chore(deps): update Go toolchain to 1.24.11 and fix CVEs [security]#119

Merged
flemzord merged 1 commit into main from fix/security-cve-updates
Jan 2, 2026

Conversation

@flemzord
Member

@flemzord flemzord commented Jan 2, 2026

Summary

  • Update Go toolchain from 1.24.7 to 1.24.11 to fix 9 stdlib vulnerabilities
  • Update golang.org/x/crypto from v0.43.0 to v0.45.0 to fix 2 vulnerabilities

Fixed Vulnerabilities

Go Standard Library (9 CVEs)

ID            Package        Description
GO-2025-4175  crypto/x509    Improper application of excluded DNS name constraints when verifying wildcard names
GO-2025-4155  crypto/x509    Excessive resource consumption when printing error string for host certificate validation
GO-2025-4013  crypto/x509    Panic when validating certificates with DSA public keys
GO-2025-4012  net/http       Lack of limit when parsing cookies can cause memory exhaustion
GO-2025-4011  encoding/asn1  Parsing DER payload can cause memory exhaustion
GO-2025-4010  net/url        Insufficient validation of bracketed IPv6 hostnames
GO-2025-4009  encoding/pem   Quadratic complexity when parsing some invalid inputs
GO-2025-4008  crypto/tls     ALPN negotiation error contains attacker controlled information
GO-2025-4007  crypto/x509    Quadratic complexity when checking name constraints

golang.org/x/crypto (2 CVEs)

ID            Package    Description
GO-2025-4135  ssh/agent  Malformed constraint may cause denial of service
GO-2025-4134  ssh        Unbounded memory consumption

Test Plan

  • go build ./... passes
  • go test ./... passes
  • govulncheck ./... reports no vulnerabilities

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to the latest patch version
    • Updated all dependencies to newer versions for improved compatibility and security patches

Update Go toolchain from 1.24.7 to 1.24.11 to fix 9 stdlib vulnerabilities:
- GO-2025-4175: crypto/x509 (wildcard name constraint bypass)
- GO-2025-4155: crypto/x509 (excessive resource consumption)
- GO-2025-4013: crypto/x509 (panic with DSA public keys)
- GO-2025-4012: net/http (cookie parsing memory exhaustion)
- GO-2025-4011: encoding/asn1 (DER parsing memory exhaustion)
- GO-2025-4010: net/url (IPv6 hostname validation)
- GO-2025-4009: encoding/pem (quadratic complexity)
- GO-2025-4008: crypto/tls (ALPN negotiation info leak)
- GO-2025-4007: crypto/x509 (name constraint check complexity)

Update golang.org/x/crypto from v0.43.0 to v0.45.0 to fix:
- GO-2025-4135: ssh/agent (malformed constraint DoS)
- GO-2025-4134: ssh (unbounded memory consumption)
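The test plan above gates on govulncheck, which needs the vulnerability database and therefore network access. A complementary offline check, added here as an example and not code from this repository or from the PR, is a version floor: parse go.mod and assert that the toolchain directive and the require entries are at least the fixed versions the PR names (toolchain 1.24.11, golang.org/x/crypto v0.45.0). The go.mod text and the module path example.com/service below are constructed for illustration, and the function names (parseVersion, older, pinnedVersions, belowMinimum) are this example's own. It generalises the PR's two bumps to any map of module minimums.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod (not this repository's file) pinning the versions the PR names.
const sampleGoMod = `module example.com/service
toolchain go1.24.11
require golang.org/x/text v0.31.0
require (
	golang.org/x/crypto v0.45.0 // indirect
)
`

// minimums: lowest version carrying the PR's fixes (values from the PR); "toolchain" is the Go toolchain.
var minimums = map[string]string{
	"toolchain":           "1.24.11",
	"golang.org/x/crypto": "v0.45.0",
}

// parseVersion turns "go1.24.11", "v0.45.0" or "1.24.11" into numeric parts; it drops
// "-rc1"/"+incompatible" style suffixes and reports ok=false on a non-numeric part.
func parseVersion(s string) (parts []int, ok bool) {
	s, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v"), "-")
	s, _, _ = strings.Cut(s, "+")
	for _, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, false
		}
		parts = append(parts, n)
	}
	return parts, true
}

// older reports whether got sorts before want. An unparsable version counts as older
// so the gate fails closed; a missing trailing component counts as 0 ("1.24" == "1.24.0").
func older(got, want string) bool {
	g, okG := parseVersion(got)
	w, okW := parseVersion(want)
	if !okG || !okW {
		return true
	}
	for len(g) < len(w) {
		g = append(g, 0)
	}
	for len(w) < len(g) {
		w = append(w, 0)
	}
	for i := range g {
		if g[i] != w[i] {
			return g[i] < w[i]
		}
	}
	return false
}

// pinnedVersions collects the toolchain directive and every require entry
// (single-line or inside a require block), ignoring trailing comments.
func pinnedVersions(gomod string) map[string]string {
	found, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "toolchain":
			found["toolchain"] = f[1]
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 3 && f[0] == "require":
			found[f[1]] = f[2]
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			found[f[0]] = f[1]
		}
	}
	return found
}

// belowMinimum lists (sorted) the modules missing from go.mod or pinned below their
// minimum; an empty result means the gate passes.
func belowMinimum(gomod string, mins map[string]string) []string {
	pinned := pinnedVersions(gomod)
	var failures []string
	for mod, want := range mins {
		got, ok := pinned[mod]
		switch {
		case !ok:
			failures = append(failures, mod+": not pinned")
		case older(got, want):
			failures = append(failures, fmt.Sprintf("%s: %s < %s", mod, got, want))
		}
	}
	sort.Strings(failures)
	return failures
}
```

In CI, pass the contents of the real go.mod (os.ReadFile) to belowMinimum and fail the job when the returned list is non-empty. Two design choices matter for a gate like this: an unparsable version is treated as too old so the check fails closed, and pre-release suffixes are stripped, so a v0.45.0-rc1 pin would satisfy the v0.45.0 floor. Keep govulncheck as the authoritative source; this check only stops regressions of versions already known to be fixed.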

@coderabbitai

coderabbitai bot commented Jan 2, 2026

📝 Walkthrough

Walkthrough

Go module dependencies and toolchain version have been updated across the project. The toolchain directive moves from go1.24.7 to go1.24.11, and six golang.org/x libraries receive minor version bumps for bug fixes and security patches.

Changes

Cohort / File(s)                Summary
Go Module Dependencies: go.mod  Toolchain upgraded: go1.24.7 → go1.24.11. Public dependency: golang.org/x/text v0.30.0 → v0.31.0. Indirect dependencies updated: golang.org/x/crypto v0.43.0 → v0.45.0; golang.org/x/net v0.45.0 → v0.47.0; golang.org/x/sync v0.17.0 → v0.18.0; golang.org/x/sys v0.37.0 → v0.38.0; golang.org/x/tools v0.37.0 → v0.38.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 With toolchain and libraries all updated today,
Go versions hop forward in every which way,
From 1.24.7 to 1.24.11 we climb,
Security patches and fixes—all perfectly timed!

Pre-merge checks

✅ Passed checks (3 passed)
Check name          Status     Explanation
Description Check   ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title check         ✅ Passed  The title clearly and accurately summarizes the main change: updating Go toolchain and fixing CVEs through dependency updates.
Docstring Coverage  ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a0efe65 and 87b8e8b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
🔇 Additional comments (3)
go.mod (3)

3-5: Toolchain bump to go1.24.11 addresses nine standard library CVEs.

The Go toolchain update from 1.24.7 to 1.24.11 is a patch-level bump that resolves the nine CVEs listed in the PR objectives (crypto/x509, net/http, encoding/asn1, net/url, encoding/pem, crypto/tls). This is a straightforward security hardening measure with minimal risk given the patch-level scope.


29-29: golang.org/x/text updated as part of ecosystem patch cycle.

The minor version bump from v0.30.0 to v0.31.0 aligns with the broader ecosystem updates. No specific CVEs are noted for this package in the PR objectives, but the bump is consistent with the security-focused update strategy.


169-173: Indirect dependency updates properly address SSH-related CVEs.

The five indirect dependency updates are well-scoped:

  • golang.org/x/crypto v0.45.0: Fixes two SSH-related CVEs (GO-2025-4135 and GO-2025-4134) — out-of-bounds read in SSH agent and unbounded memory consumption in GSSAPI authentication.
  • golang.org/x/net, sync, sys, tools: Patch-level maintenance updates; all entries properly reflected in go.sum.

All changes are patch-level updates within the same major versions, minimizing breaking-change risk.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • GO-2025: Authentication required, not authenticated - You need to authenticate to access this operation.

@flemzord flemzord enabled auto-merge (squash) January 2, 2026 09:40
@flemzord flemzord requested a review from a team January 2, 2026 09:53
@flemzord flemzord merged commit 6ac1b5e into main Jan 2, 2026
6 checks passed
@flemzord flemzord deleted the fix/security-cve-updates branch January 2, 2026 09:53