Skip to content

Bump Go from 1.24.6 to 1.25.4 #1930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 21, 2025
Merged

Bump Go from 1.24.6 to 1.25.4 #1930

merged 2 commits into from
Nov 21, 2025

Conversation

@replicated-ci
Copy link
Contributor

@replicated-ci replicated-ci commented Nov 20, 2025
edited by Bishibop
Loading

Bump Go from 1.24.6 to 1.25.4

This PR upgrades the Go version from 1.24.6 to 1.25.4, bringing security fixes and new features.

Security Fixes

This upgrade addresses 10 stdlib CVEs that were fixed in Go 1.24.8+ and 1.25.x:

  • 6 HIGH severity vulnerabilities
  • 4 MEDIUM severity vulnerabilities

Related: https://github.com/replicated-collab/git-guardian-kots/issues/287

Code Changes Required

Go 1.25 introduced stricter go vet checks that caught an IPv6 compatibility issue:

Fixed: IPv6 address formatting in pkg/namespaces/namespace-pinger.go

  • Replaced fmt.Sprintf("%s:%d", ip, port) with net.JoinHostPort(ip.String(), strconv.Itoa(port))
  • This ensures proper IPv6 address formatting with brackets (e.g., [::1]:8080)
  • Affects both PingTCP() client connections and startTCPEchoServer() listener

Go 1.25 Release Notes

Full release notes: https://go.dev/doc/go1.25

Key changes:

  • Stricter TLS compliance (SHA-1 disabled in TLS 1.2)
  • Improved nil pointer panic detection (fixes compiler bug from Go 1.21)
  • DWARF 5 debug information
  • Experimental JSON v2 support
  • Enhanced generics type checking

cursor[bot]
cursor bot reviewed Nov 20, 2025
View reviewed changes
@Bishibop Bishibop changed the base branch from main to add-upgrade-go-action November 20, 2025 22:56
Base automatically changed from add-upgrade-go-action to main November 20, 2025 23:34
github-actions bot and others added 2 commits November 21, 2025 10:02
@github-actions @Bishibop
Bump Go to version from 1.24.6 to 1.25.4
cc373a6
@Bishibop
fix: use net.JoinHostPort for IPv6 compatibility
438c256 
Fix IPv6 address formatting in namespace-pinger.go by replacing
fmt.Sprintf with net.JoinHostPort, which correctly handles both
IPv4 and IPv6 addresses.

Changes:
- PingTCP: Use net.JoinHostPort for client connections
- startTCPEchoServer: Use net.JoinHostPort for server listener

This fixes go vet errors introduced by Go 1.25's stricter checks:
  address format "%s:%d" does not work with IPv6

IPv4 example: 192.168.1.1:8080
IPv6 example: [::1]:8080 (brackets added automatically)
@Bishibop Bishibop self-assigned this Nov 21, 2025
banjoh
banjoh approved these changes Nov 21, 2025
View reviewed changes
Copy link
Member

@banjoh banjoh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Bishibop Bishibop merged commit 73ac499 into main Nov 21, 2025
20 checks passed
@Bishibop Bishibop deleted the go-upgrade-1.25.4 branch November 21, 2025 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Bishibop Bishibop Bishibop left review comments

@cursor cursor[bot] cursor[bot] left review comments

@banjoh banjoh banjoh approved these changes

Assignees

@Bishibop Bishibop

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@replicated-ci @Bishibop @banjoh