chore: upgrade packages CVE-2025-58181 & CVE-2025-47914

[creativeprojects]

Summary by CodeRabbit

• Chores
  • Updated Go toolchain to version 1.24.11.
  • Updated external dependencies including GitLab API client, OAuth2, and cryptography packages to latest versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The Go module configuration is updated with a newer Go toolchain (1.24.7 to 1.24.11) and several external dependencies are bumped to their latest versions, including Gitea SDK, GitLab API client, crypto, oauth2, sys, and time packages.

Changes

Cohort / File(s)

Summary

Go module and dependency updates go.mod

Bumps Go toolchain from 1.24.7 to 1.24.11; updates external dependencies including code.gitea.io/sdk/gitea (v0.22.0→v0.22.1), gitlab.com/gitlab-org/api/client-go (v0.148.0→v1.9.1), golang.org/x/crypto (v0.42.0→v0.46.0), golang.org/x/oauth2 (v0.31.0→v0.34.0), golang.org/x/sys (v0.36.0→v0.39.0), golang.org/x/time (v0.12.0→v0.14.0), and github.com/hashicorp/go-version (v1.7.0→v1.8.0) with related indirect dependency adjustments

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify compatibility between the Go toolchain bump and codebase syntax/features
• Check GitLab API client major version upgrade (v0.148.0→v1.9.1) for breaking changes
• Confirm no conflicts or resolution issues across the updated dependency chain

Poem

🐰 Hop, hop—the versions do ascend,
With crypto guards and time to spend,
From Gitea to GitLab's dance so grand,
Our dependencies grow more planned,
Security blooms, the toolchain's strong—
This rabbit's heart beats upgrade-long! 🌱

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main purpose of the changeset: upgrading packages to address specific CVEs. It is concise, clear, and directly describes the primary change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch upgrade-x-crypto

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7d55b9 and dec425a.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (2 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: creativeprojects
Repo: creativeprojects/go-selfupdate PR: 44
File: .github/workflows/build.yml:16-17
Timestamp: 2024-10-12T21:53:51.558Z
Learning: As of October 2024, Go version 1.23 has been released and is valid for use in workflows.

📚 Learning: 2024-10-12T21:53:51.558Z

Learnt from: creativeprojects
Repo: creativeprojects/go-selfupdate PR: 44
File: .github/workflows/build.yml:16-17
Timestamp: 2024-10-12T21:53:51.558Z
Learning: As of October 2024, Go version 1.23 has been released and is valid for use in workflows.

Applied to files:

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and test (1.24, windows-latest)

🔇 Additional comments (4)

go.mod (4)

3-3: Go toolchain patch upgrade is safe.

The upgrade from 1.24.7 to 1.24.11 is a conservative patch-level change within the same minor version and carries no breaking changes.

---

26-26: Indirect dependency updates are safe.

The minor version bumps to github.com/hashicorp/go-version (v1.7.0 → v1.8.0) and golang.org/x/time (v0.12.0 → v0.14.0) are routine transitive updates with no breaking implications.

Also applies to: 28-28

---

6-6: Both CVEs are addressed by golang.org/x/crypto v0.46.0, not golang.org/x/oauth2.

CVE-2025-58181 affects SSH servers parsing GSSAPI authentication requests which don't validate the number of mechanisms specified, while CVE-2025-47914 affects SSH Agent servers which do not validate the size of messages when processing new identity requests. Both are in the golang.org/x/crypto package and were fixed in golang.org/x/crypto v0.45.0. Since v0.46.0 is newer than v0.45.0, it includes both patches. The golang.org/x/oauth2 upgrade to v0.34.0 does not address these CVEs.

Likely an incorrect or invalid review comment.

---

11-11: The GitLab client upgrade from v0.148.0 to v1.9.1 is compatible with this codebase. Version 1.0 of the client-go library comes with a backwards-compatibility guarantee and is considered stable. The codebase uses only basic, stable APIs: gitlab.NewClient() for client creation and Releases.ListReleases() for API calls, both of which are fully compatible with v1.9.1. No usage of ListOptions or other breaking changes has been detected.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR upgrades multiple Go dependencies to address security vulnerabilities CVE-2025-58181 and CVE-2025-47914. The changes include updating the Go version and upgrading several direct and indirect dependencies.

Key changes:

• Upgraded Go version from 1.24.7 to 1.24.11
• Updated multiple golang.org/x/* packages (crypto, oauth2, sys, term, time)
• Upgraded third-party dependencies including code.gitea.io/sdk/gitea, gitlab.com/gitlab-org/api/client-go, and github.com/hashicorp/go-version

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
go.mod	Updates Go version and upgrades direct and indirect dependencies to address CVEs
go.sum	Updates dependency checksums to match the upgraded versions in go.mod

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.10%. Comparing base (d7d55b9) to head (dec425a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #50      +/-   ##
==========================================
+ Coverage   77.07%   78.10%   +1.02%     
==========================================
  Files          28       28              
  Lines        1435     1146     -289     
==========================================
- Hits         1106      895     -211     
+ Misses        279      201      -78     
  Partials       50       50              

Flag	Coverage Δ
unittests	78.10% <ø> (+1.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.