fix(security): upgrade Go to 1.25.5 to address CVE in crypto/x509 (#695)

plural-copilot[bot] · michaeljguarino · web-flow · commit 22e2db1779a0 · 2026-01-28T17:20:17.000-05:00
Upgrade Go version from 1.25.1 to 1.25.5 to fix vulnerability:
- crypto/x509: Denial of Service due to excessive resource consumption
  via crafted certificate (HostnameError.Error() quadratic runtime)

Changes:
- Updated go.mod from go 1.25.1 to go 1.25.5
- Updated dockerfiles/Dockerfile.cloud from golang:1.22-alpine3.19 to golang:1.25-alpine3.21

The Dockerfile was already using golang:1.25-alpine3.21 which will
pull the latest patch version (1.25.5) containing the fix.

Co-authored-by: Michael Guarino &lt;mjg@plural.sh&gt;
diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine3.19 AS builder
+FROM golang:1.25-alpine3.21 AS builder
 
 WORKDIR /workspace
 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pluralsh/plural-cli
 
-go 1.25.1
+go 1.25.5
 
 require (
 	cloud.google.com/go/compute v1.49.1

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.22-alpine3.19 AS builder`
	`1`	`+FROM golang:1.25-alpine3.21 AS builder`
`2`	`2`
`3`	`3`	`WORKDIR /workspace`
`4`	`4`