fix(deps): vuln minor upgrades — 11 packages (minor: 7 · patch: 4) [server]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 11 packages upgraded (MINOR changes included)

Manifests changed:

• server (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
google.golang.org/grpc	v1.66.1	v1.80.0	minor	Direct	3 CRITICAL
github.com/go-jose/go-jose/v4	v4.0.5	v4.1.4	minor	Transitive	1 HIGH
github.com/coreos/go-oidc/v3	v3.11.0	v3.18.0	minor	Direct	-
github.com/grpc-ecosystem/grpc-gateway/v2	v2.22.0	v2.29.0	minor	Direct	-
github.com/labstack/echo/v4	v4.13.4	v4.15.1	minor	Direct	-
github.com/stretchr/testify	v1.10.0	v1.11.1	minor	Direct	-
github.com/urfave/cli/v2	v2.3.0	v2.27.7	minor	Direct	-
github.com/gorilla/securecookie	v1.1.1	v1.1.2	patch	Direct	-
go.temporal.io/api	v1.62.2	v1.62.9	patch	Direct	-
google.golang.org/protobuf	v1.36.5	v1.36.11	patch	Direct	-
gopkg.in/validator.v2	v2.0.0-20210331031555-b37d688a7fb0	v2.0.1	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
google.golang.org/grpc	GHSA-p77j-4mvh-x3m3	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.66.1	1.79.3
google.golang.org/grpc	CVE-2026-33186	CRITICAL	gRPC-Go has an authorization bypass via missing leading slash in :path	v1.66.1	-
google.golang.org/grpc	GO-2026-4762	CRITICAL	Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc	v1.66.1	1.79.3
github.com/go-jose/go-jose/v4	GHSA-78h2-9frx-2jm8	HIGH	Go JOSE Panics in JWE decryption	v4.0.5	4.1.4

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/urfave/cli/v2	v2.3.0	-	v2.27.7	server/go.mod
gopkg.in/validator.v2	v2.0.0-20210331031555-b37d688a7fb0	-	v2.0.1	server/go.mod

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

google.golang.org/grpc (v1.66.1 → v1.80.0) — GitHub Release

v1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see balancer: use case-sensitive balancer registries grpc/grpc-go#5288 for details. (balancer: introduce env flag for case-sensitive registry grpc/grpc-go#8837)
• xds: update resource error handling and re-resolution logic (xds: change cdsbalancer to use update from dependency manager grpc/grpc-go#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (xds/clusterresolver: implement gRFC A61 changes for LOGICAL_DNS clusters grpc/grpc-go#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (credentials/tls: verify overwritten authority against only leaf certificate grpc/grpc-go#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (xds: decouple A76 and A86 EDS metadata parsing grpc/grpc-go#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (xds/xdsclient: add EDS sum of endpoint weights does not exceed MaxUint32 grpc/grpc-go#8899)
  • Special Thanks: @RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (xds: fix copy-paste bug in WeightExpirationPeriod config grpc/grpc-go#8915)
  • Special Thanks: @gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (xds/rbac: add additional handling for addresses with ports grpc/grpc-go#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (ringhash: enable behaviors of A76 by default grpc/grpc-go#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (credentials/alts: Pool write buffers grpc/grpc-go#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server

(truncated)

v1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (grpc: enforce strict path checking for incoming requests on the server grpc/grpc-go#8981)

v1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (client: process RPC stats/tracing only when a handler is configured grpc/grpc-go#8874)

v1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (Change version to 1.79.1 grpc/grpc-go#8902)

v1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (mem: Allow overriding the default buffer pool. grpc/grpc-go#8806)
  • Special Thanks: @vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (xds: remove references to ResolverState.Addresses grpc/grpc-go#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (stats/otel: a79 scaffolding to register an async gauge metric and api to record it- part 3 grpc/grpc-go#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (*: Implementation of weighted random shuffling (A113) grpc/grpc-go#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81) grpc/grpc-go#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (balancer/randomsubsetting: Implementation of the random_subsetting LB policy grpc/grpc-go#8650)
  • Special Thanks: @marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (credentials/tls: Strip port before validating authority override grpc/grpc-go#8726)
  • Special Thanks: @Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (priority: prevent init timer restarting when a child transitions from CONNECTING to CONNECTING grpc/grpc-go#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (grpc: initialize decompressor for health check streams grpc/grpc-go#8765)
  • Special Thanks: @sanki92

