chore(deps): bump Go to 1.25.9 [security] #961
govulncheck reports ten reachable stdlib vulnerabilities on main at the current Go 1.25.5 toolchain, spanning crypto/x509, crypto/tls, html/template, archive/tar, net/url and os. All are fixed in Go 1.25.9. The pinned nixos-25.11 revision only exposes Go 1.25.5, so this commit adds a dedicated nixpkgs-unstable input and overlays pkgs.go and pkgs.go_1_25 with unstable's go_1_25 (1.25.9). The go_1_25 override is needed because gomod2nix selects a Go toolchain by scanning pkgs.go_* attributes for one satisfying go.mod's minimum; without it the checks would fail to find a compatible version.

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
🧹 Nitpick comments (1)
flake.nix (1)
9-9: Consider documenting the exit criteria for `nixpkgs-unstable` usage. Could you add a brief TODO near this input/overlay explaining when it should be removed (e.g., once `nixos-25.11` provides `go_1_25 >= 1.25.9`)? It would make future dependency hygiene and backport decisions easier. Also applies to: 42-48
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@flake.nix` at line 9, add a short TODO comment next to the nixpkgs-unstable input (the nixpkgs-unstable.url line and the related input/overlay block around lines referenced) documenting the exit criteria for keeping this overlay: state that it should be removed once the stable channel (e.g., nixos-25.11) ships go_1_25 at or above version 1.25.9 (or when upstream provides the needed package), and include the rationale and a target version to guide future maintainers.
Backport failed for `release-2.2`. Please cherry-pick the changes locally and resolve any conflicts.

```shell
git fetch origin release-2.2
git worktree add -d .worktree/backport-961-to-release-2.2 origin/release-2.2
cd .worktree/backport-961-to-release-2.2
git switch --create backport-961-to-release-2.2
git cherry-pick -x 010b1470d75eb6d99e5b79b471357c403f80d499
```
Description of your changes

Mirrors crossplane/crossplane#7306 for crossplane-runtime.

`govulncheck` reports ten reachable stdlib vulnerabilities on `main` with the current Go 1.25.5 toolchain, spanning `crypto/x509`, `crypto/tls`, `html/template`, `archive/tar`, `net/url` and `os`. All are fixed in Go 1.25.9.

Since the pinned `nixos-25.11` revision only exposes Go 1.25.5, this PR adds a dedicated `nixpkgs-unstable` input and overlays `pkgs.go` and `pkgs.go_1_25` with unstable's `go_1_25` (1.25.9). The `go_1_25` override is needed so `gomod2nix.buildGoApplication` can find a Go toolchain satisfying `go.mod`'s minimum. Re-running `govulncheck ./...` with the new toolchain reports "No vulnerabilities found".
Differences from crossplane/crossplane#7306

- No `apis/go.mod` to bump — crossplane-runtime has a single module.
- `inherit (…) go_1_25;` and `_final: _prev:` to pass `statix check` and `deadnix --fail` in the `nix-lint` flake check. These lints aren't wired into crossplane's CI upstream, so the original PR's naive form merged without issue; here they would fail `nix flake check` locally.

Fixes #
I have:

- Run `./nix.sh flake check` to ensure this PR is ready for review.
- Added or updated unit tests.
- Linked a PR or a docs tracking issue to document this change.
- Added `backport release-x.y` labels to auto-backport this PR.

Note: `release-2.1`, `release-2.0` and `release-1.20` still use Earthly, so they need to be handled separately rather than via auto-backport.
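The input-plus-overlay arrangement that the commit message and the description above outline, written out as an added illustration rather than the PR's own `flake.nix`. Only the `go`/`go_1_25` attribute names, the `inherit (…) go_1_25;` form and the `_final: _prev:` argument names come from the page; the input URLs, the `system` value, the `goOverlay` name and the `packages.default` output are assumptions made for this example.

```nix
{
  # Assumed input URLs: stable channel pinned to nixos-25.11, plus a
  # dedicated unstable input that already carries go_1_25 = 1.25.9.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, ... }:
    let
      system = "x86_64-linux";  # assumption for the example

      # Evaluate the unstable package set once so the overlay can pull
      # the patched toolchain out of it.
      unstable = import nixpkgs-unstable { inherit system; };

      # TODO(example): drop this overlay once nixos-25.11 ships go_1_25 >= 1.25.9.
      #
      # Both attributes are overridden on purpose:
      #   - pkgs.go is what ad-hoc builds and devShells pick up;
      #   - pkgs.go_1_25 is what gomod2nix finds when it scans pkgs.go_*
      #     for a toolchain satisfying the go.mod minimum, so leaving it
      #     at 1.25.5 would make the flake checks fail to find a match.
      # The arguments are named _final/_prev because the overlay does not
      # use them; the leading underscore keeps deadnix --fail and
      # statix check quiet about unused bindings.
      goOverlay = _final: _prev: {
        inherit (unstable) go_1_25;
        go = unstable.go_1_25;
      };

      pkgs = import nixpkgs {
        inherit system;
        overlays = [ goOverlay ];
      };
    in
    {
      # Exposing the toolchain lets `nix build .#default` and
      # `nix run .#default -- version` confirm that 1.25.9 is in use.
      packages.${system}.default = pkgs.go;
    };
}
```

After `nix flake update`, `nix run .#default -- version` should report the 1.25.9 toolchain; running `govulncheck ./...` inside a devShell built from `pkgs` is the check that confirms the reachable stdlib findings are gone.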