feat: upgrade to Go 1.25.5 and fix 21 security vulnerabilities (#96)

* feat: upgrade to Go 1.25.5 and fix 21 security vulnerabilities

This PR upgrades the project from Go 1.24.0 to Go 1.25.5 and updates
golang.org/x/crypto from v0.37.0 to v0.45.0, fixing all 21 security
vulnerabilities detected by OSV Scanner.

Vulnerabilities Fixed:
- 16 Go stdlib vulnerabilities (GO-2025-3563, GO-2025-3749, GO-2025-3750,
  GO-2025-3751, GO-2025-3849, GO-2025-3956, GO-2025-4007, GO-2025-4008,
  GO-2025-4009, GO-2025-4010, GO-2025-4011, GO-2025-4012, GO-2025-4013,
  GO-2025-4014, GO-2025-4155, GO-2025-4175)
- 3 golang.org/x/crypto vulnerabilities:
  * GO-2025-4135 (CVE-2025-47914): SSH Agent message size validation
  * GO-2025-4134 (CVE-2025-58181): SSH GSSAPI unbounded memory
  * GO-2025-4116 (CVE-2025-47913): SSH client panic on SSHAGENTSUCCESS
- 2 uncalled stdlib vulnerabilities (GO-2025-4006, GO-2025-4015)

Changes:
- go.mod: Update go directive from 1.24.0 to 1.25.5
- go.mod: Update golang.org/x/crypto from v0.37.0 to v0.45.0
- Updated all GitHub Actions workflows to use Go 1.25.x
- CI matrix now tests against Go 1.24.x and 1.25.x for compatibility
- All tests pass with 92.1% coverage

References:
- Go 1.25 Release: https://go.dev/blog/go1.25
- GO-2025-4135: https://pkg.go.dev/vuln/GO-2025-4135
- GO-2025-4134: https://pkg.go.dev/vuln/GO-2025-4134

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update golangci-lint to v2.6 for Go 1.25 support

The linting job was failing because golangci-lint v2.2.1 was built with
Go 1.24 and cannot lint projects targeting Go 1.25.5.

Changes:
- Update golangci-lint-action from v7 to v9
- Update golangci-lint version from v2.2.1 to v2.6

golangci-lint v2.6 is built with Go 1.25 and can successfully lint
Go 1.25.5 projects.

References:
- golangci/golangci-lint#5873
- https://github.com/golangci/golangci-lint-action

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: Remove Go 1.24.x support and fix perfsprint linting errors

- Remove Go 1.24.x from CI test matrix (only Go 1.25.x required now)
- Fix perfsprint linting errors in benchmark_test.go and output_length_test.go
  by replacing string concatenation in loops with strings.Builder

This completes the Go 1.25.5 upgrade by removing backward compatibility
with Go 1.24.x, which is no longer needed since go.mod requires 1.25.5.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

---------

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Author: richardwooding

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: ['1.23.x', '1.24.x']  # Include 1.23 as fallback
+        go-version: ['1.25.x']  # Go 1.25.5+ required
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
@@ -40,7 +40,7 @@ jobs:
       run: go test -race -coverprofile=coverage.out -covermode=atomic -v ./...
 
     - name: Upload coverage to Codecov
-      if: matrix.go-version == '1.24.x'  # Only upload once
+      if: matrix.go-version == '1.25.x'  # Only upload once
       uses: codecov/codecov-action@v4
       with:
         file: ./coverage.out
@@ -59,7 +59,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24.x'
+        go-version: '1.25.x'
         cache: true
         check-latest: true
 

.github/workflows/dependency-update.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23.x'  # Use stable version for dependency updates
+          go-version: '1.25.x'  # Use stable version for dependency updates
           cache: true
           check-latest: true
 

.github/workflows/fuzz.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
           cache: true
 
       - name: Download dependencies
@@ -83,7 +83,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
           cache: true
 
       - name: Download dependencies

.github/workflows/golangci-lint.yml

@@ -26,12 +26,12 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.x'  # Match project requirements
+          go-version: '1.25.x'  # Match project requirements
           cache: false
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.2.1
+          version: v2.6
           args: --timeout=5m

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23.x'  # Use stable version for releases
+          go-version: '1.25.x'  # Use stable version for releases
           cache: true
           check-latest: true
 

.github/workflows/security.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.x'  # Use version that matches code requirements
+          go-version: '1.25.x'  # Use version that matches code requirements
           cache: true
           check-latest: true
 
@@ -44,7 +44,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.x'  # Use version that matches code requirements
+          go-version: '1.25.x'  # Use version that matches code requirements
           cache: true
           check-latest: true
 
@@ -65,7 +65,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.x'
+          go-version: '1.25.x'
           cache: true
           check-latest: true
 

benchmark_test.go

@@ -1,6 +1,7 @@
 package cel2sql_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/google/cel-go/cel"
@@ -322,10 +323,14 @@ func BenchmarkConvertLargeExpression(b *testing.B) {
 	env := setupSimpleBenchmarkEnv(b)
 
 	// Large AND expression
-	largeAnd := `age > 0`
+	var builder strings.Builder
+	builder.WriteString(`age > 0`)
 	for i := 1; i < 20; i++ {
-		largeAnd += ` && name != "test` + string(rune('0'+i)) + `"`
+		builder.WriteString(` && name != "test`)
+		builder.WriteRune(rune('0' + i))
+		builder.WriteString(`"`)
 	}
+	largeAnd := builder.String()
 
 	tests := []struct {
 		name       string

go.mod

@@ -1,6 +1,6 @@
 module github.com/spandigital/cel2sql/v3
 
-go 1.24.0
+go 1.25.5
 
 require (
 	github.com/google/cel-go v0.26.0
@@ -68,11 +68,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/grpc v1.73.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect

go.sum

@@ -158,8 +158,8 @@ go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v8
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -168,13 +168,13 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -184,14 +184,14 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

output_length_test.go

@@ -408,10 +408,12 @@ func TestLongStringConcatenations(t *testing.T) {
 			require.NoError(t, err)
 
 			// Build string concatenation expression
-			expr := "s"
+			var builder strings.Builder
+			builder.WriteString("s")
 			for i := 0; i < tt.stringCount; i++ {
-				expr += ` + "test"`
+				builder.WriteString(` + "test"`)
 			}
+			expr := builder.String()
 
 			ast, issues := env.Compile(expr)
 			require.NoError(t, issues.Err())