chore(deps): bump github.com/hashicorp/go-getter from 1.8.3 to 1.8.6

[dependabot]

Bumps github.com/hashicorp/go-getter from 1.8.3 to 1.8.6.

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.6

No release notes provided.

v1.8.5

What's Changed

• [chore] : Bump the go group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#576
• use %w to wrap error by @​Ericwww in hashicorp/go-getter#475
• fix: #538 http file download skipped if headResp.ContentLength is 0 by @​martijnvdp in hashicorp/go-getter#539
• chore: fix error message capitalization in checksum function by @​ssagarverma in hashicorp/go-getter#578
• [chore] : Bump the go group with 8 updates by @​dependabot[bot] in hashicorp/go-getter#577
• Fix git url with ambiguous ref by @​nimasamii in hashicorp/go-getter#382
• fix: resolve compilation errors in get_git_test.go by @​CreatorHead in hashicorp/go-getter#579
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#582
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#583
• test that arbitrary files cannot be checksummed by @​schmichael in hashicorp/go-getter#250
• [chore] : Bump google.golang.org/api from 0.260.0 to 0.262.0 in the go group by @​dependabot[bot] in hashicorp/go-getter#585
• [chore] : Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by @​dependabot[bot] in hashicorp/go-getter#586
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#588
• [chore] : Bump actions/cache from 5.0.2 to 5.0.3 in the actions group by @​dependabot[bot] in hashicorp/go-getter#589
• [chore] : Bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 in the actions group by @​dependabot[bot] in hashicorp/go-getter#592
• [chore] : Bump google.golang.org/api from 0.264.0 to 0.265.0 in the go group by @​dependabot[bot] in hashicorp/go-getter#591
• [chore] : Bump the go group with 5 updates by @​dependabot[bot] in hashicorp/go-getter#593
• IND-6310 - CRT Onboarding by @​nasareeny in hashicorp/go-getter#584
• Fix crt build path by @​ssagarverma in hashicorp/go-getter#594
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#596
• fix: remove checkout action from set-product-version job by @​ssagarverma in hashicorp/go-getter#598
• [chore] : Bump the actions group with 4 updates by @​dependabot[bot] in hashicorp/go-getter#595
• fix(deps): upgrade go.opentelemetry.io/otel/sdk to v1.40.0 (GO-2026-4394) by @​ssagarverma in hashicorp/go-getter#599
• Prepare go-getter for v1.8.5 release by @​nasareeny in hashicorp/go-getter#597
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#600
• sec: bump go and xrepos + redact aws tokens in url by @​dduzgun-security in hashicorp/go-getter#604

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

• @​Ericwww made their first contribution in hashicorp/go-getter#475
• @​martijnvdp made their first contribution in hashicorp/go-getter#539
• @​nimasamii made their first contribution in hashicorp/go-getter#382
• @​nasareeny made their first contribution in hashicorp/go-getter#584

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

v1.8.4

What's Changed

• [IND-4227][COMPLIANCE] chore: Fix lint issues-build tags by @​ssagarverma in hashicorp/go-getter#568
• [IND-4227] [COMPLIANCE] Update Copyright Headers by @​oss-core-libraries-dashboard[bot] in hashicorp/go-getter#566
• [COMPLIANCE] Update Copyright Headers by @​oss-core-libraries-dashboard[bot] in hashicorp/go-getter#571
• [chore] : Bump the actions group across 1 directory with 3 updates by @​dependabot[bot] in hashicorp/go-getter#567

... (truncated)

Commits

• d23bff4 Merge pull request #608 from hashicorp/dependabot/go_modules/go-security-9c51...
• 2c4aba8 Merge pull request #613 from hashicorp/pull/v1.8.6
• fe61ed9 Merge pull request #611 from hashicorp/SECVULN-41053
• d533656 Merge pull request #606 from hashicorp/pull/CRT
• 388f23d Additional test for local branch and head
• b7ceaa5 harden checkout ref handling and added regression tests
• 769cc14 Release version bump up
• 6086a6a Review Comments Addressed
• e02063c Revert "SECVULN Fix for git checkout argument injection enables arbitrary fil...
• c93084d [chore] : Bump google.golang.org/grpc
• Additional commits viewable in compare view

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

[codacy-production]

Pull Request Overview

Although Codacy analysis indicates the PR is up to standards, it should not be merged in its current state due to security vulnerabilities identified in the requested Go toolchain (1.25.8). Specifically, this version is susceptible to XSS (CVE-2026-32289) and DoS (CVE-2026-32281, CVE-2026-32288) attacks. Furthermore, there is a significant gap between the PR title and the actual changes, which include substantial updates to the Go toolchain and various cloud SDKs.

About this PR

• The update involves a high number of indirect dependencies across critical SDKs. This increases the risk surface beyond a standard maintenance bump; verify that no breaking changes are introduced by these secondary updates.
• The scope of this PR is much broader than the title suggests. It includes a Go toolchain update and updates to several major library suites (AWS, Google Cloud SDK, and OpenTelemetry). Please update the PR metadata to reflect the full scope of these changes to ensure they are properly audited.

Test suggestions

• Verify successful compilation and basic functionality of resource fetching using the upgraded go-getter library.
• Verify that the project build environment supports the non-standard Go version 1.25.8 specified in go.mod.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify successful compilation and basic functionality of resource fetching using the upgraded `go-getter` library.
2. Verify that the project build environment supports the non-standard Go version 1.25.8 specified in `go.mod`.

---

🗒️ Improve review quality by adding custom instructions

[codacy-production]

_{🔴 HIGH RISK}

The requested Go toolchain version 1.25.8 has multiple known vulnerabilities: XSS via improper context tracking in JS template literals (CVE-2026-32289), and Denial of Service (DoS) risks via certificate chain validation (CVE-2026-32281) and crafted archives (CVE-2026-32288). Additionally, version 1.25.8 appears to be a non-standard release for the current Go ecosystem. Upgrading to 1.25.9 is required to mitigate these security risks.

Suggested change

	go 1.25.8
	go 1.25.9

See Issue in Codacy
See Issue in Codacy
See Issue in Codacy