fix(security): remediate CVE vulnerabilities

[upbound-bot]

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA	Severity	Package	Fixed Version
CVE-2025-68121	Critical	stdlib	go1.24.13
CVE-2025-61732	High	stdlib	go1.24.13

Changes Made

• Updated Go version from 1.24.12 to 1.24.13 in go.mod

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-68121
• https://nvd.nist.gov/vuln/detail/CVE-2025-61732

Verification

• Rescanned with cve-scan skill after fixes
• All listed vulnerabilities resolved

[upbound-bot]

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-03-02T17:38:04Z

Summary

Docker build failed because the CI workflow uses Go 1.24.12, but go.mod requires Go 1.24.13 after CVE fixes.

Root Cause

The CVE remediation in this PR updated go.mod to require Go 1.24.13 to fix CVE-2025-68121 and CVE-2025-61732. However, the CI workflow (.github/workflows/ci.yml) has GO_VERSION: '1.24.12' hardcoded, which is passed to the Dockerfile as a build argument.

When the Docker build runs go mod download, Go reports: "go.mod requires go >= 1.24.13 (running go 1.24.12; GOTOOLCHAIN=local)"

Error Details

#14 0.063 go: go.mod requires go >= 1.24.13 (running go 1.24.12; GOTOOLCHAIN=local)
ERROR: failed to solve: process ... did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yml from '1.24.12' to '1.24.13' to match the Go version required by go.mod. This is a CI environment fix, not a code rollback - the CVE fixes must be preserved.

---

_{This analysis was generated by the build-failure-analyze skill.}