hashicorp · kswap · Jan 12, 2026 · Aug 1, 2024 · Aug 1, 2024 · Aug 2, 2024
@@ -12,3 +12,15 @@
 
     [HashiCorp engineers only. Community PRs should not add a changelog entry.]::
     [Changelog entries should use present tense, e.g. "Add support for..."]::
+
+## PCI review checklist
+
+<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
+
+- [ ] I have documented a clear reason for, and description of, the change I am making.
+
+- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
+
+- [ ] If applicable, I've documented the impact of any changes to security controls.
+
+  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
@@ -82,7 +82,7 @@ jobs:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
       - name: Set up QEMU for cross-arch builds (only for Docker)
         if: ${{ matrix.gotags == 'fips' }}
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # V3.6.0
       - name: Build (runner)
         if: ${{ !(matrix.gotags == 'fips') }}
         env:

@@ -30,9 +30,9 @@ jobs:
       with:
         go-version: ${{ needs.get-go-version.outputs.go-version }}
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
       with:
-        version: v1.60.1
+        version: v2.8.0
         args: |
           --verbose
         only-new-issues: false
@@ -49,8 +49,10 @@ jobs:
     strategy:
       matrix:
         consul-version:
-          - 1.20.2
-          - 1.20.2+ent
+          - 1.21.5
+          - 1.21.8+ent
+          - 1.22.2
+          - 1.22.2+ent
     env:
       TEST_RESULTS_DIR: /tmp/test-results
       GOTESTSUM_VERSION: 1.8.2

@@ -1 +1 @@
-1.23.6
+1.25.5
@@ -1,15 +1,19 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+version: "2"
+
 linters:
-  disable-all: true
   enable:
-    - gofmt
     - govet
     - unconvert
     - staticcheck
     - ineffassign
     - unparam
+
+formatters:
+  enable:
+    - gofmt
     - goimports
 
 run:

@@ -25,9 +25,10 @@ binary {
 	osv          = true
 	oss_index    = false
 	nvd          = false
+
 	triage {
 		suppress {
-			vulnerabilites = [
+			vulnerabilities = [
 				"GO-2022-0635", // github.com/aws/[email protected]
 			]
 		}

@@ -1,3 +1,13 @@
+## 0.9.3 (Jan 12, 2026)
+SECURITY
+* Upgrade `golang.org/x/crypto` to `v0.45.0` to address [GO-2025-4134] and [GO-2025-4116]
+
+IMPROVEMENTS
+* Bump Go version to `1.25.5`
+* Bump `golang.org/x/net` to `v0.47.0`
+* Bump `golang.org/x/sys` to `v0.38.0`
+* Bump `golang.org/x/text` to `v0.31.0`  
+
 ## 0.9.2 (Jun 13, 2025)
 BUG FIXES
 * Fix bug where health-sync race condition overrides consul-dataplane critical status after a sigterm

@@ -50,14 +50,14 @@ func (e *Cmd) Run() {
 	defer close(e.doneCh)
 	defer close(e.startedCh)
 
-	if err := e.Cmd.Start(); err != nil {
+	if err := e.Start(); err != nil {
 		e.log.Error("starting process", "error", err.Error())
 		// Closed channels (in defers) indicate the command failed to start.
 		return
 	}
 	e.startedCh <- struct{}{}
 
-	if err := e.Cmd.Wait(); err != nil {
+	if err := e.Wait(); err != nil {
 		if _, ok := err.(*exec.ExitError); !ok {
 			// Do not log if it is only a non-zero exit code.
 			e.log.Error("waiting for process to finish", "error", err.Error())

@@ -1,6 +1,6 @@
 module github.com/hashicorp/consul-ecs
 
-go 1.23.6
+go 1.25.5
 
 require (
 	github.com/aws/aws-sdk-go v1.55.5
@@ -64,11 +64,11 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect

@@ -277,8 +277,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -291,17 +291,17 @@ golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -330,15 +330,15 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

@@ -45,7 +45,7 @@ func (c *Command) init() {
 	c.flagSet = flag.NewFlagSet("", flag.ContinueOnError)
 	c.flagSet.DurationVar(&c.shutdownDelay, flagShutdownDelay, 0,
 		`Continue running for this long after receiving SIGTERM. Must be a duration (e.g. "10s").`)
-	logging.Merge(c.flagSet, c.LogOpts.Flags())
+	logging.Merge(c.flagSet, c.Flags())
 
 	c.started = make(chan struct{}, 1)
 	c.sigs = make(chan os.Signal, 1)

@@ -9,6 +9,20 @@ import (
 	"testing"
 )
 
+const (
+	expEntAnonTokenPolicy = `
+partition_prefix "" {
+  namespace_prefix "" {
+    node_prefix "" {
+      policy = "read"
+    }
+    service_prefix "" {
+      policy = "read"
+    }
+  }
+}`
+)
+
 func TestUpsertConsulResourcesEnt(t *testing.T) {
 	testUpsertConsulResources(t, map[string]iamAuthTestCase{
 		"recreate the partition": {

@@ -25,18 +25,6 @@ import (
 const (
 	testPartitionName = "test-partition"
 
