Upgrade baton-sdk to v0.7.4 and Go to 1.25.x

[gontzess]

Summary

• Upgrade baton-sdk from v0.2.45 to v0.7.4
• Upgrade Go from 1.21.x to 1.25.2
• Add WithDefaultCapabilitiesConnectorBuilder for capabilities without config
• Update config to use struct-based field.Configuration API
• Remove main.yaml workflow (replaced by verify.yaml from baton-admin)

Test plan

• Build passes
• Tests pass
• Verify CI passes

[coderabbitai]

Warning

Rate limit exceeded

@gontzess has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Go toolchain upgraded from 1.22.2 to 1.25.2 with significant dependency version bumps including baton-sdk (v0.2.45 to v0.7.3), spf13/viper (v1.18.2 to v1.19.0), and protobuf (v1.34.1 to v1.36.5). Indirect dependencies substantially refactored with AWS SDK, OpenTelemetry, and other ecosystem components modernized.

Changes

Cohort / File(s)	Summary
Go Module Dependencies go.mod	Go toolchain: 1.22.2 → 1.25.2. Direct dependencies updated: baton-sdk v0.7.3, viper v1.19.0, protobuf v1.36.5. Indirect dependencies refactored: AWS SDK v2 components upgraded, jose v3 → v4, grpc-gateway, OpenTelemetry, and x/packages modernized across crypto, networking, and telemetry libraries. (+85/-62 lines)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops through the module garden with glee,
Dependencies sprouting from v-one to v-three,
Baton and viper, protobuf too,
Toolchain bounces from old paths to new,
Modernization whiskers all aquiver! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Upgrade baton-sdk to v0.7.4 and Go to 1.25.x' accurately reflects the main changes in the PR: upgrading baton-sdk and Go versions. However, the title specifies v0.7.4 while the actual upgrade is to v0.7.3, creating a minor discrepancy.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 110: The go.mod currently pins golang.org/x/oauth2 to v0.26.0 which is
vulnerable; update the module requirement to golang.org/x/oauth2 v0.27.0
(replace the existing golang.org/x/oauth2 v0.26.0 entry), then run dependency
hygiene (e.g., go get golang.org/x/[email protected] and go mod tidy) to update
go.sum and ensure the new version is resolved; finally run the test suite/build
to validate no regressions.
- Line 107: Update the module version for golang.org/x/crypto from v0.34.0 to
v0.47.0 in go.mod to include fixes for CVE-2025-22869, CVE-2025-47913,
CVE-2025-58181 and CVE-2025-47914; change the dependency entry referencing
golang.org/x/crypto to v0.47.0 and then run the Go tooling (eg. go get
golang.org/x/[email protected] && go mod tidy) to update go.sum and ensure the new
version is propagated throughout the build.
- Line 3: Update the module toolchain and vulnerable deps: change the Go version
directive from "go 1.25.2" to "go 1.25.6" and update the dependency versions for
golang.org/x/crypto and golang.org/x/oauth2 in go.mod (replace x/crypto v0.34.0
with v0.45.0 or later—prefer v0.47.0—and replace x/oauth2 v0.26.0 with v0.27.0
or later), then run "go mod tidy" and "go get" to ensure the lockfile/module
graph is updated and rebuild to verify no breakage (look for the go directive
and module lines referring to golang.org/x/crypto and golang.org/x/oauth2).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Go 1.25.2 release date stability January 2026

💡 Result:

• Go 1.25.2 release date: October 7, 2025. It’s an official minor (patch) release for the Go 1.25 stable branch and includes security fixes plus bug fixes. [1]
• Stability (as of January 2026): Go 1.25.x is a supported stable release line, but 1.25.2 is not the latest patch anymore. By mid‑January 2026 the latest 1.25 patch listed is Go 1.25.6 (released January 15, 2026), so for best stability/security in January 2026 you should generally use the newest 1.25.x patch available rather than 1.25.2. [2]

Sources:
[1] Go release history (go1.25.2 entry) https://golang.google.cn/doc/devel/release
[2] Go 1.25 branch latest patch info https://endoflife.date/go

---

🌐 Web query:

golang.org/x/crypto v0.34.0 vulnerabilities security

💡 Result:

golang.org/x/crypto v0.34.0 is affected by these known, fixed vulnerabilities (Go vulnerability database):

• CVE-2025-22869 / GO-2025-3487 (in golang.org/x/crypto/ssh): SSH servers implementing file transfer can be DoS’d via slow/incomplete key exchange. Fixed in v0.35.0 (v0.34.0 is affected). [1]
• CVE-2025-58181 / GO-2025-4134 (in golang.org/x/crypto/ssh): GSSAPI auth request parsing can cause unbounded memory consumption (DoS). Fixed in v0.45.0 (v0.34.0 is affected). [2]
• CVE-2025-47914 / GO-2025-4135 (in golang.org/x/crypto/ssh/agent): malformed agent messages can trigger a panic (out-of-bounds read). Fixed in v0.45.0 (v0.34.0 is affected). [3]

