Conversation

@nomaed nomaed commented Apr 12, 2025

We use this package in a large org as part of our tooling and since it hasn't been updated for a long time, there are many vulnerabilities that have been detected and fixed since the last release.

After a scan with govulncheck, the following changes are in this PR:

  • Upgraded to go1.24.6
  • Upgraded go.mod: golang.org/x/crypto, golang.org/x/sys, golang.org/x/net and github.com/go-git/go-git/v5 and their dependencies
  • Fixed 2 tests that relied on older descriptions of scanner.Init() and ioutils.TempFile()

Following these, govulncheck gives a clean bill of health.

Before

Scan summary for latest gomarkdoc binary:

	CVE-2021-43565 (7.5) in golang.org/x/crypto, fixed in 0.0.0-20211202192323-5770296d904e
	CVE-2022-27191 (7.5) in golang.org/x/crypto, fixed in 0.0.0-20220314234659-1baeb1ce4c0b
	CVE-2022-27664 (7.5) in golang.org/x/net, fixed in 0.0.0-20220906165146-f3363e06e74c
	CVE-2022-29526 (5.3) in golang.org/x/sys, fixed in 0.1.0
	CVE-2023-3978 (6.1) in golang.org/x/net, fixed in 0.13.0
	CVE-2023-39325 (7.5) in golang.org/x/net, fixed in 0.17.0
	CVE-2023-44487 (6.9) in golang.org/x/net, fixed in 0.17.0
	CVE-2023-48795 (5.9) in golang.org/x/crypto, fixed in 0.17.0
	CVE-2023-45288 (5.3) in golang.org/x/net, fixed in 0.23.0
	CVE-2021-38561 (7.5) in golang.org/x/text, fixed in 0.3.7
	CVE-2022-32149 (7.5) in golang.org/x/text, fixed in 0.3.8
	CVE-2024-45337 (9.1) in golang.org/x/crypto, fixed in 0.31.0
	CVE-2022-41717 (5.3) in golang.org/x/net, fixed in 0.4.0
	CVE-2022-41723 (7.5) in golang.org/x/net, fixed in 0.7.0
	CVE-2023-49568 (7.5) in github.com/go-git/go-git/v5, fixed in 5.11.0
	CVE-2023-49569 (9.8) in github.com/go-git/go-git/v5, fixed in 5.11.0
	CVE-2025-21613 (9.2) in github.com/go-git/go-git/v5, fixed in 5.13.0
	CVE-2025-21614 (7.5) in github.com/go-git/go-git/v5, fixed in 5.13.0

("Example traces found" sections removed to reduce the output)

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-3487
    Potential denial of service in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2025-3487
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      [1 line removed]

Vulnerability #2: GO-2025-3368
    Argument Injection via the URL field in github.com/go-git/go-git
  More info: https://pkg.go.dev/vuln/GO-2025-3368
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      [106 lines removed]

Vulnerability #3: GO-2025-3367
    Clients vulnerable to DoS via maliciously crafted Git server replies in
    github.com/go-git/go-git
  More info: https://pkg.go.dev/vuln/GO-2025-3367
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      [106 lines removed]

Vulnerability #4: GO-2024-2466
    Denial of service in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2466
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      [6 lines removed]

Vulnerability #5: GO-2024-2456
    Path traversal and RCE in github.com/go-git/go-git/v5 and
    gopkg.in/src-d/go-git.v4
  More info: https://pkg.go.dev/vuln/GO-2024-2456
  Module: github.com/go-git/go-git/v5
    Found in: github.com/go-git/go-git/[email protected]
    Fixed in: github.com/go-git/go-git/[email protected]
    Example traces found:
      [6 lines removed]

Vulnerability #6: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      [1 line removed]

After

$ govulncheck ./...
=== Symbol Results ===

No vulnerabilities found.
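
A small added check, written for this page and not part of the PR or of gomarkdoc: it parses the "Scan summary" lines above and reports which advisories a given go.mod require set still leaves open, using a minimal version comparison that also orders the pseudo-versions in that list. The require map in main is a constructed example, not the PR's go.mod.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Advisory is one "CVE-... (score) in module, fixed in version" line of the PR's scan summary.
type Advisory struct{ ID, Module, FixedIn string }
var summaryRe = regexp.MustCompile(`(CVE-\d{4}-\d+) \([\d.]+\) in (\S+), fixed in (\S+)`)
// ParseSummary extracts every advisory line from the scan-summary text.
func ParseSummary(text string) (out []Advisory) {
	for _, m := range summaryRe.FindAllStringSubmatch(text, -1) {
		out = append(out, Advisory{m[1], m[2], m[3]})
	}
	return out
}
// splitVersion yields the numeric X.Y.Z part and any pseudo-version/prerelease suffix.
func splitVersion(v string) (n [3]int, suffix string) {
	core, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, suffix
}
// CompareVersions returns <0, 0 or >0 as a is older than, equal to or newer than b.
func CompareVersions(a, b string) int {
	an, as := splitVersion(a)
	bn, bs := splitVersion(b)
	for i := range an { // numeric parts decide first
		if an[i] != bn[i] {
			return an[i] - bn[i]
		}
	}
	if as == "" || bs == "" {
		return len(bs) - len(as) // a release (no suffix) beats any pseudo-version of the same core
	}
	return strings.Compare(as, bs) // pseudo-version timestamps compare lexically
}
// Outstanding returns the advisories whose module is still required below its FixedIn version.
func Outstanding(advs []Advisory, require map[string]string) (open []Advisory) {
	for _, a := range advs {
		if have, ok := require[a.Module]; ok && CompareVersions(have, a.FixedIn) < 0 {
			open = append(open, a)
		}
	}
	return open
}
func main() {
	// Constructed input: one PR summary line against an illustrative require set (not the PR's go.mod).
	summary := "CVE-2024-45337 (9.1) in golang.org/x/crypto, fixed in 0.31.0"
	fmt.Println(Outstanding(ParseSummary(summary), map[string]string{"golang.org/x/crypto": "v0.17.0"}))
}
```

Feeding it the full summary block and the require lines of a go.mod gives the same "before"/"after" picture the PR shows, without a network call.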


nomaed commented Apr 17, 2025

@princjef are you available to review this PR?


nomaed commented Jul 6, 2025

@princjef pinging you again with hopes that you can take a look at this.


Bad3r commented Aug 13, 2025

hi @nomaed,

do you plan to update the package to Go v1.25 or 1.24?
Seems like the maintainer isn't going to be available any time soon, so I am using your fork.


nomaed commented Aug 13, 2025

hi @nomaed,

do you plan to update the package to Go v1.25 or 1.24? Seems like the maintainer isn't going to be available any time soon, so I am using your fork.

Not at the moment. I might do it some time in the future.

@nomaed nomaed changed the title chore(deps): upgrade to go1.23 and dependencies to patch vulnerabilities chore(deps): upgrade to go1.24 and dependencies to patch vulnerabilities Nov 16, 2025

nomaed commented Nov 16, 2025

For now and in case this PR is not going to be merged in, I updated all the recent vulnerable dependencies and upgraded to go1.24.6 in my fork.

To be able to use the fork, I also modified the package name (in a separate branch) and tagged the version, so it can be used as go install github.com/nomaed/gomarkdoc/cmd/[email protected]+cvepatch.2025.11.16 as a drop-in replacement, or go get github.com/nomaed/[email protected]+cvepatch.2025.11.16 to add it as a module.

  • github.com/nomaed/gomarkdoc v1.1.1-0.20251116115436-d15311c69ae1

FYI @Bad3r if you're still interested.
