fix(deps): bump Go 1.25.11 -> 1.25.12 for CVE-2026-39822, CVE-2026-42505#577
Merged
Conversation
Go security release addresses: - CVE-2026-39822: os.Root escape via symlink plus trailing slash - CVE-2026-42505: crypto/tls Encrypted Client Hello privacy leak Updates the go directive in go.work and all module go.mod files (client, plugin, plugins/credentialhelper, plugins/pass, store, x). CI (go-version-file: go.work) and Docker builds (GO_VERSION from go.work via Makefile) pick this up automatically. Also bumps the stale standalone fallback default in store/docker-bake.hcl from 1.24 to 1.25.12. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
reviewed
Jul 9, 2026
docker-agent
left a comment
Contributor
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
Reviewed: Go version bump 1.25.11 → 1.25.12 across all 6 workspace modules and store/docker-bake.hcl standalone fallback fix.
Findings: None.
All modules (go.work, client/go.mod, plugin/go.mod, plugins/credentialhelper/go.mod, plugins/pass/go.mod, store/go.mod, x/go.mod) are updated consistently to go 1.25.12. The store/docker-bake.hcl correction from the stale "1.24" default to "1.25.12" is correct and improves consistency. No logic errors, missing updates, or version mismatches introduced by the + lines.
go work vendor records each local module's go directive in vendor/modules.txt; regenerate so the Go Work Check CI gate (go work sync/vendor clean) passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
joe0BAB
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bump Go
1.25.11→1.25.12(latest patch on the 1.25 line) to pick up the Go security release.Why
The release fixes two vulnerabilities:
os: root escape via symlink plus trailing slash. Opening a file in anos.Rootimproperly followed symlinks to locations outside the root when the final path component is a symlink and the path ends in/.crypto/tls: Encrypted Client Hello privacy leak. The ECH implementation disclosed pre-shared key identities, enabling network observers to de-anonymize server hostnames despite encryption.Staying on the 1.25 line (vs. jumping to 1.26.5) keeps the
godirective minor unchanged, so published modules (store,client,x) do not force consumers onto Go 1.26.Changes
go.work+ all modulego.mod(client,plugin,plugins/credentialhelper,plugins/pass,store,x):go 1.25.11→1.25.12store/docker-bake.hcl: bumped the stale standalone fallback defaultGO_VERSIONfrom1.24→1.25.12CI (
go-version-file: go.work) and Docker builds (GO_VERSIONderived fromgo.workvia theMakefile) pick up the new version automatically.Verification
All 6 workspace modules build clean (
go build ./...per module).🤖 Generated with Claude Code