chore(deps): bump the go-modules group across 1 directory with 18 updates

[dependabot]

Bumps the go-modules group with 17 updates in the / directory:

Package	From	To
cloud.google.com/go/cloudsqlconn	1.21.2	1.22.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity	1.13.1	1.14.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys	1.4.0	1.5.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob	1.7.0	1.8.0
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs	1.75.2	1.77.0
github.com/aws/aws-sdk-go-v2/service/eks	1.84.6	1.87.0
github.com/flanksource/clicky	1.21.18	1.21.25
github.com/labstack/echo/v4	4.15.2	4.15.4
github.com/onsi/ginkgo/v2	2.29.0	2.31.0
github.com/onsi/gomega	1.40.0	1.42.0
github.com/prometheus/common	0.68.1	0.69.0
github.com/testcontainers/testcontainers-go	0.42.0	0.43.0
google.golang.org/api	0.283.0	0.285.0
k8s.io/api	0.36.1	0.36.2
k8s.io/client-go	0.36.1	0.36.2
modernc.org/sqlite	1.51.0	1.53.0
github.com/aws/aws-sdk-go-v2/service/s3	1.102.2	1.104.0

Updates cloud.google.com/go/cloudsqlconn from 1.21.2 to 1.22.0

Release notes

Sourced from cloud.google.com/go/cloudsqlconn's releases.

v1.22.0

1.22.0 (2026-06-11)

Features

• Support AI Developer Edition connections through the Cloud SQL Auth Proxy (#1108) (116b2e5)

Changelog

Sourced from cloud.google.com/go/cloudsqlconn's changelog.

1.22.0 (2026-06-11)

Features

• Support AI Developer Edition connections through the Cloud SQL Auth Proxy (#1108) (116b2e5)

Commits

• 460c91b chore(main): release 1.22.0 (#1113)
• 116b2e5 feat: Support AI Developer Edition connections through the Cloud SQL Auth Pro...
• See full diff in compare view

Updates github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.13.1 to 1.14.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azidentity's releases.

sdk/azidentity/v1.14.0

1.14.0 (2026-06-15)

Breaking Changes

These changes affect only code written against a beta version such as v1.14.0-beta.3

• Removed WorkloadIdentityCredentialOptions.EnableAzureProxy. It will return in v1.15.0-beta.1

Bugs Fixed

• AzureDeveloperCLICredential improved reporting of error messages returned from azd

Other Changes

• Returned azidentity errors include links to the troubleshooting guide when appropriate
• This module now requires a minimum Go version of 1.25
• Upgraded dependencies

Commits

• 0495c20 Prep azcore 1.14.0 for release (#23293)
• 217edee fix(generator tool): filter tsp-client diagnostics log (#23292)
• 023c88f Increment package version after release of azidentity (#23290)
• 17f3361 Sync eng/common directory with azure-sdk-tools for PR 8760 (#23271)
• f5f3234 bump proxy to one with an audit log and more correct locking (#23288)
• d707091 Prepare azidentity v1.8.0-beta.2 for release (#23289)
• 84d213c NewManagedIdentityCredential returns an error for unsupported ID options (#23...
• ea67e9c azcontainerregistry: move method to function (#23270)
• 40dad0a fix (#23287)
• a368082 fix generator tool: ExecuteGoGenerate func (#23286)
• Additional commits viewable in compare view

Updates github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys from 1.4.0 to 1.5.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys's releases.

sdk/security/keyvault/azadmin/v1.5.0

1.5.0 (2026-05-25)

Other Changes

• Upgraded to API service version 2025-07-01

sdk/security/keyvault/azkeys/v1.5.0

1.5.0 (2026-05-25)

Other Changes

• Upgraded to API service version 2025-07-01

sdk/security/keyvault/azcertificates/v1.5.0

1.5.0 (2026-05-26)

Features Added

• Includes all changes from 1.5.0-beta.1.

sdk/security/keyvault/azsecrets/v1.5.0

1.5.0 (2026-05-26)

Features Added

• Includes all changes from 1.5.0-beta.1.

sdk/data/azcosmos/v1.5.0-beta.7

1.5.0-beta.7 (2026-06-02)

Features Added

• Added retry policy for transient 500, 502, and 504 server errors on read requests. The request is retried once in the current region and, if applicable, once against the next preferred region. Writes are not retried. This matches the behavior of the .NET, Java, and Python Cosmos SDKs. See PR 26821.

Bugs Fixed

• Fixed missing OTel tracing spans for internal queries executed by ReadManyItems. Each per-partition query page now creates a query_items span, matching the tracing behavior of NewQueryItemsPager. See PR 26813.
• 403/WriteForbidden retries refresh the global endpoint manager fire-and-forget (CAS-gated) instead of blocking on a synchronous gem.Update. See PR 26889.
• Connection-error retry policy now attempts up to 3 retries against the current region before failing over, and performs at most one cross-region failover per call. Cross-region failover for writes only occurs when the error proves the request never reached the service (DNS, dial, TLS handshake, ECONNREFUSED, etc.); writes on ambiguous transport failures (e.g. ECONNRESET, EOF, transport-level timeouts) no longer fail over to another region, avoiding potential duplicate writes. Reads still fail over for any transport error. Caller-set context deadlines or cancellations short-circuit the policy without consuming the caller's budget with retries. See PR 26858 and PR 26915.
• HTTP 408 Request Timeout responses are now handled by the Cosmos client retry policy: reads are retried exactly once against another region, and writes are returned to the caller immediately to avoid potential duplicates. See PR 26858.
• Fixed excessive GetDatabaseAccount HTTP calls when using preferred regions, and stopped data-plane retries from trailing into the customer-supplied (default) endpoint once account topology is populated. See PR 26815.
• Partition key range cache now serves concurrent callers from a single in-flight refresh per container, and the cached routing map remains readable while a refresh is in progress. The refresh runs on a detached background context.Background() so a caller's cancellation no longer aborts the shared fetch for other waiters; each caller continues to honor its own context deadline. See PR 26855.
• Partition key range cache change-feed pagination is now resilient to mid-drain throttling. 429 responses are retried indefinitely (with capped linear backoff + jitter) since the service is explicitly asking the client to slow down, and the pages already accumulated are preserved instead of restarting the drain from page 1 on the next refresh. See PR 26855.

Other Changes

• Tightened the default HTTP client: 5s dial timeout (down from azcore's 30s), 65s http.Client.Timeout wall-clock cap per HTTP attempt (was unbounded), larger idle connection pool (1000 total / 100 per host, up from azcore's 100 / 10), and faster HTTP/2 health checks. Caller-supplied Transport and shorter context deadlines are unaffected. See PR 26856.

sdk/resourcemanager/networkcloud/armnetworkcloud/v1.5.0-beta.1

1.5.0-beta.1 (2026-05-06)

Features Added

• New value CloudServicesNetworkStorageStatusStatusInitializing, CloudServicesNetworkStorageStatusStatusNone, CloudServicesNetworkStorageStatusStatusRepairing added to enum type CloudServicesNetworkStorageStatusStatus

... (truncated)

Commits

• f4ab3aa Remove arm/ClientOptions.AuxiliaryTenants (#20573)
• a554ef0 Remove azcore multitenant auth API (#20572)
• 0a42300 PutBlobFromURL/UploadBlobFromURL API (#20558)
• be3f449 Fix azcore changelog entry (#20569)
• 380d05a Fix regression - base name overrides in CI (#20563)
• 4bdfb89 Modified challenge policy test (#20554)
• 5ab558f Added support for copy source authorization to append block from url (#20557)
• d2534f7 [Azquery][Readme] Edit pass (#20382)
• e9c77a5 Bump credscan to 2.3.12.23 (#20562)
• dd74ea3 Transaction Validation - Blob Client (#20550)
• Additional commits viewable in compare view

Updates github.com/Azure/azure-sdk-for-go/sdk/storage/azblob from 1.7.0 to 1.8.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/storage/azblob's releases.

sdk/storage/azblob/v1.8.0

1.8.0 (2026-06-15)

Features Added

• Includes all features from 1.8.0-beta.1 and 1.8.0-beta.2

sdk/storage/azblob/v1.8.0-beta.2

1.8.0-beta.2 (2026-06-03)

Features Added

• Added support for the Expect: 100-continue HTTP header on requests with a body. The new ExpectContinueBehavior field on ClientOptions configures the behavior via ExpectContinueOptions. By default (ExpectContinueModeApplyOnThrottle) the header is sent for one minute after a 429, 500, or 503 response is received; the interval can be overridden via ExpectContinueOptions.ThrottleInterval. Other modes are ExpectContinueModeOn (always send) and ExpectContinueModeOff (never send). Set the environment variable AZURE_STORAGE_DISABLE_EXPECT_CONTINUE_HEADER=true to disable the feature regardless of ClientOptions.

Commits

• 42def97 Add breaking changes to release notes (#21696)
• 112db83 Azcore v1.8.0 (#21694)
• 204a3c4 Prep azcore v1.7.2 for release (#21506)
• 89497f5 Add changelog entry for WASM fix (#21493)
• 0414a4b Transport dialer: setting nil for wasm build (#21451)
• b1db0be Enable TLS renegotiation (#21182)
• See full diff in compare view

Updates github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.75.2 to 1.77.0

Commits

• 5c34f50 Release 2025-02-14
• 9f9feba Regenerated Clients
• 0a277d8 Update API model
• 11e6ab9 Remove max limit on event stream messages (#3009)
• ccde625 Release 2025-02-13
• 97cd707 Regenerated Clients
• a153c09 Update API model
• 147ea96 Release 2025-02-12
• 036ff43 Regenerated Clients
• 81a152e Update API model
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/eks from 1.84.6 to 1.87.0

Commits

• 0ab2d66 Release 2025-08-11
• ae81008 Regenerated Clients
• 6cf56c1 Update endpoints model
• 5e25292 Update API model
• 14e9fb7 upgrade to smithy v1.61.0
• fcdf6ab regen
• 2230299 fix changelog
• 76aa8d7 feat: add support for per service options to Config (#3145)
• 8afe327 Release 2025-08-08
• 4d6e55d Regenerated Clients
• Additional commits viewable in compare view

Updates github.com/flanksource/clicky from 1.21.18 to 1.21.25

Release notes

Sourced from github.com/flanksource/clicky's releases.

v1.21.25

1.21.25 (2026-06-20)

✅ Tests

• batch: uncomment TestBatch_ErrorIdentification (1baedde)
• formatters: cover map[string]any input for markdown paths (2dd611a), closes flanksource/clicky#38

🐛 Bug Fixes

• batch: detect item timeout by elapsed time, not context state (391e6f5)
• formatters: handle map input in ToPrettyData (c21fd39)

v1.21.24

1.21.24 (2026-06-16)

✨ Features

• aichat: add newer Anthropic models (56ed4f0)

🐛 Bug Fixes

• aichat: set Anthropic max tokens (d6f4892)

v1.21.23

1.21.23 (2026-06-15)

✨ Features

• exec: add process supervision with resource limits and port detection (e8972b6), closes #123
• webapp: Wire ChatWidget to operations client for tool parity (b542518)

v1.21.22

1.21.22 (2026-06-15)

🐛 Bug Fixes

• Improve in-memory timeseries store write performance (#110) (bf79215)

v1.21.21

1.21.21 (2026-06-14)

🔧 Maintenance

... (truncated)

Changelog

Sourced from github.com/flanksource/clicky's changelog.

1.21.25 (2026-06-20)

✅ Tests

• batch: uncomment TestBatch_ErrorIdentification (1baedde)
• formatters: cover map[string]any input for markdown paths (2dd611a), closes flanksource/clicky#38

🐛 Bug Fixes

• batch: detect item timeout by elapsed time, not context state (391e6f5)
• formatters: handle map input in ToPrettyData (c21fd39)

1.21.24 (2026-06-16)

✨ Features

• aichat: add newer Anthropic models (56ed4f0)

🐛 Bug Fixes

• aichat: set Anthropic max tokens (d6f4892)

1.21.23 (2026-06-15)

✨ Features

• exec: add process supervision with resource limits and port detection (e8972b6), closes #123
• webapp: Wire ChatWidget to operations client for tool parity (b542518)

1.21.22 (2026-06-15)

🐛 Bug Fixes

• Improve in-memory timeseries store write performance (#110) (bf79215)

1.21.21 (2026-06-14)

🔧 Maintenance

• add Apache 2.0 license (1ef624b)

1.21.20 (2026-06-14)

... (truncated)

