From 45c1f218200d8a42b70569b6cc9d9e12b12270b0 Mon Sep 17 00:00:00 2001 From: dvcdsys Date: Wed, 3 Jun 2026 13:16:25 +0100 Subject: [PATCH] fix(server): bump go directive to 1.25.11 to clear stdlib vulns MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit govulncheck (Security workflow) flagged two Go standard-library vulnerabilities, both fixed in go1.25.11: - GO-2026-5039 (net/textproto) — reached via githubapi.DeleteWebhook → io.ReadAll - GO-2026-5037 (crypto/x509) — reached via tunnels.Installer.Install → io.Copy CI installs Go from `server/go.mod` (go-version-file), so bumping the directive to 1.25.11 is what moves the build onto the patched stdlib. Verified locally with the 1.25.11 toolchain: `govulncheck ./...` now reports 0 affecting vulnerabilities; build passes. Co-Authored-By: Claude Opus 4.8 --- server/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/go.mod b/server/go.mod index d3cf3be..3d0a21d 100644 --- a/server/go.mod +++ b/server/go.mod @@ -1,6 +1,6 @@ module github.com/dvcdsys/code-index/server -go 1.25.10 +go 1.25.11 require ( github.com/getkin/kin-openapi v0.135.0
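Review bot: The `go 1.25.10` to `go 1.25.11` bump in server/go.mod moves only builds that take their Go version from this file onto the patched stdlib, and the diffstat shows it is the only file touched. Any other place that pins a Go version separately (a container base image, another go.mod, a hard-coded version in a workflow) would stay on the toolchain affected by GO-2026-5039 and GO-2026-5037, so confirm none exist or bump them in the same commit. Also note that the `go` directive is the module's minimum required Go version, so this change raises the floor for everyone who builds the module. If only the toolchain selection is meant to change, a `toolchain go1.25.11` line alongside the existing `go 1.25.10` would express that, provided the CI setup honours it. Finally, the commit message reports a local `govulncheck ./...` run; it is worth checking that the Security workflow's govulncheck job reads the same go-version-file so the clean result is reproduced in CI rather than only locally.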