chore(deps): update oryd/hydra docker tag to v26

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
oryd/hydra (source)	Kustomization	major	v2.3.0 → v26.2.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

ory/hydra (oryd/hydra)

v26.2.0

Compare Source

v26.2.0

Bug Fixes

• Always retry curl invocations to surmount transient third-party failures (c28a6c8):

• Broken older down migrations (8ed407d):

• Context passing and limit response size (f33d6a8):

• Context passing in jsonnetsecure (5884774):

• Correctly detect when to use self-signed certificates (6f9af27):

• Correctly scan SQL NULL into go JSON types (163c579):

• Data race in hydra-oss test (262f85b):

• deps: Update dependency prettier to v3.7.4 (106865d):

• Do not cache pairwise subject algorithm (a341867):

• Down migrations in newer MySQL versions (5b0360d):

• Fix benchmark test (d0e0659):

• Flaky tests on hydra-oss tests (ce58946):

• Incorrect default value for page_tokens (f1290da):

• Incorrect usage of database/sql (a8142d0):

• Properly validate policy URI on client creation (44347e7):

• Remove flaky test for unused function (e8c8803):

• Remove WithDumpMigrations option to MigrationBox (6fd8a64):

• Request log config key (11ad1ac):

• Stray debug print (f6b28db):

• Transactions managed by fosite were not working (3ad64db):

• Update CONTRIBUTING.md (0c78aa7):

• Update go modules (845cc4d):

• Update packages to fix GHSA-7h2j-956f-4vf2 (ae75488):

• Upgrade vulnerable dependencies across Go and npm (f28904c):

  Co-authored-by: Deepak Prabhakara deepak.prabhakara@ory.sh

• X data race and parallize some tests (d37af61):

Code Generation

• Prepare for OSS release - v26.2.0 (0b84568):

Code Refactoring

• Squash merge old backoffice migration and fix up command (9d96bbd):

Documentation

• Update readmes (8daeebb):

Features

• Add ratelimit buckets to swagger definitions (1819465):

• Add support for NULL and more column types to keysetpagination (6a041ef):

• Automatic transaction retries for postgres (a008e91):

• Collect external latency data and write to logs (46846e9):

• Consider Go migrations DirHash when restoring full schema from backups (5306aaf):

• Forward (some) user request headers to SMS HTTP channel (640eb0b):

• Generate events for SSO and SCIM provider revisions (47a9384):

• Hydra benchmarking tool (f5b4aed):

• Improved tracing (724e425):

• Keto-cli improvements (9f81a29):

• Make SCIM work with MySQL (10ec9bf):

• Move search sidecar to its own docker image (8bd331c):

• Optionally do not store skipped consents (cf77ed6):

• Rename project revision columns (af69132):

• Use keysetpagination planner for keto read queries (5ca4c85):

Reverts

• Simplify consent store (fdca960):

Tests

• Deflake and improve performance (cdf972e):

• Deflake directory watcherx (ea02ce9):

• Faster and more reliable courier tests (a43d8f8):

• Fix multiple data races (4f8ff8e):

• hydra: Add plaintext backups for all DB types (822ea26):

• Minor setup improvements (e65fba7):

Changelog

• 2580424 autogen(docs): generate and bump docs
• 5c51033 autogen(sdk): bump to 05ddc40
• e76172c autogen(sdk): bump to 0747faf
• d93a822 autogen(sdk): bump to 11290d8
• cb1bfce autogen(sdk): bump to 17d4d13
• d2c58c4 autogen(sdk): bump to 453eb02
• 0383012 autogen(sdk): bump to 6d7d1f1
• 82b1e3c autogen(sdk): bump to 870c658
• 6309f91 autogen(sdk): bump to 9c2abd7
• 1b6e8f3 autogen(sdk): bump to f149949
• 0b84568 autogen: prepare for OSS release - v26.2.0
• fc32cb5 chore(deps): update actions/cache action to v5
• 2f10442 chore(deps): update actions/checkout action to v6
• 20fd22c chore(deps): update dependency @​types/lodash to v4.17.21
• 67b8f20 chore(deps): update dependency golangci/golangci-lint to v2.10.1
• 1435b4c chore(deps): update dependency golangci/golangci-lint to v2.11.0
• 105741f chore(deps): update dependency golangci/golangci-lint to v2.11.1
• eb9ebf1 chore(deps): update docker/setup-buildx-action action to v4
• e2eb8b4 chore(deps): update go modules
• 0866b86 chore(deps): update golangci/golangci-lint-action action to v9
• 57818db chore(deps): update hydra to v4 (major)
• ae65101 chore(deps): update jackson (major)
• 55dadd5 chore(deps): update mysql docker tag to v9.6
• 11db47b chore(keto): use ory/x router
• 9746c8a chore(kratos): use httprouter from ory/x
• 8d25e4a chore: add cause to context cancels with 'context.WithTimeoutCause' in ./x
• 19e9987 chore: add helpers for Kratos OEL to support various databases
• 0c9364d chore: add retries to more curl invocations
• b8307f8 chore: added CLIENT_SECRET_VERIFIER to our deployment
• 10df7e1 chore: always use ristretto/v2
• d774b36 chore: audit and fix npm dependencies
• 3357c2e chore: bump to CRDB v25.4
• 74348bb chore: bump to Go 1.26 massive cleanup in ory/x
• 5a12526 chore: clean up / compress recent migrations to avoid creating and dropping indices unnecessarily
• 9dd9247 chore: cleanup package-lock files
• 5364144 chore: configure mappers when creating onboarding portal
• 72e3747 chore: correct typos
• c7b53c0 chore: delete unused CRDB changefeed watcherx module
• 29ca852 chore: deprecate organization APIs
• 1f4b512 chore: drop flow table defaults
• 011a01c chore: fix for critical CVE - GHSA-p77j-4mvh-x3m3
• eaa9393 chore: fix golangci-lint issues in Hydra
• db17987 chore: fosite and hydra interface enhancements
• a52a01e chore: fully implement provider pattern
• ea76644 chore: improve clidoc generation
• 9023ef4 chore: improve error reporting to help diagnose flaky test
• 71e6385 chore: improve readability of popx.MigrationBox
• f9af4a1 chore: keysetpagination improvements
• 11c2b05 chore: more npm security updates
• 223eadd chore: remove internal address types
• b7b297e chore: remove unnecessary check constraint
• e8586df chore: remove unused code
• c72853f chore: remove unused internal AXv2 ACL check API
• 502b8cc chore: remove unused log code
• 6255bf8 chore: remove unused x/watcherx/websocket
• 0f16952 chore: rename and simplify some internals
• 10b8b58 chore: run go mod tidy and misc cleanup
• 0ff58dd chore: run npm audit fix
• 6280d3a chore: security updates for glob library
• a6dda62 chore: simplify HTTP metrics instrumentation
• 028908f chore: simplify consent store
• 2dd6b94 chore: simplify consent store
• 2dc4ebe chore: simplify decoderx usage
• dacd7fd chore: split SCIM from multi-region & make it work with SQLite
• 37d18a6 chore: unify common dependency interfaces
• bbed48f chore: update @​openapitools/openapi-generator-cli
• c760183 chore: update OSS ory.sh to ory.com
• 1171b85 chore: update go.mod
• 517677c chore: update pop to latest & only run pop.SetNowFunc() inside init()
• 1cdb046 chore: update to dockertest v4
• b1d203f chore: updated axios
• 48cb166 chore: updated golang.org/x/crypto
• b7ac883 chore: updated minimatch
• 02c6085 chore: use pgx pool in Kratos OEL & fix some OEL commands not using enterprise migrations
• 8d9ac2b ci: add docker driver to cve scan
• 8daeebb docs: update readmes
• 1819465 feat: add ratelimit buckets to swagger definitions
• 6a041ef feat: add support for NULL and more column types to keysetpagination
• a008e91 feat: automatic transaction retries for postgres
• 46846e9 feat: collect external latency data and write to logs
• 5306aaf feat: consider Go migrations DirHash when restoring full schema from backups
• 640eb0b feat: forward (some) user request headers to SMS HTTP channel
• 47a9384 feat: generate events for SSO and SCIM provider revisions
• f5b4aed feat: hydra benchmarking tool
• 724e425 feat: improved tracing
• 9f81a29 feat: keto-cli improvements
• 10ec9bf feat: make SCIM work with MySQL
• 8bd331c feat: move search sidecar to its own docker image
• cf77ed6 feat: optionally do not store skipped consents
• af69132 feat: rename project revision columns
• 5ca4c85 feat: use keysetpagination planner for keto read queries
• 106865d fix(deps): update dependency prettier to v3.7.4
• c28a6c8 fix: always retry curl invocations to surmount transient third-party failures
• 8ed407d fix: broken older down migrations
• f33d6a8 fix: context passing and limit response size
• 5884774 fix: context passing in jsonnetsecure
• 6f9af27 fix: correctly detect when to use self-signed certificates
• 163c579 fix: correctly scan SQL NULL into go JSON types
• 262f85b fix: data race in hydra-oss test
• a341867 fix: do not cache pairwise subject algorithm
• 5b0360d fix: down migrations in newer MySQL versions
• d0e0659 fix: fix benchmark test
• ce58946 fix: flaky tests on hydra-oss tests
• f1290da fix: incorrect default value for page_tokens
• a8142d0 fix: incorrect usage of database/sql
• 44347e7 fix: properly validate policy URI on client creation
• 6fd8a64 fix: remove WithDumpMigrations option to MigrationBox
• e8c8803 fix: remove flaky test for unused function
• 11ad1ac fix: request log config key
• f6b28db fix: stray debug print
• 3ad64db fix: transactions managed by fosite were not working
• 0c78aa7 fix: update CONTRIBUTING.md
• 845cc4d fix: update go modules
• ae75488 fix: update packages to fix GHSA-7h2j-956f-4vf2
• f28904c fix: upgrade vulnerable dependencies across Go and npm
• d37af61 fix: x data race and parallize some tests
• 9d96bbd refactor: squash merge old backoffice migration and fix up command
• fdca960 revert: simplify consent store
• 822ea26 test(hydra): add plaintext backups for all DB types
• cdf972e test: deflake and improve performance
• ea02ce9 test: deflake directory watcherx
• a43d8f8 test: faster and more reliable courier tests
• 4f8ff8e test: fix multiple data races
• e65fba7 test: minor setup improvements

