@renovate renovate bot (Contributor) commented Jan 5, 2026

This PR contains the following updates:

Package: github.com/open-feature/flagd/core
Change: v0.12.1 -> v0.13.1

GitHub Vulnerability Alerts

GHSA-4c5f-9mj4-m247

Summary

In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.

CVE ID | Impacted Package | Severity | Description & Impact on flagd
CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations.
CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAddress. Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parses email-formatted metadata.
CVE-2025-61723 | encoding/pem | 7.5 (High) | DoS: Quadratic complexity when parsing invalid PEM inputs. Relevant if flagd loads TLS certificates or keys via PEM files from untrusted sources.
CVE-2025-61729 | crypto/x509 | 7.5 (High) | Resource Exhaustion: HostnameError.Error() lacks string concatenation limits. A malicious TLS certificate with thousands of hostnames could crash flagd during connection handshakes.
CVE-2025-58188 | net/http | Medium | Request Smuggling: Improper header handling in HTTP/1.1. Could allow attackers to bypass security filters positioned in front of flagd sync or evaluation APIs.
CVE-2025-58187 | archive/zip | Medium | DoS: Improper validation of malformed ZIP archives. Impacts flagd if configured to fetch and unpack zipped configuration bundles from remote providers.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Jan 5, 2026
@renovate renovate bot requested review from a team as code owners January 5, 2026 16:55
@renovate renovate bot (Contributor, Author) commented Jan 5, 2026

ℹ️ Artifact update notice

File name: providers/flagd/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 27 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.5
golang.org/x/net v0.45.0 -> v0.47.0
google.golang.org/grpc v1.74.2 -> v1.75.0
github.com/cenkalti/backoff/v5 v5.0.2 -> v5.0.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 -> v2.27.2
github.com/hashicorp/go-memdb v1.3.4 -> v1.3.5
github.com/open-feature/flagd-schemas v0.2.9-0.20250707123415-08b4c52d3b86 -> v0.2.13
github.com/prometheus/client_golang v1.22.0 -> v1.23.0
github.com/prometheus/procfs v0.16.1 -> v0.17.0
github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 -> v6.0.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 -> v0.62.0
go.opentelemetry.io/otel v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 -> v1.38.0
go.opentelemetry.io/otel/metric v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk/metric v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace v1.37.0 -> v1.38.0
go.opentelemetry.io/proto/otlp v1.7.0 -> v1.7.1
golang.org/x/sync v0.17.0 -> v0.18.0
golang.org/x/sys v0.37.0 -> v0.38.0
golang.org/x/term v0.36.0 -> v0.37.0
golang.org/x/text v0.30.0 -> v0.31.0
google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 -> v0.0.0-20250825161204-c5933d9347a5

File name: tools/flagd-http-connector/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.5
github.com/open-feature/flagd-schemas v0.2.9-0.20250707123415-08b4c52d3b86 -> v0.2.13
go.opentelemetry.io/otel v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/metric v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace v1.37.0 -> v1.38.0
golang.org/x/mod v0.28.0 -> v0.29.0
golang.org/x/net v0.41.0 -> v0.47.0
golang.org/x/sys v0.33.0 -> v0.38.0
golang.org/x/text v0.30.0 -> v0.31.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/grpc v1.73.0 -> v1.75.0
google.golang.org/protobuf v1.36.6 -> v1.36.8
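
The two artifact-update tables above give the before and after pins for github.com/open-feature/flagd/core and for the go directive. The following program is an added example, not code from this PR, from Renovate, or from the flagd or OpenFeature projects: a standard-library-only go.mod gate that parses a module file and reports any requirement still below a policy minimum, which is the check a CI job would run to confirm a repository has actually picked up this update. The minimums (flagd/core v0.13.1, go directive 1.25.5) are taken from this PR; the module path example.com/provider and the two go.mod fragments are constructed to mirror the pre- and post-PR pins listed here. Pre-release and pseudo-versions such as the flagd-schemas v0.2.9-0.20250707123415-08b4c52d3b86 pin are handled, since semver ranks them below the bare tag they precede.

```go
// Added example, not code from this PR or the flagd project: an offline go.mod
// gate that reports requirements still below the versions this PR lands.
// Assumed minimums: flagd/core >= v0.13.1 and go directive >= 1.25.5 (from the
// tables above). Standard library only; no network access needed.
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Policy maps a module path (or "go" for the go directive) to its minimum.
var Policy = map[string]string{
	"go":                                 "1.25.5",
	"github.com/open-feature/flagd/core": "v0.13.1",
}

// Finding is one requirement that is missing or below the policy minimum.
type Finding struct{ Path, Have, Want string }

// version is major.minor.patch plus whether a pre-release or pseudo-version
// suffix was present; semver ranks v0.2.9-0.2025...-08b4c52d3b86 below v0.2.9.
type version struct {
	n   [3]int
	pre bool
}

func parseVersion(s string) (v version, err error) {
	s = strings.SplitN(strings.TrimPrefix(s, "v"), "+", 2)[0] // drop +incompatible
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = true, s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		if v.n[i], err = strconv.Atoi(p); err != nil || v.n[i] < 0 {
			return v, fmt.Errorf("bad version %q", s)
		}
	}
	return v, nil
}

// less reports whether a sorts strictly before b.
func less(a, b version) bool {
	for i := 0; i < 3; i++ {
		if a.n[i] != b.n[i] {
			return a.n[i] < b.n[i]
		}
	}
	return a.pre && !b.pre
}

// ParseGoMod returns path -> version for the go directive and every require
// line, whether written inline or inside a require ( ... ) block.
func ParseGoMod(text string) map[string]string {
	got, inBlock := map[string]string{}, false
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect" etc.
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			got[f[0]] = f[1]
		case f[0] == "go" && len(f) == 2:
			got["go"] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			got[f[1]] = f[2]
		}
	}
	return got
}

// Check returns the findings for one go.mod, sorted by path for stable output.
func Check(text string, policy map[string]string) ([]Finding, error) {
	got := ParseGoMod(text)
	var out []Finding
	for path, want := range policy {
		have, ok := got[path]
		if !ok {
			out = append(out, Finding{path, "(missing)", want})
			continue
		}
		hv, err := parseVersion(have)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		wv, _ := parseVersion(want) // policy values are trusted constants
		if less(hv, wv) {
			out = append(out, Finding{path, have, want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// Constructed go.mod fragments mirroring the pre- and post-PR pins on this page.
const BeforeGoMod = "module example.com/provider\n\ngo 1.24.0\n\nrequire (\n\tgithub.com/open-feature/flagd/core v0.12.1\n\tgolang.org/x/net v0.45.0 // indirect\n)\n"
const AfterGoMod = "module example.com/provider\n\ngo 1.25.5\n\nrequire github.com/open-feature/flagd/core v0.13.1\n"

func main() { fmt.Println(Check(BeforeGoMod, Policy)) }
```

Running it against the constructed pre-PR file yields two findings (flagd/core v0.12.1 and go 1.24.0); the post-PR file yields none. One caveat: the go directive is a language-version minimum, not proof of which toolchain compiled a given binary, and the standard-library fixes in the advisory ship with the toolchain. To confirm a deployed flagd binary, read the Go version it records with `go version -m <binary>` or run govulncheck against the module, rather than relying on go.mod alone.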

@renovate renovate bot enabled auto-merge (squash) January 5, 2026 16:55
@kuznero commented Jan 6, 2026

This is implemented in full in #815

@renovate renovate bot force-pushed the renovate/vulnerability-updates branch from 7128b6d to 803c422 Compare January 8, 2026 21:10
6 participants