elastic · ycombinator · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -37,7 +37,7 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v2.1.0
+          version: v2.5.0
 
           # Give the job more time to execute.
           # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,

@@ -1 +1 @@
-1.24.11
+1.25.4
@@ -16509,11 +16509,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.9.2/
 
 --------------------------------------------------------------------------------
 Dependency : github.com/google/cel-go
-Version: v0.25.0
+Version: v0.26.1
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.25.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.1/LICENSE:
 
 
                                  Apache License

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm
+FROM golang:1.25.4-bookworm
 
 RUN \
     apt-get update \

diff --git a/changelog/fragments/1760385532-bump-golang-1.25.4.yaml b/changelog/fragments/1760385532-bump-golang-1.25.4.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: other
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go to 1.25.4
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: all
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm as builder
+FROM golang:1.25.4-bookworm as builder
 
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
 

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm as builder
+FROM golang:1.25.4-bookworm as builder
 
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
 

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm as builder
+FROM golang:1.25.4-bookworm as builder
 
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
 

@@ -11,7 +11,6 @@ compile:
     MS_GOTOOLCHAIN_TELEMETRY_ENABLED: "0"
   tags:
     - requirefips
-    - ms_tls13kdf
   platforms:
     # If the platform list changes, update the platforms for FIPS packaging in CI pipelines '.buildkite/**/pipeline.<beat>.yml' and '.buildkite/packaging-pipeline.yml'
     - linux/amd64

@@ -127,15 +127,15 @@ func fetchGoPackages(module string) ([]string, error) {
 
 // testTagsFromEnv gets a list of comma-separated tags from the TEST_TAGS
 // environment variables, e.g: TEST_TAGS=aws,azure.
-// If the FIPS env var is set to true, the requirefips and ms_tls13kdf tags are injected.
+// If the FIPS env var is set to true, the requirefips tag is injected.
 func testTagsFromEnv() []string {
 	testTags := strings.Trim(os.Getenv("TEST_TAGS"), ", ")
 	var tags []string
 	if testTags != "" {
 		tags = strings.Split(testTags, ",")
 	}
 	if FIPSBuild {
-		tags = append(tags, "requirefips", "ms_tls13kdf")
+		tags = append(tags, "requirefips")
 	}
 	return tags
 }
@@ -148,7 +148,13 @@ func DefaultGoTestUnitArgs() GoTestArgs { return makeGoTestArgs("Unit") }
 // fips140=only unit tests.
 func DefaultGoFIPSOnlyTestArgs() GoTestArgs {
 	args := makeGoTestArgs("Unit-FIPS-only")
-	args.Env["GODEBUG"] = "fips140=only"
+
+	// We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+	// exchange mechanism; without this setting and with the GODEBUG=fips140=only
+	// setting, we get errors in tests like so:
+	// Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+	// Note that we are only disabling this TLS key exchange mechanism in tests!
+	args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0"
 	return args
 }
 
@@ -211,7 +217,13 @@ func FIPSOnlyGoTestIntegrationFromHostArgs(ctx context.Context) GoTestArgs {
 	args := DefaultGoTestIntegrationArgs(ctx)
 	args.Tags = append(args.Tags, "requirefips")
 	args.Env = WithGoIntegTestHostEnv(args.Env)
-	args.Env["GODEBUG"] = "fips140=only"
+
+	// We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+	// exchange mechanism; without this setting and with the GODEBUG=fips140=only
+	// setting, we get errors in tests like so:
+	// Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+	// Note that we are only disabling this TLS key exchange mechanism in tests!
+	args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0"
 	return args
 }
 

@@ -842,7 +842,6 @@ func checkFIPS(t *testing.T, beatName, path string) {
 		case "-tags":
 			foundTags = true
 			require.Contains(t, setting.Value, "requirefips")
-			require.Contains(t, setting.Value, "ms_tls13kdf")
 			continue
 		case "GOEXPERIMENT":
 			foundExperiment = true

@@ -25,6 +25,7 @@ import (
 	"time"
 
