chore(deps): bump golang.org/x/crypto

[wgkingk]

Summary by CodeRabbit

• Chores
  • Updated Go toolchain to a newer version for improved compatibility.
  • Upgraded direct and indirect Go dependencies for enhanced stability and security.
  • Updated the build environment/base image used for building to match the newer toolchain.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Bumps Go toolchain to 1.24, updates several golang.org/x/* dependencies (notably golang.org/x/crypto), adds a replace for k8s.io/client-go, and updates the Docker builder image to use Go 1.24.

Changes

Cohort / File(s)	Summary
Toolchain & Dependencies go.mod	Update Go toolchain to 1.24.0 and add toolchain go1.24.11; upgrade golang.org/x/crypto v0.38.0→v0.45.0 and indirect golang.org/x/* deps (net, sys, term, text); add/adjust replace for k8s.io/client-go → v0.24.4.
Build image Dockerfile	Change builder base image ARG BUILDER_IMAGE from golang:1.23-bullseye → golang:1.24-trixie. Build steps and test invocation unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify compatibility of upgraded golang.org/x/* packages (especially x/crypto) with existing code and CI.
• Confirm the k8s.io/client-go replace directive and target version are intentional.
• Validate Docker build and any image-specific toolchain differences on golang:1.24-trixie.

Possibly related PRs

• update golang.org/x/crypto and golang.org/x/net to fix cves #16 — similar changes updating Go toolchain and golang.org/x/* dependencies and the Dockerfile.

Suggested reviewers

• davidwtf

Poem

🐇 I nudged the go.mod, gave modules a spin,

swapped builder's boots, let new toolchains in.
Dependencies danced, versions all in a row,
I nibbled the bytes and set builds to go! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title focuses on bumping golang.org/x/crypto, but the PR contains broader dependency updates across multiple packages (golang.org/x/net, golang.org/x/sys, golang.org/x/term, golang.org/x/text) and Go toolchain upgrades (1.23.0 to 1.24.0), plus Docker image updates.	Revise the title to reflect the comprehensive nature of the changes, such as 'chore(deps): upgrade Go toolchain and dependencies' or 'chore(deps): bump Go to 1.24 and update x packages'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix_cve

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 537cf32 and 6990f44.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• Dockerfile (1 hunks)
• go.mod (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• go.mod
• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build
• GitHub Check: Analyze (go)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

go.mod (1)

1-90: Recommend testing the build and test suite post-merge.

These dependency upgrades, particularly the Go toolchain bump to 1.24 and the golang.org/x/crypto security update, should be validated through a full build and test run to catch any latent compatibility issues before merging to main.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f4efc52 and 6a64064.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (go)

🔇 Additional comments (3)

go.mod (3)

3-5: Verify Go 1.24 compatibility with the project.

The Go toolchain has been bumped to 1.24.0 (with go1.24.11 as the recommended toolchain). Ensure this version aligns with your project's compatibility requirements and CI/CD configurations.

---

22-22: Verify golang.org/x/crypto v0.45.0 addresses intended CVE fixes.

The crypto package is being bumped from v0.38.0 to v0.45.0—a significant jump spanning multiple versions. Confirm that this upgrade addresses the specific security vulnerabilities intended by this PR (referenced in branch name "fix_cve"), and check the release notes for any breaking API changes.

---

73-73: Verify indirect golang.org/x dependencies are compatible.

The indirect dependencies in the golang.org/x namespace have been updated to support the crypto package upgrade. Ensure that these transitive dependency updates (net v0.47.0, sys v0.38.0, term v0.37.0, text v0.31.0) don't introduce breaking changes or API incompatibilities with the rest of the codebase.

Also applies to: 75-77

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a64064 and 537cf32.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• Dockerfile (1 hunks)
• go.mod (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

go.mod (1)

3-5: Verify Go toolchain alignment in CI, clarify CVE relevance to codebase usage.

The golang.org/x/crypto v0.45.0 bump addresses CVE-2025-58181 and CVE-2025-47914, both SSH-specific vulnerabilities (GSSAPI mechanism bounds and SSH agent message validation). However, this codebase doesn't use SSH or SSH/agent—only crypto/tls, crypto modules, and bcrypt—so these CVEs may not be applicable here.

The critical issue: your CI workflow (.github/workflows/build.yml) doesn't specify a Go version and will use ubuntu-latest's default, which likely doesn't match the declared toolchain go1.24.11. Either pin the Go version in CI (e.g., via actions/setup-go@v4 with go-version: 1.24.11) or clarify the version strategy. Also, the Makefile and CI don't run integration tests—only go test ./... in the Makefile—so verify that target directly instead of relying on CI.