Security: Fix CVE-2025-47907 by updating Go to 1.24.6

[Copilot]

Overview

This PR addresses a HIGH severity security vulnerability (CVE-2025-47907) in the Go standard library by updating the Go version from 1.24.5 to 1.24.6.

Vulnerability Details

CVE ID: CVE-2025-47907
Severity: HIGH
Component: Go stdlib (database/sql package)
Issue: Postgres Scan Race Condition
Reference: https://avd.aquasec.com/nvd/cve-2025-47907

The vulnerability was detected in the compiled helm-diff plugin binary during a Trivy security scan.

Changes

This PR makes minimal, surgical changes to resolve the vulnerability:

1. go.mod: Updated Go version from 1.24.5 to 1.24.6
2. Dockerfile.release: Updated base image from golang:1.22 to golang:1.24 for consistency

Testing

✅ All existing unit tests pass
✅ Binary builds successfully
✅ Linting and static checks pass
✅ Plugin functionality verified (helm diff version)
✅ No dependency updates required

Impact

• Security: Resolves CVE-2025-47907 in the Go standard library
• Compatibility: No breaking changes - this is a patch version update
• CI/CD: GitHub Actions workflows will automatically use the updated Go version via go-version-file: 'go.mod'
• Releases: Future releases built with GoReleaser will use the patched Go version

Verification

After this PR is merged, the next release of helm-diff will be built with Go 1.24.6, which will eliminate the security vulnerability from the distributed binaries.

Closes #<issue_number>

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Security: CVE-2025-47907 in Go stdlib v1.24.5 - Postgres Scan Race Condition</issue_title>
<issue_description>## Vulnerability Description

Trivy security scan detected a HIGH severity vulnerability in the helm-diff plugin binary.

CVE ID: CVE-2025-47907
Severity: HIGH
Component: stdlib (Go standard library)
Current Version: v1.24.5
Fixed Version: 1.23.12, 1.24.6

Vulnerability Details

Title: database/sql: Postgres Scan Race Condition
Reference: https://avd.aquasec.com/nvd/cve-2025-47907

Affected Binary

root/.local/share/helm/plugins/helm-diff/diff/bin/diff (gobinary)

Scan Output

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-47907 │ HIGH     │ fixed  │ v1.24.5           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────┘

Remediation

Please update the Go version used to build the helm-diff plugin to at least:

• Go 1.23.12 (if using 1.23.x series)
• Go 1.24.6 (if using 1.24.x series)

This will resolve the vulnerability in the Go standard library's database/sql package.

Environment

• Scanner: Trivy
• Detection Date: 2025-10-10
• Plugin Location: .local/share/helm/plugins/helm-diff/

Thank you for maintaining this plugin!</issue_description>

Comments on the Issue (you are @copilot in this section)

@yxxhero @jean-humann PR is welcome.

Fixes #867

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.