Update dependencies and address CVEs #1004
Merged
merged 1 commit into from
Mar 13, 2025
Conversation


@jjngx jjngx commented Mar 13, 2025

Proposed changes

This PR updates dependencies and addresses security issues (CVEs):

https://pkg.go.dev/vuln/GO-2025-3503
https://pkg.go.dev/vuln/GO-2025-3488
https://pkg.go.dev/vuln/GO-2025-3487

Before update:

➜  nginx-prometheus-exporter git:(main) govulncheck -show verbose -mode binary  nginx-prometheus-exporter
Scanning your binary for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the binary against the vulnerabilities...

The package pattern matched the following root package:
  github.com/nginx/nginx-prometheus-exporter
Govulncheck scanned the following 25 modules and the go1.24.0 standard library:
  github.com/nginx/nginx-prometheus-exporter@v1.4.2-0.20250307061232-2871b8d6d868
  github.com/alecthomas/kingpin/v2@v2.4.0
  github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137
  github.com/beorn7/perks@v1.0.1
  github.com/cespare/xxhash/v2@v2.3.0
  github.com/coreos/go-systemd/v22@v22.5.0
  github.com/jpillora/backoff@v1.0.0
  github.com/klauspost/compress@v1.17.11
  github.com/mdlayher/vsock@v1.2.1
  github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822
  github.com/mwitkow/go-conntrack@v0.0.0-20190716064945-2f068394615f
  github.com/nginx/nginx-plus-go-client/v2@v2.3.0
  github.com/prometheus/client_golang@v1.21.1
  github.com/prometheus/client_model@v0.6.1
  github.com/prometheus/common@v0.62.0
  github.com/prometheus/exporter-toolkit@v0.14.0
  github.com/xhit/go-str2duration/v2@v2.1.0
  golang.org/x/crypto@v0.32.0
  golang.org/x/net@v0.34.0
  golang.org/x/oauth2@v0.25.0
  golang.org/x/sync@v0.10.0
  golang.org/x/sys@v0.29.0
  golang.org/x/text@v0.21.0
  google.golang.org/protobuf@v1.36.1
  gopkg.in/yaml.v2@v2.4.0

=== Symbol Results ===

Vulnerability #1: GO-2025-3503
    HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3503
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.34.0
    Fixed in: golang.org/x/net@v0.36.0
    Vulnerable symbols found:
      #1: httpproxy.config.useProxy
      #2: httpproxy.domainMatch.match
      #3: proxy.Dial
      #4: proxy.FromEnvironment
      #5: proxy.FromEnvironmentUsing
      Use '-show traces' to see the other 3 found symbols

Vulnerability #2: GO-2025-3488
    Unexpected memory consumption during token parsing in golang.org/x/oauth2
  More info: https://pkg.go.dev/vuln/GO-2025-3488
  Module: golang.org/x/oauth2
    Found in: golang.org/x/oauth2@v0.25.0
    Fixed in: golang.org/x/oauth2@v0.27.0
    Vulnerable symbols found:
      #1: jws.Verify

Vulnerability #3: GO-2025-3487
    Potential denial of service in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2025-3487
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.32.0
    Fixed in: golang.org/x/crypto@v0.35.0
    Vulnerable symbols found:
      #1: ssh.Client.Dial
      #2: ssh.Client.DialContext
      #3: ssh.Client.DialTCP
      #4: ssh.Client.Listen
      #5: ssh.Client.ListenTCP
      Use '-show traces' to see the other 48 found symbols

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 3 vulnerabilities from 3 modules.
This scan found no other vulnerabilities in packages you import or modules you
require.

After the update:

➜  nginx-prometheus-exporter git:(chore/update-dependencies) ✗ govulncheck -show verbose -mode binary  nginx-prometheus-exporter
Scanning your binary for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the binary against the vulnerabilities...

The package pattern matched the following root package:
  github.com/nginx/nginx-prometheus-exporter
Govulncheck scanned the following 25 modules and the go1.24.0 standard library:
  github.com/nginx/nginx-prometheus-exporter@v1.4.2-0.20250307061232-2871b8d6d868+dirty
  github.com/alecthomas/kingpin/v2@v2.4.0
  github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137
  github.com/beorn7/perks@v1.0.1
  github.com/cespare/xxhash/v2@v2.3.0
  github.com/coreos/go-systemd/v22@v22.5.0
  github.com/jpillora/backoff@v1.0.0
  github.com/klauspost/compress@v1.17.11
  github.com/mdlayher/vsock@v1.2.1
  github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822
  github.com/mwitkow/go-conntrack@v0.0.0-20190716064945-2f068394615f
  github.com/nginx/nginx-plus-go-client/v2@v2.3.0
  github.com/prometheus/client_golang@v1.21.1
  github.com/prometheus/client_model@v0.6.1
  github.com/prometheus/common@v0.62.0
  github.com/prometheus/exporter-toolkit@v0.14.0
  github.com/xhit/go-str2duration/v2@v2.1.0
  golang.org/x/crypto@v0.35.0
  golang.org/x/net@v0.36.0
  golang.org/x/oauth2@v0.27.0
  golang.org/x/sync@v0.11.0
  golang.org/x/sys@v0.30.0
  golang.org/x/text@v0.22.0
  google.golang.org/protobuf@v1.36.1
  gopkg.in/yaml.v2@v2.4.0

No vulnerabilities found.

Note that the security fixes in the indirect dependencies require bumping the Go version to v1.23.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING guide
  • I have proven my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have ensured the README is up to date
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch on my own fork
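The before/after scans above are the evidence that the bumps actually close the three findings. As an added example (not code from the PR or from the exporter project), here is a small Go program that parses the `govulncheck -show verbose` text into findings and decides from the "Found in" / "Fixed in" versions which modules still need a bump; the sample input is constructed from the scan output above, and ParseGovulncheck, NeedsBump and Finding are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: two findings cut down from the PR's "before update" scan.
const SampleBefore = `Vulnerability #1: GO-2025-3503
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.34.0
    Fixed in: golang.org/x/net@v0.36.0
Vulnerability #2: GO-2025-3488
  Module: golang.org/x/oauth2
    Found in: golang.org/x/oauth2@v0.25.0
    Fixed in: golang.org/x/oauth2@v0.27.0`
// Finding is one "Vulnerability #N" block of govulncheck -show verbose output.
type Finding struct{ ID, Module, Found, Fixed string }
// ParseGovulncheck extracts ID, module and found/fixed versions for each finding.
func ParseGovulncheck(out string) (fs []Finding) {
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		ver := line[strings.LastIndex(line, "@")+1:] // text after '@', if any
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			fs = append(fs, Finding{ID: line[strings.LastIndex(line, " ")+1:]})
		case len(fs) == 0: // header/module list before the first finding: skip
		case strings.HasPrefix(line, "Module: "):
			fs[len(fs)-1].Module = strings.TrimPrefix(line, "Module: ")
		case strings.HasPrefix(line, "Found in: "):
			fs[len(fs)-1].Found = ver
		case strings.HasPrefix(line, "Fixed in: "):
			fs[len(fs)-1].Fixed = ver
		}
	}
	return fs
}

// NeedsBump is true when found is an older vMAJOR.MINOR.PATCH than fixed.
func NeedsBump(found, fixed string) bool {
	var a, b [3]int // Sscanf stops after the patch number, so "-0.2025...+dirty" suffixes are ignored
	fmt.Sscanf(strings.TrimPrefix(found, "v"), "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(strings.TrimPrefix(fixed, "v"), "%d.%d.%d", &b[0], &b[1], &b[2])
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}
func main() {
	for _, f := range ParseGovulncheck(SampleBefore) {
		fmt.Printf("%s %s %s -> %s bump: %t\n", f.ID, f.Module, f.Found, f.Fixed, NeedsBump(f.Found, f.Fixed))
	}
}
```

Feeding the "after the update" output (which contains no "Vulnerability #" block) yields no findings, which is the pass condition a CI gate would check.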

@jjngx jjngx requested a review from a team as a code owner March 13, 2025 11:20
@github-actions github-actions bot added the dependencies (Pull requests that update a dependency file) and chore (Pull requests for routine tasks) labels Mar 13, 2025
@jjngx jjngx merged commit e3c6abe into main Mar 13, 2025
15 checks passed
@jjngx jjngx deleted the chore/update-dependencies branch March 13, 2025 12:45
@ns-rtorre

Hi @javorszky @vepatel do you have any plans for tagging a new version anytime soon after this and other interesting PRs? Thanks a lot!

@jjngx
Contributor Author

jjngx commented Mar 25, 2025

Hi @javorszky @vepatel do you have any plans for tagging a new version anytime soon after this and other interesting PRs? Thanks a lot!

Hi @ns-rtorre, yes, we do plan to add a new tag very soon.
