fix(deps): vuln minor upgrades — 13 packages (minor: 12 · patch: 1)

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.65.0	v1.80.0	minor	Transitive	3 CRITICAL
github.com/sirupsen/logrus	v1.4.1	v1.9.4	minor	Direct	3 HIGH
github.com/golang-jwt/jwt/v5	v5.2.1	v5.2.3	patch	Transitive	3 HIGH
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.3	v1.7.9	minor	Transitive	1 MODERATE
github.com/aws/aws-sdk-go-v2/service/lambda	v1.56.1	v1.89.1	minor	Transitive	1 MODERATE
github.com/aws/aws-sdk-go-v2/service/s3	v1.58.0	v1.99.1	minor	Transitive	1 MODERATE
github.com/aws/aws-sdk-go-v2	v1.30.3	v1.41.6	minor	Direct	-
github.com/aws/aws-sdk-go-v2/config	v1.27.24	v1.32.16	minor	Direct	-
github.com/aws/aws-sdk-go-v2/service/cloudtrail	v1.42.1	v1.55.10	minor	Direct	-
github.com/aws/aws-sdk-go-v2/service/sts	v1.30.1	v1.42.0	minor	Direct	-
github.com/datadog/stratus-red-team/v2	v2.16.0	v2.31.1	minor	Direct	-
github.com/spf13/cobra	v1.6.0	v1.10.2	minor	Direct	-
github.com/stretchr/testify	v1.9.0	v1.11.1	minor	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (9 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.65.0	1.79.3
google.golang.org/grpc	CVE-2026-33186	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.65.0	-
google.golang.org/grpc	GO-2026-4762	CRITICAL	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.65.0	1.79.3
github.com/golang-jwt/jwt/v5	GO-2025-3553	high	Excessive memory allocation during header parsing in github.com/golang-jwt/jwt	v5.2.1	5.2.2
github.com/golang-jwt/jwt/v5	CVE-2025-30204	high	jwt-go allows excessive memory allocation during header parsing	v5.2.1	-
github.com/golang-jwt/jwt/v5	GHSA-mh63-6h87-95cp	HIGH	jwt-go allows excessive memory allocation during header parsing	v5.2.1	5.2.2
github.com/sirupsen/logrus	GO-2025-4188	high	Logrus is vulnerable to DoS when using Entry.writerScanner in github.com/sirupsen/logrus	v1.4.1	1.8.3
github.com/sirupsen/logrus	CVE-2025-65637	high	-	v1.4.1	-
github.com/sirupsen/logrus	GHSA-4f99-4q7p-p3gh	HIGH	Logrus is vulnerable to DoS when using Entry.Writer()	v1.4.1	1.8.3

ℹ️ Other Vulnerabilities (3)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.6.3	1.7.8
github.com/aws/aws-sdk-go-v2/service/lambda	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.56.1	1.88.5
github.com/aws/aws-sdk-go-v2/service/s3	GHSA-xmrv-pmrh-hhx2	MODERATE	Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder	v1.58.0	1.97.3

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/spf13/cobra	v1.6.0	Oct 11, 2025	v1.10.2	go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/grpc (v1.65.0 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (*: Implementation of weighted random shuffling (A113) grpc/grpc-go#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81) grpc/grpc-go#8779)

(truncated — see source for full notes)

github.com/sirupsen/logrus (v1.4.1 → v1.9.4) — GitHub Release

v1.9.4

Notable changes

• go.mod: update minimum supported go version to v1.17 go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• go.mod: bump up dependencies go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• Touch-up godoc and add "doc" links.
• README: fix links, grammar, and update examples.
• Add GNU/Hurd support Add GNU/Hurd support sirupsen/logrus#1364
• Add WASI wasip1 support Add WASI wasip1 support sirupsen/logrus#1388
• Remove uses of deprecated ioutil package refactor: replace the deprecated function in the ioutil package sirupsen/logrus#1472
• CI: update actions and golangci-lint CI: update actions and golangci-lint sirupsen/logrus#1459
• CI: remove appveyor, add macOS go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

v1.9.3

• Fix a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines sirupsen/logrus@f9291a5 (re-apply This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376)
• Fix panic in Writer sirupsen/logrus@d40e25c

