
fix(deps): OADP-7565,OADP-7570,OADP-7573: bump Go toolchain to 1.25.8 and update x/* dependencies #13

Open

kaovilai wants to merge 1 commit into migtools:oadp-1.5 from kaovilai:oadp-1.5-go1.25.8

Conversation

@kaovilai (Member) commented Mar 17, 2026

Summary

  • Update Go toolchain from go 1.22.0 / toolchain go1.22.11 to go 1.25.0 / toolchain go1.25.8 to address multiple CVEs
  • Bump golang.org/x/crypto to v0.49.0 and golang.org/x/net to v0.52.0 for security fixes
  • Bump go.opentelemetry.io/otel/sdk from v1.34.0 to v1.42.0 (fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)
  • Align OTel exporter modules (otlptracegrpc, otlptrace) to v1.42.0
  • Transitive bumps: x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0
  • Remove GOEXPERIMENT=nocoverageredesign (experiment removed in Go 1.25)
  • Upgrade actions/setup-go from v5.2.0 to v6.1.0 (v5 doesn't read the `toolchain` directive from go.mod, causing `compile: version mismatch` in coverage tests)
  • Run npm audit fix in app/ to resolve npm audit failures in CI

CVEs Addressed

Go Toolchain (1.25.8)

| CVE | Component |
|---|---|
| GO-2026-4337 | crypto/tls |
| GO-2026-4340 | crypto/tls |
| GO-2026-4341 | net/url |
| GO-2026-4342 | archive/zip |
| CVE-2026-25679 | net/url (IPv6 host parsing) |
| CVE-2026-27137 | crypto/x509 (email constraints) |

golang.org/x/* Dependencies

| CVE | Component | Fix Version |
|---|---|---|
| GHSA-vvgc-356p-c3xw | golang.org/x/net (XSS in HTML tokenizer) | v0.38.0+ → v0.52.0 |
| GHSA-j5w8-q4qc-rx2x | golang.org/x/crypto (ssh DoS) | v0.45.0+ → v0.49.0 |
| GHSA-f6x5-jh6r-wrfv | golang.org/x/crypto (ssh/agent panic) | v0.45.0+ → v0.49.0 |

Other Vulnerable Dependencies

| CVE | Component | Change |
|---|---|---|
| GHSA-9h8m-3fm2-qjrq | go.opentelemetry.io/otel/sdk (PATH hijacking) | v1.34.0 → v1.42.0 |

CI/Build Fixes

| Component | Change |
|---|---|
| actions/setup-go | v5.2.0 → v6.1.0 (reads `toolchain` directive) |
| Makefile | Remove GOEXPERIMENT=nocoverageredesign |
| app/package-lock.json | npm audit fix |

Jira

Test plan

  • go build ./... passes
  • go vet ./... passes
  • CI pipeline passes

Note

Responses generated with Claude
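A check a reviewer of this bump would want to run, added here as an example and not code from the PR or from the kopia/OADP repositories: parse the `go` and `toolchain` directives out of go.mod and decide whether a default build (GOTOOLCHAIN=auto) can still end up on a toolchain older than the 1.25.8 release that carries the fixes listed above. A bare `go 1.25.0` line is satisfied by any 1.25.x toolchain, including unfixed ones; only a `toolchain go1.25.8` line (or a `go 1.25.8` line) rules those out. The three go.mod fragments are constructed from the version numbers in the description (the third, with the toolchain line omitted, is hypothetical), and the type and function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragments: before/after use the versions from the PR
// description; noToolchain is a hypothetical variant missing the toolchain line.
const (
	beforeGoMod = "module github.com/kopia/kopia\n\ngo 1.22.0\n\ntoolchain go1.22.11\n"
	afterGoMod  = "module github.com/kopia/kopia\n\ngo 1.25.0\n\ntoolchain go1.25.8\n"
	noToolchain = "module github.com/kopia/kopia\n\ngo 1.25.0\n"
)

// directives holds the two go.mod lines that decide which Go compiles the module.
type directives struct {
	Go        string // minimum Go version, e.g. "1.25.0"
	Toolchain string // toolchain chosen under GOTOOLCHAIN=auto, e.g. "go1.25.8"; "" if absent
}

// parseGoMod pulls the `go` and `toolchain` directives out of go.mod text.
// Standard library only; golang.org/x/mod/modfile is the full parser.
func parseGoMod(src string) directives {
	var d directives
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "go":
			d.Go = f[1]
		case "toolchain":
			d.Toolchain = f[1]
		}
	}
	return d
}

// parseVersion accepts "1.25.8", "go1.25.8" or "1.22" and returns {major, minor, patch}.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in Go version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// less is a lexicographic compare on {major, minor, patch}.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// effectiveMinimum is the oldest toolchain a GOTOOLCHAIN=auto build may use:
// the toolchain directive when present (it must be >= the go line), else the go line.
func effectiveMinimum(d directives) ([3]int, error) {
	goV, err := parseVersion(d.Go)
	if err != nil || d.Toolchain == "" {
		return goV, err
	}
	tc, err := parseVersion(d.Toolchain)
	if err != nil || less(tc, goV) { // go mod tidy rejects toolchain < go, but be safe
		return goV, err
	}
	return tc, nil
}

// pinsFixedToolchain reports whether go.mod rules out every toolchain older than
// minFixed (the release carrying the fixes), plus a reason either way.
func pinsFixedToolchain(d directives, minFixed string) (bool, string) {
	want, err := parseVersion(minFixed)
	if err != nil {
		return false, err.Error()
	}
	have, err := effectiveMinimum(d)
	if err != nil {
		return false, err.Error()
	}
	desc := fmt.Sprintf("go %s, toolchain %q", d.Go, d.Toolchain)
	if less(have, want) {
		return false, fmt.Sprintf("%s still admits Go %d.%d.%d, older than %s", desc, have[0], have[1], have[2], minFixed)
	}
	return true, fmt.Sprintf("%s requires Go >= %d.%d.%d", desc, have[0], have[1], have[2])
}

func main() {
	for name, src := range map[string]string{"before": beforeGoMod, "after": afterGoMod, "no-toolchain": noToolchain} {
		ok, why := pinsFixedToolchain(parseGoMod(src), "1.25.8")
		fmt.Printf("%-13s fixed=%-5v %s\n", name, ok, why)
	}
}
```

The directive only selects a toolchain when GOTOOLCHAIN is `auto` or `path`; a hermetic builder running with GOTOOLCHAIN=local compiles with whatever Go is installed in the image, so for the shipped binary the image's Go version (visible afterwards via `go version -m <binary>`) is what has to be checked. For the golang.org/x/* side, `govulncheck ./...` against the updated module graph is the corresponding check.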

Copilot AI review requested due to automatic review settings March 17, 2026 19:38
@coderabbitai bot commented Mar 17, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 570431af-0913-4347-a152-306d3c7892ef

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@oadp-snyk commented Mar 17, 2026

Snyk checks have passed. No issues have been found so far.

| Scan Engine | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| Licenses | 0 | 0 | 0 | 0 | 0 issues |


Copilot AI left a comment


Pull request overview

This PR updates the repository’s Go toolchain and golang.org/x/* dependencies to incorporate security fixes and address multiple CVEs.

Changes:

  • Bump the Go version/toolchain to Go 1.25.x (via go.mod toolchain directive).
  • Update golang.org/x/crypto and golang.org/x/net (and related x/* transitive deps) to newer fixed versions.
  • Refresh go.sum checksums to match the updated module graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| go.mod | Updates Go toolchain/version directives and bumps golang.org/x/* requirements. |
| go.sum | Updates module checksums for the bumped golang.org/x/* versions. |

module github.com/kopia/kopia

go 1.22.0
go 1.25.0
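Review bot: this context shows only the `go` directive moving from 1.22.0 to 1.25.0, and a `go 1.25.0` line on its own is satisfied by any 1.25.x toolchain, including the ones without the fixes the description lists (GO-2026-4337 through GO-2026-4342, CVE-2026-25679, CVE-2026-27137, all stated as fixed in go1.25.8). Confirm that the `toolchain go1.25.8` line the description mentions is present directly below this line, since that is the directive that keeps a GOTOOLCHAIN=auto build off an unfixed 1.25.x. Note also that neither directive selects a toolchain when GOTOOLCHAIN=local, as hermetic builder images commonly run; there the installed Go decides, so the release artifact should be checked with `go version -m <binary>` rather than trusting go.mod alone.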
@kaovilai kaovilai changed the title OADP-7565,OADP-7570,OADP-7573: bump Go toolchain to 1.25.8 and update x/* dependencies fix(deps): OADP-7565,OADP-7570,OADP-7573: bump Go toolchain to 1.25.8 and update x/* dependencies Mar 17, 2026
@kaovilai kaovilai force-pushed the oadp-1.5-go1.25.8 branch 7 times, most recently from fef3f98 to 278a111 on March 20, 2026 20:29
@codecov-commenter commented Mar 20, 2026

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (oadp-1.5@20bfabb). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             oadp-1.5      #13   +/-   ##
===========================================
  Coverage            ?   77.53%           
===========================================
  Files               ?      527           
  Lines               ?    30397           
  Branches            ?        0           
===========================================
  Hits                ?    23568           
  Misses              ?     4818           
  Partials            ?     2011           

☔ View full report in Codecov by Sentry.

… and update dependencies

Update Go toolchain to 1.25.8 to address multiple CVEs:
- GO-2026-4337, GO-2026-4340 (crypto/tls)
- GO-2026-4341 (net/url)
- GO-2026-4342 (archive/zip)
- CVE-2026-25679 (net/url IPv6 host parsing)
- CVE-2026-27137 (crypto/x509 email constraints)

Update golang.org/x/* dependencies:
- x/crypto v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
- x/net v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0

Update go.opentelemetry.io/otel/sdk v1.34.0 → v1.42.0
(fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
@kaovilai kaovilai force-pushed the oadp-1.5-go1.25.8 branch from 278a111 to ded07ca on March 20, 2026 22:03
Labels

None yet

Projects

None yet

4 participants