security: bump Go from 1.23 to 1.25.8 - fixes 5 stdlib vulnerabilities

Ajit Pratap Singh · claude · Ajit Pratap Singh · commit 1939d38bbc9e · 2026-03-17T12:52:11.000+05:30
Fixes:
- GO-2026-4602: FileInfo can escape from Root in os
- GO-2026-4601: Incorrect parsing of IPv6 host literals in net/url
- GO-2026-4340: crypto/tls vulnerability
- GO-2026-4337: crypto/tls vulnerability
- GO-2025-4175: crypto/x509 vulnerability

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -17,7 +17,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.26'
 
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.26'
     
     - name: Run tests
       run: go test -race ./...
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.21'  # Match project requirements in go.mod
+          go-version: '1.25'  # Match project requirements in go.mod
           cache: true
 
       - name: Run GoSec Security Scanner
@@ -182,7 +182,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.21'  # Match project requirements in go.mod
+          go-version: '1.25'  # Match project requirements in go.mod
           cache: true
 
       - name: Install govulncheck
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: ['1.23', '1.24']
+        go-version: ['1.25', '1.26']
 
     steps:
     - uses: actions/checkout@v4
@@ -34,7 +34,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        go: ['1.23', '1.24']
+        go: ['1.25', '1.26']
     env:
       # Prevent Go from auto-downloading toolchain which conflicts with setup-go cache
       GOTOOLCHAIN: local
@@ -71,7 +71,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.26'
         cache: true
 
     - name: Run tests with race detector
@@ -87,7 +87,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.26'
         cache: true
 
     - name: Run benchmarks
diff --git a/.github/workflows/vscode-publish.yml b/.github/workflows/vscode-publish.yml
@@ -50,7 +50,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.26'
 
       - name: Cross-compile binary
         env:
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.25'
 
       - name: Build WASM
         run: |
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -6,7 +6,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 GoSQLX is a **production-ready**, **race-free**, high-performance SQL parsing SDK for Go that provides lexing, parsing, and AST generation with zero-copy optimizations. The library is designed for enterprise use with comprehensive object pooling for memory efficiency.
 
-**Requirements**: Go 1.23+ (upgraded from 1.21 when MCP server was added; `mark3labs/mcp-go` requires 1.23)
+**Requirements**: Go 1.25+ (upgraded from 1.23 to fix stdlib vulnerabilities; `mark3labs/mcp-go` requires 1.23)
 
 **Production Status**: ✅ Validated for production deployment (v1.6.0+, current: v1.12.0)
 - Thread-safe with zero race conditions (20,000+ concurrent operations tested)
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Stage 1: Build
-FROM golang:1.23-alpine AS builder
+FROM golang:1.25-alpine AS builder
 WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 ### Parse SQL at the speed of Go
 
-[![Go Version](https://img.shields.io/badge/Go-1.23+-00ADD8?style=for-the-badge&logo=go)](https://go.dev)
+[![Go Version](https://img.shields.io/badge/Go-1.25+-00ADD8?style=for-the-badge&logo=go)](https://go.dev)
 [![Release](https://img.shields.io/github/v/release/ajitpratap0/GoSQLX?style=for-the-badge&color=orange)](https://github.com/ajitpratap0/GoSQLX/releases)
 [![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg?style=for-the-badge)](LICENSE)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=for-the-badge)](http://makeapullrequest.com)
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/ajitpratap0/GoSQLX
 
-go 1.23.0
+go 1.25.8
 
 require (
 	github.com/fsnotify/fsnotify v1.9.0