Full Changelog: sirupsen/logrus@v1.9.2...v1.9.3

v1.9.2

• Revert This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376, which introduced a regression in v1.9.1

Full Changelog: sirupsen/logrus@v1.9.1...v1.9.2

v1.9.1

What's Changed

• Fix data race in hooks.test package by @FrancoisWagner in Fix data race in hooks.test package sirupsen/logrus#1362
• Add instructions to use different log levels for local and syslog by @tommyblue in Add instructions to use different log levels for local and syslog sirupsen/logrus#1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @ozfive in This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376
• Use text when shows the logrus output by @xieyuschen in Use text when shows the logrus output sirupsen/logrus#1339

New Contributors

• @FrancoisWagner made their first contribution in Fix data race in hooks.test package sirupsen/logrus#1362
• @tommyblue made their first contribution in Add instructions to use different log levels for local and syslog sirupsen/logrus#1372
• @ozfive made their first contribution in This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376
• @xieyuschen made their first contribution in Use text when shows the logrus output sirupsen/logrus#1339

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

v1.8.3

What's Changed

• Add instructions to use different log levels for local and syslog by @tommyblue in Add instructions to use different log levels for local and syslog sirupsen/logrus#1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @ozfive in This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376
• Use text when shows the logrus output by @xieyuschen in Use text when shows the logrus output sirupsen/logrus#1339

New Contributors

• @tommyblue made their first contribution in Add instructions to use different log levels for local and syslog sirupsen/logrus#1372
• @ozfive made their first contribution in This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. sirupsen/logrus#1376
• @xieyuschen made their first contribution in Use text when shows the logrus output sirupsen/logrus#1339

Full Changelog: sirupsen/logrus@v1.8.2...v1.8.3

v1.8.2

What's Changed

• CI: use GitHub Actions by @thaJeztah in CI: use GitHub Actions sirupsen/logrus#1239
• go.mod: github.com/stretchr/testify v1.7.0 by @thaJeztah in go.mod: github.com/stretchr/testify v1.7.0 sirupsen/logrus#1246
• Change godoc badge to pkg.go.dev badge by @Minizilla in Change godoc badge to pkg.go.dev badge sirupsen/logrus#1249
• Add support for the logger private buffer pool. by @edoger in Add support for the logger private buffer pool. sirupsen/logrus#1253
• bump golang.org/x/sys depency version by @dgsb in bump golang.org/x/sys depency version sirupsen/logrus#1280
• Update README.md by @runphp in Update README.md sirupsen/logrus#1266
• indicates issues as stale automatically by @dgsb in indicates issues as stale automatically sirupsen/logrus#1281
• ci: add go 1.17 to test matrix by @anajavi in ci: add go 1.17 to test matrix sirupsen/logrus#1277
• reduce the list of cross build target by @dgsb in reduce the list of cross build target sirupsen/logrus#1282
• Improve Log methods documentation by @dgsb in Improve Log methods documentation sirupsen/logrus#1283
• fix race condition for SetFormatter and SetReportCaller by @rubensayshi in fix race condition for SetFormatter and SetReportCaller sirupsen/logrus#1263

(truncated — see source for full notes)

github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream (v1.6.3 → v1.7.9) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/lambda (v1.56.1 → v1.89.1) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/s3 (v1.58.0 → v1.99.1) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2 (v1.30.3 → v1.41.6) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/config (v1.27.24 → v1.32.16) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/cloudtrail (v1.42.1 → v1.55.10) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/aws/aws-sdk-go-v2/service/sts (v1.30.1 → v1.42.0) — Changelog

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

github.com/datadog/stratus-red-team/v2 (v2.16.0 → v2.31.1) — GitHub Release

v2.31.1

Bugfix

Bumping the hc-install library version to fix a expired pubkey issue when downloading Terraform

