[cherry-pick v20251206] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0#8552
Open
djsly wants to merge 1 commit into
Open
[cherry-pick v20251206] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0#8552djsly wants to merge 1 commit into
djsly wants to merge 1 commit into
Conversation
Backport of the patch from #8551 to official/v20251206 for IcM 796913379. Fixes CVE-2026-39820 (net/mail DoS) and CVE-2026-39817 (cmd/go pack traversal). Go 1.24 reached EOL Feb 2026 with no security backports — Go 1.25.10 is the only release stream with these fixes. golang.org/x/net v0.51.0+ requires go 1.25.0 so the Go bump is forced. IcM: 796913379 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
djsly
requested review from
AbelHu,
Devinwong,
awesomenix,
cameronmeissner,
ganeshkumarashok,
junjiezhang1997,
lilypan26,
phealy,
r2k1,
timmy-wright and
zachary-bailey
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This cherry-pick backports security updates to the official/v20251206 branch by raising the minimum Go toolchain version and refreshing key Go ecosystem dependencies to address the CVEs referenced in IcM 796913379.
Changes:
- Bumps the
goversion across all Go modules in this branch to1.25.10. - Updates
golang.org/x/nettov0.55.0(and corresponding transitivex/*libs) with refreshedgo.sumentries. - Updates GitHub Actions workflows to use Go
1.25for CI jobs.
Reviewed changes
Copilot reviewed 12 out of 15 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
go.mod |
Raises the root module’s Go version and bumps indirect golang.org/x/* dependencies. |
go.sum |
Updates checksums for bumped golang.org/x/* dependency graph. |
e2e/go.mod |
Raises e2e module Go version; bumps x/crypto and transitive x/* versions. |
e2e/go.sum |
Updates checksums for the e2e module dependency graph. |
aks-node-controller/go.mod |
Raises aks-node-controller module Go version; bumps x/sys. |
aks-node-controller/go.sum |
Updates checksums for the aks-node-controller dependency graph. |
hack/tools/go.mod |
Raises hack/tools module Go version. |
vhdbuilder/lister/go.mod |
Raises vhdbuilder/lister module Go version (and removes the prior toolchain directive). |
vhdbuilder/prefetch/go.mod |
Raises vhdbuilder/prefetch module Go version. |
.github/workflows/check-coverage.yml |
Updates CI Go version to 1.25. |
.github/workflows/go-test.yml |
Updates CI Go version to 1.25. |
.github/workflows/golangci-lint.yml |
Updates CI Go version to 1.25. |
.github/workflows/shellcheck.yml |
Updates CI Go version to 1.25. |
.github/workflows/shellspec.yaml |
Updates CI Go version to 1.25. |
.github/workflows/validate-components.yml |
Updates CI Go version to 1.25 for both jobs. |
| module github.com/Azure/agentbaker | ||
|
|
||
| go 1.23.0 | ||
| go 1.25.10 |
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
| uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
Comment on lines
10
to
+12
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
Comment on lines
46
to
+49
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: '1.24' | ||
| go-version: '1.25' |
djsly
changed the title
Devinwong
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cherry-pick of #8551 to
official/vv20251206.Bumps the Go toolchain and
golang.org/x/netto address upstream CVEs:net/mail(stdlib)cmd/gopacksubcommand directory traversalcmd/go(stdlib)golang.org/x/netWhy bump to Go 1.25 (and not a 1.24.x patch)
Go 1.24 reached EOL in February 2026 and does NOT receive security backports.
go1.25.10is the only release stream that contains these fixes.golang.org/x/net v0.51.0+also requiresgo 1.25.0in its owngo.mod, so the Go bump is required regardless.Verification
go mod tidysucceeds for every module in the branch.go build ./...clean across every module.go 1.25runners.Release plan
Once merged, two tags are pushed off the resulting commit:
v0.v20251206.<N+1>(AgentBaker module)aks-node-controller/v0.v20251206.<N+1>(aks-node-controller submodule)🤖 Generated with GitHub Copilot CLI