Artifacts can be verified with cosign using this public key.

v25.4.0

Compare Source

v25.4.0 brings first-class support for agentic authorization with the Device Authorization Grant (RFC 8628) and OAuth 2.1 discovery endpoint, making it easier for agents, IoT devices, and headless clients to obtain and manage access securely. Combined with new consent-chain revocation and migration fixes for CockroachDB v25+, Hydra v25.4 strengthens its role as the web and AI scale-ready OAuth 2.1 and OpenID Connect server for modern applications.

Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Highlights

Agentic authentication use cases

This release makes Ory Hydra a stronger foundation for agentic authentication, where autonomous agents or constrained devices need to obtain and manage access without a full browser or direct human interaction. Two key updates enable this:

• Device authorization grant (RFC 8628): Essential for headless or limited-input clients (e.g., smart TVs, IoT devices, AI agents). It allows users to securely authorize agents through a secondary device, solving a common gap in agentic workflows.
• OAuth 2.1 discovery endpoint: Hydra now serves both OpenID Connect and OAuth 2.1 discovery documents, aligning with emerging standards. This simplifies integration for agents that expect OAuth 2.1 metadata and removes friction in federated or automated flows.

Together, these features address longstanding issues for agentic use cases by combining standards compliance with Hydra’s production-grade session and consent handling.

Device authorization grant (RFC 8628)

Adds full device flow support for devices without a browser or with limited input (smart TVs, consoles, agents).

Revoke token chains by consent challenge ID

New capability to revoke the entire token chain (refresh token and all derived access tokens) produced by a specific consent session.

OAuth 2.1 discovery endpoint

Hydra now serves /.well-known/oauth-authorization-server in addition to /.well-known/openid-configuration to aid OAuth 2.1 and certain integrations (per RFC 8414).

Improvements

• Lower latency when revoking linked Kratos sessions by making revocation asynchronous.
• Client updates with JWKS URI: PATCH/PUT no longer blocked when json_web_keys_uri is set (and json_web_keys present).
• JWT query performance: added an index for faster JWT-related lookups.
• CLI: clearer usage/help examples.