(truncated — see source for full notes)

github.com/go-jose/go-jose/v4 (v4.0.5 → v4.1.4) — GitHub Release

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @mcpherrinm in Remove Go 1.23 support go-jose/go-jose#205
• Reject JWS with an unprotected critical b64 header by @mcpherrinm in Reject JWS with an unprotected critical b64 header go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @mcpherrinm in Update go-jose documentation go-jose/go-jose#198
• Remove dependency on testify by @wardviaene in Remove dependency on testify go-jose/go-jose#197
• Improve error message for invalid private keys by @ProjectMutilation in Improve error message for invalid private keys go-jose/go-jose#195
• JWK unsupported error when unmarshalling by @fprojetto in JWK unsupported error when unmarshalling go-jose/go-jose#191
• Add JSONWebKey type to makeJWERecipient by @alvarolivie in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200
• testutils/assert: remove True, Nil, NotNil by @jsha in testutils/assert: remove True, Nil, NotNil go-jose/go-jose#202

New Contributors

• @wardviaene made their first contribution in Remove dependency on testify go-jose/go-jose#197
• @fprojetto made their first contribution in JWK unsupported error when unmarshalling go-jose/go-jose#191
• @alvarolivie made their first contribution in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

• Drop go-cmp dependency by @mcpherrinm in Drop go-cmp dependency go-jose/go-jose#186
• jws: improve performance and allocations for ParseSignedCompact by @drakkan in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• Add missing quote to unknown curve message Missing single tick in error message go-jose/go-jose#170 by @sudhanvaghebbale in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• Fix incorrect validation by @ProjectMutilation in Fix incorrect validation go-jose/go-jose#192
• Restore Go 1.23 compatibility by @anuraaga in Restore Go 1.23 compatibility go-jose/go-jose#193

New Contributors

• @drakkan made their first contribution in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• @sudhanvaghebbale made their first contribution in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• @ProjectMutilation made their first contribution in Fix incorrect validation go-jose/go-jose#192
• @anuraaga made their first contribution in Restore Go 1.23 compatibility go-jose/go-jose#193

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

What's Changed

• Document signatureAlgorithms argument by @tgeoghegan in Document signatureAlgorithms argument go-jose/go-jose#163
• Add custom error for unsupported JWS signature algorithms by @beautifulentropy in Add custom error for unsupported JWS signature algorithms go-jose/go-jose#181
• use stdlib pbkdf2 package on go 1.24 by @kruskall in feat: use stdlib pbkdf2 package on go 1.24 go-jose/go-jose#180
• The minimum supported Go version is now 1.24

New Contributors

• @kruskall made their first contribution in feat: use stdlib pbkdf2 package on go 1.24 go-jose/go-jose#180

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

github.com/coreos/go-oidc/v3 (v3.11.0 → v3.18.0) — GitHub Release

v3.18.0

What's Changed

• .github: configure dependabot by @ericchiang in .github: configure dependabot coreos/go-oidc#477
• .github: update go versions in CI by @ericchiang in .github: update go versions in CI coreos/go-oidc#480
• build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0 by @dependabot[bot] in build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0 coreos/go-oidc#478
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 coreos/go-oidc#479

Full Changelog: coreos/go-oidc@v3.17.0...v3.18.0

v3.17.0

What's Changed

• oidc: improve error message for mismatched issuer URLs by @ericchiang in oidc: improve error message for mismatched issuer URLs coreos/go-oidc#469

Full Changelog: coreos/go-oidc@v3.16.0...v3.17.0

v3.16.0

What's Changed

• refactor: Remove unused time injection from RemoteKeySet by @ponimas in refactor: Remove unused time injection from RemoteKeySet coreos/go-oidc#466
• bump go to 1.24, remove 1.23 support, bump go-jose dependency, remove x/net dependency by @wardviaene in bump go to 1.24, remove 1.23 support, bump go-jose dependency, remove x/net dependency coreos/go-oidc#467

New Contributors

• @wardviaene made their first contribution in bump go to 1.24, remove 1.23 support, bump go-jose dependency, remove x/net dependency coreos/go-oidc#467

Full Changelog: coreos/go-oidc@v3.15.0...v3.16.0

v3.15.0

What's Changed

• oidc: verify the ID Token's signature before processing claims by @ericchiang in oidc: verify the ID Token's signature before processing claims coreos/go-oidc#464

Full Changelog: coreos/go-oidc@v3.14.1...v3.15.0

v3.14.1

What's Changed

• oidctest: fix import by @ericchiang in oidctest: fix import coreos/go-oidc#457

Full Changelog: coreos/go-oidc@v3.14.0...v3.14.1

v3.14.0

What's Changed

• oidc/oidctest: add new package by @ericchiang in oidc/oidctest: add new package coreos/go-oidc#400

Full Changelog: coreos/go-oidc@v3.13.0...v3.14.0

v3.13.0

What's Changed

• *: bump dependency versions by @ericchiang in *: bump dependency versions coreos/go-oidc#453

Full Changelog: coreos/go-oidc@v3.12.0...v3.13.0

v3.12.0

What's Changed

• oidc: add JSON tags to ProviderConfig by @ericchiang in oidc: add JSON tags to ProviderConfig coreos/go-oidc#446

Full Changelog: coreos/go-oidc@v3.11.0...v3.12.0

github.com/grpc-ecosystem/grpc-gateway/v2 (v2.22.0 → v2.29.0) — GitHub Release

v2.29.0

What's Changed

• fix: use proto.Merge to avoid copylocks with use_opaque_api=true by @emahiro in fix: use proto.Merge to avoid copylocks with use_opaque_api=true grpc-ecosystem/grpc-gateway#6383
• fix: allow proto3 optional fields in path parameters by @susanachl in fix: allow proto3 optional fields in path parameters grpc-ecosystem/grpc-gateway#6416
• Add option to disable HTTP method override by @achew22 in Add option to disable HTTP method override grpc-ecosystem/grpc-gateway#6447
• Add Go documentation badge to README by @achew22 in Add Go documentation badge to README grpc-ecosystem/grpc-gateway#6448
• fix: add missing return statements in error handler paths by @jet-go in fix: add missing return statements in error handler paths grpc-ecosystem/grpc-gateway#6561
• Deprecate fields and methods if file is deprecated by @aidandj in Deprecate fields and methods if file is deprecated grpc-ecosystem/grpc-gateway#6613
• Add edition 2024 support by @printfn in Add edition 2024 support grpc-ecosystem/grpc-gateway#6622

New Contributors

• @emahiro made their first contribution in fix: use proto.Merge to avoid copylocks with use_opaque_api=true grpc-ecosystem/grpc-gateway#6383
• @susanachl made their first contribution in fix: allow proto3 optional fields in path parameters grpc-ecosystem/grpc-gateway#6416
• @jet-go made their first contribution in fix: add missing return statements in error handler paths grpc-ecosystem/grpc-gateway#6561
• @aidandj made their first contribution in Deprecate fields and methods if file is deprecated grpc-ecosystem/grpc-gateway#6613
• @printfn made their first contribution in Add edition 2024 support grpc-ecosystem/grpc-gateway#6622

Full Changelog: grpc-ecosystem/grpc-gateway@v2.28.0...v2.29.0

v2.28.0

What's Changed

• feat: add option to disable chunked headers by @irenarindos in feat: add option to disable chunked headers grpc-ecosystem/grpc-gateway#6354
• fix(protoc-gen-openapiv2): fix panic on enum resolution in nested messages by @franchb in fix(protoc-gen-openapiv2): fix panic on enum resolution in nested messages grpc-ecosystem/grpc-gateway#6367

New Contributors

• @irenarindos made their first contribution in feat: add option to disable chunked headers grpc-ecosystem/grpc-gateway#6354

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.8...v2.28.0

v2.27.8

What's Changed

• Fix opaque missing imports casing by @kellen-miller in Fix opaque missing imports casing grpc-ecosystem/grpc-gateway#6304
• Revert "fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files" by @johanbrandhorst in Revert "fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files" grpc-ecosystem/grpc-gateway#6309
• fix(protoc-gen-openapiv2): fix naming cache for multi-file generation by @franchb in fix(protoc-gen-openapiv2): fix naming cache for multi-file generation grpc-ecosystem/grpc-gateway#6315
• fix(openapiv2): exclude oneof fields from required with proto3 field semantics by @sessa in fix(openapiv2): exclude oneof fields from required with proto3 field semantics grpc-ecosystem/grpc-gateway#6335

