1.25.13 branch from d48fd14 to 5c25889 Compare July 9, 2026 23:33
@matthew-pilot
matthew-pilot force-pushed the chore/bump-go-1.25.13 branch from 5c25889 to 3c53809 Compare July 19, 2026 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants