
Conversation


@gontzess gontzess commented Jan 27, 2026

Summary

  • Upgrade baton-sdk from v0.2.45 to v0.7.4
  • Upgrade Go from 1.21.x to 1.25.2
  • Add WithDefaultCapabilitiesConnectorBuilder for capabilities without config
  • Update config to use struct-based field.Configuration API
  • Remove main.yaml workflow (replaced by verify.yaml from baton-admin)

Test plan

  • Build passes
  • Tests pass
  • Verify CI passes

@gontzess gontzess requested a review from a team January 27, 2026 15:47

coderabbitai bot commented Jan 27, 2026

Warning

Rate limit exceeded

@gontzess has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Go toolchain upgraded from 1.22.2 to 1.25.2 with significant dependency version bumps including baton-sdk (v0.2.45 to v0.7.3), spf13/viper (v1.18.2 to v1.19.0), and protobuf (v1.34.1 to v1.36.5). Indirect dependencies substantially refactored with AWS SDK, OpenTelemetry, and other ecosystem components modernized.

Changes

Cohort / File(s) Summary
Go Module Dependencies
go.mod
Go toolchain: 1.22.2 → 1.25.2. Direct dependencies updated: baton-sdk v0.7.3, viper v1.19.0, protobuf v1.36.5. Indirect dependencies refactored: AWS SDK v2 components upgraded, jose v3 → v4, grpc-gateway, OpenTelemetry, and x/packages modernized across crypto, networking, and telemetry libraries. (+85/-62 lines)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops through the module garden with glee,
Dependencies sprouting from v-one to v-three,
Baton and viper, protobuf too,
Toolchain bounces from old paths to new,
Modernization whiskers all aquiver!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Upgrade baton-sdk to v0.7.4 and Go to 1.25.x' accurately reflects the main changes in the PR: upgrading baton-sdk and Go versions. However, the title specifies v0.7.4 while the actual upgrade is to v0.7.3, creating a minor discrepancy.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 110: The go.mod currently pins golang.org/x/oauth2 to v0.26.0 which is
vulnerable; update the module requirement to golang.org/x/oauth2 v0.27.0
(replace the existing golang.org/x/oauth2 v0.26.0 entry), then run dependency
hygiene (e.g., go get golang.org/x/oauth2@v0.27.0 and go mod tidy) to update
go.sum and ensure the new version is resolved; finally run the test suite/build
to validate no regressions.
- Line 107: Update the module version for golang.org/x/crypto from v0.34.0 to
v0.47.0 in go.mod to include fixes for CVE-2025-22869, CVE-2025-47913,
CVE-2025-58181 and CVE-2025-47914; change the dependency entry referencing
golang.org/x/crypto to v0.47.0 and then run the Go tooling (e.g., go get
golang.org/x/crypto@v0.47.0 && go mod tidy) to update go.sum and ensure the new
version is propagated throughout the build.
- Line 3: Update the module toolchain and vulnerable deps: change the Go version
directive from "go 1.25.2" to "go 1.25.6" and update the dependency versions for
golang.org/x/crypto and golang.org/x/oauth2 in go.mod (replace x/crypto v0.34.0
with v0.45.0 or later—prefer v0.47.0—and replace x/oauth2 v0.26.0 with v0.27.0
or later), then run "go mod tidy" and "go get" to ensure the lockfile/module
graph is updated and rebuild to verify no breakage (look for the go directive
and module lines referring to golang.org/x/crypto and golang.org/x/oauth2).

go 1.22.0

toolchain go1.22.2
go 1.25.2
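Review bot: the `toolchain go1.22.2` directive is dropped in this hunk while the `go` directive moves to 1.25.2, and the previous floor shown here is 1.22.0, not the "1.21.x" the PR summary states; please reconcile the description, and consider keeping a `toolchain` line pinned to the intended 1.25 patch so CI and developer machines resolve the same Go build instead of any toolchain at or above 1.25.2.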

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Go 1.25.2 release date stability January 2026

💡 Result:

  • Go 1.25.2 release date: October 7, 2025. It’s an official minor (patch) release for the Go 1.25 stable branch and includes security fixes plus bug fixes. [1]
  • Stability (as of January 2026): Go 1.25.x is a supported stable release line, but 1.25.2 is not the latest patch anymore. By mid‑January 2026 the latest 1.25 patch listed is Go 1.25.6 (released January 15, 2026), so for best stability/security in January 2026 you should generally use the newest 1.25.x patch available rather than 1.25.2. [2]

Sources:
[1] Go release history (go1.25.2 entry) https://golang.google.cn/doc/devel/release
[2] Go 1.25 branch latest patch info https://endoflife.date/go


🌐 Web query:

golang.org/x/crypto v0.34.0 vulnerabilities security

💡 Result:

golang.org/x/crypto v0.34.0 is affected by these known, fixed vulnerabilities (Go vulnerability database):

  • CVE-2025-22869 / GO-2025-3487 (in golang.org/x/crypto/ssh): SSH servers implementing file transfer can be DoS’d via slow/incomplete key exchange. Fixed in v0.35.0 (v0.34.0 is affected). [1]
  • CVE-2025-58181 / GO-2025-4134 (in golang.org/x/crypto/ssh): GSSAPI auth request parsing can cause unbounded memory consumption (DoS). Fixed in v0.45.0 (v0.34.0 is affected). [2]
  • CVE-2025-47914 / GO-2025-4135 (in golang.org/x/crypto/ssh/agent): malformed agent messages can trigger a panic (out-of-bounds read). Fixed in v0.45.0 (v0.34.0 is affected). [3]

Recommendation: upgrade to >= v0.45.0 (covers the above), or preferably the current latest v0.47.0 (published Jan 12, 2026). [4]

Sources

  1. https://pkg.go.dev/vuln/GO-2025-3487
  2. https://pkg.go.dev/vuln/GO-2025-4134
  3. https://pkg.go.dev/vuln/GO-2025-4135
  4. https://pkg.go.dev/golang.org/x/crypto

🌐 Web query:

golang.org/x/oauth2 v0.26.0 vulnerabilities OSV

💡 Result:

golang.org/x/oauth2 v0.26.0 is affected by the following OSV vulnerability:

  • GO-2025-3488 (aliases: CVE-2025-22868, GHSA-6v2p-p543-phr9) — Unexpected memory consumption during token parsing (DoS risk) when parsing a malicious malformed token. Affects golang.org/x/oauth2/jws (Verify). Fixed in v0.27.0 (all versions < 0.27.0 are affected). [1][2]

Recommendation: upgrade to golang.org/x/oauth2 v0.27.0 or later. [1][2]

Sources: [1] OSV entry GO-2025-3488, [2] Go vulnerability report GO-2025-3488.


Upgrade Go to 1.25.6 and address critical security vulnerabilities in x/crypto and x/oauth2.

Go 1.25.2 is outdated; the latest 1.25 patch as of January 2026 is 1.25.6 (released January 15, 2026). More critically, the current dependency versions contain HIGH severity vulnerabilities:

  • golang.org/x/crypto v0.34.0: Contains CVE-2025-22869, CVE-2025-58181, and CVE-2025-47914 (SSH DoS and panic on malformed input). Upgrade to v0.45.0 or later (v0.47.0 latest as of January 12, 2026).
  • golang.org/x/oauth2 v0.26.0: Contains CVE-2025-22868 (unbounded memory consumption during token parsing). Upgrade to v0.27.0 or later.
🤖 Prompt for AI Agents
In `@go.mod` at line 3, Update the module toolchain and vulnerable deps: change
the Go version directive from "go 1.25.2" to "go 1.25.6" and update the
dependency versions for golang.org/x/crypto and golang.org/x/oauth2 in go.mod
(replace x/crypto v0.34.0 with v0.45.0 or later—prefer v0.47.0—and replace
x/oauth2 v0.26.0 with v0.27.0 or later), then run "go mod tidy" and "go get" to
ensure the lockfile/module graph is updated and rebuild to verify no breakage
(look for the go directive and module lines referring to golang.org/x/crypto and
golang.org/x/oauth2).

golang.org/x/text v0.16.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240506185236-b8a5c65736ae // indirect
google.golang.org/grpc v1.63.2 // indirect
golang.org/x/crypto v0.34.0 // indirect
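Review bot: `golang.org/x/crypto v0.34.0` is marked `// indirect`, so it is pulled in through another dependency rather than imported by this module; bump it with an explicit `go get golang.org/x/crypto@<fixed version>` followed by `go mod tidy` (minimal version selection keeps the higher requirement), and run `go mod why -m golang.org/x/crypto` and `govulncheck ./...` to see whether the affected `ssh` and `ssh/agent` packages named in this thread are actually reachable from the connector, which decides whether these findings are exploitable here or a hygiene fix.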

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

golang.org/x/crypto v0.34.0 security vulnerabilities GO-2025-3487 GO-2025-4116 patched version

💡 Result:

For golang.org/x/crypto v0.34.0:

  • GO-2025-3487 (CVE-2025-22869) is fixed in v0.35.0 (affected: < v0.35.0). [1]
  • GO-2025-4116 (CVE-2025-47913) is fixed in v0.43.0 (affected: < v0.43.0). [2]

Patched version that covers both vulnerabilities: upgrade to golang.org/x/crypto v0.43.0 or later. [2]

Sources: [1] https://pkg.go.dev/vuln/GO-2025-3487, [2] https://pkg.go.dev/vuln/GO-2025-4116


🌐 Web query:

golang.org/x/crypto latest version 2025 security updates

💡 Result:

Latest golang.org/x/crypto version (as of Jan 27, 2026)

  • v0.47.0 (published Jan 12, 2026) is currently the latest version on pkg.go.dev. [1][2]

2025 security-related updates (what to upgrade to)

In 2025, the Go Security team tagged these notable security-fix versions:

  • v0.35.0 (tagged Feb 24, 2025) — fixes CVE-2025-22869 (DoS in golang.org/x/crypto/ssh related to slow/incomplete key exchange / file transfer protocols). Upgrade to >= v0.35.0. [3][4]
  • v0.43.0 (released Oct 8, 2025) — fixes CVE-2025-47913 (panic/termination in certain SSH agent response handling in golang.org/x/crypto/ssh/agent). Upgrade to >= v0.43.0. [2][7]
  • v0.45.0 (tagged Nov 19, 2025) — fixes two issues:
    • CVE-2025-58181 (unbounded memory consumption in golang.org/x/crypto/ssh when parsing GSSAPI auth requests) [5][6]
    • CVE-2025-47914 (panic / out-of-bounds read in golang.org/x/crypto/ssh/agent due to missing message size validation) [5][6]

Practical recommendation

  • If you want “latest and patched”: go get golang.org/x/crypto@latest (currently v0.47.0). [1][2]
  • If you’re pinning specifically for the late-2025 security fixes: ensure >= v0.45.0. [5][6]

🏁 Script executed:

#!/bin/bash
# Search for golang.org/x/crypto in the repository to understand context
git ls-files | grep -E "go\.(mod|sum)$"

Repository: ConductorOne/baton-formal

Length of output: 82


Upgrade golang.org/x/crypto from v0.34.0 to v0.47.0 to address multiple critical security vulnerabilities.

The current version v0.34.0 is affected by 4 critical security vulnerabilities in the SSH and SSH agent packages:

  • CVE-2025-22869 (GO-2025-3487): Denial of service via slow/incomplete key exchange – fixed in v0.35.0
  • CVE-2025-47913 (GO-2025-4116): Panic in SSH agent response handling – fixed in v0.43.0
  • CVE-2025-58181: Unbounded memory consumption in SSH GSSAPI auth – fixed in v0.45.0
  • CVE-2025-47914: Out-of-bounds read panic in SSH agent – fixed in v0.45.0

Upgrade to v0.47.0 (latest, released Jan 12, 2026) to address all known vulnerabilities.

🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 107-107: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 107-107: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

🤖 Prompt for AI Agents
In `@go.mod` at line 107, Update the module version for golang.org/x/crypto from
v0.34.0 to v0.47.0 in go.mod to include fixes for CVE-2025-22869,
CVE-2025-47913, CVE-2025-58181 and CVE-2025-47914; change the dependency entry
referencing golang.org/x/crypto to v0.47.0 and then run the Go tooling (e.g., go
get golang.org/x/crypto@v0.47.0 && go mod tidy) to update go.sum and ensure the
new version is propagated throughout the build.

golang.org/x/crypto v0.34.0 // indirect
golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c // indirect
golang.org/x/net v0.35.0 // indirect
golang.org/x/oauth2 v0.26.0 // indirect
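Review bot: `golang.org/x/oauth2 v0.26.0` is also `// indirect`, and the affected code path this thread identifies is `jws.Verify`, so `go mod why -m golang.org/x/oauth2` will show which dependency brings it in and whether that path is used; this hunk also pins `golang.org/x/net v0.35.0` and a `golang.org/x/exp` pseudo-version that the scanner did not flag, so a `govulncheck ./...` run in CI would confirm the rest of the x/ family is current before the next SDK batch lands.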

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GO-2025-3488 golang.org/x/oauth2 vulnerability

💡 Result:

GO-2025-3488 (aliases: CVE-2025-22868, GHSA-6v2p-p543-phr9) is a denial-of-service (DoS) issue in golang.org/x/oauth2, specifically golang.org/x/oauth2/jws.Verify: a malformed token can trigger unexpected / excessive memory consumption during parsing. [1][2]

  • Affected: golang.org/x/oauth2 versions < v0.27.0 (the vulnerable code path is in oauth2/jws). [1][2]
  • Fixed in: v0.27.0. [1][2]
  • Mitigation: upgrade:
    go get golang.org/x/oauth2@v0.27.0
    go mod tidy
    (or otherwise ensure your build uses golang.org/x/oauth2 >= v0.27.0). [1][2]
  • Upstream references (fix + discussion): Go change list and issue tracker. [1][2]

Sources
[1] https://osv.dev/vulnerability/GO-2025-3488
[2] https://pkg.go.dev/vuln/GO-2025-3488


🌐 Web query:

GHSA-6v2p-p543-phr9 vulnerability

💡 Result:

GHSA-6v2p-p543-phr9 is a Go vulnerability in golang.org/x/oauth2 (alias CVE-2025-22868 / GO-2025-3488) where an attacker can supply a malformed token that triggers unexpected/excessive memory consumption during parsing (DoS risk). It’s scored CVSS 7.5 (High). [1][2][3]

Affected: golang.org/x/oauth2 before v0.27.0 (notably golang.org/x/oauth2/jws, e.g., jws.Verify). [1][2]
Fixed: upgrade to golang.org/x/oauth2 v0.27.0 or later. [1][2]

Practical remediation (Go modules):

go get golang.org/x/oauth2@v0.27.0
go mod tidy

Sources: [1] [2] [3]


🏁 Script executed:

#!/bin/bash
# Check Go vulnerability database for golang.org/x/oauth2
# Using pkg.go.dev JSON API to get version information
curl -s "https://api.pkg.go.dev/golang.org/x/oauth2?tab=versions" || echo "API call attempt (may require different approach)"

# Also search for recent security advisories in Go ecosystem
rg "oauth2" . --type go -l | head -5

Repository: ConductorOne/baton-formal

Length of output: 333


Upgrade golang.org/x/oauth2 to v0.27.0 to fix critical DoS vulnerability.

golang.org/x/oauth2 v0.26.0 is affected by CVE-2025-22868 (GO-2025-3488 / GHSA-6v2p-p543-phr9), a high-severity denial-of-service vulnerability where a malformed token can trigger excessive memory consumption during parsing in jws.Verify. Upgrade to v0.27.0 or later:

golang.org/x/oauth2 v0.27.0
🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 110-110: golang.org/x/oauth2 0.26.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 110-110: golang.org/x/oauth2 0.26.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
In `@go.mod` at line 110, The go.mod currently pins golang.org/x/oauth2 to v0.26.0
which is vulnerable; update the module requirement to golang.org/x/oauth2
v0.27.0 (replace the existing golang.org/x/oauth2 v0.26.0 entry), then run
dependency hygiene (e.g., go get golang.org/x/oauth2@v0.27.0 and go mod tidy) to
update go.sum and ensure the new version is resolved; finally run the test
suite/build to validate no regressions.

@gontzess gontzess changed the title Upgrade baton-sdk to v0.7.x and Go to 1.25.x Upgrade baton-sdk to v0.7.4 and Go to 1.25.x Jan 27, 2026
@gontzess gontzess marked this pull request as draft January 27, 2026 18:59
@gontzess gontzess force-pushed the task-sdk-upgrade-batch-4 branch 2 times, most recently from d2d5a13 to 70012f3 Compare January 27, 2026 20:37
@gontzess gontzess marked this pull request as ready for review January 27, 2026 22:46
- Update baton-sdk dependency to v0.7.4
- Update Go version to 1.25.2
- Update field.Configuration API
- Add WithDefaultCapabilitiesConnectorBuilder option
- Update CI workflow to use go-version-file
- Update golangci-lint-action to v8
- Update .golangci.yml to v2 format
- Add tools/rules.go for ruleguard
@gontzess gontzess force-pushed the task-sdk-upgrade-batch-4 branch from 70012f3 to caddda8 Compare January 28, 2026 16:49