New Contributors

• @sessa made their first contribution in fix(openapiv2): exclude oneof fields from required with proto3 field semantics grpc-ecosystem/grpc-gateway#6335

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.7...v2.27.8

v2.27.7

Re-release of v2.26.7 as v2.27.7 for correct semver ordering.

v2.26.7

What's Changed

• Revert "feat(generator): harden opaque imports and fix snake case to go casing" by @johanbrandhorst in Revert "feat(generator): harden opaque imports and fix snake case to go casing" grpc-ecosystem/grpc-gateway#6299

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.6...v2.26.7

v2.27.6

What's Changed

• feat(generator): harden opaque imports and fix snake case to go casing by @kellen-miller in feat(generator): harden opaque imports and fix snake case to go casing grpc-ecosystem/grpc-gateway#6279
• fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files by @franchb in fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files grpc-ecosystem/grpc-gateway#6275

New Contributors

• @franchb made their first contribution in fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files grpc-ecosystem/grpc-gateway#6275

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.5...v2.27.6

v2.27.5

What's Changed

• Issue5799 by @rohitlohar45 in Issue5799 grpc-ecosystem/grpc-gateway#6123
• fix: Add example repo in Java to README by @majiayu000 in fix: Add example repo in Java to README grpc-ecosystem/grpc-gateway#6199
• fix: Use summary/description instead of title for field comments in openapi gen by @iamrajiv in fix: Use summary/description instead of title for field comments in openapi gen grpc-ecosystem/grpc-gateway#6223
• fix(gengateway): use pointer for bodyData in OpaqueAPI PATCH requests by @kop in fix(gengateway): use pointer for bodyData in OpaqueAPI PATCH requests grpc-ecosystem/grpc-gateway#6246
• fix(gengateway): use opaque chain for setting path params by @kellen-miller in fix(gengateway): use opaque chain for setting path params grpc-ecosystem/grpc-gateway#6215

New Contributors

• @majiayu000 made their first contribution in fix: Add example repo in Java to README grpc-ecosystem/grpc-gateway#6199
• @kellen-miller made their first contribution in fix(gengateway): use opaque chain for setting path params grpc-ecosystem/grpc-gateway#6215

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.4...v2.27.5

v2.27.4

What's Changed

• feat: support deprecated field for OpenAPI parameters by @lachlancooper in feat: support deprecated field for OpenAPI parameters grpc-ecosystem/grpc-gateway#6068
• fix(openapiv2): Invalid entries in body parameter schema required array when using body: "field_name" by @rdark in fix(openapiv2): Invalid entries in body parameter schema required array when using body: "field_name" grpc-ecosystem/grpc-gateway#6088
• fix(openapiv2): prevent nested required fields hoisting to parent schema by @rdark in fix(openapiv2): prevent nested required fields hoisting to parent schema grpc-ecosystem/grpc-gateway#6078

(truncated — see source for full notes)

github.com/labstack/echo/v4 (v4.13.4 → v4.15.1) — GitHub Release

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF
protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship
between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to
traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},

    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks r

_(truncated)_

### v4.14.0

`middleware.Logger()` has been deprecated. For request logging, use `middleware.RequestLogger()` or
`middleware.RequestLoggerWithConfig()`.

`middleware.RequestLogger()` replaces `middleware.Logger()`, offering comparable configuration while relying on the
Go standard library’s new `slog` logger.