Recommendation: upgrade to >= v0.45.0 (covers the above), or preferably the current latest v0.47.0 (published Jan 12, 2026). [4]

Sources

1. https://pkg.go.dev/vuln/GO-2025-3487
2. https://pkg.go.dev/vuln/GO-2025-4134
3. https://pkg.go.dev/vuln/GO-2025-4135
4. https://pkg.go.dev/golang.org/x/crypto

---

🌐 Web query:

golang.org/x/oauth2 v0.26.0 vulnerabilities OSV

💡 Result:

golang.org/x/oauth2 v0.26.0 is affected by the following OSV vulnerability:

• GO-2025-3488 (aliases: CVE-2025-22868, GHSA-6v2p-p543-phr9) — Unexpected memory consumption during token parsing (DoS risk) when parsing a malicious malformed token. Affects golang.org/x/oauth2/jws (Verify). Fixed in v0.27.0 (all versions < 0.27.0 are affected). [1][2]

Recommendation: upgrade to golang.org/x/oauth2 v0.27.0 or later. [1][2]

Sources: [1] OSV entry GO-2025-3488, [2] Go vulnerability report GO-2025-3488.

---

Upgrade Go to 1.25.6 and address critical security vulnerabilities in x/crypto and x/oauth2.

Go 1.25.2 is outdated; the latest 1.25 patch as of January 2026 is 1.25.6 (released January 15, 2026). More critically, the current dependency versions contain HIGH severity vulnerabilities:

• golang.org/x/crypto v0.34.0: Contains CVE-2025-22869, CVE-2025-58181, and CVE-2025-47914 (SSH DoS and panic on malformed input). Upgrade to v0.45.0 or later (v0.47.0 latest as of January 12, 2026).
• golang.org/x/oauth2 v0.26.0: Contains CVE-2025-22868 (unbounded memory consumption during token parsing). Upgrade to v0.27.0 or later.

🤖 Prompt for AI Agents

In `@go.mod` at line 3, Update the module toolchain and vulnerable deps: change
the Go version directive from "go 1.25.2" to "go 1.25.6" and update the
dependency versions for golang.org/x/crypto and golang.org/x/oauth2 in go.mod
(replace x/crypto v0.34.0 with v0.45.0 or later—prefer v0.47.0—and replace
x/oauth2 v0.26.0 with v0.27.0 or later), then run "go mod tidy" and "go get" to
ensure the lockfile/module graph is updated and rebuild to verify no breakage
(look for the go directive and module lines referring to golang.org/x/crypto and
golang.org/x/oauth2).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

golang.org/x/crypto v0.34.0 security vulnerabilities GO-2025-3487 GO-2025-4116 patched version

💡 Result:

For golang.org/x/crypto v0.34.0:

• GO-2025-3487 (CVE-2025-22869) is fixed in v0.35.0 (affected: < v0.35.0). [1]
• GO-2025-4116 (CVE-2025-47913) is fixed in v0.43.0 (affected: < v0.43.0). [2]

Patched version that covers both vulnerabilities: upgrade to golang.org/x/crypto v0.43.0 or later. [2]

Sources: [1] https://pkg.go.dev/vuln/GO-2025-3487, [2] https://pkg.go.dev/vuln/GO-2025-4116

---

🌐 Web query:

golang.org/x/crypto latest version 2025 security updates

💡 Result:

Latest golang.org/x/crypto version (as of Jan 27, 2026)

• v0.47.0 (published Jan 12, 2026) is currently the latest version on pkg.go.dev. [1][2]

2025 security-related updates (what to upgrade to)

In 2025, the Go Security team tagged these notable security-fix versions:

• v0.35.0 (tagged Feb 24, 2025) — fixes CVE-2025-22869 (DoS in golang.org/x/crypto/ssh related to slow/incomplete key exchange / file transfer protocols). Upgrade to >= v0.35.0. [3][4]
• v0.43.0 (released Oct 8, 2025) — fixes CVE-2025-47913 (panic/termination in certain SSH agent response handling in golang.org/x/crypto/ssh/agent). Upgrade to >= v0.43.0. [2][7]
• v0.45.0 (tagged Nov 19, 2025) — fixes two issues:
  • CVE-2025-58181 (unbounded memory consumption in golang.org/x/crypto/ssh when parsing GSSAPI auth requests) [5][6]
  • CVE-2025-47914 (panic / out-of-bounds read in golang.org/x/crypto/ssh/agent due to missing message size validation) [5][6]

Practical recommendation

• If you want “latest and patched”: go get golang.org/x/crypto@latest (currently v0.47.0). [1][2]
• If you’re pinning specifically for the late-2025 security fixes: ensure >= v0.45.0. [5][6]

---

🏁 Script executed:

#!/bin/bash
# Search for golang.org/x/crypto in the repository to understand context
git ls-files | grep -E "go\.(mod|sum)$"

Repository: ConductorOne/baton-formal

Length of output: 82

---

Upgrade golang.org/x/crypto from v0.34.0 to v0.47.0 to address multiple critical security vulnerabilities.

