[WEB-4151] upgrade Go from 1.22 to 1.25 (critical security — EOL version)#9
Merged
Conversation
Go 1.22 is end-of-life and no longer receiving security patches. Aikido flagged this as a critical vulnerability (issue #19350446). Updated: - go.mod: 1.22 → 1.24 - Dockerfile: golang:1.23-alpine → golang:1.24-alpine - release.yaml: go-version 1.21 → 1.24 Note: `go mod tidy` should be run with Go 1.24 to regenerate go.sum. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update from 1.24 to 1.25 to match Aikido's exact suggested fix (issue #19350446: go@1.22.0 → 1.25). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sumit-badsara
approved these changes
Apr 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Go 1.22 is end-of-life and no longer receiving security patches. Aikido flagged this as a critical vulnerability (issue #19350446).
Updated:
Note:
go mod tidyshould be run with Go 1.24 to regenerate go.sum.Greptile Summary
This PR upgrades Go across
go.mod,Dockerfile, and the release workflow to address an EOL security concern. The three files were previously on three different Go versions (1.21, 1.22, 1.23), so the upgrade also normalises them to a single version.Confidence Score: 4/5
Safe to merge once the version discrepancy (description says 1.24, code uses 1.25) is intentionally confirmed or corrected.
One P1 finding: the stated upgrade target (1.24) does not match the actual code change (1.25), creating an audit/traceability gap. No security or runtime regressions are introduced; both versions resolve the EOL concern.
.github/workflows/release.yaml — version mismatch with PR description is most visible here, but all three files share the same discrepancy.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[PR: Go EOL upgrade] --> B[go.mod\n1.22 → 1.25] A --> C[Dockerfile\ngolang:1.23-alpine → golang:1.25-alpine] A --> D[release.yaml\ngo-version: 1.21 → 1.25] B & C & D --> E{Actual target version\nin code: 1.25} F[PR description\nclaims target: 1.24] -. mismatch .-> EReviews (2): Last reviewed commit: "fix: bump Go version to 1.25 per Aikido ..." | Re-trigger Greptile