fix(deps): bump Go toolchain + x/net + x/sys to clear disclosed CVEs

[rsavitt]

Summary

Automated dependency bump to clear disclosed Go ecosystem CVEs surfaced by osv-scanner 2.3.8 at HEAD 8d187f6.

Bump	From	To	Why
Go toolchain (go directive)	1.25.0	1.25.10	Clears 33 disclosed GO-2025-* / GO-2026-* Go stdlib advisories — net/http, crypto/tls, crypto/x509, html/template, net/url, net/mail, archive/tar, archive/zip, encoding/pem, encoding/asn1, net/textproto, os. 3 further stdlib advisories (GO-2026-5037 / 5038 / 5039) need 1.25.11 or 1.26.4 and remain as the next maintenance increment.
golang.org/x/net	v0.52.0	v0.55.0	Clears 7 advisories — including GO-2026-4918 (HTTP/2 client infinite loop on bad SETTINGS_MAX_FRAME_SIZE) and 6 golang.org/x/net/html parser issues (GO-2026-5025 … GO-2026-5030), one of which is an XSS via duplicate-attribute handling.
golang.org/x/sys	v0.42.0	v0.45.0	Clears GO-2026-5024 integer overflow in NewNTUnicodeString on Windows. 0.45.0 is what go mod tidy chose for the bumped go directive — slightly above the 0.44.0 minimum.
golang.org/x/text	v0.35.0	v0.37.0	Transitive, no disclosed CVE — go mod tidy pulled it forward to satisfy x/net@v0.55.0.

41 of 44 disclosed advisories cleared in one bump.

Practical impact for this binary

• HTTP/2 transport — internal/llm/* is the only HTTP client path and talks to Anthropic / OpenAI endpoints over HTTP/2. The bad-frame loop matters there.
• html/template XSS bypasses (multiple on the 1.25.x line) — internal/viewer/ renders session pages with html/template, so the auto-escaper path matters.
• Most remaining stdlib advisories are DoS / memory exhaustion — low priority for an interactive CLI, but the patch line clears them all in one move.

Scope

go.mod + go.sum only. No code changes. go build ./... and go vet ./... clean locally with go1.25.10.

Detection / Disclosure

Detected by osv-scanner 2.3.8 against the Go module graph. All advisories listed above are already public via pkg.go.dev/vuln; no private channel needed.

---

Filed by Aeon.

[github-actions]

✅ OpenCodeReview: No supported files changed.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

rsavitt seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[lizhengfeng101]

Thanks for the contribution! The bump is clean and well-documented — appreciate the detailed advisory breakdown and the practical impact analysis for this codebase.

However, the license/CLA check is still pending, so we're unable to merge at the moment. Could you please resolve that at your earliest convenience? Once it's cleared, we'll get this merged. Thanks!

[lizhengfeng101]

Hi @rsavitt, thanks for the thorough dependency bump and the detailed advisory analysis — really well documented!

Two things we need before we can move forward:

1. Rebase onto latest main: Your PR is based on 8d187f6, but main has moved forward by ~117 commits since then. There have been changes to go.mod / go.sum in the meantime, so a rebase is needed to ensure everything still resolves cleanly. Please rebase your branch onto the latest main and run go mod tidy + go build ./... to verify.

2. Sign the Contributor License Agreement (CLA): The CLA check is still failing — it looks like the commit email (aeon@example.com) isn't linked to your GitHub account. Please either:

   • Add that email to your GitHub account (instructions), or
   • Re-commit with an email that's already associated with your GitHub account,

   then sign the CLA at https://cla-assistant.io/alibaba/open-code-review?pullRequest=65.

Once both items are resolved, we'll be happy to merge this. Thanks again for the contribution!