Address security vulnerabilities #102

Merged: benclapp merged 3 commits into zapier:main from n0033:update-go-1.25 on Feb 24, 2026

Conversation


@n0033 n0033 commented Jan 26, 2026

In the Go version currently used (1.21.3) there are some security vulnerabilities in the net/http package:

Also, golang.org/x/crypto has the following vulnerability:

This MR:

  • bumps the Go version used in the project from 1.21.3 to 1.25.6
  • updates golang.org/x/crypto from v0.12.0 to v0.47.0

Some validations:

go test
❯ go test -count=1  ./...
?       github.com/zapier/prom-aggregation-gateway      [no test files]
?       github.com/zapier/prom-aggregation-gateway/cmd  [no test files]
?       github.com/zapier/prom-aggregation-gateway/config       [no test files]
ok      github.com/zapier/prom-aggregation-gateway/metrics      0.423s
ok      github.com/zapier/prom-aggregation-gateway/routers      0.828s
go run
❯ go run .
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /metrics                  --> github.com/zapier/prom-aggregation-gateway/metrics.(*Aggregate).HandleRender-fm (3 handlers)
[GIN-debug] POST   /metrics                  --> github.com/zapier/prom-aggregation-gateway/metrics.(*Aggregate).HandleInsert-fm (3 handlers)
[GIN-debug] POST   /metrics/*labels          --> github.com/zapier/prom-aggregation-gateway/metrics.(*Aggregate).HandleInsert-fm (3 handlers)
[GIN-debug] PUT    /metrics                  --> github.com/zapier/prom-aggregation-gateway/metrics.(*Aggregate).HandleInsert-fm (3 handlers)
[GIN-debug] PUT    /metrics/*labels          --> github.com/zapier/prom-aggregation-gateway/metrics.(*Aggregate).HandleInsert-fm (3 handlers)
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /healthy                  --> github.com/zapier/prom-aggregation-gateway/routers.handleHealthCheck (1 handlers)
[GIN-debug] GET    /ready                    --> github.com/zapier/prom-aggregation-gateway/routers.handleHealthCheck (1 handlers)
[GIN-debug] GET    /metrics                  --> github.com/zapier/prom-aggregation-gateway/routers.setupLifecycleRouter.convertHandler.func1 (1 handlers)
2026/01/26 20:13:49 api server listening at :80
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on :80
2026/01/26 20:13:49 lifecycle server listening at :8888
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on :8888
metric push
❯ echo 'http_requests_total{method="post",code="200"} 1027' | curl --data-binary @- http://localhost/metrics/
❯ echo 'http_requests_total{method="post",code="200"} 1027' | curl --data-binary @- http://localhost/metrics/
# TYPE http_requests_total untyped
http_requests_total{code="200",method="post"} 2054
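As an added check that is not part of this PR or the project's code: a small Go program that scans go.mod text for the two directives this PR bumps and flags anything still below the new versions, so a reviewer can confirm the bump actually landed. The go.mod content in main is constructed for the example, not the project's real file.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const minGo, minCrypto = "1.25.6", "v0.47.0" // floors taken from the PR description

// versionLess reports whether a < b for "1.25.6"/"v0.47.0"-style strings,
// comparing up to three numeric components (missing ones count as 0).
func versionLess(a, b string) bool {
	num := func(v string) (n [3]int) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-") // drop any pre-release tag
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return
	}
	na, nb := num(a), num(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return false
}

// CheckGoMod scans go.mod text and returns one finding per directive still
// below the floors; an empty result means this PR's bump is present.
func CheckGoMod(gomod string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		// Handles both "require path ver" and lines inside a require ( ) block.
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		switch {
		case len(f) == 2 && f[0] == "go" && versionLess(f[1], minGo):
			findings = append(findings, "go "+f[1]+" is below "+minGo)
		case len(f) >= 2 && f[0] == "golang.org/x/crypto" && versionLess(f[1], minCrypto):
			findings = append(findings, "golang.org/x/crypto "+f[1]+" is below "+minCrypto)
		}
	}
	return findings
}

func main() {
	// Constructed pre-PR go.mod content, not the project's real file.
	fmt.Println(CheckGoMod("go 1.21.3\nrequire golang.org/x/crypto v0.12.0 // indirect\n"))
}
```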

@n0033 n0033 changed the title Address security vulnerabilities Draft: Address security vulnerabilities Jan 26, 2026
@n0033 n0033 force-pushed the update-go-1.25 branch 2 times, most recently from 514d36f to 2baf5a0 on January 26, 2026 19:35
@n0033 n0033 changed the title Draft: Address security vulnerabilities Address security vulnerabilities Jan 26, 2026
benclapp (Collaborator) commented:

Thanks for the PR @n0033! It's been a few years since the last commit to this project. Looks like a few of the CI pipelines have new failures unrelated to your changes, which LGTM.

I'll look at getting CI patched up in the next day or so, then we can look at getting this PR merged!

benclapp (Collaborator) commented:

Hey @n0033, things should be in a good place to re-attempt CI for this PR now! This failure should now be fixed on main: https://github.com/zapier/prom-aggregation-gateway/actions/runs/22165817100/job/64092752198?pr=102

For the build-image job, this is now running fine on main. You will also need to bump the go image version in the Dockerfile as part of this PR if you don't mind?

Keen to get this merged in and released!

Signed-off-by: Norbert Wyszkowski <nwyszkowski@splunk.com>
@n0033 n0033 force-pushed the update-go-1.25 branch 2 times, most recently from ec83579 to f8ea2e9 on February 23, 2026 09:06
n0033 (Author) commented Feb 23, 2026:

> Hey @n0033, things should be in a good place to re-attempt CI for this PR now! This failure should now be fixed on main: https://github.com/zapier/prom-aggregation-gateway/actions/runs/22165817100/job/64092752198?pr=102
>
> For the build-image job, this is now running fine on main. You will also need to bump the go image version in the Dockerfile as part of this PR if you don't mind?
>
> Keen to get this merged in and released!

I have updated the Go version in .tool-versions and the Dockerfile to 1.25.7.

benclapp (Collaborator) commented:

Awesome, LGTM! Thanks for your patience.

@benclapp benclapp self-assigned this Feb 24, 2026
@benclapp benclapp merged commit 84686bb into zapier:main Feb 24, 2026
4 checks passed