feat(RDODCP-312): Upstream sync v1.11.3 and dependabots updates

[samartha-pm]

🔄 Upstream Sync v1.11.3

📋 Summary

This PR synchronizes the OutSystems Chisel fork with upstream changes and includes dependency updates.
Note: Upstream unsigned commits have been GPG-signed to ensure OutSystems compliance. Commits were cherry-picked selectively to keep the history clean instead of including all upstream commits. (Refer commit history)

🔧 Changes Made

🚀 Updates from upstream

• Go Version Bump: Updated from Go 1.24.x to Go 1.25.1
• Dependencies Update: Updated all Go dependencies via Dependabot
• Environment Variable Fix: Fixed CHISEL_KEY environment variable being ignored when --keyfile flag is not set (#571)

🔐 Security Fix

• Dockerfile Update: Added RUN apk update && apk upgrade to resolve CVE-2025-9230 (HIGH severity)
  • Issue: OpenSSL vulnerability in Alpine base image (libcrypto3/libssl3 v3.5.1-r0)
  • Fix: Upgrades OpenSSL to v3.5.4-r0, eliminating HIGH severity vulnerabilities
  • Impact: Customer-blocking release required immediate security resolution

🔄 Dependency Updates

Updated the following dependencies to their latest versions:

• golang.org/x/crypto → v0.42.0 (latest)
• golang.org/x/net → v0.44.0 (latest)
• golang.org/x/sync → v0.17.0 (latest)
• golang.org/x/sys → v0.36.0 (latest, indirect)
• golang.org/x/text → v0.29.0 (latest, indirect)

✅ Tests

Security Scan Results:

• Before: 2 HIGH, 4 MEDIUM, 6 LOW vulnerabilities
• After: 0 HIGH, 0 MEDIUM, 6 LOW vulnerabilities ✅

Local Image Grype/Trivy scan reports shown no High/critical vulnerabities.

Local connection testing using PR commit hash with Cloud-Connector:

📁 Files Changed

• go.mod - Go version and dependency updates
• go.sum - Dependency checksums updated
• main.go - Environment variable handling improvements
• test/e2e/env_key_test.go - New comprehensive tests
• README.md - Documentation updates
• goreleaser.yml - Retained OutSystems version
• Dockerfile - Added security updates (apk upgrade) to fix OpenSSL vulnerability

[cssecautomation]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)

[laurahuysamen]

Is this testing our version of chisel or jpillora's version?

[samartha-pm]

good catch! but the tests are actually testing our OutSystems version.
We have a replace directive in go.mod that redirects all github.com/jpillora/chisel imports to use our local code instead. So even though the import paths show the upstream repo, Go automatically uses our OutSystems fork when running the tests.