The previous default output format was JSON. The new default follows the standard `slog` logger settings.
To continue emitting request logs in JSON, configure `slog` accordingly:
```go
slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, nil)))
e.Use(middleware.RequestLogger())

If you are developing anything more substantial than a demo, use middleware.RequestLoggerWithConfig()

Security

• Logger middleware json string escaping and deprecation by @aldas in Logger middleware json string escaping and deprecation labstack/echo#2849

What's Changed

• Update deps by @aldas in Update deps  labstack/echo#2807
• refactor to use reflect.TypeFor by @cuiweixie in refactor to use reflect.TypeFor labstack/echo#2812
• Use Go 1.25 in CI by @aldas in Use Go 1.25 in CI labstack/echo#2810
• Modernize context.go by replacing interface{} with any by @vishr in Modernize context.go by replacing interface{} with any labstack/echo#2822
• Fix typo in SetParamValues comment by @vishr in Fix typo in SetParamValues comment labstack/echo#2828
• Fix typo in ContextTimeout middleware comment by @vishr in Fix typo in ContextTimeout middleware comment labstack/echo#2827
• Improve BasicAuth middleware: use strings.Cut and RFC compliance by @vishr in Improve BasicAuth middleware: use strings.Cut and RFC compliance labstack/echo#2825
• Fix duplicate plus operator in router backtracking logic by @yuya-morimoto in Fix duplicate plus operator in router backtracking logic labstack/echo#2832
• Replace custom private IP range check with built-in net.IP.IsPrivate by @kumapower17 in Replace custom private IP range check with built-in net.IP.IsPrivate labstack/echo#2835
• Ensure proxy connection is closed in proxyRaw function(Connection not closed in proxy middleware labstack/echo#2837) by @kumapower17 in Ensure proxy connection is closed in proxyRaw function(#2837) labstack/echo#2838
• Update deps by @aldas in Update deps labstack/echo#2843

(truncated)

github.com/stretchr/testify (v1.10.0 → v1.11.1) — GitHub Release

v1.11.1

This release fixes stretchr/testify#1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

• Backport mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @brackendawson in Backport #1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

• Call stack perf change for CallerInfo by @mikeauclair in Call stack perf change for CallerInfo stretchr/testify#1614
• Lazily render mock diff output on successful match by @mikeauclair in Lazily render mock diff output on successful match stretchr/testify#1615
• assert: check early in Eventually, EventuallyWithT, and Never by @cszczepaniak in assert: check early in Eventually, EventuallyWithT, and Never stretchr/testify#1427
• assert: add IsNotType by @bartventer in assert: add IsNotType stretchr/testify#1730
• assert.JSONEq: shortcut if same strings by @dolmen in assert.JSONEq: shortcut if same strings stretchr/testify#1754
• assert.YAMLEq: shortcut if same strings by @dolmen in assert.YAMLEq: shortcut if same strings stretchr/testify#1755
• assert: faster and simpler isEmpty using reflect.Value.IsZero by @dolmen in assert: faster and simpler isEmpty using reflect.Value.IsZero stretchr/testify#1761
• suite: faster methods filtering (internal refactor) by @dolmen in suite: faster methods filtering (internal refactor) stretchr/testify#1758

Fixes

• assert.ErrorAs: log target type by @craig65535 in assert.ErrorAs: log target type stretchr/testify#1345
• Fix failure message formatting for Positive and Negative asserts in Fix failure message formatting for Positive and Negative asserts stretchr/testify#1062
• Improve ErrorIs message when error is nil but an error was expected by @tsioftas in Improve ErrorIs message when error is nil but an error was expected stretchr/testify#1681
• fix Subset/NotSubset when calling with mixed input types by @siliconbrain in fix Subset/NotSubset when calling with mixed input types stretchr/testify#1729
• Improve ErrorAs failure message when error is nil by @ccoVeille in Improve ErrorAs failure message when error is nil stretchr/testify#1734
• mock.AssertNumberOfCalls: improve error msg by @3scalation in mock.AssertNumberOfCalls: improve error msg stretchr/testify#1743

Documentation, Build & CI

• docs: Fix typo in README by @alexandear in docs: Fix typo in README stretchr/testify#1688
• Replace deprecated io/ioutil with io and os by @alexandear in Replace deprecated io/ioutil with io and os stretchr/testify#1684
• Document consequences of calling t.FailNow() by @greg0i

(truncated)

go.temporal.io/api (v1.62.2 → v1.62.9) — GitHub Release

v1.62.9

Full Changelog: temporalio/api-go@v1.62.8...v1.62.9

