Commit a9cb7e4
fix(cve): update Go to 1.25.10 to address stdlib security vulnerabilities
Updates Go toolchain from 1.25.8 to 1.25.10 to fix the following
security vulnerabilities in the Go standard library:
- GO-2026-4986: Quadratic string concatenation in net/mail (1.25.10)
- GO-2026-4982: XSS via meta content URL escaping in html/template (1.25.10)
- GO-2026-4980: XSS via escaper bypass in html/template (1.25.10)
- GO-2026-4977: Quadratic string concatenation in net/mail (1.25.10)
- GO-2026-4971: Panic on NUL byte in net.Dial/LookupPort (1.25.10)
- GO-2026-4947: Excessive work in crypto/x509 chain building (1.25.9)
- GO-2026-4946: Inefficient policy validation in crypto/x509 (1.25.9)
- GO-2026-4918: HTTP/2 infinite loop in net/http (1.25.10)
- GO-2026-4870: TLS security issue in crypto/tls (1.25.9)
- GO-2026-4865: XSS in html/template (1.25.9)
All vulnerabilities are in the Go standard library and are resolved
by upgrading to Go 1.25.10 (minimum patch version covering all issues).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent ae5d04c commit a9cb7e4
1 file changed
Lines changed: 1 addition & 1 deletion
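The commit message's reasoning about the minimum patch version covering every advisory can be checked mechanically. The following is an added example, not code from this commit or its repository: it takes the advisory IDs and fixed-in releases listed above and reports which ones a given `go.mod` still leaves open. It assumes the toolchain is pinned through the `go` or `toolchain` directive in `go.mod` (the page does not say which file changed); the names `key`, `pinned` and `unfixed` are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisories grouped by first fixed release, copied from the commit message.
var advisories = []struct{ fix, ids string }{
	{"1.25.10", "GO-2026-4986 GO-2026-4982 GO-2026-4980 GO-2026-4977 GO-2026-4971 GO-2026-4918"},
	{"1.25.9", "GO-2026-4947 GO-2026-4946 GO-2026-4870 GO-2026-4865"},
}

// key maps "1.25.10" to 1025010 so that 1.25.9 sorts below 1.25.10,
// which a plain string comparison gets wrong.
func key(v string) (k int) {
	for _, p := range strings.Split(v+".0.0", ".")[:3] {
		n, _ := strconv.Atoi(p)
		k = k*1000 + n
	}
	return k
}

// pinned returns the toolchain directive if present, else the go directive.
func pinned(gomod string) (v string) {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "toolchain" {
			return strings.TrimPrefix(f[1], "go")
		} else if len(f) >= 2 && f[0] == "go" {
			v = f[1]
		}
	}
	return v
}

// unfixed lists the advisories whose fix is newer than the pinned release.
func unfixed(gomod string) (ids []string) {
	for _, a := range advisories {
		if key(pinned(gomod)) < key(a.fix) {
			ids = append(ids, strings.Fields(a.ids)...)
		}
	}
	return ids
}

func main() { // constructed go.mod contents, not the repository's real file
	fmt.Println(unfixed("module example.test/app\n\ngo 1.25.9\n"))
}
```

This checks only the declared version; `govulncheck` additionally reports whether the affected standard-library symbols are reachable from the code being built.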