Multiple CVEs related to stdlib version 1.25.0

### What happened in your environment?

`stdlib` v1.25.0, that oras depends on, is affected by multiple CVEs. Here's a partial list.

- Go (Go) Security Update for stdlib (GO-2025-3955)           
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47910
- Go (Go) Security Update for stdlib (GO-2025-4009)           
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61723
- Go (Go) Security Update for stdlib (GO-2025-4006)           
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61725
- Go (Go) Security Update for stdlib (GO-2025-4013)           
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58188
- ...

Please bump the version of go to >= 1.25.2

### What did you expect to happen?

No CVEs detected.

### How can we reproduce it?

See links above for the details on vulnerabilities.

### What is the version of your ORAS CLI?

v1.3.0

### What is your OS environment?

Azure Linux 3

### Are you willing to submit PRs to fix it?

- [x] Yes, I am willing to fix it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Multiple CVEs related to stdlib version 1.25.0 #1909

What happened in your environment?

What did you expect to happen?

How can we reproduce it?

What is the version of your ORAS CLI?

What is your OS environment?

Are you willing to submit PRs to fix it?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Multiple CVEs related to stdlib version 1.25.0 #1909

Description

What happened in your environment?

What did you expect to happen?

How can we reproduce it?

What is the version of your ORAS CLI?

What is your OS environment?

Are you willing to submit PRs to fix it?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions