From 04dc21ec72f716aa2e2c48589225f4b5bd42ebc8 Mon Sep 17 00:00:00 2001
From: Arthur Costa <arthur.alvesdeveloper@gmail.com>
Date: Wed, 12 Nov 2025 10:24:57 +0000
Subject: [PATCH] fix(security): upgrade Go version to 1.24 to resolve stdlib
 vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upgrade Go from 1.23 to 1.24 to address 8 security vulnerabilities in the
Go standard library detected by govulncheck.

## Security Vulnerabilities Fixed

All vulnerabilities are in Go stdlib, not in gitshift code:

1. **GO-2025-4013** (crypto/x509) - DSA certificate validation panic
   - Fixed in: Go 1.24.8

2. **GO-2025-4012** (net/http) - Cookie parsing memory exhaustion
   - Fixed in: Go 1.24.8

3. **GO-2025-4011** (encoding/asn1) - DER parsing memory exhaustion
   - Fixed in: Go 1.24.8

4. **GO-2025-4010** (net/url) - IPv6 hostname validation
   - Fixed in: Go 1.24.8

5. **GO-2025-4009** (encoding/pem) - Quadratic parsing complexity
   - Fixed in: Go 1.24.8

6. **GO-2025-4008** (crypto/tls) - ALPN negotiation error information leak
   - Fixed in: Go 1.24.8

7. **GO-2025-4007** (crypto/x509) - Name constraints quadratic complexity
   - Fixed in: Go 1.24.9

8. **GO-2025-4006** (net/mail) - ParseAddress CPU exhaustion
   - Fixed in: Go 1.24.8

## Changes

- Updated go.mod: go 1.23.0 → go 1.24.0
- Updated all GitHub workflow files: GO_VERSION: '1.23' → '1.24'

## Impact

- Resolves all 8 stdlib vulnerabilities
- No breaking changes (Go 1.24 is backward compatible)
- Improves security posture
- All existing code remains compatible

## Testing

CI/CD workflows will automatically test with Go 1.24:
- Unit tests
- Build verification
- Security scans (should now pass)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/ci.yml                | 2 +-
 .github/workflows/dependency-update.yml | 2 +-
 .github/workflows/docs.yml              | 2 +-
 .github/workflows/release-build.yml     | 2 +-
 .github/workflows/release-publish.yml   | 2 +-
 .github/workflows/release-tag.yml       | 2 +-
 .github/workflows/security.yml          | 2 +-
 go.mod                                  | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c262be..87d94cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
     branches: [main, develop]
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 
 jobs:
   test:
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 5c92a24..85dcda3 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -18,7 +18,7 @@ on:
           - major
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 
 jobs:
   check-updates:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0428200..4f47af9 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -6,7 +6,7 @@ on:
     paths: [docs/**, README.md, .github/workflows/docs.yml]
   workflow_dispatch:
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 jobs:
   # 📚 Documentation Validation
   docs-validation:
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index e7ba852..7383edc 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -7,7 +7,7 @@ on:
       - 'v*'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   BINARY_NAME: gitshift
 
 jobs:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 8c9f9c9..dd87ee7 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -5,7 +5,7 @@ on:
   push:
     tags: [v*]
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   BINARY_NAME: gitshift
 jobs:
   # 🚀 Publish Release
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 9f4798a..5642d85 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -10,7 +10,7 @@ on:
       - main
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 
 jobs:
   # 🏷️ Create Tag
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index efa9033..285949b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -10,7 +10,7 @@ on:
     - cron: 0 3 * * *
   workflow_dispatch:
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 jobs:
   # 🔍 Security Scanning
   security-scan:
diff --git a/go.mod b/go.mod
index 367f91f..c1bb4ec 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/techishthoughts/gitshift
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/cli/go-gh/v2 v2.12.2