
fix: bump go directive to 1.25.7 to resolve stdlib CVEs#926

Open
willyguggenheim wants to merge 1 commit into databus23:master from willyguggenheim:fix/go-version-cve

Conversation

@willyguggenheim

Summary

  • Bump go directive in go.mod from 1.25.0 to 1.25.7 to ensure release binaries are compiled with a patched Go toolchain

Motivation

Go 1.25.0 is affected by several stdlib CVEs including CVE-2025-58183. When helm plugin install downloads the pre-built release binary, trivy flags it because the binary embeds the vulnerable Go stdlib. Bumping the go directive ensures the next release is compiled with Go 1.25.7 which includes all patches.

Test plan

  • go mod tidy runs clean
  • go build succeeds
  • All tests pass (4/4 packages)

Go 1.25.0 is affected by CVE-2025-58183 and other Go stdlib
vulnerabilities. Bumping to 1.25.7 ensures release binaries
are compiled with a patched toolchain.
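A go directive is only a lower bound on the language version; what actually determines which stdlib ends up in a release binary is the toolchain that built it, which Go stamps into the binary and `go version -m` prints. The following program is an added example, not code from this PR or from the helm-diff project: it reads the `go` and `toolchain` directives out of a go.mod, compares them numerically against a minimum patch level, and checks the toolchain version embedded in any compiled binaries passed on the command line via the standard library's `debug/buildinfo`. The minimum `1.25.7` is taken from the PR description; function names, the constructed go.mod text in the comments, and the strict rejection of pre-release strings such as `1.25rc1` are this example's own choices.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goModDirectives returns the values of the "go" and (optional) "toolchain"
// directives in go.mod source text, e.g. "1.25.7" and "go1.25.7".
// Trailing "//" comments are ignored; lines inside require blocks never
// have "go" as their first field, so they are skipped naturally.
func goModDirectives(src string) (goVer, toolchain string, err error) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		switch f[0] {
		case "go":
			goVer = f[1]
		case "toolchain":
			toolchain = f[1]
		}
	}
	if goVer == "" {
		return "", "", errors.New("go.mod has no go directive")
	}
	return goVer, toolchain, nil
}

// parseGoVersion turns "1.25.7", "1.25" or "go1.25.7" into major/minor/patch.
// A missing patch component is 0 (so "1.25" sorts below "1.25.1"). Pre-release
// forms such as "1.25rc1" or "devel go1.26-abc" are rejected, not guessed at.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// versionAtLeast reports whether have >= minVer, comparing numerically
// (a string compare would rank "1.25.10" below "1.25.7").
func versionAtLeast(have, minVer string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	m, err := parseGoVersion(minVer)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != m[i] {
			return h[i] > m[i], nil
		}
	}
	return true, nil
}

// binaryGoVersion reads the toolchain version stamped into a compiled Go
// binary (the same data `go version -m` prints) and checks it against minVer.
// This is the check that matters for a downloaded release artifact.
func binaryGoVersion(path, minVer string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := versionAtLeast(bi.GoVersion, minVer)
	return bi.GoVersion, ok, err
}

func main() {
	const minVer = "1.25.7" // assumed minimum patched toolchain, from the PR description
	if src, err := os.ReadFile("go.mod"); err == nil {
		goVer, tc, derr := goModDirectives(string(src))
		if derr != nil {
			fmt.Println("go.mod:", derr)
		} else {
			ok, _ := versionAtLeast(goVer, minVer)
			fmt.Printf("go.mod: go %s (toolchain %q) >= %s: %v\n", goVer, tc, minVer, ok)
		}
	}
	for _, p := range os.Args[1:] { // e.g. ./bin/diff after `helm plugin install`
		v, ok, err := binaryGoVersion(p, minVer)
		if err != nil {
			fmt.Println(p+":", err)
			continue
		}
		fmt.Printf("%s: built with %s, >= %s: %v\n", p, v, minVer, ok)
	}
}
```

Run it from the module root with the release binary as an argument to see both answers side by side. Note the caveat the directive bump relies on: with the default `GOTOOLCHAIN=auto` (Go 1.21 and later) an older local toolchain downloads 1.25.7 to satisfy `go 1.25.7`, so the directive does steer the build; under `GOTOOLCHAIN=local` the build fails instead of silently using the old stdlib, which is the safer failure for a release pipeline. Either way, only the `GoVersion` embedded in the shipped artifact proves which stdlib it carries.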