Changelog

• ab1e2f9ce93428e8e1fca7f4d2d4a13fdca29280 Brew formula update for stratus-red-team version v2.31.0
• c1b051836478233386778e1ace599dd658c5945c Bump hc-install to o.9.4 to fix tf pubkey expired issue (Bump hc-install to v0.9.4 to fix expired Terraform public key issue stratus-red-team#839)
• 2fc0e0413d1e0e7ceb264d4286fc17deec0a3fa1 Merge pull request Brew formula update for stratus-red-team version v2.31.0 stratus-red-team#836 from DataDog/homebrew-update-2.31.0
• e2cd34b27aed63d4c48ca3476aae14b08ab75a56 Update maintainer list (Update maintainer list stratus-red-team#840)

v2.31.0

Changelog

New attack techniques:

• Backdoor Azure Managed Identity with Federated Identity Credential (FIC) (Azure) by @siigil
• Backdoor Entra ID application with Federated Identity Credential (FIC) (EntraID) by @siigil
• Attempt to Remove a GCP Project from its Organization (GCP) by @Minosity-VR
• Delete a Cloud DNS Logging Policy (GCP) by @Minosity-VR
• Disable Data Access Audit Logs for a GCP Service (GCP) by @Minosity-VR
• Disable VPC Flow Logs on a Subnet (GCP) by @Minosity-VR
• Disable a GCP Log Sink (GCP) by @Minosity-VR
• Read GCE Instance Metadata via the Compute API (GCP) by @Minosity-VR
• Reduce Log Retention Period on a Cloud Logging Sink Bucket (GCP) by @Minosity-VR

New features:

• e26e2c6779ee1a0d5f35c0252605a1f3a5eb6565 Programatic usage now supports using a S3 bucket for internal and terraform state (core(runner) - Add S3 remote state backend for Terraform and technique state stratus-red-team#834)
• 09d59fa3da9ce8730e79c07b76e177cf6da6b0db Programmatic usage now supports options to launch the runner with custom StateManager, TerraformManager, ProviderFactory, Config, and CorrelationID (Add functional options to Runner for dependency injection stratus-red-team#817)
• 23d67d2456cb602b9439256b8

(truncated)

v2.30.0

Changelog

New features:

• 53c92120cddf8851deaba184632c14a0bada0f6b Stratus Red Team now supports a YAML configuration file ([core] Add configuration file stratus-red-team#721). See the documentation: https://stratus-red-team.cloud/user-guide/getting-started/#configuration-file

Docs enhancements:

• 67045a5b598b8204ca28b93f260898071f96194b [cmd] - Add example for CLI expand ([cmd] - Add example for CLI expand stratus-red-team#763)

Bug fixes:

• 1ec5593b8a6c791bce11b8511839b4555c640621 Use DisassociateLifecycleConfig instead of setting name to empty string ((fix) AWS Sagemaker Attack Technique - Use DisassociateLifecycleConfig instead of setting name to empty string stratus-red-team#781)

Chores:

• 18ffc8007bec0ce91c684d2765b0f6f0249b4f1a (fix)[CI] - Allow release-assets.githubusercontent.com in harden runner ((fix)[CI] - Allow release-assets.githubusercontent.com in harden runner stratus-red-team#782)
• c5a0a89f925557456c097763f126d076ce53d6bf Fix static analysis CI by using actions/setup-go (Fix static analysis CI by using actions/setup-go stratus-red-team#785)

v2.29.0

Changelog

• b0616e1433b76a80a26e3ce9eccb5121481785e3 Brew formula update for stratus-red-team version v2.28.0 (Brew formula update for stratus-red-team version v2.28.0 stratus-red-team#770)
• 7be0afd4a92c10fcddff85c57e95e1f18e709c80 New attack technique: Elevate to User Access Administrator at Root Scope (Entra ID) (azure entra ID escalation stratus-red-team#771)

v2.28.0

Changelog

Notable changes:

• 42ac9309149d1e1abbac20b8109bc508f073a00b Move the CLI root command to its own package ([cmd] - Move the CLI root command to its own package stratus-red-team#762)

(truncated — see source for full notes)

github.com/spf13/cobra (v1.6.0 → v1.10.2) — GitHub Release

v1.10.2

🔧 Dependencies

• chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @dims in chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

• Fix linter and allow CI to pass by @marckhouzam in Fix linter and allow CI to pass spf13/cobra#2327
• fix: actions/setup-go v6 by @jpmcb in fix: actions/setup-go v6 spf13/cobra#2337

