chore: bump version to fix CVE

[upils]

• Have you signed the CLA?

---

Bump the minimal go version to 1.25.8, fixing the following vulnerabilities, affecting go 1.24.6:

CVE-2025-68121 (CRITICAL)
CVE-2025-58183 (HIGH)
CVE-2025-61726 (HIGH)
CVE-2025-61728 (HIGH)
CVE-2025-61729 (HIGH)

go 1.24.13 cannot be used as it is not available yet in the snapstore.
go 1.26 cannot be used either as there is no stable snap of it in the snapstore.

govulncheck does not identify any vulnerabilities after this fix.
trivy does not identify any stdlib-related vulnerabilities after this fix.

golangci-lint is also bumped to v2.x to be compatible with go 1.25. To do so, the configuration is migrated to the v2 format, with the minimum amount of changes. Some checks are excluded to avoid unrelated fixes in this PR. They should be re-enabled in a follow-up PR and the code corrected.

[lczyk]

👍

this should also fix #250 since the fix for the problem there has been backported to go1.25.4 golang/go#75775

btw, because of this issue i've been using chisel compiled with go1.26 and i've seen no regressions due to golang version bump

[upils]

👍

this should also fix #250 since the fix for the problem there has been backported to go1.25.4 golang/go#75775

Correct!

btw, because of this issue i've been using chisel compiled with go1.26 and i've seen no regressions due to golang version bump

Nice to know the path to a future bump to go1.26 is clear!

[letFunny]

Looks good to me, thank you for working on it. I think we should create a backlog item to come back and fix the lints in the (near) future.

[niemeyer]

I'm merging this since it's about CVEs and has been hanging for a while, but we should talk about what kind of conversation happened to make sure changing the Go version of the project would go smoothly in the places we care about.

Thanks for pushing the fixes.