chore(deps): bump the go_modules group across 3 directories with 2 updates

[dependabot]

Bumps the go_modules group with 1 update in the /packages/api directory: github.com/gohugoio/hugo.
Bumps the go_modules group with 1 update in the /packages/clickhouse directory: github.com/ydb-platform/ydb-go-sdk/v3.
Bumps the go_modules group with 1 update in the /packages/db directory: github.com/ydb-platform/ydb-go-sdk/v3.

Updates github.com/gohugoio/hugo from 0.157.0 to 0.161.0

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.161.0

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"

And in the stylesheet:

@import "hugo:vars";
@import "hugo:vars/dark" (prefers-color-scheme: dark);
:root {
color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

... (truncated)

Commits

• 98d396c releaser: Bump versions for release of 0.161.0
• d4ae662 build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0
• 9ede5fb build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22
• 833a878 build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13
• 7622dd8 css: Support nested hugo:vars/<name> imports
• 0814059 github: Update GitHub actions versions
• 8920d56 hugolib: Do not render aliases if the page is not rendered
• 633cc77 langs/i18n: Improve default content language fallback
• 90d8bf3 Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests
• 4c40c6d helpers: Remove unused code
• Additional commits viewable in compare view

Updates github.com/ydb-platform/ydb-go-sdk/v3 from 3.108.1 to 3.134.2

Release notes

Sourced from github.com/ydb-platform/ydb-go-sdk/v3's releases.

v3.134.2

• Fixed table.Session.Execute ignoring options.WithCommit() so transactions were not committed when the option was passed

Full Changelog: v3.134.1...v3.134.2

v3.134.1

• Changed multi-partition topic writer (topicoptions.WithWriteToManyPartitions) so Write and Flush block until internal initialization completes, consistent with single-partition writers

Full Changelog: v3.134.0...v3.134.1

v3.134.0

• Fixed sugar.RemoveRecursive() for directories containing external data sources or external tables
• Added table.DescribeExternalDataSource() and table.DescribeExternalTable() methods for describing external data sources and external tables

Full Changelog: v3.133.1...v3.134.0

v3.133.1

• Added TopicListener.ReadSessionID() getter

Full Changelog: v3.133.0...v3.133.1

v3.133.0

• Added ydb.WithIssuesHandler context option for surfacing YDB QueryService issues to database/sql callers

Full Changelog: v3.132.0...v3.133.0

v3.132.0

• Added topic.Client.CommitOffset() method for committing a consumer offset without an active read session
• Added topicreader.Reader.ReadSessionID() method for obtaining the current read session identifier

Full Changelog: v3.131.0...v3.132.0

v3.131.0

• Added ydb.WithStatsModeBasic, ydb.WithStatsModeFull, ydb.WithStatsModeProfile context options for collecting query statistics via database/sql

Full Changelog: v3.130.0...v3.131.0

v3.130.0

• Changed default for database/sql driver from TABLE service to QUERY service
• Added __ydb_partition_key metadata key to messages for topic writer to store the key used to choose the partition

Full Changelog: v3.129.0...v3.130.0

v3.129.0

• Added config.WithBuildInfo option to append child frameworks to x-ydb-sdk-build-info header for all API requests
• Automatically added (if used) database/sql framework to x-ydb-sdk-build-info header

Full Changelog: v3.128.4...v3.129.0

v3.128.4

... (truncated)

Changelog

Sourced from github.com/ydb-platform/ydb-go-sdk/v3's changelog.

v3.134.2

• Fixed table.Session.Execute ignoring options.WithCommit() so transactions were not committed when the option was passed

v3.134.1

• Changed multi-partition topic writer (topicoptions.WithWriteToManyPartitions) so Write and Flush block until internal initialization completes, consistent with single-partition writers

v3.134.0

• Fixed sugar.RemoveRecursive() for directories containing external data sources or external tables
• Added table.DescribeExternalDataSource() and table.DescribeExternalTable() methods for describing external data sources and external tables

v3.133.1

• Added TopicListener.ReadSessionID() getter

v3.133.0

• Added ydb.WithIssuesHandler context option for surfacing YDB QueryService issues to database/sql callers

v3.132.0

• Added topic.Client.CommitOffset() method for committing a consumer offset without an active read session
• Added topicreader.Reader.ReadSessionID() method for obtaining the current read session identifier

