shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
14,268 Commits 1,133 Branches 344 Tags
1a1f06aa79928ca778d1f7c023bafde4be8439a7
Commit Graph

1253 Commits

Author SHA1 Message Date
Jakub Domeracki 1a1f06aa79 fix: verify PKCS7 signature on Azure instance identity tokens (#25286) 
Migrates Azure instance identity verification from
`go.mozilla.org/pkcs7` and `github.com/fullsailor/pkcs7` to
`github.com/smallstep/pkcs7`, using `VerifyWithChainAtTime` to validate
both the PKCS7 signature and the certificate chain in one call. The
previous code only verified the signer certificate against a set of
intermediates/roots but did not verify that the PKCS7 signature itself
covered the content, meaning tampered payloads could be accepted.

The `Options` struct is restructured to accept `Roots`, `Intermediates`,
and `CurrentTime` as explicit fields instead of embedding
`x509.VerifyOptions`. The test helper `NewAzureInstanceIdentity` now
builds a realistic 3-level certificate chain (Root CA -> Intermediate CA
-> Signing Cert) matching real Azure trust hierarchy. New tests
(`TestValidate_TamperedContent`,
`TestValidate_UntrustedCertWithValidSignature`) confirm tampered and
untrusted envelopes are rejected.

Addresses GHSA-6x44-w3xg-hqqf.

> [!NOTE]
> This PR was authored by Coder Agents.

<details>
<summary>Implementation Plan</summary>

### Files Changed

| File | Summary |
|------|---------|
| `coderd/azureidentity/azureidentity.go` | Replace `signer.Verify()`
with `VerifyWithChainAtTime`; restructure `Options` struct; add
`ParseCertificates()` helper |
| `coderd/azureidentity/azureidentity_test.go` | Add `testCertChain`
builder, tampered-content and untrusted-cert tests; update existing
tests for new `Options` API |
| `coderd/coderd.go` | Change `AzureCertificates` field from
`x509.VerifyOptions` to `azureidentity.Options` |
| `coderd/workspaceresourceauth.go` | Pass `api.AzureCertificates`
directly instead of wrapping |
| `coderd/coderdtest/coderdtest.go` | Migrate to `smallstep/pkcs7`;
build 3-level cert chain in test helper |
| `go.mod` / `go.sum` | Add `github.com/smallstep/pkcs7`; remove
`fullsailor/pkcs7` and `go.mozilla.org/pkcs7` |

</details>
 2026-05-13 14:14:07 +00:00
dependabot[bot] 4b54925abc chore: bump the x group across 1 directory with 7 updates (#25198) 
Bumps the x group with 4 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/mod](https://github.com/golang/mod),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/tools](https://github.com/golang/tools).

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/b8a14a8d65f88c0c79c139171f1354c69a6cdb8a"><code>b8a14a8</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/9d9d5078968ddb8a279092c665a24e7de4178778"><code>9d9d507</code></a>
x509roots/fallback/bundle: fix bundle test with Go 1.27+</li>
<li><a
href="https://github.com/golang/crypto/commit/fd0b90d21f9ab4b5dd398e9526b570bfea86e370"><code>fd0b90d</code></a>
acme: include Problem in OrderError.Error</li>
<li><a
href="https://github.com/golang/crypto/commit/b9e53593a6073e6a786c49e9ad27956a9b77e54e"><code>b9e5359</code></a>
pbkdf2: turn into a wrapper for crypto/pbkdf2</li>
<li><a
href="https://github.com/golang/crypto/commit/cc0e4fc1d49127130b0d00612a2eeed2ab745d40"><code>cc0e4fc</code></a>
hkdf: forward Extract to the standard library</li>
<li><a
href="https://github.com/golang/crypto/commit/a8e9237a216b050e1b11e041863825104a6811db"><code>a8e9237</code></a>
x509roots/fallback: update bundle</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.50.0...v0.51.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/643da9ba74f1165d8cae1505d453b3de3cf21b7b"><code>643da9b</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/ccc3cdf529d1eee2a832437eb1b85240044d21cb"><code>ccc3cdf</code></a>
zip: include 'but content has correct sum' note in TestVCS</li>
<li><a
href="https://github.com/golang/mod/commit/ab3031803214705d2c9f1102318b083e7086a155"><code>ab30318</code></a>
zip: update zip hashes for new flate compression</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.35.0...v0.36.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.53.0 to 0.54.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/b138e06246cb323f2f380c2b7f7dd91f581dd56b"><code>b138e06</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/689f70a42abd350f3a1aaa70b0d13eb9543d927a"><code>689f70a</code></a>
quic: fix wrong final size being used for RESET_STREAM frame</li>
<li><a
href="https://github.com/golang/net/commit/208f306b2f0fd008b388bee2c2644be279778e94"><code>208f306</code></a>
http3: increase handshake timeout</li>
<li><a
href="https://github.com/golang/net/commit/49810da71b9026da9e0d028a6ad8c7730c52d9c4"><code>49810da</code></a>
http2: enable net/http wrapping when go &gt;= 1.27</li>
<li><a
href="https://github.com/golang/net/commit/5e11a5ab891c117eda83b4304d60dd13286c1c76"><code>5e11a5a</code></a>
quic: fix data race in streamForFrame</li>
<li><a
href="https://github.com/golang/net/commit/8c63081cd380ea768db5651941614b73472160ff"><code>8c63081</code></a>
http2: use empty Transport rather than DefaultTransport in
http2wrap</li>
<li><a
href="https://github.com/golang/net/commit/fc7b466ca49cb204039630533ece4fc557eb35cd"><code>fc7b466</code></a>
http2: add http2wrap test</li>
<li><a
href="https://github.com/golang/net/commit/15c2cb1875fd727313dc4de909b3ee149422fbe2"><code>15c2cb1</code></a>
http2: avoid overflowing 32-bit int when http2wrap enabled</li>
<li><a
href="https://github.com/golang/net/commit/64651885c2f2d745d77af2d7af2edbf568c179af"><code>6465188</code></a>
http2: add wrapped Server</li>
<li><a
href="https://github.com/golang/net/commit/72f419a894cb0597dd5b6bcf119086bf2af41231"><code>72f419a</code></a>
http2: add wrapped ClientConn</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.53.0...v0.54.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sys` from 0.43.0 to 0.44.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sys/commit/fb1facd76f95fa87c151018200ea5e4892ff115d"><code>fb1facd</code></a>
windows: avoid uint16 overflow in NewNTUnicodeString</li>
<li><a
href="https://github.com/golang/sys/commit/94ad893e1e59c1d079221324d38945d2aad8703f"><code>94ad893</code></a>
windows: add GetIfTable2Ex, GetIpInterface{Entry,Table},
GetUnicastIpAddressT...</li>
<li><a
href="https://github.com/golang/sys/commit/54fe89f8411576c06b345b341ca79a77d878a4ad"><code>54fe89f</code></a>
cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows</li>
<li><a
href="https://github.com/golang/sys/commit/df7d5d7b60641d17d87e2b50911124cb65f954fd"><code>df7d5d7</code></a>
unix: automatically remove container created by mkall.sh</li>
<li><a
href="https://github.com/golang/sys/commit/68a4a8e945b22751c1a619261b1d755372a1d5f7"><code>68a4a8e</code></a>
unix: avoid nil pointer dereference in Utime</li>
<li><a
href="https://github.com/golang/sys/commit/690c91f6ecf3b3ef141ad2aedb1306a868b3a176"><code>690c91f</code></a>
unix: add CPUSetDynamic for systems with more than 1024 CPUs</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.43.0...v0.44.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/3c3e4855f7d2eb06c3e48933554add9ec6b599b5"><code>3c3e485</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.42.0...v0.43.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/text` from 0.36.0 to 0.37.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/text/commit/3ef517e623a4bfc08d6457f87d73afda7af7d8e1"><code>3ef517e</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.36.0...v0.37.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/tools/commit/2aabba0e4be44cc8f254ced118a7156d04bbc9f3"><code>2aabba0</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/tools/commit/ef989b3f45baff2849e87f4a70d9a189be5a6959"><code>ef989b3</code></a>
go/types/internal/play: show Info.Instances[Ident]</li>
<li><a
href="https://github.com/golang/tools/commit/21d44f2f2bb3f3a8e06e35523d14bb70cb275c89"><code>21d44f2</code></a>
go/analysis/passes/inline: document skipping of TestF-&gt;F calls</li>
<li><a
href="https://github.com/golang/tools/commit/ec83c2190d81a18bbd472cc1498575b168017e5d"><code>ec83c21</code></a>
go/analysis/passes/modernize: minmax: only remove exact userdefined</li>
<li><a
href="https://github.com/golang/tools/commit/5625353d39195f1deb9261c5ee983abbdc4a15ca"><code>5625353</code></a>
go/analysis/passes/modernize: improve value variable name
generation</li>
<li><a
href="https://github.com/golang/tools/commit/15a3bd5d4ce0651f5cf43ea125db2110c67b257b"><code>15a3bd5</code></a>
gopls/internal/analysis/errorsastype: imporove example clarity</li>
<li><a
href="https://github.com/golang/tools/commit/cd57ef8f8dd7a30ef500bfe1eef0779223cbdfc3"><code>cd57ef8</code></a>
go/packages: include dependency errors when CompiledGoFiles is
missing</li>
<li><a
href="https://github.com/golang/tools/commit/053fdbcef55e8f977d8decc0fde2920c61eb5374"><code>053fdbc</code></a>
go/analysis/passes/modernize: minmax: fix pure operands only</li>
<li><a
href="https://github.com/golang/tools/commit/bf84681c4a0185014c089cffd533e22bbeffcb49"><code>bf84681</code></a>
go/analysis/passes/errorsas: add example of invalid errors.As use</li>
<li><a
href="https://github.com/golang/tools/commit/23921d1decfe5da40309ac183353c8cb38b03dfa"><code>23921d1</code></a>
gopls: add errorsastype analyzer</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.44.0...v0.45.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-12 17:33:46 +00:00
dependabot[bot] 0234422a55 chore: bump google.golang.org/api from 0.277.0 to 0.278.0 (#25201) 
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.277.0 to 0.278.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.278.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.277.0...v0.278.0">0.278.0</a>
(2026-05-05)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3582">#3582</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/76b1187e506ac0f48caac67907dd0805b253f74c">76b1187</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3584">#3584</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/e36c88361d11545583325c3ac6bdbd9cf1f1a7d0">e36c883</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md">google.golang.org/api's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.277.0...v0.278.0">0.278.0</a>
(2026-05-05)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3582">#3582</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/76b1187e506ac0f48caac67907dd0805b253f74c">76b1187</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3584">#3584</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/e36c88361d11545583325c3ac6bdbd9cf1f1a7d0">e36c883</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/07c758daacbc24e32753c3f1b537c7f6cce626f0"><code>07c758d</code></a>
chore(main): release 0.278.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3583">#3583</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/e36c88361d11545583325c3ac6bdbd9cf1f1a7d0"><code>e36c883</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3584">#3584</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/76b1187e506ac0f48caac67907dd0805b253f74c"><code>76b1187</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3582">#3582</a>)</li>
<li>See full diff in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.277.0...v0.278.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/api&package-manager=go_modules&previous-version=0.277.0&new-version=0.278.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-12 17:19:34 +00:00
Yevhenii Shcherbina 592e45dcfb chore: bump coder-guts dependency (#25154) 
Bump coder/guts to v1.7.0.
Related PR: https://github.com/coder/guts/pull/81
 2026-05-11 19:18:44 -04:00
Garrett Delfosse aed43d9b61 fix: update coder/tailscale to 85c03fc8fb2a (#24824) 
Updates `coder/tailscale` fork to
[`85c03fc8fb2a`](https://github.com/coder/tailscale/commit/85c03fc8fb2ad8fdf5b9328be5d277aaa83afdff),
which includes the DNS resilience fix from
https://github.com/coder/tailscale/pull/114 (preserve NRPT rules on
startup and improve hosts file retry).

---

> Generated by Coder Agents
 2026-05-11 17:35:33 -04:00
dependabot[bot] c1c3b9784e chore: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#25124) 
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git)
from 5.18.0 to 5.19.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.19.0</h2>
<h2>What's Changed</h2>
<ul>
<li>build: Update module github.com/go-git/go-git/v5 to v5.18.0
[SECURITY] (releases/v5.x) by <a
href="https://github.com/go-git-renovate"><code>@​go-git-renovate</code></a>[bot]
in <a
href="https://redirect.github.com/go-git/go-git/pull/2010">go-git/go-git#2010</a></li>
<li>v5: Bump sha1cd and go-billy by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2060">go-git/go-git#2060</a></li>
<li>v5: Align object encoding with upstream by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2065">go-git/go-git#2065</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0">https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/go-git/go-git/commit/bc930f4cbe095a3e1d49273655f73fcef7d41a42"><code>bc930f4</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2065">#2065</a>
from go-git/commit-v5</li>
<li><a
href="https://github.com/go-git/go-git/commit/d315264343cead712aa9eb56475c2ec96f5ecef1"><code>d315264</code></a>
plumbing: object, Reset object before decode</li>
<li><a
href="https://github.com/go-git/go-git/commit/6e1d34890a4dae8a0df738e531234bd60b7e9b66"><code>6e1d348</code></a>
plumbing: object, Align Tree handling with upstream</li>
<li><a
href="https://github.com/go-git/go-git/commit/e134ba34cf95ed0167e5b1df36a933d7bde9d02d"><code>e134ba3</code></a>
tests: Skip double checks in Git v2.11</li>
<li><a
href="https://github.com/go-git/go-git/commit/1971422f6b1bec9176061b3293306981cfff981e"><code>1971422</code></a>
tests: Add git conformance tests for signing verification</li>
<li><a
href="https://github.com/go-git/go-git/commit/a387aa8857a8fbba8e74b7f5485e9e030669ab5d"><code>a387aa8</code></a>
plumbing: object, Add ErrMalformedTag</li>
<li><a
href="https://github.com/go-git/go-git/commit/f415670d906b5c6169d1fdc64f3f9f1d33eb6f9c"><code>f415670</code></a>
plumbing: object, Decode Tag headers via a state machine</li>
<li><a
href="https://github.com/go-git/go-git/commit/5b0cd38a62e2336bb5f1a2ad0eb8ac8f9e7b740e"><code>5b0cd38</code></a>
plumbing: object, Reject multi-signature commits at Verify</li>
<li><a
href="https://github.com/go-git/go-git/commit/fe8ed6223a6079d9fd84d853362a996e7df175fb"><code>fe8ed62</code></a>
plumbing: object, Align Tag.EncodeWithoutSignature with Commit</li>
<li><a
href="https://github.com/go-git/go-git/commit/98e337d5bdc4c0536a40ab7381b2231f7e0b15cd"><code>98e337d</code></a>
plumbing: object, Add support for Tag.SignatureSHA256</li>
<li>Additional commits viewable in <a
href="https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-git/go-git/v5&package-manager=go_modules&previous-version=5.18.0&new-version=5.19.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-11 15:57:33 +00:00
Ethan b6dbc5614c fix(coderd/x/chatd): handle truncated provider streams (#25074) 
coder/fantasy now fails closed when Anthropic or OpenAI Responses
streams close before their provider terminal events instead of yielding
a successful finish.

This bumps the fantasy replacement to coder/fantasy#33 and teaches chat
error classification to treat those failures as retryable timeout errors
with explicit stream-closed messages.

<img width="875" height="311" alt="image"
src="https://github.com/user-attachments/assets/69c6f7b5-c885-46d2-a88b-b7a2b111bd55"
/>
 2026-05-08 15:52:42 +10:00
dependabot[bot] b35a11cece chore: bump google.golang.org/grpc from 1.80.0 to 1.81.0 (#24959) 
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from
1.80.0 to 1.81.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.81.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>balancer/rls: Switch gauge metrics to asynchronous emission (once
per collection cycle) to reduce telemetry noise and align with other
gRPC language implementations. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8808">#8808</a>)</li>
</ul>
<h1>Dependencies</h1>
<ul>
<li>Minimum supported Go version is now 1.25. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8969">#8969</a>)</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds: Use the leaf cluster's security config for the TLS handshake
instead of the aggregate cluster's config. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8956">#8956</a>)</li>
<li>transport: Send a <code>RST_STREAM</code> when receiving an
<code>END_STREAM</code> when the stream is not already half-closed. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8832">#8832</a>)</li>
<li>xds: Fix ADS resource name validation to prevent a panic. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8970">#8970</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>grpc/stats: Add support for custom labels in per-call metrics (<a
href="https://github.com/grpc/proposal/blob/master/A108-otel-custom-per-call-label.md">gRFC
A108</a>). (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9008">#9008</a>)</li>
<li>xds: Add support for Server Name Indication (SNI) and SAN validation
(<a
href="https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md">gRFC
A101</a>). Disabled by default. To enable, set
<code>GRPC_EXPERIMENTAL_XDS_SNI=true</code> environment variable. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9016">#9016</a>)</li>
<li>xds: Add support to control which fields get propagated from ORCA
backend metric reports to LRS load reports (<a
href="https://github.com/grpc/proposal/blob/master/A85-lrs-custom-metrics-changes.md">gRFC
A85</a>). Disabled by default. To enable, set
<code>GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true</code>. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9005">#9005</a>)</li>
<li>xds: Add metrics to track xDS client connectivity and cached
resource state (<a
href="https://github.com/grpc/proposal/blob/master/A78-grpc-metrics-wrr-pf-xds.md">gRFC
A78</a>). (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8807">#8807</a>)</li>
<li>stats/otel: Enhance <code>grpc.subchannel.disconnections</code>
metric by adding disconnection reason to the
<code>grpc.disconnect_error</code> label (<a
href="https://github.com/grpc/proposal/blob/master/A94-subchannel-otel-metrics.md">gRFC
A94</a>). This provides granular insights into why subchannels are
closing. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8973">#8973</a>)</li>
<li>mem: Add <code>mem.Buffer.Slice()</code> API to slice the buffer
like a slice. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8977">#8977</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/ash2k"><code>@​ash2k</code></a></li>
</ul>
</li>
</ul>
<h1>Performance Improvements</h1>
<ul>
<li>alts: Pool read buffers to lower memory utilization when sockets are
unreadable. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8964">#8964</a>)</li>
<li>transport: Pool HTTP/2 framer read buffers to reduce idle memory
consumption. Currently limited to Linux for ALTS and non-encrypted
transports (TCP, Unix). To disable, set
<code>GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false</code>
and report any issues. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/cb18228317ff523e63d931b4058b0329585b7dcd"><code>cb18228</code></a>
Change version to 1.81.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9062">#9062</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/96748f973e20bbfcafa19a8bdffc85ad5da138d1"><code>96748f9</code></a>
Cherry-pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/9105">#9105</a> to
1.81.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9106">#9106</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91832222f0144f76527b630ca55cfea6e1aa015a"><code>9183222</code></a>
Cherry pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/9055">#9055</a>,
<a href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a>
to v1.81.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9095">#9095</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/5cba6da4211f3b130238c792937f5921741b616a"><code>5cba6da</code></a>
Revert &quot;deps: update dependencies for all modules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)&quot;
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9067">#9067</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/af8a9364aa7523ab24d214e9ef13e6ad64d5c5f9"><code>af8a936</code></a>
deps: update dependencies for all modules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/cdc60dfaaadde45e16aa3c28237c0e655a722c1a"><code>cdc60df</code></a>
transport: optimize heap allocations in ready reader and update syscall
conne...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/208d053e3204c806ba9e6205c26aa064c8b42852"><code>208d053</code></a>
xds/resolver: pass complete XDSConfig in RPC context for HTTP filters
(gRFC A...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/50fe1cc7fd78b78ae638ed90ea78514c934167ac"><code>50fe1cc</code></a>
test: Fix flaky test
<code>TestServerStreaming_ClientCallRecvMsgTwice</code> in
`end2end...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/d574bad188f25ba03d41a506e6f2ef93837ad10b"><code>d574bad</code></a>
build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9050">#9050</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b8bf4d0488a351c563d63797ffba321585d6bb24"><code>b8bf4d0</code></a>
build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in
/inte...</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.80.0...v1.81.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-05 11:50:02 +00:00
dependabot[bot] f09c1bd695 chore: bump google.golang.org/api from 0.276.0 to 0.277.0 (#24961) 
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.276.0 to 0.277.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.277.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.276.0...v0.277.0">0.277.0</a>
(2026-04-29)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3567">#3567</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/39582952e4eac1b744499f8a8063a4a5f1ce7d6b">3958295</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3571">#3571</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ca9851efc573231ca1ed9c6fea4bc77d6052d0bb">ca9851e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3574">#3574</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8efb1afa0e5d9cc454f721124bba3881f3935e3c">8efb1af</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3575">#3575</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/de49bb519cab881f74e5b9ba11e263a2b9a4ad2e">de49bb5</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3577">#3577</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ce68c87d9dc6c144b6df578df725470b30cf83d6">ce68c87</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3578">#3578</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8be033e24e0c6ddb08a3df72c0a8997d21623a22">8be033e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3579">#3579</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/bc6990e20803f2ff2fd1b77995f6e9180ab2302b">bc6990e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3580">#3580</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/2de1a5aff3f3b6e53dff00da297c5d249ac8d791">2de1a5a</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3581">#3581</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/0c219d90e90899c93215558f3ea309c9732bf7ea">0c219d9</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>idtoken:</strong> Avoid double impersonation in
tokenSourceFromBytes (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3576">#3576</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/75172cf5cb7bfc260c22e481323355306f684a09">75172cf</a>),
refs <a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/2301">#2301</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md">google.golang.org/api's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.276.0...v0.277.0">0.277.0</a>
(2026-04-29)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3567">#3567</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/39582952e4eac1b744499f8a8063a4a5f1ce7d6b">3958295</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3571">#3571</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ca9851efc573231ca1ed9c6fea4bc77d6052d0bb">ca9851e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3574">#3574</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8efb1afa0e5d9cc454f721124bba3881f3935e3c">8efb1af</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3575">#3575</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/de49bb519cab881f74e5b9ba11e263a2b9a4ad2e">de49bb5</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3577">#3577</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ce68c87d9dc6c144b6df578df725470b30cf83d6">ce68c87</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3578">#3578</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8be033e24e0c6ddb08a3df72c0a8997d21623a22">8be033e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3579">#3579</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/bc6990e20803f2ff2fd1b77995f6e9180ab2302b">bc6990e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3580">#3580</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/2de1a5aff3f3b6e53dff00da297c5d249ac8d791">2de1a5a</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3581">#3581</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/0c219d90e90899c93215558f3ea309c9732bf7ea">0c219d9</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>idtoken:</strong> Avoid double impersonation in
tokenSourceFromBytes (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3576">#3576</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/75172cf5cb7bfc260c22e481323355306f684a09">75172cf</a>),
refs <a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/2301">#2301</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/dd598a60e19f836bb7ad709311b21d303bbab6c8"><code>dd598a6</code></a>
chore(main): release 0.277.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3568">#3568</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/b208a86db380e5e517451daa4e5f63fae1f723be"><code>b208a86</code></a>
chore(all): update all (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3573">#3573</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/0c219d90e90899c93215558f3ea309c9732bf7ea"><code>0c219d9</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3581">#3581</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/75172cf5cb7bfc260c22e481323355306f684a09"><code>75172cf</code></a>
fix(idtoken): avoid double impersonation in tokenSourceFromBytes (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3576">#3576</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/2de1a5aff3f3b6e53dff00da297c5d249ac8d791"><code>2de1a5a</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3580">#3580</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/60b078419409e11bc414c7ccbaf4d32ddfe2a5b0"><code>60b0784</code></a>
chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in
/inter...</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/bc6990e20803f2ff2fd1b77995f6e9180ab2302b"><code>bc6990e</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3579">#3579</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/8be033e24e0c6ddb08a3df72c0a8997d21623a22"><code>8be033e</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3578">#3578</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/ce68c87d9dc6c144b6df578df725470b30cf83d6"><code>ce68c87</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3577">#3577</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/de49bb519cab881f74e5b9ba11e263a2b9a4ad2e"><code>de49bb5</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3575">#3575</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.276.0...v0.277.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-05 11:34:30 +00:00
dependabot[bot] 44b0fa4065 chore: bump github.com/valyala/fasthttp from 1.70.0 to 1.71.0 (#24958) 
Bumps [github.com/valyala/fasthttp](https://github.com/valyala/fasthttp)
from 1.70.0 to 1.71.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/valyala/fasthttp/releases">github.com/valyala/fasthttp's
releases</a>.</em></p>
<blockquote>
<h2>v1.71.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(client): add RetryIfErrUpstream function to handle upstream
information by <a
href="https://github.com/mdenushev"><code>@​mdenushev</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2176">valyala/fasthttp#2176</a></li>
<li>Match net/http sensitive header redirect policy by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2181">valyala/fasthttp#2181</a></li>
<li>Sanitize first-line header setters to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2182">valyala/fasthttp#2182</a></li>
<li>server: apply ReadTimeout before first byte with ReduceMemoryUsage
by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2183">valyala/fasthttp#2183</a></li>
<li>header: reject invalid trailer names by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2188">valyala/fasthttp#2188</a></li>
<li>header: reject pre-colon whitespace in request headers by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2187">valyala/fasthttp#2187</a></li>
<li>Sanitize redirect Location header to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2186">valyala/fasthttp#2186</a></li>
<li>server: keep hijacked reader out of pool by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2184">valyala/fasthttp#2184</a></li>
<li>Sanitize cookie setters to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2185">valyala/fasthttp#2185</a></li>
<li>feat: add ExpectHandler for richer Expect: 100-continue handling by
<a href="https://github.com/miretskiy"><code>@​miretskiy</code></a> in
<a
href="https://redirect.github.com/valyala/fasthttp/pull/2175">valyala/fasthttp#2175</a></li>
<li>http: reject whitespace before chunk extensions by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2193">valyala/fasthttp#2193</a></li>
<li>header: reject unsupported response Transfer-Encoding by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2192">valyala/fasthttp#2192</a></li>
<li>header: match net/http CL+TE handling by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2190">valyala/fasthttp#2190</a></li>
<li>chore(deps): bump securego/gosec from 2.25.0 to 2.26.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2195">valyala/fasthttp#2195</a></li>
<li>chore(deps): bump github.com/klauspost/compress from 1.18.5 to
1.18.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2196">valyala/fasthttp#2196</a></li>
<li>feat(prefork): Enhance prefork management with WatchMaster,
CommandProducer, and Windows support by <a
href="https://github.com/ReneWerner87"><code>@​ReneWerner87</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2180">valyala/fasthttp#2180</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/miretskiy"><code>@​miretskiy</code></a>
made their first contribution in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2175">valyala/fasthttp#2175</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0">https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/valyala/fasthttp/commit/e9208ecebf0c102176bb0635043c17333b10401d"><code>e9208ec</code></a>
Revert &quot;feat(prefork): graceful shutdown, leak fixes, hook
robustness&quot; commit</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/481e579af9e7d79f9ce27909edd2c42ef9dce173"><code>481e579</code></a>
feat(prefork): Enhance prefork management with WatchMaster,
CommandProducer, ...</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/805cd1046567aa8a8b97a8bfe9e7b411621f68b2"><code>805cd10</code></a>
Add note on MaxResponseBodySize compatibility with
StreamResponseBody</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/5b5c1be52ca382dcea0ed86931b3f1d2aba9dce6"><code>5b5c1be</code></a>
chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
(<a
href="https://redirect.github.com/valyala/fasthttp/issues/2196">#2196</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/d6a99db432025de9ae13051cb42b3e6c3d6568a3"><code>d6a99db</code></a>
chore(deps): bump securego/gosec from 2.25.0 to 2.26.1 (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2195">#2195</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/f36c9009027f81f4fbf304822f96752517b08949"><code>f36c900</code></a>
header: match net/http CL+TE handling (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2190">#2190</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/0b4cede30fa0eb22f9d10999e23ebaabba15e107"><code>0b4cede</code></a>
header: reject unsupported response Transfer-Encoding (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2192">#2192</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/c497746f7d52ab88597dc88310e7f797cc7755aa"><code>c497746</code></a>
http: reject whitespace before chunk extensions (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2193">#2193</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/97b38d3a4884b7c3d8891750a4c752073bc3c152"><code>97b38d3</code></a>
server: document SaveMultipartFile path trust requirement</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/19e4b24955fb0ef764229802378a5e36ae7a822b"><code>19e4b24</code></a>
feat: add ExpectHandler for richer Expect: 100-continue handling (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2175">#2175</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/valyala/fasthttp&package-manager=go_modules&previous-version=1.70.0&new-version=1.71.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-05 11:19:28 +00:00
dependabot[bot] a970ffdac8 chore: bump github.com/gohugoio/hugo from 0.160.0 to 0.161.1 (#24957) 
Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from
0.160.0 to 0.161.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gohugoio/hugo/releases">github.com/gohugoio/hugo's
releases</a>.</em></p>
<blockquote>
<h2>v0.161.1</h2>
<h2>What's Changed</h2>
<ul>
<li>resources: Honor Retry-After header in resources.GetRemote retries
c4eba928 <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14828">#14828</a></li>
<li>warpc: Move to parson.c in <a
href="https://github.com/kgabis/parson">https://github.com/kgabis/parson</a>
8b40a96b <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14823">#14823</a></li>
<li>config/security: Add AllowChildProcess to security.node.permissions
d65af84d <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14824">#14824</a></li>
<li>config/security: Restrict default http.urls &quot;@&quot; deny to
userinfo 454450a6 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14825">#14825</a></li>
</ul>
<h2>v0.161.0</h2>
<p>This release contains two security hardening fixes:</p>
<ul>
<li>We now run the Node tools PostCSS, Babel and TailwindCSS, by
default, with the <code>--permission</code> flag with the permissions
defined in <a
href="https://gohugo.io/configuration/security/">security.node.permissions</a>.
This means that you need Node &gt;= 22 installed and that
<code>css.TailwindCSS</code> now requires that the Tailwind CSS CLI must
be installed as a Node.js package. The <a
href="https://github.com/tailwindlabs/tailwindcss/releases/latest">standalone
executable</a> is no longer supported</li>
<li>We have made the defaults in <a
href="https://gohugo.io/configuration/security/#httpurls">security.http.urls</a>
more restrictive.</li>
</ul>
<p>But there are some notable new features, as well:</p>
<h2>Nested vars support in css.Build and css.Sass</h2>
<p>A practical example in <code>css.Build</code> would be to have
something like this in <code>hugo.toml</code>:</p>
<pre lang="toml"><code>[params.style]
primary =
&quot;[#000000](https://github.com/gohugoio/hugo/issues/000000)&quot;
    background = &quot;#ffffff&quot;
    [params.style.dark]
        primary    = &quot;#ffffff&quot;
background =
&quot;[#000000](https://github.com/gohugoio/hugo/issues/000000)&quot;
</code></pre>
<p>And in the stylesheet:</p>
<pre lang="css"><code>@import &quot;hugo:vars&quot;;
@import &quot;hugo:vars/dark&quot; (prefers-color-scheme: dark);
<p>:root {
color-scheme: light dark;
}
</code></pre></p>
<h2>Slice-based permalinks config</h2>
<p>The <code>permalinks</code> configuration is now much more flexible
(the old setup still works). It uses the same <a
href="https://gohugo.io/configuration/cascade/#target">target</a>
matchers as in the <code>cascade</code> config, meaning you can now
do:</p>
<pre lang="yaml"><code>permalinks:
  - target:
      kind: page
      path: &quot;/books/**&quot;
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gohugoio/hugo/commit/ea8f66a7ce988664dcc84c052fc96757042e2e4a"><code>ea8f66a</code></a>
releaser: Bump versions for release of 0.161.1</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/c4eba92863bbb988b23e63af40a22d6661b0ced6"><code>c4eba92</code></a>
resources: Honor Retry-After header in resources.GetRemote retries</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/8b40a96b6e992fbacd8626c24168889f50152808"><code>8b40a96</code></a>
warpc: Move to parson.c in <a
href="https://github.com/kgabis/parson">https://github.com/kgabis/parson</a></li>
<li><a
href="https://github.com/gohugoio/hugo/commit/d65af84d1572326057a9a55e26beb0cee784698a"><code>d65af84</code></a>
config/security: Add AllowChildProcess to security.node.permissions</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/454450a647111e5e0b41af595b310f3062c5630e"><code>454450a</code></a>
config/security: Restrict default http.urls &quot;@&quot; deny to
userinfo</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/2bfcc6b9941724cd1d0b490583e89413d7a66979"><code>2bfcc6b</code></a>
releaser: Prepare repository for 0.162.0-DEV</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/98d396c16a07b51df06e7673d817a3880da6218d"><code>98d396c</code></a>
releaser: Bump versions for release of 0.161.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/d4ae662d598db81d239a291bc26336be5fec6893"><code>d4ae662</code></a>
build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to
0.137.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/9ede5fb9e0304d3eb193b3c1a9214c735f05db21"><code>9ede5fb</code></a>
build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/833a878eef4fce2bbabb05dcbb8a7e31f93aadda"><code>833a878</code></a>
build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to
2.24.13</li>
<li>Additional commits viewable in <a
href="https://github.com/gohugoio/hugo/compare/v0.160.0...v0.161.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/gohugoio/hugo&package-manager=go_modules&previous-version=0.160.0&new-version=0.161.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-05 11:19:15 +00:00
dependabot[bot] fc04f0d71e chore: bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 (#24962) 
Bumps
[github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify)
from 1.9.0 to 1.10.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fsnotify/fsnotify/releases">github.com/fsnotify/fsnotify's
releases</a>.</em></p>
<blockquote>
<h2>v1.10.1</h2>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: don't remove sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>)</p>
</li>
<li>
<p>inotify, windows: don't rename sibling watches sharing a path prefix
(<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>)</p>
</li>
</ul>
<p><a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/754">fsnotify/fsnotify#754</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/755">fsnotify/fsnotify#755</a></p>
<h2>v1.10.0</h2>
<p>This version of fsnotify needs Go 1.23.</p>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: improve initialization error message (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/731">#731</a>)</p>
</li>
<li>
<p>inotify: send Rename event if recursive watch is renamed (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/696">#696</a>)</p>
</li>
<li>
<p>inotify: avoid copying event buffers when reading names (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/741">#741</a>)</p>
</li>
<li>
<p>kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a
bad entry no longer aborts Watcher.Add for the whole directory (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>)</p>
</li>
<li>
<p>kqueue: drop watches directly in Close() to fix a file descriptor
leak when recycling watchers (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/740">#740</a>)</p>
</li>
<li>
<p>windows: fix nil pointer dereference in remWatch (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/736">#736</a>)</p>
</li>
<li>
<p>windows: lock watch field updates against concurrent WatchList to fix
a race introduced in v1.9.0 (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>,
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>)</p>
</li>
</ul>
<p><a
href="https://redirect.github.com/fsnotify/fsnotify/issues/696">#696</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/696">fsnotify/fsnotify#696</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/709">fsnotify/fsnotify#709</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/731">#731</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/731">fsnotify/fsnotify#731</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/736">#736</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/736">fsnotify/fsnotify#736</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/740">#740</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/740">fsnotify/fsnotify#740</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/741">#741</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/741">fsnotify/fsnotify#741</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/748">fsnotify/fsnotify#748</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/749">fsnotify/fsnotify#749</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md">github.com/fsnotify/fsnotify's
changelog</a>.</em></p>
<blockquote>
<h2>1.10.1 2026-05-04</h2>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: don't remove sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>)</p>
</li>
<li>
<p>inotify, windows: don't rename sibling watches sharing a path prefix
(<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>)</p>
</li>
</ul>
<p><a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/754">fsnotify/fsnotify#754</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/755">fsnotify/fsnotify#755</a></p>
<h2>1.10.0 2026-04-30</h2>
<p>This version of fsnotify needs Go 1.23.</p>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: improve initialization error message (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/731">#731</a>)</p>
</li>
<li>
<p>inotify: send Rename event if recursive watch is renamed (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/696">#696</a>)</p>
</li>
<li>
<p>inotify: avoid copying event buffers when reading names (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/741">#741</a>)</p>
</li>
<li>
<p>kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a
bad entry no longer aborts Watcher.Add for the whole directory (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>)</p>
</li>
<li>
<p>kqueue: drop watches directly in Close() to fix a file descriptor
leak
when recycling watchers (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/740">#740</a>)</p>
</li>
<li>
<p>windows: fix nil pointer dereference in remWatch (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/736">#736</a>)</p>
</li>
<li>
<p>windows: lock watch field updates against concurrent WatchList to fix
a race introduced in v1.9.0 (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>,
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>)</p>
</li>
</ul>
<p><a
href="https://redirect.github.com/fsnotify/fsnotify/issues/696">#696</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/696">fsnotify/fsnotify#696</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/709">fsnotify/fsnotify#709</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/731">#731</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/731">fsnotify/fsnotify#731</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/736">#736</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/736">fsnotify/fsnotify#736</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/740">#740</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/740">fsnotify/fsnotify#740</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/741">#741</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/741">fsnotify/fsnotify#741</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/748">fsnotify/fsnotify#748</a>
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>:
<a
href="https://redirect.github.com/fsnotify/fsnotify/pull/749">fsnotify/fsnotify#749</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/76b01a6e8f502187fecedea8b025e79e5a86085c"><code>76b01a6</code></a>
Release 1.10.1</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/fec150b807510e54e5b25def4b6e5fb001b4898c"><code>fec150b</code></a>
Update changelog</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/162b4216ab8f92ecd26425530bee198972c9b3cb"><code>162b421</code></a>
inotify, windows: don't rename sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/224257f23b2f3a96509b316c5cead71dd4a9099a"><code>224257f</code></a>
inotify: don't remove sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/e0c956c0ccaf51562fee30ef5c055c74e6ae2104"><code>e0c956c</code></a>
windows: document directory Write events and stabilize tests (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/745">#745</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/8d01d7b9cbe0199e4a1e60fbd965fb05dbb42123"><code>8d01d7b</code></a>
Release 1.10.0</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/602284e4a8cadd488d7a5fa07c48462dfac25108"><code>602284e</code></a>
Update changelog</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/7f03e59f9659552d8a084e03024cb9b983748ed7"><code>7f03e59</code></a>
kqueue: skip ENOENT entries in watchDirectoryFiles (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/dab9dde2fc9ba4d0c1076318f81cabcc8fdb2ec9"><code>dab9dde</code></a>
windows: lock watch field updates against concurrent WatchList (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>)
(<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/eadf267ce152b5e62d48cc2c13bb08bd4062b6c7"><code>eadf267</code></a>
kqueue: drop watches directly in Close() instead of going through
remove() (#...</li>
<li>Additional commits viewable in <a
href="https://github.com/fsnotify/fsnotify/compare/v1.9.0...v1.10.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/fsnotify/fsnotify&package-manager=go_modules&previous-version=1.9.0&new-version=1.10.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-05 11:18:24 +00:00
Steven Masley d4f913a4cf chore: bump coder/serpent to accept empty env vars (#24926) 
Non-zero default values can now be set to `""` with env vars. Eg:
`--log-human="" --log-json="/dev/stderr"`
 2026-05-04 13:42:03 -05:00
Michael Suchacz 0bb09935bc feat: add computer-use provider selection for AI agents (#24772) 
Adds a deployment-wide setting to select the computer-use provider
(Anthropic or OpenAI) for AI agents, plus the OpenAI computer-use runner
needed to honor that selection.

The setting is stored in `site_configs` under
`agents_computer_use_provider`, defaults to Anthropic when unset, and is
exposed via experimental GET/PUT endpoints under
`/api/experimental/chats/config/computer-use-provider`. The chatd
computer-use tool now dispatches to either `runAnthropicComputerUse` or
`runOpenAIComputerUse` based on the resolved provider, with
provider-specific result metadata for OpenAI screenshots.

Frontend adds a provider dropdown to the Agents Experiments settings
page nested under the virtual desktop toggle, with disabled state
handling while virtual desktop is off and skeleton loaders while config
queries are in flight.

Hugo and Codex review follow-up:
- Uses shared provider validation and clearer computer-use constant
names.
- Removes stale OpenAI pending-safety-checks commentary.
- Documents why provider result metadata is needed for OpenAI
screenshots.
- Keeps the computer-use subagent visible when provider credentials are
missing, then returns a clear spawn-time configuration error.
- Uses OpenAI's recommended 1600x900 screenshot geometry to preserve the
native 16:9 aspect ratio.
- Moves OpenAI-specific computer-use helpers into
`coderd/x/chatd/chatopenai/computeruse` after rebasing onto the provider
package refactor in `main`.
- Converts OpenAI pixel scroll deltas to Coder desktop wheel-click
amounts.
- Preserves OpenAI pointer modifiers with key down/up desktop actions
and rejects unsupported non-left double-click buttons explicitly.
- Maps OpenAI back/forward side-button clicks to browser navigation key
actions.
- Defaults omitted OpenAI click buttons to left-click.
- Retries mouse release cleanup if the final OpenAI drag release fails.
- Keeps computer-use subagent availability messages stable when provider
config cannot be loaded, while logging the backend error.
- Releases remaining OpenAI modifier keys if a synthetic key-up cleanup
action fails.
- Updates Storybook interaction stories so provider snapshots show the
selected final provider.

> Mux updated this PR description on behalf of Mike.
 2026-05-04 20:30:50 +02:00
George K fb6e00de18 fix: preserve rollback errors in runTx (#24598) 
Previously, `runTx` could lose a deferred rollback failure when returning an
existing transaction error, because the rollback path could not update the final
return value.

https://go.dev/play/p/AhBK31lO0Gd
 2026-04-30 10:27:53 -07:00
dylanhuff-at-coder fb84e72319 feat: add secret requirement contract to dynamic parameters (#24785) 
Adds structured `secret_requirements` to dynamic parameter responses and
enforces missing required secrets during workspace start.

Stop, delete, and tag rendering paths skip secret requirement
enforcement so unmet secrets do not prevent cleanup. The SDK, generated
API docs/types, and backend render/resolver/wsbuilder tests are updated
for the new contract.
 2026-04-29 16:38:26 -07:00
Michael Suchacz 8fe11e9b14 fix: match Bedrock streaming accept headers (#24781) 
> Mux is working on behalf of Mike.

