Skip to content

chore(ci): bump go 1.25.10 -> 1.25.11 (fix stdlib vulns)#27

Merged
vanducng merged 1 commit into
mainfrom
chore/bump-go-1.25.11
Jun 13, 2026
Merged

chore(ci): bump go 1.25.10 -> 1.25.11 (fix stdlib vulns)#27
vanducng merged 1 commit into
mainfrom
chore/bump-go-1.25.11

Conversation

@vanducng

@vanducng vanducng commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the Go toolchain to 1.25.11 to clear the two stdlib vulnerabilities govulncheck flags on 1.25.10:

  • GO-2026-5039 — arbitrary inputs unescaped in net/textproto errors (reached via websocket.Dialer.DialContext).
  • GO-2026-5037 — inefficient candidate hostname parsing in crypto/x509.

Both are Fixed in go1.25.11. All CI jobs use go-version-file: go.mod, so the single go.mod bump applies the toolchain to build/test/lint/vuln/e2e/release. The Dockerfile's golang:1.25-alpine already tracks the latest 1.25.x.

Verified go build ./... clean on go1.25.11 locally. Expect the vuln check to go green here.

@vanducng
chore(ci): bump go 1.25.10 -> 1.25.11
5378086 
Resolves stdlib vulns flagged by govulncheck: GO-2026-5039 (net/textproto
error escaping) and GO-2026-5037 (crypto/x509 hostname parsing), both fixed
in go1.25.11. All CI jobs read go-version-file: go.mod, so this bumps the
toolchain everywhere (build/test/lint/vuln/e2e/release). Dockerfile uses
golang:1.25-alpine which already tracks the latest 1.25.x.
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@vanducng, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 47 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d5e7ca07-ecca-4d14-be2c-52872d22827d

📥 Commits

Reviewing files that changed from the base of the PR and between bad814a and 5378086.

📒 Files selected for processing (1)
  • go.mod
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/bump-go-1.25.11

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@vanducng vanducng merged commit 9d3186c into main Jun 13, 2026
6 checks passed
@vanducng vanducng deleted the chore/bump-go-1.25.11 branch June 13, 2026 07:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vanducng