
fix: upgrade Go toolchain to 1.25.5 to address HIGH severity CVEs #3895

Open
yugannkt wants to merge 2 commits into argoproj:master from yugannkt:fix/upgrade-go-1.25.5

Conversation

@yugannkt
Contributor

Fix: Upgrade Go toolchain to 1.25.5 to address HIGH severity CVEs

Summary

This PR upgrades the Go toolchain from version 1.24.1 to 1.25.5 to address HIGH severity CVEs in the Go standard library.

Fixes #3807

Motivation

Security scanning (Trivy) identified multiple HIGH severity vulnerabilities in Go stdlib packages (net/http, crypto, encoding) present in Go 1.24.x. These CVEs are fixed in Go 1.25.3+. This upgrade is critical for deployments in regulated environments and addresses security hardening requirements.

Changes Made

Core Files

  • go.mod: Updated Go directive from 1.24.1 to 1.25.5

CI/CD Workflows

  • .github/workflows/ci.yaml: Updated all 4 jobs (codegen, unit-tests, lint, e2e-tests) to use Go 1.25.5
  • .github/workflows/release.yml: Updated 2 occurrences (build-binaries, bom jobs)
  • .github/workflows/gh-pages.yaml: Updated deploy job

Documentation

  • docs/developer_guide.md: Updated minimum requirement from Golang 1.20+ to Golang 1.25.3+

Third-party Components

  • third_party/prometheus-nats-exporter-docker/amd64/Dockerfile: Updated base image from golang:1.20.2 to golang:1.25.5
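One way to keep the four kinds of pins this PR touches (go.mod directive, setup-go `go-version` in workflows, `golang:` base-image tags) from drifting apart again, as an added example that is not part of the PR or of the argoproj codebase: it scans file contents for any Go version below the 1.25.3 floor the PR cites and returns a finding per stale pin. The file contents are constructed samples, and `MinGo`, `AtLeast` and `FindStalePins` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
)

// MinGo is the minimum patched release the PR cites (1.25.3+).
const MinGo = "1.25.3"

// pinPatterns matches the three kinds of Go version pins the PR touches.
var pinPatterns = map[string]*regexp.Regexp{
	"go.mod directive":      regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)`),
	"workflow go-version":   regexp.MustCompile(`go-version:\s*['"]?(\d+\.\d+(?:\.\d+)?)`),
	"Dockerfile base image": regexp.MustCompile(`(?m)^FROM\s+golang:(\d+\.\d+(?:\.\d+)?)`),
}

// SampleFiles is constructed input, not the repository's real files: go.mod and
// the workflow are already upgraded, but the Dockerfile still pins the old image.
var SampleFiles = map[string]string{
	"go.mod":                    "module example.com/m\n\ngo 1.25.5\n",
	".github/workflows/ci.yaml": "    with:\n      go-version: '1.25.5'\n",
	"third_party/Dockerfile":    "FROM golang:1.20.2 AS builder\n",
}

// AtLeast reports whether v >= floor numerically, so "1.25.10" is not read as older than "1.25.3".
func AtLeast(v, floor string) bool {
	var a, b [3]int // a missing patch component stays 0
	fmt.Sscanf(v, "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(floor, "%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// FindStalePins returns one finding per pin below MinGo, so a CI check can fail when an upgrade misses a file.
func FindStalePins(files map[string]string) []string {
	var stale []string
	for name, content := range files {
		for kind, re := range pinPatterns {
			for _, m := range re.FindAllStringSubmatch(content, -1) {
				if !AtLeast(m[1], MinGo) {
					stale = append(stale, name+": "+kind+" pins go "+m[1])
				}
			}
		}
	}
	return stale
}
```

Running this over the real tree (reading each file into the map) would have flagged the third_party Dockerfile, which was still on golang:1.20.2 before this PR.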

@yugannkt yugannkt requested a review from whynowy as a code owner January 24, 2026 16:25
@yugannkt yugannkt force-pushed the fix/upgrade-go-1.25.5 branch from 155d8e1 to fec3501 on January 24, 2026 16:28
Fixes argoproj#3807

Upgraded Go from 1.24 to 1.25.5 to resolve HIGH severity vulnerabilities
in Go standard library (net/http, crypto, encoding packages).

Changes:
- Updated go.mod: go 1.24.1 -> go 1.25.5
- Updated GitHub Actions workflows (ci.yaml, release.yml, gh-pages.yaml)
- Updated developer_guide.md: Golang 1.20+ -> Golang 1.25.3+
- Updated third_party prometheus-nats-exporter Dockerfile

All dependencies verified compatible. Build and tests pass successfully.

Signed-off-by: Yugan <yugannkt@gmail.com>
@yugannkt yugannkt force-pushed the fix/upgrade-go-1.25.5 branch from fec3501 to b2811ca on January 24, 2026 16:32
Member

@whynowy whynowy left a comment


Thanks


Development

Successfully merging this pull request may close these issues.

HIGH: Go stdlib CVEs - upgrade toolchain to 1.25.3+