## Summary
- Bump `github.com/coder/anthropic-sdk-go` to the corrected Bedrock
streaming header fix from coder/anthropic-sdk-go#14.
- Match botocore's `InvokeModelWithResponseStream` request shape by
using `X-Amzn-Bedrock-Accept` and omitting the HTTP `Accept` header.
- Update chatd regression coverage for the corrected header shape.

## Context
The previous fix set `Accept: application/vnd.amazon.eventstream`. Real
boto3/botocore streaming requests do not send that header. They send
`X-Amzn-Bedrock-Accept: application/json`, which is the modeled Bedrock
request header for the desired model response MIME type.

## Validation
- `go test ./coderd/x/chatd/chatprovider -run
'TestModelFromConfig_Bedrock(StreamingHeaders|StripsAnthropicHeaders)?$'
-count=1`
- `go mod tidy -diff`
- `git diff --check`
- pre-commit hook during `git commit`
 2026-04-28 14:39:10 +02:00
dependabot[bot] 8ba894ba46 chore: bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 (#24773) 
Bumps
[github.com/invopop/jsonschema](https://github.com/invopop/jsonschema)
from 0.13.0 to 0.14.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/invopop/jsonschema/releases">github.com/invopop/jsonschema's
releases</a>.</em></p>
<blockquote>
<h2>v0.14.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgrade to golangci-lint v2 by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/187">invopop/jsonschema#187</a></li>
<li>Bump minimum Go version to 1.24 by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/188">invopop/jsonschema#188</a></li>
<li>Support omitzero json tags by <a
href="https://github.com/YvanGuidoin"><code>@​YvanGuidoin</code></a> in
<a
href="https://redirect.github.com/invopop/jsonschema/pull/161">invopop/jsonschema#161</a></li>
<li>feat: Respect json:&quot;,string&quot; for integer fields in
generated schema by <a
href="https://github.com/fengxsong"><code>@​fengxsong</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/183">invopop/jsonschema#183</a></li>
<li>Split jsonschema_extras only on unescaped commas by <a
href="https://github.com/liorokman"><code>@​liorokman</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/173">invopop/jsonschema#173</a></li>
<li>Fix nil pointer dereference in ReflectFromType with ExpandedStruct
(fix <a
href="https://redirect.github.com/invopop/jsonschema/issues/163">#163</a>)
by <a href="https://github.com/edznux-dd"><code>@​edznux-dd</code></a>
in <a
href="https://redirect.github.com/invopop/jsonschema/pull/186">invopop/jsonschema#186</a></li>
<li>Replace wk8/go-ordered-map with pb33f/ordered-map by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/189">invopop/jsonschema#189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/YvanGuidoin"><code>@​YvanGuidoin</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/161">invopop/jsonschema#161</a></li>
<li><a href="https://github.com/fengxsong"><code>@​fengxsong</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/183">invopop/jsonschema#183</a></li>
<li><a href="https://github.com/liorokman"><code>@​liorokman</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/173">invopop/jsonschema#173</a></li>
<li><a href="https://github.com/edznux-dd"><code>@​edznux-dd</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/186">invopop/jsonschema#186</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0">https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/invopop/jsonschema/commit/2c57d6074bf9004aaaf1fc9c07ff0ea730b23de7"><code>2c57d60</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/189">#189</a>
from invopop/replace-wk8-with-pb33f-ordered-map</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/d8cc8ebd57b811474861dd25409560271f084128"><code>d8cc8eb</code></a>
Replace wk8/go-ordered-map with pb33f/ordered-map</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/0d5bd753ec797ec5366a2145bf8252bff5f6406f"><code>0d5bd75</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/186">#186</a>
from edznux-dd/fix/expanded-struct-nil-deref</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/3d693733ab7bca092e8604299fb82ecb573b6b10"><code>3d69373</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/173">#173</a>
from liorokman/escape-extras-tags</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/b43264d2a5a9b129a943a1603d5d9df80f705b1f"><code>b43264d</code></a>
Silence revive unused-parameter on fuzz callback</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/7b21bb5bcefbed61748f2ac0388ccfc5a07ce928"><code>7b21bb5</code></a>
Merge remote-tracking branch 'origin/main' into
pr-186-expanded-struct</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/048739859f24dff300c94b8b2a75f17cb8f94c4c"><code>0487398</code></a>
Fix ExtraWithComman typo in test struct field</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/bc932369a8e17ddd0028658e1be49e35d6a748b5"><code>bc93236</code></a>
Merge remote-tracking branch 'origin/main' into
pr-173-escape-extras</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/d39f13c8fc27de49b934bd043f64e2f3284c920b"><code>d39f13c</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/183">#183</a>
from fengxsong/feat/reflect-json-string-for-integers</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/f2e2b913ec19ef878325e6ee1b78eb2dbcea26bb"><code>f2e2b91</code></a>
Extend json:&quot;,string&quot; support to number and boolean
fields</li>
<li>Additional commits viewable in <a
href="https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/invopop/jsonschema&package-manager=go_modules&previous-version=0.13.0&new-version=0.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-28 11:52:56 +00:00
Michael Suchacz dec3e98e54 fix: set Bedrock streaming accept headers (#24776) 
> Mux is working on behalf of Mike.

## Summary
- Bump `github.com/coder/anthropic-sdk-go` to the clean Bedrock
streaming header fix from coder/anthropic-sdk-go#10.
- Add chatd regression coverage that verifies Bedrock streaming requests
use AWS event stream headers and include `X-Amzn-Bedrock-Accept` in the
SigV4 signed headers.

## SDK follow-up
- Reverted the bad coder/anthropic-sdk-go#8 merge with
coder/anthropic-sdk-go#9.
- Re-applied only the intended Bedrock streaming header change in
coder/anthropic-sdk-go#10.

## Validation
- `go test ./coderd/x/chatd/chatprovider -run
'TestModelFromConfig_Bedrock(StreamingHeaders|StripsAnthropicHeaders)?$'
-count=1`
- `go test ./coderd/x/chatd/chatprovider -count=1`
- `go mod tidy -diff`
- `make lint`
- pre-commit hook during `git commit`
 2026-04-28 11:28:20 +00:00
dependabot[bot] 411dc1ca8e chore: bump github.com/aws/smithy-go from 1.24.2 to 1.25.1 (#24775) 
Bumps [github.com/aws/smithy-go](https://github.com/aws/smithy-go) from
1.24.2 to 1.25.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/releases">github.com/aws/smithy-go's
releases</a>.</em></p>
<blockquote>
<h2>v1.25.0</h2>
<h1>Release (2026-04-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.0
<ul>
<li><strong>Feature</strong>: Add support for endpointBdd trait</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/blob/main/CHANGELOG.md">github.com/aws/smithy-go's
changelog</a>.</em></p>
<blockquote>
<h1>Release (2026-04-23)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.1
<ul>
<li><strong>Bug Fix</strong>: Fixed a memory leak in the LRU cache
implementation used by some AWS services.</li>
</ul>
</li>
</ul>
<h1>Release (2026-04-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.0
<ul>
<li><strong>Feature</strong>: Add support for endpointBdd trait</li>
</ul>
</li>
</ul>
<h1>Release (2026-04-02)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.3
<ul>
<li><strong>Bug Fix</strong>: Add additional sigv4 configuration.</li>
</ul>
</li>
<li><code>github.com/aws/smithy-go/aws-http-auth</code>: <a
href="https://github.com/aws/smithy-go/blob/main/aws-http-auth/CHANGELOG.md#v113-2026-04-02">v1.1.3</a>
<ul>
<li><strong>Bug Fix</strong>: Add additional sigv4 configuration.</li>
</ul>
</li>
</ul>
<h1>Release (2026-02-27)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Bump minimum go version to
1.24.</li>
</ul>
<h1>Release (2026-02-20)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.1
<ul>
<li><strong>Feature</strong>: Add new middleware functions to get event
stream output from middleware</li>
</ul>
</li>
</ul>
<h1>Release (2025-12-01)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws/smithy-go/commit/e094f45e716e33a1b950cf8bbe804790bf87f965"><code>e094f45</code></a>
Release 2026-04-23</li>
<li><a
href="https://github.com/aws/smithy-go/commit/214d45be3be5188c4d2fd9cf744c21f8b3dfbabc"><code>214d45b</code></a>
changelog</li>
<li><a
href="https://github.com/aws/smithy-go/commit/3477da0b4dbf31de58ac375fe5abe5d268280824"><code>3477da0</code></a>
fix lrucache memory leak on existing item put (<a
href="https://redirect.github.com/aws/smithy-go/issues/652">#652</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/0d0b4d00f2430e62a790203b89fd76dceb4ae213"><code>0d0b4d0</code></a>
Bump Smithy version to 1.69.0 (<a
href="https://redirect.github.com/aws/smithy-go/issues/650">#650</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/be5e5ef0d73560eac9d71df7995b0eaffb9a8d71"><code>be5e5ef</code></a>
check <a href="https://github.com/enum"><code>@​enum</code></a> on
strings for cbor (<a
href="https://redirect.github.com/aws/smithy-go/issues/649">#649</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/5beb80e9da6bcad40dc304f062c27d8269abd67d"><code>5beb80e</code></a>
Ensure javadoc uses utf-8 (<a
href="https://redirect.github.com/aws/smithy-go/issues/648">#648</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/73bb8a7d6e222332d46eec7209ba3cd0ba520239"><code>73bb8a7</code></a>
Release 2026-04-15</li>
<li><a
href="https://github.com/aws/smithy-go/commit/f056c6fb0b43ba9bfeca6c29c8c1e1046437e45e"><code>f056c6f</code></a>
Changelog</li>
<li><a
href="https://github.com/aws/smithy-go/commit/ee36afc3d70050ba990c8de8d65043ac11d1f9f4"><code>ee36afc</code></a>
Implement BDD generator for <a
href="https://github.com/endpointBdd"><code>@​endpointBdd</code></a>
Smithy trait (<a
href="https://redirect.github.com/aws/smithy-go/issues/647">#647</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/3dbea7015f5ed79312e2a3cb6bbf39f7a26e46ea"><code>3dbea70</code></a>
Release 2026-04-02</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/smithy-go/compare/v1.24.2...v1.25.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/aws/smithy-go&package-manager=go_modules&previous-version=1.24.2&new-version=1.25.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-28 11:18:10 +00:00
dependabot[bot] a700523043 chore: bump github.com/sony/gobreaker/v2 from 2.3.0 to 2.4.0 (#24774) 
Bumps [github.com/sony/gobreaker/v2](https://github.com/sony/gobreaker)
from 2.3.0 to 2.4.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sony/gobreaker/commit/0ae90251b774f890e7586c96ea82d61eb74d556d"><code>0ae9025</code></a>
Update README (<a
href="https://redirect.github.com/sony/gobreaker/issues/114">#114</a>)</li>
<li><a
href="https://github.com/sony/gobreaker/commit/1ab58bdde813e51022946f4c9ee25906f0350982"><code>1ab58bd</code></a>
feat(circuitbreaker): add tri-state outcome evaluation with Excluded
support ...</li>
<li><a
href="https://github.com/sony/gobreaker/commit/91fd4d17c2aab3de8e6f5cd6bb738e8a4d4e6d68"><code>91fd4d1</code></a>
Update Go version matrix in test workflow (<a
href="https://redirect.github.com/sony/gobreaker/issues/113">#113</a>)</li>
<li>See full diff in <a
href="https://github.com/sony/gobreaker/compare/v2.3.0...v2.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/sony/gobreaker/v2&package-manager=go_modules&previous-version=2.3.0&new-version=2.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-28 11:15:36 +00:00
Zach ef6e452825 chore: uprev coder/terraform-provider-coder to v2.16.0 (#24719) 
Bumps coder/terraform-provider-coder to v2.16.0 to pick up the `coder_secret`
data source that enables expressing a required user secret in a template.
 2026-04-27 08:29:57 -06:00
Michael Suchacz 99a83a2702 fix: clean Bedrock headers (#24718) 
Bedrock chat provider requests can inherit Anthropic public API headers
from the process environment, which causes mixed Anthropic and Bedrock
auth headers on signed requests.

Update the Anthropic SDK fork so its Bedrock middleware strips
Anthropic-only headers before signing requests, and keep a chatprovider
regression test for the production request shape.

> Mux is acting on Mike's behalf.
 2026-04-26 21:50:29 +02:00
Michael Suchacz 62e9752acd fix: prevent malformed OpenAI Responses continuations (#24725) 
> Worked on by Mux on Mike's behalf.

## Summary

- Disable OpenAI Responses `previous_response_id` chain mode when the
prior assistant response has unresolved local tool calls, so the next
request can include paired tool outputs instead of sending an incomplete
continuation.
- Update the fantasy pin to a Responses replay fix that preserves stored
reasoning references, only replays web search references when paired
with reasoning, and validates local function-call output pairing before
send.
- Add fake OpenAI Responses input validation for the two production 400
shapes and integration coverage for full-history reasoning plus web
search replay.
- Add sanitized diagnostics for the OpenAI Responses continuity errors.

## Tests

- `go test ./providers/openai -run
'TestResponsesToPrompt_(ReasoningWithStore|ReasoningWithWebSearchCombined|WebSearchRequiresReasoningReference|ReasoningWithFunctionCallCombined|WebSearchProviderExecutedToolResults)|TestPrepareParams_(SkipsProviderExecutedToolReferences|ValidatesFunctionCallOutputPairing)|TestValidateResponsesInput_WebSearchReferenceRequiresReasoning'
-count=1`
- `go test ./providers/openai -count=1`
- `GOWORK=off go test ./coderd/x/chatd/chattest -run
TestValidateResponsesAPIInput -count=1`
- `GOWORK=off go test ./coderd/x/chatd -run
'TestOpenAIResponses(NoStaleWebSearchReplay|FullReplayPairsReasoningAndWebSearch|ChainModeSkipsWhenLocalCallPending|ChainModeStillFiresForProviderExecutedOnly)$|TestResolveChainMode_'
-count=1`
- `GOWORK=off go test ./coderd/x/chatd/chatprompt -run
'TestInjectMissingToolResults_' -count=1`
- `GOWORK=off go test ./coderd/x/chatd/chaterror -run
TestClassify_OpenAIResponsesAPIDiagnostics -count=1`
- `GOWORK=off go test ./coderd/x/chatd/... -count=1`
- `git diff --check`
- `git commit` pre-commit hook
 2026-04-26 21:23:06 +02:00
blinkagent[bot] a497d934db chore: bump coder/fantasy to include gpt-5.5 Responses API support (#24712) 
Bumps the `charm.land/fantasy` replace directive to pick up
<https://github.com/coder/fantasy/pull/29>, which adds `gpt-5.5` and
`gpt-5.5-pro` to `responsesReasoningModelIDs`.

