Bump Go version to 1.25 to fix govulncheck failures

avirak · avirak · commit 6bddc23f82a5 · 2026-03-07T06:24:58.000Z
Go 1.25.8 includes fixes for the following CVEs that are failing the Two vulncheck build for vpc-tunnel: - CVE-2026-25679: Incorrect parsing of IPv6 host literals in net/url - CVE-2026-27139: FileInfo can escape from a Root in os - CVE-2026-27142: URLs in meta content attribute actions not escaped in html/template - CVE-2026-27138: Panic in name constraint checking in crypto/x509 - CVE-2026-27137: Incorrect enforcement of email constraints in crypto/x509 Go 1.24 has no backported patches for these vulnerabilities.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -13,6 +13,6 @@ jobs:
       - name: setup go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.24.x'
+          go-version: '1.25.x'
       - name: build and unit test
         run: make build
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/aws/amazon-vpc-cni-plugins
 
-go 1.24
+go 1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.1
