Skip to content

build(deps): bump Go to 1.25.11 for stdlib security fixes#2642

Merged
jjbustamante merged 2 commits into
mainfrom
deps/go-1.25.11
Jun 23, 2026
Merged

build(deps): bump Go to 1.25.11 for stdlib security fixes#2642
jjbustamante merged 2 commits into
mainfrom
deps/go-1.25.11

Conversation

@jjbustamante

@jjbustamante jjbustamante commented Jun 23, 2026

Copy link
Copy Markdown
Member

Summary

Bumps the go directive in go.mod from 1.25.10 to 1.25.11. The build, test, and release workflows install Go via go-version-file: go.mod, so this directive controls the stdlib version compiled into the release binary. This resolves the stdlib CVEs flagged by grype that no module bump can address:

Dockerfile (golang:1.25) and benchmark.yml (go-version: 1.25) already track the latest 1.25 patch, so no change is needed there.

Output

Before

After

Documentation

  • Should this change be documented?
    • Yes, see #___
    • No

Related

Resolves the stdlib rows in the latest grype scan against main.

@jjbustamante @claude
build(deps): bump Go directive to 1.25.11 for stdlib security fixes
69f96e2 
CI build/test/release jobs install Go via go-version-file: go.mod, so the
go directive controls the stdlib version compiled into the release binary.
Bumping 1.25.10 -> 1.25.11 resolves the stdlib CVEs flagged by grype that
neither the dependabot module bumps nor go module updates can address:

- CVE-2026-42504 (GO-2026-5036), GO-2026-5038 (High)
- CVE-2026-27145 (GO-2026-5037), CVE-2026-42507 (GO-2026-5039) (Medium)

Dockerfile (golang:1.25) and benchmark.yml (go-version: 1.25) already
track the latest 1.25 patch, so no change is needed there.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Juan Bustamante <[email protected]>
@jjbustamante jjbustamante requested review from a team as code owners June 23, 2026 15:34
@github-actions github-actions Bot added this to the 0.41.0 milestone Jun 23, 2026
@github-actions github-actions Bot added the type/chore Issue that requests non-user facing changes. label Jun 23, 2026
@jjbustamante jjbustamante self-assigned this Jun 23, 2026
@jjbustamante jjbustamante merged commit 7f2f74e into main Jun 23, 2026
18 checks passed
@jjbustamante jjbustamante deleted the deps/go-1.25.11 branch June 23, 2026 16:16
@jjbustamante jjbustamante mentioned this pull request Jun 23, 2026
Closed
@jjbustamante jjbustamante modified the milestones: 0.41.0, 0.40.7 Jun 23, 2026
This was referenced Jun 23, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jjbustamante jjbustamante

Labels

type/chore Issue that requests non-user facing changes.

Projects

None yet

Milestone

0.40.7

Development

Successfully merging this pull request may close these issues.

1 participant

@jjbustamante