
Bump gofr.dev from 1.54.4 to 1.54.5 in the go-deps group#73

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go-deps-5cef77225b

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 2, 2026

Bumps the go-deps group with 1 update: gofr.dev.

Updates gofr.dev from 1.54.4 to 1.54.5

Release notes

Sourced from gofr.dev's releases.

v1.54.5

Release v1.54.5

🚀 Enhancements

🔹 Google Pub/Sub Span Links for Tracing

GoFr now supports OpenTelemetry span links for Google Cloud Pub/Sub, extending the tracing capabilities introduced for Kafka in v1.54.4.

  • End-to-End Traceability: Connects producer and consumer spans across asynchronous Google Pub/Sub messaging, enabling complete request lifecycle visualization.
  • Context Propagation: Automatically injects and extracts trace context through Pub/Sub message attributes using the standard OpenTelemetry propagator.
  • Semantic Conventions: Follows OpenTelemetry messaging semantic conventions for consistent, standards-compliant spans and links.

🔹 SQS Span Links for Tracing

Added OpenTelemetry span links for AWS SQS, completing pub/sub tracing support across all major message brokers.

  • AWS Observability: Connects producer and consumer spans for SQS messages, providing full distributed tracing for AWS-based event-driven architectures.
  • Attribute Propagation: Leverages SQS message attributes for trace context propagation, enabling seamless correlation across services.
  • Consistent Tracing: Aligns with the same span link patterns used for Kafka and Google Pub/Sub for a unified observability experience.

🔹 Oracle Migration Locks Management

Extended migration locks support to Oracle datasources, building on the SQL & Redis locking introduced in v1.54.3.

  • Safe Concurrent Deployments: In multi-instance deployments (e.g., Kubernetes), only one instance executes Oracle migrations at a time, preventing race conditions.
  • Automatic Lock Lifecycle: Manages lock acquisition, expiry-based cleanup, periodic refresh, and safe release with full PL/SQL-based error handling.
  • Data Integrity: Prevents corrupted migration states during parallel deployments against Oracle databases.

🛠️ Fixes

🔹 Static File Path Traversal Prevention

Resolved a security issue in the static file handler where sibling directory names could bypass the restricted file check.

  • Security Hardening: Appended a path separator in isRestrictedFile to ensure that sibling directories sharing a common prefix with the static directory (e.g., /app/publicother vs /app/public) cannot be traversed to serve unauthorized files.
  • What's Restricted: Files outside the configured static directory are blocked from being served. Additionally, direct access to openapi.json via static routes remains restricted — it is only accessible through the /.well-known/swagger or /.well-known/openapi.json endpoints.

🔹 Kafka Subscribe Data Race

Fixed a data race condition in the Kafka Subscribe method that could surface under concurrent access.

  • Concurrency Safety: Ensures thread-safe subscription handling, preventing unpredictable behavior in high-concurrency environments.

🔹 Config Parsing Silent Failures

Resolved an issue where invalid or missing configuration values would fail silently, making it difficult to diagnose misconfiguration issues.

  • Better Error Reporting: Added proper nil-checks and logging for configuration parsing, ensuring misconfigurations are surfaced through structured log messages instead of being swallowed silently.
Commits
  • be23df6 Merge pull request #3043 from gofr-dev/release_v1.54.5
  • ace6d1c Merge branch 'main' into release_v1.54.5
  • 029c11e Merge branch 'main' into release_v1.54.5 - resolve version conflict
  • 4433207 chore: bump version to v1.54.5
  • 38a609c feat(google): add span links for pub/sub tracing (#3019)
  • 33c1816 feat(migration): add Oracle migration locks management (#3004)
  • 4c0717c feat(sqs): add span links for pub/sub tracing (#3018)
  • 6cf0065 fix: append path separator in isRestrictedFile to prevent sibling directory e...
  • ca463e6 fix: resolve data race in kafka Subscribe method (#2959)
  • e638311 build(deps): bump github.com/nats-io/nats-server/v2 (#3037)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-deps group with 1 update: [gofr.dev](https://github.com/gofr-dev/gofr).


Updates `gofr.dev` from 1.54.4 to 1.54.5
- [Release notes](https://github.com/gofr-dev/gofr/releases)
- [Commits](gofr-dev/gofr@v1.54.4...v1.54.5)

---
updated-dependencies:
- dependency-name: gofr.dev
  dependency-version: 1.54.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
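To illustrate the static-file fix described in the release notes above, here is an added example (not GoFr's own code; the function names, the `/app/public` layout and the request paths are constructed for illustration). The naive check resolves the requested file and compares it against the static directory with a plain prefix test, so a sibling directory such as `/app/publicother` passes; the hardened check appends the OS path separator to the cleaned directory so only true descendants match, and it also keeps direct requests for `openapi.json` restricted as the notes describe.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// isRestrictedNaive models the pre-fix check (hypothetical name): a plain
// prefix comparison. Because "/app/publicother/secret.txt" shares the
// prefix "/app/public", it is wrongly treated as being inside the static dir.
func isRestrictedNaive(staticDir, requested string) bool {
	root := filepath.Clean(staticDir)
	abs := filepath.Join(root, requested) // Join also cleans ".." segments
	return !strings.HasPrefix(abs, root)
}

// isRestrictedHardened models the fix (hypothetical name): the separator is
// appended to the cleaned root before the prefix test, so only paths strictly
// below the static directory are allowed. Requests whose final element is
// openapi.json stay restricted; the spec is served elsewhere.
func isRestrictedHardened(staticDir, requested string) bool {
	root := filepath.Clean(staticDir)
	abs := filepath.Join(root, requested)
	if filepath.Base(abs) == "openapi.json" {
		return true
	}
	// root itself (abs == root) is restricted too: no trailing separator.
	return !strings.HasPrefix(abs, root+string(os.PathSeparator))
}

func main() {
	// Constructed sample requests against a constructed static directory.
	static := "/app/public"
	for _, req := range []string{
		"css/site.css",                // legitimate asset
		"../publicother/secret.txt",   // sibling dir with common prefix
		"../../etc/passwd",            // classic traversal
		"openapi.json",                // spec via static route
	} {
		fmt.Printf("%-28s naive=%-5t hardened=%t\n", req,
			isRestrictedNaive(static, req), isRestrictedHardened(static, req))
	}
}
```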
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) on Mar 2, 2026

dependabot Bot commented on behalf of github Mar 16, 2026

Looks like gofr.dev is updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 16, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/go-deps-5cef77225b branch March 16, 2026 13:40