Fixes

• CockroachDB v25+ migrations: corrected/updated migration scripts; includes device-flow down/auto-commit fixes.
• Postgres UUIDs: use uuid_generate_v4() instead of MD5-based generation (enable the uuid-ossp extension if not already).
• Case-insensitive user_code scrubbing in device flow.
• Validation: tos_uri validation corrected.
• Docs: fixed JWT access token documentation link.

Security and dependencies

• go-jose v3.0.4 with a backport for CVE-2025-27144.
• Go toolchain upgrades (1.24.x) and crypto stack updates (e.g., ThalesGroup/crypto11, circl) addressing advisories.
• General dependency hygiene and CI hardening.

Upgrade notes

1. Run migrations before rolling out v2.4.0.
   • CockroachDB users on v25+: this release includes specific migration fixes; ensure your migration runner picks up the updated scripts.
   • Postgres users: ensure uuid-ossp is enabled (CREATE EXTENSION IF NOT EXISTS "uuid-ossp";) to support native UUIDs.
2. Device flow UI: add the two required screens/routes in your login/consent app to use RFC 8628.
3. Monitoring: if you scrape Prometheus on public endpoints, expect additional metrics.

Auto-generated release notes

Bug Fixes

• Add repo syncing for polis (46d17f8):

• Add virtual expiry column to flow for easy cross-db querying (1c402e3):

• Allow updating when JWKS URI is set (#​3935) (#​3946) (fb1655b):

  The client validator no longer rejects PATCH and PUT updates when JSONWebKeysURI is non-empty and JSONWebKeys is not nil.

• Always use EC private keys in tests (7481827):

• Better tracing in proxy HTTP (0d8a797):

• Case-insensitive user_code scrubbing (#​3979) (d389fd0)

• changelog-oel: Cap grace period for refresh token rotation at 30d (35d5d58):

• changelog-oel: Reduce rows read when checking past consents (ace80c2):

• changelog-oel: Replace returning * with defined column names (0b26e27):

• changelog-oel: Update expires_at on token use (0588744):

• changelog-oel: Use keyset pagination instead of offset (cbf14c0):

• CLI usage help examples (#​3943) (e24f9a7)

• Copybara script (7b33358):

• Correct multiple instances of 'stragegy' typo (#​3906) (50eefbc):

  This commit addresses several occurrences where 'strategy' was
  misspelled as 'stragegy' throughout the codebase.

  Additionally, a similar issue was found and corrected in the Ory
  documentation repository (ory/docs), with a corresponding pull request
  submitted.

• Deduplicate down migrations (02baf36):

• deps: Update go-x (582a3c5):

• Escape IPv6 regex string (0ba326a):

• Failing CI in OSS repos (c900985):

• Fix expires_at timestamp not in UTC leading to local test failures (337000a):

• Fixed typo in description of api (4551eb6):

• Force autocommit for device auth code migration (#​3991) (29761f4), closes #​1234 #​1234:

• Force SQL operator precedence in pagination v2 to ensure nid isolation (43c9be1):

• Hydra CI (dde63d8):

• Hydra tracing (38ee050):

• hydra: Instrument metrics also on public endpoints (8aee364):

• hydra: Use prometheus metrics instead of SQA metrics (7a6592e):

• Identity queries (a30f021):

• Ignore flaky keys in Hydra HSM tests (469b2ad):

• Ignore non SQL files when applying migrations (38a28d4):

• Implicit transactions for cockroach v23.5 and simplified migration logic (fbc982a):

• Include go.mod in vendored oryx (08a3ab4):

• Increase refresh token grace period (50608c2):

• infrastructure: Hydra oss CI (e846541):

• Jsonx.ApplyJSONPatch (c6fa2a6):

• JWT documentation link to point to the correct resource (#​3907) (b746e41):

  The previous link in the documentation led to a page unrelated to JWT.
  Updated the URL to https://www.ory.sh/docs/oauth2-oidc/jwt-access-token,
  which provides proper JWT guidance.

• Migration problems (fe459ea):

• Migrations on CockroachDB v25+ (#​3994) (38efece), closes #​3964 #​3993:

  I've added some output to the generated migrations files to make them
  easier to recreate, hence the big diff.

