feat: upgrade to Go 1.25.5 and fix 21 security vulnerabilities#96
Merged
richardwooding merged 3 commits intomainfrom Jan 8, 2026
Merged
feat: upgrade to Go 1.25.5 and fix 21 security vulnerabilities#96richardwooding merged 3 commits intomainfrom
richardwooding merged 3 commits intomainfrom
Conversation
This PR upgrades the project from Go 1.24.0 to Go 1.25.5 and updates golang.org/x/crypto from v0.37.0 to v0.45.0, fixing all 21 security vulnerabilities detected by OSV Scanner. Vulnerabilities Fixed: - 16 Go stdlib vulnerabilities (GO-2025-3563, GO-2025-3749, GO-2025-3750, GO-2025-3751, GO-2025-3849, GO-2025-3956, GO-2025-4007, GO-2025-4008, GO-2025-4009, GO-2025-4010, GO-2025-4011, GO-2025-4012, GO-2025-4013, GO-2025-4014, GO-2025-4155, GO-2025-4175) - 3 golang.org/x/crypto vulnerabilities: * GO-2025-4135 (CVE-2025-47914): SSH Agent message size validation * GO-2025-4134 (CVE-2025-58181): SSH GSSAPI unbounded memory * GO-2025-4116 (CVE-2025-47913): SSH client panic on SSHAGENTSUCCESS - 2 uncalled stdlib vulnerabilities (GO-2025-4006, GO-2025-4015) Changes: - go.mod: Update go directive from 1.24.0 to 1.25.5 - go.mod: Update golang.org/x/crypto from v0.37.0 to v0.45.0 - Updated all GitHub Actions workflows to use Go 1.25.x - CI matrix now tests against Go 1.24.x and 1.25.x for compatibility - All tests pass with 92.1% coverage References: - Go 1.25 Release: https://go.dev/blog/go1.25 - GO-2025-4135: https://pkg.go.dev/vuln/GO-2025-4135 - GO-2025-4134: https://pkg.go.dev/vuln/GO-2025-4134 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The linting job was failing because golangci-lint v2.2.1 was built with Go 1.24 and cannot lint projects targeting Go 1.25.5. Changes: - Update golangci-lint-action from v7 to v9 - Update golangci-lint version from v2.2.1 to v2.6 golangci-lint v2.6 is built with Go 1.25 and can successfully lint Go 1.25.5 projects. References: - golangci/golangci-lint#5873 - https://github.com/golangci/golangci-lint-action 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove Go 1.24.x from CI test matrix (only Go 1.25.x required now) - Fix perfsprint linting errors in benchmark_test.go and output_length_test.go by replacing string concatenation in loops with strings.Builder This completes the Go 1.25.5 upgrade by removing backward compatibility with Go 1.24.x, which is no longer needed since go.mod requires 1.25.5. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrades cel2sql from Go 1.24.0 to Go 1.25.5 and updates golang.org/x/crypto from v0.37.0 to v0.45.0, fixing all 21 security vulnerabilities detected by OSV Scanner.
Vulnerabilities Fixed
Go Stdlib Vulnerabilities (16 total)
Fixed by upgrading from Go 1.24.0 → 1.25.5:
golang.org/x/crypto Vulnerabilities (3 total)
Fixed by upgrading from v0.37.0 → v0.45.0:
Uncalled Vulnerabilities (2 total)
Changes Made
Core Dependencies
go.mod: Updated go directive from1.24.0→1.25.5go.mod: Updatedgolang.org/x/cryptofromv0.37.0→v0.45.0golang.org/x/sync,golang.org/x/sys,golang.org/x/textGitHub Actions Workflows
Updated all workflows to use Go 1.25.x:
.github/workflows/ci.yml: Test matrix now['1.24.x', '1.25.x'](maintains 1.24 compatibility).github/workflows/security.yml: Updated all 3 jobs (govulncheck, osv-scanner, gosec).github/workflows/golangci-lint.yml: Updated to 1.25.x.github/workflows/fuzz.yml: Updated both fuzz testing jobs.github/workflows/dependency-update.yml: Updated to 1.25.x.github/workflows/release.yml: Updated to 1.25.xTesting
✅ All tests pass with 92.1% coverage
✅ Tested locally with Go 1.25.4
✅ CI/CD will verify against both Go 1.24.x and 1.25.x
✅ OSV Scanner should now pass with exit code 0
References
Backward Compatibility
🤖 Generated with Claude Code