chore(deps): bump the server-go-deps group across 1 directory with 9 updates #94

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/server/server-go-deps-b3cf0d3ab0

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps the server-go-deps group with 9 updates in the /server directory:

| Package | From | To |
| --- | --- | --- |
| github.com/coreos/go-oidc/v3 | 3.17.0 | 3.18.0 |
| github.com/google/cel-go | 0.28.0 | 0.28.1 |
| github.com/google/go-github/v69 | 69.0.0 | 69.2.0 |
| github.com/jackc/pgx/v5 | 5.9.1 | 5.9.2 |
| github.com/redis/go-redis/v9 | 9.18.0 | 9.19.0 |
| github.com/riandyrn/otelchi | 0.12.2 | 0.12.3 |
| go.opentelemetry.io/contrib/bridges/otelslog | 0.17.0 | 0.18.0 |
| golang.org/x/crypto | 0.50.0 | 0.51.0 |
| google.golang.org/grpc | 1.80.0 | 1.81.1 |

Updates github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0

Release notes

Sourced from github.com/coreos/go-oidc/v3's releases.

v3.18.0

What's Changed

Full Changelog: coreos/go-oidc@v3.17.0...v3.18.0

Commits
  • da6b3bf build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
  • 7f80694 build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0
  • 7271de5 .github: update go versions in CI
  • 3ccf20f .github: configure dependabot
  • See full diff in compare view

Updates github.com/google/cel-go from 0.28.0 to 0.28.1

Release notes

Sourced from github.com/google/cel-go's releases.

Release v0.28.1

What's Changed

New Contributors

Full Changelog: google/cel-go@v0.28.0...v0.28.1

Commits

Updates github.com/google/go-github/v69 from 69.0.0 to 69.2.0

Release notes

Sourced from github.com/google/go-github/v69's releases.

v69.2.0

This minor release contains the following changes:

  • Add helper to get runID from Custom Deployment Protection Rule Event (#3476)
  • feat: Add JSON marshal tests for dependabot alerts (#3480)
  • feat: Add sorting list options for secret scanning (#3481)
  • Bump version of go-github to v69.2.0 (#3482)

v69.1.0

This minor release contains the following changes:

  • Bump go-github from v68 to v69 in /scrape (#3464)
  • Use a max retry after duration for secondary rate limit if specified (#3438)
  • docs: Clarify ListPullRequestsWithCommit usage (#3465)
  • fix: go 1.22 test breakage (#3459)
  • feat: Add link to bored-engineer/github-conditional-http-transport to conditional requests documentation (#3469)
  • build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0 in /tools (#3472)
  • build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0 in /scrape (#3470)
  • build(deps): bump github.com/alecthomas/kong from 1.7.0 to 1.8.0 in /tools (#3471)
  • Update workflow and tools to use Go1.24 and 1.23 (#3474)
  • chore: Only use master test runs for status badge (#3475)
  • feat: Add ListProvisionedScimGroupsForEnterprise inside SCIM service (#3467)
  • fix: Add missing query params to AlertListOptions (#3477)
  • Bump version of go-github to v69.1.0 (#3478)

Commits
  • 0b11dbf Bump version of go-github to v69.2.0 (#3482)
  • e4c974e feat: Add sorting list options for secret scanning (#3481)
  • 81dc7a9 feat: Add JSON marshal tests for dependabot alerts (#3480)
  • 6c46d71 Add helper to get runID from Custom Deployment Protection Rule Event (#3476)
  • f867d00 Bump version of go-github to v69.1.0 (#3478)
  • c4b2cb9 fix: Add missing query params to AlertListOptions (#3477)
  • 77684a4 feat: Add ListProvisionedScimGroupsForEnterprise inside SCIM service (#3467)
  • ce42642 chore: Only use master test runs for status badge (#3475)
  • 26f71a3 Update workflow and tools to use Go1.24 and 1.23 (#3474)
  • 3d4784c build(deps): bump github.com/alecthomas/kong from 1.7.0 to 1.8.0 in /tools (#...
  • Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • See full diff in compare view

Updates github.com/redis/go-redis/v9 from 9.18.0 to 9.19.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.19.0

🚀 Highlights

FIPS-Compatible Script Helper

Script now supports a FIPS-safe execution mode that avoids client-side SHA-1 computation, which is blocked in strict FIPS environments. A new NewScriptServerSHA constructor uses SCRIPT LOAD to obtain and cache the digest from the server, then runs commands via EVALSHA/EVALSHA_RO. Falls back to EVAL/EVALRO if loading fails, and transparently retries once on NOSCRIPT. The default behavior is unchanged for existing users.

(#3700) by @​chaitanyabodlapati

FT.AGGREGATE Step-Based Pipeline Builder

Added a new step-based FT.AGGREGATE pipeline API via FTAggregateOptions.Steps, allowing LOAD, APPLY, GROUPBY, and SORTBY (with per-step MAX) to be repeated and interleaved in arbitrary order — matching Redis's native multi-stage aggregation semantics. The legacy Load/Apply/GroupBy/SortBy/SortByMax fields are now deprecated.

(#3782) by @​ndyakov

Raw RESP Protocol Access

Added DoRaw and DoRawWriteTo methods for executing arbitrary commands and reading the raw RESP response. Useful for proxying, custom protocol inspection, and working with commands not yet wrapped by go-redis.

(#3713) by @​ofekshenawa

Configurable Dial Retry Backoff

Added DialerRetryBackoff option (plumbed through Options, ClusterOptions, RingOptions, FailoverOptions) to let callers customize the delay between failed dial attempts. Helpers DialRetryBackoffConstant and DialRetryBackoffExponential (with jitter and cap) are provided out of the box. Dial timeout is now also applied per attempt rather than across all retries.

(#3706, #3705) by @​mwhooker

✨ New Features

  • FT.AGGREGATE Steps: Step-based pipeline builder for FT.AGGREGATE with support for repeated/interleaved LOAD, APPLY, GROUPBY, and SORTBY stages (#3782) by @​ndyakov
  • VectorSet commands: Added VISMEMBER and WITHATTRIBS support (#3753) by @​romanpovol
  • FIPS-safe Script: NewScriptServerSHA uses SCRIPT LOAD to obtain the digest from the server, avoiding client-side SHA-1 (#3700) by @​chaitanyabodlapati
  • Raw RESP access: DoRaw and DoRawWriteTo for raw RESP protocol access (#3713) by @​ofekshenawa
  • Dial retry backoff: DialerRetryBackoff function option with constant and exponential helpers (#3706) by @​mwhooker
  • Typed NOSCRIPT error: Redis NOSCRIPT replies are now surfaced as a typed error for easier handling (#3738) by @​LINKIWI
  • PubSub ClientSetName: Added ClientSetName method to PubSub (#3727) by @​Flack74
  • ReplicaOf: New ReplicaOf method replaces the deprecated SlaveOf (#3720) by @​Copilot
  • HSCAN BinaryUnmarshaler: HScan now supports types implementing encoding.BinaryUnmarshaler (#3768) by @​Aaditya-dubey1

🐛 Bug Fixes

  • Auto hostname type detection: Improved endpoint type detection for maintenance notifications using DNS-based classification; handles empty hosts and expanded private-IP ranges (#3789) by @​ndyakov
  • HELLO fallback: Don't send CLIENT MAINT_NOTIFICATIONS handshake when HELLO fails and connection falls back to RESP2; fail fast when explicitly enabled with RESP3 (#3788) by @​ndyakov
  • Dial TCP retry: ShouldRetry now treats net.OpError with Op == "dial" timeout errors as safe to retry since no command was sent (#3787) by @​vladisa88
  • wrappedOnClose leak: Fixed resource leak caused by repeatedly wrapping baseClient close logic; replaced with a bounded, concurrency-safe named-hook registry (#3785) by @​ndyakov
  • Pool Close() on stale connections: Suppress close errors (e.g., TLS closeNotify timeouts) for connections already dropped by the server due to idle timeout (#3778) by @​ofekshenawa
  • FIFO waiter ordering: Fixed race in ConnStateMachine.notifyWaiters that could wake multiple waiters under a single mutex hold and violate FIFO ordering (#3777) by @​0x48core
  • Lua READONLY detection: Detect READONLY errors embedded in Lua script error messages on read-only replicas so commands are correctly retried (#3769) by @​zhengjilei
  • VectorScoreSliceCmd RESP2: Fixed VSimWithScores, VSimWithArgsWithScores, and VLinksWithScores which were broken on RESP2 connections returning flat arrays instead of maps (#3767) by @​Copilot

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.19.0 (2026-04-27)

Commits
  • e7e9866 chore(release): v9.19.0 (#3796)
  • 22b26f4 feat(ft.aggregate): Add Steps for query building (#3782)
  • d9d7694 fix(pool): two fixes for closed connection handling (#3764)
  • 44e8b73 fix(sch): auto hostname type detection (#3789)
  • ad21622 fix(hello): do not send maintnotifications handshake when hello fails (#3788)
  • 1a7ac74 fix(pool): suppress pool Close() errors for stale connections (#3778)
  • 903d6bd fix(retry): make dial tcp error redirectable (#3786) (#3787)
  • 00a551b fix(credentials): leak in wrappedOnClose (#3785)
  • b5a6f99 refactor(pool): remove redundant Conn.closed atomic field (#3783)
  • 928f27a feat(hscan): add support for encoding.BinaryUnmarshaler (#3768)
  • Additional commits viewable in compare view

Updates github.com/riandyrn/otelchi from 0.12.2 to 0.12.3

Release notes

Sourced from github.com/riandyrn/otelchi's releases.

Release v0.12.3

What's Changed

New Contributors

Full Changelog: riandyrn/otelchi@v0.12.2...v0.12.3

Note:

Current trace middleware uses HTTP semantic conventions based on semconv/v1.20.0. A future release will update trace attributes to the latest HTTP semantic conventions.

Changelog

Sourced from github.com/riandyrn/otelchi's changelog.

[0.12.3] - 2026-05-03

Added

  • Add OpenTelemetry semantic-convention compliant HTTP server metric middleware for http.server.request.duration, http.server.active_requests, http.server.request.body.size, and http.server.response.body.size.

Deprecated

  • Deprecate legacy metric middleware for request_duration_millis, requests_inflight, and response_size_bytes. These remain available for backward compatibility.

Commits
  • a6fa5c6 Merge pull request #101 from riandyrn/pre_release/v0.12.3
  • 3ca1b12 docs: update the versioning;
  • d567190 Merge pull request #100 from riandyrn/fix/metric-dont-follow-semantic-convention
  • 8e7314e docs: add comment regarding the regarding bucket boundaries in server request...
  • 00b7b2d refactor: separate the new metric file implementation to follow the same exis...
  • 35615e2 feat: add new metric middleware to avoid breaking changes;
  • f90315d Merge pull request #99 from bullet4791/master
  • 5c3229f add test case with chunks
  • 21257c9 Fix response size sum in metrics
  • See full diff in compare view

Updates go.opentelemetry.io/contrib/bridges/otelslog from 0.17.0 to 0.18.0

Release notes

Sourced from go.opentelemetry.io/contrib/bridges/otelslog's releases.

Release v0.18.0

Fixed

  • otelmemcache no longer sets span status to OK instead of leaving it unset. (#477)
  • Fix goroutine leak in gRPC StreamClientInterceptor. (#581)

Removed

  • Remove service name from otelmemcache configuration and span attributes. (#477)

Raw changes made between v0.17.0 and v0.18.0

  • 839e505a67ca9fb5a3089cd1af5943061fcaf1ef Bumping otel version to v0.18.0. Prepare for releasing v0.18.0 (#600)
  • f82555b1db7ebbd67f52d1389337e68ab85302ed Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /instrumentation/google.golang.org/grpc/otelgrpc (#594)
  • 8fb6eb1e7560e7f22d01218264a73e7172173f68 Bump google.golang.org/grpc (#593)
  • b3b6ccdfa1aea62088903d973917635d9b9fde88 Bump github.com/aws/aws-sdk-go from 1.37.15 to 1.37.20 in /detectors/aws (#591)
  • 5783e2d230663a3bc6d580bc4bddb45b92447f2c Bump github.com/golang/snappy from 0.0.2 to 0.0.3 in /exporters/metric/cortex (#592)
  • 3c49aeb44902006969fbb47f75a9bdd92ad08484 Bump cloud.google.com/go from 0.77.0 to 0.78.0 in /detectors/gcp (#595)
  • a2de3b63d65496e14f95e382d19b8f8524a3597f Bump google.golang.org/grpc in /propagators/opencensus/examples (#596)
  • f011c951891df554fe8b8db1e2b691d108f94eb4 Bump github.com/Shopify/sarama from 1.27.2 to 1.28.0 in /instrumentation/github.com/Shopify/sarama/otelsarama (#588)
  • 598a707ec29164ec7c9ea3db025652ed7e9d77cb Bump go.uber.org/goleak from 1.1.0 to 1.1.10 in /instrumentation/google.golang.org/grpc/otelgrpc (#587)
  • e5fef668e2306ca1c806c60610a7f850e56b5853 Bump cloud.google.com/go from 0.76.0 to 0.77.0 in /detectors/gcp (#586)
  • 8334b44287c8e5651c0e5da146ccb0d7f08fc5e6 Bump github.com/golangci/golangci-lint from 1.36.0 to 1.37.1 in /tools (#585)
  • 462580efd273ddf5cf411107bc0918afc2d6427d Bump github.com/aws/aws-sdk-go from 1.37.10 to 1.37.15 in /detectors/aws (#584)
  • f875adf805119c91159087bacffb2e3b83c18af4 Update docs from gitter to slack for communication (#582)
  • 3349bafa63a692d547650e65ee0512cb0fe7f22b otelmemcache: Simplify config and span status setting (#477)
  • 62c8535f780b3d1891733443acd47473c0620512 Fix goroutine leak in gRPC StreamClientInterceptor (#581)
  • 0fe41992b29720a798cfb0968d85ea5f44f67184 Update AWS detector assert dependency (#574)

Changelog

Sourced from go.opentelemetry.io/contrib/bridges/otelslog's changelog.

[1.43.0/2.5.0/0.68.0/0.37.0/0.23.0/0.18.0/0.16.0/0.15.0] - 2026-04-03

Added

  • Add Resource method to SDK in go.opentelemetry.io/contrib/otelconf/v0.3.0 to expose the resolved SDK resource from declarative configuration. (#8660)
  • Add support to set the configuration file via OTEL_CONFIG_FILE in go.opentelemetry.io/contrib/otelconf. (#8639)
  • Add support for service resource detector in go.opentelemetry.io/contrib/otelconf. (#8674)
  • Add support for attribute_count_limit and attribute_value_length_limit in tracer provider configuration in go.opentelemetry.io/contrib/otelconf. (#8687)
  • Add support for attribute_count_limit and attribute_value_length_limit in logger provider configuration in go.opentelemetry.io/contrib/otelconf. (#8686)
  • Add support for server.address and server.port attributes in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8723)
  • Add support for OTEL_SEMCONV_STABILITY_OPT_IN in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. Supported values are rpc (default), rpc/dup and rpc/old. (#8726)
  • Add the http.route metric attribute to go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#8632)

Changed

  • Prepend _ to the normalized environment variable name when the key starts with a digit in go.opentelemetry.io/contrib/propagators/envcar, ensuring POSIX compliance. (#8678)
  • Move experimental types from go.opentelemetry.io/contrib/otelconf to go.opentelemetry.io/contrib/otelconf/x. (#8529)
  • Normalize cached environment variable names in go.opentelemetry.io/contrib/propagators/envcar, aligning Carrier.Keys output with the carrier's normalized key format. (#8761)

Fixed

  • Fix go.opentelemetry.io/contrib/otelconf Prometheus reader converting OTel dot-style label names (e.g. service.name) to underscore-style (service_name) in target_info when both without_type_suffix and without_units are set. Use NoTranslation instead of UnderscoreEscapingWithoutSuffixes to preserve dot-style label names while still suppressing metric name suffixes. (#8763)
  • Limit the request body size at 1MB in go.opentelemetry.io/contrib/zpages. (#8656)
  • Fix server spans using the client's address and port for server.address and server.port attributes in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#8723)

Removed

  • Host ID resource detector has been removed when configuring the host resource detector in go.opentelemetry.io/contrib/otelconf. (#8581)

Deprecated

  • Deprecate OTEL_EXPERIMENTAL_CONFIG_FILE in favour of OTEL_CONFIG_FILE in go.opentelemetry.io/contrib/otelconf. (#8639)

Commits
  • 839e505 Bumping otel version to v0.18.0. Prepare for releasing v0.18.0 (#600)
  • f82555b Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /instrumentation/google....
  • 8fb6eb1 Bump google.golang.org/grpc (#593)
  • b3b6ccd Bump github.com/aws/aws-sdk-go from 1.37.15 to 1.37.20 in /detectors/aws (#591)
  • 5783e2d Bump github.com/golang/snappy from 0.0.2 to 0.0.3 in /exporters/metric/cortex...
  • 3c49aeb Bump cloud.google.com/go from 0.77.0 to 0.78.0 in /detectors/gcp (#595)
  • a2de3b6 Bump google.golang.org/grpc in /propagators/opencensus/examples (#596)
  • f011c95 Bump github.com/Shopify/sarama from 1.27.2 to 1.28.0 in /instrumentation/gith...
  • 598a707 Bump go.uber.org/goleak from 1.1.0 to 1.1.10 in /instrumentation/google.golan...
  • e5fef66 Bump cloud.google.com/go from 0.76.0 to 0.77.0 in /detectors/gcp (#586)
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.50.0 to 0.51.0

Commits
  • b8a14a8 go.mod: update golang.org/x dependencies
  • 9d9d507 x509roots/fallback/bundle: fix bundle test with Go 1.27+
  • fd0b90d acme: include Problem in OrderError.Error
  • b9e5359 pbkdf2: turn into a wrapper for crypto/pbkdf2
  • cc0e4fc hkdf: forward Extract to the standard library
  • a8e9237 x509roots/fallback: update bundle
  • See full diff in compare view

Updates google.golang.org/grpc from 1.80.0 to 1.81.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

  • xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)

Bug Fixes

  • otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

  • balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

  • Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

  • xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
  • transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
  • xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

  • grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
  • xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
  • xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
  • xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
  • stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
  • mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)

Performance Improvements

  • alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
  • transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Commits
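
The placeholder confusion described in the pgx 5.9.2 changelog entry above, as an added example that is not part of this pull request and is not pgx's own code: a simplified model of client-side interpolation for the simple protocol, run once without and once with awareness of dollar-quoted literals. The names `lex`, `interpolate` and `topLevelSemicolons` are assumptions made for illustration; the query and value are the ones quoted in the changelog, and the separator count is a check a regression test can assert is zero.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Simplified token patterns (assumption: standard_conforming_strings is on;
// E'..' strings, /* */ comments and quoted identifiers are out of scope).
var (
	quotedRe  = regexp.MustCompile(`^'(?:[^']|'')*'`)
	commentRe = regexp.MustCompile(`^--[^\n]*`)
	tagRe     = regexp.MustCompile(`^\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$`) // "$$" or "$tag$", never "$1"
	paramRe   = regexp.MustCompile(`^\$[0-9]+`)
)

type segment struct{ kind, text string } // kind: text (one byte), literal, comment, param

// lex splits sql into segments. dollarAware=false models a sanitizer that
// understands '...' literals but not $tag$...$tag$ literals.
func lex(sql string, dollarAware bool) ([]segment, error) {
	var segs []segment
	for i := 0; i < len(sql); {
		rest, kind, n := sql[i:], "text", 1
		if m := quotedRe.FindString(rest); m != "" {
			kind, n = "literal", len(m)
		} else if rest[0] == '\'' {
			return nil, fmt.Errorf("unterminated string literal at byte %d", i)
		} else if m := commentRe.FindString(rest); m != "" {
			kind, n = "comment", len(m)
		} else if tag := tagRe.FindString(rest); dollarAware && tag != "" {
			end := strings.Index(rest[len(tag):], tag)
			if end < 0 {
				return nil, fmt.Errorf("unterminated dollar-quoted string at byte %d", i)
			}
			kind, n = "literal", 2*len(tag)+end // opening tag + body + closing tag
		} else if m := paramRe.FindString(rest); m != "" {
			kind, n = "param", len(m)
		}
		segs = append(segs, segment{kind, rest[:n]})
		i += n
	}
	return segs, nil
}

// interpolate replaces each $N outside a recognised literal with a quoted argument.
func interpolate(sql string, args []string, dollarAware bool) (string, error) {
	segs, err := lex(sql, dollarAware)
	var out strings.Builder
	for _, s := range segs {
		if s.kind != "param" {
			out.WriteString(s.text)
			continue
		}
		n, convErr := strconv.Atoi(s.text[1:])
		if convErr != nil || n < 1 || n > len(args) {
			return "", fmt.Errorf("placeholder %s has no argument", s.text)
		}
		out.WriteString("'" + strings.ReplaceAll(args[n-1], "'", "''") + "'")
	}
	return out.String(), err
}

// topLevelSemicolons counts statement separators outside literals and comments,
// lexing the final SQL text with dollar-quote awareness, as the server would.
func topLevelSemicolons(sql string) (int, error) {
	segs, err := lex(sql, true)
	n := 0
	for _, s := range segs {
		if s.kind == "text" && s.text == ";" {
			n++
		}
	}
	return n, err
}

func main() {
	// Query and value as quoted in the pgx 5.9.2 changelog entry.
	q, args := "select $tag$ $1 $tag$, $1", []string{"$tag$; drop table canary; --"}
	for _, aware := range []bool{false, true} {
		out, _ := interpolate(q, args, aware)
		n, _ := topLevelSemicolons(out)
		fmt.Printf("dollarAware=%v separators=%d\n  %s\n", aware, n, out)
	}
}
```

The same separator check applies to any code path in the server that sets `pgx.QueryExecModeSimpleProtocol`; the default extended protocol sends parameters separately and does not interpolate them into the query text.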

@dependabot dependabot Bot added the area: server Go backend (server/) label May 12, 2026
@dependabot dependabot Bot requested a review from dinesh-g1 as a code owner May 12, 2026 19:16
@dependabot dependabot Bot added the type: task Engineering work (refactoring, infra, deps) label May 12, 2026
@dependabot dependabot Bot requested a review from ssJvirtually as a code owner May 12, 2026 19:16
@dependabot dependabot Bot added type: task Engineering work (refactoring, infra, deps) area: server Go backend (server/) labels May 12, 2026
…updates

Bumps the server-go-deps group with 9 updates in the /server directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) | `3.17.0` | `3.18.0` |
| [github.com/google/cel-go](https://github.com/google/cel-go) | `0.28.0` | `0.28.1` |
| [github.com/google/go-github/v69](https://github.com/google/go-github) | `69.0.0` | `69.2.0` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.9.1` | `5.9.2` |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) | `9.18.0` | `9.19.0` |
| [github.com/riandyrn/otelchi](https://github.com/riandyrn/otelchi) | `0.12.2` | `0.12.3` |
| [go.opentelemetry.io/contrib/bridges/otelslog](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.17.0` | `0.18.0` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.50.0` | `0.51.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.80.0` | `1.81.1` |



Updates `github.com/coreos/go-oidc/v3` from 3.17.0 to 3.18.0
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.17.0...v3.18.0)

Updates `github.com/google/cel-go` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/google/cel-go/releases)
- [Commits](google/cel-go@v0.28.0...v0.28.1)

Updates `github.com/google/go-github/v69` from 69.0.0 to 69.2.0
- [Release notes](https://github.com/google/go-github/releases)
- [Commits](google/go-github@v69.0.0...v69.2.0)

Updates `github.com/jackc/pgx/v5` from 5.9.1 to 5.9.2
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.1...v5.9.2)

Updates `github.com/redis/go-redis/v9` from 9.18.0 to 9.19.0
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](redis/go-redis@v9.18.0...v9.19.0)

Updates `github.com/riandyrn/otelchi` from 0.12.2 to 0.12.3
- [Release notes](https://github.com/riandyrn/otelchi/releases)
- [Changelog](https://github.com/riandyrn/otelchi/blob/master/CHANGELOG.md)
- [Commits](riandyrn/otelchi@v0.12.2...v0.12.3)

Updates `go.opentelemetry.io/contrib/bridges/otelslog` from 0.17.0 to 0.18.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go-contrib@v0.17.0...v0.18.0)

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
- [Commits](golang/crypto@v0.50.0...v0.51.0)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.1)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
- dependency-name: github.com/google/cel-go
  dependency-version: 0.28.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-go-deps
- dependency-name: github.com/google/go-github/v69
  dependency-version: 69.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-go-deps
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
- dependency-name: github.com/riandyrn/otelchi
  dependency-version: 0.12.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-go-deps
- dependency-name: go.opentelemetry.io/contrib/bridges/otelslog
  dependency-version: 0.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
- dependency-name: golang.org/x/crypto
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/server/server-go-deps-b3cf0d3ab0 branch from 4c9e865 to 4646994 Compare May 15, 2026 16:15