creativeprojects (Owner) commented Dec 21, 2025

Copilot AI review requested due to automatic review settings December 21, 2025 17:00
coderabbitai bot commented Dec 21, 2025

Walkthrough

The pull request updates the Go toolchain from version 1.25.4 to 1.25.5 and bumps multiple Go module dependencies to newer versions. One module dependency is replaced (xanzy/go-gitlab removed, gitlab.com/gitlab-org/api/client-go added), whilst others receive patch, minor, or point-release version increments.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Go module and dependency updates (go.mod) | Go toolchain bumped to 1.25.5; 15+ module dependencies updated including golang.org/x/* packages (sys, term, text, crypto, oauth2, time), go-selfupdate, godbus/dbus, hashicorp/go-version, google.golang.org/protobuf; xanzy/go-gitlab replaced with gitlab.com/gitlab-org/api/client-go; google/go-github major version bump (v30 → v74) |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Notable version changes warrant verification, particularly the significant google/go-github bump from v30.1.0 to v74.0.0
  • Confirm the module replacement (xanzy/go-gitlab → gitlab.com/gitlab-org/api/client-go) does not introduce breaking changes or require code adjustments
  • Verify all indirect dependency updates align with intended transitive dependency management

Possibly related PRs

  • chore: upgrade packages #543: Overlapping dependency updates to golang.org/x/sys, golang.org/x/term, and golang.org/x/text packages in go.mod.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: updating the Go toolchain version and multiple dependencies as shown in the go.mod file modifications. |
| Description check | ✅ Passed | The description references specific CVE fixes (CVE-2025-58181 & CVE-2025-47914) which are directly related to the dependency updates in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 787f651 and c04e949.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (4 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-02-04T14:38:07.701Z
Learnt from: creativeprojects
Repo: creativeprojects/resticprofile PR: 425
File: schedule/handler_windows.go:97-118
Timestamp: 2025-02-04T14:38:07.701Z
Learning: The shell.SplitArguments function in the resticprofile project returns only []string and does not return any error.

Applied to files:

  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build and test (1.25, windows-latest)
🔇 Additional comments (6)
go.mod (6)

3-3: Go version patch update is straightforward.

Upgrading from Go 1.25.4 to 1.25.5 (patch release) is a low-risk change that typically addresses security and stability improvements. No code changes are required.


27-29: Security patches for golang.org/x modules are appropriate.

Updates to golang.org/x/sys, golang.org/x/term, golang.org/x/text, golang.org/x/crypto, golang.org/x/oauth2, golang.org/x/time, and golang.org/x/exp represent standard security and stability improvements. These are low-risk updates that follow Go security practices.

Also applies to: 75-78


44-44: Other dependency updates follow safe versioning patterns.

Updates to godbus/dbus/v5 (v5.1.0 → v5.2.0), hashicorp/go-version (v1.7.0 → v1.8.0), and code.gitea.io/sdk/gitea (v0.22.0 → v0.22.1) are minor or patch versions that maintain API compatibility. These are low-risk updates.

Also applies to: 50-50, 35-35


10-10: Unable to verify CVE-2025 fix claim without access to release notes or internal security documentation.

Despite extensive searches of public CVE databases and GitHub security advisories, no public record of a CVE-2025 vulnerability affecting go-selfupdate could be found. Confirmation requires checking the v1.5.2 release notes on GitHub or accessing the repository's security advisory documentation directly.


45-45: No action required. This dependency is indirect and resticprofile does not directly use the go-github API, so major version breaking changes in the library do not affect this codebase.

Likely an incorrect or invalid review comment.


72-72: The gitlab.com/gitlab-org/api/client-go v1.9.1 dependency addition is correct.

The xanzy/go-gitlab package has been officially migrated to gitlab.com/gitlab-org/api/client-go with full backwards compatibility and no breaking changes expected. No stale xanzy references remain in the codebase, and this dependency change requires no code modifications since it is purely transitive.



Copilot AI left a comment

Pull request overview

This PR attempts to update the Go toolchain version and refresh various project dependencies. However, there is a critical issue with the specified Go version.

Key Changes:

  • Updates Go version from 1.25.4 to 1.25.5 (both are invalid versions)
  • Updates github.com/creativeprojects/go-selfupdate from v1.5.1 to v1.5.2
  • Refreshes multiple transitive dependencies including major version bumps for go-github (v30→v74) and replacement of xanzy/go-gitlab with the official GitLab API client

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| go.mod | Updates Go version directive and direct/indirect dependency versions |
| go.sum | Updates checksums for all modified dependencies and their transitive dependencies |

codecov bot commented Dec 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.00%. Comparing base (2c47715) to head (c04e949).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #591   +/-   ##
=======================================
  Coverage   81.00%   81.00%           
=======================================
  Files         137      137           
  Lines       11083    11083           
=======================================
  Hits         8977     8977           
  Misses       1680     1680           
  Partials      426      426           

| Flag | Coverage Δ |
| --- | --- |
| unittests | 81.00% <ø> (ø) |


@creativeprojects creativeprojects merged commit 8ea331c into master Dec 21, 2025
17 checks passed
@creativeprojects creativeprojects deleted the upgrade-go-selfupdate-cve-2025 branch December 21, 2025 17:08