  These are important:

  persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.up.sql
  persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.up.sql
  
  persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.up.sql
  persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.up.sql
  
  persistence/sql/src/20220210000001_nid/20220210000001000000_nid.cockroach.up.sql
  

• Otlp sampling rate default (cbd5094):

• Print correct content of down migrations (4a4a088):

• Regression in UsedTimes calculation (b432e46):

• Reject invalid migration names (eb3b6ac):

• Remove strict decoding on consent and login endpoints (fb7dc75):

• Return 404 on schema file not exists (76079c0):

• Revert "fix: otlp sampling rate default (#​9055)" (02e86bc):

• Revoke by consent request ID (#​3947) (5d8635c), closes #​3932 #​3932 #​3941

• Routes in AX with identity_schema (5014348):

• Simplify and fix Copybara sync job (f998d09):

• Tos_uri validation (#​3945) (007e224):

  Contributes to ory-corp/cloud#7395

• Towards fixing fosite CI (061d3fb):

• Update debian version in httpd test image (f6720c4):

• Upgrade to go 1.24.4 to fix CVE-2025-4673 (c14e538):

• Use batch insert to speed up project changes (692e41c):

• Use git hash to render ory x schema references (0a6ea5b):

• Use hard-coded fallback key instead of panic (e1f6450):

• Use main branch for polis (6c24e68):

• Using uuid_generate_v4 function (#​3958) (c206066):

  Removing the md5 function for the uuid generation with native pgsql
  function https://www.postgresql.org/docs/current/uuid-ossp.html

  Closes #​3844

Code Generation

• Prepare for OSS release - v25.4.0 (de9baaa):

Code Refactoring

• Move database meta functions to root x folder for reusability (7e49133):

Features

• Add allowed domains configuration for captcha (df3f05c):

• Add error reason to OAuth2TokenExchangeError event (#​3971) (241dd45)

• Add handler for /.well-known/oauth-authorization-server. (#​3980) (5baca28):

  In order to support OAuth2.1 and some specific integrations that
  leverage the /.well-known/oauth-authorization-server endpoint, this PR
  adds a handler for the specific endpoint. The
  /.well-known/openid-configuration endpoint already supports all
  configuration items that conform to this endpoint as seen here:
  https://datatracker.ietf.org/doc/html/rfc8414

• Autoconfigure kratos-changefeed (d92dabe):

• Bump CRDB, establish foreign key, (52c0432):

• changelog-oel: Add hydra debug challenge command (a94662f):

• changelog-oel: Add expiry and TTL to authentication_session table (d9ea549):

• changelog-oel: Choose identity schema in self-service registration and login flows (a398b64):

• changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (17a4c4f):

• changelog-oel: Reduce hydra CPU and memory consumption (018709e):

• changelog: Graceful refresh count limit (470713d):

• changelog: Migrate http router to stdlib router (a147e3b):

• Custom page token column extraction (756708e):

• Domain telemetry improvements (abd5f04):

• Expose Ory-Error-Id HTTP header (8ff62f8):

• Full user-code configuration (b6ac894):

• hydra: Configurable JWK cache (994ea18):

• hydra: Split up persister (bea6b4d):

• Implement RFC 8628 (#​3912) (5215d24), closes #​3851 #​3252 #​3230 #​2416:

  This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
  Hydra. The OAuth 2.0 device authorization grant is designed for
  Internet-connected devices that either lack a browser to perform a
  user-agent-based authorization or are input constrained to the extent
  that requiring the user to input text in order to authenticate during
  the authorization flow is impractical. It enables OAuth clients on such
  devices (like smart TVs, media consoles, digital picture frames, and
  printers) to obtain user authorization to access protected resources by
  using a user agent on a separate device.

  The OAuth 2.0 Device Authorization Grant may also become relevant for AI
  Agent authentication flows and is generally an amazing step and
  innovation for this project.

  A very special thanks goes to @​nsklikas from
  Canonical, @​supercairos from
  shadow.tech and @​BuzzBumbleBee.

  For more details, please check out the documentation
  (ory/docs#2026)

  To implement this feature, you will need to implement two additional
  screens in your login and consent application. A reference
  implementation can be found
  here.

