Update deps and fix crypto/tls vulnerability #578

Merged: jpillora merged 2 commits into master from feb2025 on Feb 15, 2026
@jpillora (Owner)

Summary

  • Update all golang.org/x/* dependencies to latest versions
  • Bump Go minimum version to 1.25.7 to fix crypto/tls vulnerability GO-2026-4337 (unexpected session resumption)
  • govulncheck reports zero vulnerabilities after these changes
  • All tests pass

Test plan

  • go test ./... passes
  • govulncheck ./... reports no vulnerabilities

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 15, 2026 13:34

Copilot AI left a comment

Pull request overview

This PR aims to address GO-2026-4337 (crypto/tls unexpected session resumption) by raising the project’s minimum Go toolchain requirement.

Changes:

  • Bump the go version directive in go.mod from 1.25.1 to 1.25.7.

go.mod Outdated
module github.com/jpillora/chisel

go 1.25.1
go 1.25.7
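
Review bot: the new `go 1.25.7` line gives no indication of why a patch release is the floor, so a later cleanup could relax it back to `go 1.25` without anyone noticing the security intent. Add a `//` comment above it naming GO-2026-4337. Since Go 1.21 the go command treats this line as a hard minimum, so it also raises the required version for anyone importing the module, which is worth stating in the release notes.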

Copilot AI Feb 15, 2026

The go directive is primarily a language/version compatibility marker and generally shouldn’t be used to pin a specific patch release for security fixes. If the intent is to require Go 1.25.7 (or later) for GO-2026-4337, consider setting go 1.25 and adding a toolchain go1.25.7 directive (or otherwise documenting/enforcing the required toolchain in CI/release), so consumers don’t build with an older patched toolchain inadvertently.

Suggested change
go 1.25.7
go 1.25
toolchain go1.25.7
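
Review bot: with `go 1.25` as the floor, the `toolchain go1.25.7` line is the only thing pointing at the fixed release, and the go command treats it as a suggestion: it is read only when this module is the main module and is not enforced when toolchain switching is disabled (GOTOOLCHAIN=local). A build on an older 1.25.x can therefore still succeed. If this form is adopted, pin the Go version in the CI and release jobs and keep `govulncheck ./...` from the test plan as a required check.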

Separates language compatibility (go 1.25) from toolchain requirement
(toolchain go1.25.7) per Copilot review suggestion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
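
The practical difference between the two go.mod forms discussed in this thread, as an added example (not code from the chisel repository): it checks whether a local toolchain would satisfy the enforced `go` line while still predating the fixed release. It assumes toolchain switching is disabled (GOTOOLCHAIN=local), handles release versions only (no rc/beta suffixes), and the helper names and sample go.mod strings are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse turns "1.25.7" or "go1.25.7" into comparable numbers; a missing patch counts as 0.
func parse(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// atLeast reports whether version v is greater than or equal to floor.
func atLeast(v, floor string) bool {
	a, b := parse(v), parse(floor)
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// goDirective returns the version on the go line of go.mod text.
// The toolchain line is deliberately not consulted: it is advisory.
func goDirective(gomod string) string {
	for _, l := range strings.Split(gomod, "\n") {
		if f := strings.Fields(l); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// silentlyVulnerable is true when local passes the go line but is older than fixed.
func silentlyVulnerable(gomod, local, fixed string) bool {
	return atLeast(local, goDirective(gomod)) && !atLeast(local, fixed)
}

func main() {
	for _, m := range []string{"go 1.25.7\n", "go 1.25\ntoolchain go1.25.7\n"} {
		fmt.Printf("%q on go1.25.1: %v\n", m, silentlyVulnerable(m, "1.25.1", "1.25.7"))
	}
}
```
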
@jpillora jpillora merged commit 4df5fcf into master Feb 15, 2026
10 checks passed
@jpillora jpillora deleted the feb2025 branch February 15, 2026 13:54