Commit Graph

1325 Commits

Author SHA1 Message Date
Steven Masley 4591212482 feat: implement SCIM handler for SCIM 2.0 compliance (#25572)
Rewrites the SCIM 2.0 user provisioning handler to be RFC 7644
compliant. Verified against an external IdP Okta.

Behavior is OPT IN
2026-05-28 10:00:37 -05:00
Jon Ayers f6f284ea51 feat: add initial NATS implementation (#25602) 2026-05-27 12:57:20 -05:00
dependabot[bot] d03986e3f6 chore: bump the x group with 3 updates (#25696)
Bumps the x group with 3 updates:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/sys](https://github.com/golang/sys).

Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/a1c0d9929856c8aba2b31f079340f00578eda803"><code>a1c0d99</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/3c7c86938f4541c333d506f719388d9c42d4763d"><code>3c7c869</code></a>
ssh: fix deadlock on unexpected channel responses</li>
<li><a
href="https://github.com/golang/crypto/commit/533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce"><code>533fb3f</code></a>
ssh: fix source-address critical option bypass</li>
<li><a
href="https://github.com/golang/crypto/commit/abbc44d451a6f9236a2bbd26cbcd4d0fec473da3"><code>abbc44d</code></a>
ssh: fix incorrect operator order</li>
<li><a
href="https://github.com/golang/crypto/commit/e052873987615dc96fe67607a9a6adb76311344f"><code>e052873</code></a>
ssh: fix infinite loop on large channel writes due to integer
overflow</li>
<li><a
href="https://github.com/golang/crypto/commit/b61cf853a89d82cad68da5e12a6beca2116f8456"><code>b61cf85</code></a>
ssh: enforce user presence verification for security keys</li>
<li><a
href="https://github.com/golang/crypto/commit/9c2cd33e8d96a96133fd6ff732510ebba539c2bd"><code>9c2cd33</code></a>
ssh: enforce strict limits on DSA key parameters</li>
<li><a
href="https://github.com/golang/crypto/commit/890731877d85f71cfdc9554e7a27fec4684fc4c4"><code>8907318</code></a>
ssh: reject RSA keys with excessively large moduli</li>
<li><a
href="https://github.com/golang/crypto/commit/ffd87b4878fa98ca2908ec534e1a410bf095a35e"><code>ffd87b4</code></a>
ssh: fix panic when authority callbacks are nil</li>
<li><a
href="https://github.com/golang/crypto/commit/4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946"><code>4e7a738</code></a>
ssh: fix deadlock on unexpected global responses</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.51.0...v0.52.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.54.0 to 0.55.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/7770ec48d03fec35e378665337b4faca93c38423"><code>7770ec4</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/4ece7b612ad44ad6c4d5e0d5d4df9c18cc211905"><code>4ece7b6</code></a>
html: escape greater-than symbol in doctype identifiers</li>
<li><a
href="https://github.com/golang/net/commit/08be507abce89191d78cd49da60f4501fc910472"><code>08be507</code></a>
html: improve Noah's Ark clause performance</li>
<li><a
href="https://github.com/golang/net/commit/a8fb2fe4f7378f816302b9f2f7b8290ce512e5dd"><code>a8fb2fe</code></a>
html: properly render fostered elements in foreign content</li>
<li><a
href="https://github.com/golang/net/commit/0dc5b7a5f81d7155ade6d5e9db35992998679932"><code>0dc5b7a</code></a>
html: properly check namespace in &quot;in body&quot; any other end
tag</li>
<li><a
href="https://github.com/golang/net/commit/a452f3cc17168a60bc3f439a3ae0fcffc32eca0e"><code>a452f3c</code></a>
html: ignore duplicate attributes during tokenization</li>
<li><a
href="https://github.com/golang/net/commit/f8651996b24ba47d89dd9eb97fd47758e6d1886f"><code>f865199</code></a>
quic: fix appendMaxDataFrame erroneously accumulating sentLimit</li>
<li><a
href="https://github.com/golang/net/commit/210ed3cb901cb549818aefa04b71dadaf149d05d"><code>210ed3c</code></a>
quic: establish a &quot;happened-before&quot; relationship between
stream write and read</li>
<li><a
href="https://github.com/golang/net/commit/ad8140e0aa2ec41b37ea478b4525a423bcc21af9"><code>ad8140e</code></a>
quic: fix buffer slicing when handling overlapping stream data</li>
<li><a
href="https://github.com/golang/net/commit/23ee2efe81a3ff183b4eca46c42f749af7efca45"><code>23ee2ef</code></a>
http2: avoid API changes when built with go1.27</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.54.0...v0.55.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sys` from 0.44.0 to 0.45.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sys/commit/397d5f80920585bc27433d878aba498d062f81e1"><code>397d5f8</code></a>
unix: update to Linux kernel 7.0</li>
<li><a
href="https://github.com/golang/sys/commit/0a387f7a07d7a0e9811f00603c10b4e5a94ab79c"><code>0a387f7</code></a>
cpu: detect zbc extension on riscv64</li>
<li><a
href="https://github.com/golang/sys/commit/758f71cb839d131daf0ba4befa6a2c6ceb21a649"><code>758f71c</code></a>
cpu: add LLACQ_SCREL, SCQ, DBAR_HINTS detection for loong64</li>
<li><a
href="https://github.com/golang/sys/commit/99666ae32e07f6403182a79cb5df0c417cbbf25f"><code>99666ae</code></a>
unix: merge Linux readv/writev implementation with Darwin/OpenBSD</li>
<li><a
href="https://github.com/golang/sys/commit/e4444cbaaaf61cecff8e635874066fcd5c841575"><code>e4444cb</code></a>
windows: add NtSetEaFile, NtQueryEaFile and NtQueryInformationFile</li>
<li><a
href="https://github.com/golang/sys/commit/04396e85d470b7f990a9a1df5c1a44dc8e30c292"><code>04396e8</code></a>
unix: add Readv, Writev, Preadv, Pwritev for OpenBSD</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.44.0...v0.45.0">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-26 18:57:15 +00:00
dependabot[bot] 089ae2411e chore: bump github.com/gohugoio/hugo from 0.161.1 to 0.162.0 (#25698)
Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from
0.161.1 to 0.162.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gohugoio/hugo/releases">github.com/gohugoio/hugo's
releases</a>.</em></p>
<blockquote>
<h2>v0.162.0</h2>
<p>The notable new feature in this release is support for <a
href="https://gohugo.io/configuration/imaging/#avif-images">AVIF
images</a> (both encoder and decoder). There's a <a
href="https://github.com/bep/hdrsdr.com">demo site</a> set up that
demonstrates the difference between HDR AVIF and SDR JPEG images. Note
that that demo is only really interesting if viewed on an HDR capable
screen (e.g. Apple Retina).</p>
<h2>Security fixes</h2>
<p>There are some notable security fixes in this release.</p>
<h3>Security fixes in Go</h3>
<p>This release upgrades from Go 1.26.1 to 126.3, which brings a set of
security fixes. Some relevant for Hugo are:</p>
<ul>
<li>XSS in html/template (CVE-2026-39826 &amp; CVE-2026-39823): Two
separate vulnerabilities where escaper bypasses in html/template could
lead to Cross-Site Scripting (XSS).</li>
<li>html/template: Fixes an issue where JS template literal contexts
were incorrectly tracked across template branches, which could lead to
improper content escaping.</li>
</ul>
<h3>Security fixes and hardening in Hugo</h3>
<p>The following changes either fix a concrete issue or reduce the
default attack surface of <code>hugo</code> builds.</p>
<ul>
<li><strong>Disallow <code>text/html</code> content files by
default</strong> (<a
href="https://github.com/gohugoio/hugo/commit/e41a06447d">e41a064</a>).
A new <code>security.allowContent</code> policy gates which content
media types may be used for pages under <code>/content</code>.
<code>text/html</code> is denied by default; sites that rely on
hand-authored or adapter-emitted HTML content can opt back in with
<code>security.allowContent = ['.*']</code>.</li>
<li><strong>Re-check <code>security.http.urls</code> on every redirect
hop in <code>resources.GetRemote</code></strong> (<a
href="https://github.com/gohugoio/hugo/commit/86fbb0f7a8">86fbb0f</a>).</li>
<li><strong>Reject symlinked entries in
<code>resources.Get</code></strong> (<a
href="https://github.com/gohugoio/hugo/commit/f8b5fa09a6">f8b5fa0</a>).</li>
</ul>
<p><strong>We will update this section later with links to CVEs where
applicable.</strong></p>
<h2>All changes</h2>
<ul>
<li>hugolib: Fix Page.GitInfo for modules with go.mod in a repo
subdirectory df542191 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14942">#14942</a></li>
<li>Fix typo in CONTRIBUTING.md 4bc7caea <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>resources: Fix the :counter placeholder 5d51b82a <a
href="https://github.com/jmooring"><code>@​jmooring</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14921">#14921</a></li>
<li>commands: Fix import from Jekyll 81d77620 <a
href="https://github.com/jmooring"><code>@​jmooring</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14795">#14795</a>
<a
href="https://redirect.github.com/gohugoio/hugo/issues/14906">#14906</a></li>
<li>Fix prevention of direct symlink reads in resources.Get f8b5fa09 <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>commands: Fix github-dark chromastyles 88d838a9 <a
href="https://github.com/xndvaz"><code>@​xndvaz</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14831">#14831</a></li>
<li>Disallow HTML content by default e41a0644 <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>Add image processing support for AVIF 90d9f812 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/7837">#7837</a></li>
<li>config: Preserve intentionally empty maps 80e60847 <a
href="https://github.com/jmooring"><code>@​jmooring</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14944">#14944</a></li>
<li>hugolib: Merge existing hugo_stats.json when renderSegments is set
aeb9a5cc <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14939">#14939</a></li>
<li>all: Replace RWMutex struct caches with ConcurrentMap c4bbc280 <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>tpl/tplimpl: Consolidate and improve embedded template integration
tests d8c70218 <a
href="https://github.com/jmooring"><code>@​jmooring</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14932">#14932</a></li>
<li>parser: Drop empty sub maps from hugo config output ee4f1acd <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14855">#14855</a></li>
<li>markup/highlight: Allow overriding type and code via options
b6133657 <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/11872">#11872</a></li>
<li>Update AI assistance disclosure requirements d2c821b5 <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>hugolib: Use AllTranslated in IsTranslated 4ed7600f <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>tpl: Simplify sitemap template cbe4339a <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14912">#14912</a></li>
<li>tpl: Use AllTranslations in sitemap template 6475d308 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14912">#14912</a>
<a
href="https://redirect.github.com/gohugoio/hugo/issues/14917">#14917</a></li>
<li>tpl/collections: Make dict return nil when no values are provided
67aede43 <a href="https://github.com/bep"><code>@​bep</code></a></li>
<li>Sync Go template package to 1.26.3 87f194b2 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14897">#14897</a></li>
<li>Upgrade to Go 1.26.3 d81e3c29 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14897">#14897</a></li>
<li>ci: Check embedded template formatting with gotmplfmt 7c65a4db <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>tpl: Run gotmplfmt -w . d31a9275 <a
href="https://github.com/bep"><code>@​bep</code></a></li>
<li>markup/goldmark/codeblocks: Always split Chroma options into
.Options c36608c5 <a
href="https://github.com/jmooring"><code>@​jmooring</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14909">#14909</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gohugoio/hugo/commit/076dfe13d0f789e3d9586b192f8f7f3329c26990"><code>076dfe1</code></a>
releaser: Bump versions for release of 0.162.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"><code>e41a064</code></a>
Disallow HTML content by default</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/90d9f812b2cafc79ca125a829936dec9654aec64"><code>90d9f81</code></a>
Add image processing support for AVIF</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/80e60847fb5d12f6a54fae782cb643a1772c38b6"><code>80e6084</code></a>
config: Preserve intentionally empty maps</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/df5421918a987cedaba42a050b0e4dde9c88ba3f"><code>df54219</code></a>
hugolib: Fix Page.GitInfo for modules with go.mod in a repo
subdirectory</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/aeb9a5cc02fad527220d6a40b1450661c6a56503"><code>aeb9a5c</code></a>
hugolib: Merge existing hugo_stats.json when renderSegments is set</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/c4bbc2805c7092deafabae01e71ff2dda37bd877"><code>c4bbc28</code></a>
all: Replace RWMutex struct caches with ConcurrentMap</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/d8c70218b7385125d807784534af5e5491bc30df"><code>d8c7021</code></a>
tpl/tplimpl: Consolidate and improve embedded template integration
tests</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/ee4f1acd93b417078715693fb22ce1fd2bab2684"><code>ee4f1ac</code></a>
parser: Drop empty sub maps from hugo config output</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/b6133657e006290375e587bfb6566469a14911af"><code>b613365</code></a>
markup/highlight: Allow overriding type and code via options</li>
<li>Additional commits viewable in <a
href="https://github.com/gohugoio/hugo/compare/v0.161.1...v0.162.0">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-26 18:55:33 +00:00
Cian Johnston 579daaff70 feat: add GitLab support to coderd/externalauth/gitprovider
Fixes CODAGT-146

Add GitLab support to the gitprovider package for gitsync/chatd PR
diff flows. This is a squashed stack of 3 PRs:

#25651 - refactor(coderd/externalauth): prepare gitprovider for multi-provider support
- Change gitprovider.New to return (Provider, error)
- Extract shared helpers (parseRetryAfter, checkRateLimitError,
  countDiffLines, escapePathPreserveSlashes) from github.go
- Update all callers (db2sdk, exp_chats, gitsync) for new signature
- Add error logging for provider construction failures
- Thread context through provider resolution

#25652 - feat(coderd/externalauth/gitprovider): add GitLab provider
- Implement full Provider interface: FetchPullRequestStatus,
  FetchPullRequestDiff, FetchBranchDiff, ResolveBranchPullRequest
- Handle nested groups, forks, and self-hosted instances
- Rate limit detection on both library and raw HTTP paths
- URL parsing/building with NormalizePullRequestURL support
- Unit tests covering error paths, URL parsing, state mapping
- Document GitLab configuration and known limitations

#25653 - test(coderd/externalauth/gitprovider): add GitLab VCR integration tests
- FetchPullRequestStatus: 4 fixtures (open, conflicts, merged, closed)
- FetchPullRequestDiff: 4 fixtures
- FetchBranchDiff: 3 fixtures (open, deleted, fork)
- ResolveBranchPullRequest: 3 fixtures
- go-vcr cassettes with sanitized GitLab API responses
2026-05-25 17:41:02 +01:00
Cian Johnston a4afb9dfc6 feat: add --env-file flag to develop.sh (#25621)
Adds `--env-file` to `scripts/develop.sh` to allow reading environment 
from a given file. This makes it easier to configure things like external 
auth providers, access URLs, and other dev-time settings without 
exporting a wall of environment variables in every shell session.

> Generated with [Coder Agents](https://coder.com/agents)
2026-05-25 11:54:57 +01:00
Zach 8d0a73f0b1 chore: bump terraform-provider-coder and coder/preview for coder_secret removal (#25590)
We decided to remove secret requirements and go a different direction
for secrets in Coder (see PLAT-243). As a result, we removed the code in
terraform-provider-coder and coder/preview to handle this resource. This
PR pulls in said updated versions.

Generated with assistance by Coder Agents.
2026-05-22 07:57:54 -06:00
Mathias Fredriksson f1b772928d feat: parse execute tool commands and render them in the chat UI (#25478)
When the execute tool runs a chained shell command, the UI previously
rendered the raw string. Long chains like "cd /repo && git pull &&
git add . && git commit -m fix" were hard to scan.

A new ChatMessagePart.ParsedCommands [][]string field on tool-call
parts carries one entry per simple command, parsed in chatd from args
via mvdan.cc/sh/v3/syntax. The frontend renders the joined list ("cd,
git pull, git add, git commit") in place of the raw command, and falls
back to the raw command when the field is absent.

Closes CODAGT-446
2026-05-21 08:12:34 +00:00
dependabot[bot] ce57ecc908 chore: bump google.golang.org/api from 0.278.0 to 0.280.0 (#25516)
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.278.0 to 0.280.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.280.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.279.0...v0.280.0">0.280.0</a>
(2026-05-19)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3591">#3591</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/55ba2fab69ee14286ad052f57ed90a726b071e86">55ba2fa</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3593">#3593</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/054d4b6054450d2be21f50fad64145a4e0125424">054d4b6</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3594">#3594</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/03829161b8cd77bf11f4a3a5d07a43f6b1904fbe">0382916</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3595">#3595</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/13e1ad2eeb540d19709df87ce9a0cfdb632f1bf3">13e1ad2</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3596">#3596</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/4c77865748dda2086de226e9401531c934cd909f">4c77865</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3598">#3598</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ae2f33001826f523ecc6d2f141244e55fbac45c0">ae2f330</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3599">#3599</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/f82d2049187ed2ab7ee27831a1a78887c5969ca4">f82d204</a>)</li>
</ul>
<h2>v0.279.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.278.0...v0.279.0">0.279.0</a>
(2026-05-12)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3585">#3585</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/09db0e346a6b567747dceee3872229a62c95124c">09db0e3</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3587">#3587</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/e87e376dbd590cffb3632c378e1ade4a9dacf3ce">e87e376</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3590">#3590</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/d4241eaef9ab3daad4fd4aaeccc118795cfc58a7">d4241ea</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/3887b09ecbbaf25fba1bf52227ad5ca4f89e9968"><code>3887b09</code></a>
chore(main): release 0.280.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3592">#3592</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/f82d2049187ed2ab7ee27831a1a78887c5969ca4"><code>f82d204</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3599">#3599</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/13e7314e1377c0dd4e132a681b3130abc5843dbd"><code>13e7314</code></a>
chore(all): update all (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3597">#3597</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/ae2f33001826f523ecc6d2f141244e55fbac45c0"><code>ae2f330</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3598">#3598</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/4c77865748dda2086de226e9401531c934cd909f"><code>4c77865</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3596">#3596</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/13e1ad2eeb540d19709df87ce9a0cfdb632f1bf3"><code>13e1ad2</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3595">#3595</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/03829161b8cd77bf11f4a3a5d07a43f6b1904fbe"><code>0382916</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3594">#3594</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/054d4b6054450d2be21f50fad64145a4e0125424"><code>054d4b6</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3593">#3593</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/55ba2fab69ee14286ad052f57ed90a726b071e86"><code>55ba2fa</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3591">#3591</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/e446d4cdeb5e63cd6916051edd2c56588eede309"><code>e446d4c</code></a>
chore(main): release 0.279.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3586">#3586</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.278.0...v0.280.0">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 22:55:11 +00:00
dependabot[bot] f6a9e43185 chore: bump github.com/coder/terraform-provider-coder/v2 from 2.16.0 to 2.17.0 (#25515)
Bumps
[github.com/coder/terraform-provider-coder/v2](https://github.com/coder/terraform-provider-coder)
from 2.16.0 to 2.17.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/coder/terraform-provider-coder/releases">github.com/coder/terraform-provider-coder/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.17.0</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): Bump golang.org/x/mod from 0.34.0 to 0.35.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/500">coder/terraform-provider-coder#500</a></li>
<li>build(deps): Bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/485">coder/terraform-provider-coder#485</a></li>
<li>build(deps): Bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/502">coder/terraform-provider-coder#502</a></li>
<li>build(deps): Bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/505">coder/terraform-provider-coder#505</a></li>
<li>build(deps): Bump golang.org/x/mod from 0.35.0 to 0.36.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/508">coder/terraform-provider-coder#508</a></li>
<li>chore: upgrade Go to 1.26 by <a
href="https://github.com/matifali"><code>@​matifali</code></a> in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/494">coder/terraform-provider-coder#494</a></li>
<li>chore: warn when coder_agent dir breaks Desktop file sync by <a
href="https://github.com/zenithwolf1000"><code>@​zenithwolf1000</code></a>
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/507">coder/terraform-provider-coder#507</a></li>
<li>build(deps): Bump github.com/hashicorp/terraform-plugin-sdk/v2 from
2.38.1 to 2.40.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/506">coder/terraform-provider-coder#506</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/zenithwolf1000"><code>@​zenithwolf1000</code></a>
made their first contribution in <a
href="https://redirect.github.com/coder/terraform-provider-coder/pull/507">coder/terraform-provider-coder#507</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coder/terraform-provider-coder/compare/v2.16.0...v2.17.0">https://github.com/coder/terraform-provider-coder/compare/v2.16.0...v2.17.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/35a52f2969dfd236df4ea370fdb84a70475e5bbd"><code>35a52f2</code></a>
build(deps): Bump github.com/hashicorp/terraform-plugin-sdk/v2 from
2.38.1 to...</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/c80aa71a5d8d03c8ebb7de2c02e34556fa98f04b"><code>c80aa71</code></a>
chore: warn when coder_agent dir breaks Desktop file sync (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/507">#507</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/d1b758b3e04a35d3339fa838872bec137eb28e15"><code>d1b758b</code></a>
chore: upgrade Go to 1.26 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/494">#494</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/223b51b40f52bfdfcad65805f3bf94c31dfd531d"><code>223b51b</code></a>
build(deps): Bump golang.org/x/mod from 0.35.0 to 0.36.0 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/508">#508</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/fe03a1da39aaf2f1eb0945526d7a284339963262"><code>fe03a1d</code></a>
build(deps): Bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/505">#505</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/7da76fab022e71fd2ded14df27daa7de36e4980d"><code>7da76fa</code></a>
build(deps): Bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/502">#502</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/8f68c55762c371e4f4d3dcafd83688d0b613dffc"><code>8f68c55</code></a>
build(deps): Bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/485">#485</a>)</li>
<li><a
href="https://github.com/coder/terraform-provider-coder/commit/99b6eee0c6467576672ad8ff5a4a68539ccba19b"><code>99b6eee</code></a>
build(deps): Bump golang.org/x/mod from 0.34.0 to 0.35.0 (<a
href="https://redirect.github.com/coder/terraform-provider-coder/issues/500">#500</a>)</li>
<li>See full diff in <a
href="https://github.com/coder/terraform-provider-coder/compare/v2.16.0...v2.17.0">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 22:52:59 +00:00
dependabot[bot] 91c405caa4 chore: bump github.com/brianvoe/gofakeit/v7 from 7.14.0 to 7.15.0 (#25513)
Bumps
[github.com/brianvoe/gofakeit/v7](https://github.com/brianvoe/gofakeit)
from 7.14.0 to 7.15.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/010dc54464bc1c104ee1bad3823325dd2e14d4dd"><code>010dc54</code></a>
email - better email generation with weighted mix and testing valid
email gen...</li>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/794efc9b4520eb8f2df00b3db0aa8fb64e04d469"><code>794efc9</code></a>
password - space usage adjustment</li>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/ee08eae8003a40768c47bacd76dfa5503a461752"><code>ee08eae</code></a>
Merge pull request <a
href="https://redirect.github.com/brianvoe/gofakeit/issues/392">#392</a>
from shubhamatkal/fix/password-guarantee-character-sets</li>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/c38fe1a8fb22e850fbdbbe2a54d5954a60e13a65"><code>c38fe1a</code></a>
github - workflow less verbose</li>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/22b91127ddcc896b66a389c2c00b73985091d11c"><code>22b9112</code></a>
datetime - yearly fix</li>
<li><a
href="https://github.com/brianvoe/gofakeit/commit/35520064411e85a403d4b41f22d3269604871e20"><code>3552006</code></a>
fix: guarantee at least one char per enabled set in Password()</li>
<li>See full diff in <a
href="https://github.com/brianvoe/gofakeit/compare/v7.14.0...v7.15.0">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 22:52:23 +00:00
dependabot[bot] 01492e0e7b chore: bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#25494)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git)
from 5.19.0 to 5.19.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.19.1</h2>
<h2>What's Changed</h2>
<ul>
<li>v5: plumbing: transport/ssh, Shell-quote path by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2068">go-git/go-git#2068</a></li>
<li>v5: git: submodule, Fix relative URL resolution by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2070">go-git/go-git#2070</a></li>
<li>v5: git: submodule, canonical remote for relative URLs by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2074">go-git/go-git#2074</a></li>
<li>v5: git: submodule, error on remote without URLs by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2078">go-git/go-git#2078</a></li>
<li>v5: plumbing: format/idxfile, Validate offset64 indices by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2084">go-git/go-git#2084</a></li>
<li>v5: *: Reject malformed variable-length integers by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2092">go-git/go-git#2092</a></li>
<li>v5: plumbing: format/packfile, Tighten delta validation by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2091">go-git/go-git#2091</a></li>
<li>v5: Add <code>worktreeFilesystem</code> wrapper for worktree and
hardening by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2100">go-git/go-git#2100</a></li>
<li>v5: config: validate submodule names by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2082">go-git/go-git#2082</a></li>
<li>build: Update module github.com/go-git/go-git/v5 to v5.19.0
[SECURITY] (releases/v5.x) by <a
href="https://github.com/go-git-renovate"><code>@​go-git-renovate</code></a>[bot]
in <a
href="https://redirect.github.com/go-git/go-git/pull/2111">go-git/go-git#2111</a></li>
<li>v5: git: Allow MkdirAll on worktree-root paths by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2117">go-git/go-git#2117</a></li>
<li>v5: git: Stop validating symlink target paths by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2116">go-git/go-git#2116</a></li>
<li>v5: plumbing: format decoder input bounds and contracts by <a
href="https://github.com/hiddeco"><code>@​hiddeco</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2125">go-git/go-git#2125</a></li>
<li>plumbing: format/packfile, cap delta chain depth in parser by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2137">go-git/go-git#2137</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1">https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/go-git/go-git/commit/3c3be601aa6c0fd0d536c0d1e4f898b4c60e65fe"><code>3c3be60</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2137">#2137</a>
from go-git/validate-v5</li>
<li><a
href="https://github.com/go-git/go-git/commit/3fba897bd9e84b1aec170fa708b80e297b7d6cf6"><code>3fba897</code></a>
plumbing: format/packfile, cap delta chain depth in parser</li>
<li><a
href="https://github.com/go-git/go-git/commit/a97d6601c85e017bb64c2b0f2e3169f6ef6a6709"><code>a97d660</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2125">#2125</a>
from hiddeco/v5/format-input-bounds</li>
<li><a
href="https://github.com/go-git/go-git/commit/aeaa125c8af8e4c4c95b574c22c5633e97fc436e"><code>aeaa125</code></a>
plumbing: format/objfile, require Header before Read</li>
<li><a
href="https://github.com/go-git/go-git/commit/1f38e171218526ea254a73187a52f0648253c1b8"><code>1f38e17</code></a>
plumbing: format/packfile, bound inflate size</li>
<li><a
href="https://github.com/go-git/go-git/commit/f7545a02529e03998d6a7219140dc0e6644ad337"><code>f7545a0</code></a>
plumbing: format/idxfile, bound nr by file size</li>
<li><a
href="https://github.com/go-git/go-git/commit/170b88181f385913a457a08b68c88956fb3f8e4f"><code>170b881</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2116">#2116</a>
from pjbgf/symlink-v5</li>
<li><a
href="https://github.com/go-git/go-git/commit/7b6d994467f06630268904aa3c441b6de7248b31"><code>7b6d994</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2117">#2117</a>
from hiddeco/v5/worktree-fs-mkdirall-root-noop</li>
<li><a
href="https://github.com/go-git/go-git/commit/f0709b32f8fbb87c16cd63c6762d2cd515f36541"><code>f0709b3</code></a>
git: Stop validating symlink target paths</li>
<li><a
href="https://github.com/go-git/go-git/commit/776d00f11d336f26862d0f2bab987b217f3a7844"><code>776d00f</code></a>
git: Allow MkdirAll on worktree-root paths</li>
<li>Additional commits viewable in <a
href="https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1">compare
view</a></li>
</ul>
</details>
<br />


You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 16:20:21 +00:00
Rowan Smith 9cf359475b fix: update tailscale fork to fix TSMP/ICMP callback leak (#25469)
Updates `github.com/coder/tailscale` to
[`v1.1.1-0.20260519043957-6f014ff9434f`](https://github.com/coder/tailscale/commit/6f014ff9434f8c7c4b5b0b0450cbaf2e8b4a52af)
to include the fix from
[coder/tailscale#122](https://github.com/coder/tailscale/pull/122),
which ports the upstream
[tailscale/tailscale#18113](https://github.com/tailscale/tailscale/pull/18113)
fix for TSMP/ICMP callback leaks.

Fixes #25380

> Generated with [Coder Agents](https://coder.com) by @rowansmithau
2026-05-19 15:19:09 +10:00
Ethan e75bd3aca4 fix: preserve Anthropic replay fidelity (#25377)
Anthropic is strict about replaying the latest assistant turn once it
contains signed or redacted reasoning. We were still mutating that turn
in a few Coder-owned places: dropping empty reasoning blocks on replay,
rewriting provider-tool history during sanitization, and in the worst
case sending a prompt we already knew Anthropic would reject.

This patch keeps the latest signed assistant immutable through Coder's
replay and sanitization paths, preserves empty signed or redacted
reasoning anywhere Coder owns the ledger, and fails before the provider
call if the prompt is still unsafe.

It also bumps the existing `coder/fantasy` `coder_2_33` fork that `main`
already uses to the commit containing coder/fantasy#35. These fixes have
also been upstreamed to charmbracelet/fantasy.

Closes CODAGT-409.
2026-05-18 15:20:33 +10:00
Ethan e37bf4f7be ci: bump paralleltestctx to v0.0.2 (#25323)
## Summary

- bump `github.com/coder/paralleltestctx` from v0.0.1 to v0.0.2
- pick up the latest paralleltestctx timeout-context detection
improvements in `go tool ... paralleltestctx` runs
2026-05-15 00:14:38 +10:00
Jakub Domeracki 1a1f06aa79 fix: verify PKCS7 signature on Azure instance identity tokens (#25286)
Migrates Azure instance identity verification from
`go.mozilla.org/pkcs7` and `github.com/fullsailor/pkcs7` to
`github.com/smallstep/pkcs7`, using `VerifyWithChainAtTime` to validate
both the PKCS7 signature and the certificate chain in one call. The
previous code only verified the signer certificate against a set of
intermediates/roots but did not verify that the PKCS7 signature itself
covered the content, meaning tampered payloads could be accepted.

The `Options` struct is restructured to accept `Roots`, `Intermediates`,
and `CurrentTime` as explicit fields instead of embedding
`x509.VerifyOptions`. The test helper `NewAzureInstanceIdentity` now
builds a realistic 3-level certificate chain (Root CA -> Intermediate CA
-> Signing Cert) matching the real Azure trust hierarchy. New tests
(`TestValidate_TamperedContent`,
`TestValidate_UntrustedCertWithValidSignature`) confirm tampered and
untrusted envelopes are rejected.

Addresses GHSA-6x44-w3xg-hqqf.

> [!NOTE]
> This PR was authored by Coder Agents.

<details>
<summary>Implementation Plan</summary>

### Files Changed

| File | Summary |
|------|---------|
| `coderd/azureidentity/azureidentity.go` | Replace `signer.Verify()` with `VerifyWithChainAtTime`; restructure `Options` struct; add `ParseCertificates()` helper |
| `coderd/azureidentity/azureidentity_test.go` | Add `testCertChain` builder, tampered-content and untrusted-cert tests; update existing tests for new `Options` API |
| `coderd/coderd.go` | Change `AzureCertificates` field from `x509.VerifyOptions` to `azureidentity.Options` |
| `coderd/workspaceresourceauth.go` | Pass `api.AzureCertificates` directly instead of wrapping |
| `coderd/coderdtest/coderdtest.go` | Migrate to `smallstep/pkcs7`; build 3-level cert chain in test helper |
| `go.mod` / `go.sum` | Add `github.com/smallstep/pkcs7`; remove `fullsailor/pkcs7` and `go.mozilla.org/pkcs7` |

</details>
2026-05-13 14:14:07 +00:00
dependabot[bot] 4b54925abc chore: bump the x group across 1 directory with 7 updates (#25198)
Bumps the x group with 4 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/mod](https://github.com/golang/mod),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/tools](https://github.com/golang/tools).

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/b8a14a8d65f88c0c79c139171f1354c69a6cdb8a"><code>b8a14a8</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/9d9d5078968ddb8a279092c665a24e7de4178778"><code>9d9d507</code></a>
x509roots/fallback/bundle: fix bundle test with Go 1.27+</li>
<li><a
href="https://github.com/golang/crypto/commit/fd0b90d21f9ab4b5dd398e9526b570bfea86e370"><code>fd0b90d</code></a>
acme: include Problem in OrderError.Error</li>
<li><a
href="https://github.com/golang/crypto/commit/b9e53593a6073e6a786c49e9ad27956a9b77e54e"><code>b9e5359</code></a>
pbkdf2: turn into a wrapper for crypto/pbkdf2</li>
<li><a
href="https://github.com/golang/crypto/commit/cc0e4fc1d49127130b0d00612a2eeed2ab745d40"><code>cc0e4fc</code></a>
hkdf: forward Extract to the standard library</li>
<li><a
href="https://github.com/golang/crypto/commit/a8e9237a216b050e1b11e041863825104a6811db"><code>a8e9237</code></a>
x509roots/fallback: update bundle</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.50.0...v0.51.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/643da9ba74f1165d8cae1505d453b3de3cf21b7b"><code>643da9b</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/ccc3cdf529d1eee2a832437eb1b85240044d21cb"><code>ccc3cdf</code></a>
zip: include 'but content has correct sum' note in TestVCS</li>
<li><a
href="https://github.com/golang/mod/commit/ab3031803214705d2c9f1102318b083e7086a155"><code>ab30318</code></a>
zip: update zip hashes for new flate compression</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.35.0...v0.36.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.53.0 to 0.54.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/b138e06246cb323f2f380c2b7f7dd91f581dd56b"><code>b138e06</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/689f70a42abd350f3a1aaa70b0d13eb9543d927a"><code>689f70a</code></a>
quic: fix wrong final size being used for RESET_STREAM frame</li>
<li><a
href="https://github.com/golang/net/commit/208f306b2f0fd008b388bee2c2644be279778e94"><code>208f306</code></a>
http3: increase handshake timeout</li>
<li><a
href="https://github.com/golang/net/commit/49810da71b9026da9e0d028a6ad8c7730c52d9c4"><code>49810da</code></a>
http2: enable net/http wrapping when go &gt;= 1.27</li>
<li><a
href="https://github.com/golang/net/commit/5e11a5ab891c117eda83b4304d60dd13286c1c76"><code>5e11a5a</code></a>
quic: fix data race in streamForFrame</li>
<li><a
href="https://github.com/golang/net/commit/8c63081cd380ea768db5651941614b73472160ff"><code>8c63081</code></a>
http2: use empty Transport rather than DefaultTransport in
http2wrap</li>
<li><a
href="https://github.com/golang/net/commit/fc7b466ca49cb204039630533ece4fc557eb35cd"><code>fc7b466</code></a>
http2: add http2wrap test</li>
<li><a
href="https://github.com/golang/net/commit/15c2cb1875fd727313dc4de909b3ee149422fbe2"><code>15c2cb1</code></a>
http2: avoid overflowing 32-bit int when http2wrap enabled</li>
<li><a
href="https://github.com/golang/net/commit/64651885c2f2d745d77af2d7af2edbf568c179af"><code>6465188</code></a>
http2: add wrapped Server</li>
<li><a
href="https://github.com/golang/net/commit/72f419a894cb0597dd5b6bcf119086bf2af41231"><code>72f419a</code></a>
http2: add wrapped ClientConn</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.53.0...v0.54.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/sys` from 0.43.0 to 0.44.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sys/commit/fb1facd76f95fa87c151018200ea5e4892ff115d"><code>fb1facd</code></a>
windows: avoid uint16 overflow in NewNTUnicodeString</li>
<li><a
href="https://github.com/golang/sys/commit/94ad893e1e59c1d079221324d38945d2aad8703f"><code>94ad893</code></a>
windows: add GetIfTable2Ex, GetIpInterface{Entry,Table},
GetUnicastIpAddressT...</li>
<li><a
href="https://github.com/golang/sys/commit/54fe89f8411576c06b345b341ca79a77d878a4ad"><code>54fe89f</code></a>
cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows</li>
<li><a
href="https://github.com/golang/sys/commit/df7d5d7b60641d17d87e2b50911124cb65f954fd"><code>df7d5d7</code></a>
unix: automatically remove container created by mkall.sh</li>
<li><a
href="https://github.com/golang/sys/commit/68a4a8e945b22751c1a619261b1d755372a1d5f7"><code>68a4a8e</code></a>
unix: avoid nil pointer dereference in Utime</li>
<li><a
href="https://github.com/golang/sys/commit/690c91f6ecf3b3ef141ad2aedb1306a868b3a176"><code>690c91f</code></a>
unix: add CPUSetDynamic for systems with more than 1024 CPUs</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.43.0...v0.44.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/3c3e4855f7d2eb06c3e48933554add9ec6b599b5"><code>3c3e485</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.42.0...v0.43.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/text` from 0.36.0 to 0.37.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/text/commit/3ef517e623a4bfc08d6457f87d73afda7af7d8e1"><code>3ef517e</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.36.0...v0.37.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/tools/commit/2aabba0e4be44cc8f254ced118a7156d04bbc9f3"><code>2aabba0</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/tools/commit/ef989b3f45baff2849e87f4a70d9a189be5a6959"><code>ef989b3</code></a>
go/types/internal/play: show Info.Instances[Ident]</li>
<li><a
href="https://github.com/golang/tools/commit/21d44f2f2bb3f3a8e06e35523d14bb70cb275c89"><code>21d44f2</code></a>
go/analysis/passes/inline: document skipping of TestF-&gt;F calls</li>
<li><a
href="https://github.com/golang/tools/commit/ec83c2190d81a18bbd472cc1498575b168017e5d"><code>ec83c21</code></a>
go/analysis/passes/modernize: minmax: only remove exact userdefined</li>
<li><a
href="https://github.com/golang/tools/commit/5625353d39195f1deb9261c5ee983abbdc4a15ca"><code>5625353</code></a>
go/analysis/passes/modernize: improve value variable name
generation</li>
<li><a
href="https://github.com/golang/tools/commit/15a3bd5d4ce0651f5cf43ea125db2110c67b257b"><code>15a3bd5</code></a>
gopls/internal/analysis/errorsastype: imporove example clarity</li>
<li><a
href="https://github.com/golang/tools/commit/cd57ef8f8dd7a30ef500bfe1eef0779223cbdfc3"><code>cd57ef8</code></a>
go/packages: include dependency errors when CompiledGoFiles is
missing</li>
<li><a
href="https://github.com/golang/tools/commit/053fdbcef55e8f977d8decc0fde2920c61eb5374"><code>053fdbc</code></a>
go/analysis/passes/modernize: minmax: fix pure operands only</li>
<li><a
href="https://github.com/golang/tools/commit/bf84681c4a0185014c089cffd533e22bbeffcb49"><code>bf84681</code></a>
go/analysis/passes/errorsas: add example of invalid errors.As use</li>
<li><a
href="https://github.com/golang/tools/commit/23921d1decfe5da40309ac183353c8cb38b03dfa"><code>23921d1</code></a>
gopls: add errorsastype analyzer</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.44.0...v0.45.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-12 17:33:46 +00:00
dependabot[bot] 0234422a55 chore: bump google.golang.org/api from 0.277.0 to 0.278.0 (#25201)
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.277.0 to 0.278.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.278.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.277.0...v0.278.0">0.278.0</a>
(2026-05-05)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3582">#3582</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/76b1187e506ac0f48caac67907dd0805b253f74c">76b1187</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3584">#3584</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/e36c88361d11545583325c3ac6bdbd9cf1f1a7d0">e36c883</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/07c758daacbc24e32753c3f1b537c7f6cce626f0"><code>07c758d</code></a>
chore(main): release 0.278.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3583">#3583</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/e36c88361d11545583325c3ac6bdbd9cf1f1a7d0"><code>e36c883</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3584">#3584</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/76b1187e506ac0f48caac67907dd0805b253f74c"><code>76b1187</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3582">#3582</a>)</li>
<li>See full diff in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.277.0...v0.278.0">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-12 17:19:34 +00:00
Yevhenii Shcherbina 592e45dcfb chore: bump coder-guts dependency (#25154)
Bump coder/guts to v1.7.0.
Related PR: https://github.com/coder/guts/pull/81
2026-05-11 19:18:44 -04:00
Garrett Delfosse aed43d9b61 fix: update coder/tailscale to 85c03fc8fb2a (#24824)
Updates `coder/tailscale` fork to
[`85c03fc8fb2a`](https://github.com/coder/tailscale/commit/85c03fc8fb2ad8fdf5b9328be5d277aaa83afdff),
which includes the DNS resilience fix from
https://github.com/coder/tailscale/pull/114 (preserve NRPT rules on
startup and improve hosts file retry).

---

> Generated by Coder Agents
2026-05-11 17:35:33 -04:00
dependabot[bot] c1c3b9784e chore: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#25124)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git)
from 5.18.0 to 5.19.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.19.0</h2>
<h2>What's Changed</h2>
<ul>
<li>build: Update module github.com/go-git/go-git/v5 to v5.18.0
[SECURITY] (releases/v5.x) by <a
href="https://github.com/go-git-renovate"><code>@​go-git-renovate</code></a>[bot]
in <a
href="https://redirect.github.com/go-git/go-git/pull/2010">go-git/go-git#2010</a></li>
<li>v5: Bump sha1cd and go-billy by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2060">go-git/go-git#2060</a></li>
<li>v5: Align object encoding with upstream by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2065">go-git/go-git#2065</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0">https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/go-git/go-git/commit/bc930f4cbe095a3e1d49273655f73fcef7d41a42"><code>bc930f4</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2065">#2065</a>
from go-git/commit-v5</li>
<li><a
href="https://github.com/go-git/go-git/commit/d315264343cead712aa9eb56475c2ec96f5ecef1"><code>d315264</code></a>
plumbing: object, Reset object before decode</li>
<li><a
href="https://github.com/go-git/go-git/commit/6e1d34890a4dae8a0df738e531234bd60b7e9b66"><code>6e1d348</code></a>
plumbing: object, Align Tree handling with upstream</li>
<li><a
href="https://github.com/go-git/go-git/commit/e134ba34cf95ed0167e5b1df36a933d7bde9d02d"><code>e134ba3</code></a>
tests: Skip double checks in Git v2.11</li>
<li><a
href="https://github.com/go-git/go-git/commit/1971422f6b1bec9176061b3293306981cfff981e"><code>1971422</code></a>
tests: Add git conformance tests for signing verification</li>
<li><a
href="https://github.com/go-git/go-git/commit/a387aa8857a8fbba8e74b7f5485e9e030669ab5d"><code>a387aa8</code></a>
plumbing: object, Add ErrMalformedTag</li>
<li><a
href="https://github.com/go-git/go-git/commit/f415670d906b5c6169d1fdc64f3f9f1d33eb6f9c"><code>f415670</code></a>
plumbing: object, Decode Tag headers via a state machine</li>
<li><a
href="https://github.com/go-git/go-git/commit/5b0cd38a62e2336bb5f1a2ad0eb8ac8f9e7b740e"><code>5b0cd38</code></a>
plumbing: object, Reject multi-signature commits at Verify</li>
<li><a
href="https://github.com/go-git/go-git/commit/fe8ed6223a6079d9fd84d853362a996e7df175fb"><code>fe8ed62</code></a>
plumbing: object, Align Tag.EncodeWithoutSignature with Commit</li>
<li><a
href="https://github.com/go-git/go-git/commit/98e337d5bdc4c0536a40ab7381b2231f7e0b15cd"><code>98e337d</code></a>
plumbing: object, Add support for Tag.SignatureSHA256</li>
<li>Additional commits viewable in <a
href="https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0">compare
view</a></li>
</ul>
</details>
<br />


You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 15:57:33 +00:00
Ethan b6dbc5614c fix(coderd/x/chatd): handle truncated provider streams (#25074)
coder/fantasy now fails closed when Anthropic or OpenAI Responses
streams close before their provider terminal events instead of yielding
a successful finish.

This bumps the fantasy replacement to coder/fantasy#33 and teaches chat
error classification to treat those failures as retryable timeout errors
with explicit stream-closed messages.

2026-05-08 15:52:42 +10:00
Atif Ali 3d03c393d2 chore: bump Go toolchain version to 1.26.2 (#24975)
## Summary
Bumps the repository Go toolchain from 1.25.9 to 1.26.2 across local
development, CI, dogfood Docker images, and Nix builds.

## Changes
- Update `go.mod` and the shared setup-go action to Go 1.26.2.
- Update dogfood Ubuntu image Go versions and the official linux-amd64
tarball checksum.
- Move Nix Go module builds from `buildGo125Module` to
`buildGo126Module`.
- Regenerate API docs affected by Go 1.26 stdlib URL documentation
changes.

## Validation
- `./scripts/check_go_versions.sh`
- `make fmt`
- `make lint`
- `make build-slim`
- `make test TEST_SHORT=1`
- `make pre-commit`

> 🤖 This PR was created with the help of Coder Agents, and needs a human
review. 🧑‍💻
2026-05-06 17:06:07 +05:00
dependabot[bot] b35a11cece chore: bump google.golang.org/grpc from 1.80.0 to 1.81.0 (#24959)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from
1.80.0 to 1.81.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.81.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>balancer/rls: Switch gauge metrics to asynchronous emission (once
per collection cycle) to reduce telemetry noise and align with other
gRPC language implementations. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8808">#8808</a>)</li>
</ul>
<h1>Dependencies</h1>
<ul>
<li>Minimum supported Go version is now 1.25. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8969">#8969</a>)</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds: Use the leaf cluster's security config for the TLS handshake
instead of the aggregate cluster's config. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8956">#8956</a>)</li>
<li>transport: Send a <code>RST_STREAM</code> when receiving an
<code>END_STREAM</code> when the stream is not already half-closed. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8832">#8832</a>)</li>
<li>xds: Fix ADS resource name validation to prevent a panic. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8970">#8970</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>grpc/stats: Add support for custom labels in per-call metrics (<a
href="https://github.com/grpc/proposal/blob/master/A108-otel-custom-per-call-label.md">gRFC
A108</a>). (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9008">#9008</a>)</li>
<li>xds: Add support for Server Name Indication (SNI) and SAN validation
(<a
href="https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md">gRFC
A101</a>). Disabled by default. To enable, set
<code>GRPC_EXPERIMENTAL_XDS_SNI=true</code> environment variable. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9016">#9016</a>)</li>
<li>xds: Add support to control which fields get propagated from ORCA
backend metric reports to LRS load reports (<a
href="https://github.com/grpc/proposal/blob/master/A85-lrs-custom-metrics-changes.md">gRFC
A85</a>). Disabled by default. To enable, set
<code>GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true</code>. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9005">#9005</a>)</li>
<li>xds: Add metrics to track xDS client connectivity and cached
resource state (<a
href="https://github.com/grpc/proposal/blob/master/A78-grpc-metrics-wrr-pf-xds.md">gRFC
A78</a>). (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8807">#8807</a>)</li>
<li>stats/otel: Enhance <code>grpc.subchannel.disconnections</code>
metric by adding disconnection reason to the
<code>grpc.disconnect_error</code> label (<a
href="https://github.com/grpc/proposal/blob/master/A94-subchannel-otel-metrics.md">gRFC
A94</a>). This provides granular insights into why subchannels are
closing. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8973">#8973</a>)</li>
<li>mem: Add <code>mem.Buffer.Slice()</code> API to slice the buffer
like a slice. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8977">#8977</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/ash2k"><code>@​ash2k</code></a></li>
</ul>
</li>
</ul>
<h1>Performance Improvements</h1>
<ul>
<li>alts: Pool read buffers to lower memory utilization when sockets are
unreadable. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8964">#8964</a>)</li>
<li>transport: Pool HTTP/2 framer read buffers to reduce idle memory
consumption. Currently limited to Linux for ALTS and non-encrypted
transports (TCP, Unix). To disable, set
<code>GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false</code>
and report any issues. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/cb18228317ff523e63d931b4058b0329585b7dcd"><code>cb18228</code></a>
Change version to 1.81.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9062">#9062</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/96748f973e20bbfcafa19a8bdffc85ad5da138d1"><code>96748f9</code></a>
Cherry-pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/9105">#9105</a> to
1.81.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9106">#9106</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91832222f0144f76527b630ca55cfea6e1aa015a"><code>9183222</code></a>
Cherry pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/9055">#9055</a>,
<a href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a>
to v1.81.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9095">#9095</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/5cba6da4211f3b130238c792937f5921741b616a"><code>5cba6da</code></a>
Revert &quot;deps: update dependencies for all modules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)&quot;
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9067">#9067</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/af8a9364aa7523ab24d214e9ef13e6ad64d5c5f9"><code>af8a936</code></a>
deps: update dependencies for all modules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/cdc60dfaaadde45e16aa3c28237c0e655a722c1a"><code>cdc60df</code></a>
transport: optimize heap allocations in ready reader and update syscall
conne...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/208d053e3204c806ba9e6205c26aa064c8b42852"><code>208d053</code></a>
xds/resolver: pass complete XDSConfig in RPC context for HTTP filters
(gRFC A...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/50fe1cc7fd78b78ae638ed90ea78514c934167ac"><code>50fe1cc</code></a>
test: Fix flaky test
<code>TestServerStreaming_ClientCallRecvMsgTwice</code> in
`end2end...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/d574bad188f25ba03d41a506e6f2ef93837ad10b"><code>d574bad</code></a>
build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9050">#9050</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b8bf4d0488a351c563d63797ffba321585d6bb24"><code>b8bf4d0</code></a>
build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in
/inte...</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.80.0...v1.81.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:50:02 +00:00
dependabot[bot] f09c1bd695 chore: bump google.golang.org/api from 0.276.0 to 0.277.0 (#24961)
Bumps
[google.golang.org/api](https://github.com/googleapis/google-api-go-client)
from 0.276.0 to 0.277.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/googleapis/google-api-go-client/releases">google.golang.org/api's
releases</a>.</em></p>
<blockquote>
<h2>v0.277.0</h2>
<h2><a
href="https://github.com/googleapis/google-api-go-client/compare/v0.276.0...v0.277.0">0.277.0</a>
(2026-04-29)</h2>
<h3>Features</h3>
<ul>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3567">#3567</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/39582952e4eac1b744499f8a8063a4a5f1ce7d6b">3958295</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3571">#3571</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ca9851efc573231ca1ed9c6fea4bc77d6052d0bb">ca9851e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3574">#3574</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8efb1afa0e5d9cc454f721124bba3881f3935e3c">8efb1af</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3575">#3575</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/de49bb519cab881f74e5b9ba11e263a2b9a4ad2e">de49bb5</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3577">#3577</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/ce68c87d9dc6c144b6df578df725470b30cf83d6">ce68c87</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3578">#3578</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/8be033e24e0c6ddb08a3df72c0a8997d21623a22">8be033e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3579">#3579</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/bc6990e20803f2ff2fd1b77995f6e9180ab2302b">bc6990e</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3580">#3580</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/2de1a5aff3f3b6e53dff00da297c5d249ac8d791">2de1a5a</a>)</li>
<li><strong>all:</strong> Auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3581">#3581</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/0c219d90e90899c93215558f3ea309c9732bf7ea">0c219d9</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>idtoken:</strong> Avoid double impersonation in
tokenSourceFromBytes (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3576">#3576</a>)
(<a
href="https://github.com/googleapis/google-api-go-client/commit/75172cf5cb7bfc260c22e481323355306f684a09">75172cf</a>),
refs <a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/2301">#2301</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/dd598a60e19f836bb7ad709311b21d303bbab6c8"><code>dd598a6</code></a>
chore(main): release 0.277.0 (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3568">#3568</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/b208a86db380e5e517451daa4e5f63fae1f723be"><code>b208a86</code></a>
chore(all): update all (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3573">#3573</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/0c219d90e90899c93215558f3ea309c9732bf7ea"><code>0c219d9</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3581">#3581</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/75172cf5cb7bfc260c22e481323355306f684a09"><code>75172cf</code></a>
fix(idtoken): avoid double impersonation in tokenSourceFromBytes (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3576">#3576</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/2de1a5aff3f3b6e53dff00da297c5d249ac8d791"><code>2de1a5a</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3580">#3580</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/60b078419409e11bc414c7ccbaf4d32ddfe2a5b0"><code>60b0784</code></a>
chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in
/inter...</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/bc6990e20803f2ff2fd1b77995f6e9180ab2302b"><code>bc6990e</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3579">#3579</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/8be033e24e0c6ddb08a3df72c0a8997d21623a22"><code>8be033e</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3578">#3578</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/ce68c87d9dc6c144b6df578df725470b30cf83d6"><code>ce68c87</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3577">#3577</a>)</li>
<li><a
href="https://github.com/googleapis/google-api-go-client/commit/de49bb519cab881f74e5b9ba11e263a2b9a4ad2e"><code>de49bb5</code></a>
feat(all): auto-regenerate discovery clients (<a
href="https://redirect.github.com/googleapis/google-api-go-client/issues/3575">#3575</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/googleapis/google-api-go-client/compare/v0.276.0...v0.277.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:34:30 +00:00
dependabot[bot] 44b0fa4065 chore: bump github.com/valyala/fasthttp from 1.70.0 to 1.71.0 (#24958)
Bumps [github.com/valyala/fasthttp](https://github.com/valyala/fasthttp)
from 1.70.0 to 1.71.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/valyala/fasthttp/releases">github.com/valyala/fasthttp's
releases</a>.</em></p>
<blockquote>
<h2>v1.71.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(client): add RetryIfErrUpstream function to handle upstream
information by <a
href="https://github.com/mdenushev"><code>@​mdenushev</code></a> in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2176">valyala/fasthttp#2176</a></li>
<li>Match net/http sensitive header redirect policy by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2181">valyala/fasthttp#2181</a></li>
<li>Sanitize first-line header setters to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2182">valyala/fasthttp#2182</a></li>
<li>server: apply ReadTimeout before first byte with ReduceMemoryUsage
by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2183">valyala/fasthttp#2183</a></li>
<li>header: reject invalid trailer names by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2188">valyala/fasthttp#2188</a></li>
<li>header: reject pre-colon whitespace in request headers by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2187">valyala/fasthttp#2187</a></li>
<li>Sanitize redirect Location header to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2186">valyala/fasthttp#2186</a></li>
<li>server: keep hijacked reader out of pool by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2184">valyala/fasthttp#2184</a></li>
<li>Sanitize cookie setters to prevent CRLF injection by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2185">valyala/fasthttp#2185</a></li>
<li>feat: add ExpectHandler for richer Expect: 100-continue handling by
<a href="https://github.com/miretskiy"><code>@​miretskiy</code></a> in
<a
href="https://redirect.github.com/valyala/fasthttp/pull/2175">valyala/fasthttp#2175</a></li>
<li>http: reject whitespace before chunk extensions by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2193">valyala/fasthttp#2193</a></li>
<li>header: reject unsupported response Transfer-Encoding by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2192">valyala/fasthttp#2192</a></li>
<li>header: match net/http CL+TE handling by <a
href="https://github.com/erikdubbelboer"><code>@​erikdubbelboer</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2190">valyala/fasthttp#2190</a></li>
<li>chore(deps): bump securego/gosec from 2.25.0 to 2.26.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2195">valyala/fasthttp#2195</a></li>
<li>chore(deps): bump github.com/klauspost/compress from 1.18.5 to
1.18.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2196">valyala/fasthttp#2196</a></li>
<li>feat(prefork): Enhance prefork management with WatchMaster,
CommandProducer, and Windows support by <a
href="https://github.com/ReneWerner87"><code>@​ReneWerner87</code></a>
in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2180">valyala/fasthttp#2180</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/miretskiy"><code>@​miretskiy</code></a>
made their first contribution in <a
href="https://redirect.github.com/valyala/fasthttp/pull/2175">valyala/fasthttp#2175</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0">https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/valyala/fasthttp/commit/e9208ecebf0c102176bb0635043c17333b10401d"><code>e9208ec</code></a>
Revert &quot;feat(prefork): graceful shutdown, leak fixes, hook
robustness&quot; commit</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/481e579af9e7d79f9ce27909edd2c42ef9dce173"><code>481e579</code></a>
feat(prefork): Enhance prefork management with WatchMaster,
CommandProducer, ...</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/805cd1046567aa8a8b97a8bfe9e7b411621f68b2"><code>805cd10</code></a>
Add note on MaxResponseBodySize compatibility with
StreamResponseBody</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/5b5c1be52ca382dcea0ed86931b3f1d2aba9dce6"><code>5b5c1be</code></a>
chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6
(<a
href="https://redirect.github.com/valyala/fasthttp/issues/2196">#2196</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/d6a99db432025de9ae13051cb42b3e6c3d6568a3"><code>d6a99db</code></a>
chore(deps): bump securego/gosec from 2.25.0 to 2.26.1 (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2195">#2195</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/f36c9009027f81f4fbf304822f96752517b08949"><code>f36c900</code></a>
header: match net/http CL+TE handling (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2190">#2190</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/0b4cede30fa0eb22f9d10999e23ebaabba15e107"><code>0b4cede</code></a>
header: reject unsupported response Transfer-Encoding (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2192">#2192</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/c497746f7d52ab88597dc88310e7f797cc7755aa"><code>c497746</code></a>
http: reject whitespace before chunk extensions (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2193">#2193</a>)</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/97b38d3a4884b7c3d8891750a4c752073bc3c152"><code>97b38d3</code></a>
server: document SaveMultipartFile path trust requirement</li>
<li><a
href="https://github.com/valyala/fasthttp/commit/19e4b24955fb0ef764229802378a5e36ae7a822b"><code>19e4b24</code></a>
feat: add ExpectHandler for richer Expect: 100-continue handling (<a
href="https://redirect.github.com/valyala/fasthttp/issues/2175">#2175</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/valyala/fasthttp/compare/v1.70.0...v1.71.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:19:28 +00:00
dependabot[bot] a970ffdac8 chore: bump github.com/gohugoio/hugo from 0.160.0 to 0.161.1 (#24957)
Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from
0.160.0 to 0.161.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gohugoio/hugo/releases">github.com/gohugoio/hugo's
releases</a>.</em></p>
<blockquote>
<h2>v0.161.1</h2>
<h2>What's Changed</h2>
<ul>
<li>resources: Honor Retry-After header in resources.GetRemote retries
c4eba928 <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14828">#14828</a></li>
<li>warpc: Move to parson.c in <a
href="https://github.com/kgabis/parson">https://github.com/kgabis/parson</a>
8b40a96b <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14823">#14823</a></li>
<li>config/security: Add AllowChildProcess to security.node.permissions
d65af84d <a href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14824">#14824</a></li>
<li>config/security: Restrict default http.urls &quot;@&quot; deny to
userinfo 454450a6 <a
href="https://github.com/bep"><code>@​bep</code></a> <a
href="https://redirect.github.com/gohugoio/hugo/issues/14825">#14825</a></li>
</ul>
<h2>v0.161.0</h2>
<p>This release contains two security hardening fixes:</p>
<ul>
<li>We now run the Node tools PostCSS, Babel and TailwindCSS, by
default, with the <code>--permission</code> flag with the permissions
defined in <a
href="https://gohugo.io/configuration/security/">security.node.permissions</a>.
This means that you need Node &gt;= 22 installed and that
<code>css.TailwindCSS</code> now requires that the Tailwind CSS CLI must
be installed as a Node.js package. The <a
href="https://github.com/tailwindlabs/tailwindcss/releases/latest">standalone
executable</a> is no longer supported</li>
<li>We have made the defaults in <a
href="https://gohugo.io/configuration/security/#httpurls">security.http.urls</a>
more restrictive.</li>
</ul>
<p>But there are some notable new features, as well:</p>
<h2>Nested vars support in css.Build and css.Sass</h2>
<p>A practical example in <code>css.Build</code> would be to have
something like this in <code>hugo.toml</code>:</p>
<pre lang="toml"><code>[params.style]
    primary    = &quot;#000000&quot;
    background = &quot;#ffffff&quot;
    [params.style.dark]
        primary    = &quot;#ffffff&quot;
        background = &quot;#000000&quot;
</code></pre>
<p>And in the stylesheet:</p>
<pre lang="css"><code>@import &quot;hugo:vars&quot;;
@import &quot;hugo:vars/dark&quot; (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}
</code></pre>
<h2>Slice-based permalinks config</h2>
<p>The <code>permalinks</code> configuration is now much more flexible
(the old setup still works). It uses the same <a
href="https://gohugo.io/configuration/cascade/#target">target</a>
matchers as in the <code>cascade</code> config, meaning you can now
do:</p>
<pre lang="yaml"><code>permalinks:
  - target:
      kind: page
      path: &quot;/books/**&quot;
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gohugoio/hugo/commit/ea8f66a7ce988664dcc84c052fc96757042e2e4a"><code>ea8f66a</code></a>
releaser: Bump versions for release of 0.161.1</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/c4eba92863bbb988b23e63af40a22d6661b0ced6"><code>c4eba92</code></a>
resources: Honor Retry-After header in resources.GetRemote retries</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/8b40a96b6e992fbacd8626c24168889f50152808"><code>8b40a96</code></a>
warpc: Move to parson.c in <a
href="https://github.com/kgabis/parson">https://github.com/kgabis/parson</a></li>
<li><a
href="https://github.com/gohugoio/hugo/commit/d65af84d1572326057a9a55e26beb0cee784698a"><code>d65af84</code></a>
config/security: Add AllowChildProcess to security.node.permissions</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/454450a647111e5e0b41af595b310f3062c5630e"><code>454450a</code></a>
config/security: Restrict default http.urls &quot;@&quot; deny to
userinfo</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/2bfcc6b9941724cd1d0b490583e89413d7a66979"><code>2bfcc6b</code></a>
releaser: Prepare repository for 0.162.0-DEV</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/98d396c16a07b51df06e7673d817a3880da6218d"><code>98d396c</code></a>
releaser: Bump versions for release of 0.161.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/d4ae662d598db81d239a291bc26336be5fec6893"><code>d4ae662</code></a>
build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to
0.137.0</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/9ede5fb9e0304d3eb193b3c1a9214c735f05db21"><code>9ede5fb</code></a>
build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22</li>
<li><a
href="https://github.com/gohugoio/hugo/commit/833a878eef4fce2bbabb05dcbb8a7e31f93aadda"><code>833a878</code></a>
build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to
2.24.13</li>
<li>Additional commits viewable in <a
href="https://github.com/gohugoio/hugo/compare/v0.160.0...v0.161.1">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:19:15 +00:00
dependabot[bot] fc04f0d71e chore: bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 (#24962)
Bumps
[github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify)
from 1.9.0 to 1.10.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md">github.com/fsnotify/fsnotify's
changelog</a>.</em></p>
<blockquote>
<h2>1.10.1 2026-05-04</h2>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: don't remove sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>)</p>
</li>
<li>
<p>inotify, windows: don't rename sibling watches sharing a path prefix
(<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>)</p>
</li>
</ul>
<h2>1.10.0 2026-04-30</h2>
<p>This version of fsnotify needs Go 1.23.</p>
<h3>Changes and fixes</h3>
<ul>
<li>
<p>inotify: improve initialization error message (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/731">#731</a>)</p>
</li>
<li>
<p>inotify: send Rename event if recursive watch is renamed (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/696">#696</a>)</p>
</li>
<li>
<p>inotify: avoid copying event buffers when reading names (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/741">#741</a>)</p>
</li>
<li>
<p>kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a
bad entry no longer aborts Watcher.Add for the whole directory (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>)</p>
</li>
<li>
<p>kqueue: drop watches directly in Close() to fix a file descriptor
leak
when recycling watchers (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/740">#740</a>)</p>
</li>
<li>
<p>windows: fix nil pointer dereference in remWatch (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/736">#736</a>)</p>
</li>
<li>
<p>windows: lock watch field updates against concurrent WatchList to fix
a race introduced in v1.9.0 (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>,
<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>)</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/76b01a6e8f502187fecedea8b025e79e5a86085c"><code>76b01a6</code></a>
Release 1.10.1</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/fec150b807510e54e5b25def4b6e5fb001b4898c"><code>fec150b</code></a>
Update changelog</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/162b4216ab8f92ecd26425530bee198972c9b3cb"><code>162b421</code></a>
inotify, windows: don't rename sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/755">#755</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/224257f23b2f3a96509b316c5cead71dd4a9099a"><code>224257f</code></a>
inotify: don't remove sibling watches sharing a path prefix (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/754">#754</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/e0c956c0ccaf51562fee30ef5c055c74e6ae2104"><code>e0c956c</code></a>
windows: document directory Write events and stabilize tests (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/745">#745</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/8d01d7b9cbe0199e4a1e60fbd965fb05dbb42123"><code>8d01d7b</code></a>
Release 1.10.0</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/602284e4a8cadd488d7a5fa07c48462dfac25108"><code>602284e</code></a>
Update changelog</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/7f03e59f9659552d8a084e03024cb9b983748ed7"><code>7f03e59</code></a>
kqueue: skip ENOENT entries in watchDirectoryFiles (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/748">#748</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/dab9dde2fc9ba4d0c1076318f81cabcc8fdb2ec9"><code>dab9dde</code></a>
windows: lock watch field updates against concurrent WatchList (<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/709">#709</a>)
(<a
href="https://redirect.github.com/fsnotify/fsnotify/issues/749">#749</a>)</li>
<li><a
href="https://github.com/fsnotify/fsnotify/commit/eadf267ce152b5e62d48cc2c13bb08bd4062b6c7"><code>eadf267</code></a>
kqueue: drop watches directly in Close() instead of going through
remove() (#...</li>
<li>Additional commits viewable in <a
href="https://github.com/fsnotify/fsnotify/compare/v1.9.0...v1.10.1">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:18:24 +00:00
Steven Masley d4f913a4cf chore: bump coder/serpent to accept empty env vars (#24926)
Non-zero default values can now be set to `""` with env vars. E.g.:
`--log-human="" --log-json="/dev/stderr"`
2026-05-04 13:42:03 -05:00
Michael Suchacz 0bb09935bc feat: add computer-use provider selection for AI agents (#24772)
Adds a deployment-wide setting to select the computer-use provider
(Anthropic or OpenAI) for AI agents, plus the OpenAI computer-use runner
needed to honor that selection.

The setting is stored in `site_configs` under
`agents_computer_use_provider`, defaults to Anthropic when unset, and is
exposed via experimental GET/PUT endpoints under
`/api/experimental/chats/config/computer-use-provider`. The chatd
computer-use tool now dispatches to either `runAnthropicComputerUse` or
`runOpenAIComputerUse` based on the resolved provider, with
provider-specific result metadata for OpenAI screenshots.

Frontend adds a provider dropdown to the Agents Experiments settings
page nested under the virtual desktop toggle, with disabled state
handling while virtual desktop is off and skeleton loaders while config
queries are in flight.

Hugo and Codex review follow-up:
- Uses shared provider validation and clearer computer-use constant
names.
- Removes stale OpenAI pending-safety-checks commentary.
- Documents why provider result metadata is needed for OpenAI
screenshots.
- Keeps the computer-use subagent visible when provider credentials are
missing, then returns a clear spawn-time configuration error.
- Uses OpenAI's recommended 1600x900 screenshot geometry to preserve the
native 16:9 aspect ratio.
- Moves OpenAI-specific computer-use helpers into
`coderd/x/chatd/chatopenai/computeruse` after rebasing onto the provider
package refactor in `main`.
- Converts OpenAI pixel scroll deltas to Coder desktop wheel-click
amounts.
- Preserves OpenAI pointer modifiers with key down/up desktop actions
and rejects unsupported non-left double-click buttons explicitly.
- Maps OpenAI back/forward side-button clicks to browser navigation key
actions.
- Defaults omitted OpenAI click buttons to left-click.
- Retries mouse release cleanup if the final OpenAI drag release fails.
- Keeps computer-use subagent availability messages stable when provider
config cannot be loaded, while logging the backend error.
- Releases remaining OpenAI modifier keys if a synthetic key-up cleanup
action fails.
- Updates Storybook interaction stories so provider snapshots show the
selected final provider.

> Mux updated this PR description on behalf of Mike.
2026-05-04 20:30:50 +02:00
George K fb6e00de18 fix: preserve rollback errors in runTx (#24598)
Previously, `runTx` could lose a deferred rollback failure when returning an
existing transaction error, because the rollback path could not update the final
return value.

https://go.dev/play/p/AhBK31lO0Gd
2026-04-30 10:27:53 -07:00
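
The failure mode named in the `runTx` commit above (fb6e00de18), as an added example that is not the project's code: a deferred rollback can only change what the caller receives if the function uses a named result. `fakeTx`, `runTxLossy`, `runTxFixed` and both error values are hypothetical names constructed for this illustration; the project's actual `runTx` is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeTx is a constructed stand-in for a database transaction whose
// Rollback can be made to fail.
type fakeTx struct {
	rollbackErr error
	rolledBack  bool
}

func (t *fakeTx) Rollback() error { t.rolledBack = true; return t.rollbackErr }
func (t *fakeTx) Commit() error   { return nil }

// Constructed sample errors.
var (
	errWork     = errors.New("insert failed")
	errRollback = errors.New("rollback failed: connection reset")
)

// runTxLossy has an unnamed result. `return err` copies err into the
// result slot before the deferred function runs, so the assignment in
// the defer only touches the local variable and the rollback failure
// never reaches the caller.
func runTxLossy(tx *fakeTx, fn func() error) error {
	var err error
	defer func() {
		if err == nil {
			return
		}
		if rbErr := tx.Rollback(); rbErr != nil {
			err = errors.Join(err, rbErr) // lost: result already set
		}
	}()
	if err = fn(); err != nil {
		return err
	}
	return tx.Commit()
}

// runTxFixed uses a named result, so the deferred function writes to the
// value the caller actually receives. errors.Join keeps both errors
// reachable through errors.Is / errors.As.
func runTxFixed(tx *fakeTx, fn func() error) (err error) {
	defer func() {
		if err == nil {
			return
		}
		if rbErr := tx.Rollback(); rbErr != nil {
			err = errors.Join(err, rbErr)
		}
	}()
	if err = fn(); err != nil {
		return err
	}
	return tx.Commit()
}

// demo runs both variants against a transaction whose rollback fails.
func demo() string {
	fail := func() error { return errWork }
	lossy := runTxLossy(&fakeTx{rollbackErr: errRollback}, fail)
	fixed := runTxFixed(&fakeTx{rollbackErr: errRollback}, fail)
	return fmt.Sprintf("lossy: %q\nfixed: %q", lossy, fixed)
}

func main() {
	fmt.Println(demo())
}
```

A dropped rollback error matters operationally: the caller sees only the original failure while the connection may still hold an open transaction and its locks.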
dylanhuff-at-coder fb84e72319 feat: add secret requirement contract to dynamic parameters (#24785)
Adds structured `secret_requirements` to dynamic parameter responses and
enforces missing required secrets during workspace start.

Stop, delete, and tag rendering paths skip secret requirement
enforcement so unmet secrets do not prevent cleanup. The SDK, generated
API docs/types, and backend render/resolver/wsbuilder tests are updated
for the new contract.
2026-04-29 16:38:26 -07:00
Michael Suchacz 8fe11e9b14 fix: match Bedrock streaming accept headers (#24781)
> Mux is working on behalf of Mike.

## Summary
- Bump `github.com/coder/anthropic-sdk-go` to the corrected Bedrock
streaming header fix from coder/anthropic-sdk-go#14.
- Match botocore's `InvokeModelWithResponseStream` request shape by
using `X-Amzn-Bedrock-Accept` and omitting the HTTP `Accept` header.
- Update chatd regression coverage for the corrected header shape.

## Context
The previous fix set `Accept: application/vnd.amazon.eventstream`. Real
boto3/botocore streaming requests do not send that header. They send
`X-Amzn-Bedrock-Accept: application/json`, which is the modeled Bedrock
request header for the desired model response MIME type.

## Validation
- `go test ./coderd/x/chatd/chatprovider -run
'TestModelFromConfig_Bedrock(StreamingHeaders|StripsAnthropicHeaders)?$'
-count=1`
- `go mod tidy -diff`
- `git diff --check`
- pre-commit hook during `git commit`
2026-04-28 14:39:10 +02:00
dependabot[bot] 8ba894ba46 chore: bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 (#24773)
Bumps
[github.com/invopop/jsonschema](https://github.com/invopop/jsonschema)
from 0.13.0 to 0.14.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/invopop/jsonschema/releases">github.com/invopop/jsonschema's
releases</a>.</em></p>
<blockquote>
<h2>v0.14.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgrade to golangci-lint v2 by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/187">invopop/jsonschema#187</a></li>
<li>Bump minimum Go version to 1.24 by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/188">invopop/jsonschema#188</a></li>
<li>Support omitzero json tags by <a
href="https://github.com/YvanGuidoin"><code>@​YvanGuidoin</code></a> in
<a
href="https://redirect.github.com/invopop/jsonschema/pull/161">invopop/jsonschema#161</a></li>
<li>feat: Respect json:&quot;,string&quot; for integer fields in
generated schema by <a
href="https://github.com/fengxsong"><code>@​fengxsong</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/183">invopop/jsonschema#183</a></li>
<li>Split jsonschema_extras only on unescaped commas by <a
href="https://github.com/liorokman"><code>@​liorokman</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/173">invopop/jsonschema#173</a></li>
<li>Fix nil pointer dereference in ReflectFromType with ExpandedStruct
(fix <a
href="https://redirect.github.com/invopop/jsonschema/issues/163">#163</a>)
by <a href="https://github.com/edznux-dd"><code>@​edznux-dd</code></a>
in <a
href="https://redirect.github.com/invopop/jsonschema/pull/186">invopop/jsonschema#186</a></li>
<li>Replace wk8/go-ordered-map with pb33f/ordered-map by <a
href="https://github.com/samlown"><code>@​samlown</code></a> in <a
href="https://redirect.github.com/invopop/jsonschema/pull/189">invopop/jsonschema#189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/YvanGuidoin"><code>@​YvanGuidoin</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/161">invopop/jsonschema#161</a></li>
<li><a href="https://github.com/fengxsong"><code>@​fengxsong</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/183">invopop/jsonschema#183</a></li>
<li><a href="https://github.com/liorokman"><code>@​liorokman</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/173">invopop/jsonschema#173</a></li>
<li><a href="https://github.com/edznux-dd"><code>@​edznux-dd</code></a>
made their first contribution in <a
href="https://redirect.github.com/invopop/jsonschema/pull/186">invopop/jsonschema#186</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0">https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/invopop/jsonschema/commit/2c57d6074bf9004aaaf1fc9c07ff0ea730b23de7"><code>2c57d60</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/189">#189</a>
from invopop/replace-wk8-with-pb33f-ordered-map</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/d8cc8ebd57b811474861dd25409560271f084128"><code>d8cc8eb</code></a>
Replace wk8/go-ordered-map with pb33f/ordered-map</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/0d5bd753ec797ec5366a2145bf8252bff5f6406f"><code>0d5bd75</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/186">#186</a>
from edznux-dd/fix/expanded-struct-nil-deref</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/3d693733ab7bca092e8604299fb82ecb573b6b10"><code>3d69373</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/173">#173</a>
from liorokman/escape-extras-tags</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/b43264d2a5a9b129a943a1603d5d9df80f705b1f"><code>b43264d</code></a>
Silence revive unused-parameter on fuzz callback</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/7b21bb5bcefbed61748f2ac0388ccfc5a07ce928"><code>7b21bb5</code></a>
Merge remote-tracking branch 'origin/main' into
pr-186-expanded-struct</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/048739859f24dff300c94b8b2a75f17cb8f94c4c"><code>0487398</code></a>
Fix ExtraWithComman typo in test struct field</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/bc932369a8e17ddd0028658e1be49e35d6a748b5"><code>bc93236</code></a>
Merge remote-tracking branch 'origin/main' into
pr-173-escape-extras</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/d39f13c8fc27de49b934bd043f64e2f3284c920b"><code>d39f13c</code></a>
Merge pull request <a
href="https://redirect.github.com/invopop/jsonschema/issues/183">#183</a>
from fengxsong/feat/reflect-json-string-for-integers</li>
<li><a
href="https://github.com/invopop/jsonschema/commit/f2e2b913ec19ef878325e6ee1b78eb2dbcea26bb"><code>f2e2b91</code></a>
Extend json:&quot;,string&quot; support to number and boolean
fields</li>
<li>Additional commits viewable in <a
href="https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-28 11:52:56 +00:00
Michael Suchacz dec3e98e54 fix: set Bedrock streaming accept headers (#24776)
> Mux is working on behalf of Mike.

## Summary
- Bump `github.com/coder/anthropic-sdk-go` to the clean Bedrock
streaming header fix from coder/anthropic-sdk-go#10.
- Add chatd regression coverage that verifies Bedrock streaming requests
use AWS event stream headers and include `X-Amzn-Bedrock-Accept` in the
SigV4 signed headers.

## SDK follow-up
- Reverted the bad coder/anthropic-sdk-go#8 merge with
coder/anthropic-sdk-go#9.
- Re-applied only the intended Bedrock streaming header change in
coder/anthropic-sdk-go#10.

## Validation
- `go test ./coderd/x/chatd/chatprovider -run
'TestModelFromConfig_Bedrock(StreamingHeaders|StripsAnthropicHeaders)?$'
-count=1`
- `go test ./coderd/x/chatd/chatprovider -count=1`
- `go mod tidy -diff`
- `make lint`
- pre-commit hook during `git commit`
2026-04-28 11:28:20 +00:00
dependabot[bot] 411dc1ca8e chore: bump github.com/aws/smithy-go from 1.24.2 to 1.25.1 (#24775)
Bumps [github.com/aws/smithy-go](https://github.com/aws/smithy-go) from
1.24.2 to 1.25.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/releases">github.com/aws/smithy-go's
releases</a>.</em></p>
<blockquote>
<h2>v1.25.0</h2>
<h1>Release (2026-04-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.0
<ul>
<li><strong>Feature</strong>: Add support for endpointBdd trait</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws/smithy-go/blob/main/CHANGELOG.md">github.com/aws/smithy-go's
changelog</a>.</em></p>
<blockquote>
<h1>Release (2026-04-23)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.1
<ul>
<li><strong>Bug Fix</strong>: Fixed a memory leak in the LRU cache
implementation used by some AWS services.</li>
</ul>
</li>
</ul>
<h1>Release (2026-04-15)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.25.0
<ul>
<li><strong>Feature</strong>: Add support for endpointBdd trait</li>
</ul>
</li>
</ul>
<h1>Release (2026-04-02)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.3
<ul>
<li><strong>Bug Fix</strong>: Add additional sigv4 configuration.</li>
</ul>
</li>
<li><code>github.com/aws/smithy-go/aws-http-auth</code>: <a
href="https://github.com/aws/smithy-go/blob/main/aws-http-auth/CHANGELOG.md#v113-2026-04-02">v1.1.3</a>
<ul>
<li><strong>Bug Fix</strong>: Add additional sigv4 configuration.</li>
</ul>
</li>
</ul>
<h1>Release (2026-02-27)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Bump minimum go version to
1.24.</li>
</ul>
<h1>Release (2026-02-20)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.1
<ul>
<li><strong>Feature</strong>: Add new middleware functions to get event
stream output from middleware</li>
</ul>
</li>
</ul>
<h1>Release (2025-12-01)</h1>
<h2>General Highlights</h2>
<ul>
<li><strong>Dependency Update</strong>: Updated to the latest SDK module
versions</li>
</ul>
<h2>Module Highlights</h2>
<ul>
<li><code>github.com/aws/smithy-go</code>: v1.24.0</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws/smithy-go/commit/e094f45e716e33a1b950cf8bbe804790bf87f965"><code>e094f45</code></a>
Release 2026-04-23</li>
<li><a
href="https://github.com/aws/smithy-go/commit/214d45be3be5188c4d2fd9cf744c21f8b3dfbabc"><code>214d45b</code></a>
changelog</li>
<li><a
href="https://github.com/aws/smithy-go/commit/3477da0b4dbf31de58ac375fe5abe5d268280824"><code>3477da0</code></a>
fix lrucache memory leak on existing item put (<a
href="https://redirect.github.com/aws/smithy-go/issues/652">#652</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/0d0b4d00f2430e62a790203b89fd76dceb4ae213"><code>0d0b4d0</code></a>
Bump Smithy version to 1.69.0 (<a
href="https://redirect.github.com/aws/smithy-go/issues/650">#650</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/be5e5ef0d73560eac9d71df7995b0eaffb9a8d71"><code>be5e5ef</code></a>
check <a href="https://github.com/enum"><code>@​enum</code></a> on
strings for cbor (<a
href="https://redirect.github.com/aws/smithy-go/issues/649">#649</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/5beb80e9da6bcad40dc304f062c27d8269abd67d"><code>5beb80e</code></a>
Ensure javadoc uses utf-8 (<a
href="https://redirect.github.com/aws/smithy-go/issues/648">#648</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/73bb8a7d6e222332d46eec7209ba3cd0ba520239"><code>73bb8a7</code></a>
Release 2026-04-15</li>
<li><a
href="https://github.com/aws/smithy-go/commit/f056c6fb0b43ba9bfeca6c29c8c1e1046437e45e"><code>f056c6f</code></a>
Changelog</li>
<li><a
href="https://github.com/aws/smithy-go/commit/ee36afc3d70050ba990c8de8d65043ac11d1f9f4"><code>ee36afc</code></a>
Implement BDD generator for <a
href="https://github.com/endpointBdd"><code>@​endpointBdd</code></a>
Smithy trait (<a
href="https://redirect.github.com/aws/smithy-go/issues/647">#647</a>)</li>
<li><a
href="https://github.com/aws/smithy-go/commit/3dbea7015f5ed79312e2a3cb6bbf39f7a26e46ea"><code>3dbea70</code></a>
Release 2026-04-02</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/smithy-go/compare/v1.24.2...v1.25.1">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-28 11:18:10 +00:00
dependabot[bot] a700523043 chore: bump github.com/sony/gobreaker/v2 from 2.3.0 to 2.4.0 (#24774)
Bumps [github.com/sony/gobreaker/v2](https://github.com/sony/gobreaker)
from 2.3.0 to 2.4.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sony/gobreaker/commit/0ae90251b774f890e7586c96ea82d61eb74d556d"><code>0ae9025</code></a>
Update README (<a
href="https://redirect.github.com/sony/gobreaker/issues/114">#114</a>)</li>
<li><a
href="https://github.com/sony/gobreaker/commit/1ab58bdde813e51022946f4c9ee25906f0350982"><code>1ab58bd</code></a>
feat(circuitbreaker): add tri-state outcome evaluation with Excluded
support ...</li>
<li><a
href="https://github.com/sony/gobreaker/commit/91fd4d17c2aab3de8e6f5cd6bb738e8a4d4e6d68"><code>91fd4d1</code></a>
Update Go version matrix in test workflow (<a
href="https://redirect.github.com/sony/gobreaker/issues/113">#113</a>)</li>
<li>See full diff in <a
href="https://github.com/sony/gobreaker/compare/v2.3.0...v2.4.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-28 11:15:36 +00:00
Zach ef6e452825 chore: uprev coder/terraform-provider-coder to v2.16.0 (#24719)
Bumps coder/terraform-provider-coder to v2.16.0 to pick up the `coder_secret`
data source that enables expressing a required user secret in a template.
2026-04-27 08:29:57 -06:00
Michael Suchacz 99a83a2702 fix: clean Bedrock headers (#24718)
Bedrock chat provider requests can inherit Anthropic public API headers
from the process environment, which causes mixed Anthropic and Bedrock
auth headers on signed requests.

Update the Anthropic SDK fork so its Bedrock middleware strips
Anthropic-only headers before signing requests, and keep a chatprovider
regression test for the production request shape.

> Mux is acting on Mike's behalf.
2026-04-26 21:50:29 +02:00
Michael Suchacz 62e9752acd fix: prevent malformed OpenAI Responses continuations (#24725)
> Worked on by Mux on Mike's behalf.

## Summary

- Disable OpenAI Responses `previous_response_id` chain mode when the
prior assistant response has unresolved local tool calls, so the next
request can include paired tool outputs instead of sending an incomplete
continuation.
- Update the fantasy pin to a Responses replay fix that preserves stored
reasoning references, only replays web search references when paired
with reasoning, and validates local function-call output pairing before
send.
- Add fake OpenAI Responses input validation for the two production 400
shapes and integration coverage for full-history reasoning plus web
search replay.
- Add sanitized diagnostics for the OpenAI Responses continuity errors.

## Tests

- `go test ./providers/openai -run
'TestResponsesToPrompt_(ReasoningWithStore|ReasoningWithWebSearchCombined|WebSearchRequiresReasoningReference|ReasoningWithFunctionCallCombined|WebSearchProviderExecutedToolResults)|TestPrepareParams_(SkipsProviderExecutedToolReferences|ValidatesFunctionCallOutputPairing)|TestValidateResponsesInput_WebSearchReferenceRequiresReasoning'
-count=1`
- `go test ./providers/openai -count=1`
- `GOWORK=off go test ./coderd/x/chatd/chattest -run
TestValidateResponsesAPIInput -count=1`
- `GOWORK=off go test ./coderd/x/chatd -run
'TestOpenAIResponses(NoStaleWebSearchReplay|FullReplayPairsReasoningAndWebSearch|ChainModeSkipsWhenLocalCallPending|ChainModeStillFiresForProviderExecutedOnly)$|TestResolveChainMode_'
-count=1`
- `GOWORK=off go test ./coderd/x/chatd/chatprompt -run
'TestInjectMissingToolResults_' -count=1`
- `GOWORK=off go test ./coderd/x/chatd/chaterror -run
TestClassify_OpenAIResponsesAPIDiagnostics -count=1`
- `GOWORK=off go test ./coderd/x/chatd/... -count=1`
- `git diff --check`
- `git commit` pre-commit hook
2026-04-26 21:23:06 +02:00
blinkagent[bot] a497d934db chore: bump coder/fantasy to include gpt-5.5 Responses API support (#24712)
Bumps the `charm.land/fantasy` replace directive to pick up
<https://github.com/coder/fantasy/pull/29>, which adds `gpt-5.5` and
`gpt-5.5-pro` to `responsesReasoningModelIDs`.

Without this, chatd's `useOpenAIResponsesOptions` returns false for
GPT-5.5, so it falls back to Chat Completions and never attaches
`ResponsesProviderOptions` (losing `store=true` + `previous_response_id`
chaining and other Responses-only features).

## Changes
- `go.mod`: `github.com/coder/fantasy
v0.0.0-20260416152503-959aa39579d2` →
`v0.0.0-20260424191546-5ab464a305f4`
- `go.sum`: updated hashes

Verified `go build ./coderd/x/chatd/...` passes locally.

Created on behalf of @ibetitsmike

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
2026-04-24 19:35:26 +00:00
Paweł Banaszewski e00e85765b chore: move aibridge library code into coder repo (#24190)
This PR merges code from `coder/aibridge` repository into `coder/coder`.
It was split into 4 PRs for easier review but stacked PRs will need to
be merged into this PR so all checks pass.

* https://github.com/coder/coder/pull/24190 -> raw code copy (this PR,
before merging PRs on top of it, it was just 1 commit:
https://github.com/coder/coder/commit/70d33f33200c7e77df910957595715f81f9bec24)
* https://github.com/coder/coder/pull/24570 -> update imports in
`coder/coder` to use copied code
* https://github.com/coder/coder/pull/24586 -> linter fixes and CI
integration (also added README.md)
* https://github.com/coder/coder/pull/24571 -> added exclude to
scripts/check_emdash.sh check

Original PR message (before PR squash):
Moves coder/aibridge code into coder/coder repository.

Omitted files:

- `go.mod`, `go.sum`, `.gitignore`, `.github/workflows/ci.yml`,
`Makefile`, `LICENSE`, `README.md` (modified README.md is added later)
- `.github`, `example`, `buildinfo`, `scripts` directories

Simple verification script (will list omitted files)

```
tmp=$(mktemp -d)
echo "$tmp"
git clone --depth=1 https://github.com/coder/aibridge "$tmp/aibridge"
git clone --depth=1 --branch pb/aibridge-code-move https://github.com/coder/coder "$tmp/coder"
diff -rq --exclude=.git "$tmp/aibridge" "$tmp/coder/aibridge"
# rm -rf "$tmp"
```
2026-04-22 17:01:01 +02:00
Lukasz 869168b316 chore: bump gomarkdown to patched revision (#24567)
Updates `github.com/gomarkdown/markdown` from
`v0.0.0-20240930133441-72d49d9543d8` to
`v0.0.0-20260411013819-759bbc3e3207`.

This pulls in the patched upstream revision for the markdown dependency.
2026-04-21 14:46:32 +00:00
Ethan bd3ed18fb1 chore: bump hashicorp/hc-install to v0.9.4 and drop coder fork replace (#24547)
Upstream `github.com/hashicorp/hc-install` v0.9.4 ships the refreshed
HashiCorp release-signing key (hashicorp/hc-install#355 +
hashicorp/hc-install#372), so the `coder/hc-install` fork replace
directive added in #24516 is no longer needed.

Relates to https://github.com/coder/internal/issues/1476

Closes ENG-2496
2026-04-21 15:21:12 +10:00
Susana Ferreira 522118ab20 feat: support AWS SDK default credential chain for Bedrock authentication (#24346)
## Description

Makes AWS Bedrock credentials optional. When `AccessKey` and
`AccessKeySecret` are not set, AI Bridge falls back to the AWS SDK
default credential chain, which supports IAM Roles (instance profiles,
IRSA, ECS task roles), SSO, shared credentials files, and environment
variables.

This allows AI Bridge to authenticate with AWS Bedrock using:
- Permanent credentials (access key + secret) as before
- IAM Roles, shared config files, environment variables, SSO, etc, via
the SDK default credential chain

Depends on: https://github.com/coder/aibridge/pull/265
Related to: https://github.com/coder/aibridge/issues/144 
Related to: https://linear.app/codercom/issue/AIGOV-67

_Disclaimer: initially produced by Claude Opus 4.6, modified and
reviewed by @ssncferreira ._
2026-04-20 10:00:05 +01:00
Ethan ef6969dd70 feat(coderd/x/chatd): agent-created file attachments in chat (#24280)
Agents can already see workspace files and take screenshots, but users could not download those artifacts from chat. This PR adds durable chat attachments to chatd. `attach_file`, explicit `computer` screenshot actions (not the automatic post-action screenshots), and `propose_plan` now fetch bytes over the agent connection, store them in `chat_files`, link them to the chat, and carry attachment metadata in tool responses so `buildAssistantPartsForPersist` can materialize ordinary `type:"file"` assistant parts that the chat file APIs serve.

The same storage helpers are reused for other artifact-producing paths. `wait_agent` recordings and thumbnails are stored as chat files and linked back to the parent chat, with best-effort relinking so parent chats retain those artifacts without leaving orphaned rows when chat-file caps reject links. `storeChatAttachment` wraps insert + link in one transaction, files are capped at 10 MB each and 20 per chat, and serving defaults to `Content-Disposition: attachment` with an explicit inline-safe allowlist.

This PR also consolidates chat-file media policy in `coderd/chatfiles`. Uploads and tool-generated attachments share byte-based MIME detection, SVG blocking, inline-safety rules, and compatible `text/plain` refinement for JSON, CSV, and Markdown. Prompt construction still only inlines synthetic pasted text for model consumption; assistant-created attachments are persisted for the user and intentionally not replayed into later LLM turns.

UI follow-up lives in #24281.

Relates to CODAGT-91
2026-04-20 18:04:35 +10:00
Ethan 7e89534d32 chore: use coder/hc-install fork to fix expired PGP key verification (#24516)
hc-install's bundled HashiCorp release-signing pubkey contains both the
original armored block and a refreshed one, but
`openpgp.ReadArmoredKeyRing` only decodes the first, so the verifier
sees the expired key and terraform installs (and `TestInstall`) fail
with `openpgp: key expired`.

Point `github.com/hashicorp/hc-install` at our fork, which parses every
armored block and merges entities by fingerprint so the refreshed
self-signature wins. We can drop the go mod replace once
https://github.com/hashicorp/hc-install/pull/371 (or an equivalent
upstream fix) ships.

Relates to https://github.com/coder/internal/issues/1476
2026-04-20 13:26:28 +10:00
Mathias Fredriksson 6b0bb02e5d fix: server-side diffs and stricter fuzzy splicing for edit_files (#24454)
Fixes three classes of edit_files bugs and adds structured per-file
diff output for tool callers:

- New IncludeDiff flag on FileEditRequest; when set, the agent
  returns FileEditResponse.Files[]{Path, Diff} with unified diffs
  computed via go-udiff v0.4.1 Lines + ToUnified (not Unified,
  which calls log.Fatalf on internal error).
- Fuzzy match comparators split each line into leading whitespace,
  body, trailing whitespace, and ending. The splice substitutes at
  each position: on agreement between search and replace the file's
  bytes win; on disagreement the replacement's bytes are spliced
  verbatim. Carve-outs for empty-body lines, multi-line EOF splices,
  and level-aware indent translation for inserted lines.
- Indent-unit detection (GCD for spaces, tab-priority) lets a 4sp
  LLM search insert correctly into tab or 2sp files. Falls back to
  the previous cLead-inheritance path when units can't be detected
  cleanly.
- Empty search is rejected with "search string must not be empty".
- Duplicate file paths in one request are rejected; symlink aliases
  resolved via api.resolvePath before the dedup check.
- Frontend EditFilesRenderer consumes the structured files array by
  explicit path (no label munging) with per-file synthetic fallback
  for older agents or mismatched paths. On error, no diff is
  rendered so the synthetic fallback doesn't misrepresent a
  rejected edit as applied.

Breaking change: AgentConn.EditFiles changes from (ctx, req) error
to (ctx, req) (FileEditResponse, error) in codersdk/workspacesdk.
Source-breaking for external Go consumers; no compat shim per plan
owner.

Out of scope (tracked in CODAGT-214): level-aware indent for
middle-substituted splice lines. Locked in
TestEditFiles_FuzzyIndent_InsertionLevelAware's Lock_* cases plus
TestEditFiles_ReplaceAll_FuzzyIndentGap.
2026-04-18 16:39:34 +03:00
dependabot[bot] 8e2343f59c chore: bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 (#24504)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git)
from 5.17.1 to 5.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's
releases</a>.</em></p>
<blockquote>
<h2>v5.18.0</h2>
<h2>What's Changed</h2>
<ul>
<li>plumbing: transport/http, Add support for followRedirects policy by
<a href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/2004">go-git/go-git#2004</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0">https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0</a></p>
<h2>v5.17.2</h2>
<h2>What's Changed</h2>
<ul>
<li>build: Update module github.com/go-git/go-git/v5 to v5.17.1
[SECURITY] (releases/v5.x) by <a
href="https://github.com/go-git-renovate"><code>@​go-git-renovate</code></a>[bot]
in <a
href="https://redirect.github.com/go-git/go-git/pull/1941">go-git/go-git#1941</a></li>
<li>dotgit: skip writing pack files that already exist on disk by <a
href="https://github.com/pjbgf"><code>@​pjbgf</code></a> in <a
href="https://redirect.github.com/go-git/go-git/pull/1944">go-git/go-git#1944</a></li>
</ul>
<p>⚠️ This release fixes a bug (<a
href="https://redirect.github.com/go-git/go-git/issues/1942">go-git/go-git#1942</a>)
that blocked some users from upgrading to <code>v5.17.1</code>. Thanks
<a href="https://github.com/pskrbasu"><code>@​pskrbasu</code></a> for
reporting it. 🙇</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/go-git/go-git/commit/ea3e7ec9dfc54f577a01afb4dd601c0284604264"><code>ea3e7ec</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/2004">#2004</a>
from go-git/v5-http-hardening</li>
<li><a
href="https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53"><code>bcd20a9</code></a>
plumbing: transport/http, Add support for followRedirects policy</li>
<li><a
href="https://github.com/go-git/go-git/commit/45ae193b3a60aa8ec8a3e373f7265a7819473d5f"><code>45ae193</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/1944">#1944</a>
from go-git/fix-perms</li>
<li><a
href="https://github.com/go-git/go-git/commit/fda4f7464b597ff33d2dea1c026482a5e900037c"><code>fda4f74</code></a>
storage: filesystem/dotgit, Skip writing pack files that already exist
on disk</li>
<li><a
href="https://github.com/go-git/go-git/commit/2212dc7caeb2a389fe2129923811ef63f75a557a"><code>2212dc7</code></a>
Merge pull request <a
href="https://redirect.github.com/go-git/go-git/issues/1941">#1941</a>
from go-git/renovate/releases/v5.x-go-github.com-go-...</li>
<li><a
href="https://github.com/go-git/go-git/commit/ebb2d7da7f5d5aebeaa0b5e13276d72d602c1ae3"><code>ebb2d7d</code></a>
build: Update module github.com/go-git/go-git/v5 to v5.17.1
[SECURITY]</li>
<li>See full diff in <a
href="https://github.com/go-git/go-git/compare/v5.17.1...v5.18.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-17 22:53:10 +00:00
Danielle Maywood 15d8e4ff9f feat: accept xhigh effort for Anthropic (#24439) 2026-04-16 17:25:34 +01:00