
fix(deps): OADP-7565: bump Go toolchain to 1.25.8 and update x/* dependencies#14

Open
kaovilai wants to merge 1 commit into migtools:oadp-dev from kaovilai:oadp-dev-go1.25.8

Conversation

@kaovilai
Member

@kaovilai kaovilai commented Mar 17, 2026

Summary

  • Update Go toolchain from toolchain go1.25.4 to toolchain go1.25.8 to address multiple CVEs
  • Bump golang.org/x/crypto to v0.49.0 and golang.org/x/net to v0.52.0 for security fixes
  • Bump go.opentelemetry.io/otel/sdk from v1.38.0 to v1.42.0 (fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)
  • Transitive bumps: x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0
  • Run npm audit fix in app/ to resolve npm audit failures

CVEs Addressed

Go Toolchain (1.25.8)

CVE               Component
GO-2026-4337      crypto/tls
GO-2026-4340      crypto/tls
GO-2026-4341      net/url
GO-2026-4342      archive/zip
CVE-2026-25679    net/url (IPv6 host parsing)
CVE-2026-27137    crypto/x509 (email constraints)

golang.org/x/* Dependencies

CVE                    Component                                   Fix Version
GHSA-vvgc-356p-c3xw    golang.org/x/net (XSS in HTML tokenizer)    v0.38.0+ → v0.52.0
GHSA-j5w8-q4qc-rx2x    golang.org/x/crypto (ssh DoS)               v0.45.0+ → v0.49.0
GHSA-f6x5-jh6r-wrfv    golang.org/x/crypto (ssh/agent panic)       v0.45.0+ → v0.49.0

Other Vulnerable Dependencies

CVE                    Component                                        Change
GHSA-9h8m-3fm2-qjrq    go.opentelemetry.io/otel/sdk (PATH hijacking)    v1.38.0 → v1.42.0

Jira

  • OADP-7565

Test plan

  • go build ./... passes
  • CI pipeline passes

Note

Responses generated with Claude

Summary by CodeRabbit

  • Chores
    • Updated Go language toolchain and dependencies including OpenTelemetry, gRPC, and Protobuf libraries to latest stable versions.
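The fix versions in the tables above can be turned into a repeatable check rather than a one-off reading of go.mod. The Go program below is an added example, not code from this PR or from the kopia/OADP project: it parses a go.mod excerpt (constructed here to mirror the versions named above, with an invented lagging x/crypto pin in the "before" state), compares the toolchain line and the pinned x/net, x/crypto and otel/sdk versions against a small policy table, and reports every pin still below its fixed-in version. The x/net and x/crypto thresholds are the lower bounds the tables give; for the toolchain and otel/sdk the example assumes the versions this PR moves to. It also covers the case where go.mod has no toolchain line, in which Go uses the go directive as the toolchain requirement.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpts, not the project's real file: "before" has the toolchain and otel/sdk
// versions this PR replaces plus an invented lagging x/crypto pin, "after" mirrors the PR's versions.
const goModBefore = "module github.com/kopia/kopia\n\ngo 1.25\n\ntoolchain go1.25.4\n\nrequire (\n" +
	"\tgo.opentelemetry.io/otel/sdk v1.38.0\n\tgolang.org/x/crypto v0.44.0\n\tgolang.org/x/net v0.52.0\n)\n"
const goModAfter = "module github.com/kopia/kopia\n\ngo 1.25.0\n\ntoolchain go1.25.8\n\nrequire (\n" +
	"\tgo.opentelemetry.io/otel/sdk v1.42.0\n\tgolang.org/x/crypto v0.49.0\n\tgolang.org/x/net v0.52.0\n\tgolang.org/x/text v0.35.0 // indirect\n)\n"

// Policy: anything pinned below the listed version is reported with the advisories named in the PR.
// x/net and x/crypto use the PR table's lower bounds; toolchain and otel/sdk use the versions the PR moves to (an assumption here).
var fixedIn = map[string]struct{ Version, Advisories string }{
	"toolchain":                    {"go1.25.8", "GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137"},
	"golang.org/x/net":             {"v0.38.0", "GHSA-vvgc-356p-c3xw"},
	"golang.org/x/crypto":          {"v0.45.0", "GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv"},
	"go.opentelemetry.io/otel/sdk": {"v1.42.0", "GHSA-9h8m-3fm2-qjrq"},
}

type GoMod struct { // the parts of go.mod this check reads
	GoDirective, Toolchain string
	Require                map[string]string // module path -> pinned version
}

// ParseGoMod is a minimal line-oriented reader: go and toolchain directives plus a block require section; replace, exclude and single-line require entries are ignored.
func ParseGoMod(src string) GoMod {
	m := GoMod{Require: map[string]string{}}
	inBlock := false
	for _, line := range strings.Split(src, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drops "// indirect" and other comments
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			m.Require[f[0]] = f[1]
		case f[0] == "go" && len(f) == 2:
			m.GoDirective = f[1]
		case f[0] == "toolchain" && len(f) == 2:
			m.Toolchain = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		}
	}
	return m
}
var leadingDigits = regexp.MustCompile(`^\d+`)

// CompareVersions orders "v0.49.0", "go1.25.8" or "1.25" by numeric components; a missing component counts as 0 and pre-release suffixes are ignored, which is enough for release pins.
func CompareVersions(a, b string) int {
	na, nb := numbers(a), numbers(b)
	for i := range na {
		if na[i] < nb[i] {
			return -1
		} else if na[i] > nb[i] {
			return 1
		}
	}
	return 0
}

func numbers(v string) [3]int {
	var n [3]int
	for i, part := range strings.SplitN(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), ".", 3) {
		n[i], _ = strconv.Atoi(leadingDigits.FindString(part))
	}
	return n
}

type Finding struct{ Name, Have, Need, Advisories string } // a toolchain or module pin still below its fixed-in version

// Check applies the policy to m, keyed by name. A module absent from go.mod is not reported: the check is about what is pinned, not about whether the module is pulled in at all.
func Check(m GoMod) map[string]Finding {
	pins := map[string]string{"toolchain": "go" + m.GoDirective} // Go's default when no toolchain line is present
	if m.Toolchain != "" {
		pins["toolchain"] = m.Toolchain
	}
	for mod, v := range m.Require {
		pins[mod] = v
	}
	out := map[string]Finding{}
	for name, have := range pins {
		if fix, ok := fixedIn[name]; ok && CompareVersions(have, fix.Version) < 0 {
			out[name] = Finding{name, have, fix.Version, fix.Advisories}
		}
	}
	return out
}

func main() {
	fmt.Println(Check(ParseGoMod(goModBefore)), Check(ParseGoMod(goModAfter)))
}
```

Run as-is with `go run` it prints three findings for the "before" state (toolchain, otel/sdk, x/crypto) and none for the "after" state. The policy table is intentionally separate from the parser so that the thresholds can be maintained alongside the Jira ticket; in a real pipeline the same check would be pointed at the repository's go.mod and run before merge, and a parser that must handle every go.mod directive should use golang.org/x/mod/modfile instead of the line reader here.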

Copilot AI review requested due to automatic review settings March 17, 2026 19:41
@coderabbitai

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dabe4835-4849-4e29-9880-73f52a922cfd

📥 Commits

Reviewing files that changed from the base of the PR and between 98a6de0 and 2fbd4f5.

⛔ Files ignored due to path filters (2)
  • app/package-lock.json is excluded by !**/package-lock.json
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
✅ Files skipped from review due to trivial changes (1)
  • go.mod

📝 Walkthrough

Go module dependency pins updated: Go directive/toolchain set to 1.25.0 / go1.25.8 and multiple direct and indirect module versions bumped (notably OpenTelemetry, golang.org/x/, google.golang.org/). No source code changes outside go.mod.

Changes

Cohort / File(s): Go module & dependency pins (go.mod)
Summary: Updated go directive to 1.25.0, toolchain to go1.25.8; upgraded OpenTelemetry modules (e.g., go.opentelemetry.io/otel v1.38.0→v1.42.0), golang.org/x/* modules (crypto, mod, net, oauth2, sync, sys, term, text), google.golang.org/grpc and google.golang.org/protobuf, plus various indirect dependency version bumps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through go.mod with nimble feet,
nudged versions forward, tidy and neat.
Dependencies bloom, the build takes flight,
I munch on bytes beneath moonlight. 🥕✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name            Status      Explanation
Description Check     ✅ Passed   Check skipped - CodeRabbit’s high-level summary is enabled.
Title check           ✅ Passed   The title clearly and specifically describes the main changes: bumping Go toolchain to 1.25.8 and updating x/* dependencies, which directly matches the changeset focused on dependency version upgrades.
Docstring Coverage    ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@oadp-snyk

oadp-snyk commented Mar 17, 2026

Snyk checks have passed. No issues have been found so far.

Scan (Engine)           Critical    High    Medium    Low    Total (0)
Open Source Security    0           0       0         0      0 issues
Licenses                0           0       0         0      0 issues



Copilot AI left a comment


Pull request overview

Updates the project’s Go toolchain and golang.org/x/* dependencies to pick up upstream security fixes, primarily via go.mod/go.sum version bumps.

Changes:

  • Bump Go toolchain from go1.25.4 to go1.25.8.
  • Update golang.org/x/crypto and golang.org/x/net (plus related transitive x/* modules) to newer patched versions.
  • Regenerate go.sum accordingly.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File      Description
go.mod    Updates the toolchain and golang.org/x/* dependency versions.
go.sum    Updates module checksums to match the dependency bumps.

module github.com/kopia/kopia

go 1.25
go 1.25.0
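Review bot: the `go` directive moves from `1.25` to `1.25.0` in the same change that bumps `toolchain go1.25.8`, but the PR description only mentions the toolchain; a sentence explaining the directive change would help, because the two forms are not equivalent. Since Go 1.21 the `go` line also sets the minimum Go version required, and in that ordering `1.25` sorts below `1.25rc1`, which sorts below `1.25.0`, so `go 1.25.0` is the form that requires a released 1.25 toolchain. With `toolchain go1.25.8` present the effective minimum is 1.25.8 either way, so the change is consistent with the walkthrough's "1.25.0 / go1.25.8", but it should be stated as intentional rather than left as an unexplained side effect of `go mod tidy` or `go get toolchain@...`.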

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
go.mod (1)

3-5: Optional follow-up: pin CI/build images to Go 1.25.8 as well.

To avoid drift between local and CI behavior, ensure pipeline/runtime images are also on go1.25.8.

Also applies to: 61-69

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 3 - 5, The CI/build images and any runtime Docker/base
images need to be pinned to the same Go toolchain version declared in go.mod
(toolchain go1.25.8) to avoid drift; update your CI pipeline configs (e.g.,
GitHub Actions workflows, Dockerfiles, builder images, and any buildkite/tekton
templates) to use `golang:1.25.8` (or the equivalent image/tag that matches
toolchain go1.25.8) wherever a Go version is specified so the environment
matches the go.mod toolchain entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c4d3aa62-449c-4924-9d94-93e0861d2fa2

📥 Commits

Reviewing files that changed from the base of the PR and between b68c22a and abd440e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@codecov-commenter

codecov-commenter commented Mar 17, 2026

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (oadp-dev@b68c22a). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             oadp-dev      #14   +/-   ##
===========================================
  Coverage            ?   77.93%           
===========================================
  Files               ?      548           
  Lines               ?    31459           
  Branches            ?        0           
===========================================
  Hits                ?    24517           
  Misses              ?     4884           
  Partials            ?     2058           


@kaovilai kaovilai changed the title from "OADP-7565: bump Go toolchain to 1.25.8 and update x/* dependencies" to "fix(deps): OADP-7565: bump Go toolchain to 1.25.8 and update x/* dependencies" on Mar 17, 2026
@kaovilai kaovilai force-pushed the oadp-dev-go1.25.8 branch from abd440e to 98a6de0 on March 17, 2026 20:59

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 56-59: The OTLP exporter module versions in go.mod are out of sync
with the core OpenTelemetry modules; update
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (and any other
otlp exporter entries) to v1.42.0 to match go.opentelemetry.io/otel,
go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/trace; locate the
entries for otlptracegrpc (and other otlp exporter modules) and change their
version strings from v1.38.0 to v1.42.0 so all stable OTel modules have exact
version parity.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3aac446a-a55d-47df-8325-c065268be69d

📥 Commits

Reviewing files that changed from the base of the PR and between abd440e and 98a6de0.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

@kaovilai kaovilai force-pushed the oadp-dev-go1.25.8 branch 2 times, most recently from f88d5f6 to ce6825f on March 17, 2026 21:24
…cies

Update Go toolchain from go1.25.4 to go1.25.8 to address multiple CVEs:
- GO-2026-4337, GO-2026-4340 (crypto/tls)
- GO-2026-4341 (net/url)
- GO-2026-4342 (archive/zip)
- CVE-2026-25679 (net/url IPv6 host parsing)
- CVE-2026-27137 (crypto/x509 email constraints)

Update golang.org/x/* dependencies:
- x/crypto v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
- x/net v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0

Update go.opentelemetry.io/otel/sdk v1.38.0 → v1.42.0
(fixes GHSA-9h8m-3fm2-qjrq: arbitrary code execution via PATH hijacking)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
@kaovilai kaovilai force-pushed the oadp-dev-go1.25.8 branch from ce6825f to 2fbd4f5 on March 20, 2026 22:03