Commits

• d39e72e chore(release): 1.21.25 [skip ci]
• 391e6f5 fix(batch): detect item timeout by elapsed time, not context state
• 1baedde test(batch): uncomment TestBatch_ErrorIdentification
• c21fd39 fix(formatters): handle map input in ToPrettyData
• 2dd611a test(formatters): cover map[string]any input for markdown paths
• fafaaed chore(release): 1.21.24 [skip ci]
• 56ed4f0 feat(aichat): add newer Anthropic models
• d6f4892 fix(aichat): set Anthropic max tokens
• 3e7da2d chore(release): 1.21.23 [skip ci]
• b542518 feat(webapp): Wire ChatWidget to operations client for tool parity
• Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits

• ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
• 2714c07 Changelog for v4.15.4 - security fix
• 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
• d16a4ec backport PR 3016 from v4
• 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
• 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
• 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
• 11a3cc4 Update dependencies and add ignore for linting
• 26bd016 Update CI action versions
• aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
• Additional commits viewable in compare view

Updates github.com/onsi/ginkgo/v2 from 2.29.0 to 2.31.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.31.0

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

v2.30.0

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

• Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

• Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

Commits

• 3c7bde4 v2.31.0
• e479459 add claude skills
• 31e9912 v2.30.0
• a79cdbb Document running multiple suites in a single test process
• 800291a Allow extensions/globals.Reset to support re-running RunSpecs
• 4f62d7a Fix nested --github-output group for progress report nested inside timeline
• See full diff in compare view

Updates github.com/onsi/gomega from 1.40.0 to 1.42.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.0

1.42.0

Add a set of Claude skill as a marketplace plugin

v1.41.0

No release notes provided.

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.0

Add a set of Claude skill as a marketplace plugin

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

Commits

• 35ca084 v1.42.0
• d72697b v1.42.0 (full)
• 1f95d86 add a set of claude skills as a marketplace plugin
• af2bccb v1.41.0
• 73e81f6 v1.41.0 (full)
• e35a84f feat: devcontainer configuration with local pkgsite and GH pages
• f12e5e1 fix(format): detect pointer cycles to avoid runaway formatting output
• e14831f Add optionalDescription docs to AsyncAssertion and Assertion interfaces
• 344b94d Add BeASlice and BeAnArray matchers
• See full diff in compare view

Updates github.com/prometheus/common from 0.68.1 to 0.69.0

Release notes

Sourced from github.com/prometheus/common's releases.

v0.69.0

What's Changed

• config: strip credentials on cross-host redirects by @​roidelapluie in prometheus/common#901
• Modernize Go by @​SuperQ in prometheus/common#919
• config: make isCrossHostRedirect sticky across the redirect chain by @​roidelapluie in prometheus/common#920
• config: check cross-host redirect before OAuth2 token fetch by @​roidelapluie in prometheus/common#921
• expfmt: fix nil pointer panic when parsing empty braces "{}" by @​roidelapluie in prometheus/common#922
• model: reduce allocations in Time.UnmarshalJSON by @​bboreham in prometheus/common#918
• config: resolve LoadHTTPConfigFile paths relative to the config file by @​roidelapluie in prometheus/common#925

Full Changelog: prometheus/common@v0.68.1...v0.69.0

Changelog

Sourced from github.com/prometheus/common's changelog.

v0.69.0 / 2026-06-17

Security / behavior changes

• config: credentials are no longer forwarded across cross-host redirects. When FollowRedirects is enabled, the HTTP client now strips Authorization, Cookie, Proxy-Authorization and other sensitive headers, and skips basic-auth, bearer-token and OAuth2 credentials, when a redirect points to a different host. This aligns with Go's net/http behavior. Callers that relied on credentials being sent to a redirect target on another host will need to target that host directly. #901 #920 #921
• config: LoadHTTPConfigFile now resolves relative file paths (e.g. *_file credentials, http_headers files) against the config file's own directory instead of its parent directory. Configs that worked around the old behavior by prefixing paths with the config's directory name must drop that prefix. #925

Bugfixes

• expfmt: fix nil pointer panic when parsing empty braces {}. #922
• model: fix Time.UnmarshalJSON for larger negative numbers. #918

Performance

• model: reduce allocations in Time.UnmarshalJSON. #918

Internal

• Synchronize common files from prometheus/prometheus. #917
• Modernize Go. #919

Full Changelog: prometheus/common@v0.68.1...v0.69.0

v0.67.2 / 2025-10-28

What's Changed

• config: Fix panic in tlsRoundTripper when CA file is absent by @​ndk in prometheus/common#792
• Cleanup linting issues by @​SuperQ in prometheus/common#860

