chore: Dependency Upgrades

[abhisek]

• chore: Add flake.lock
• chore: Go dependency upgrades

---

[safedep]

SafeDep Report Summary

⚠ 1 packages are identified as suspicious, human review is recommended.

Package Details

Package	Malware	Vulnerability	Risky License	Report
github.com/clipperhouse/stringish @ v0.1.1 go go.mod	⚠️	✔️	✔️	🔗
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go @ v1.36.10-20250912141014-52f32327d4b0.1 go go.mod	✔️	✔️	✔️	🔗
buf.build/gen/go/safedep/api/protocolbuffers/go @ v1.36.10-20251028144432-4ab0fd2eaf3f.1 go go.mod	✔️	✔️	✔️	🔗
buf.build/go/protovalidate @ v1.0.0 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go @ v0.123.0 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go/auth @ v0.17.0 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go/compute/metadata @ v0.9.0 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go/iam @ v1.5.3 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go/monitoring @ v1.24.3 go go.mod	✔️	✔️	✔️	🔗
cloud.google.com/go/storage @ v1.57.0 go go.mod	✔️	✔️	✔️	🔗
github.com/CycloneDX/cyclonedx-go @ v0.9.3 go go.mod	✔️	✔️	✔️	🔗
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp @ v1.30.0 go go.mod	✔️	✔️	✔️	🔗
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric @ v0.54.0 go go.mod	✔️	✔️	✔️	🔗
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping @ v0.54.0 go go.mod	✔️	✔️	✔️	🔗
github.com/antlr4-go/antlr/v4 @ v4.13.1 go go.mod	✔️	✔️	✔️	🔗
github.com/clipperhouse/uax29/v2 @ v2.3.0 go go.mod	✔️	✔️	✔️	🔗
github.com/cncf/xds/go @ v0.0.0-20251022180443-0feb69152e9f go go.mod	✔️	✔️	✔️	🔗
github.com/envoyproxy/go-control-plane/envoy @ v1.35.0 go go.mod	✔️	✔️	✔️	🔗
github.com/go-jose/go-jose/v4 @ v4.1.3 go go.mod	✔️	✔️	✔️	🔗
github.com/google/cel-go @ v0.26.1 go go.mod	✔️	✔️	✔️	🔗
github.com/google/pprof @ v0.0.0-20251007162407-5df77e3f7d1d go go.mod	✔️	✔️	✔️	🔗
github.com/googleapis/gax-go/v2 @ v2.15.0 go go.mod	✔️	✔️	✔️	🔗
github.com/grpc-ecosystem/grpc-gateway/v2 @ v2.27.3 go go.mod	✔️	✔️	✔️	🔗
github.com/jedib0t/go-pretty/v6 @ v6.6.9 go go.mod	✔️	✔️	✔️	🔗
github.com/mattn/go-runewidth @ v0.0.19 go go.mod	✔️	✔️	✔️	🔗
github.com/posthog/posthog-go @ v1.6.12 go go.mod	✔️	✔️	✔️	🔗
github.com/prometheus/client_golang @ v1.23.2 go go.mod	✔️	✔️	✔️	🔗
github.com/prometheus/common @ v0.67.2 go go.mod	✔️	✔️	✔️	🔗
github.com/prometheus/procfs @ v0.19.1 go go.mod	✔️	✔️	✔️	🔗
github.com/safedep/code @ v0.0.0-20251026052134-aa08f823b4ad go go.mod	✔️	✔️	✔️	🔗
github.com/safedep/dry @ v0.0.0-20251025050813-25b3d2836927 go go.mod	✔️	✔️	✔️	🔗
github.com/spf13/pflag @ v1.0.10 go go.mod	✔️	✔️	✔️	🔗
github.com/spiffe/go-spiffe/v2 @ v2.6.0 go go.mod	✔️	✔️	✔️	🔗
github.com/stoewer/go-strcase @ v1.3.1 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/auto/sdk @ v1.2.1 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/contrib/detectors/gcp @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc @ v0.63.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp @ v0.63.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/exporters/otlp/otlptrace @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/metric @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/sdk @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/sdk/metric @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/otel/trace @ v1.38.0 go go.mod	✔️	✔️	✔️	🔗
go.opentelemetry.io/proto/otlp @ v1.8.0 go go.mod	✔️	✔️	✔️	🔗
go.yaml.in/yaml/v2 @ v2.4.3 go go.mod	✔️	✔️	✔️	🔗
go.yaml.in/yaml/v3 @ v3.0.4 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/crypto @ v0.43.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/exp @ v0.0.0-20251023183803-a4bb9ffd2546 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/mod @ v0.29.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/net @ v0.46.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/oauth2 @ v0.32.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/sys @ v0.37.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/term @ v0.36.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/text @ v0.30.0 go go.mod	✔️	✔️	✔️	🔗
golang.org/x/time @ v0.14.0 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/api @ v0.253.0 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/genproto @ v0.0.0-20251022142026-3a174f9686a8 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/genproto/googleapis/api @ v0.0.0-20251022142026-3a174f9686a8 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/genproto/googleapis/rpc @ v0.0.0-20251022142026-3a174f9686a8 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/grpc @ v1.76.0 go go.mod	✔️	✔️	✔️	🔗
google.golang.org/protobuf @ v1.36.10 go go.mod	✔️	✔️	✔️	🔗
sigs.k8s.io/yaml @ v1.6.0 go go.mod	✔️	✔️	✔️	🔗

