chore(deps): bump Go to 1.25.9 [security] (release-2.1)#963
Merged
phisco merged 2 commits into crossplane:release-2.1 from Apr 16, 2026
Conversation
govulncheck reports five reachable stdlib vulnerabilities on this branch at the current Go 1.24.4 toolchain, in crypto/x509, crypto/tls, html/template and net/url. Go 1.24 went end-of-life on 2026-02-10 when 1.26.0 shipped and did not receive the April 2026 security batch, so the fixes only exist in Go 1.25.9 and 1.26.2. The latest 1.24 release (1.24.13) predates the batch and does not resolve these.

This commit therefore does a minor-version bump to 1.25.9 rather than a patch bump, in both the Earthfile toolchain and the go.mod directive.

golangci-lint is bumped from v2.2.1 (built with Go 1.24) to v2.11.4 (first Go-1.25-built release was v2.9.0); without that, the lint job errors with "the Go language version used to build golangci-lint is lower than the targeted Go version".

Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
Bumping golangci-lint (see previous commit) surfaces new checks against
previously-passing code. This commit resolves them in a single pass:
- gocritic deprecatedComment: inserts a blank line between the
description paragraph and `// Deprecated:` notices so they form a
dedicated paragraph (gocritic, staticcheck SA1019 and godoc tooling
all read the notice this way).
- godoclint package-godoc-duplication: removes the duplicate
`// Package X` comments from `event_test.go` and
`namespaced_reference.go`; the canonical comment stays on the
package's primary file.
- staticcheck SA1019: adds targeted //nolint:staticcheck comments on
the handful of legitimate internal uses of the now-properly-marked
deprecated types (switch branch, type assertion in the PCU reconciler,
test-only fields that exercise the legacy path).
golangci-lint's --fix also modernises a number of idioms enabled by the
Go 1.25 bump, mainly `interface{}` → `any` (usegeneric/intrange rules)
and `strings.Split` → `strings.SplitSeq` (Go 1.24+ iterator form) in
`pkg/parser`. These are auto-applied and saved back to the tree by the
Earthfile's +lint target, so they have to land on disk or `check-diff`
flags the difference.
Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
jbw976 approved these changes (Apr 16, 2026)
Description of your changes
Mirrors #961 for release-2.1, adapted for Earthly.
govulncheck reports 5 reachable stdlib vulnerabilities on this branch with the current Go 1.24.4 toolchain:
Go 1.24 went end-of-life on 2026-02-10 (when 1.26.0 shipped) and did
not receive the April 2026 security batch — those fixes only landed in
1.25.9 and 1.26.2. The latest 1.24 release (1.24.13, 2026-02-04) does
not resolve these, so this PR does a minor version bump to 1.25.9
rather than a patch bump.
This differs from crossplane's release-2.1 bump
(crossplane/crossplane#7305), which was patch-level (1.25.6 → 1.25.9)
because that branch was already on the 1.25 line.
Commits
1. Bump Go to 1.25.9 to fix stdlib CVEs —
   Earthfile `GO_VERSION=1.24.4 → 1.25.9`, `go.mod` `go 1.24.0 →
   1.25.9`, and golangci-lint `v2.2.1 → v2.11.4` (v2.2.1 was built
   with Go 1.24 and refuses to lint `go 1.25.9` targets).
2. Apply golangci-lint v2.11.4 compliance fixes — bumping
   golangci-lint surfaces new checks against existing code. Resolved
   in a single pass:
   - gocritic deprecatedComment: inserts a blank line between the
     description paragraph and `// Deprecated:` notices so they form
     a dedicated paragraph.
   - godoclint package-godoc-duplication: removes the duplicate
     `// Package X` comment from `event_test.go` and
     `namespaced_reference.go`; the canonical comment stays on the
     package's primary file.
   - staticcheck SA1019: adds targeted `//nolint:staticcheck`
     comments on the legitimate internal uses of the now-properly-marked
     deprecated types.
   - golangci-lint's `--fix` also modernises a number of
     idioms enabled by the Go 1.25 bump (`interface{}` → `any`,
     `strings.Split` → `strings.SplitSeq`, small whitespace
     adjustments). Earthfile's `+lint` target saves these back to
     the tree, so they have to land on disk or `check-diff` flags
     the difference.
Downstream impact
Bumping the `go` directive in `go.mod` to 1.25.9 forces consumers
of release-2.1 to Go ≥ 1.25. If that's too disruptive for a patch
release, we can drop the `go.mod` change (and the golangci-lint bump,
which only becomes necessary because of it); our CI binaries would
still pick up the Go fixes, but consumers would need to upgrade their
own toolchain to actually benefit.
Fixes #
I have:
- Added or updated unit tests.
- Linked a PR or a [docs tracking issue] to [document this change].
- Added `backport release-x.y` labels to auto-backport this PR.
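The "Downstream impact" section of the description turns on a distinction worth making mechanical: the toolchain this module's own CI builds with versus the floor the `go` directive imposes on every consumer. The following Go program is an added example, not code from this PR or from the crossplane project. It reads the `go` and optional `toolchain` directives out of go.mod text and reports the two questions separately using the standard library's `go/version` package; the go.mod contents are constructed samples, and the `go1.25.9` threshold is the fixed version the PR names. It also flags the case the PR describes, where the module sits on an older minor line (1.24.x) that no patch bump can bring to the fix.

```go
// toolchaincheck.go: added example, not part of the PR or the crossplane
// project. Reports whether a go.mod pins a Go toolchain that carries a
// stdlib security fix, distinguishing the toolchain this module builds
// with from the floor it imposes on consumers via the `go` directive.
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// MinFixed is the first toolchain on the 1.25 line carrying the April 2026
// stdlib fixes, as stated in the PR; 1.24.x never received them.
const MinFixed = "go1.25.9"

// Constructed go.mod samples (not the project's real go.mod).
const (
	SampleBefore        = "module example.com/runtime\n\ngo 1.24.0\n"
	SampleAfter         = "module example.com/runtime\n\ngo 1.25.9\n"
	SampleToolchainOnly = "module example.com/runtime\n\ngo 1.24.0\n\ntoolchain go1.25.9\n"
)

// ToolchainCheck is the outcome for one go.mod.
type ToolchainCheck struct {
	GoDirective     string // "go1.24.0" as written in the go directive, or "" if absent
	Toolchain       string // "go1.25.9" from a toolchain line, or ""
	Effective       string // max(GoDirective, Toolchain): what this module builds with
	BuildFixed      bool   // Effective >= minFixed
	ConsumersForced bool   // GoDirective >= minFixed: dependents must also upgrade
	Reason          string
}

// parseGoMod pulls the single-line `go X` and `toolchain goX` directives
// out of go.mod text; every other line is ignored.
func parseGoMod(src string) (goDirective, toolchain string) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "go":
			goDirective = "go" + f[1] // go/version expects the "go" prefix
		case "toolchain":
			toolchain = f[1]
		}
	}
	return goDirective, toolchain
}

// CheckToolchain compares the directives against minFixed (e.g. "go1.25.9").
func CheckToolchain(gomod, minFixed string) ToolchainCheck {
	goDir, tc := parseGoMod(gomod)
	c := ToolchainCheck{GoDirective: goDir, Toolchain: tc}
	if !version.IsValid(goDir) {
		c.Reason = "no valid go directive found"
		return c
	}
	// A toolchain line, when present and newer, is what the module itself
	// builds with; it does not raise the requirement on dependents.
	c.Effective = goDir
	if version.IsValid(tc) && version.Compare(tc, goDir) > 0 {
		c.Effective = tc
	}
	c.BuildFixed = version.Compare(c.Effective, minFixed) >= 0
	c.ConsumersForced = version.Compare(goDir, minFixed) >= 0

	switch {
	case c.ConsumersForced:
		c.Reason = "go directive already requires a fixed toolchain"
	case c.BuildFixed:
		c.Reason = "module builds with a fixed toolchain, but dependents are not required to upgrade"
	case version.Lang(c.Effective) != version.Lang(minFixed):
		// Older minor line: no patch release on it can contain the fix.
		c.Reason = fmt.Sprintf("%s is on an older minor line than %s; a minor-version bump is required", c.Effective, minFixed)
	default:
		c.Reason = fmt.Sprintf("patch bump required: %s < %s", c.Effective, minFixed)
	}
	return c
}

func main() {
	samples := []struct{ name, src string }{
		{"before (go 1.24.0)", SampleBefore},
		{"after (go 1.25.9)", SampleAfter},
		{"toolchain line only", SampleToolchainOnly},
	}
	for _, s := range samples {
		c := CheckToolchain(s.src, MinFixed)
		fmt.Printf("%-22s build fixed=%-5t consumers forced=%-5t %s\n",
			s.name, c.BuildFixed, c.ConsumersForced, c.Reason)
	}
}
```

The "toolchain line only" sample is the fallback the description mentions (drop the `go.mod` directive change, keep the CI toolchain bump): the check reports the build as fixed but consumers as not forced, which is exactly the trade-off the author asks reviewers to weigh.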