New Contributors

• @​ndk made their first contribution in prometheus/common#792

Full Changelog: prometheus/common@v0.67.1...v0.67.2

v0.67.1 / 2025-10-07

What's Changed

• Remove VERSION file to avoid Go conflict error in prometheus/common#853

Full Changelog: prometheus/common@v0.67.0...v0.67.1

v0.67.0 / 2025-10-07

What's Changed

• Create CHANGELOG.md for easier communication of library changes, especially possible breaking changes. by @​ywwg in prometheus/common#833
• model: New test for validation with dots by @​m1k1o in prometheus/common#759
• expfmt: document NewTextParser as required by @​burgerdev in prometheus/common#842
• expfmt: Add support for float histograms and gauge histograms by @​beorn7 in prometheus/common#843
• Updated minimum Go version to 1.24.0, updated Go dependecies by @​SuperQ in prometheus/common#849

... (truncated)

Commits

• e3c14a0 Merge pull request #925 from roidelapluie/roidelapluie/fix-loadhttpconfigfile...
• a7b791d config: resolve LoadHTTPConfigFile paths relative to the config file
• f84efec Merge pull request #918 from prometheus/time-split
• 2269d3d Merge pull request #922 from roidelapluie/roidelapluie/fix-textparse-empty-br...
• a1600af expfmt: fix nil pointer panic when parsing empty braces "{}"
• 56fe395 Merge pull request #921 from roidelapluie/roidelapluie/oauth2-cross-host-check
• 0fcda47 Merge pull request #920 from roidelapluie/roidelapluie/cross-host-sticky
• 30ba470 Merge pull request #919 from prometheus/superq/modernize
• 2b55b3e config: check cross-host redirect before OAuth2 token fetch
• 428856f config: make isCrossHostRedirect sticky across the redirect chain
• Additional commits viewable in compare view

Updates github.com/testcontainers/testcontainers-go from 0.42.0 to 0.43.0

Release notes

Sourced from github.com/testcontainers/testcontainers-go's releases.

v0.43.0

What's Changed

⚠️ Breaking Changes

• chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650) @​thaJeztah

Users of wait.ForSQL need to follow the new API contract, using Moby's network.Port instead of string when building the callback function to check the URL. Please see https://golang.testcontainers.org/features/wait/sql/

• feat!: add PullImageWithPlatform to DockerProvider (#3710) @​blueprismo

Users implementing their own testcontainers.ImageProvider need to implement the new PullImageWithPlatform method introduced by this PR.

🚀 Features

• feat(k3s): pull image opts (#3716) @​blueprismo
• feat(wait): implement AnyMultiStrategy: ForAny equivalent to ForAll. (#3719) @​jeanbza
• feat(eventhubs): add WithAzuriteContainer and functional-options config builder (#3722) @​mdelapenya
• feat!: add PullImageWithPlatform to DockerProvider (#3710) @​blueprismo
• feat(modules/dex): add Dex OIDC provider module (#3659) @​guilycst

🐛 Bug Fixes

• fix(security): remove debug code that leaks Docker credentials (#3721) @​mdelapenya
• fix(ollama): align local exec test with Ollama 0.30.6 log format (#3715) @​mdelapenya
• fix: close temp file handle before removal (#3672) @​acouvreur
• fix(compose): close docker clients to prevent goroutine leaks (#3661) @​mdelapenya
• fix: wait for log production goroutine to drain on stop (#3660) @​mdelapenya

📖 Documentation

• chore: update usage metrics (2026-06) (#3714) @github-actions[bot]

🧹 Housekeeping

• chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650) @​thaJeztah
• chore: update usage metrics (2026-05) (#3670) @github-actions[bot]
• chore: remove cgroupnsMode setting from K3s container configuration (#3653) @​lixin9311

📦 Dependency updates

• chore(deps): update dependencies to latest versions in go.mod and go.sum (#3729) @​Steven-Harris
• chore: bump sshd-docker image to 1.4.0 (#3727) @​mdelapenya
• chore(deps): bump Ryuk to v0.14.0 (#3313) @​mdelapenya
• chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#3713) @dependabot[bot]
• chore(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0 (#3712) @dependabot[bot]
• chore(deps): bump mkdocs-include-markdown-plugin from 7.2.2 to 7.3.0 (#3711) @dependabot[bot]
• chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.3 (#3677) @dependabot[bot]
• chore(deps): bump idna from 3.11 to 3.15 (#3708) @dependabot[bot]
• chore(deps): bump github.com/containerd/containerd/v2 from 2.2.2 to 2.2.4 in /modules/compose (#3709) @dependabot[bot]
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#3704) @dependabot[bot]

