[cherry-pick v20260330] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0#8565
Closed
djsly wants to merge 1 commit into
Closed
Conversation
IcM 796913379 Backport of Azure#8551 to official/v20260330. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
djsly
requested review from
AbelHu,
Devinwong,
SriHarsha001,
awesomenix,
calvin197,
cameronmeissner,
ganeshkumarashok,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Backport security/toolchain updates onto official/v20260330, aligning the repo’s Go toolchain and key golang.org/x/* dependencies with the upstream fix from #8551.
Changes:
- Bump Go version directives across the main module and submodules to
go 1.25.10. - Update
golang.org/x/net(and relatedx/*deps) to newer versions in the main module and e2e/aks-node-controller modules. - Update GitHub Actions workflows to use Go
1.25, and fix an invalidfmt.Sprintf(... %w ...)usage in e2e config.
Reviewed changes
Copilot reviewed 15 out of 18 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| go.mod | Bumps Go version; updates indirect golang.org/x/net, x/sys, x/text; reclassifies ignition as indirect. |
| go.sum | Updates checksums for updated golang.org/x/* and related transitive deps. |
| e2e/go.mod | Bumps Go version and updates golang.org/x/* deps (incl. x/crypto). |
| e2e/go.sum | Updates checksums consistent with e2e dependency bumps. |
| e2e/config/config.go | Replaces invalid %w in fmt.Sprintf with %v. |
| aks-node-controller/go.mod | Bumps Go version and golang.org/x/sys indirect version. |
| aks-node-controller/go.sum | Updates checksums for golang.org/x/net, x/sys, x/text. |
| vhdbuilder/prefetch/go.mod | Bumps Go version for the prefetch submodule. |
| vhdbuilder/lister/go.mod | Bumps Go version for the lister submodule. |
| image-fetcher/go.mod | Bumps Go version for the image-fetcher submodule. |
| hack/tools/go.mod | Bumps Go version for the tools module. |
| .github/workflows/validate-components.yml | Updates CI Go version to 1.25. |
| .github/workflows/shellspec.yaml | Updates CI Go version to 1.25. |
| .github/workflows/shellcheck.yml | Updates CI Go version to 1.25. |
| .github/workflows/golangci-lint.yml | Updates CI Go version to 1.25. |
| .github/workflows/go-test.yml | Updates CI Go version to 1.25. |
| .github/workflows/copilot-setup-steps.yml | Updates CI Go version to 1.25. |
| .github/workflows/check-coverage.yml | Updates CI Go version to 1.25. |
Comment on lines
1
to
4
| module github.com/Azure/agentbaker/vhdbuilder/lister | ||
|
|
||
| go 1.24.12 | ||
| go 1.25.10 | ||
|
|
Comment on lines
1
to
4
| module github.com/Azure/agentbaker/image-fetcher | ||
|
|
||
| go 1.24.12 | ||
| go 1.25.10 | ||
|
|
djsly
changed the title
Collaborator
Author
|
Closing in favor of #8575 (recreated from |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cherry-pick of #8551 to
official/vv20260330.Bumps the Go toolchain and
golang.org/x/netto address upstream CVEs:net/mail(stdlib)cmd/gopacksubcommand directory traversalcmd/go(stdlib)golang.org/x/netWhy bump to Go 1.25 (and not a 1.24.x patch)
Go 1.24 reached EOL in February 2026 and does NOT receive security backports.
go1.25.10is the only release stream that contains these fixes.golang.org/x/net v0.51.0+also requiresgo 1.25.0in its owngo.mod, so the Go bump is required regardless.Verification
go mod tidysucceeds for every module in the branch.go build ./...clean across every module.go 1.25runners.Release plan
Once merged, two tags are pushed off the resulting commit:
v0.v20260330.<N+1>(AgentBaker module)aks-node-controller/v0.v20260330.<N+1>(aks-node-controller submodule)🤖 Generated with GitHub Copilot CLI