Without this, chatd's `useOpenAIResponsesOptions` returns false for
GPT-5.5, so it falls back to Chat Completions and never attaches
`ResponsesProviderOptions` (losing `store=true` + `previous_response_id`
chaining and other Responses-only features).

## Changes
- `go.mod`: `github.com/coder/fantasy
v0.0.0-20260416152503-959aa39579d2` →
`v0.0.0-20260424191546-5ab464a305f4`
- `go.sum`: updated hashes

Verified `go build ./coderd/x/chatd/...` passes locally.

Created on behalf of @ibetitsmike

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
 2026-04-24 19:35:26 +00:00
Paweł Banaszewski e00e85765b chore: move aibridge library code into coder repo (#24190) 
This PR merges code from `coder/aibridge` repository into `coder/coder`.
It was split into 4 PRs for easier review but stacked PRs will need to
be merged into this PR so all checks pass.

* https://github.com/coder/coder/pull/24190 -> raw code copy (this PR,
before merging PRs on top of it, it was just 1 commit:
https://github.com/coder/coder/commit/70d33f33200c7e77df910957595715f81f9bec24)
* https://github.com/coder/coder/pull/24570 -> update imports in
`coder/coder` to use copied code
* https://github.com/coder/coder/pull/24586 -> linter fixes and CI
integration (also added README.md)
* https://github.com/coder/coder/pull/24571 -> added exclude to
scripts/check_emdash.sh check

Original PR message (before PR squash):
Moves coder/aibridge code into coder/coder repository.

Omitted files:

- `go.mod`, `go.sum`, `.gitignore`, `.github/workflows/ci.yml,`
`Makefile`, `LICENSE`, `README.md` (modified README.md is added later)
- `.github`, `example`, `buildinfo,` `scripts` directories

Simple verification script (will list omitted files)

```
tmp=$(mktemp -d)
echo "$tmp"
git clone --depth=1 https://github.com/coder/aibridge "$tmp/aibridge"
git clone --depth=1 --branch pb/aibridge-code-move https://github.com/coder/coder "$tmp/coder"
diff -rq --exclude=.git "$tmp/aibridge" "$tmp/coder/aibridge"
# rm -rf "$tmp"
```
 2026-04-22 17:01:01 +02:00
Lukasz 869168b316 chore: bump gomarkdown to patched revision (#24567) 
Updates `github.com/gomarkdown/markdown` from
`v0.0.0-20240930133441-72d49d9543d8` to
`v0.0.0-20260411013819-759bbc3e3207`.

This pulls in the patched upstream revision for the markdown dependency.
 2026-04-21 14:46:32 +00:00
Ethan bd3ed18fb1 chore: bump hashicorp/hc-install to v0.9.4 and drop coder fork replace (#24547) 
Upstream `github.com/hashicorp/hc-install` v0.9.4 ships the refreshed
HashiCorp release-signing key (hashicorp/hc-install#355 +
hashicorp/hc-install#372), so the `coder/hc-install` fork replace
directive added in #24516 is no longer needed.

Relates to https://github.com/coder/internal/issues/1476

Closes ENG-2496
 2026-04-21 15:21:12 +10:00
Susana Ferreira 522118ab20 feat: support AWS SDK default credential chain for Bedrock authentication (#24346) 
## Description

Makes AWS Bedrock credentials optional. When `AccessKey` and
`AccessKeySecret` are not set, AI Bridge falls back to the AWS SDK
default credential chain, which supports IAM Roles (instance profiles,
IRSA, ECS task roles), SSO, shared credentials files, and environment
variables.

This allows AI Bridge to authenticate with AWS Bedrock using:
- Permanent credentials (access key + secret) as before
- IAM Roles, shared config files, environment variables, SSO, etc, via
the SDK default credential chain

Depends on: https://github.com/coder/aibridge/pull/265
Related to: https://github.com/coder/aibridge/issues/144 
Related to: https://linear.app/codercom/issue/AIGOV-67

_Disclaimer: initially produced by Claude Opus 4.6, modified and
reviewed by @ssncferreira ._
 2026-04-20 10:00:05 +01:00
Ethan 7e89534d32 chore: use coder/hc-install fork to fix expired PGP key verification (#24516) 
hc-install's bundled HashiCorp release-signing pubkey contains both the
original armored block and a refreshed one, but
`openpgp.ReadArmoredKeyRing` only decodes the first, so the verifier
sees the expired key and terraform installs (and `TestInstall`) fail
with `openpgp: key expired`.

Point `github.com/hashicorp/hc-install` at our fork, which parses every
armored block and merges entities by fingerprint so the refreshed
self-signature wins. We can drop the go mod replace once
https://github.com/hashicorp/hc-install/pull/371 (or an equivalent
upstream fix) ships.

Relates to https://github.com/coder/internal/issues/1476
 2026-04-20 13:26:28 +10:00
Mathias Fredriksson 6b0bb02e5d fix: server-side diffs and stricter fuzzy splicing for edit_files (#24454) 
Fixes three classes of edit_files bugs and adds structured per-file
diff output for tool callers:

- New IncludeDiff flag on FileEditRequest; when set, the agent
  returns FileEditResponse.Files[]{Path, Diff} with unified diffs
  computed via go-udiff v0.4.1 Lines + ToUnified (not Unified,
  which calls log.Fatalf on internal error).
- Fuzzy match comparators split each line into leading whitespace,
  body, trailing whitespace, and ending. The splice substitutes at
  each position: on agreement between search and replace the file's
  bytes win; on disagreement the replacement's bytes are spliced
  verbatim. Carve-outs for empty-body lines, multi-line EOF splices,
  and level-aware indent translation for inserted lines.
- Indent-unit detection (GCD for spaces, tab-priority) lets a 4sp
  LLM search insert correctly into tab or 2sp files. Falls back to
  the previous cLead-inheritance path when units can't be detected
  cleanly.
- Empty search is rejected with "search string must not be empty".
- Duplicate file paths in one request are rejected; symlink aliases
  resolved via api.resolvePath before the dedup check.
- Frontend EditFilesRenderer consumes the structured files array by
  explicit path (no label munging) with per-file synthetic fallback
  for older agents or mismatched paths. On error, no diff is
  rendered so the synthetic fallback doesn't misrepresent a
  rejected edit as applied.

Breaking change: AgentConn.EditFiles changes from (ctx, req) error
to (ctx, req) (FileEditResponse, error) in codersdk/workspacesdk.
Source-breaking for external Go consumers; no compat shim per plan
owner.

Out of scope (tracked in CODAGT-214): level-aware indent for
middle-substituted splice lines. Locked in
TestEditFiles_FuzzyIndent_InsertionLevelAware's Lock_* cases plus
TestEditFiles_ReplaceAll_FuzzyIndentGap.
 2026-04-18 16:39:34 +03:00
dependabot[bot] 8e2343f59c chore: bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 (#24504) 
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git)
from 5.17.1 to 5.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.18.0</h2>
<h2>What's Changed</h2>
<ul>
<li>plumbing: transport/http, Add support for followRedirects policy by
<a href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2004">go-git/go-git#2004</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0">https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0</a></p>
<h2>v5.17.2</h2>
<h2>What's Changed</h2>
<ul>
<li>build: Update module github.com/go-git/go-git/v5 to v5.17.1
[SECURITY] (releases/v5.x) by <a
href="https://github.com/go-git-renovate"><code>@​go-git-renovate</code></a>[bot]
in <a
href="https://redirect.github.com/go-git/go-git/pull/1941">go-git/go-git#1941</a></li>
<li>dotgit: skip writing pack files that already exist on disk by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/1944">go-git/go-git#1944</a></li>
</ul>
<p>⚠️ This release fixes a bug (<a
href="https://redirect.github.com/go-git/go-git/issues/1942">go-git/go-git#1942</a>)
that blocked some users from upgrading to <code>v5.17.1</code>. Thanks
<a href="https://github.com/pskrbasu"><code>@​pskrbasu</code></a> for
reporting it. 🙇</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/go-git/go-git/commit/ea3e7ec9dfc54f577a01afb4dd601c0284604264"><code>ea3e7ec</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2004">#2004</a>
from go-git/v5-http-hardening</li>
<li><a
href="https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53"><code>bcd20a9</code></a>
plumbing: transport/http, Add support for followRedirects policy</li>
<li><a
href="https://github.com/go-git/go-git/commit/45ae193b3a60aa8ec8a3e373f7265a7819473d5f"><code>45ae193</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/1944">#1944</a>
from go-git/fix-perms</li>
<li><a
href="https://github.com/go-git/go-git/commit/fda4f7464b597ff33d2dea1c026482a5e900037c"><code>fda4f74</code></a>
storage: filesystem/dotgit, Skip writing pack files that already exist
on disk</li>
<li><a
href="https://github.com/go-git/go-git/commit/2212dc7caeb2a389fe2129923811ef63f75a557a"><code>2212dc7</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/1941">#1941</a>
from go-git/renovate/releases/v5.x-go-github.com-go-...</li>
<li><a
href="https://github.com/go-git/go-git/commit/ebb2d7da7f5d5aebeaa0b5e13276d72d602c1ae3"><code>ebb2d7d</code></a>
build: Update module github.com/go-git/go-git/v5 to v5.17.1
[SECURITY]</li>
<li>See full diff in <a
href="https://github.com/go-git/go-git/compare/v5.17.1...v5.18.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-git/go-git/v5&package-manager=go_modules&previous-version=5.17.1&new-version=5.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-17 22:53:10 +00:00
Danielle Maywood 15d8e4ff9f feat: accept xhigh effort for Anthropic (#24439) 2026-04-16 17:25:34 +01:00
Cian Johnston 2b68a1f4bd chore: update our fork of fantasy/anthropic-sdk-go to fix MarshalJSON over-allocations (#24390) 
Updates go.mod to reference our internal fork of anthropic-sdk-go.

See: https://github.com/coder/anthropic-sdk-go/pull/7

Relates to CODAGT-167

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-04-15 19:47:09 +01:00
Paweł Banaszewski 34f3d4a92a chore: bump aibridge version (#24368) 
No major feature changes.
New version mostly includes linter changes.
 2026-04-15 14:55:58 +02:00
dependabot[bot] 10f0786966 chore: bump the x group across 1 directory with 7 updates (#24259) 
Bumps the x group with 4 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/mod](https://github.com/golang/mod),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/tools](https://github.com/golang/tools).

