diff --git a/.golangci.yml b/.golangci.yml
index ab0ab933..1ebe18ec 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-run:
-  skip-files:
+issues:
+  exclude-files:
     - ".*\\.pb.*\\.go"
 linters:
   enable:
@@ -29,20 +29,16 @@ linters:
     - unused
     - staticcheck
     - gosimple
-    - megacheck
   disable:
-    - interfacer # deprecated since it "is prone to bad suggestions"
     - goimports # already run in `make format`
-    - deadcode # Deprecated. Author abandoned it.
-    - structcheck # Deprecated. Author abandoned it.
-    - varcheck # Deprecated. Author abandoned it.
 linters-settings:
   lll:
     line-length: 160
   goconst:
     min-occurrences: 4
   govet:
-    check-shadowing: true
+    enable:
+      - shadow
   revive:
     ignore-generated-header: false
     severity: error
diff --git a/e2e/testclient.go b/e2e/testclient.go
index 7b2509ec..df0e8ccd 100644
--- a/e2e/testclient.go
+++ b/e2e/testclient.go
@@ -113,7 +113,7 @@ func (a *AddressMappings) DialContext(ctx context.Context, network, addr string)
 
 // DialTLSContext is a custom dialer that resolves specific host:port to specific target addresses.
 func (a *AddressMappings) DialTLSContext(tlsConfig *tls.Config) func(context.Context, string, string) (net.Conn, error) {
-	return func(ctx context.Context, network, addr string) (net.Conn, error) {
+	return func(_ context.Context, network, addr string) (net.Conn, error) {
 		cfg := tlsConfig.Clone()
 		if resolved, ok := a.addresses[addr]; ok {
 			// Use the original hostname for the SNI, to avoid certificate verification errors
diff --git a/env.mk b/env.mk
index 2920ecce..7840f996 100644
--- a/env.mk
+++ b/env.mk
@@ -18,7 +18,7 @@ NAME      ?= authservice
 
 -include $(ROOT)/.makerc  # Pick up any local overrides.
 
-GOLANGCI_LINT ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2
+GOLANGCI_LINT ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.60.3
 GOSIMPORTS    ?= github.com/rinchsan/gosimports/cmd/gosimports@v0.3.8
 LICENSER      ?= github.com/liamawhite/licenser@v0.6.1-0.20210729145742-be6c77bf6a1f
 KIND          ?= sigs.k8s.io/kind@v0.18.0
diff --git a/go.mod b/go.mod
index c8e433d1..52839f67 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/istio-ecosystem/authservice
 
-go 1.22.5
+go 1.23.1
 
 require (
 	github.com/alicebob/miniredis/v2 v2.31.1
diff --git a/internal/authz/oidc_test.go b/internal/authz/oidc_test.go
index c51355d2..c16e5d32 100644
--- a/internal/authz/oidc_test.go
+++ b/internal/authz/oidc_test.go
@@ -1645,7 +1645,7 @@ func newServer(wellKnownPayload string) *idpServer {
 	idpServer := &idpServer{server: s, listener: bufconn.Listen(1024)}
 
 	handler := http.NewServeMux()
-	handler.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
+	handler.HandleFunc("/token", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(idpServer.statusCode)
 
@@ -1656,7 +1656,7 @@ func newServer(wellKnownPayload string) *idpServer {
 			}
 		}
 	})
-	handler.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
+	handler.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte(wellKnownPayload))
diff --git a/internal/oidc/discovery_test.go b/internal/oidc/discovery_test.go
index 10bc981a..56f0021a 100644
--- a/internal/oidc/discovery_test.go
+++ b/internal/oidc/discovery_test.go
@@ -104,7 +104,7 @@ func newServer() *idpServer {
 	idpServer := &idpServer{server: s, listener: bufconn.Listen(1024)}
 
 	handler := http.NewServeMux()
-	handler.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
+	handler.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		if idpServer.wellKnownConfig != "" {
diff --git a/internal/oidc/jwks_test.go b/internal/oidc/jwks_test.go
index 67c8fbad..867cabd9 100644
--- a/internal/oidc/jwks_test.go
+++ b/internal/oidc/jwks_test.go
@@ -155,7 +155,7 @@ func TestDynamicJWKSProvider(t *testing.T) {
 		jwks = newKeySet(t, pub)
 
 		tlsPool  = internal.NewTLSConfigPool(context.Background())
-		newCache = func(t *testing.T, oidc *oidcv1.OIDCConfig) JWKSProvider {
+		newCache = func(_ *testing.T, oidc *oidcv1.OIDCConfig) JWKSProvider {
 			cfg := &configv1.Config{
 				Chains: []*configv1.FilterChain{
 					{
diff --git a/internal/server/requestid_test.go b/internal/server/requestid_test.go
index 116f38fc..3d0584a2 100644
--- a/internal/server/requestid_test.go
+++ b/internal/server/requestid_test.go
@@ -37,7 +37,7 @@ func TestPropagateRequestId(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.Background()
-			_, _ = PropagateRequestID(ctx, tt.req, nil, func(ctx context.Context, req interface{}) (interface{}, error) {
+			_, _ = PropagateRequestID(ctx, tt.req, nil, func(ctx context.Context, _ interface{}) (interface{}, error) {
 				kvs := telemetry.KeyValuesFromContext(ctx)
 				require.Equal(t, tt.want, kvs)
 				return nil, nil