@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2025-61723 | High | stdlib | go1.24.11 |
| CVE-2025-61725 | High | stdlib | go1.24.11 |
| CVE-2025-61729 | High | stdlib | go1.24.11 |
| CVE-2025-58187 | High | stdlib | go1.24.11 |
| CVE-2025-58188 | High | stdlib | go1.24.11 |
| CVE-2025-58185 | Medium | stdlib | go1.24.11 |
| CVE-2025-47912 | Medium | stdlib | go1.24.11 |
| CVE-2025-58186 | Medium | stdlib | go1.24.11 |
| CVE-2025-61724 | Medium | stdlib | go1.24.11 |
| CVE-2025-58189 | Medium | stdlib | go1.24.11 |
| CVE-2025-58183 | Medium | stdlib | go1.24.11 |
| CVE-2025-61727 | Medium | stdlib | go1.24.11 |

Changes Made

  • Updated Go version from 1.24.4 to 1.24.11 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@upbound-bot
Author

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-01-22T13:48:36Z

Summary

Docker build failed due to Go version mismatch between go.mod (1.24.11) and CI workflow (1.24.4).

Root Cause

The CVE remediation updated go.mod to require go 1.24.11, but the CI workflow (.github/workflows/ci.yml) still specifies GO_VERSION: '1.24.4'. When Docker builds the image using golang:1.24.4, the go mod download command fails because Go 1.24.4 cannot satisfy the go >= 1.24.11 requirement in go.mod.

Error Details

go: go.mod requires go >= 1.24.11 (running go 1.24.4; GOTOOLCHAIN=local)
ERROR: failed to solve: process "/bin/sh -c bash -c '...' did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yml from 1.24.4 to 1.24.11 to match the go.mod requirement.


This analysis was generated by the build-failure-analyze skill.
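
A pre-build guard for the mismatch analysed above, as an added example that is not part of the PR or the repository: it compares the `go` directive in go.mod with `GO_VERSION` in the workflow file and fails when CI is older. The function names are hypothetical, and it assumes the workflow sets the version on a plain `GO_VERSION: '<version>'` line, as quoted in the analysis.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): catch go.mod / CI toolchain drift before Docker does.

# Print the version from the `go` directive in a go.mod file.
gomod_go_version() {
  awk '$1 == "go" && $2 ~ /^[0-9]+(\.[0-9]+)*$/ { print $2; exit }' "$1"
}

# Print the GO_VERSION value from a workflow file, with optional quotes stripped.
workflow_go_version() {
  sed -n "s/^[[:space:]]*GO_VERSION:[[:space:]]*['\"]\{0,1\}\([0-9][0-9.]*\)['\"]\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Succeed when version $1 >= version $2, comparing dot-separated numbers.
# A plain string compare would rank 1.24.4 above 1.24.11.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# check_go_toolchain GO_MOD WORKFLOW
# Returns 0 if the CI toolchain satisfies go.mod, 1 if it is too old, 2 if unparsable.
check_go_toolchain() {
  local required ci
  required=$(gomod_go_version "$1")
  ci=$(workflow_go_version "$2")
  if [ -z "$required" ] || [ -z "$ci" ]; then
    echo "could not read a Go version from $1 or $2" >&2
    return 2
  fi
  if ! version_ge "$ci" "$required"; then
    echo "GO_VERSION $ci in $2 cannot satisfy go >= $required in $1" >&2
    return 1
  fi
  echo "ok: GO_VERSION $ci satisfies go >= $required"
}

# Usage: script go.mod .github/workflows/ci.yml
if [ "$#" -eq 2 ]; then
  check_go_toolchain "$1" "$2"
fi
```

Run as an early CI step, this turns the failure into a one-line message on the pull request instead of a Docker build error.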

- Update GO_VERSION from 1.24.4 to 1.24.11 to match go.mod requirement

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar ulucinar merged commit 3c3458a into release-0.4 Jan 22, 2026
5 checks passed