Updates `golang.org/x/crypto` from 0.49.0 to 0.50.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/03ca0dcccbd37ba6be80adf74dde8d78a4d72817"><code>03ca0dc</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/8400f4a938077a7a7817ab7d163d148e371b320b"><code>8400f4a</code></a>
ssh: respect signer's algorithm preference in
pickSignatureAlgorithm</li>
<li><a
href="https://github.com/golang/crypto/commit/81c6cb34a8fc386ed53293cd79e3c0c232ee7366"><code>81c6cb3</code></a>
ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.49.0...v0.50.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.34.0 to 0.35.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/03901d351deb5bd95deb90714fb75bf8e232cb22"><code>03901d3</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.34.0...v0.35.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.52.0 to 0.53.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/a8d1fc14d9e33e1f6842ab78a0127d42cd8fff44"><code>a8d1fc1</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/056ac742146af742aa760d690269c02fa238cc7a"><code>056ac74</code></a>
quic: avoid depending on golang.org/x/sys/unix</li>
<li><a
href="https://github.com/golang/net/commit/c85f61116e47b1523036c3005f8b2923b661eb64"><code>c85f611</code></a>
http3: add http3 package for testing in std</li>
<li><a
href="https://github.com/golang/net/commit/805fc81a196b95c3c00f02e135ffb8a8d5582bdf"><code>805fc81</code></a>
http2: add transport API tests</li>
<li><a
href="https://github.com/golang/net/commit/e63b894ab3cd38a1d05396530dccde7ffa3f68d0"><code>e63b894</code></a>
http2: support testing via net/http.Transport.RoundTrip</li>
<li><a
href="https://github.com/golang/net/commit/9ee1e484e5aab0d95b3babbc6f1384d03f4f9e22"><code>9ee1e48</code></a>
http2/hpack: prevent HeaderField from escaping during encoding</li>
<li><a
href="https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49"><code>1e71bd8</code></a>
http2: prevent hanging Transport due to bad SETTINGS frame</li>
<li><a
href="https://github.com/golang/net/commit/7bca15042b9d2bda1402cb42232a9c6ddbae6212"><code>7bca150</code></a>
internal/http3: respect net/http Server Shutdown context when shutting
down</li>
<li><a
href="https://github.com/golang/net/commit/44c41bee5028537e64410b1583e8ae329ceac284"><code>44c41be</code></a>
internal/http3: prevent server from holding mutex when sleeping during
shutdown</li>
<li><a
href="https://github.com/golang/net/commit/228a67a374710bff77fc490e7f538b317c34e247"><code>228a67a</code></a>
internal/http3: add CloseIdleConnections support in transport</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.52.0...v0.53.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sys/commit/f33a730cd0c449cfd6f7106780c73052e96cc33d"><code>f33a730</code></a>
windows: support nil security descriptor on GetNamedSecurityInfo</li>
<li><a
href="https://github.com/golang/sys/commit/493d1725989a7a3f3582adfa68faf7207aec666b"><code>493d172</code></a>
cpu: add runtime import in cpu_darwin_arm64_other.go</li>
<li><a
href="https://github.com/golang/sys/commit/2c2be756b97dee6d15aba69839acfbd4e0f3ccc5"><code>2c2be75</code></a>
windows: use syscall.SyscallN in Proc.Call</li>
<li><a
href="https://github.com/golang/sys/commit/a76ec62d6c5389e4fe51c659ba926bf71e471a67"><code>a76ec62</code></a>
cpu: roll back &quot;use IsProcessorFeaturePresent to calculate ARM64 on
windows&quot;</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.42.0...v0.43.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/term` from 0.41.0 to 0.42.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/52b71d3344c86b384ed34ebf73f1e6f37044fe79"><code>52b71d3</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.41.0...v0.42.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/text` from 0.35.0 to 0.36.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/text/commit/8577a70117e110160c45f32af0e0df84eef844f7"><code>8577a70</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.35.0...v0.36.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/tools` from 0.43.0 to 0.44.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/tools/commit/3dd188df80fd3563559f02e4eeb10ba1043cce55"><code>3dd188d</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/tools/commit/aebd87084e63fd3aa0a5222eeae28af6c2e33629"><code>aebd870</code></a>
gopls: improve doc link matching to support links followed by a
colon</li>
<li><a
href="https://github.com/golang/tools/commit/5357b43c088d8403d5fcd9992431db0a351ce922"><code>5357b43</code></a>
go/analysis/passes/modernize: rangeint: handle type parameter
constraints</li>
<li><a
href="https://github.com/golang/tools/commit/bf04c618d518f244d26fb5c7ad77d893f8b1fc4d"><code>bf04c61</code></a>
go/types/internal/play: show normal terms of selected type</li>
<li><a
href="https://github.com/golang/tools/commit/0ae2de027e10d7a0530ecf7ccc2db8df8aa5dcb3"><code>0ae2de0</code></a>
gopls/internal/filecache: cache decoded objects in memCache</li>
<li><a
href="https://github.com/golang/tools/commit/8e51a5fb67f9b3e2b32792f21e727664ca6561e2"><code>8e51a5f</code></a>
go/ssa: support direct references to embedded fields in struct lit</li>
<li><a
href="https://github.com/golang/tools/commit/5005b9e710b3c1eef7e5077c77289410729919ec"><code>5005b9e</code></a>
internal/gcimporter: rename ureader_yes.go to ureader.go</li>
<li><a
href="https://github.com/golang/tools/commit/5ca865bb7d52012b73ac379c5aec59b3d04efce8"><code>5ca865b</code></a>
go/types/objectpath: add debugging command</li>
<li><a
href="https://github.com/golang/tools/commit/f6476fbaabd396b58618b473e4eb71e1f532b495"><code>f6476fb</code></a>
internal/gcimporter: consume generic methods in gcimporter</li>
<li><a
href="https://github.com/golang/tools/commit/b36d1d12a1a724eb9be6609c9789aec3d99e6030"><code>b36d1d1</code></a>
internal/pkgbits: sync version.go with goroot</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.43.0...v0.44.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-14 11:17:52 +00:00
Yevhenii Shcherbina b78eba9f9d feat: make sure creds are always masked (#24241) 
## Summary  
Adds a `sanitizeCredentialHint` safety check in the db-to-SDK conversion
layer to ensure credential hints are always masked before being exposed
in the API. Also adds `credential_kind` and `credential_hint` assertions
to the session threads API test.
 2026-04-13 10:14:38 -04:00
dependabot[bot] 0552b927b2 chore: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.67.0 to 0.68.0 (#24078) 
Bumps
[go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib)
from 0.67.0 to 0.68.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/releases">go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's
releases</a>.</em></p>
<blockquote>
<h2>Release
v1.43.0/v2.5.0/v0.68.0/v0.37.0/v0.23.0/v0.18.0/v0.16.0/v0.15.0</h2>
<h2>Added</h2>
<ul>
<li>Add <code>Resource</code> method to <code>SDK</code> in
<code>go.opentelemetry.io/contrib/otelconf/v0.3.0</code> to expose the
resolved SDK resource from declarative configuration. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8660">#8660</a>)</li>
<li>Add support to set the configuration file via
<code>OTEL_CONFIG_FILE</code> in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8639">#8639</a>)</li>
<li>Add support for <code>service</code> resource detector in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8674">#8674</a>)</li>
<li>Add support for <code>attribute_count_limit</code> and
<code>attribute_value_length_limit</code> in tracer provider
configuration in <code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8687">#8687</a>)</li>
<li>Add support for <code>attribute_count_limit</code> and
<code>attribute_value_length_limit</code> in logger provider
configuration in <code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8686">#8686</a>)</li>
<li>Add support for <code>server.address</code> and
<code>server.port</code> attributes in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8723">#8723</a>)</li>
<li>Add support for <code>OTEL_SEMCONV_STABILITY_OPT_IN</code> in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
Supported values are <code>rpc</code> (default), <code>rpc/dup</code>
and <code>rpc/old</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8726">#8726</a>)</li>
<li>Add the <code>http.route</code> metric attribute to
<code>go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8632">#8632</a>)</li>
</ul>
<h2>Changed</h2>
<ul>
<li>Prepend <code>_</code> to the normalized environment variable name
when the key starts with a digit in
<code>go.opentelemetry.io/contrib/propagators/envcar</code>, ensuring
POSIX compliance. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8678">#8678</a>)</li>
<li>Move experimental types from
<code>go.opentelemetry.io/contrib/otelconf</code> to
<code>go.opentelemetry.io/contrib/otelconf/x</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8529">#8529</a>)</li>
<li>Normalize cached environment variable names in
<code>go.opentelemetry.io/contrib/propagators/envcar</code>, aligning
<code>Carrier.Keys</code> output with the carrier's normalized key
format. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8761">#8761</a>)</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Fix <code>go.opentelemetry.io/contrib/otelconf</code> Prometheus
reader converting OTel dot-style label names (e.g.
<code>service.name</code>) to underscore-style
(<code>service_name</code>) in <code>target_info</code> when both
<code>without_type_suffix</code> and <code>without_units</code> are set.
Use <code>NoTranslation</code> instead of
<code>UnderscoreEscapingWithoutSuffixes</code> to preserve dot-style
label names while still suppressing metric name suffixes. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8763">#8763</a>)</li>
<li>Limit the request body size at 1MB in
<code>go.opentelemetry.io/contrib/zpages</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8656">#8656</a>)</li>
<li>Fix server spans using the client's address and port for
<code>server.address</code> and <code>server.port</code> attributes in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8723">#8723</a>)</li>
</ul>
<h2>Removed</h2>
<ul>
<li>Host ID resource detector has been removed when configuring the
<code>host</code> resource detector in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8581">#8581</a>)</li>
</ul>
<h2>Deprecated</h2>
<ul>
<li>Deprecate <code>OTEL_EXPERIMENTAL_CONFIG_FILE</code> in favour of
<code>OTEL_CONFIG_FILE</code> in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8639">#8639</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>chore(deps): update module github.com/jgautheron/goconst to v1.9.0
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8651">open-telemetry/opentelemetry-go-contrib#8651</a></li>
<li>chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8652">open-telemetry/opentelemetry-go-contrib#8652</a></li>
<li>chore(deps): update golang.org/x/telemetry digest to e526e8a by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8647">open-telemetry/opentelemetry-go-contrib#8647</a></li>
<li>chore(deps): update module k8s.io/klog/v2 to v2.140.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8650">open-telemetry/opentelemetry-go-contrib#8650</a></li>
<li>chore(deps): update module github.com/mgechev/revive to v1.14.0 by
<a href="https://github.com/mmorel-35"><code>@​mmorel-35</code></a> in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8646">open-telemetry/opentelemetry-go-contrib#8646</a></li>
<li>chore(deps): update module github.com/mgechev/revive to v1.15.0 by
<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot]
in <a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8539">open-telemetry/opentelemetry-go-contrib#8539</a></li>
<li>chore: fix noctx issues by <a
href="https://github.com/mmorel-35"><code>@​mmorel-35</code></a> in <a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8645">open-telemetry/opentelemetry-go-contrib#8645</a></li>
<li>chore(deps): update golang.org/x by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8655">open-telemetry/opentelemetry-go-contrib#8655</a></li>
<li>chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by
<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot]
in <a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8654">open-telemetry/opentelemetry-go-contrib#8654</a></li>
<li>chore(deps): update module github.com/mattn/go-runewidth to v0.0.21
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8653">open-telemetry/opentelemetry-go-contrib#8653</a></li>
<li>fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8657">open-telemetry/opentelemetry-go-contrib#8657</a></li>
<li>Limit the number of bytes read from the zpages body by <a
href="https://github.com/dmathieu"><code>@​dmathieu</code></a> in <a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8656">open-telemetry/opentelemetry-go-contrib#8656</a></li>
<li>fix(deps): update module github.com/golangci/golangci-lint/v2 to
v2.11.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8648">open-telemetry/opentelemetry-go-contrib#8648</a></li>
<li>fix(deps): update module github.com/golangci/golangci-lint/v2 to
v2.11.3 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8661">open-telemetry/opentelemetry-go-contrib#8661</a></li>
<li>chore(deps): update github.com/securego/gosec/v2 digest to 8895462
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8663">open-telemetry/opentelemetry-go-contrib#8663</a></li>
<li>otelconf: support OTEL_CONFIG_FILE as it is no longer experimental
by <a href="https://github.com/codeboten"><code>@​codeboten</code></a>
in <a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8639">open-telemetry/opentelemetry-go-contrib#8639</a></li>
<li>chore(deps): update module github.com/sonatard/noctx to v0.5.1 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/pull/8664">open-telemetry/opentelemetry-go-contrib#8664</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md">go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's
changelog</a>.</em></p>
<blockquote>
<h2>[1.43.0/2.5.0/0.68.0/0.37.0/0.23.0/0.18.0/0.16.0/0.15.0] -
2026-04-03</h2>
<h3>Added</h3>
<ul>
<li>Add <code>Resource</code> method to <code>SDK</code> in
<code>go.opentelemetry.io/contrib/otelconf/v0.3.0</code> to expose the
resolved SDK resource from declarative configuration. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8660">#8660</a>)</li>
<li>Add support to set the configuration file via
<code>OTEL_CONFIG_FILE</code> in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8639">#8639</a>)</li>
<li>Add support for <code>service</code> resource detector in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8674">#8674</a>)</li>
<li>Add support for <code>attribute_count_limit</code> and
<code>attribute_value_length_limit</code> in tracer provider
configuration in <code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8687">#8687</a>)</li>
<li>Add support for <code>attribute_count_limit</code> and
<code>attribute_value_length_limit</code> in logger provider
configuration in <code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8686">#8686</a>)</li>
<li>Add support for <code>server.address</code> and
<code>server.port</code> attributes in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8723">#8723</a>)</li>
<li>Add support for <code>OTEL_SEMCONV_STABILITY_OPT_IN</code> in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
Supported values are <code>rpc</code> (default), <code>rpc/dup</code>
and <code>rpc/old</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8726">#8726</a>)</li>
<li>Add the <code>http.route</code> metric attribute to
<code>go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8632">#8632</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Prepend <code>_</code> to the normalized environment variable name
when the key starts with a digit in
<code>go.opentelemetry.io/contrib/propagators/envcar</code>, ensuring
POSIX compliance. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8678">#8678</a>)</li>
<li>Move experimental types from
<code>go.opentelemetry.io/contrib/otelconf</code> to
<code>go.opentelemetry.io/contrib/otelconf/x</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8529">#8529</a>)</li>
<li>Normalize cached environment variable names in
<code>go.opentelemetry.io/contrib/propagators/envcar</code>, aligning
<code>Carrier.Keys</code> output with the carrier's normalized key
format. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8761">#8761</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix <code>go.opentelemetry.io/contrib/otelconf</code> Prometheus
reader converting OTel dot-style label names (e.g.
<code>service.name</code>) to underscore-style
(<code>service_name</code>) in <code>target_info</code> when both
<code>without_type_suffix</code> and <code>without_units</code> are set.
Use <code>NoTranslation</code> instead of
<code>UnderscoreEscapingWithoutSuffixes</code> to preserve dot-style
label names while still suppressing metric name suffixes. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8763">#8763</a>)</li>
<li>Limit the request body size at 1MB in
<code>go.opentelemetry.io/contrib/zpages</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8656">#8656</a>)</li>
<li>Fix server spans using the client's address and port for
<code>server.address</code> and <code>server.port</code> attributes in
<code>go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8723">#8723</a>)</li>
</ul>
<h3>Removed</h3>
<ul>
<li>Host ID resource detector has been removed when configuring the
<code>host</code> resource detector in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8581">#8581</a>)</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li>Deprecate <code>OTEL_EXPERIMENTAL_CONFIG_FILE</code> in favour of
<code>OTEL_CONFIG_FILE</code> in
<code>go.opentelemetry.io/contrib/otelconf</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8639">#8639</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/45977a4b9cf4a60effd1ee07367043f7e9bcae66"><code>45977a4</code></a>
Release v1.43.0/v2.5.0/v0.68.0/v0.37.0/v0.23.0/v0.18.0/v0.16.0/v0.15.0
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8769">#8769</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/0fcc1524d1a740b3632db418f73236d29536f119"><code>0fcc152</code></a>
fix(deps): update module
github.com/googlecloudplatform/opentelemetry-operati...</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/eaba3cdaa1559cc7425644e21a389f227e30dc86"><code>eaba3cd</code></a>
chore(deps): update googleapis to 6f92a3b (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8776">#8776</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/6df430c48045ad1221f203c01f6656367dd46fd1"><code>6df430c</code></a>
chore(deps): update module github.com/jgautheron/goconst to v1.10.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8771">#8771</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/ae90e3237e8d8f14bc3f181e1f82feb1686604f0"><code>ae90e32</code></a>
Fix otelconf prometheus label escaping (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8763">#8763</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/f202c3f8000fe3e681621808b5e316fe4749850a"><code>f202c3f</code></a>
otelconf: move experimental types to otelconf/x (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8529">#8529</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/8ddaecee1cc531ae753d4812842745bdfb805208"><code>8ddaece</code></a>
fix(deps): update aws-sdk-go-v2 monorepo (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8764">#8764</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/c7c03a47d4cf7252728b11efd78e2159b437dbd2"><code>c7c03a4</code></a>
chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8766">#8766</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/717a85a20313ac21712dd055ba2ede71205889e8"><code>717a85a</code></a>
envcar: normalize cached environment variable names (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8761">#8761</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/commit/ad990b6d55811953d06ec88720fa373931fa1a27"><code>ad990b6</code></a>
fix(deps): update module github.com/aws/smithy-go to v1.24.3 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go-contrib/issues/8765">#8765</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.67.0...zpages/v0.68.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-10 20:33:49 +00:00
dependabot[bot] 16b1b6865d chore: bump google.golang.org/api from 0.274.0 to 0.275.0 (#24260) 
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.274.0 to 0.275.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.275.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.274.0...v0.275.0">0.275.0</a>
(2026-04-07)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3557">#3557</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/2b2ef99cb9f245743690a4d26e4fdc65287253e0">2b2ef99</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3560">#3560</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/9437d4d741a6ae9e1c20a6f727b9c8f64e1bc19e">9437d4d</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md">google.golang.org/api's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.274.0...v0.275.0">0.275.0</a>
(2026-04-07)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3557">#3557</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/2b2ef99cb9f245743690a4d26e4fdc65287253e0">2b2ef99</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3560">#3560</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/9437d4d741a6ae9e1c20a6f727b9c8f64e1bc19e">9437d4d</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/d43aa15bdf02279f1beaa366b551587391355265"><code>d43aa15</code></a>
chore(main): release 0.275.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3558">#3558</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/9437d4d741a6ae9e1c20a6f727b9c8f64e1bc19e"><code>9437d4d</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3560">#3560</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/0a62c64ae95b23c6ecb9fc71db89f09c479b0442"><code>0a62c64</code></a>
chore(all): update cloud.google.com/go/auth to v0.20.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3559">#3559</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/2b2ef99cb9f245743690a4d26e4fdc65287253e0"><code>2b2ef99</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3557">#3557</a>)</li>
<li>See full diff in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.274.0...v0.275.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/api&package-manager=go_modules&previous-version=0.274.0&new-version=0.275.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-10 20:19:22 +00:00
dependabot[bot] 897533f08d chore: bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 (#24261) 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc)
from 3.17.0 to 3.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/coreos/go-oidc/releases">github.com/coreos/go-oidc/v3's
releases</a>.</em></p>
<blockquote>
<h2>v3.18.0</h2>
<h2>What's Changed</h2>
<ul>
<li>.github: configure dependabot by <a
href="https://github.com/ericchiang"><code>@​ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/477">coreos/go-oidc#477</a></li>
<li>.github: update go versions in CI by <a
href="https://github.com/ericchiang"><code>@​ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/480">coreos/go-oidc#480</a></li>
<li>build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coreos/go-oidc/pull/478">coreos/go-oidc#478</a></li>
<li>build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coreos/go-oidc/pull/479">coreos/go-oidc#479</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coreos/go-oidc/compare/v3.17.0...v3.18.0">https://github.com/coreos/go-oidc/compare/v3.17.0...v3.18.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/coreos/go-oidc/commit/da6b3bfca8af72414ee0e6e8746585ff5d206003"><code>da6b3bf</code></a>
build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4</li>
<li><a
href="https://github.com/coreos/go-oidc/commit/7f80694215d5eb5b28f851f35845439b1e1e9e5d"><code>7f80694</code></a>
build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0</li>
<li><a
href="https://github.com/coreos/go-oidc/commit/7271de57587bb756318f9819796ba846b1ba875a"><code>7271de5</code></a>
.github: update go versions in CI</li>
<li><a
href="https://github.com/coreos/go-oidc/commit/3ccf20fdc4afab7c64881a108d6f4c17a4ecc24d"><code>3ccf20f</code></a>
.github: configure dependabot</li>
<li>See full diff in <a
href="https://github.com/coreos/go-oidc/compare/v3.17.0...v3.18.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/coreos/go-oidc/v3&package-manager=go_modules&previous-version=3.17.0&new-version=3.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-10 20:19:21 +00:00
dependabot[bot] b68c14dd04 chore: bump github.com/hashicorp/go-getter from 1.8.4 to 1.8.6 (#24247) 
Bumps
[github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter)
from 1.8.4 to 1.8.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/hashicorp/go-getter/releases">github.com/hashicorp/go-getter's
releases</a>.</em></p>
<blockquote>
<h2>v1.8.6</h2>
<p>No release notes provided.</p>
<h2>v1.8.5</h2>
<h2>What's Changed</h2>
<ul>
<li>[chore] : Bump the go group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/576">hashicorp/go-getter#576</a></li>
<li>use %w to wrap error by <a
href="https://github.com/Ericwww"><code>@​Ericwww</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/475">hashicorp/go-getter#475</a></li>
<li>fix: <a
href="https://redirect.github.com/hashicorp/go-getter/issues/538">#538</a>
http file download skipped if headResp.ContentLength is 0 by <a
href="https://github.com/martijnvdp"><code>@​martijnvdp</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/539">hashicorp/go-getter#539</a></li>
<li>chore: fix error message capitalization in checksum function by <a
href="https://github.com/ssagarverma"><code>@​ssagarverma</code></a> in
<a
href="https://redirect.github.com/hashicorp/go-getter/pull/578">hashicorp/go-getter#578</a></li>
<li>[chore] : Bump the go group with 8 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/577">hashicorp/go-getter#577</a></li>
<li>Fix git url with ambiguous ref by <a
href="https://github.com/nimasamii"><code>@​nimasamii</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/382">hashicorp/go-getter#382</a></li>
<li>fix: resolve compilation errors in get_git_test.go by <a
href="https://github.com/CreatorHead"><code>@​CreatorHead</code></a> in
<a
href="https://redirect.github.com/hashicorp/go-getter/pull/579">hashicorp/go-getter#579</a></li>
<li>[chore] : Bump the actions group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/582">hashicorp/go-getter#582</a></li>
<li>[chore] : Bump the go group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/583">hashicorp/go-getter#583</a></li>
<li>test that arbitrary files cannot be checksummed by <a
href="https://github.com/schmichael"><code>@​schmichael</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/250">hashicorp/go-getter#250</a></li>
<li>[chore] : Bump google.golang.org/api from 0.260.0 to 0.262.0 in the
go group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/585">hashicorp/go-getter#585</a></li>
<li>[chore] : Bump actions/checkout from 6.0.1 to 6.0.2 in the actions
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/586">hashicorp/go-getter#586</a></li>
<li>[chore] : Bump the go group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/588">hashicorp/go-getter#588</a></li>
<li>[chore] : Bump actions/cache from 5.0.2 to 5.0.3 in the actions
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/589">hashicorp/go-getter#589</a></li>
<li>[chore] : Bump aws-actions/configure-aws-credentials from 5.1.1 to
6.0.0 in the actions group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/592">hashicorp/go-getter#592</a></li>
<li>[chore] : Bump google.golang.org/api from 0.264.0 to 0.265.0 in the
go group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/591">hashicorp/go-getter#591</a></li>
<li>[chore] : Bump the go group with 5 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/593">hashicorp/go-getter#593</a></li>
<li>IND-6310 - CRT Onboarding by <a
href="https://github.com/nasareeny"><code>@​nasareeny</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/584">hashicorp/go-getter#584</a></li>
<li>Fix crt build path by <a
href="https://github.com/ssagarverma"><code>@​ssagarverma</code></a> in
<a
href="https://redirect.github.com/hashicorp/go-getter/pull/594">hashicorp/go-getter#594</a></li>
<li>[chore] : Bump the go group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/596">hashicorp/go-getter#596</a></li>
<li>fix: remove checkout action from set-product-version job by <a
href="https://github.com/ssagarverma"><code>@​ssagarverma</code></a> in
<a
href="https://redirect.github.com/hashicorp/go-getter/pull/598">hashicorp/go-getter#598</a></li>
<li>[chore] : Bump the actions group with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/595">hashicorp/go-getter#595</a></li>
<li>fix(deps): upgrade go.opentelemetry.io/otel/sdk to v1.40.0
(GO-2026-4394) by <a
href="https://github.com/ssagarverma"><code>@​ssagarverma</code></a> in
<a
href="https://redirect.github.com/hashicorp/go-getter/pull/599">hashicorp/go-getter#599</a></li>
<li>Prepare go-getter for v1.8.5 release by <a
href="https://github.com/nasareeny"><code>@​nasareeny</code></a> in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/597">hashicorp/go-getter#597</a></li>
<li>[chore] : Bump the actions group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/600">hashicorp/go-getter#600</a></li>
<li>sec: bump go and xrepos + redact aws tokens in url by <a
href="https://github.com/dduzgun-security"><code>@​dduzgun-security</code></a>
in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/604">hashicorp/go-getter#604</a></li>
</ul>
<p><strong>NOTES:</strong></p>
<p>Binary Distribution Update: To streamline our release process and
align with other HashiCorp tools, all release binaries will now be
published exclusively to the official HashiCorp <a
href="https://releases.hashicorp.com/go-getter/">release</a> site. We
will no longer attach release assets to GitHub Releases.</p>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Ericwww"><code>@​Ericwww</code></a> made
their first contribution in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/475">hashicorp/go-getter#475</a></li>
<li><a
href="https://github.com/martijnvdp"><code>@​martijnvdp</code></a> made
their first contribution in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/539">hashicorp/go-getter#539</a></li>
<li><a href="https://github.com/nimasamii"><code>@​nimasamii</code></a>
made their first contribution in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/382">hashicorp/go-getter#382</a></li>
<li><a href="https://github.com/nasareeny"><code>@​nasareeny</code></a>
made their first contribution in <a
href="https://redirect.github.com/hashicorp/go-getter/pull/584">hashicorp/go-getter#584</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/hashicorp/go-getter/compare/v1.8.4...v1.8.5">https://github.com/hashicorp/go-getter/compare/v1.8.4...v1.8.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/hashicorp/go-getter/commit/d23bff48fb87c956bb507a03d35a63ee45470e34"><code>d23bff4</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-getter/issues/608">#608</a>
from hashicorp/dependabot/go_modules/go-security-9c51...</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/2c4aba8e5286c18bc66358236454a3e3b0aa7421"><code>2c4aba8</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-getter/issues/613">#613</a>
from hashicorp/pull/v1.8.6</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/fe61ed9454b818721d81328d7e880fc2ed2c8d15"><code>fe61ed9</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-getter/issues/611">#611</a>
from hashicorp/SECVULN-41053</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/d53365612c5250f7df8d586ba3be70fbd42e613b"><code>d533656</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-getter/issues/606">#606</a>
from hashicorp/pull/CRT</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/388f23d7d40f1f1e1a9f5b40ee5590c08154cd6d"><code>388f23d</code></a>
Additional test for local branch and head</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/b7ceaa59b11a203c14cf58e5fcaa8f169c0ced6e"><code>b7ceaa5</code></a>
harden checkout ref handling and added regression tests</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/769cc14fdb0df5ac548f4ead1193b5c40460f11e"><code>769cc14</code></a>
Release version bump up</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/6086a6a1f6347f735401c26429d9a0e14ad29444"><code>6086a6a</code></a>
Review Comments Addressed</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/e02063cd28e97bb8a23a63e72e2a4a4ab6e982cf"><code>e02063c</code></a>
Revert &quot;SECVULN Fix for git checkout argument injection enables
arbitrary fil...</li>
<li><a
href="https://github.com/hashicorp/go-getter/commit/c93084dc4306b2c49c54fe6fbfbe79c98956e5f8"><code>c93084d</code></a>
[chore] : Bump google.golang.org/grpc</li>
<li>Additional commits viewable in <a
href="https://github.com/hashicorp/go-getter/compare/v1.8.4...v1.8.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/hashicorp/go-getter&package-manager=go_modules&previous-version=1.8.4&new-version=1.8.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-10 15:36:57 +00:00
Ethan ad2415ede7 fix: bump coder/tailscale to pick up RTM_MISS fix (#24187) 
## What

