From 48f92c587d6caf2730885aff35d0f75ff59b94a7 Mon Sep 17 00:00:00 2001
From: Divyanshu Agrawal <diagrawa@redhat.com>
Date: Tue, 23 Jun 2026 09:26:18 +0000
Subject: [PATCH] fix(cve): CVE-2026-42499, CVE-2026-39820 - update Go 1.25.9
 to 1.25.10

- Update Go stdlib from 1.25.9 to 1.25.10
- Addresses CVE-2026-42499: Quadratic string concatenation in consumePhrase in net/mail
- Addresses CVE-2026-39820: Quadratic string concatenation in consumeComment in net/mail
- Both vulnerabilities allow DoS via pathological email address inputs

Resolves: SRVKP-12511, SRVKP-12514

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index b9f8d5e17..9fffe227b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/tektoncd/cli
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7