fix(security): upgrade Go to 1.25.6 to address archive/zip CVE (#698)

plural-copilot[bot] · michaeljguarino · claude · web-flow · commit 74cf4c5c076e · 2026-02-01T16:38:24.000-05:00
Upgrades Go from 1.25.5 to 1.25.6 to fix the security vulnerability
in the archive/zip package that could cause excessive CPU consumption
when building archive index (CVE in golang stdlib).

Changes:
- Update go.mod to require Go 1.25.6
- Update Dockerfile base images from golang:1.25-alpine3.21 to
  golang:1.25.6-alpine3.22 (alpine3.21 not available for Go 1.25.6)
- Update dockerfiles/Dockerfile.cloud similarly

Co-authored-by: Michael Guarino &lt;mjg@plural.sh&gt;
Co-authored-by: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ FROM ubuntu:22.10 AS user
 # Create a nonroot user for final image
 RUN useradd -u 10001 nonroot
 
-FROM golang:1.25-alpine3.21 AS builder
+FROM golang:1.25.6-alpine3.22 AS builder
 
 WORKDIR /workspace
 
@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
     -X "github.com/pluralsh/plural-cli/pkg/common.Date=${APP_DATE}"' \
     -o plural ./cmd/plural
 
-FROM golang:1.25-alpine3.21 AS final
+FROM golang:1.25.6-alpine3.22 AS final
 
 WORKDIR /
 
diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
@@ -1,4 +1,4 @@
-FROM golang:1.25-alpine3.21 AS builder
+FROM golang:1.25.6-alpine3.22 AS builder
 
 WORKDIR /workspace
 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pluralsh/plural-cli
 
-go 1.25.5
+go 1.25.6
 
 require (
 	cloud.google.com/go/compute v1.49.1

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.25-alpine3.21 AS builder`
	`1`	`+FROM golang:1.25.6-alpine3.22 AS builder`
`2`	`2`
`3`	`3`	`WORKDIR /workspace`
`4`	`4`