Update go dependencies #36934

Closed
sebastianertz wants to merge 6 commits into go-gitea:main from sebastianertz:godeps

sebastianertz (Contributor) commented Mar 20, 2026


| | from | to |
| --- | --- | --- |
| github.com/42wim/httpsig | 1.2.3 | 1.2.4 |
| github.com/42wim/sshsig | 0.0.0-20250502153856-5100632e8920 | 0.0.0-20260317195500-b9f38cf0d432 |
| github.com/Azure/azure-sdk-for-go/sdk/azcore | 1.19.0 | 1.21.0 |
| github.com/Azure/go-ntlmssp | 0.0.0-20221128193559-754e6932135 | 0.1.0 |
| github.com/ProtonMail/go-crypto | 1.3.0 | 1.4.1 |
| github.com/PuerkitoBio/goquery | 1.11.0 | 1.12.0 |
| github.com/aws/aws-sdk-go-v2/credentials | 1.19.7 | 1.19.12 |
| github.com/aws/aws-sdk-go-v2/service/codecommit | 1.33.8 | 1.33.11 |
| github.com/caddyserver/certmagic | 0.25.1 | 0.25.2 |
| github.com/go-enry/go-enry/v2 | 2.9.4 | 2.9.5 |
| github.com/go-git/go-billy/v5 | 5.7.0 | 5.8.0 |
| github.com/go-git/go-git/v5 | 5.16.5 | 5.17.0 |
| github.com/go-ldap/ldap/v3 | 3.4.12 | 3.4.13 |
| github.com/go-redsync/redsync/v4 | 4.15.0 | 4.16.0 |
| github.com/go-webauthn/webauthn | 0.13.4 | 0.16.1 |
| github.com/goccy/go-json | 0.10.5 | 0.10.6 |
| github.com/google/pprof | 0.0.0-20260202012954-cb029daf43ef | 0.0.0-20260302011040-a15ffb7f9dcc |
| github.com/klauspost/compress | 1.18.3 | 1.18.5 |
| github.com/lib/pq | 1.11.1 | 1.12.0 |
| github.com/mattn/go-sqlite3 | 1.14.33 | 1.14.37 |
| github.com/meilisearch/meilisearch-go | 0.36.0 | 0.36.1 |
| github.com/microsoft/go-mssqldb | 1.9.6 | 1.9.8 |
| github.com/minio/minio-go/v7 | 7.0.98 | 7.0.99 |
| github.com/redis/go-redis/v9 | 9.17.3 | 9.18.0 |
| github.com/yuin/goldmark | 1.7.16 | 1.7.17 |
| golang.org/x/crypto | 0.47.0 | 0.49.0 |
| golang.org/x/image | 0.35.0 | 0.37.0 |
| golang.org/x/net | 0.49.0 | 0.52.0 |
| golang.org/x/oauth2 | 0.34.0 | 0.36.0 |
| golang.org/x/sync | 0.19.0 | 0.20.0 |
| golang.org/x/sys | 0.40.0 | 0.42.0 |
| golang.org/x/text | 0.33.0 | 0.35.0 |
| google.golang.org/grpc | 1.78.0 | 1.79.3 |
| strk.kbt.io/projects/go/libravatar | 0.0.0-20191008002943-06d1c002b251 | 0.0.0-20260301104140-add494e31dab |

GiteaBot added the lgtm/need 2 label (This PR needs two approvals by maintainers to be considered for merging.) Mar 20, 2026
github-actions bot added the modifies/go (Pull requests that update Go code) and modifies/internal labels Mar 20, 2026
sebastianertz marked this pull request as ready for review March 20, 2026 11:08

bircni (Member) left a comment

Can you confirm that NewAuthenticateMessage in v0.1.0 still handles DOMAIN\user format usernames correctly, or is this a known behavioral change? If the new library no longer parses the domain from the username, users who rely on that format for NTLM SMTP auth would silently break.

sebastianertz (Contributor, Author) commented

> Can you confirm that NewAuthenticateMessage in v0.1.0 still handles DOMAIN\user format usernames correctly, or is this a known behavioral change? If the new library no longer parses the domain from the username, users who rely on that format for NTLM SMTP auth would silently break.

The function NewAuthenticateMessage extracts the domain from the username if needed.

https://github.com/Azure/go-ntlmssp/blob/679c777cd4d937215e617d47aa5f1de0dfad6240/authenticate_message.go#L131

sebastianertz requested a review from bircni March 23, 2026 10:49

bircni (Member) commented Mar 23, 2026

Generated by Claude Code on behalf of @bircni

Notable Updates

github.com/go-webauthn/webauthn 0.13.4 → 0.16.1 ⚠️

  • Largest version jump in this PR (3 minor versions on a pre-1.0 library where semver guarantees don't apply).
  • The license text changed significantly: dropped the Duo Security attribution and now only lists "2025 go-webauthn authors" — indicating substantial project restructuring.
  • The companion package github.com/go-webauthn/x also jumped from 0.1.24 → 0.2.2.
  • No Go source files were changed in this PR. This either means the API was fully backward compatible, or it should be manually verified that Gitea's WebAuthn code still compiles and functions correctly with 0.16.1.
  • WebAuthn is a security-critical path (passkey/FIDO2 login). Regression in this area would silently break hardware key authentication.
  • Recommendation: Confirm CI passes authentication-related integration tests, and check the library's changelog for breaking changes between 0.13.x and 0.16.x.

github.com/mitchellh/mapstructure removed → github.com/go-viper/mapstructure/v2 v2.5.0 added (indirect)

  • mitchellh/mapstructure is now archived/unmaintained upstream. The go-viper/mapstructure/v2 fork is its community continuation.
  • This is an indirect dependency — it comes in transitively through the webauthn update (the new webauthn version moved to the v2 fork). The replacement is appropriate.
  • License is unchanged (MIT in both cases, same original author).

golang.org/x/crypto 0.47.0 → 0.49.0

  • Security-relevant. Pulling in two releases' worth of cryptographic fixes. This is a good update.

golang.org/x/net 0.49.0 → 0.52.0

  • Three releases; also security-relevant for HTTP handling. Good to have.

github.com/go-git/go-git/v5 5.16.5 → 5.17.0

  • Minor version bump on a core dependency. go-git is used for a lot of Gitea's internal git operations. Should be backward compatible but worth keeping an eye on CI results.

google.golang.org/grpc 1.78.0 → 1.79.3

  • Patch-level update. Low risk.

assets/go-licenses.json

  • Correctly removes the mitchellh/mapstructure entry and adds go-viper/mapstructure/v2.
  • Updates go-webauthn/webauthn license text to match the new version's LICENSE file. The content is still BSD-3-Clause; only the copyright holder attribution changed.
  • minio/minlz license is removed — this package was an indirect dependency of an older minio version and is no longer needed.

Summary

| Area | Assessment |
| --- | --- |
| Routine bumps (crypto, net, grpc, sqlite3, redis, etc.) | Low risk, good hygiene |
| go-webauthn/webauthn 0.13.4 → 0.16.1 | Needs verification — large jump on pre-1.0 security library with no source changes |
| mapstructure → go-viper/mapstructure/v2 | Correct and expected |
| License file | Accurate |

The PR is well-formed and follows the right process (license file updated). The main open question is whether the webauthn jump was tested end-to-end, especially hardware key login/registration flows. If CI covers those paths, this is ready.
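
An added example, not part of the PR thread or of Gitea's code: one way to triage a from/to table like the one in this PR by semantic-version risk, so that pre-1.0 minor jumps and pseudo-version changes stand apart from routine bumps. The `Bump` type, the `Classify` function and the category names are assumptions made for this illustration, and the pseudo-version pattern is simplified.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Bump is one row of a from/to dependency table (hypothetical type).
type Bump struct{ Module, From, To string }
// Simplified Go pseudo-version shape: base version, 14-digit timestamp, commit hash.
var pseudoRe = regexp.MustCompile(`^\d+\.\d+\.\d+-(0\.)?\d{14}-[0-9a-f]+$`)
// parse returns [major, minor, patch] for versions such as "0.13.4" or "v1.2.3-rc1".
func parse(v string) (p [3]int, err error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	_, err = fmt.Sscanf(core, "%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err
}

// Classify names a review category for a bump (category names are illustrative).
func Classify(b Bump) string {
	if pseudoRe.MatchString(b.From) || pseudoRe.MatchString(b.To) {
		return "pseudo-version" // untagged commit involved: read the commit range
	}
	from, errFrom := parse(b.From)
	to, errTo := parse(b.To)
	switch {
	case errFrom != nil || errTo != nil:
		return "unparsed"
	case from[0] != to[0]:
		return "major"
	case from[1] != to[1] && to[0] == 0:
		return "pre-1.0-minor" // semver allows breaking changes in 0.y.z
	case from[1] != to[1]:
		return "minor"
	}
	return "patch"
}

func main() {
	rows := []Bump{ // rows taken from the table in the PR description
		{"github.com/go-webauthn/webauthn", "0.13.4", "0.16.1"},
		{"github.com/Azure/go-ntlmssp", "0.0.0-20221128193559-754e6932135", "0.1.0"},
		{"github.com/42wim/httpsig", "1.2.3", "1.2.4"},
	}
	for _, r := range rows {
		fmt.Printf("%-15s %s %s -> %s\n", Classify(r), r.Module, r.From, r.To)
	}
}
```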

bircni (Member) commented Mar 23, 2026

I'd say it's good but I am not that familiar with the go reps maybe @wxiaoguang could have a look?

lunny (Member) commented Mar 23, 2026

It's better not to upgrade too many dependencies in one PR.

wxiaoguang (Contributor) commented

> I'd say it's good but I am not that familiar with the go reps maybe @wxiaoguang could have a look?

I won't approve this one, because there is already one: Update Go dependencies #36781. In most cases, the early ones should have higher priority.

I won't spend time on Update Go dependencies #36781, because the author "don't feel like talking against a wall", I don't want to talk to a wall either. context: #36541 (comment), #36546, #36618

wxiaoguang (Contributor) commented Mar 23, 2026

> It's better not to upgrade too many dependencies in one PR.

If you'd like to make "constructive" reviews, you should either: show how to do it "better", or do it "better" by yourself.

btw: I don't think opening dozens or even hundreds of PRs to update dependencies is better.

bircni closed this Mar 24, 2026
sebastianertz deleted the godeps branch March 26, 2026 07:31
Labels

lgtm/need 2 (This PR needs two approvals by maintainers to be considered for merging.), modifies/dependencies, modifies/go (Pull requests that update Go code)

5 participants