Bumps `coder/tailscale` to
[`e956a95`](https://github.com/coder/tailscale/commit/e956a950740bd737c55451f56e77038f7430a919)
([PR #113](https://github.com/coder/tailscale/pull/113)) to pick up the
`RTM_MISS` fix for the Darwin network monitor.

Already released on `release/2.31` as v2.31.8. (#24185) to unblock a
customer. This PR is to update `main`.

## Why

On Darwin, `RTM_MISS` route-socket messages (fired on every failed route
lookup) were not filtered by `netmon`, causing each one to be treated as
a `LinkChange`. When netcheck sends STUN probes to an IPv6 address with
no route, this creates a self-sustaining feedback loop: `RTM_MISS` →
`LinkChange` → `ReSTUN` → netcheck → v6 STUN probe → `RTM_MISS` → …

The loop drives DERP home-region flapping at ~70× baseline, which at
fleet scale saturates PostgreSQL's `NOTIFY` lock and causes coordinator
health-check timeouts.

The upstream fix adds a single `if msg.Type == unix.RTM_MISS { return
true }` check to `skipRouteMessage`. This is safe because `RTM_MISS` is
a lookup-path signal, not a table-mutation signal — route withdrawals
always emit `RTM_DELETE` before any subsequent lookup can miss.

Of note is that this issue has only been reported recently, since users
updated to macOS 26.4.

Relates to ENG-2394
 2026-04-09 13:22:56 -04:00
Cian Johnston 27e5ff0a8e chore: update to our fork of charm.land/fantasy with appendCompact perf improvement (#24142) 
Fixes CODAGT-117

Updates go.mod to reference our forks of the following dependencies:
* charmbracelet/anthropic-sdk-go =>
https://github.com/coder/anthropic-sdk-go/tree/coder_2_33
* charm.land/fantasy => https://github.com/coder/fantasy/tree/coder_2_33
 2026-04-09 13:08:19 +01:00
Yevhenii Shcherbina 7f496c2f18 feat: byok-observability for aibridge (#23808) 
## Summary

Adds `credential_kind` and `credential_hint` columns to
`aibridge_interceptions` to record how each LLM request was
authenticated and provide a masked credential identifier for audit
purposes.

This enables admins to distinguish between centralized API keys,
personal API keys, and subscription-based credentials in the
interceptions audit log.