... (truncated)

Commits

• 0835739 chore: use new version (v0.43.0) in modules and examples
• 85b6d70 chore(deps): update dependencies to latest versions in go.mod and go.sum (#3729)
• 8360f71 feat(k3s): pull image opts (#3716)
• b5e7022 chore: bump sshd-docker image to 1.4.0 (#3727)
• 1c05dd5 chore(deps): bump Ryuk to v0.14.0 (#3313)
• 96ab095 feat(wait): implement AnyMultiStrategy: ForAny equivalent to ForAll. (#3719)
• 42ac7d2 chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650)
• ab312e0 chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#3713)
• c5c95e5 chore(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0 (#3712)
• 465d002 chore(deps): bump mkdocs-include-markdown-plugin from 7.2.2 to 7.3.0 (#3711)
• Additional commits viewable in compare view

Updates google.golang.org/api from 0.283.0 to 0.285.0

Release notes

Sourced from google.golang.org/api's releases.

Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​onsi/​gomega@​v1.40.0 ⏵ v1.42.0	-1
	github.com/​labstack/​echo/​v4@​v4.15.2 ⏵ v4.15.4	+1
	github.com/​flanksource/​clicky@​v1.21.18 ⏵ v1.21.25	+1
	k8s.io/​apimachinery@​v0.36.1 ⏵ v0.36.2
	k8s.io/​client-go@​v0.36.1 ⏵ v0.36.2
	k8s.io/​api@​v0.36.1 ⏵ v0.36.2
	google.golang.org/​api@​v0.283.0 ⏵ v0.285.0	+1
	github.com/​prometheus/​common@​v0.68.1 ⏵ v0.69.0
	modernc.org/​sqlite@​v1.51.0 ⏵ v1.53.0	+9
	github.com/​Azure/​azure-sdk-for-go/​sdk/​storage/​azblob@​v1.7.0 ⏵ v1.8.0	-2
	github.com/​Azure/​azure-sdk-for-go/​sdk/​azidentity@​v1.13.1 ⏵ v1.14.0	-3
	github.com/​onsi/​ginkgo/​v2@​v2.29.0 ⏵ v2.31.0	+1
	github.com/​testcontainers/​testcontainers-go@​v0.42.0 ⏵ v0.43.0
	github.com/​aws/​aws-sdk-go-v2/​service/​s3@​v1.102.2 ⏵ v1.104.0
	cloud.google.com/​go/​cloudsqlconn@​v1.21.2 ⏵ v1.22.0
	github.com/​aws/​aws-sdk-go-v2/​service/​eks@​v1.84.6 ⏵ v1.87.0	+1
	github.com/​aws/​aws-sdk-go-v2/​service/​cloudwatchlogs@​v1.75.2 ⏵ v1.77.0	+1
	github.com/​Azure/​azure-sdk-for-go/​sdk/​security/​keyvault/​azkeys@​v1.4.0 ⏵ v1.5.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: golang k8s.io/client-go is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: go.mod → golang/k8s.io/client-go@v0.36.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/k8s.io/client-go@v0.36.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang modernc.org/libc is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/modernc.org/sqlite@v1.53.0 → golang/modernc.org/libc@v1.73.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/modernc.org/libc@v1.73.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang modernc.org/libc is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/modernc.org/sqlite@v1.53.0 → golang/modernc.org/libc@v1.73.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/modernc.org/libc@v1.73.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Benchstat (RLS)

Base: 2d6145fb051521015e813170c924b02a2d32d59b
Head: 47272a5bda2cacfd144f9b46de218a3dccdeb63a

📊 5 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_classes/Without_RLS-4	3.506m	3.563m	+1.60%	0.041
RLS/Sample-15000/analysis_types/With_RLS-4	3.419m	3.466m	+1.40%	0.002
RLS/Sample-15000/analysis_types/Without_RLS-4	3.354m	3.388m	+1.03%	0.009
RLS/Sample-15000/config_changes/With_RLS-4	126.0m	127.1m	+0.84%	0.002
RLS/Sample-15000/config_types/With_RLS-4	120.9m	121.9m	+0.79%	0.002

