Pin Go toolchain to 1.25.9 and bump x/net to 0.51.0

Clears 11 govulncheck findings on release/5.1:
- 10 in the Go standard library (crypto/x509 auth bypass and panics,
  crypto/tls TLS 1.3 KeyUpdate DoS, archive/tar unbounded allocation,
  html/template XSS, os.Root filesystem escape, net/url IPv6 parse) —
  fixed by 1.25.9
- 1 in golang.org/x/net (HTTP/2 frame panic, GO-2026-4559) —
  fixed by 0.51.0

CI uses go-version-file: go.mod with setup-go@v5, which honors the
toolchain directive, so workflow builds will pick up 1.25.9.

Verified govulncheck reports no vulnerabilities and full Go test
suite outcome is unchanged from the v5.1.28 baseline (the
TestSetupScriptTokenLifecycleIntegration_PVE failures are pre-existing
on release/5.1 and unrelated to the bump).
This commit is contained in:
rcourtman 2026-04-30 10:05:46 +01:00
parent 570fd31548
commit 94b5bb1b28
2 changed files with 5 additions and 3 deletions

4
go.mod
View file

@ -2,6 +2,8 @@ module github.com/rcourtman/pulse-go-rewrite
go 1.25.0
toolchain go1.25.9
require (
github.com/IGLOU-EU/go-wildcard/v2 v2.1.0
github.com/coreos/go-oidc/v3 v3.17.0
@ -98,7 +100,7 @@ require (
go.opentelemetry.io/otel/trace v1.43.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.50.0 // indirect
golang.org/x/net v0.51.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/time v0.14.0 // indirect
google.golang.org/protobuf v1.36.11 // indirect

4
go.sum
View file

@ -235,8 +235,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=