dep: upgrade golang.org/x/crypto to v0.45.0

[marevers]

This PR upgrades golang.org/x/crypto to version v0.45.0. Versions prior to it contain two CVEs (medium severity):

• CVE-2025-47914
• CVE-2025-58181

I also ran go mod tidy to fix some issues in the go.mod file:

• toolchain 1.24 while go version 1.23
• github.com/shopspring/decimal as direct dependency, not indirect

[marevers]

@microsoft-github-policy-service agree company="GK Software SE"

[shueybubbles]

thx for the PR!

Updating the tool chain creates some build errors

# [github.com/microsoft/go-mssqldb]
.\bulkcopy.go:144:74: non-constant format string in call to (*github.com/microsoft/go-mssqldb.Bulk).dlogf
.\token.go:1199:39: non-constant format string in call to (*github.com/microsoft/go-mssqldb.tdsSession).LogF
.\error_test.go:55:20: non-constant format string in call to fmt.Errorf
.\log_test.go:69:46: non-constant format string in call to fmt.Errorf
FAIL	github.com/microsoft/go-mssqldb [build failed]
Command exited with code 1
``` #Closed

[Copilot]

Pull request overview

This PR upgrades golang.org/x/crypto from v0.38.0 to v0.45.0 to address two medium-severity CVEs (CVE-2025-47914 and CVE-2025-58181). The upgrade also includes related golang.org/x dependencies and fixes issues in go.mod by upgrading the Go version to 1.24.0 and properly classifying github.com/shopspring/decimal as a direct dependency.

Key Changes:

• Upgrades golang.org/x/crypto to v0.45.0 to address security vulnerabilities
• Upgrades Go version from 1.23.0 to 1.24.0 to match the existing toolchain go1.24.4
• Moves github.com/shopspring/decimal from indirect to direct dependencies (correctly reflects actual usage in the codebase)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
go.mod	Upgrades Go version to 1.24.0, updates golang.org/x dependencies to latest versions, and properly classifies shopspring/decimal as a direct dependency
go.sum	Updates checksums for golang.org/x/crypto (v0.45.0), golang.org/x/net (v0.47.0), golang.org/x/sys (v0.38.0), and golang.org/x/text (v0.31.0)

[shueybubbles]

pls fix the build breaks and update the appveyor action per comments

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.53%. Comparing base (0bbbaf2) to head (5ab3793).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #301      +/-   ##
==========================================
- Coverage   75.66%   75.53%   -0.14%     
==========================================
  Files          34       34              
  Lines        6580     6580              
==========================================
- Hits         4979     4970       -9     
- Misses       1317     1324       +7     
- Partials      284      286       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marevers]

@shueybubbles thanks for your comment, these issues should be resolved now. Build breaks were due to incorrect use of some logging statements, I would have expected the build to have already failed on 1.23 - but maybe this is due to more strict enforcement in 1.24 and up? At any rate, this should be fine now.

[shueybubbles]

@marevers thx. What do you think of the upcoming cert handling break in Go 1.25 per #302 ? Are app developers/enterprises more interesting in having secure clients on modern code or do they need old clients that handle sha-1 certs on their old SQL Servers because they don't want to bother getting new certs?

[Copilot]

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

[Copilot]

This code change (fixing format string usage) appears unrelated to the PR description, which focuses on upgrading golang.org/x/crypto to address CVEs. While this is a good fix for potential format string vulnerabilities, it should ideally be in a separate PR or at least mentioned in the PR description. If this change is required by linting tools or was discovered during the dependency upgrade process, please update the PR description to mention it.

[Copilot]

This code change (using errors.New instead of fmt.Errorf for non-formatted errors) appears unrelated to the PR description, which focuses on upgrading golang.org/x/crypto to address CVEs. While this is a good improvement, it should ideally be in a separate PR or at least mentioned in the PR description.

[marevers]

@marevers thx. What do you think of the upcoming cert handling break in Go 1.25 per #302 ? Are app developers/enterprises more interesting in having secure clients on modern code or do they need old clients that handle sha-1 certs on their old SQL Servers because they don't want to bother getting new certs?

@shueybubbles I checked the issue you linked, in our case I don't believe we have any servers that are using SHA-1 so this should not influence us. Users still using SHA-1 should strongly consider switching to something else as it is cryptographically broken.