Skip to content

Bump Go toolchain to 1.25.11 to fix stdlib vulnerabilities#101

Merged
Oguzhan Unlu (oguzhanunlu) merged 1 commit into
developfrom
deps/bump-go-toolchain-security
Jun 8, 2026
Merged

Bump Go toolchain to 1.25.11 to fix stdlib vulnerabilities#101
Oguzhan Unlu (oguzhanunlu) merged 1 commit into
developfrom
deps/bump-go-toolchain-security

Conversation

@oguzhanunlu

Copy link
Copy Markdown
Member

What

govulncheck flagged 12 vulnerabilities affecting the code, all in the Go standard library (crypto/tls, crypto/x509, net, net/http, net/url, net/textproto, os) reachable transitively via the AWS SDK, Consul and Sentry deps. None are in third-party module code we call — all are fixed by upgrading the Go toolchain.

Changes

  • CI/CD go-version 1.24.111.25.11 (this is what produces the released binary, so it's the actual fix)
  • go.mod go directive 1.24.111.25.11
  • golang.org/x/sys 0.40.00.44.0 — clears the one remaining module-level advisory (GO-2026-5024, not called by our code)

Verification

  • govulncheck ./build/src/...No vulnerabilities found (was 12 affecting)
  • Cross-builds (linux/darwin/windows) succeed via make
  • make test passes — 75.2% coverage

govulncheck flagged 12 vulnerabilities affecting the code, all in the Go
standard library (crypto/tls, crypto/x509, net, net/http, net/url,
net/textproto, os) reachable via the AWS SDK, Consul and Sentry deps. All
are fixed by upgrading the toolchain from 1.24.11 to 1.25.11.

- CI/CD go-version 1.24.11 -> 1.25.11 (fixes the released binary)
- go.mod go directive 1.24.11 -> 1.25.11
- golang.org/x/sys 0.40.0 -> 0.44.0 (clears GO-2026-5024, not called)

govulncheck now reports no vulnerabilities; build (linux/darwin/windows)
and tests pass.
@oguzhanunlu Oguzhan Unlu (oguzhanunlu) merged commit 5bb9d36 into develop Jun 8, 2026
6 checks passed
@oguzhanunlu Oguzhan Unlu (oguzhanunlu) deleted the deps/bump-go-toolchain-security branch June 8, 2026 11:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants