
fix: resolve Snyk violations, Go stdlib vulns, and broken list repos test#767

Merged
dangrondahl merged 5 commits into main from fix_snyk (Apr 9, 2026)

Conversation

@dangrondahl
Contributor

@dangrondahl dangrondahl commented Apr 8, 2026

Why

The Snyk dependency test and integration tests are failing on main.

Fixes

1. Bump go.opentelemetry.io/otel packages v1.40.0 → v1.41.0

Fixes SNYK-GOLANG-GOOPENTELEMETRYIOOTELBAGGAGE-15928416 (High) — resource exhaustion via baggage header parsing. Also bumps transitive deps grpc-gateway and genproto.

2. Bump Go 1.25.0 → 1.25.9

Fixes stdlib vulnerabilities in crypto/tls, crypto/x509, archive/tar, archive/zip, html/template, net/http.

3. Renew expired Snyk ignore for x/crypto/ssh/agent

SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891 — no upstream fix available (latest golang.org/x/crypto is v0.49.0). The previous ignore expired 2025-11-17, causing Snyk to fail. Extended to 2026-10-08.

4. Set GOTOOLCHAIN=auto in Dockerfile

The golang:1.25-alpine3.21 image ships Go 1.25.5 and there is no golang:1.25.9 image. GOTOOLCHAIN=auto lets Go download 1.25.9 at build time.

5. Handle nil latest_activity in kosli list repos

Server PR #5177 (2026-04-02) removed the latest_activity computation for performance. The field now returns nil, which caused fmt.Sprintf to print %!s(<nil>) in the table output. This was failing TestListReposCommandTestSuite consistently.

Test plan

  • Snyk dependency test passes
  • Integration tests pass
  • Docker build passes
  • Lint passes

- Bump go.opentelemetry.io/otel packages from v1.40.0 to v1.41.0
  (fixes SNYK-GOLANG-GOOPENTELEMETRYIO* resource exhaustion via baggage headers)
- Bump Go from 1.25.0 to 1.25.8
  (fixes std/crypto/tls, std/crypto/x509, std/archive/tar, std/archive/zip,
   std/html/template, std/net/http vulnerabilities)
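Item 5 of the PR description explains the rendering bug: once the server returns `latest_activity` as JSON null, the value decoded into a `map[string]any` is an untyped nil interface, and `fmt.Sprintf("%s", v)` prints the verb-error marker `%!s(<nil>)`. The following is an added example, not code from the kosli repository: the JSON response is constructed, and `stringField` and `renderRows` are hypothetical helper names. It shows the buggy formatting path next to a guarded one that also tolerates a missing key or a non-string value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample API response (not real kosli server output): one repo
// still carries an activity string, one has latest_activity set to null.
const sampleReposJSON = `[
  {"name": "backend", "url": "https://example.invalid/backend",
   "provider": "github", "latest_activity": "Trail Started at 2026-04-01"},
  {"name": "frontend", "url": "https://example.invalid/frontend",
   "provider": "gitlab", "latest_activity": null}
]`

// formatUnsafe reproduces the bug: %s applied to a nil interface value
// yields the marker "%!s(<nil>)" instead of an empty string.
func formatUnsafe(v any) string {
	return fmt.Sprintf("%s", v)
}

// stringField is the guarded version (hypothetical helper): it returns ""
// when the key is absent or JSON null, the string itself when it is a
// string, and a plain rendering for any other type.
func stringField(m map[string]any, key string) string {
	v, ok := m[key]
	if !ok || v == nil {
		return ""
	}
	if s, ok := v.(string); ok {
		return s
	}
	return fmt.Sprint(v)
}

// renderRows decodes the response and builds one tab-separated row per
// repo using the guarded accessor for every map[string]any field.
func renderRows(raw string) ([]string, error) {
	var repos []map[string]any
	if err := json.Unmarshal([]byte(raw), &repos); err != nil {
		return nil, fmt.Errorf("decode repos: %w", err)
	}
	rows := make([]string, 0, len(repos))
	for _, r := range repos {
		rows = append(rows, strings.Join([]string{
			stringField(r, "name"),
			stringField(r, "url"),
			stringField(r, "provider"),
			stringField(r, "latest_activity"),
		}, "\t"))
	}
	return rows, nil
}

func main() {
	fmt.Printf("buggy: %q\n", formatUnsafe(nil))
	rows, err := renderRows(sampleReposJSON)
	if err != nil {
		panic(err)
	}
	for _, row := range rows {
		fmt.Println(row)
	}
}
```

The guard in `stringField` is deliberately applied to every field, which is the consistency point the review comment on listRepos.go raises: any `map[string]any` value can be nil if the server drops a field, so the accessor, not the caller, should own the check.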
@claude
Contributor

claude bot commented Apr 8, 2026

Claude finished @dangrondahl's task in 1m 44s


PR Review: fix: upgrade dependencies to resolve Snyk vulnerabilities

  • Phase 1: Static analysis (go build, go vet, go mod tidy)
  • Phase 2: Code review of changed files
  • Phase 3: Post review summary

Static Analysis

All clean — go build ./..., go vet ./..., and go mod tidy pass with no issues or drift.

Review Summary

Overall: Looks good. This is a well-structured dependency upgrade PR with a sensible bug fix included. Five clean, atomic commits with clear messages.

Dependency upgrades (go.mod/go.sum) — Straightforward bumps:

  • go.opentelemetry.io/otel v1.40.0 → v1.41.0 (fixes resource exhaustion via baggage headers)
  • grpc-gateway/v2 v2.27.7 → v2.28.0, genproto updated
  • Go 1.25.0 → 1.25.9 (stdlib security fixes)

All transitive — no direct API surface changes needed.

Dockerfile — GOTOOLCHAIN=auto is the correct approach. The base image stays at golang:1.25-alpine and the toolchain directive in go.mod (go 1.25.9) triggers the auto-download. Clean solution that avoids pinning the Docker image tag to a patch version.

.snyk — Renewed ignore with improved reason text documenting that v0.49.0 is still affected. 6-month expiry (Oct 2026) is reasonable for a re-evaluation window.

listRepos.go — The nil guard on latest_activity fixes a real bug (nil value in fmt.Sprintf format). Left one non-blocking inline comment about applying the same pattern to the other map[string]any fields for consistency.

listRepos_test.go — Test regex patterns relaxed from .*Trail Started at.* to .* at the end, which correctly accommodates repos with no latest_activity. The tests still validate the important parts (name, URL, provider).

What's done well

  • Clean commit history — each commit addresses one logical change
  • Snyk ignore includes context about why it's being ignored and which version was checked
  • Bug fix for nil latest_activity is included proactively rather than as a separate follow-up
  • GOTOOLCHAIN=auto is a maintainable approach for Dockerfile Go version management

SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891 still has no fix
available (latest golang.org/x/crypto is v0.49.0). Extend the ignore
expiry to 2026-10-08.
Snyk reported new std/crypto/tls, std/crypto/x509, std/archive/tar,
and std/html/template vulnerabilities requiring Go 1.25.9.
The API can return nil for the latest_activity field, which caused
fmt.Sprintf to print %!s(<nil>). Display an empty string instead.
Also relax the test regex to not require a specific activity string.
Go 1.25.9 Docker image doesn't exist yet. Use golang:1.25 base image
with GOTOOLCHAIN=auto so Go auto-downloads 1.25.9 at build time.
@dangrondahl dangrondahl changed the title fix: upgrade dependencies to resolve Snyk vulnerabilities fix: resolve Snyk violations, Go stdlib vulns, and broken list repos test Apr 9, 2026
@dangrondahl dangrondahl merged commit 68f7b91 into main Apr 9, 2026
20 checks passed
@dangrondahl dangrondahl deleted the fix_snyk branch April 9, 2026 06:55