## Changes

- New migration adding `credential_kind`and `credential_hint` to
`aibridge_interceptions`
- Updated `InsertAIBridgeInterception` query and proto definition to
carry the new fields
- Wired proto fields through `translator.go` and `aibridgedserver.go` to
the database

Depends on https://github.com/coder/aibridge/pull/239
 2026-04-08 13:24:28 -04:00
Michael Suchacz 590235138f fix: pin fixed anthropic/fantasy forks for streaming token accounting (#24077) 2026-04-08 17:07:39 +00:00
dependabot[bot] d87c5ef439 chore: bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.0 to 1.97.3 (#24136) 
Bumps
[github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2)
from 1.96.0 to 1.97.3.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/90650dd22735ab68f6089ae5c39b6614286ae9ec"><code>90650dd</code></a>
Release 2026-03-26</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/dd88818bee7d632a8b9da6e2c78ef92e23c94c62"><code>dd88818</code></a>
Regenerated Clients</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/b662c50138bd393927871b46e84ee3483377f5be"><code>b662c50</code></a>
Update endpoints model</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/500a9cb3522a0e71d798d7079ff5856b23c2cac1"><code>500a9cb</code></a>
Update API model</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/6221102f763bd65d7e403fa62c3a1e3d39e24dc6"><code>6221102</code></a>
fix stale skew and delayed skew healing (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3359">#3359</a>)</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/0a39373433a121800bc68efa743a7486eb07aa3f"><code>0a39373</code></a>
fix order of generated event header handlers (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3361">#3361</a>)</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/098f3898271e2eaaf8a92e38d1d928fb018805a6"><code>098f389</code></a>
Only generate resolveAccountID when it's required (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3360">#3360</a>)</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/6ebab66428e97db0ee252fea042d56b1313cb9f6"><code>6ebab66</code></a>
Release 2026-03-25</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/b2ec3beebb986a5e74e50d0c105119d84e1e934e"><code>b2ec3be</code></a>
Regenerated Clients</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/abc126f6b35bfe2f77e2505f6d04f8ceced971ee"><code>abc126f</code></a>
Update API model</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.96.0...service/s3/v1.97.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/aws/aws-sdk-go-v2/service/s3&package-manager=go_modules&previous-version=1.96.0&new-version=1.97.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-08 04:40:17 +00:00
dependabot[bot] ef3e17317c chore: bump github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.7.6 to 1.7.8 (#24134) 
Bumps
[github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream](https://github.com/aws/aws-sdk-go-v2)
from 1.7.6 to 1.7.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/e3b97d2a02cd4e27c40224f05aa1a7deba24abe2"><code>e3b97d2</code></a>
Release 2023-10-12</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/863010ddb23c242c2a5d49d9f40094a6a49b5525"><code>863010d</code></a>
Regenerated Clients</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/6946ef8b9149fe75ac1b427ca2c7f57cdcb64549"><code>6946ef8</code></a>
Update endpoints model</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/6d93ded4536184d38a664b4b75dadd36cbd79878"><code>6d93ded</code></a>
Update API model</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/bebc232e7f65b02d0b519d11e73cf925c38e716f"><code>bebc232</code></a>
fix: fail to load config if configured profile doesn't exist (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2309">#2309</a>)</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/5de46742b7fb1b72d93d344ee81568800a707267"><code>5de4674</code></a>
fix DNS timeout error not retried (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2300">#2300</a>)</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/e155bb72a2ec20ec61db50fc3d4568e373fa4b63"><code>e155bb7</code></a>
Release 2023-10-06</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/9d342ba33937c562d215f317a37dea121ee9763d"><code>9d342ba</code></a>
Regenerated Clients</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/1df99141a143a38570d64a182ed972ce9e3dba65"><code>1df9914</code></a>
Update SDK's smithy-go dependency to v1.15.0</li>
<li><a
href="https://github.com/aws/aws-sdk-go-v2/commit/32ada3a191ac770b1b24164b667692183fc77ed9"><code>32ada3a</code></a>
Update API model</li>
<li>See full diff in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/service/m2/v1.7.6...service/m2/v1.7.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream&package-manager=go_modules&previous-version=1.7.6&new-version=1.7.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-08 03:14:12 +00:00
Kyle Carberry 16265e834e chore: update fantasy fork to use github.com/coder/fantasy (#24100) 
Moves the `charm.land/fantasy` replace directive from
`github.com/kylecarbs/fantasy` to `github.com/coder/fantasy`, pointing
at the same `cj/go1.25` branch and commit (`112927d9b6d8`).

> Generated by Coder Agents
 2026-04-07 16:11:49 +01:00
dependabot[bot] 2ea08aa168 chore: bump github.com/gohugoio/hugo from 0.159.2 to 0.160.0 (#24081) 
Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from
0.159.2 to 0.160.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gohugoio/hugo/releases">github.com/gohugoio/hugo's
releases</a>.</em></p>
<blockquote>
<h2>v0.160.0</h2>
<p>Now you can inject <a
href="https://gohugo.io/functions/css/build/#vars">CSS vars</a>, e.g.
from the configuration, into your stylesheets when building with <a
href="https://gohugo.io/functions/css/build/">css.Build</a>. Also, now
all the render hooks has a <a
href="https://gohugo.io/render-hooks/links/#position">.Position</a>
method, now also more accurate and effective.</p>
<h2>Bug fixes</h2>
<ul>
<li>Fix some recently introduced Position issues 4e91e14c <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14710">#14710</a></li>
<li>markup/goldmark: Fix double-escaping of ampersands in link URLs
dc9b51d2 <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14715">#14715</a></li>
<li>tpl: Fix stray quotes from partial decorator in script context
43aad711 <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14711">#14711</a></li>
</ul>
<h2>Improvements</h2>
<ul>
<li>all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning
481baa08 <a href="https://github.com/bep"><code>@​bep</code></a></li>
<li>tpl/css: Support <a
href="https://github.com/import"><code>@​import</code></a>
&quot;hugo:vars&quot; for CSS custom properties in css.Build 5d09b5e3 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14699">#14699</a></li>
<li>Improve and extend .Position handling in Goldmark render hooks
303e443e <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14663">#14663</a></li>
<li>markup/goldmark: Clean up test 638262ce <a
href="https://github.com/bep"><code>@​bep</code></a></li>
</ul>
<h2>Dependency Updates</h2>
<ul>
<li>build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1
bf6e35a7 <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]</li>
<li>build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
0eda24e6 <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]</li>
<li>build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a68
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]</li>
</ul>
<h2>Documentation</h2>
<ul>
<li>readme: Revise edition descriptions and installation instructions
9f1f1be0 <a
href="https://github.com/jmooring"><code>@​jmooring</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gohugoio/hugo/commit/652fc5acddf94e0501f778e196a8b630566b39ad"><code>652fc5a</code></a>
releaser: Bump versions for release of 0.160.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/bf6e35a7557bb31b0e38b29eb10b94e03afa0d8a"><code>bf6e35a</code></a>
build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/4e91e14cb0152f6e6bd216c0cd2f0913e6e17325"><code>4e91e14</code></a>
Fix some recently introduced Position issues</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/dc9b51d2e2fa1bfc2b7c68c01417bb7ae2c9c6a2"><code>dc9b51d</code></a>
markup/goldmark: Fix double-escaping of ampersands in link URLs</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/481baa08968e29e2a2771e9d6022c9f995b2fc11"><code>481baa0</code></a>
all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/43aad7118da6f8365d9cdb4aaada1878ce68fb98"><code>43aad71</code></a>
tpl: Fix stray quotes from partial decorator in script context</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/9f1f1be0be2e5b8280e16df647d838c538edb9c2"><code>9f1f1be</code></a>
readme: Revise edition descriptions and installation instructions</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/0eda24e65fdde77878a17d9583c5f2bce4f3d437"><code>0eda24e</code></a>
build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/5d09b5e32a4d0e9b3fe8797c91804f6a7804bb5a"><code>5d09b5e</code></a>
tpl/css: Support <a
href="https://github.com/import"><code>@​import</code></a>
&quot;hugo:vars&quot; for CSS custom properties in css.Build</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/303e443ea7ba5c22dc5d2b5df5d7c5392b0dcc3a"><code>303e443</code></a>
Improve and extend .Position handling in Goldmark render hooks</li>
<li>Additional commits viewable in <a
href="https://github.com/gohugoio/hugo/compare/v0.159.2...v0.160.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/gohugoio/hugo&package-manager=go_modules&previous-version=0.159.2&new-version=0.160.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-07 11:17:57 +00:00
dependabot[bot] d4b9248202 chore: bump github.com/valyala/fasthttp from 1.69.0 to 1.70.0 (#24080) 
Bumps [github.com/valyala/fasthttp](https://github.com/valyala/fasthttp)
from 1.69.0 to 1.70.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/valyala/fasthttp/releases">github.com/valyala/fasthttp's
releases</a>.</em></p>
<blockquote>
<h2>v1.70.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Go 1.26 and golangci-lint updates by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2146">valyala/fasthttp#2146</a></li>
<li>Add WithLimit methods for uncompression by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2147">valyala/fasthttp#2147</a></li>
<li>Honor Root for fs.FS and normalize fs-style roots by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2145">valyala/fasthttp#2145</a></li>
<li>Sanitize header values in all setter paths to prevent CRLF injection
by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2162">valyala/fasthttp#2162</a></li>
<li>Add ServeFileLiteral, ServeFSLiteral and SendFileLiteral by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2163">valyala/fasthttp#2163</a></li>
<li>Prevent chunk extension request smuggling by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2165">valyala/fasthttp#2165</a></li>
<li>Validate request URI format during header parsing to reject
malformed requests by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2168">valyala/fasthttp#2168</a></li>
<li>HTTP1/1 requires exactly one Host header by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2164">valyala/fasthttp#2164</a></li>
<li>Strict HTTP version validation and simplified first line parsing by
<a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2167">valyala/fasthttp#2167</a></li>
<li>Only normalize pre-colon whitespace for HTTP headers by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2172">valyala/fasthttp#2172</a></li>
<li>fs: reject '..' path segments in rewritten paths by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2173">valyala/fasthttp#2173</a></li>
<li>fasthttpproxy: reject CRLF in HTTP proxy CONNECT target by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2174">valyala/fasthttp#2174</a></li>
<li>fasthttpproxy: scope proxy auth cache to GetDialFunc by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2144">valyala/fasthttp#2144</a></li>
<li>feat: enhance performance by <a
href="https://github.com/ReneWerner87"><code>@​ReneWerner87</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2135">valyala/fasthttp#2135</a></li>
<li>export ErrConnectionClosed by <a
href="https://github.com/pjebs"><code>@​pjebs</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2152">valyala/fasthttp#2152</a></li>
<li>fix: detect master process death in prefork children by <a
href="https://github.com/meruiden"><code>@​meruiden</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2158">valyala/fasthttp#2158</a></li>
<li>return prev values by <a
href="https://github.com/pjebs"><code>@​pjebs</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2123">valyala/fasthttp#2123</a></li>
<li>docs: added httpgo to related projects by <a
href="https://github.com/MUlt1mate"><code>@​MUlt1mate</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2169">valyala/fasthttp#2169</a></li>
<li>chore(deps): bump actions/upload-artifact from 6 to 7 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2149">valyala/fasthttp#2149</a></li>
<li>chore(deps): bump github.com/andybalholm/brotli from 1.2.0 to 1.2.1
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2170">valyala/fasthttp#2170</a></li>
<li>chore(deps): bump github.com/klauspost/compress from 1.18.2 to
1.18.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2129">valyala/fasthttp#2129</a></li>
<li>chore(deps): bump github.com/klauspost/compress from 1.18.3 to
1.18.4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2140">valyala/fasthttp#2140</a></li>
<li>chore(deps): bump github.com/klauspost/compress from 1.18.4 to
1.18.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2166">valyala/fasthttp#2166</a></li>
<li>chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2139">valyala/fasthttp#2139</a></li>
<li>chore(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2128">valyala/fasthttp#2128</a></li>
<li>chore(deps): bump golang.org/x/net from 0.49.0 to 0.50.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2138">valyala/fasthttp#2138</a></li>
<li>chore(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2125">valyala/fasthttp#2125</a></li>
<li>chore(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2137">valyala/fasthttp#2137</a></li>
<li>chore(deps): bump securego/gosec from 2.22.11 to 2.23.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2142">valyala/fasthttp#2142</a></li>
<li>Update securego/gosec from 2.23.0 to 2.25.0 by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2161">valyala/fasthttp#2161</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/MUlt1mate"><code>@​MUlt1mate</code></a>
made their first contribution in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2169">valyala/fasthttp#2169</a></li>
<li><a href="https://github.com/meruiden"><code>@​meruiden</code></a>
made their first contribution in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2158">valyala/fasthttp#2158</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/valyala/fasthttp/compare/v1.69.0...v1.70.0">https://github.com/valyala/fasthttp/compare/v1.69.0...v1.70.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/valyala/fasthttp/commit/534461ad123bfbcc1190d29cb3553a19b72d2845"><code>534461a</code></a>
fasthttpproxy: reject CRLF in HTTP proxy CONNECT target (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2174">#2174</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/267e740f5657cb606d35de3ca54df55b2625508c"><code>267e740</code></a>
fs: reject '..' path segments in rewritten paths (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2173">#2173</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/a95a1ad11ceeb1726740070ab464b8d22d3278d8"><code>a95a1ad</code></a>
Only normalize pre-colon whitespace for HTTP headers (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2172">#2172</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/ab8c2aceea3da871f9f901e595425fd144d1790f"><code>ab8c2ac</code></a>
fix: detect master process death in prefork children (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2158">#2158</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/c4569c5fbb7b0142cb2607dbb170f6efcec96894"><code>c4569c5</code></a>
feat: enhance performance (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2135">#2135</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/beab280ed3f7be24111fe5b452564be647370ee7"><code>beab280</code></a>
chore(deps): bump github.com/andybalholm/brotli from 1.2.0 to 1.2.1 (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2170">#2170</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/82254a7addc61a494b6a504fb0c65871a9c0444f"><code>82254a7</code></a>
Normalize framing header names with pre-colon whitespace</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/611132707f1d75db30a7f3347092e36bcd87094e"><code>6111327</code></a>
Strict HTTP version validation and simplified first line parsing (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2167">#2167</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/eb38f5fc140be062aa5acbbeb97571e538a4e781"><code>eb38f5f</code></a>
HTTP1/1 requires exactly one Host header (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2164">#2164</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/7d90713bda6f90f398f42dced466942912b44fd6"><code>7d90713</code></a>
Validate request URI format during header parsing to reject malformed
request...</li>
<li>Additional commits viewable in <a
href="https://github.com/valyala/fasthttp/compare/v1.69.0...v1.70.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/valyala/fasthttp&package-manager=go_modules&previous-version=1.69.0&new-version=1.70.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-04-07 11:17:34 +00:00