@jentfoo jentfoo commented Nov 21, 2025

dependabot bot added 5 commits November 21, 2025 10:29
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.35.0 to 0.45.0.
- [Commits](golang/crypto@v0.35.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.39.0 to 0.45.0.
- [Commits](golang/crypto@v0.39.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.39.0 to 0.45.0.
- [Commits](golang/crypto@v0.39.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0.
- [Commits](golang/crypto@v0.43.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0.
- [Commits](golang/crypto@v0.43.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

@jentfoo jentfoo self-assigned this Nov 21, 2025
@jentfoo jentfoo requested review from a team as code owners November 21, 2025 17:44
@github-actions github-actions bot added comp:sdk A software development kit, including library, for client applications and inter-service communicati comp:examples comp:lib:ocrypto size/m labels Nov 21, 2025
@gemini-code-assist

Summary of Changes

Hello @jentfoo, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a crucial security update by upgrading the golang.org/x/crypto module to version 0.45.0 to mitigate a recently identified vulnerability (CVE-2025-58181). This change necessitates updates to several other related golang.org/x modules across various parts of the codebase, ensuring all dependencies are current and secure. Additionally, one of the project's libraries now requires Go version 1.24.0.

Highlights

  • Security Update: Bumps the golang.org/x/crypto dependency from 0.35.0 (or 0.39.0/0.43.0 depending on the module) to 0.45.0 across the project to address the reported CVE-2025-58181 vulnerability.
  • Dependency Updates: Updates several other golang.org/x dependencies, including net, sys, text, mod, sync, term, and tools, to their latest compatible versions as part of the broader dependency refresh.
  • Go Version Bump: Increments the required Go language version in lib/ocrypto/go.mod from 1.23.0 to 1.24.0.


Dependencies rise, Security, a constant plea, Code now stands more strong.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the golang.org/x/crypto dependency to v0.45.0 across multiple Go modules, along with other related golang.org/x/ packages. This is a good maintenance update to keep dependencies current and consistent. I have one suggestion regarding an undocumented Go version bump in the lib/ocrypto module. While this is a positive change for consistency, it's important to document such updates in the pull request description to inform other developers about changes in environment requirements. Otherwise, the dependency updates look correct.
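
A check a CI job could run over each go.mod in a multi-module repository to confirm that none still requires golang.org/x/crypto below v0.45.0. This is an added example, not code from this pull request or the project; `verKey` and `MeetsFloor` are hypothetical names and the go.mod fragment is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// verKey packs "v0.45.0" into one number so versions compare numerically
// (v0.9.0 < v0.45.0, which a string compare gets wrong). Text after "-" is ignored.
func verKey(v string) (int64, error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 || len(parts) != 3 {
			return 0, fmt.Errorf("bad version %q", v)
		}
		key = key<<20 | int64(n)
	}
	return key, nil
}

// MeetsFloor returns the version of module that a go.mod text requires (empty
// if none) and whether it is at least floor. Handles line and block requires.
func MeetsFloor(gomod, module, floor string) (found string, ok bool) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and comments
		switch f := strings.Fields(line); {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			found = f[2]
		case inBlock && len(f) == 2 && f[0] == module:
			found = f[1]
		}
	}
	got, err1 := verKey(found)
	want, err2 := verKey(floor)
	return found, err1 == nil && err2 == nil && got >= want
}

func main() {
	// Constructed one-line go.mod fragment, not taken from the repository.
	fmt.Println(MeetsFloor("require golang.org/x/crypto v0.9.0 // indirect", "golang.org/x/crypto", "v0.45.0"))
}
```

An empty `found` means the go.mod does not require the module at all, which a caller should treat separately from a version below the floor.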

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 174.291029ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 103.503163ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
| --- | --- | --- | --- | --- |

Bulk Benchmark Results

| Metric | Value |
| --- | --- |
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 23.066664694s |
| Throughput | 4.34 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 8m32.42933172s |
| Average Latency | 5.107250032s |
| Throughput | 9.76 requests/second |

NANOTDF Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 27.276142647s |
| Average Latency | 272.004133ms |
| Throughput | 183.31 requests/second |

@strantalis strantalis added this pull request to the merge queue Nov 21, 2025
Merged via the queue into main with commit 99c056e Nov 21, 2025
43 checks passed
@strantalis strantalis deleted the jent/update-crypto branch November 21, 2025 21:41