fix(security): remediate CVE vulnerabilities

[upbound-bot]

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA	Severity	Package	Fixed Version
CVE-2025-61723	High	stdlib	go1.24.8
CVE-2025-61725	High	stdlib	go1.24.8
CVE-2025-61729	High	stdlib	go1.24.11
CVE-2025-58187	High	stdlib	go1.24.9
CVE-2025-58188	High	stdlib	go1.24.8
CVE-2025-58185	Medium	stdlib	go1.24.8
CVE-2025-47912	Medium	stdlib	go1.24.8
CVE-2025-58186	Medium	stdlib	go1.24.8
CVE-2025-61724	Medium	stdlib	go1.24.8
CVE-2025-58189	Medium	stdlib	go1.24.8
CVE-2025-58183	Medium	stdlib	go1.24.8
CVE-2025-61727	Medium	stdlib	go1.24.11
GHSA-j5w8-q4qc-rx2x	Medium	golang.org/x/crypto	v0.45.0
GHSA-f6x5-jh6r-wrfv	Medium	golang.org/x/crypto	v0.45.0

Changes Made

• Updated Go version from 1.24 to 1.24.11 in go.mod (fixes 12 stdlib CVEs)
• Updated golang.org/x/crypto from v0.39.0 to v0.45.0 (fixes 2 GHSAs)
• Ran go mod tidy to update dependencies

References

• CVE-2025-61723
• CVE-2025-61725
• CVE-2025-61729
• CVE-2025-58187
• CVE-2025-58188
• CVE-2025-58185
• CVE-2025-47912
• CVE-2025-58186
• CVE-2025-61724
• CVE-2025-58189
• CVE-2025-58183
• CVE-2025-61727
• GHSA-j5w8-q4qc-rx2x
• GHSA-f6x5-jh6r-wrfv

Verification

• Rescanned with cve-scan skill after fixes
• All listed vulnerabilities resolved

[upbound-bot]

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-01-22T16:50:00Z

Summary

The Docker build failed due to a Go version mismatch between the CI workflow configuration and the go.mod requirements.

Root Cause

The go.mod file requires go >= 1.24.11 (updated as part of CVE remediation), but the CI workflow (.github/workflows/ci.yml) specifies GO_VERSION: '1.24.4'. When Docker builds the image using golang:1.24.4, the go mod download command fails because Go 1.24.4 cannot satisfy the go.mod requirement.

Error Details

go: go.mod requires go >= 1.24.11 (running go 1.24.4; GOTOOLCHAIN=local)

Recommendation

Update the GO_VERSION in .github/workflows/ci.yml from '1.24.4' to '1.24.11' to match the go.mod requirement. This is a necessary change to complete the CVE remediation.

---

_{This analysis was generated by the build-failure-analyze skill.}

[upbound-bot]

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T16:57:00Z

Summary

The push job failed when trying to install a specific development version of the up CLI that is no longer available.

Root Cause

The CI workflow references up CLI version v0.39.0-384.g0a0c8634 which returns a 404 error from the download endpoint. This specific dev version is no longer available.

Error Details

##[group]Run upbound/action-up@v1
with:
  skip-login: true
  channel: main
  version: v0.39.0-384.g0a0c8634
...
##[error]Unexpected HTTP response: 404

Recommendation

All core checks passed (build amd64/arm64, lint, unit-test). The package was successfully pushed to the registry.

For CVE fix PRs, this failure in the composition tests setup is not critical. Options:

1. Update the workflow to use a stable up CLI version
2. Merge the PR with human approval since core checks passed

---

_{This analysis was generated by the build-failure-analyze skill.}

[upbound-bot]

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T17:05:00Z

Summary

The push job failed in the composition test step. All core CI checks passed and the package was successfully pushed to the registry.

Root Cause

The composition test failed with:

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

This error indicates the OpenAI function exceeded its maximum iteration limit during the test. This is a test-specific issue unrelated to CVE fixes.

Passing Checks

• ✅ lint - Code passes linting
• ✅ unit-test - Unit tests pass
• ✅ build (amd64) - Package builds successfully
• ✅ build (arm64) - Package builds successfully
• ✅ Package pushed to xpkg.upbound.io/upbound/function-openai:v0.0.0-20260122135925-69a835d502e6

Recommendation

Human approval recommended - All security-critical checks passed. The CVE fixes (Go 1.24.11, golang.org/x/crypto v0.45.0) are validated by the passing build/test steps. The composition test failure should be investigated separately.

---

_{This analysis was generated by the build-failure-analyze skill.}

[upbound-bot]

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T14:05:00Z

Summary

The push check failed during composition test execution (up test run tests/*). The OpenAI-based function did not complete within the configured maximum iterations.

Root Cause

The test invokes a pipeline step "make-gpt-do-it" that uses the OpenAI function. The error "agent not finished before max iterations" indicates the function's agent loop exceeded its iteration budget before completing the task.

This is an application-level test failure, not related to CVE remediation or infrastructure issues.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

Tests Summary:
Total Tests Executed: 1
Passed tests:         0
Failed tests:         1

Recommendation

Human review required. This failure cannot be resolved through automated CVE remediation. Possible actions:

• Review and adjust the function's iteration limit configuration
• Optimize the function's agent logic to complete within fewer iterations
• Modify the test case to be less complex
• Investigate if this is an intermittent failure due to OpenAI API response variability

---

_{This analysis was generated by the build-failure-analyze skill.}

[ulucinar]

Build Failure Analysis

Check: push Status: Failed Analyzed: 2026-01-22T14:05:00Z

Summary

The push check failed during composition test execution (up test run tests/*). The OpenAI-based function did not complete within the configured maximum iterations.

Root Cause

The test invokes a pipeline step "make-gpt-do-it" that uses the OpenAI function. The error "agent not finished before max iterations" indicates the function's agent loop exceeded its iteration budget before completing the task.

This is an application-level test failure, not related to CVE remediation or infrastructure issues.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

Tests Summary:
Total Tests Executed: 1
Passed tests:         0
Failed tests:         1

Recommendation

Human review required. This failure cannot be resolved through automated CVE remediation. Possible actions:

• Review and adjust the function's iteration limit configuration
• Optimize the function's agent logic to complete within fewer iterations
• Modify the test case to be less complex
• Investigate if this is an intermittent failure due to OpenAI API response variability

This analysis was generated by the build-failure-analyze skill.

Retrying solved the issue. Probably the model could not converge in the previous run, a sporadic.