build(deps): bump the go_modules group across 3 directories with 10 updates #17

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go_modules-924e31962c

dependabot (Bot) commented on behalf of github on Feb 24, 2026

Bumps the go_modules group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/coredns/coredns | 1.11.1 | 1.14.0 |
| github.com/eclipse/paho.mqtt.golang | 1.4.3 | 1.5.1 |
| github.com/nats-io/nats-server/v2 | 2.9.23 | 2.11.12 |
| github.com/rs/cors | 1.10.1 | 1.11.0 |
| github.com/lestrrat-go/jwx | 1.2.26 | 1.2.29 |

Bumps the go_modules group with 1 update in the /docs/debugging/inspect directory: golang.org/x/crypto.
Bumps the go_modules group with 1 update in the /docs/debugging/s3-verify directory: golang.org/x/crypto.

Updates github.com/coredns/coredns from 1.11.1 to 1.14.0

Release notes

Sourced from github.com/coredns/coredns's releases.

v1.14.0

This release focuses on security hardening and operational reliability. Core updates introduce a regex length limit to reduce resource-exhaustion risk. Plugin updates improve error consolidation (show_first), reduce misleading SOA warnings, add Kubernetes API rate limiting, enhance metrics with plugin chain tracking, and fix issues in azure and sign. This release also includes additional security fixes; see the security advisory for details.

Brought to You By

cangming pasteley Raisa Kabir Ross Golder rusttech Syed Azeez Ville Vesilehto Yong Tang

Noteworthy Changes

v1.13.2

This release adds initial support for DoH3 and includes several core performance and stability fixes, including reduced allocations, a resolved data race in uniq, and safer QUIC listener initialization. Plugin updates improve forwarder reliability, extend GeoIP schema support, and fix issues in secondary, nomad, and kubernetes. Cache and file plugins also receive targeted performance tuning.

Deprecations: The GeoIP plugin currently returns 0 for missing latitude/longitude, even though 0,0 is a real location. In the next release, this behavior will change: missing coordinates will return an empty string instead. This avoids conflating “missing” with a real coordinate. Users relying on 0 as a sentinel value should update their logic before this change takes effect. See PR #7732 for reference.

Brought to You By

Alicia Y Andrey Smirnov Brennan Kinney Charlie Vieth Endre Szabo

... (truncated)

Commits
  • 1c964f2 Bump version to 1.14.0 (#7803)
  • b723bd9 fix(plugins): add regex length limit (#7802)
  • adba778 Refactor: Update the cache getter function (#7800)
  • 6dca5b2 fix(lint): address G114 gosec findings in ready, pprof, and health plugins (#...
  • 7b38eb8 plugin: fix gosec G115 integer overflow warnings (#7799)
  • be934b2 perf(metrics): implement plugin chain tracking (#7791)
  • b21c752 chore(lint): enable gosec (#7792)
  • 1e0095d build(deps): bump github.com/oschwald/geoip2-golang/v2 (#7797)
  • 748f494 build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#7796)
  • 376c712 chore(ci): bump golangci-lint to v2.7.2 (#7783)
  • Additional commits viewable in compare view

Updates github.com/eclipse/paho.mqtt.golang from 1.4.3 to 1.5.1

Release notes

Sourced from github.com/eclipse/paho.mqtt.golang's releases.

v1.5.1

This is a minor release incorporating changes made in the 14 months since v1.5.0 (including updating dependencies, and raising the Go version to 1.24). The changes are relatively minor but address a potential security issue (CVE-2025-10543), possible panic, enable users to better monitor the connection status, and incorporate a few optimisations.

Thanks to those who have provided fixes/enhancements included in this release!

Special thanks to Paul Gerste at Sonar for reporting issue #730 via the Eclipse security team (fix was implemented in PR #714 in May, github issue created just prior to this release). This issue arose where a topic > 65535 bytes was passed to the Publish function; due to the way the data was encoded, the topic could leak into the message body. Please see issue #730 or CVE-2025-10543 for further details.

What's Changed

Full Changelog: eclipse-paho/paho.mqtt.golang@v1.5.0...v1.5.1

v1.5.0

In the year since the release of v1.4.3 the majority of changes have been small incremental improvements/fixes. One notable change is that Go v1.20+ is now required (due to PR #646).

What's Changed

New Contributors

Full Changelog: eclipse-paho/paho.mqtt.golang@v1.4.3...v1.5.0

Commits
  • b305237 Update dependencies in docker examples
  • 35ee03d Potential panic when using manual ACK
  • 433bd22 address data race in test
  • 4debe3a Potential panic when using manual ACK
  • 601453b Resolve issues in fvt_client_test
  • 439e2ab Dependency update (also rise Go version to 1.24)
  • d276593 ConnectionNotificationHandler - generic callback for all types of connection ...
  • 8a350a9 notifications
  • 5620c5e notifications
  • 45048cc notifications
  • Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

Commits

Updates github.com/nats-io/nats-server/v2 from 2.9.23 to 2.11.12

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.12

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

Dependencies

  • github.com/nats-io/nkeys v0.4.12 (#7578)
  • github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op (#7604)
  • github.com/klauspost/compress v1.18.3 (#7736)
  • golang.org/x/crypto v0.47.0 (#7736)
  • golang.org/x/sys v0.40.0 (#7736)
  • github.com/google/go-tpm v0.9.8 (#7696)
  • github.com/nats-io/nats.go v1.48.0 (#7696)

Added

General

  • Added WebSocket-specific ping interval configuration with ping_internal in the websocket block (#7614)

Monitoring

  • Added tls_cert_not_after to the varz monitoring endpoint for showing when TLS certificates are due to expire (#7709)

Improved

JetStream

  • The scan for the last sourced message sequence when setting up a subject-filtered source is now considerably faster (#7553)
  • Consumer interest checks on interest-based streams are now significantly faster when there are large gaps in interest (#7656)
  • Creating consumer file stores no longer contends on the stream lock, improving consumer create performance on heavily loaded streams (#7700)
  • Recalculating num pending with updated filter subjects no longer gathers and sorts the subject filter list twice (#7772)
  • Switching to interest-based retention will now remove no-interest messages from the head of the stream (#7766)

MQTT

  • Retained messages will now work correctly even when sourced from a different account and has a subject transform (#7636)

Fixed

General

  • WebSocket connections will now correctly limit the buffer size during decompression (#7625, thanks to Pavel Kokout at Aisle Research)
  • The config parser now correctly detects and errors on self-referencing environment variables (#7737)
  • Internal functions for handling headers should no longer corrupt message bodies if appended (#7752)

... (truncated)

Commits
  • 2d97cb7 Release v2.11.12
  • ea9680a Cherry-picks for 2.11.12 (#7776)
  • eb53e0d [IMPROVED] Remove no interest messages from head of stream
  • dc0d365 [FIXED] Many concurrent checkInterestState goroutines
  • 360db02 [FIXED] Interest stream desync after consumer filter update
  • 74802ff [IMPROVED] Simplify recalculate pending with updated filter subject(s)
  • 6f77800 Release v2.11.12-RC.7
  • 134ebc2 Revert "Perform _writeFullState under read lock only"
  • ddd1442 Release v2.11.12-RC.6
  • 59b2eb8 Cherry-picks for 2.11.12-RC.6 (#7768)
  • Additional commits viewable in compare view

Updates github.com/rs/cors from 1.10.1 to 1.11.0

Commits
  • 4c32059 Normalize allowed request headers and store them in a sorted set (fixes #170)...
  • 8d33ca4 Complete documentation; deprecate AllowOriginRequestFunc in favour of AllowOr...
  • af821ae Merge branch 'jub0bs-master'
  • 0bcf73f Update benchmark
  • eacc8e8 Fix skewed middleware benchmarks (#165)
  • 9297f15 Respect the documented precedence of options (#163)
  • 73f81b4 Fix readme benchmark rendering (#161)
  • See full diff in compare view

Updates golang.org/x/crypto from 0.14.0 to 0.47.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.13.0 to 0.34.0

Commits
  • acc3815 endpoints: fix %q verb use with wrong type
  • f28b0b5 all: fix some comments
  • fd15e0f x/oauth2: populate RetrieveError from DeviceAuth
  • 792c877 oauth2: use strings.Builder instead of bytes.Buffer
  • 014cf77 all: upgrade go directive to at least 1.24.0 [generated]
  • 3c76ce5 endpoints: correct Naver OAuth2 endpoint URLs
  • cf14319 oauth2: fix expiration time window check
  • 32d34ef internal: include clientID in auth style cache key
  • 2d34e30 oauth2: replace a magic number with AuthStyleUnknown
  • 696f7b3 all: modernize with doc links and any
  • Additional commits viewable in compare view

Updates github.com/lestrrat-go/jwx from 1.2.26 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

  • [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

    Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28

v1.2.28 09 Jan 2024

[Security Fixes]

  • [jws] JWS messages formatted in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possibility of a DoS.

    This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message lacking a protected header. Calling `jws.Verify` on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27

v1.2.27 - 03 Dec 2023

[Security]

  • [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack, similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as unlike v2, v1 attempts to decrypt JWEs on JWTs by default. [GHSA-7f9x-gw85-8grf]

[Bug Fixes]

  • [jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

  • [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

    Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28 09 Jan 2024 [Security Fixes]

  • [jws] JWS messages formatted in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possibility of a DoS.

    This has been fixed so that the jws.Parse function succeeds in parsing a JWS message lacking a protected header. Calling jws.Verify on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27 - 03 Dec 2023 [Security]

[Bug Fixes]

  • [jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

Commits

Updates golang.org/x/net from 0.17.0 to 0.48.0

Commits
  • 35e1306 go.mod: update golang.org/x dependencies
  • 7c36036 http2, webdav, websocket: fix %q verb uses with wrong type
  • ec11ecc trace: fix data race in RenderEvents
  • bff14c5 http2: don't PING a responsive server when resetting a stream
  • 88a6421 dns/dnsmessage: avoid use of "strings" and "math" in dns/dnsmessage
  • 123d099 http2: support net/http.Transport.NewClientConn
  • 346cc61 webdav: relax test to check for any redirect status, not just 301
  • 9a29643 go.mod: update golang.org/x dependencies
  • 07cefd8 context: deprecate
  • 5ac9dac publicsuffix: don't treat ip addresses as domain names
  • Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.31.0 to 1.36.11

Updates golang.org/x/crypto from 0.6.0 to 0.45.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.14.0 to 0.45.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.17.0 to 0.47.0

Commits
  • 35e1306 go.mod: update golang.org/x dependencies
  • 7c36036 http2, webdav, websocket: fix %q verb uses with wrong type
  • ec11ecc trace: fix data race in RenderEvents
  • bff14c5 http2: don't PING a responsive server when resetting a stream
  • 88a6421 dns/dnsmessage: avoid use of "strings" and "math" in dns/dnsmessage
  • 123d099 http2: support net/http.Transport.NewClientConn
  • 346cc61 webdav: relax test to check for any redirect status, not just 301
  • 9a29643 go.mod: update golang.org/x dependencies
  • 07cefd8 context: deprecate
  • 5ac9dac publicsuffix: don't treat ip addresses as domain names
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.
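The error-handling pitfall described in the golang-jwt v4.5.1 notes above, as an added Go example that is not code from this PR or from the library. It uses only the standard library: `parse`, `sign` and the `err...` sentinels are local stand-ins (assumed names) for ParseWithClaims, jwt.ErrTokenExpired and jwt.ErrTokenSignatureInvalid, and the tokens are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Local stand-ins for the library's sentinel errors (assumed names).
var (
	errTokenExpired     = errors.New("token is expired")
	errSignatureInvalid = errors.New("signature is invalid")
	errMalformed        = errors.New("token is malformed")
	b64                 = base64.RawURLEncoding
)

// sign builds a compact HS256 token; used only to construct sample input.
func sign(payload string, key []byte) string {
	body := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(payload))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + b64.EncodeToString(mac.Sum(nil))
}

// parse joins every problem it finds into one error, as the note describes.
func parse(token string, key []byte, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errMalformed
	}
	var claims struct{ Exp int64 }
	raw, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return errMalformed
	}
	var errs []error
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		errs = append(errs, errSignatureInvalid)
	}
	if now.Unix() >= claims.Exp {
		errs = append(errs, errTokenExpired)
	}
	return errors.Join(errs...)
}

// expiredOnlyLenient is the flawed check: true even with a bad signature.
func expiredOnlyLenient(err error) bool { return errors.Is(err, errTokenExpired) }

// expiredOnlyStrict rules out every other failure before honouring expiry.
func expiredOnlyStrict(err error) bool {
	if errors.Is(err, errSignatureInvalid) || errors.Is(err, errMalformed) {
		return false
	}
	return errors.Is(err, errTokenExpired)
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Unix(1700000000, 0)
	err := parse(sign(`{"sub":"alice","exp":1600000000}`, []byte("other-key")), key, now)
	fmt.Println("bad signature and expired:", expiredOnlyLenient(err), expiredOnlyStrict(err), err)
}
```

Callers that branch on expiry, for example to offer a refresh, should reject on any signature or format error first and only then look at the expiry error.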

…pdates

Bumps the go_modules group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/coredns/coredns](https://github.com/coredns/coredns) | `1.11.1` | `1.14.0` |
| [github.com/eclipse/paho.mqtt.golang](https://github.com/eclipse/paho.mqtt.golang) | `1.4.3` | `1.5.1` |
| [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) | `2.9.23` | `2.11.12` |
| [github.com/rs/cors](https://github.com/rs/cors) | `1.10.1` | `1.11.0` |
| [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) | `1.2.26` | `1.2.29` |

Bumps the go_modules group with 1 update in the /docs/debugging/inspect directory: [golang.org/x/crypto](https://github.com/golang/crypto).
Bumps the go_modules group with 1 update in the /docs/debugging/s3-verify directory: [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `github.com/coredns/coredns` from 1.11.1 to 1.14.0
- [Release notes](https://github.com/coredns/coredns/releases)
- [Commits](coredns/coredns@v1.11.1...v1.14.0)

Updates `github.com/eclipse/paho.mqtt.golang` from 1.4.3 to 1.5.1
- [Release notes](https://github.com/eclipse/paho.mqtt.golang/releases)
- [Commits](eclipse-paho/paho.mqtt.golang@v1.4.3...v1.5.1)

Updates `github.com/golang-jwt/jwt/v4` from 4.5.0 to 4.5.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v4.5.0...v4.5.2)

Updates `github.com/nats-io/nats-server/v2` from 2.9.23 to 2.11.12
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](nats-io/nats-server@v2.9.23...v2.11.12)

Updates `github.com/rs/cors` from 1.10.1 to 1.11.0
- [Commits](rs/cors@v1.10.1...v1.11.0)

Updates `golang.org/x/crypto` from 0.14.0 to 0.47.0
- [Commits](golang/crypto@v0.6.0...v0.45.0)

Updates `golang.org/x/oauth2` from 0.13.0 to 0.34.0
- [Commits](golang/oauth2@v0.13.0...v0.34.0)

Updates `github.com/lestrrat-go/jwx` from 1.2.26 to 1.2.29
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.29/Changes)
- [Commits](lestrrat-go/jwx@v1.2.26...v1.2.29)

Updates `golang.org/x/net` from 0.17.0 to 0.48.0
- [Commits](golang/net@v0.17.0...v0.48.0)

Updates `google.golang.org/protobuf` from 1.31.0 to 1.36.11

Updates `golang.org/x/crypto` from 0.6.0 to 0.45.0
- [Commits](golang/crypto@v0.6.0...v0.45.0)

Updates `golang.org/x/crypto` from 0.14.0 to 0.45.0
- [Commits](golang/crypto@v0.6.0...v0.45.0)

Updates `golang.org/x/net` from 0.17.0 to 0.47.0
- [Commits](golang/net@v0.17.0...v0.48.0)

---
updated-dependencies:
- dependency-name: github.com/coredns/coredns
  dependency-version: 1.14.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/eclipse/paho.mqtt.golang
  dependency-version: 1.5.1
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.11.12
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/rs/cors
  dependency-version: 1.11.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.47.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.34.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/lestrrat-go/jwx
  dependency-version: 1.2.29
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.48.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.11
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.47.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
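The topic-length problem described in the paho.mqtt.golang v1.5.1 notes above, as an added Go example that is not code from this PR or from the library. It assumes the cause is the 2-byte length prefix that MQTT places before a topic string; the function names are hypothetical and the packet is constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const maxTopicLen = 0xFFFF // largest value a 2-byte length prefix can hold

var errTopicTooLong = errors.New("topic exceeds 65535 bytes")

// encodeUnchecked builds the body of a QoS 0 PUBLISH (fixed header omitted).
// The plain uint16 conversion wraps silently for lengths above 65535.
func encodeUnchecked(topic string, payload []byte) []byte {
	var buf bytes.Buffer
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(topic)))
	buf.Write(n[:])
	buf.WriteString(topic)
	buf.Write(payload)
	return buf.Bytes()
}

// encodeChecked refuses a topic that the length prefix cannot represent.
func encodeChecked(topic string, payload []byte) ([]byte, error) {
	if len(topic) > maxTopicLen {
		return nil, fmt.Errorf("%w: got %d", errTopicTooLong, len(topic))
	}
	return encodeUnchecked(topic, payload), nil
}

// decode splits the body as a receiver does: read the prefix, take that many
// bytes as the topic, and treat everything after it as the message body.
func decode(pkt []byte) (topic string, payload []byte, err error) {
	if len(pkt) < 2 {
		return "", nil, errors.New("short packet")
	}
	n := int(binary.BigEndian.Uint16(pkt))
	if len(pkt) < 2+n {
		return "", nil, errors.New("truncated topic")
	}
	return string(pkt[2 : 2+n]), pkt[2+n:], nil
}

func main() {
	// Constructed input: 65541 bytes, which wraps to a prefix of 5.
	topic := "t/ok/" + strings.Repeat("S", 65536)
	got, body, _ := decode(encodeUnchecked(topic, []byte("hello")))
	fmt.Printf("receiver sees topic=%q, body of %d bytes\n", got, len(body))
	_, err := encodeChecked(topic, []byte("hello"))
	fmt.Println("checked encoder:", err)
}
```

With the unchecked encoder the receiver parses a 5-byte topic and a body that begins with the remaining topic bytes; the checked encoder returns an error before anything is written.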

Labels

  • dependencies: Pull requests that update a dependency file
  • go: Pull requests that update go code