v3.131.0

• Added ydb.WithStatsModeBasic, ydb.WithStatsModeFull, ydb.WithStatsModeProfile context options for collecting query statistics via database/sql

v3.130.0

• Changed default for database/sql driver from TABLE service to QUERY service
• Added __ydb_partition_key metadata key to messages for topic writer to store the key used to choose the partition

v3.129.0

• Added config.WithBuildInfo option to append child frameworks to x-ydb-sdk-build-info header for all API requests
• Automatically added (if used) database/sql framework to x-ydb-sdk-build-info header

v3.128.4

• Fixed panic when topic writer is closed unexpectedly

v3.128.3

• Fixed panic and unsupported type error when passing a nil pointer to a json.Marshaler-implementing type as a database/sql query parameter (toType now handles json.Marshaler and returns types.JSON, matching the existing toValue behaviour)
• Supported pool of decoders, which implement ResettableReader interface

v3.128.2

• Downgraded direct dependency google.golang.org/grpc to v1.78.0

v3.128.1

• Fixed go_query_mode / query_mode DSN parameters for table-backed modes (data, scan, scheme, scripting) to select the TABLE processor so the default query mode applies
• Fixed a bug where the topic writer was not able to resend messages when the partition was split

v3.128.0

• New options for topicwriter:
  • WithProducerIDPrefix
  • WithPartitioningKeyHasher
  • WithPartitionChooserStrategy

... (truncated)

Commits

• 6f1e6e3 Release v3.134.2
• 25dcff4 Fix table.Session.Execute ignoring options.WithCommit() (#2091)
• 66fc52e Release v3.134.1
• 042c924 LOGBROKER-10368 Add wait init to multiwriter (#2088)
• c1ddb52 Remove unused code in database/sql connector (#2085)
• d9d2943 LOGBROKER-10206 Add tests (#2075)
• f3aeeb1 Modernize Go codebase: adopt modern idioms and upgrade CI tooling (#2082)
• f2452c1 Release v3.134.0
• de3907a Describe external data source / external table (#2079)
• 589dacf Release v3.133.1
• Additional commits viewable in compare view

Updates github.com/ydb-platform/ydb-go-sdk/v3 from 3.108.1 to 3.134.2

Release notes

Sourced from github.com/ydb-platform/ydb-go-sdk/v3's releases.

v3.134.2

• Fixed table.Session.Execute ignoring options.WithCommit() so transactions were not committed when the option was passed

Full Changelog: v3.134.1...v3.134.2

v3.134.1

• Changed multi-partition topic writer (topicoptions.WithWriteToManyPartitions) so Write and Flush block until internal initialization completes, consistent with single-partition writers

Full Changelog: v3.134.0...v3.134.1

v3.134.0

• Fixed sugar.RemoveRecursive() for directories containing external data sources or external tables
• Added table.DescribeExternalDataSource() and table.DescribeExternalTable() methods for describing external data sources and external tables

Full Changelog: v3.133.1...v3.134.0

v3.133.1

• Added TopicListener.ReadSessionID() getter

Full Changelog: v3.133.0...v3.133.1

v3.133.0

• Added ydb.WithIssuesHandler context option for surfacing YDB QueryService issues to database/sql callers

Full Changelog: v3.132.0...v3.133.0

v3.132.0

• Added topic.Client.CommitOffset() method for committing a consumer offset without an active read session
• Added topicreader.Reader.ReadSessionID() method for obtaining the current read session identifier

Full Changelog: v3.131.0...v3.132.0

v3.131.0

• Added ydb.WithStatsModeBasic, ydb.WithStatsModeFull, ydb.WithStatsModeProfile context options for collecting query statistics via database/sql

Full Changelog: v3.130.0...v3.131.0

v3.130.0

• Changed default for database/sql driver from TABLE service to QUERY service
• Added __ydb_partition_key metadata key to messages for topic writer to store the key used to choose the partition

Full Changelog: v3.129.0...v3.130.0

v3.129.0

• Added config.WithBuildInfo option to append child frameworks to x-ydb-sdk-build-info header for all API requests
• Automatically added (if used) database/sql framework to x-ydb-sdk-build-info header

Full Changelog: v3.128.4...v3.129.0

v3.128.4

... (truncated)

Changelog

Sourced from github.com/ydb-platform/ydb-go-sdk/v3's changelog.

