Commit d9dd3db

fix: patch Go stdlib CVEs in pulsarctl (update to go 1.25.5) (#1969)
* fix: patch Go stdlib CVEs in pulsarctl (update to go 1.25.5)

  - Update go.mod from go 1.25.0 to go 1.25.5
  - Fix 13 CVEs in Go stdlib:
    - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
    - CVE-2025-61729 (HIGH): crypto/x509 denial of service
    - CVE-2025-47910 (MEDIUM): net/http CrossOriginProtection bypass
    - CVE-2025-47912 (MEDIUM): net/url insufficient IPv6 validation
    - CVE-2025-58185 (MEDIUM): encoding/asn1 memory exhaustion
    - CVE-2025-58186 (MEDIUM): net/http cookie parsing limit
    - CVE-2025-58187 (MEDIUM): crypto/x509 quadratic complexity
    - CVE-2025-58188 (MEDIUM): crypto/x509 panic with DSA keys
    - CVE-2025-58189 (MEDIUM): crypto/tls ALPN error info leak
    - CVE-2025-61723 (MEDIUM): encoding/pem quadratic complexity
    - CVE-2025-61724 (MEDIUM): net/textproto excessive CPU
    - CVE-2025-61725 (MEDIUM): net/mail excessive CPU
    - CVE-2025-61727 (MEDIUM): crypto/x509 wildcard SANs restriction

  Fixed in Go 1.25.5

  Related: streamnative/eng-support-tickets#3619

* fix: update setup-go action to v5 for Go 1.25 compatibility

  - Update actions/setup-go from v1 to v5 in ci-trivy.yml
  - setup-go@v1 does not support Go 1.25.x versions
  - This fixes the 'Set up Go 1.25' step failure in CI
1 parent 7e9cbef commit d9dd3db

2 files changed

Lines changed: 2 additions & 2 deletions

.github/workflows/ci-trivy.yml

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ jobs:
1313
runs-on: ubuntu-latest
1414
steps:
1515
- name: Set up Go 1.25
16-
uses: actions/setup-go@v1
16+
uses: actions/setup-go@v5
1717
with:
1818
go-version: 1.25
1919
id: go
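
Review bot: `go-version: 1.25` in the `with:` block still floats on the minor line and is maintained separately from go.mod, so nothing in this workflow ties the Trivy job to the 1.25.5 patch level this commit is about. Consider replacing it with `go-version-file: go.mod` so the CI toolchain follows the module's `go` line, or at least quote the value (`'1.25'`), since an unquoted YAML number loses a trailing zero on a version such as 1.30. Separately, `actions/setup-go@v5` is a mutable tag; pinning the action to a full commit SHA keeps the job from silently picking up a retagged release.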

go.mod

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
module github.com/streamnative/pulsarctl
22

3-
go 1.25.0
3+
go 1.25.5
44

55
require (
66
github.com/apache/pulsar-client-go v0.18.0-candidate-1.0.20251222030102-3bb7d4eff361
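
Review bot: raising the `go` line to `1.25.5` makes the patch release a minimum for every module that imports `github.com/streamnative/pulsarctl`, not only for this repository's own builds. If the goal is only that pulsarctl binaries are compiled with the patched standard library, keeping `go 1.25.0` and adding `toolchain go1.25.5` does that under the default GOTOOLCHAIN setting without raising the floor for importers; if the higher floor is intended, the commit message should say so. Either way, a `govulncheck ./...` step in CI would show which of the listed standard-library CVEs are reachable from pulsarctl's code and confirm that the bump clears them.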