🔥✍🏼 Docs

• Add documentation for repeated flags functionality by @rvergis in Add documentation for repeated flags functionality spf13/cobra#2316

🍂 Refactors

• refactor: replace several vars with consts by @htoyoda18 in refactor: replace several vars with consts spf13/cobra#2328
• refactor: change minUsagePadding from var to const by @ssam18 in refactor: change minUsagePadding from var to const spf13/cobra#2325

🤗 New Contributors

• @rvergis made their first contribution in Add documentation for repeated flags functionality spf13/cobra#2316
• @htoyoda18 made their first contribution in refactor: replace several vars with consts spf13/cobra#2328
• @ssam18 made their first contribution in refactor: change minUsagePadding from var to const spf13/cobra#2325
• @dims made their first contribution in chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 spf13/cobra#2336

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

v1.10.1

🐛 Fix

• chore: upgrade pflags v1.0.9 by @jpmcb in chore: upgrade pflags v1.0.9 spf13/cobra#2305

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

What's Changed

🚨 Attention!

• Bump pflag to 1.0.8 by @tomasaschan in Bump pflag to 1.0.8 spf13/cobra#2303

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

• If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`
• or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: spf13/cobra#2303 (comment)

✨ Features

• Flow context to command in SetHelpFunc by @Frassle in Flow context to command in SetHelpFunc spf13/cobra#2241
• The default ShellCompDirective can be customized for a command and its subcommands by @albers in The default ShellCompDirective can be customized for a command and its subcommands spf13/cobra#2238

🐛 Fix

• Upgrade golangci-lint to v2, address findings by @scop in Upgrade golangci-lint to v2, address findings spf13/cobra#2279

🪠 Testing

• Test with Go 1.24 by @harryzcy in Test with Go 1.24 spf13/cobra#2236
• chore: Rm GitHub Action PR size labeler by @jpmcb in chore: Rm GitHub Action PR size labeler spf13/cobra#2256

📝 Docs

• Remove traling curlybrace by @yedayak in Remove traling curlybrace spf13/cobra#2237
• Update command.go by @styee in Update command.go spf13/cobra#2248
• feat: Add security policy by @jpmcb in feat: Add security policy spf13/cobra#2253
• Update Readme (Warp) by @ericdachen in Update Readme (Warp) spf13/cobra#2267
• Add Periscope to the list of projects using Cobra by @anishathalye in Add Periscope to the list of projects using Cobra spf13/cobra#2299

New Contributors

• @harryzcy made their first contribution in Test with Go 1.24 spf13/cobra#2236
• @yedayak made their first contribution in Remove traling curlybrace spf13/cobra#2237
• @Frassle made their first contribution in Flow context to command in SetHelpFunc spf13/cobra#2241
• @styee made their first contribution in https://gith

(truncated)

v1.9.1

🐛 Fixes

• Fix CompletionFunc implementation by @ccoVeille in fix CompletionFunc implementation spf13/cobra#2234
• Revert "Make detection for test-binary more universal (Make detection for test-binary more universal spf13/cobra#2173)" by @marckhouzam in Revert "Make detection for test-binary more universal (#2173)" spf13/cobra#2235

Full Changelog: spf13/cobra@v1.9.0...v1.9.1

v1.9.0

✨ Features

• Allow linker to perform deadcode elimination for program using Cobra by @aarzilli in Allow linker to perform deadcode elimination for program using Cobra spf13/cobra#1956
• Add default completion command even if there are no other sub-commands by @marckhouzam in Add default completion command even if there are no other sub-commands spf13/cobra#1559
• Add CompletionWithDesc helper by @ccoVeille in feat: add CompletionWithDesc helper spf13/cobra#2231

🐛 Fixes

• Fix deprecation comment for Command.SetOutput by @thaJeztah in Fix deprecation comment for Command.SetOutput spf13/cobra#2172

(truncated — see source for full notes)

github.com/stretchr/testify (v1.9.0 → v1.11.1) — GitHub Release

v1.11.1

This release fixes stretchr/testify#1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

• Backport mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @brackendawson in Backport #1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