_{This report is generated by SafeDep Github App}

[Copilot]

Pull Request Overview

This PR updates project dependencies and tooling to their latest versions. The changes include upgrading the Go version from 1.25.1 to 1.25.2 and updating numerous direct and indirect dependencies to more recent releases.

Key Changes:

• Go version upgraded from 1.25.1 to 1.25.2
• Direct dependencies updated (e.g., cyclonedx-go, go-pretty, posthog-go, golang.org/x/net)
• Indirect dependencies updated across Google Cloud, OpenTelemetry, Prometheus, and other packages

Reviewed Changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File	Description
go.mod	Updates Go version and all direct/indirect dependency versions
.tool-versions	Updates golang toolchain version to match go.mod

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.01%. Comparing base (1d747df) to head (66d078e).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #51   +/-   ##
=======================================
  Coverage   20.01%   20.01%           
=======================================
  Files          22       22           
  Lines        1239     1239           
=======================================
  Hits          248      248           
  Misses        972      972           
  Partials       19       19           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

vet Summary Report

This report is generated by vet

Policy Checks

• ✅ Vulnerability
• ✅ Malware
• ✅ License
• ❌ Popularity
• ❌ Maintenance
• ✅ Security Posture
• ✅ Threats

⚠️ 1 packages are identified as suspicious. Human review is recommended.

Malicious Package Analysis

Malicious package analysis was performed using SafeDep Cloud API

Malicious Package Analysis Report

Ecosystem	Package	Version	Status	Report
ECOSYSTEM_GO	golang.org/x/term	0.36.0	✅	🔗
ECOSYSTEM_GO	github.com/googleapis/gax-go/v2	2.15.0	✅	🔗
ECOSYSTEM_GO	google.golang.org/genproto/googleapis/rpc	0.0.0-20251022142026-3a174f9686a8	✅	🔗
ECOSYSTEM_GO	github.com/mattn/go-runewidth	0.0.19	✅	🔗
ECOSYSTEM_GO	github.com/spiffe/go-spiffe/v2	2.6.0	✅	🔗
ECOSYSTEM_GO	github.com/CycloneDX/cyclonedx-go	0.9.3	✅	🔗
ECOSYSTEM_GO	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	0.54.0	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	0.63.0	✅	🔗
ECOSYSTEM_GO	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	1.30.0	✅	🔗
ECOSYSTEM_GO	github.com/prometheus/client_golang	1.23.2	✅	🔗
ECOSYSTEM_GO	cloud.google.com/go/auth	0.17.0	✅	🔗
ECOSYSTEM_GO	sigs.k8s.io/yaml	1.6.0	✅	🔗
ECOSYSTEM_GO	github.com/posthog/posthog-go	1.6.12	✅	🔗
ECOSYSTEM_GO	golang.org/x/mod	0.29.0	✅	🔗
ECOSYSTEM_GO	buf.build/go/protovalidate	1.0.0	✅	🔗
ECOSYSTEM_GO	cloud.google.com/go/compute/metadata	0.9.0	✅	🔗
ECOSYSTEM_GO	github.com/antlr4-go/antlr/v4	4.13.1	✅	🔗
ECOSYSTEM_GO	github.com/safedep/code	0.0.0-20251026052134-aa08f823b4ad	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/proto/otlp	1.8.0	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/auto/sdk	1.2.1	✅	🔗
ECOSYSTEM_GO	github.com/prometheus/common	0.67.2	✅	🔗
ECOSYSTEM_GO	github.com/cncf/xds/go	0.0.0-20251022180443-0feb69152e9f	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	0.63.0	✅	🔗
ECOSYSTEM_GO	google.golang.org/genproto/googleapis/api	0.0.0-20251022142026-3a174f9686a8	✅	🔗
ECOSYSTEM_GO	github.com/google/cel-go	0.26.1	✅	🔗
ECOSYSTEM_GO	github.com/clipperhouse/uax29/v2	2.3.0	✅	🔗
ECOSYSTEM_GO	github.com/google/pprof	0.0.0-20251007162407-5df77e3f7d1d	✅	🔗
ECOSYSTEM_GO	github.com/prometheus/procfs	0.19.1	✅	🔗
ECOSYSTEM_GO	cloud.google.com/go/iam	1.5.3	✅	🔗
ECOSYSTEM_GO	github.com/spf13/pflag	1.0.10	✅	🔗
ECOSYSTEM_GO	github.com/jedib0t/go-pretty/v6	6.6.9	✅	🔗
ECOSYSTEM_GO	golang.org/x/time	0.14.0	✅	🔗
ECOSYSTEM_GO	golang.org/x/oauth2	0.32.0	✅	🔗
ECOSYSTEM_GO	github.com/go-jose/go-jose/v4	4.1.3	✅	🔗
ECOSYSTEM_GO	golang.org/x/net	0.46.0	✅	🔗
ECOSYSTEM_GO	buf.build/gen/go/safedep/api/protocolbuffers/go	1.36.10-20251028144432-4ab0fd2eaf3f.1	✅	🔗
ECOSYSTEM_GO	google.golang.org/grpc	1.76.0	✅	🔗
ECOSYSTEM_GO	github.com/clipperhouse/stringish	0.1.1	⚠️	🔗
ECOSYSTEM_GO	cloud.google.com/go/storage	1.57.0	✅	🔗
ECOSYSTEM_GO	cloud.google.com/go	0.123.0	✅	🔗
ECOSYSTEM_GO	cloud.google.com/go/monitoring	1.24.3	✅	🔗
ECOSYSTEM_GO	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	0.54.0	✅	🔗
ECOSYSTEM_GO	google.golang.org/protobuf	1.36.10	✅	🔗
ECOSYSTEM_GO	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go	1.36.10-20250912141014-52f32327d4b0.1	✅	🔗
ECOSYSTEM_GO	golang.org/x/crypto	0.43.0	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/contrib/detectors/gcp	1.38.0	✅	🔗
ECOSYSTEM_GO	golang.org/x/sys	0.37.0	✅	🔗
ECOSYSTEM_GO	golang.org/x/exp	0.0.0-20251023183803-a4bb9ffd2546	✅	🔗
ECOSYSTEM_GO	github.com/stoewer/go-strcase	1.3.1	✅	🔗
ECOSYSTEM_GO	go.yaml.in/yaml/v2	2.4.3	✅	🔗
ECOSYSTEM_GO	github.com/grpc-ecosystem/grpc-gateway/v2	2.27.3	✅	🔗
ECOSYSTEM_GO	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.38.0	✅	🔗