 	"github.com/magefile/mage/mg"
+	"github.com/magefile/mage/sh"
 
 	devtools "github.com/elastic/beats/v7/dev-tools/mage"
 	"github.com/elastic/beats/v7/dev-tools/mage/target/build"
@@ -202,6 +203,16 @@ func GoIntegTest(ctx context.Context) error {
 // GoFIPSOnlyIntegTest starts the docker containers and executes the Go integration tests with GODEBUG=fips140=only set.
 func GoFIPSOnlyIntegTest(ctx context.Context) error {
 	mg.Deps(BuildSystemTestBinary)
+
+	// We pre-cache go module dependencies before running the unit tests with
+	// GODEBUG=fips140=only.  Otherwise, the command that runs the unit tests
+	// will try to download the dependencies and could fail because the TLS
+	// negotiation with the Go module proxy could use a non-FIPS compliant
+	// key exchange protocol, e.g. X25519.
+	if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil {
+		return err
+	}
+
 	return devtools.GoIntegTestFromHost(ctx, devtools.FIPSOnlyGoTestIntegrationFromHostArgs(ctx))
 }
 

@@ -1,6 +1,6 @@
 module github.com/elastic/beats/v7
 
-go 1.24.11
+go 1.25.4
 
 require (
 	cloud.google.com/go/bigquery v1.69.0
@@ -188,7 +188,7 @@ require (
 	github.com/go-resty/resty/v2 v2.17.0
 	github.com/gofrs/uuid/v5 v5.3.2
 	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/google/cel-go v0.25.0
+	github.com/google/cel-go v0.26.1
 	github.com/googleapis/gax-go/v2 v2.15.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674

@@ -575,8 +575,8 @@ github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
 github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/gomodule/redigo v1.9.2 h1:HrutZBLhSIU8abiSfW8pj8mPhOyMYjZT/wcA4/L9L9s=
 github.com/gomodule/redigo v1.9.2/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
-github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
-github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
+github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
+github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm
+FROM golang:1.25.4-bookworm
 
 RUN \
     apt-get update \

@@ -212,7 +212,7 @@ func ResolveChecks(ip string) validator.Validator {
 func SimpleURLChecks(t *testing.T, scheme string, host string, port uint16) validator.Validator {
 	hostPort := host
 	if port != 0 {
-		hostPort = fmt.Sprintf("%s:%d", host, port)
+		hostPort = net.JoinHostPort(host, strconv.Itoa(int(port)))
 	}
 
 	u, err := url.Parse(fmt.Sprintf("%s://%s", scheme, hostPort))

@@ -32,6 +32,7 @@ import (
 	"os"
 	"path"
 	"reflect"
+	"strconv"
 	"sync"
 	"testing"
 	"time"
@@ -620,7 +621,7 @@ func TestConnRefusedJob(t *testing.T) {
 		lookslike.Strict(lookslike.Compose(
 			hbtest.BaseChecks(ip, "down", "http"),
 			hbtest.SummaryStateChecks(0, 1),
-			hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)),
+			hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))),
 			urlChecks(url),
 		)),
 		event.Fields,
@@ -642,7 +643,7 @@ func TestUnreachableJob(t *testing.T) {
 		lookslike.Strict(lookslike.Compose(
 			hbtest.BaseChecks(ip, "down", "http"),
 			hbtest.SummaryStateChecks(0, 1),
-			hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)),
+			hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))),
 			urlChecks(url),
 		)),
 		event.Fields,

@@ -1,6 +1,6 @@
 :stack-version: 9.3.0
 :doc-branch: current
-:go-version: 1.24.11
+:go-version: 1.25.4
 :release-state: unreleased
 :python: 3.7
 :docker: 1.12

@@ -19,6 +19,8 @@ package add_kubernetes_metadata
 
 import (
 	"fmt"
+	"net"
+	"strconv"
 
 	"github.com/elastic/elastic-agent-autodiscover/kubernetes"
 	"github.com/elastic/elastic-agent-autodiscover/kubernetes/metadata"
@@ -247,7 +249,7 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex {
 			if port.ContainerPort != 0 {
 
 				m = append(m, MetadataIndex{
-					Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort),
+					Index: net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort))),
 					Data: h.metaGen.Generate(
 						pod,
 						metadata.WithFields("container.name", container.Name),
@@ -279,7 +281,7 @@ func (h *IPPortIndexer) GetIndexes(pod *kubernetes.Pod) []string {
 
 		for _, port := range ports {
 			if port.ContainerPort != 0 {
-				hostPorts = append(hostPorts, fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort))
+				hostPorts = append(hostPorts, net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort))))
 			}
 		}
 	}

@@ -19,6 +19,8 @@ package add_kubernetes_metadata
 
 import (
 	"fmt"
+	"net"
+	"strconv"
 	"testing"
 
