From 86fa7303c4542409bd9b27cac59a313070783971 Mon Sep 17 00:00:00 2001
From: Gerard Snaauw <gerard.snaauw@nedap.com>
Date: Mon, 3 Nov 2025 11:28:38 +0100
Subject: [PATCH 1/2] V5.4 update Go to v1.25.3

---
 Dockerfile                   |  4 ++--
 docs/pages/release_notes.rst | 17 +++++++++++++++++
 go.mod                       |  2 +-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0c388b205..75b2c108f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.24.6-alpine AS builder
+FROM golang:1.25.3-alpine AS builder
 
 ARG TARGETARCH
 ARG TARGETOS
@@ -21,7 +21,7 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
-FROM alpine:3.22.0
+FROM alpine:3.22.2
 RUN apk update \
   && apk add --no-cache \
              tzdata \
diff --git a/docs/pages/release_notes.rst b/docs/pages/release_notes.rst
index 496b34447..13dc23087 100644
--- a/docs/pages/release_notes.rst
+++ b/docs/pages/release_notes.rst
@@ -3,6 +3,23 @@
 Release notes
 #############
 
+*************************
+Hazelnut update (v5.4.20)
+*************************
+
+Release date: 2025-11-03
+
+- Update Go version to fix https://pkg.go.dev/vuln/GO-2025-4007,
+  https://pkg.go.dev/vuln/GO-2025-4008,
+  https://pkg.go.dev/vuln/GO-2025-4009,
+  https://pkg.go.dev/vuln/GO-2025-4010,
+  https://pkg.go.dev/vuln/GO-2025-4011,
+  https://pkg.go.dev/vuln/GO-2025-4012,
+  https://pkg.go.dev/vuln/GO-2025-4013, and
+  https://pkg.go.dev/vuln/GO-2025-4014
+
+**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.19...v5.4.20
+
 *************************
 Hazelnut update (v5.4.19)
 *************************
diff --git a/go.mod b/go.mod
index 7d2cc9473..db4f1a022 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/nuts-foundation/nuts-node
 
 // This is the minimal version, the actual go version is determined by the images in the Dockerfile
 // This version is used in automated tests such as the 'Scheduled govulncheck' action
-go 1.24.6
+go 1.25.3
 
 require (
 	github.com/alicebob/miniredis/v2 v2.33.0

From 4c44691cbacfc9f46781fe0eb0f7776903dc356b Mon Sep 17 00:00:00 2001
From: Wout Slakhorst <wout.slakhorst@nedap.com>
Date: Wed, 5 Nov 2025 12:23:39 +0100
Subject: [PATCH 2/2] also update circleci image

---
 .circleci/config.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 86402119c..04f48112e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,7 +13,7 @@ jobs:
   build:
     parallelism: 8
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.25
     steps:
       - checkout
 
@@ -37,7 +37,7 @@ jobs:
 
   report:
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.25
     steps:
       - checkout
       - attach_workspace: