From 557d117acb123fdcf8b1e60c64273f4059779739 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Ros=C5=82aniec?=
Date: Sat, 23 May 2026 13:45:36 +0000
Subject: [PATCH] ci(govulncheck): bump v1.1.1 -> v1.1.4 to unblock Go 1.25
 toolchain

govulncheck v1.1.1 transitively imports golang.org/x/tools@v0.21.1,
which contains an array-length trick in internal/tokeninternal/tokeninternal.go:64
that evaluates to -256 on Go 1.25 and fails to compile:

    invalid array length -delta * delta (constant -256 of type int64)

This blocks any dep bump that pushes go.mod past go 1.24.0 (e.g. PR #11's
golang.org/x/time v0.15.0, which requires go 1.25.0).

govulncheck v1.1.4 uses x/tools v0.29.0, which doesn't have that pattern.
v1.1.4 still requires only Go 1.22.0 minimum, so it works on both Go 1.24
(current main) and Go 1.25 (post-#11). Holding back from v1.2.0 because
v1.2.0+ requires Go 1.25.0 minimum, which would prematurely force the
toolchain floor before consumers are ready.

Pairs with #18's gotestsum v1.12.0 -> v1.13.0 bump for the same
underlying issue.
---
.github/workflows/client.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/client.yml b/.github/workflows/client.yml
index 0287730..7f8df22 100644
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
@@ -40,7 +40,7 @@ jobs:
run: gotestsum
- name: Install govulncheck
- run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.1
+ run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
- name: Run govulncheck
run: govulncheck ./...
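Review bot: The pin on the `go install golang.org/x/vuln/cmd/govulncheck@v1.1.4` line is a deliberate hold-back below v1.2.0, but that reason is recorded only in the commit message, so a later routine bump to v1.2.0 or newer would raise the step's minimum Go version to 1.25.0 with nothing in the workflow to flag it. Add a YAML comment directly above the `run:` line stating the constraint, for example `# keep below v1.2.0 until go.mod is on go 1.25 (v1.2.0+ requires Go 1.25.0)`, so the ceiling is visible to whoever next touches this step and can be removed once the toolchain floor moves.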