✅ 2 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_types/Without_RLS-4	4.573m	4.238m	-7.34%	0.004
RLS/Sample-15000/change_types/Without_RLS-4	4.717m	4.407m	-6.56%	0.002

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 9V74 80-Core Processor                
                                               │ bench-base.txt │          bench-head.txt           │
                                               │     sec/op     │   sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      4.543m ± 4%   4.542m ± 5%       ~ (p=0.937 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         126.6m ± 1%   125.2m ± 2%       ~ (p=0.065 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       4.416m ± 3%   4.406m ± 1%       ~ (p=0.818 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          126.0m ± 1%   127.1m ± 1%  +0.84% (p=0.002 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        4.287m ± 0%   4.257m ± 1%       ~ (p=0.132 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           121.6m ± 2%   121.4m ± 2%       ~ (p=0.589 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         13.18m ± 1%   13.10m ± 2%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_names/With_RLS-4            120.8m ± 1%   121.5m ± 0%       ~ (p=0.065 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       97.28m ± 2%   97.53m ± 1%       ~ (p=0.699 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          606.5m ± 0%   608.6m ± 1%       ~ (p=0.240 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.458m ± 2%   7.258m ± 3%       ~ (p=0.132 n=6)
RLS/Sample-15000/configs/With_RLS-4                 121.2m ± 0%   121.6m ± 1%       ~ (p=0.132 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.354m ± 1%   3.388m ± 1%  +1.03% (p=0.009 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          3.419m ± 1%   3.466m ± 1%  +1.40% (p=0.002 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.246m ± 2%   3.220m ± 1%       ~ (p=0.132 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.225m ± 1%   3.237m ± 2%       ~ (p=0.699 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         4.717m ± 0%   4.407m ± 1%  -6.56% (p=0.002 n=6)
RLS/Sample-15000/change_types/With_RLS-4            4.488m ± 1%   4.480m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       3.506m ± 1%   3.563m ± 2%  +1.60% (p=0.041 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          120.5m ± 0%   119.8m ± 1%       ~ (p=0.065 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         4.573m ± 3%   4.238m ± 6%  -7.34% (p=0.004 n=6)
RLS/Sample-15000/config_types/With_RLS-4            120.9m ± 0%   121.9m ± 0%  +0.79% (p=0.002 n=6)
geomean                                             18.59m        18.47m       -0.63%

[github-actions]

Benchstat (Other)

Base: 2d6145fb051521015e813170c924b02a2d32d59b
Head: 47272a5bda2cacfd144f9b46de218a3dccdeb63a

✅ No significant performance changes detected

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                       │ bench-base.txt │           bench-head.txt           │
                                                       │     sec/op     │    sec/op     vs base              │
InsertionForRowsWithAliases/external_users.aliases-4       611.7µ ± 14%   612.7µ ±  4%       ~ (p=0.699 n=6)
InsertionForRowsWithAliases/config_items.external_id-4     1.118m ± 10%   1.121m ± 19%       ~ (p=0.937 n=6)
InsertionOfConfigsWithProperties-4                         3.756m ±  1%   3.758m ±  2%       ~ (p=0.937 n=6)
UpdateOfConfigsWithProperties-4                            7.567m ±  4%   7.631m ±  2%       ~ (p=0.589 n=6)
ResourceSelectorConfigs/name-4                             214.4µ ±  2%   210.4µ ±  3%       ~ (p=0.132 n=6)
ResourceSelectorConfigs/name_and_type-4                    231.5µ ±  4%   230.4µ ±  3%       ~ (p=0.937 n=6)
ResourceSelectorConfigs/tags-4                             29.72m ±  3%   29.49m ±  4%       ~ (p=0.699 n=6)
ResourceSelectorQueryBuild/name-4                          43.68µ ±  1%   43.75µ ±  1%       ~ (p=0.394 n=6)
ResourceSelectorQueryBuild/name_and_type-4                 63.22µ ±  1%   64.14µ ±  1%       ~ (p=0.065 n=6)
ResourceSelectorQueryBuild/tags-4                          17.31µ ±  1%   17.27µ ±  0%       ~ (p=0.589 n=6)
geomean                                                    517.2µ         517.0µ        -0.05%

[github-actions]

Gavel results

Gavel exited with code .

View full results