fix(deps): bump go toolchain to 1.25.11 for stdlib security fixes #72

Merged: bamaas merged 1 commit into main from fix/bump-go-1-25-11 on Jun 3, 2026

bamaas (Owner) commented Jun 3, 2026

Pins the mise Go toolchain to 1.25.11, resolving two govulncheck failures the prior go = "1.25" pin let CI resolve to 1.25.10:

  • GO-2026-5037 — inefficient candidate hostname parsing in crypto/x509
  • GO-2026-5039 — arbitrary inputs unescaped in net/textproto errors

Both are fixed in go 1.25.11. mise run lint:vuln now reports 0 vulnerabilities. This unblocks main (currently red on lint:vuln) and any open PRs.

🤖 Generated with Claude Code

Resolves govulncheck failures GO-2026-5037 (crypto/x509) and GO-2026-5039
(net/textproto), both fixed in go 1.25.11. CI was resolving the prior
"1.25" pin to 1.25.10, leaving lint:vuln red on main.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bamaas enabled auto-merge (squash) June 3, 2026 04:42
bamaas merged commit ccdfaa4 into main Jun 3, 2026
3 checks passed
bamaas deleted the fix/bump-go-1-25-11 branch June 3, 2026 04:44
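
A check for the condition this PR fixes, as an added example that is not part of the PR or the repository: it fails a toolchain pin that does not by itself guarantee the patched release. The `[tools]` layout of the sample configs and the function names are assumptions; only the `go = "1.25"` and `go = "1.25.11"` values come from the PR.

```shell
#!/bin/sh
# Added example (not from the PR): does a Go toolchain pin guarantee a patched release?

# Constructed sample configs; only the go values are taken from the PR text.
SAMPLE_BEFORE='[tools]
go = "1.25"'
SAMPLE_AFTER='[tools]
go = "1.25.11"'

# Print the go pin found in the [tools] table of a config read from stdin.
extract_go_pin() {
  sed -n '/^\[tools\]/,/^\[/s/^[[:space:]]*go[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 only for an exact major.minor.patch pin that is >= the minimum.
# 1 = floating or too old, 2 = not a numeric version (for example "latest").
pin_guarantees_min() {
  pin=$1 min=$2
  case $pin in ''|*[!0-9.]*) return 2 ;; esac
  IFS=. read -r pa pb pc extra <<EOF
$pin
EOF
  IFS=. read -r ma mb mc <<EOF
$min
EOF
  # A prefix pin such as "1.25" leaves the patch level to the resolver.
  [ -n "$pa" ] && [ -n "$pb" ] && [ -n "$pc" ] && [ -z "$extra" ] || return 1
  [ "$pa" -gt "$ma" ] && return 0
  [ "$pa" -lt "$ma" ] && return 1
  [ "$pb" -gt "$mb" ] && return 0
  [ "$pb" -lt "$mb" ] && return 1
  [ "$pc" -ge "$mc" ]
}

# Demo: 1.25.11 is the release the PR names as carrying both fixes.
for cfg in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  p=$(printf '%s\n' "$cfg" | extract_go_pin)
  if pin_guarantees_min "$p" 1.25.11; then
    echo "go = \"$p\": OK, guarantees >= 1.25.11"
  else
    echo "go = \"$p\": FAIL, does not guarantee >= 1.25.11"
  fi
done
```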