• Call stack perf change for CallerInfo by @mikeauclair in Call stack perf change for CallerInfo stretchr/testify#1614
• Lazily render mock diff output on successful match by @mikeauclair in Lazily render mock diff output on successful match stretchr/testify#1615
• assert: check early in Eventually, EventuallyWithT, and Never by @cszczepaniak in assert: check early in Eventually, EventuallyWithT, and Never stretchr/testify#1427
• assert: add IsNotType by @bartventer in assert: add IsNotType stretchr/testify#1730
• assert.JSONEq: shortcut if same strings by @dolmen in assert.JSONEq: shortcut if same strings stretchr/testify#1754
• assert.YAMLEq: shortcut if same strings by @dolmen in assert.YAMLEq: shortcut if same strings stretchr/testify#1755
• assert: faster and simpler isEmpty using reflect.Value.IsZero by @dolmen in assert: faster and simpler isEmpty using reflect.Value.IsZero stretchr/testify#1761
• suite: faster methods filtering (internal refactor) by @dolmen in suite: faster methods filtering (internal refactor) stretchr/testify#1758

Fixes

• assert.ErrorAs: log target type by @craig65535 in assert.ErrorAs: log target type stretchr/testify#1345
• Fix failure message formatting for Positive and Negative asserts in Fix failure message formatting for Positive and Negative asserts stretchr/testify#1062
• Improve ErrorIs message when error is nil but an error was expected by @tsioftas in Improve ErrorIs message when error is nil but an error was expected stretchr/testify#1681
• fix Subset/NotSubset when calling with mixed input types by @siliconbrain in fix Subset/NotSubset when calling with mixed input types stretchr/testify#1729
• Improve ErrorAs failure message when error is nil by @ccoVeille in Improve ErrorAs failure message when error is nil stretchr/testify#1734
• mock.AssertNumberOfCalls: improve error msg by @3scalation in mock.AssertNumberOfCalls: improve error msg stretchr/testify#1743

Documentation, Build & CI

• docs: Fix typo in README by @alexandear in docs: Fix typo in README stretchr/testify#1688
• Replace deprecated io/ioutil with io and os by @alexandear in Replace deprecated io/ioutil with io and os stretchr/testify#1684
• Document consequences of calling t.FailNow() by @greg0i

(truncated)

v1.10.0

What's Changed

Functional Changes

• Add PanicAssertionFunc by @fahimbagar in Add PanicAssertionFunc stretchr/testify#1337
• assert: deprecate CompareType by @dolmen in assert: deprecate CompareType stretchr/testify#1566
• assert: make YAML dependency pluggable via build tags by @dolmen in assert: make YAML dependency pluggable via build tags stretchr/testify#1579
• assert: new assertion NotElementsMatch by @hendrywiranto in assert: new assertion NotElementsMatch stretchr/testify#1600
• mock: in order mock calls by @ReyOrtiz in mock: in order mock calls stretchr/testify#1637
• Add assertion for NotErrorAs by @palsivertsen in Add assertion for NotErrorAs stretchr/testify#1129
• Record Return Arguments of a Call by @jayd3e in Record Return Arguments of a Call stretchr/testify#1636
• assert.EqualExportedValues: accepts everything by @redachl in assert.EqualExportedValues: accepts everything stretchr/testify#1586

Fixes

• assert: make tHelper a type alias by @dolmen in assert: make tHelper a type alias stretchr/testify#1562
• Do not get argument again unnecessarily in Arguments.Error() by @TomWright in Do not get argument again unnecessarily in Arguments.Error() stretchr/testify#820
• Fix time.Time compare by @myxo in Fix time.Time compare stretchr/testify#1582
• assert.Regexp: handle []byte array properly by @kevinburkesegment in assert.Regexp: handle []byte array properly stretchr/testify#1587
• assert: collect.FailNow() should not panic by @marshall-lee in assert: collect.FailNow() should not panic stretchr/testify#1481
• mock: simplify implementation of FunctionalOptions by @dolmen in mock: simplify implementation of FunctionalOptions stretchr/testify#1571
• mock: caller information for unexpected method call by @spirin in mock: caller information for unexpected method call stretchr/testify#1644

(truncated — see source for full notes)

---

Generated by ADMS Sources: 5 GitHub Releases, 7 Changelogs, 1 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.