fix: bump Go from 1.25.9 to 1.25.10 to resolve Snyk vulnerabilities #869

Merged
dangrondahl merged 1 commit into main from fix-go-version-snyk
May 8, 2026

@dangrondahl dangrondahl commented May 8, 2026

Summary

  • Bump Go version in go.mod from 1.25.9 to 1.25.10
  • Fixes 6 CVEs in Go stdlib (std/html/template, std/net, std/net/http) that cause the Snyk Dependency Test CI job to fail

CVEs resolved: CVE-2026-27142, CVE-2026-33811, CVE-2026-33814, CVE-2026-39823, CVE-2026-39826, CVE-2026-39836

Test plan

  • Snyk Dependency Test CI job passes
  • All other CI jobs pass (build, lint, tests)

Fixes CVEs in Go stdlib (std/html/template, std/net, std/net/http):
CVE-2026-27142, CVE-2026-33811, CVE-2026-33814,
CVE-2026-39823, CVE-2026-39826, CVE-2026-39836

claude Bot commented May 8, 2026

Claude finished @dangrondahl's task in 3m 6s


Review of PR #869

  • Run static analysis (go build, go vet, go mod tidy)
  • Review the diff
  • Post review feedback

Static Analysis

All checks pass:

  • go build ./... — compiles cleanly
  • go vet ./... — no issues
  • go mod tidy — go.mod and go.sum are already clean (no diff)

Code Review

Diff: Single line change in go.mod: go 1.25.9 → go 1.25.10.

This is a minimal, well-scoped patch version bump. Nothing else to flag:

  • No edge cases or bugs — this is a toolchain directive, not application logic.
  • No security concerns — the change resolves 6 CVEs, which is the right move.
  • No test impact — the Go version bump doesn't change any application behavior, only patches stdlib vulnerabilities.
  • go.sum is unchanged — confirmed via go mod tidy && git diff --exit-code, meaning no dependency graph changes.

Good Work

Clean, minimal PR — one line, clear commit message, CVEs listed in the description. This is exactly how a version-bump PR should look.

Verdict: LGTM. Ship it once CI is green.

@dangrondahl dangrondahl enabled auto-merge (squash) May 8, 2026 11:01
@dangrondahl dangrondahl merged commit 1c3c462 into main May 8, 2026
16 checks passed
@dangrondahl dangrondahl deleted the fix-go-version-snyk branch May 8, 2026 11:03
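
A CI gate for the kind of fix this PR makes, as an added example that is not part of the PR or the project's code: it reads the go directive from go.mod and compares it numerically against a minimum patched version, because a plain string comparison would rank 1.25.10 below 1.25.9. The function names and the sample go.mod contents are constructed for illustration, and pre-release versions such as release candidates are rejected rather than parsed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod contents; the module path is a placeholder.
const sampleBefore = "module example.com/app\n\ngo 1.25.9\n"
const sampleAfter = "module example.com/app\n\ngo 1.25.10\n"

// parseVersion turns "1.25.10" into [1 25 10]; a missing patch counts as 0.
func parseVersion(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(v, ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unsupported version %q", v)
		}
	}
	return out, nil
}

// goDirective returns the parsed version from the `go` line of a go.mod.
func goDirective(gomod string) ([3]int, error) {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return parseVersion(f[1])
		}
	}
	return [3]int{}, fmt.Errorf("no go directive found")
}

// atLeast reports whether the go directive is numerically >= want.
func atLeast(gomod string, want [3]int) (bool, error) {
	have, err := goDirective(gomod)
	if err != nil {
		return false, err
	}
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return true, nil
}

func main() {
	fmt.Println(atLeast(sampleBefore, [3]int{1, 25, 10})) // false <nil>
	fmt.Println(atLeast(sampleAfter, [3]int{1, 25, 10}))  // true <nil>
}
```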