a3ac58fb70a3a1cf9016187f0a97abfc8a441c3b
govulncheck reported 16 reachable vulnerabilities (re-audit finding N1, report 0006): 14 in github.com/nats-io/nats-server/v2@v2.10.22 -- the embedded NATS server, which is exposed to the internet in the chosen deployment -- and 2 in the Go standard library (GO-2026-5039 net/textproto, GO-2026-5037 crypto/x509).

Changes:
- go get github.com/nats-io/nats-server/v2@v2.11.15 (covers all 14 server CVEs; pulls nats.go v1.49.0, nkeys v0.4.15, jwt v2.8.1, klauspost/compress v1.18.4 and friends transitively).
- go directive 1.25.0 -> 1.26.4 so the toolchain ships the two stdlib fixes.

This is a go.mod/go.sum change justified purely by CVE remediation; it is the explicit exception to the "do not touch deps" rule for a CVE bump.

Verification:
- CGO_ENABLED=0 go build ./... && go vet ./... && go test -count=1 ./... -> green, including the 0003 multi-node cluster/JetStream e2e in pkg/embeddednats, so the server bump did not break the cluster or the durable plane.
- govulncheck ./... -> "No vulnerabilities found" (0 reachable; the 13 that remain are in required-but-not-called modules).

Refs: report 0006 N1, issue 0005a.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
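
The split the verification step draws between reachable findings and those in required-but-not-called modules can be checked mechanically in CI. The Go program below is an added example, not code from this commit or repository; it assumes the `finding`/`osv`/`trace` message layout of `govulncheck -json`, and `classify` and the sample stream are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of a govulncheck -json stream (IDs and modules are made up).
const sample = `{"progress":{"message":"scanning"}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/a"}]}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/a","package":"example.com/a/p"}]}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/a","package":"example.com/a/p","function":"Parse"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/b"}]}}`

// finding is the subset of a "finding" message that this check needs.
type finding struct {
	OSV   string
	Trace []struct{ Module, Package, Function string }
}

// classify returns, per OSV ID, the most precise level reported:
// 1 = module required, 2 = package imported, 3 = vulnerable symbol called.
func classify(r io.Reader) (map[string]int, error) {
	best := map[string]int{}
	for dec := json.NewDecoder(r); ; {
		var m struct{ Finding *finding }
		if err := dec.Decode(&m); err == io.EOF {
			return best, nil
		} else if err != nil {
			return nil, err // truncated or malformed stream: fail closed
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages
		}
		lvl, f := 1, m.Finding.Trace[0] // frame 0 is the vulnerable side
		if f.Function != "" {
			lvl = 3
		} else if f.Package != "" {
			lvl = 2
		}
		if lvl > best[m.Finding.OSV] {
			best[m.Finding.OSV] = lvl
		}
	}
}

func main() {
	best, err := classify(strings.NewReader(sample))
	fmt.Println(best, err) // a CI gate would fail on any ID at level 3
}
```

IDs left at level 1 or 2 correspond to the "required-but-not-called" remainder; they do not block the build but are worth tracking, since a later code change can make them reachable.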