Skip to content

fix(deps): bump Go 1.25.11 -> 1.25.12 for CVE-2026-39822, CVE-2026-42505#577

Merged
joe0BAB merged 2 commits into
mainfrom
fix/go-1.25.12-security
Jul 9, 2026
Merged

fix(deps): bump Go 1.25.11 -> 1.25.12 for CVE-2026-39822, CVE-2026-42505#577
joe0BAB merged 2 commits into
mainfrom
fix/go-1.25.12-security

Conversation

@Benehiko

@Benehiko Benehiko commented Jul 9, 2026

Copy link
Copy Markdown
Member

What

Bump Go 1.25.111.25.12 (latest patch on the 1.25 line) to pick up the Go security release.

Why

The release fixes two vulnerabilities:

Staying on the 1.25 line (vs. jumping to 1.26.5) keeps the go directive minor unchanged, so published modules (store, client, x) do not force consumers onto Go 1.26.

Changes

  • go.work + all module go.mod (client, plugin, plugins/credentialhelper, plugins/pass, store, x): go 1.25.111.25.12
  • store/docker-bake.hcl: bumped the stale standalone fallback default GO_VERSION from 1.241.25.12

CI (go-version-file: go.work) and Docker builds (GO_VERSION derived from go.work via the Makefile) pick up the new version automatically.

Verification

All 6 workspace modules build clean (go build ./... per module).

🤖 Generated with Claude Code



Go security release addresses:
- CVE-2026-39822: os.Root escape via symlink plus trailing slash
- CVE-2026-42505: crypto/tls Encrypted Client Hello privacy leak

Updates the go directive in go.work and all module go.mod files
(client, plugin, plugins/credentialhelper, plugins/pass, store, x).
CI (go-version-file: go.work) and Docker builds (GO_VERSION from
go.work via Makefile) pick this up automatically. Also bumps the
stale standalone fallback default in store/docker-bake.hcl from
1.24 to 1.25.12.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

Reviewed: Go version bump 1.25.111.25.12 across all 6 workspace modules and store/docker-bake.hcl standalone fallback fix.

Findings: None.

All modules (go.work, client/go.mod, plugin/go.mod, plugins/credentialhelper/go.mod, plugins/pass/go.mod, store/go.mod, x/go.mod) are updated consistently to go 1.25.12. The store/docker-bake.hcl correction from the stale "1.24" default to "1.25.12" is correct and improves consistency. No logic errors, missing updates, or version mismatches introduced by the + lines.

go work vendor records each local module's go directive in
vendor/modules.txt; regenerate so the Go Work Check CI gate
(go work sync/vendor clean) passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@joe0BAB joe0BAB merged commit 3139665 into main Jul 9, 2026
18 checks passed
@joe0BAB joe0BAB deleted the fix/go-1.25.12-security branch July 9, 2026 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants