
fix(security): remediate CVE vulnerabilities #48

Open
upbound-bot wants to merge 1 commit into release-0.4 from fix/cve-remediation-release-0.4-20260605-083707

Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| GO-2026-5006 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5023 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5017 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5020 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5005 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5021 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5019 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5018 | Critical | golang.org/x/crypto | v0.52.0 |
| GO-2026-5026 | Critical | golang.org/x/net | v0.55.0 |
| GO-2026-5013 | High | golang.org/x/crypto | v0.52.0 |
| GO-2026-4918 | High | golang.org/x/net | v0.55.0 |
| CVE-2026-42504 | High | stdlib | go1.25.11 |
| GO-2026-5038 | High | stdlib | go1.25.11 |
| GO-2026-5033 | Medium | golang.org/x/crypto | v0.52.0 |
| GO-2026-5014 | Medium | golang.org/x/crypto | v0.52.0 |
| GO-2026-5015 | Medium | golang.org/x/crypto | v0.52.0 |
| GO-2026-5016 | Medium | golang.org/x/crypto | v0.52.0 |
| GO-2026-5028 | Medium | golang.org/x/net | v0.55.0 |
| GO-2026-5025 | Medium | golang.org/x/net | v0.55.0 |
| GO-2026-5027 | Medium | golang.org/x/net | v0.55.0 |
| GO-2026-5029 | Medium | golang.org/x/net | v0.55.0 |
| GO-2026-5030 | Medium | golang.org/x/net | v0.55.0 |
| CVE-2026-42507 | Medium | stdlib | go1.25.11 |
| GO-2026-5039 | Medium | stdlib | go1.25.11 |
| GO-2026-5024 | Low | golang.org/x/sys | v0.45.0 |
| CVE-2026-27145 | Unknown | stdlib | go1.25.11 |
| GO-2026-5037 | Unknown | stdlib | go1.25.11 |

Changes Made

  • Updated go directive in go.mod from 1.25.10 to 1.25.11
  • Updated golang.org/x/crypto from v0.46.0 to v0.52.0 (indirect dependency)
  • Updated golang.org/x/net from v0.48.0 to v0.55.0 (indirect dependency)
  • Updated golang.org/x/sys from v0.39.0 to v0.45.0 (indirect dependency, via go mod tidy)
  • Ran go mod tidy to update go.sum
  • Updated GO_VERSION in .github/workflows/ci.yml from 1.25.10 to 1.25.11

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.11 (fixes CVE-2026-42504, GO-2026-5038, CVE-2026-42507, GO-2026-5039, CVE-2026-27145, GO-2026-5037)
- Update golang.org/x/crypto to v0.52.0 (fixes GO-2026-5006, GO-2026-5023, GO-2026-5017, GO-2026-5020, GO-2026-5013, GO-2026-5005, GO-2026-5021, GO-2026-5019, GO-2026-5018, GO-2026-5033, GO-2026-5014, GO-2026-5015, GO-2026-5016)
- Update golang.org/x/net to v0.55.0 (fixes GO-2026-5026, GO-2026-5028, GO-2026-5025, GO-2026-5027, GO-2026-5029, GO-2026-5030, GO-2026-4918)
- Update golang.org/x/sys to v0.45.0 (fixes GO-2026-5024)
- Update CI workflow Go version to 1.25.11

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
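A reviewer of a PR like this wants two checks that the description does not show: that go.mod really carries the pins the table promises, and that the toolchain building the binary is at least the fixed Go release. The `go` directive in go.mod is only a minimum language version; the GO_VERSION the CI workflow installs is what compiles the stdlib fixes in, so it has to be checked on its own. The following Go program is an added example, not code from the upbound/function-claude project or from the bot that opened this PR. It audits a go.mod against the fix table above and checks `go version` output against the fixed Go release. The module path example.com/function-claude and both go.mod bodies are constructed for the example.

```go
package main

import (
	"cmp"
	"fmt"
	"strconv"
	"strings"
)

// FixTable mirrors the PR's "Fixed Version" column; MinGo is the fixed Go release.
var FixTable = []struct{ Module, Fixed string }{
	{"golang.org/x/crypto", "v0.52.0"},
	{"golang.org/x/net", "v0.55.0"},
	{"golang.org/x/sys", "v0.45.0"},
}

const MinGo = "1.25.11"

// Constructed samples (module path assumed): pre-PR pins from "Changes Made" in
// block form, and the post-PR pins in single-line require form.
const staleGoMod = `module example.com/function-claude
go 1.25.10
require (
	golang.org/x/crypto v0.46.0 // indirect
	golang.org/x/net v0.48.0 // indirect
	golang.org/x/sys v0.39.0 // indirect
)`

const fixedGoMod = "module example.com/function-claude\ngo 1.25.11\nrequire golang.org/x/crypto v0.52.0 // indirect\n" +
	"require golang.org/x/net v0.55.0\nrequire golang.org/x/sys v0.45.0\n"

// ParseGoMod returns the go directive and the require pins (path -> version) from
// single-line and block form, skipping replace/exclude blocks and "//" comments.
func ParseGoMod(src string) (goDirective string, require map[string]string) {
	require = map[string]string{}
	block := ""
	for _, line := range strings.Split(src, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and the like
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "go":
			goDirective = f[1]
		case (len(f) == 2 && f[1] == "(") || (len(f) == 1 && f[0] == ")"):
			block = strings.TrimSuffix(f[0], ")") // "require", "replace", ... or "" on ")"
		case len(f) == 3 && f[0] == "require":
			require[f[1]] = f[2]
		case len(f) == 2 && block == "require":
			require[f[0]] = f[1]
		}
	}
	return goDirective, require
}

// splitSemver turns "v1.2.3-pre" or "1.2.3" into its numeric core and suffix.
func splitSemver(v string) (n [3]int, pre string) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p) // non-numeric parts count as 0
	}
	return n, pre
}

// CompareVersion orders versions numerically; a pre-release or pseudo-version
// suffix sorts below the bare release with the same numbers.
func CompareVersion(a, b string) int {
	na, pa := splitSemver(a)
	nb, pb := splitSemver(b)
	for i := range na {
		if na[i] != nb[i] {
			return cmp.Compare(na[i], nb[i])
		}
	}
	if pa == "" || pb == "" {
		return strings.Compare(pb, pa) // the side with no suffix is the newer one
	}
	return strings.Compare(pa, pb)
}

// Audit lists every pin still below its fixed version, go directive first.
// A module absent from go.mod is not in the build and is skipped.
func Audit(goDirective string, require map[string]string) []string {
	var out []string
	if CompareVersion(goDirective, MinGo) < 0 {
		out = append(out, "go directive "+goDirective+" < "+MinGo)
	}
	for _, e := range FixTable {
		if have, ok := require[e.Module]; ok && CompareVersion(have, e.Fixed) < 0 {
			out = append(out, e.Module+" "+have+" < "+e.Fixed)
		}
	}
	return out
}

// ToolchainOK checks `go version` output: the go directive is only a minimum,
// and the toolchain CI actually runs (GO_VERSION) is what compiles the stdlib fixes in.
func ToolchainOK(goVersionOutput string) bool {
	f := strings.Fields(goVersionOutput) // e.g. "go version go1.25.11 linux/amd64"
	return len(f) >= 3 && CompareVersion(strings.TrimPrefix(f[2], "go"), MinGo) >= 0
}

func main() {
	fmt.Println("stale:", Audit(ParseGoMod(staleGoMod)), "fixed:", Audit(ParseGoMod(fixedGoMod)))
	fmt.Println("toolchain ok:", ToolchainOK("go version go1.25.11 linux/amd64"))
}
```

On a real checkout the same questions are answered by `go list -m golang.org/x/crypto golang.org/x/net golang.org/x/sys` (the versions the build graph actually resolves, which can be higher than what go.mod pins), `go version` on the CI runner, and a rerun of `govulncheck ./...` against the Go vulnerability database, which is where the GO-YYYY-NNNN identifiers in the table come from.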
@upbound-bot

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-06-05T08:40:00Z

Summary

The build failed while downloading the Crossplane CLI v2.3.0 from the stable channel.

Root Cause

This is a transient CI infrastructure failure. The Crossplane CLI install script was unable to fetch version v2.3.0, likely due to temporary network connectivity issues or service unavailability.

Error Details

Failed to download Crossplane CLI. Please make sure version v2.3.0 exists on channel stable.
##[error]Process completed with exit code 1.

Recommendation

Retry the workflow. This is a transient failure that should resolve on retry. Use:

gh run rerun 27004732822 --failed --repo upbound/function-claude

This analysis was generated by the build-failure-analyze skill.

@upbound-bot

Build Failure Analysis

Check: build (arm64)
Status: Cancelled
Analyzed: 2026-06-05T08:40:00Z

Summary

This job was cancelled due to the fail-fast strategy when the build (amd64) job failed.

Root Cause

The workflow uses fail-fast: true in the build matrix strategy. When the amd64 build failed (due to a Crossplane CLI download issue), GitHub Actions automatically cancelled this arm64 build to save CI resources.

Error Details

No independent failure - job was cancelled as a consequence of the amd64 build failure.

Recommendation

No action needed for this check. Fix the amd64 build failure (or retry the workflow), and this job will run successfully when the workflow is re-executed.


This analysis was generated by the build-failure-analyze skill.
