Conversation

@creativeprojects (Owner) commented Dec 19, 2025

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.25.5.
    • Refreshed dependencies for improved stability and security.


Copilot AI review requested due to automatic review settings December 19, 2025 17:09
coderabbitai bot commented Dec 19, 2025

Walkthrough

Go toolchain upgraded from 1.25.0 to 1.25.5. Direct dependencies updated across go-selfupdate, pterm, and spf13/cobra. Indirect dependencies refreshed, including golang.org/x packages (net, time, crypto, sys, term, text), google/go-github, and hashicorp/go-version. gitlab/go-gitlab removed; gitlab.com/gitlab-org/api/client-go added.

Changes

Cohort: Dependency & Toolchain Updates
File(s): go.mod
Summary: Go version 1.25.0 → 1.25.5; direct dependencies (go-selfupdate v1.5.1 → v1.5.2, pterm v0.12.81 → v0.12.82, spf13/cobra v1.10.1 → v1.10.2); indirect dependencies including golang.org/x packages (net, time, crypto, sys, term, text), google/go-github (v30.1.0 → v74.0.0), hashicorp/go-version (v1.7.0 → v1.8.0); gitlab/go-gitlab removed, gitlab.com/gitlab-org/api/client-go v1.9.1 added

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify Go 1.25.5 compatibility and any deprecations
  • Check google/go-github major version bump (v30 → v74) for breaking changes
  • Validate gitlab migration from gitlab/go-gitlab to gitlab.com/gitlab-org/api/client-go
  • Ensure all indirect dependency updates align with the dependency graph

Poem

🐰 Hop hop, the deps do dance and play,
From versions old to fresh and new today,
With gitlab's path now brightly redrawn,
Our toolchain hops to 1.25.5 at dawn!
The rabbit cheers—all upgrades are done! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title directly references the primary purpose of the PR—upgrading packages to address specific CVE vulnerabilities. It is concise, specific, and clearly indicates the main change.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 253139d and dba64f2.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Agent
  • GitHub Check: Build and test (1.25, macos-latest)
  • GitHub Check: Build and test (1.25, windows-latest)
🔇 Additional comments (3)
go.mod (3)

3-3: Verify CVE-2025-58181 is addressed by these upgrades.

The PR title mentions CVE-2025-58181, but I found no public information about this CVE in security databases. I can confirm that golang.org/x/crypto is patched as of v0.45.0 for CVE-2025-47914, which the upgrade to v0.46.0 (line 49) addresses. However, I cannot verify that the upgrades in this PR specifically target CVE-2025-58181.

Please confirm that the specific package versions selected address CVE-2025-58181, and provide a link to the security advisory if available.


33-33: google/go-github is an indirect dependency with no direct usage in the codebase.

The go.mod entry shows github.com/google/go-github/v74 v74.0.0 // indirect, indicating this is a transitive dependency. The codebase contains no direct imports or usages of google/go-github, so the version upgrade requires no code changes. While the underlying library has breaking changes between versions, they do not impact this project since the code does not directly depend on the affected APIs.

Likely an incorrect or invalid review comment.


48-48: No API compatibility changes needed—GitLab client is an indirect dependency.

The gitlab.com/gitlab-org/api/client-go v1.9.1 is an indirect dependency (likely from github.com/creativeprojects/go-selfupdate), not directly used in this repository's code. There are no imports or usages of the GitLab client library in the codebase, and no migration work is required.


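The first review comment above asks whether the selected versions actually cover the CVE, and states that golang.org/x/crypto is patched as of v0.45.0 for CVE-2025-47914. The following program is an added example, not code from the project or from any reviewer: it reads a go.mod, collects every require directive, and checks that a module's resolved version is at or above the fixed-in version, using only the standard library (a stdlib re-implementation of the ordering that golang.org/x/mod/semver provides, so that it runs without extra modules). The go.mod excerpt is constructed; the cobra, go-github and x/crypto versions are the ones quoted in the comments above, while the golang.org/x/text pseudo-version is invented to exercise that case.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed excerpt, not the project's real go.mod. The
// cobra, go-github and x/crypto versions are those quoted in the review
// comments; the x/text pseudo-version is invented to exercise that case.
const sampleGoMod = `module example.com/app

go 1.25.5

require github.com/spf13/cobra v1.10.2

require (
	github.com/google/go-github/v74 v74.0.0 // indirect
	golang.org/x/crypto v0.46.0 // indirect
	golang.org/x/text v0.0.0-20250101000000-abcdef012345 // indirect
)
`

// ParseRequires returns module path -> version for every require directive,
// in both the block form and the single-line form, with comments stripped.
func ParseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			reqs[fields[0]] = fields[1]
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// parseVersion splits "v1.2.3[-suffix][+meta]" into its numeric parts and a
// flag saying whether a pre-release or pseudo-version suffix was present.
func parseVersion(v string) ([3]int, bool, error) {
	var nums [3]int
	v = strings.TrimPrefix(v, "v")
	core, suffix, _ := strings.Cut(v, "-")
	core, _, _ = strings.Cut(core, "+") // build metadata never affects ordering
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return nums, false, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, false, fmt.Errorf("bad component %q in %q", p, v)
		}
		nums[i] = n
	}
	return nums, suffix != "", nil
}

// VersionAtLeast reports whether have >= minVer under Go module ordering:
// numeric comparison of major.minor.patch, with a pre-release or pseudo-version
// (for example v0.45.0-0.2025...) sorting below the release of the same number.
func VersionAtLeast(have, minVer string) (bool, error) {
	h, hPre, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	m, mPre, err := parseVersion(minVer)
	if err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != m[i] {
			return h[i] > m[i], nil
		}
	}
	// Same numbers: a pre-release is older than the release; two pre-releases
	// are treated as equal here, which is a simplification of the full rules.
	return !(hPre && !mPre), nil
}

// CheckFixed looks up module in gomod and reports the version found and whether
// it is at or above fixedIn. A module that is not required at all is an error
// rather than a pass, so a typo in the module path cannot read as "fixed".
func CheckFixed(gomod, module, fixedIn string) (string, bool, error) {
	have, ok := ParseRequires(gomod)[module]
	if !ok {
		return "", false, fmt.Errorf("%s is not required in go.mod", module)
	}
	fixed, err := VersionAtLeast(have, fixedIn)
	return have, fixed, err
}

func main() {
	// Fixed-in version as stated in the review comment for CVE-2025-47914.
	have, ok, err := CheckFixed(sampleGoMod, "golang.org/x/crypto", "v0.45.0")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/crypto %s, at or above v0.45.0: %v\n", have, ok)
}
```

This only checks the version pinned in the main module's go.mod, which is what the reviewer was asked to confirm; the authoritative check of the full build list against the Go vulnerability database is `govulncheck ./...` (golang.org/x/vuln/cmd/govulncheck), which also reports whether the vulnerable symbols are actually reachable.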

Copilot AI left a comment


Pull request overview

This PR aims to upgrade various Go packages to address security vulnerabilities CVE-2025-58181 and CVE-2025-47914. The changes include upgrading the Go compiler version and updating multiple direct and indirect dependencies.

Key changes:

  • Go version upgrade from 1.25.0 to 1.25.5
  • Multiple package version updates including security-related golang.org/x packages
  • Major dependency upgrades including google/go-github (v30 → v74) and package replacement of xanzy/go-gitlab with gitlab.com/gitlab-org/api/client-go

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

  • go.mod: Updates Go version to 1.25.5, upgrades direct dependencies (go-selfupdate, pterm, cobra, golang.org/x/net, golang.org/x/time), and updates indirect dependencies including major version changes for google/go-github and package replacement for gitlab client
  • go.sum: Updates checksums for all upgraded packages, adds new entries for replacement packages, and removes obsolete dependency entries


codecov bot commented Dec 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.35%. Comparing base (253139d) to head (dba64f2).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main       #3      +/-   ##
==========================================
+ Coverage   50.70%   53.35%   +2.65%     
==========================================
  Files          15       15              
  Lines        1992     1612     -380     
==========================================
- Hits         1010      860     -150     
+ Misses        847      617     -230     
  Partials      135      135              
Flag Coverage Δ
unittests 53.35% <ø> (+2.65%) ⬆️


@creativeprojects creativeprojects merged commit 5369543 into main Dec 19, 2025
12 checks passed
@creativeprojects creativeprojects deleted the upgrade-x-crypto branch December 19, 2025 17:18