From 195f2e3f7ebce51500cccdfe326f7f441d2b76d8 Mon Sep 17 00:00:00 2001 From: Baodi Shi Date: Fri, 16 Jan 2026 16:36:23 +0800 Subject: [PATCH 1/2] fix: patch Go stdlib CVEs in pulsarctl (update to go 1.25.5) - Update go.mod from go 1.25.0 to go 1.25.5 - Fix 13 CVEs in Go stdlib: - CVE-2025-58183 (HIGH): archive/tar unbounded allocation - CVE-2025-61729 (HIGH): crypto/x509 denial of service - CVE-2025-47910 (MEDIUM): net/http CrossOriginProtection bypass - CVE-2025-47912 (MEDIUM): net/url insufficient IPv6 validation - CVE-2025-58185 (MEDIUM): encoding/asn1 memory exhaustion - CVE-2025-58186 (MEDIUM): net/http cookie parsing limit - CVE-2025-58187 (MEDIUM): crypto/x509 quadratic complexity - CVE-2025-58188 (MEDIUM): crypto/x509 panic with DSA keys - CVE-2025-58189 (MEDIUM): crypto/tls ALPN error info leak - CVE-2025-61723 (MEDIUM): encoding/pem quadratic complexity - CVE-2025-61724 (MEDIUM): net/textproto excessive CPU - CVE-2025-61725 (MEDIUM): net/mail excessive CPU - CVE-2025-61727 (MEDIUM): crypto/x509 wildcard SANs restriction Fixed in Go 1.25.5 Related: streamnative/eng-support-tickets#3619 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index cc814f6ca..39b40d190 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/streamnative/pulsarctl -go 1.25.0 +go 1.25.5 require ( github.com/apache/pulsar-client-go v0.18.0-candidate-1.0.20251222030102-3bb7d4eff361 From 451e1130fd58ba906ff74587607bb5d9c3d5438f Mon Sep 17 00:00:00 2001 From: Baodi Shi Date: Fri, 16 Jan 2026 16:47:54 +0800 Subject: [PATCH 2/2] fix: update setup-go action to v5 for Go 1.25 compatibility - Update actions/setup-go from v1 to v5 in ci-trivy.yml - setup-go@v1 does not support Go 1.25.x versions - This fixes the 'Set up Go 1.25' step failure in CI --- .github/workflows/ci-trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci-trivy.yml b/.github/workflows/ci-trivy.yml index 8f1233259..7697c8ca1 100644 --- a/.github/workflows/ci-trivy.yml +++ b/.github/workflows/ci-trivy.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Set up Go 1.25 - uses: actions/setup-go@v1 + uses: actions/setup-go@v5 with: go-version: 1.25 id: go
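Review bot: In the go.mod hunk of patch 1/2, changing `go 1.25.0` to `go 1.25.5` raises the minimum Go version the module requires, but the standard library that ends up in a shipped pulsarctl binary comes from the toolchain that performs the build. Nothing in this series touches a release workflow, Dockerfile or builder image, so please confirm those build with Go 1.25.5 or later. Otherwise a scanner reading go.mod can report the CVEs as resolved while the released artifact still links the older stdlib. The `go` line is also a hard minimum for anyone importing `github.com/streamnative/pulsarctl` as a module. If the goal is only to control what the project itself builds with, a `toolchain` directive or a pinned builder version would do that without forcing the patch-level minimum on downstream consumers.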
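Review bot: In the ci-trivy.yml hunk of patch 2/2, the step keeps `go-version: 1.25` as a separate, looser pin than the `go 1.25.5` that patch 1/2 sets in go.mod, so the Trivy job and go.mod can drift apart on the next bump. setup-go v5 accepts `go-version-file: go.mod`, which would make go.mod the single source for the version the scan builds with. If the literal stays, quote it (`go-version: '1.25'`), because an unquoted value is parsed by YAML as a number and a version such as 1.20 would be read as 1.2. Since this is the security-scan workflow, also consider pinning `actions/setup-go` to a full commit SHA rather than the mutable `v5` tag.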