v3.134.2

• Fixed table.Session.Execute ignoring options.WithCommit() so transactions were not committed when the option was passed

v3.134.1

• Changed multi-partition topic writer (topicoptions.WithWriteToManyPartitions) so Write and Flush block until internal initialization completes, consistent with single-partition writers

v3.134.0

• Fixed sugar.RemoveRecursive() for directories containing external data sources or external tables
• Added table.DescribeExternalDataSource() and table.DescribeExternalTable() methods for describing external data sources and external tables

v3.133.1

• Added TopicListener.ReadSessionID() getter

v3.133.0

• Added ydb.WithIssuesHandler context option for surfacing YDB QueryService issues to database/sql callers

v3.132.0

• Added topic.Client.CommitOffset() method for committing a consumer offset without an active read session
• Added topicreader.Reader.ReadSessionID() method for obtaining the current read session identifier

v3.131.0

• Added ydb.WithStatsModeBasic, ydb.WithStatsModeFull, ydb.WithStatsModeProfile context options for collecting query statistics via database/sql

v3.130.0

• Changed default for database/sql driver from TABLE service to QUERY service
• Added __ydb_partition_key metadata key to messages for topic writer to store the key used to choose the partition

v3.129.0

• Added config.WithBuildInfo option to append child frameworks to x-ydb-sdk-build-info header for all API requests
• Automatically added (if used) database/sql framework to x-ydb-sdk-build-info header

v3.128.4

• Fixed panic when topic writer is closed unexpectedly

v3.128.3

• Fixed panic and unsupported type error when passing a nil pointer to a json.Marshaler-implementing type as a database/sql query parameter (toType now handles json.Marshaler and returns types.JSON, matching the existing toValue behaviour)
• Supported pool of decoders, which implement ResettableReader interface

v3.128.2

• Downgraded direct dependency google.golang.org/grpc to v1.78.0

v3.128.1

• Fixed go_query_mode / query_mode DSN parameters for table-backed modes (data, scan, scheme, scripting) to select the TABLE processor so the default query mode applies
• Fixed a bug where the topic writer was not able to resend messages when the partition was split

v3.128.0

• New options for topicwriter:
  • WithProducerIDPrefix
  • WithPartitioningKeyHasher
  • WithPartitionChooserStrategy

... (truncated)

Commits

• 6f1e6e3 Release v3.134.2
• 25dcff4 Fix table.Session.Execute ignoring options.WithCommit() (#2091)
• 66fc52e Release v3.134.1
• 042c924 LOGBROKER-10368 Add wait init to multiwriter (#2088)
• c1ddb52 Remove unused code in database/sql connector (#2085)
• d9d2943 LOGBROKER-10206 Add tests (#2075)
• f3aeeb1 Modernize Go codebase: adopt modern idioms and upgrade CI tooling (#2082)
• f2452c1 Release v3.134.0
• de3907a Describe external data source / external table (#2079)
• 589dacf Release v3.133.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

LGTM — indirect-only dependency bumps from Dependabot.

Extended reasoning...

Overview

Dependabot PR bumping two indirect Go module dependencies across three modules:

• github.com/gohugoio/hugo 0.157.0 → 0.161.0 in packages/api
• github.com/ydb-platform/ydb-go-sdk/v3 3.108.1 → 3.134.2 in packages/clickhouse and packages/db

Only go.mod and go.sum files are modified; no source files change.

Security risks

Both bumps are pulled in transitively (// indirect lines) and a repo-wide grep for gohugoio/hugo and ydb-platform/ydb-go-sdk in *.go returns no matches, so neither package's API is exercised directly by this codebase. The hugo release notes call out two security-hardening fixes; the ydb-go-sdk diff is a long stream of feature additions and bug fixes with no security advisories surfaced. Risk surface is limited to whatever transitive caller already pulls these modules.

Level of scrutiny

Low — this is a routine indirect dependency refresh with no first-party code changes and no callers of the bumped APIs in this repo. CI build/test passing is sufficient signal that the new module set still resolves and compiles.

Other factors

No prior review activity on the PR. The bug-hunting system flagged no issues. Some assorted ancillary indirect deps shifted along with the targeted bumps (gax-go, googleapis, mattn/go-isatty, oasdiff/yaml, etc.), which is expected for a transitive update of this size.