 	"github.com/elastic/elastic-agent-autodiscover/kubernetes"
@@ -468,12 +470,12 @@ func TestIpPortIndexer(t *testing.T) {
 	indexers = ipIndexer.GetMetadata(&pod)
 	assert.Equal(t, 2, len(indexers))
 	assert.Equal(t, ip, indexers[0].Index)
-	assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indexers[1].Index)
+	assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indexers[1].Index)
 
 	indices = ipIndexer.GetIndexes(&pod)
 	assert.Equal(t, 2, len(indices))
 	assert.Equal(t, ip, indices[0])
-	assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1])
+	assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indices[1])
 
 	assert.Equal(t, expected.String(), indexers[0].Data.String())
 	expected.Put("kubernetes.container",

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm
+FROM golang:1.25.4-bookworm
 COPY --from=docker:26.0.0-alpine3.19 /usr/local/bin/docker  /usr/local/bin/
 
 RUN \

@@ -20,8 +20,8 @@
 package tcp
 
 import (
-	"fmt"
 	"net"
+	"strconv"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -31,7 +31,7 @@ import (
 )
 
 func GetTestTcpServer(host string, port int) (server.Server, error) {
-	addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", host, port))
+	addr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(host, strconv.Itoa(int(port))))
 
 	if err != nil {
 		return nil, err
@@ -80,7 +80,7 @@ func TestTcpServer(t *testing.T) {
 }
 
 func writeToServer(t *testing.T, message, host string, port int) {
-	servAddr := fmt.Sprintf("%s:%d", host, port)
+	servAddr := net.JoinHostPort(host, strconv.Itoa(int(port)))
 	tcpAddr, err := net.ResolveTCPAddr("tcp", servAddr)
 	if err != nil {
 		t.Error(err)

@@ -20,8 +20,8 @@
 package udp
 
 import (
-	"fmt"
 	"net"
+	"strconv"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -31,7 +31,7 @@ import (
 )
 
 func GetTestUdpServer(host string, port int) (server.Server, error) {
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", host, port))
+	addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, strconv.Itoa(int(port))))
 
 	if err != nil {
 		return nil, err
@@ -78,7 +78,7 @@ func TestUdpServer(t *testing.T) {
 }
 
 func writeToServer(t *testing.T, message, host string, port int) {
-	servAddr := fmt.Sprintf("%s:%d", host, port)
+	servAddr := net.JoinHostPort(host, strconv.Itoa(int(port)))
 	conn, err := net.Dial("udp", servAddr)
 	if err != nil {
 		t.Error(err)

@@ -238,7 +238,13 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error {
 	if !devtools.IsInIntegTestEnv() {
 		mg.SerialDeps(Fields, Dashboards)
 	}
-	os.Setenv("GODEBUG", "fips140=only")
+
+	// We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+	// exchange mechanism; without this setting and with the GODEBUG=fips140=only
+	// setting, we get errors in tests like so:
+	// Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+	// Note that we are only disabling this TLS key exchange mechanism in tests!
+	os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0")
 	return devtools.GoTestIntegrationForModule(ctx)
 }
 

@@ -245,7 +245,7 @@ func TestHostParser(t *testing.T) {
 		{"localhost/ServerStatus", "http://localhost/ServerStatus?auto=", ""},
 		{"127.0.0.1", "http://127.0.0.1/server-status?auto=", ""},
 		{"https://127.0.0.1", "https://127.0.0.1/server-status?auto=", ""},
-		{"[2001:db8::1]:80", "http://[2001:db8::1]:80/server-status?auto=", ""},
+		{"[2001:db8:0:1::]:80", "http://[2001:db8:0:1::]:80/server-status?auto=", ""},
 		{"https://admin:secret@127.0.0.1", "https://admin:secret@127.0.0.1/server-status?auto=", ""},
 	}
 

@@ -1,4 +1,4 @@
-FROM golang:1.24.11-bookworm
+FROM golang:1.25.4-bookworm
 
 COPY test/main.go main.go
 

@@ -1,5 +1,5 @@
 ARG VSPHERE_GOLANG_VERSION
-FROM golang:1.24.11-bookworm
+FROM golang:1.25.4-bookworm
 
 RUN apt-get install curl git
 RUN go install github.com/vmware/govmomi/vcsim@v0.30.4