• Improve domain telemetry for OSS (Hydra & Kratos) (02c5757):

• Improve oauth2 event data (#​3975) (6da0fd3)

• Improve openapi spec (#​3908) (4053c9e), closes #​1234 #​1234:

• Improved events and identity recent activity (a8449c8):

• List clients by ID (f8a53b0):

• Monorepo (3ff992e):

• Monorepo (a77b206):

• Move config testhelpers to ory/x (3a4ba08):

• Revoke Kratos session asynchronously (#​3936) (a0e7ee2):

  This change makes the session revocation in Kratos async to improve
  observed latency.

• Revoke token chain by consent challenge ID (#​3932) (4a40193):

  This change adds the ability to revoke token chains by "consent
  challenge ID".

"Consent sessions"

Each time the user goes through a `GET
/oauth2/auth?response_type=code&...` auth code flow, we persist a new
"consent session" to the database.

This is independent of whether the user has previously logged in and/or
granted consent, or whether the user was actively asked to grant consent
by the consent app. A successful journey through the auth code flow
results in a new "consent session".

This consent session is uniquely identified by its "consent challenge
ID". This ID is obtained from the [`GET
/admin/oauth2/auth/requests/consent?consent_challenge=...`](https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/getOAuth2ConsentRequest)
API. Note that it is not the same as the `consent_challenge=...` query
parameter!

Any access and refresh tokens obtained from a token exchange following
that particular user journey are bound to that consent session.

We call the totality of all refresh+access tokens derived from a
particular consent session a "token chain".

Token revocation

Revoking an access token (AT) is simple: send the AT to `/oauth2/revoke`
and it is revoked. If this AT was derived from a refresh token (RT), the
parent RT is not revoked.

Revoking a refresh token (RT) also revokes associated access tokens.

Revocation by consent challenge ID

During an authorization code flow, save the consent challenge ID into
the access token session data:

```
GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef
```
Response:
```
{
  "acr": ...,
  "challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
  ...
}
```

Accept the consent request:
```
PUT /admin/oauth2/auth/requests/consent/accept?consent_challenge=abcdef
{
  "remember": true,
  "remember_for": 3600,
  "session": {
    "access_token": {
      "ccid": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix"
    }
  },
  ...
}
```

To revoke the token chain associated with this consent challenge ID, use

```
POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
```

• Use stdlib HTTP router in Kratos (8f81931):

• Use vendored jackson (a0a9062):

• Use vendored ory/x (6581e01):

Performance Improvements

• Add index to optimize jwt query (72fa16d):

• Index hint for CRDB consents query (919b73f):

Tests

• Add golangci-lint config and GHA (1209de7):

• Ensure current encoded flows stay valid (f4301e6):

• hydra: Add snapshots for login & consent requests (687cfae):

• hydra: Clean oauth2 session setup (699e382):

• hydra: Clean up some helpers (7840b0e):

• hydra: Convert custom JWT claim tests to table (8391d1b):

• hydra: New and better e2e go tests (aefe5e2):

• hydra: Refactor consent handler tests (4d61925):

• Parallelize and improve (#​3989) (a47e395)

• Resturcture and improve integration tests (2769a75):

• Split up consent manager test (42b6a79):

Unclassified

• Merge branch 'fosite-monorepo' (2c3ba13):

• Merge 3834fab into 4dae0f4 (dc84053):

Changelog

• 1ec40dd chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 in the go_modules group (#​3952)
• 35d6393 chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 in the go_modules group across 1 directory (#​3961)
• 36f21d0 chore(deps): update actions/setup-node action to v6
• edb9ba8 chore(deps): update dependency node to v24
• 1449aff chore(deps): update hadolint/hadolint-action action to v3.3.0
• ea8f607 chore(deps): update hydra
• 6ac3c31 chore(deps): update hydra workflows
• ad05646 chore(deps): update oss workflows
• fbae239 chore(hydra): clean up command setup
• 29ba474 chore(hydra): improve test config setup
• add73e4 chore(hydra): minor internal improvements
• dd97ec8 chore(hydra): registry setup refactoring
• ae2dda1 chore(hydra): remove CreateConsentRequest
• 6ba796b chore(hydra): remove unnecessary registry functionality
• 7f02e54 chore(kratos): cleanup and improve some tests
• 0e7f000 chore: add migration tests in kratos non-oss for crdb
• [dcd696d](https://redirect.github.com/ory/hydra/commit/dcd69

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.