-	expEntAnonTokenPolicy = `
-partition_prefix "" {
-  namespace_prefix "" {
-    node_prefix "" {
-      policy = "read"
-    }
-    service_prefix "" {
-      policy = "read"
-    }
-  }
-}`
-
 	expOSSAnonTokenPolicy = `
     node_prefix "" {
       policy = "read"

@@ -41,7 +41,7 @@ type Command struct {
 
 func (c *Command) init() {
 	c.flagSet = flag.NewFlagSet("", flag.ContinueOnError)
-	logging.Merge(c.flagSet, c.LogOpts.Flags())
+	logging.Merge(c.flagSet, c.Flags())
 
 	c.started = make(chan struct{}, 1)
 	c.sigs = make(chan os.Signal, 1)

@@ -4,6 +4,7 @@
 package netdial
 
 import (
+	"fmt"
 	"net"
 
 	"github.com/mitchellh/cli"
@@ -23,7 +24,9 @@ func (c *Command) Run(args []string) int {
 	if err != nil {
 		return 2
 	}
-	conn.Close()
+	if err := conn.Close(); err != nil {
+		fmt.Printf("Warning: failed to close connection: %v\n", err)
+	}
 
 	return 0
 }

@@ -33,9 +33,15 @@ func TestNetDial(t *testing.T) {
 				require.NoError(t, err)
 				args = append(args, l.Addr().String())
 				if c.code != 0 {
-					l.Close()
+					if err := l.Close(); err != nil {
+						t.Logf("Failed to close listener: %v", err)
+					}
 				} else {
-					t.Cleanup(func() { l.Close() })
+					t.Cleanup(func() {
+						if err := l.Close(); err != nil {
+							t.Logf("Failed to close listener in cleanup: %v", err)
+						}
+					})
 				}
 			}
 

@@ -130,11 +130,19 @@ func AuthMethodInit(t *testing.T, consulClient *api.Client, expectedServiceName,
 	require.NoError(t, err)
 
 	t.Cleanup(func() {
-		os.Unsetenv("AWS_ACCESS_KEY_ID")
-		os.Unsetenv("AWS_SECRET_ACCESS_KEY")
+		if err := os.Unsetenv("AWS_ACCESS_KEY_ID"); err != nil {
+			t.Logf("Failed to unset AWS_ACCESS_KEY_ID: %v", err)
+		}
+		if err := os.Unsetenv("AWS_SECRET_ACCESS_KEY"); err != nil {
+			t.Logf("Failed to unset AWS_SECRET_ACCESS_KEY: %v", err)
+		}
 	})
-	os.Setenv("AWS_ACCESS_KEY_ID", "fake-key-id")
-	os.Setenv("AWS_SECRET_ACCESS_KEY", "fake-secret-key")
+	if err := os.Setenv("AWS_ACCESS_KEY_ID", "fake-key-id"); err != nil {
+		t.Fatalf("Failed to set AWS_ACCESS_KEY_ID: %v", err)
+	}
+	if err := os.Setenv("AWS_SECRET_ACCESS_KEY", "fake-secret-key"); err != nil {
+		t.Fatalf("Failed to set AWS_SECRET_ACCESS_KEY: %v", err)
+	}
 
 	return fakeAws
 }
@@ -67,22 +67,29 @@ func writeXML(w http.ResponseWriter, val interface{}) {
 	str, err := xml.MarshalIndent(val, "", " ")
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
-		fmt.Fprint(w, err.Error())
+		if _, writeErr := fmt.Fprint(w, err.Error()); writeErr != nil {
+			fmt.Printf("Failed to write error response: %v\n", writeErr)
+		}
 		return
 	}
 	w.Header().Add("Content-Type", "text/xml")
 	w.WriteHeader(http.StatusOK)
-	fmt.Fprint(w, string(str))
+	if _, writeErr := fmt.Fprint(w, string(str)); writeErr != nil {
+		fmt.Printf("Failed to write XML response: %v\n", writeErr)
+	}
 }
 
 func writeError(w http.ResponseWriter, code int, r *http.Request) {
 	w.WriteHeader(code)
 	msg := fmt.Sprintf("%s %s", r.Method, r.URL)
-	fmt.Fprintf(w, `<ErrorResponse xmlns="https://fakeaws/">
+	if _, writeErr := fmt.Fprintf(w, `<ErrorResponse xmlns="https://fakeaws/">
   <Error>
 	<Message>Fake AWS Server Error: %s</Message>
   </Error>
-</ErrorResponse>`, msg)
+</ErrorResponse>`, msg); writeErr != nil {
+		// Log write error but don't fail the test
+		fmt.Printf("Failed to write error response: %v\n", writeErr)
+	}
 }
 
 type Fixture struct {

@@ -16,7 +16,7 @@ var (
 	//
 	// Version must conform to the format expected by
 	// github.com/hashicorp/go-version for tests to work.
-	Version = "0.9.2"
+	Version = "0.9.3"
 
 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
@@ -42,5 +42,5 @@ func GetHumanVersion() string {
 	}
 
 	// Strip off any single quotes added by the git information.
-	return "v" + strings.Replace(version, "'", "", -1)
+	return "v" + strings.ReplaceAll(version, "'", "")
 }