
chore(deps): bump Go to 1.25.9 [security]#961

Merged
phisco merged 1 commit into
crossplane:mainfrom
phisco:chore/bump-go-1.25.9
Apr 15, 2026

Conversation

@phisco

@phisco phisco commented Apr 15, 2026


Description of your changes

Mirrors crossplane/crossplane#7306 for crossplane-runtime.

govulncheck reports ten reachable stdlib vulnerabilities on main with
the current Go 1.25.5 toolchain, spanning crypto/x509, crypto/tls,
html/template, archive/tar, net/url and os. All are fixed in Go
1.25.9.

Since the pinned nixos-25.11 revision only exposes Go 1.25.5, this PR
adds a dedicated nixpkgs-unstable input and overlays pkgs.go and
pkgs.go_1_25 with unstable's go_1_25 (1.25.9). The go_1_25
override is needed so gomod2nix.buildGoApplication can find a Go
toolchain satisfying go.mod's minimum.

Re-running govulncheck ./... with the new toolchain reports "No
vulnerabilities found".

Differences from crossplane/crossplane#7306

  • No apis/go.mod to bump — crossplane-runtime has a single module.
  • The overlay uses inherit (…) go_1_25; and _final: _prev: to pass
    statix check and deadnix --fail in the nix-lint flake check.
    These lints aren't wired into crossplane's CI upstream, so the
    original PR's naive form merged without issue; here they would fail
    nix flake check locally.


Note: release-2.1, release-2.0 and release-1.20 still use Earthly,
so they need to be handled separately rather than via auto-backport.

govulncheck reports ten reachable stdlib vulnerabilities on main at the
current Go 1.25.5 toolchain, spanning crypto/x509, crypto/tls, html/
template, archive/tar, net/url and os. All are fixed in Go 1.25.9.

The pinned nixos-25.11 revision only exposes Go 1.25.5, so this commit
adds a dedicated nixpkgs-unstable input and overlays pkgs.go and
pkgs.go_1_25 with unstable's go_1_25 (1.25.9). The go_1_25 override is
needed because gomod2nix selects a Go toolchain by scanning pkgs.go_*
attributes for one satisfying go.mod's minimum; without it the checks
would fail to find a compatible version.

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
@phisco phisco requested a review from a team as a code owner April 15, 2026 10:36
@phisco phisco requested a review from bobh66 April 15, 2026 10:36
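The overlay the description talks about, written out as an added illustration. This is not crossplane-runtime's flake.nix (the diff itself is not shown on this page); the input names, the use of flake-utils, the `packages.default` and `checks` attributes and the `gomod2nix.toml` path are assumptions made for the example. What it does mirror from the description is the mechanism: a dedicated `nixpkgs-unstable` input, an overlay that replaces both `pkgs.go` and `pkgs.go_1_25` with unstable's `go_1_25`, `inherit (…) go_1_25;` and `_final: _prev:` to keep statix and deadnix quiet, and the overlay applied alongside `gomod2nix.overlays.default`.

```nix
{
  description = "Example: source a newer go_1_25 from nixpkgs-unstable (illustrative flake, not the project's)";

  inputs = {
    # Stable channel pinned for everything else; at this revision it only exposes Go 1.25.5.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    # Dedicated unstable input used solely to obtain a newer go_1_25.
    # TODO: drop this input and goOverlay once nixos-25.11 ships go_1_25 >= 1.25.9.
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";   # assumption: not stated on the page
    gomod2nix = {
      url = "github:nix-community/gomod2nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, gomod2nix }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        unstable = import nixpkgs-unstable { inherit system; };

        # Replace both pkgs.go and pkgs.go_1_25 with unstable's go_1_25.
        # pkgs.go_1_25 must be overridden as well: gomod2nix selects a toolchain by
        # scanning pkgs.go_* for one satisfying the go directive in go.mod, so
        # overriding pkgs.go alone would still leave it picking stable's 1.25.5.
        # `_final: _prev:` (unused args prefixed with `_`) passes `deadnix --fail`;
        # `inherit (unstable) go_1_25;` rather than `go_1_25 = unstable.go_1_25;`
        # passes statix's manual-inherit lint.
        goOverlay = _final: _prev: {
          inherit (unstable) go_1_25;
          go = unstable.go_1_25;
        };

        pkgs = import nixpkgs {
          inherit system;
          overlays = [ gomod2nix.overlays.default goOverlay ];
        };
      in
      {
        # gomod2nix.buildGoApplication now finds go_1_25 = 1.25.9 in the scan.
        packages.default = pkgs.buildGoApplication {
          pname = "example";            # assumption: placeholder package
          version = "0.0.0";
          src = ./.;
          modules = ./gomod2nix.toml;   # assumption: path to the gomod2nix lock file
        };

        # Guard against the overlay silently regressing (e.g. an input bump that
        # drops it): fail `nix flake check` if the toolchain is not 1.25.9.
        checks.go-toolchain-version = pkgs.runCommand "go-toolchain-version" { } ''
          ${pkgs.go}/bin/go version | tee "$out"
          grep -q 'go1\.25\.9' "$out"
        '';

        # Dev shell with the same toolchain plus govulncheck, so the "No
        # vulnerabilities found" re-check runs against the overlaid Go.
        devShells.default = pkgs.mkShell {
          packages = [ pkgs.go pkgs.gomod2nix pkgs.govulncheck ];
        };
      });
}
```

Inside the dev shell, `go version` should report the overlaid toolchain before `govulncheck ./...` is trusted; govulncheck reports findings relative to the toolchain it finds on PATH, so running it against a stale `go` gives a stale answer. The `checks.go-toolchain-version` attribute exists to make that drift fail CI rather than go unnoticed.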
@coderabbitai

coderabbitai Bot commented Apr 15, 2026

Contributor
📝 Walkthrough

Walkthrough

The flake.nix configuration file is updated to introduce a new input source for the unstable nixpkgs repository and configure the Nix overlays to use Go 1.25 from that unstable channel alongside the existing gomod2nix overlay.

Changes

Cohort / File(s) Summary
Flake Configuration
flake.nix
Added nixpkgs-unstable input pointing to the unstable nixpkgs channel and integrated it into the outputs function. Created a custom overlay that overrides the go package to use go_1_25 from nixpkgs-unstable, applied alongside the existing gomod2nix.overlays.default.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and descriptively summarizes the main change—bumping Go to 1.25.9 for security fixes—and stays well within the 72-character limit.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the security vulnerabilities, the rationale for the Go upgrade, and implementation details.
Breaking Changes ✅ Passed PR exclusively modifies infrastructure and configuration files with no changes to Go source code or public APIs.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
flake.nix (1)

9-9: Consider documenting the exit criteria for nixpkgs-unstable usage.

Could you add a brief TODO near this input/overlay explaining when it should be removed (e.g., once nixos-25.11 provides go_1_25 >= 1.25.9)? It would make future dependency hygiene and backport decisions easier.

Also applies to: 42-48

📥 Commits

Reviewing files that changed from the base of the PR and between a6564dd and 010b147.

⛔ Files ignored due to path filters (2)
  • flake.lock is excluded by !**/*.lock and included by none
  • go.mod is excluded by none and included by none
📒 Files selected for processing (1)
  • flake.nix

@phisco phisco merged commit 465ef87 into crossplane:main Apr 15, 2026
10 checks passed
@github-actions


Backport failed for release-2.2, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-2.2
git worktree add -d .worktree/backport-961-to-release-2.2 origin/release-2.2
cd .worktree/backport-961-to-release-2.2
git switch --create backport-961-to-release-2.2
git cherry-pick -x 010b1470d75eb6d99e5b79b471357c403f80d499