• ℹ️ 52 packages have been actively analyzed for malicious behaviour.
• 🟠 1 packages are identified as suspicious.

Note: Some of the package analysis jobs may still be running.Please check back later. Consider increasing the timeout for better coverage.

Changed Packages

Changed Packages

• ⚠️ [Go] github.com/antlr4-go/antlr/v4@4.13.1
• ✅ [Go] go.yaml.in/yaml/v2@2.4.3
• ✅ [Go] github.com/googleapis/gax-go/v2@2.15.0
• ✅ [Go] cloud.google.com/go/compute/metadata@0.9.0
• ✅ [Go] google.golang.org/grpc@1.76.0
• ✅ [Go] go.opentelemetry.io/auto/sdk@1.2.1
• ✅ [Go] github.com/go-jose/go-jose/v4@4.1.3
• ✅ [Go] github.com/envoyproxy/go-control-plane/envoy@1.35.0
• ✅ [Go] cloud.google.com/go/iam@1.5.3
• ⚠️ [Go] github.com/cncf/xds/go@0.0.0-20251022180443-0feb69152e9f
• ✅ [Go] google.golang.org/api@0.253.0
• ✅ [Go] github.com/prometheus/common@0.67.2
• ✅ [Go] buf.build/gen/go/safedep/api/protocolbuffers/go@1.36.10-20251028144432-4ab0fd2eaf3f.1
• ✅ [Go] cloud.google.com/go/storage@1.57.0
• ✅ [Go] github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric@0.54.0
• ✅ [Go] github.com/grpc-ecosystem/grpc-gateway/v2@2.27.3
• ✅ [Go] github.com/google/cel-go@0.26.1
• ✅ [Go] github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp@1.30.0
• ✅ [Go] google.golang.org/protobuf@1.36.10
• ✅ [Go] github.com/CycloneDX/cyclonedx-go@0.9.3
• ✅ [Go] go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@0.63.0
• ⚠️ [Go] github.com/stoewer/go-strcase@1.3.1
• ✅ [Go] cloud.google.com/go@0.123.0
• ✅ [Go] cloud.google.com/go/monitoring@1.24.3
• ✅ [Go] golang.org/x/oauth2@0.32.0
• ⚠️ [Go] github.com/safedep/code@0.0.0-20251026052134-aa08f823b4ad
• ✅ [Go] github.com/jedib0t/go-pretty/v6@6.6.9
• ✅ [Go] buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go@1.36.10-20250912141014-52f32327d4b0.1
• ✅ [Go] github.com/google/pprof@0.0.0-20251007162407-5df77e3f7d1d
• ✅ [Go] github.com/mattn/go-runewidth@0.0.19
• ✅ [Go] buf.build/go/protovalidate@1.0.0
• ✅ [Go] go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.38.0
• ✅ [Go] github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping@0.54.0
• ✅ [Go] golang.org/x/term@0.36.0
• ⚠️ [Go] github.com/clipperhouse/stringish@0.1.1
• ✅ [Go] github.com/spf13/pflag@1.0.10
• ✅ [Go] cloud.google.com/go/auth@0.17.0
• ✅ [Go] golang.org/x/crypto@0.43.0
• ✅ [Go] go.opentelemetry.io/proto/otlp@1.8.0
• ✅ [Go] github.com/spiffe/go-spiffe/v2@2.6.0
• ✅ [Go] go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@0.63.0
• ✅ [Go] golang.org/x/text@0.30.0
• ✅ [Go] golang.org/x/sys@0.37.0
• ✅ [Go] github.com/prometheus/client_golang@1.23.2
• ✅ [Go] golang.org/x/time@0.14.0
• ✅ [Go] golang.org/x/mod@0.29.0
• ✅ [Go] golang.org/x/net@0.46.0
• ✅ [Go] google.golang.org/genproto/googleapis/api@0.0.0-20251022142026-3a174f9686a8