The current version v0.34.0 is affected by 4 critical security vulnerabilities in the SSH and SSH agent packages:

• CVE-2025-22869 (GO-2025-3487): Denial of service via slow/incomplete key exchange – fixed in v0.35.0
• CVE-2025-47913 (GO-2025-4116): Panic in SSH agent response handling – fixed in v0.43.0
• CVE-2025-58181: Unbounded memory consumption in SSH GSSAPI auth – fixed in v0.45.0
• CVE-2025-47914: Out-of-bounds read panic in SSH agent – fixed in v0.45.0

Upgrade to v0.47.0 (latest, released Jan 12, 2026) to address all known vulnerabilities.

🧰 Tools

🪛 OSV Scanner (2.3.2)

[HIGH] 107-107: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

---

[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

🤖 Prompt for AI Agents

In `@go.mod` at line 107, Update the module version for golang.org/x/crypto from
v0.34.0 to v0.47.0 in go.mod to include fixes for CVE-2025-22869,
CVE-2025-47913, CVE-2025-58181 and CVE-2025-47914; change the dependency entry
referencing golang.org/x/crypto to v0.47.0 and then run the Go tooling (eg. go
get golang.org/x/[email protected] && go mod tidy) to update go.sum and ensure the
new version is propagated throughout the build.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GO-2025-3488 golang.org/x/oauth2 vulnerability

💡 Result:

GO-2025-3488 (aliases: CVE-2025-22868, GHSA-6v2p-p543-phr9) is a denial-of-service (DoS) issue in golang.org/x/oauth2, specifically golang.org/x/oauth2/jws.Verify: a malformed token can trigger unexpected / excessive memory consumption during parsing. [1][2]

• Affected: golang.org/x/oauth2 versions < v0.27.0 (the vulnerable code path is in oauth2/jws). [1][2]
• Fixed in: v0.27.0. [1][2]
• Mitigation: upgrade:

  go get golang.org/x/[email protected]
  go mod tidy

  (or otherwise ensure your build uses golang.org/x/oauth2 >= v0.27.0). [1][2]
• Upstream references (fix + discussion): Go change list and issue tracker. [1][2]

Sources
[1] https://osv.dev/vulnerability/GO-2025-3488
[2] https://pkg.go.dev/vuln/GO-2025-3488

---

🌐 Web query:

GHSA-6v2p-p543-phr9 vulnerability

💡 Result:

GHSA-6v2p-p543-phr9 is a Go vulnerability in golang.org/x/oauth2 (alias CVE-2025-22868 / GO-2025-3488) where an attacker can supply a malformed token that triggers unexpected/excessive memory consumption during parsing (DoS risk). It’s scored CVSS 7.5 (High). [1][2][3]

Affected: golang.org/x/oauth2 before v0.27.0 (notably golang.org/x/oauth2/jws, e.g., jws.Verify). [1][2]
Fixed: upgrade to golang.org/x/oauth2 v0.27.0 or later. [1][2]

Practical remediation (Go modules):

go get golang.org/x/[email protected]
go mod tidy

Sources: [1] [2] [3]

---

🏁 Script executed:

#!/bin/bash
# Check Go vulnerability database for golang.org/x/oauth2
# Using pkg.go.dev JSON API to get version information
curl -s "https://api.pkg.go.dev/golang.org/x/oauth2?tab=versions" || echo "API call attempt (may require different approach)"

# Also search for recent security advisories in Go ecosystem
rg "oauth2" . --type go -l | head -5

Repository: ConductorOne/baton-formal

Length of output: 333

---

Upgrade golang.org/x/oauth2 to v0.27.0 to fix critical DoS vulnerability.

golang.org/x/oauth2 v0.26.0 is affected by CVE-2025-22868 (GO-2025-3488 / GHSA-6v2p-p543-phr9), a high-severity denial-of-service vulnerability where a malformed token can trigger excessive memory consumption during parsing in jws.Verify. Upgrade to v0.27.0 or later:

golang.org/x/oauth2 v0.27.0

🧰 Tools

🪛 OSV Scanner (2.3.2)

[HIGH] 110-110: golang.org/x/oauth2 0.26.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 110-110: golang.org/x/oauth2 0.26.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

In `@go.mod` at line 110, The go.mod currently pins golang.org/x/oauth2 to v0.26.0
which is vulnerable; update the module requirement to golang.org/x/oauth2
v0.27.0 (replace the existing golang.org/x/oauth2 v0.26.0 entry), then run
dependency hygiene (e.g., go get golang.org/x/[email protected] and go mod tidy) to
update go.sum and ensure the new version is resolved; finally run the test
suite/build to validate no regressions.