Update Go dependencies

[silverwind]

Update all non-locked Go dependencies and pin incompatible ones.

• Pin urfave/cli/v3 to v3.4.1 and cli-docs/v3 to v3.0.0-alpha6 via replace (v3.6.2 breaks -c flag parsing)
• Pin go.yaml.in/yaml/v4 to rc.2 via replace (rc.4 changes block scalar serialization)

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR performs a broad set of dependency upgrades across Go and JavaScript ecosystems, including several major version bumps. The main code changes are adaptations to breaking API changes in updated libraries.

Changes:

• Bump major Go dependencies: go-github v74→v84, gocron v1→v2, PAM v1→v2, jsonschema v5→v6, enmime v1→v2, go-gitlab, ntlmssp, and go-ap, with corresponding API adaptation code
• Update minor/patch Go and JS dependencies across the board
• Update GitHub Actions workflow actions (actions/checkout v5→v6, aws-actions/configure-aws-credentials v5→v6)

Reviewed changes

Copilot reviewed 24 out of 27 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
services/migrations/github.go	Adapts to go-github v84: removes ListReviewers pagination loop; updates import path
services/migrations/gitlab.go	Adapts to new go-gitlab API: int→int64 for IDs, restructured pagination options
services/migrations/gitlab_test.go	Updates test types to match int64 ID fields; uses new gitlab.NoteAuthor type
services/mailer/sender/smtp_auth.go	Adapts NTLM auth to go-ntlmssp v0.1.0 (drops GetDomain/ProcessChallenge)
services/mailer/incoming/incoming.go, incoming_test.go	Updates enmime import path to v2
services/cron/cron.go	Adapts to gocron v2: Scheduler interface, non-blocking Start, error-returning Shutdown
services/cron/tasks.go	Adapts job registration to gocron v2 NewJob/CronJob/NewTask API
services/cron/tasks_test.go	Replaces removed scheduler.Clear() with manual job removal in test teardown
routers/api/v1/activitypub/person.go	Adapts to new go-ap API: uses ap.MakeRef([]byte("en")) for language keys
modules/auth/pam/pam.go	Updates PAM import to v2; adds defer t.End() for proper resource cleanup
modules/migration/file_format.go	Adapts jsonschema v6: implements URLLoader interface via schemaLoader struct
modules/migration/schemas_bindata.go, schemas_dynamic.go	Adapts schema loading to return pre-unmarshaled JSON (any) instead of io.ReadCloser
modules/migration/file_format_test.go	Updates jsonschema import to v6
web_src/js/globals.d.ts	Updates jQuery Window type to use JQueryStatic directly (for @types/jquery v4)
package.json	Bumps various JS dependencies
go.mod / go.sum	Updates all Go dependency versions
.github/workflows/*.yml	Updates GitHub Actions versions
assets/go-licenses.json	Adds/updates license entries for new/renamed dependencies
contrib/backport/backport.go	Updates go-github import path to v84
services/migrations/error.go	Updates go-github import path to v84

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[TheFox0x7]

Failures are related. How pam upgrade migration was tested because I know it doesn't run in CI?

I really don't think grouping minor updates and ones that require a rewrite - see migration code especially - is a good idea but I won't object on this since you did the work.

[wxiaoguang]

You should really learn from this:

• Update go dependencies Update go dependencies #36618

[silverwind]

Summary of CI failures:

1. azblob v1.6.2→v1.6.4 sends API version 2026-02-06, which Azurite doesn't support yet (no release timeline)
2. go.yaml.in/yaml/v4 rc.2→rc.4 changed block scalar serialization (|2-→|-), both are valid YAML
3. urfave/cli/v3 v3.4.1→v3.6.2 broke help -c flag parsing and isValidDefaultSubCommand — multiple tests affected, needs code rework

Failures are related. How pam upgrade migration was tested because I know it doesn't run in CI?

we can make it run in CI, it is Linux after all

You should really learn from this:

We will see, I prefer avoid using replace hacks at least

[wxiaoguang]

You should really learn from this:

We will see, I prefer avoid using replace hacks at least

It's not hack. It is the official correct approach, even you ask AI.

I will block non-official hacks for the go dependency management.

[wxiaoguang]

Well, AI really likes removing the test cases that it is unable to handle.

Don't you think it is a breaking change?

[silverwind]

I will block non-official hacks for the go dependency management.

As I see it replace is a escape hatch when you are too lazy to update import paths or when you want to interfere in automatic dependency updates. In all other cases, it's better to directly alter the dependency version.

[silverwind]

1. CI failures addressed
2. PAM test added

@wxiaoguang so what changes do you want? What should be replaced exactly? CI should now pass. The urfave change can not be fixed without downgrading the dependency so we would have to forever remain on the old version.

[wxiaoguang]

I will block non-official hacks for the go dependency management.

As I see it replace is a escape hatch when you are too lazy to update ....

Your "updates" also does so, https://github.com/go-gitea/gitea/blob/main/updates.config.ts . If you say this, then you mean you are also "too lazy".

---

1. CI failures addressed
2. PAM test added

@wxiaoguang so what changes do you want? What should be replaced exactly? CI should now pass.

I have said clearly

• Update Go dependencies #36781 (comment)
• Update Go dependencies #36781 (review)

I won't waste time on this topic for you. Don't ask more, just do it right.

• Update go dependencies #36618 (comment)
• update go #36546 (comment)

[silverwind]

All tests including the new pam tests are passing, but I guess I will just revert all the "controversial" updates, thought I'm still not sure which ones are controversial as no one wants to tell me.

Regarding urfave/cli I think that module should be removed, it's too unstable (does unsolvable breaking changes in patch releases) and probably everything can be implemented using stdlib too.

[TheFox0x7]

probably everything can be implemented using stdlib too

it can, question is are you willing port it and not break anything, while keeping a sane interface? And generate shell completions?

I'm not sure what the issue with bumping versions in go.mod and changing paths on major upgrade but I'm hardly an authority on this. If there's a doc/best practices for this I'd love to read it though, it'll be useful.

[silverwind]

All go dependencies updated again and ready for review.

[silverwind]

Had to pin these as well because of the mcr.microsoft.com/azure-storage/azurite:latest compat issues:

• azcore to v1.19.0
• azblob to v1.6.2
• go-mssqldb to v1.9.7

Should come out green now.

[silverwind]

@wxiaoguang any other concerns? want me to revert more changes? Would like to get this topic off the table.

[wxiaoguang]

Didn't spend time on the changed logic