• ✅ [Go] github.com/clipperhouse/uax29/v2@2.3.0
• ✅ [Go] google.golang.org/genproto/googleapis/rpc@0.0.0-20251022142026-3a174f9686a8
• ✅ [Go] go.opentelemetry.io/contrib/detectors/gcp@1.38.0
• ✅ [Go] github.com/prometheus/procfs@0.19.1
• ✅ [Go] sigs.k8s.io/yaml@1.6.0
• ✅ [Go] github.com/posthog/posthog-go@1.6.12
• ✅ [Go] stdlib@1.25.2
• ✅ [Go] google.golang.org/genproto@0.0.0-20251022142026-3a174f9686a8
• ✅ [Go] golang.org/x/exp@0.0.0-20251023183803-a4bb9ffd2546

Policy Violations

Packages Violating Policy

[Go] github.com/antlr4-go/antlr/v4@4.13.1 🔗

• ➡️ Found in manifest go.mod
• ⚠️ Component appears to be unmaintained

[Go] github.com/cncf/xds/go@0.0.0-20251022180443-0feb69152e9f 🔗

• ➡️ Found in manifest go.mod
• ⚠️ Component appears to be unmaintained

[Go] github.com/stoewer/go-strcase@1.3.1 🔗

• ➡️ Found in manifest go.mod
• ⚠️ Component appears to be unmaintained

[Go] github.com/safedep/code@0.0.0-20251026052134-aa08f823b4ad 🔗

• ➡️ Found in manifest go.mod
• ⚠️ Component popularity is low by Github stars count
• ⚡ Use an alternative package that is popular

[Go] github.com/clipperhouse/stringish@0.1.1 🔗

• ➡️ Found in manifest go.mod
• ⚠️ Component popularity is low by Github stars count
• ⚡ Use an alternative package that is popular

[devin-ai-integration]

Devin Review found 1 potential issue.

View issue and 4 additional flags in Devin Review.

[devin-ai-integration]

🔴 glibc version mismatch between build and runtime Docker stages causes binary incompatibility

The Dockerfile change introduces a glibc version mismatch that will cause the built binary to fail at runtime.

The change:

• Build stage changed from golang:1.25-bookworm (Debian 12, glibc 2.36) to golang:1.25-trixie (Debian 13, glibc 2.38+)
• Runtime stage remains debian:11-slim (Debian 11/Bullseye, glibc 2.31)

Why this is a problem:
The build uses CGO_ENABLED=1 (Dockerfile:18), which means the binary is dynamically linked against glibc. When a CGO-enabled binary is compiled against a newer glibc (2.38+ in Trixie), it may use symbols that don't exist in older glibc versions (2.31 in Bullseye).

Expected behavior: Container runs successfully
Actual behavior: Container will fail at startup with errors like:

/usr/local/bin/xbom: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.XX' not found

Impact: The Docker image will be completely broken - the xbom binary will not execute at all in the runtime container.

Recommendation: Either update the runtime stage to use a compatible Debian version (e.g., debian:13-slim or debian:trixie-slim), or revert the build stage back to golang:1.25-bookworm to maintain compatibility with debian:11-slim.

---

Was this helpful? React with 👍 or 👎 to provide feedback.