v1.62.8

What's Changed

• Enable concurrent payload visiting by @jmaeagle99 in Enable concurrent payload visiting temporalio/api-go#244
• Fix proto generation for new subdirectories by @rkannan82 in Fix proto generation for new subdirectories temporalio/api-go#248

Full Changelog: temporalio/api-go@v1.62.7...v1.62.8

v1.62.7

What's Changed

• Context hook for payload visitor by @jmaeagle99 in Context hook for payload visitor temporalio/api-go#243

New Contributors

• @jmaeagle99 made their first contribution in Context hook for payload visitor temporalio/api-go#243

Full Changelog: temporalio/api-go@v1.62.6...v1.62.7

v1.62.6

What's Changed

• Automatic request header support by @tconley1428 in Automatic request header support temporalio/api-go#236

New Contributors

• @tconley1428 made their first contribution in Automatic request header support temporalio/api-go#236

Full Changelog: temporalio/api-go@v1.62.5...v1.62.6

v1.62.5

Full Changelog: temporalio/api-go@v1.62.4...v1.62.5

v1.62.4

Full Changelog: temporalio/api-go@v1.62.3...v1.62.4

v1.62.3

What's Changed

• Fix protogen to only compile .proto files by @rkannan82 in Fix protogen to only compile .proto files temporalio/api-go#238

New Contributors

• @rkannan82 made their first contribution in Fix protogen to only compile .proto files temporalio/api-go#238

Full Changelog: temporalio/api-go@v1.62.2...v1.62.3

google.golang.org/protobuf (v1.36.5 → v1.36.11) — GitHub Release

v1.36.11

Full Changelog: protocolbuffers/protobuf-go@v1.36.10...v1.36.11

User-visible changes:
CL/726780: encoding/prototext: Support URL chars in type URLs in text-format.

Bug fixes:
CL/728680: internal/impl: check recursion limit in lazy decoding validation
CL/711015: reflect/protodesc: fix handling of import options in dynamic builds

Maintenance:
CL/728681: reflect/protodesc: add support for edition unstable
CL/727960: all: add EDITION_UNSTABLE support
CL/727940: types: regenerate using latest protobuf v33.2 release
CL/727140: internal/testprotos/lazy: convert .proto files to editions
CL/723440: cmd/protoc-gen-go: add missing annotations for few generated protobuf symbols.
CL/720980: internal/filedesc: remove duplicative Message.unmarshalOptions
CL/716360: internal/encoding/tag: use proto3 defaults if proto3
CL/716520: proto: un-flake TestHasExtensionNoAlloc
CL/713342: compiler/protogen: properly filter option dependencies in go-protobuf plugin.
CL/711200: proto: add test for oneofs containing messages with required fields
CL/710855: proto: add explicit test for a non-nil but empty byte slice

v1.36.10

Full Changelog: protocolbuffers/protobuf-go@v1.36.9...v1.36.10

Bug fixes:
CL/704415: reflect/protodesc: edition-2024-specific properties should not be lost when converting FileDescriptorProto to protoreflect.FileDescriptor

Maintenance:
CL/708555: internal/race_test: add missing impl.LazyEnabled() t.Skip
CL/703295: proto: add more invalid group encoding test cases
CL/703276: internal/impl: verify lazy unmarshal on Deterministic encoding
CL/703275: internal/impl: stop using deprecated .Field in lazy_test.go
CL/702795: all: update to latest github.com/google/go-cmp

v1.36.9

Full Changelog: protocolbuffers/protobuf-go@v1.36.8...v1.36.9

User-visible changes:
CL/699715: cmd/protoc-gen-go: add test for "import option" directive
CL/699115: internal/editionssupport: declare support for edition 2024
CL/697595: editions: Fix spelling mistake in panic message

v1.36.8

Maintenance:

CL/696316: all: set Go language version to Go 1.23
CL/696315: types: regenerate using latest protobuf v32 release

v1.36.7

Maintenance / optimizations:

CL/683955: encoding/protowire: micro-optimize SizeVarint (-20% on Intel)
CL/674055: internal/impl: remove unnecessary atomic access for non-lazy lists
CL/674015: impl: remove unnecessary nil check from presence.Present
CL/673495: types/descriptorpb: regenerate using latest protobuf v31 release
CL/670516: cmd/protoc-gen-go: centralize presence and lazy logic into filedesc
CL/670515: internal: move usePresenceForField to internal/filedesc
CL/670275: internal/impl: clean up usePresenceForField() (no-op)

v1.36.6

Full Changelog: protocolbuffers/protobuf-go@v1.36.5...v1.36.6

User-visible changes:
CL/657895: internal_gengo: generate a const string literal for the raw descriptor
CL/653536: proto: Add CloneOf[M Message](m M) M

Maintenance:
CL/649135: all: set Go language version to Go 1.22
CL/654955: types/descriptorpb: regenerate using latest protobuf v30 release

---

Generated by ADMS Sources: 8 GitHub Releases, 3 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.