From 05a0436fc5c4e90d7162c5e2fbead764f79e7be4 Mon Sep 17 00:00:00 2001 From: Manas Srivastava Date: Thu, 4 Jun 2026 01:27:53 +0530 Subject: [PATCH] fix(ci): bump Go toolchain to 1.25.11 (clears GO-2026-5039/5037 stdlib vulns) The govulncheck and osv-scan required checks fail on both master and Dependabot PR #22 due to two Go stdlib vulnerabilities present in the go1.25.10 toolchain that CI builds with: - GO-2026-5039 (net/textproto): arbitrary inputs included in errors without escaping. Fixed in go1.25.11. - GO-2026-5037 (crypto/x509): inefficient candidate hostname parsing. Fixed in go1.25.11. These are stdlib vulns, not module deps, so they are unrelated to the actions-group bump in #22. govulncheck.yml resolves its toolchain from go.mod (go-version-file + check-latest), so bumping the toolchain directive to go1.25.11 clears both checks and unblocks master and #22. Co-Authored-By: Claude Opus 4.8 (1M context) --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index da9d133..be46365 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/InstaNode-dev/cli go 1.25 -toolchain go1.25.10 +toolchain go1.25.11 require ( github.com/spf13/cobra v1.10.2
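Review bot: The `toolchain go1.25.11` line in go.mod is the only change, so the fix reaches only the jobs that take their Go version from go.mod. The commit message says govulncheck.yml does this, but the workflow files are not part of this diff. Any build or release workflow that sets its Go version explicitly would keep compiling with the old toolchain, and shipped binaries would still carry the net/textproto and crypto/x509 issues even with both checks green. Please confirm that every workflow producing artifacts reads go.mod, or bump those pins in this same change. Separately, `go 1.25` is left as it is, so the `toolchain` line acts as a floor that has to be raised by hand for each stdlib security release. A short `//` comment beside it naming GO-2026-5039 and GO-2026-5037 would keep the reason for the pin visible to the next person who edits go.mod.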