chore(deps): bump Go to 1.25.9 [security] (release-2.0) #964

Merged
phisco merged 2 commits into crossplane:release-2.0 from phisco:chore/bump-go-1.25.9-release-2.0 on Apr 16, 2026

Conversation

@phisco phisco commented Apr 15, 2026

Contributor

Description of your changes

Mirrors #961 for release-2.0, adapted for Earthly.

govulncheck reports 5 reachable stdlib vulnerabilities on this branch
with the current Go 1.24.4 toolchain:

ID            Package
GO-2026-4947  crypto/x509 (chain-building DoS)
GO-2026-4946  crypto/x509 (policy validation)
GO-2026-4870  crypto/tls (KeyUpdate DoS)
GO-2026-4865  html/template (XSS)
GO-2026-4601  net/url

Go 1.24 went end-of-life on 2026-02-10 (when 1.26.0 shipped) and did
not receive the April 2026 security batch — those fixes only landed in
1.25.9 and 1.26.2. The latest 1.24 release (1.24.13, 2026-02-04) does
not resolve these, so this PR does a minor version bump to 1.25.9
rather than a patch bump.

This differs from crossplane's release-2.0 bump
(crossplane/crossplane#7304), which was patch-level (1.25.6 → 1.25.9)
because that branch was already on the 1.25 line.

Commits

  1. Bump Go to 1.25.9 to fix stdlib CVEs
    Earthfile `GO_VERSION=1.24.4 → 1.25.9`, `go.mod` `go 1.24.0 →
    1.25.9`, and golangci-lint `v2.2.1 → v2.11.4` (v2.2.1 was built
    with Go 1.24 and refuses to lint `go 1.25.9` targets).

  2. Apply golangci-lint v2.11.4 compliance fixes — bumping
    golangci-lint surfaces new checks against existing code. Resolved
    in a single pass:

    • gocritic deprecatedComment: inserts a blank line between the
      description paragraph and `// Deprecated:` notices so they form
      a dedicated paragraph.
    • godoclint package-godoc duplication: removes the duplicate
      `// Package X` comment from `event_test.go` and
      `namespaced_reference.go`; the canonical comment stays on the
      package's primary file.
    • staticcheck SA1019: adds targeted `//nolint:staticcheck`
      comments on the legitimate internal uses of the now-properly-marked
      deprecated types.
    • `golangci-lint run --fix` auto-fixes: modernises a number of
      idioms enabled by the Go 1.25 bump (`interface{}` → `any`,
      `strings.Split` → `strings.SplitSeq`, small whitespace
      adjustments). Earthfile's `+lint` target saves these back to
      the tree, so they have to land on disk or `check-diff` flags
      the difference.

Downstream impact

Bumping the `go` directive in `go.mod` to 1.25.9 forces consumers
of release-2.0 to Go ≥ 1.25. If that's too disruptive for a patch
release, we can drop the `go.mod` change (and the golangci-lint bump,
which only becomes necessary because of it); our CI binaries would
still pick up the Go fixes, but consumers would need to upgrade their
own toolchain to actually benefit.

Fixes #

I have:

  • Read and followed Crossplane's contribution process.
  • Run `earthly +reviewable` to ensure this PR is ready for review.
  • Added or updated unit tests.
  • Linked a PR or a [docs tracking issue] to [document this change].
  • Added `backport release-x.y` labels to auto-backport this PR.
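The "Downstream impact" paragraph above turns on a version-gating rule: the Earthfile toolchain must satisfy the `go` directive in `go.mod`, and both must sit at or above the first release that actually carries the April 2026 fixes on their minor line (1.25.9 or 1.26.2, per the description; the 1.24 line has no such release). The following Go program is an added example, not code from the Crossplane repository or this PR; the Earthfile and go.mod contents are constructed stand-ins, and the `minPatched` table is taken from the PR text rather than from any registry.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-ins for the two files this PR edits (hypothetical
// contents, not copied from the repository).
const sampleEarthfile = `VERSION 0.8
ARG --global GO_VERSION=1.25.9
FROM golang:${GO_VERSION}
`

const sampleGoMod = `module example.com/hypothetical

go 1.25.9
`

// minPatched maps a Go minor line to the first release carrying the April
// 2026 stdlib fixes, as stated in the PR description. Lines with no entry
// (1.24 and older) are end-of-life and never received the fixes.
var minPatched = map[int]string{25: "1.25.9", 26: "1.26.2"}

type goVersion [3]int // major, minor, patch

// parseGoVersion accepts "1.25.9", "go1.25.9" or "1.25" (patch defaults to 0).
func parseGoVersion(s string) (goVersion, error) {
	var v goVersion
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("malformed Go version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("malformed Go version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

func (a goVersion) less(b goVersion) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// goModDirective returns the value of the first "go X.Y.Z" line in a go.mod.
func goModDirective(goMod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			return fields[1], nil
		}
	}
	return "", errors.New("go.mod has no go directive")
}

// earthfileToolchain returns the GO_VERSION value declared by an Earthfile ARG.
func earthfileToolchain(earthfile string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(earthfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "ARG ") {
			continue
		}
		if _, val, ok := strings.Cut(line, "GO_VERSION="); ok {
			if f := strings.Fields(val); len(f) > 0 {
				return f[0], nil
			}
		}
	}
	return "", errors.New("Earthfile declares no GO_VERSION")
}

// CheckToolchain enforces the stricter option the PR took: the build
// toolchain must not be older than the go.mod directive, and both must be at
// or above the patched release for their minor line. A minor line absent from
// minPatched is rejected outright, which is what rules out 1.24.13.
func CheckToolchain(earthfile, goMod string) error {
	tcStr, err := earthfileToolchain(earthfile)
	if err != nil {
		return err
	}
	tc, err := parseGoVersion(tcStr)
	if err != nil {
		return err
	}
	modStr, err := goModDirective(goMod)
	if err != nil {
		return err
	}
	mod, err := parseGoVersion(modStr)
	if err != nil {
		return err
	}
	if tc.less(mod) {
		return fmt.Errorf("toolchain %s is older than go.mod directive %s", tcStr, modStr)
	}
	for _, c := range []struct {
		label string
		ver   goVersion
		raw   string
	}{{"toolchain", tc, tcStr}, {"go.mod", mod, modStr}} {
		floor, ok := minPatched[c.ver[1]]
		if !ok {
			return fmt.Errorf("%s %s is on an end-of-life line with no patched release", c.label, c.raw)
		}
		f, _ := parseGoVersion(floor) // table values are well-formed by construction
		if c.ver.less(f) {
			return fmt.Errorf("%s %s predates patched release %s", c.label, c.raw, floor)
		}
	}
	return nil
}

func main() {
	if err := CheckToolchain(sampleEarthfile, sampleGoMod); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("toolchain and go.mod are on a patched Go release")
}
```

Running it against the constructed files passes; swapping the Earthfile's `GO_VERSION` to 1.24.13 fails on the end-of-life check, and a 1.25.6 toolchain fails on the patched-release floor, which is the reasoning the PR gives for a minor rather than a patch bump.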

@phisco phisco requested a review from a team as a code owner April 15, 2026 16:05
@phisco phisco requested review from jbw976 and removed request for a team April 15, 2026 16:05
coderabbitai Bot commented Apr 15, 2026

Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


govulncheck reports five reachable stdlib vulnerabilities on this branch
at the current Go 1.24.4 toolchain, in crypto/x509, crypto/tls, html/
template and net/url. Go 1.24 went end-of-life on 2026-02-10 when
1.26.0 shipped and did not receive the April 2026 security batch, so
the fixes only exist in Go 1.25.9 and 1.26.2. The latest 1.24 release
(1.24.13) predates the batch and does not resolve these.

This commit therefore does a minor-version bump to 1.25.9 rather than
a patch bump, in both the Earthfile toolchain and the go.mod directive.
golangci-lint is bumped from v2.2.1 (built with Go 1.24) to v2.11.4
(first Go-1.25-built release was v2.9.0); without that, the lint job
errors with "the Go language version used to build golangci-lint is
lower than the targeted Go version".

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
@phisco phisco force-pushed the chore/bump-go-1.25.9-release-2.0 branch from 651c100 to 5bd586d Compare April 15, 2026 16:22
Bumping golangci-lint (see previous commit) surfaces new checks against
previously-passing code. This commit resolves them in a single pass:

- gocritic deprecatedComment: inserts a blank line between the
  description paragraph and `// Deprecated:` notices so they form a
  dedicated paragraph (gocritic, staticcheck SA1019 and godoc tooling
  all read the notice this way).
- godoclint package-godoc-duplication: removes the duplicate
  `// Package X` comments from `event_test.go` and
  `namespaced_reference.go`; the canonical comment stays on the
  package's primary file.
- staticcheck SA1019: adds targeted //nolint:staticcheck comments on
  the handful of legitimate internal uses of the now-properly-marked
  deprecated types (switch branch, type assertion in the PCU reconciler,
  test-only fields that exercise the legacy path).

golangci-lint's --fix also modernises a number of idioms enabled by the
Go 1.25 bump, mainly `interface{}` → `any` (usegeneric/intrange rules)
and `strings.Split` → `strings.SplitSeq` (Go 1.24+ iterator form) in
`pkg/parser`. These are auto-applied and saved back to the tree by the
Earthfile's +lint target, so they have to land on disk or `check-diff`
flags the difference.

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
(cherry picked from commit dee1db5)
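Both the PR description and the second commit message above describe the gocritic `deprecatedComment` fix: a `// Deprecated:` line glued to the description paragraph is not a notice that godoc, staticcheck SA1019 or gocritic recognise; it has to open a paragraph of its own. The program below is an added example, not code from the Crossplane repository or this PR. It parses a constructed Go file with `go/parser` and applies the standard library's own doc-comment parser (`go/doc/comment`) to show which declarations' notices are actually seen; the `sampleSource` declarations are invented for the demonstration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/doc/comment"
	"go/parser"
	"go/token"
	"strings"
)

// sampleSource is a constructed Go file (not from the repository) with one
// declaration per doc-comment style: notice glued to the description,
// notice in its own paragraph, no notice, and the paragraph form on a func.
const sampleSource = `package sample

// OldWidget is the legacy widget.
// Deprecated: use Widget instead.
type OldWidget struct{}

// LegacyWidget is the legacy widget.
//
// Deprecated: use Widget instead.
type LegacyWidget struct{}

// Widget is the current widget.
type Widget struct{}

// Build constructs a Widget.
//
// Deprecated: use NewWidget instead.
func Build() Widget { return Widget{} }
`

// declDocs returns the doc comment of each top-level type or function.
func declDocs(f *ast.File) map[string]*ast.CommentGroup {
	docs := map[string]*ast.CommentGroup{}
	for _, decl := range f.Decls {
		switch d := decl.(type) {
		case *ast.FuncDecl:
			docs[d.Name.Name] = d.Doc
		case *ast.GenDecl:
			for _, spec := range d.Specs {
				ts, ok := spec.(*ast.TypeSpec)
				if !ok {
					continue
				}
				doc := ts.Doc
				if doc == nil && len(d.Specs) == 1 {
					// Unparenthesised "type X ..." keeps its comment on the GenDecl.
					doc = d.Doc
				}
				docs[ts.Name.Name] = doc
			}
		}
	}
	return docs
}

// hasDeprecatedParagraph applies the go/doc convention: a notice counts only
// when "Deprecated:" begins a paragraph of its own, which is exactly what the
// blank line inserted by the lint fix produces.
func hasDeprecatedParagraph(doc *ast.CommentGroup) bool {
	if doc == nil {
		return false
	}
	var p comment.Parser
	for _, block := range p.Parse(doc.Text()).Content {
		para, ok := block.(*comment.Paragraph)
		if !ok || len(para.Text) == 0 {
			continue
		}
		if plain, ok := para.Text[0].(comment.Plain); ok && strings.HasPrefix(string(plain), "Deprecated:") {
			return true
		}
	}
	return false
}

// DeprecatedNotices parses src and reports, per top-level declaration, whether
// tooling will recognise a deprecation notice on it.
func DeprecatedNotices(src string) (map[string]bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for name, doc := range declDocs(f) {
		out[name] = hasDeprecatedParagraph(doc)
	}
	return out, nil
}

func main() {
	notices, err := DeprecatedNotices(sampleSource)
	if err != nil {
		panic(err)
	}
	for name, ok := range notices {
		fmt.Printf("%-13s deprecation notice recognised: %v\n", name, ok)
	}
}
```

On the constructed input `OldWidget` is reported as having no recognised notice even though the text says "Deprecated:", while `LegacyWidget` and `Build` are; that gap is why a glued notice silently escapes SA1019 and why the commit adds the blank line rather than a lint suppression.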
@phisco phisco merged commit 1e747d7 into crossplane:release-2.0 Apr 16, 2026
9 checks passed