Skip to content

chore(deps): bump the go-deps group across 1 directory with 3 updates#63

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-deps-6ca1192612
Open

chore(deps): bump the go-deps group across 1 directory with 3 updates#63
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-deps-6ca1192612

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-deps group with 3 updates in the / directory: github.com/ethereum/go-ethereum, github.com/labstack/echo/v4 and github.com/redis/go-redis/v9.

Updates github.com/ethereum/go-ethereum from 1.17.3 to 1.17.4

Release notes

Sourced from github.com/ethereum/go-ethereum's releases.

Flexible Polymer Casing (v1.17.4)

This is a maintenance release with accumulated bug fixes and improvements, and is recommended for all users. It also continues the implementation work for the upcoming Amsterdam hardfork.

One thing worth highlighting:

Fork Implementation (Amsterdam)

  • EIP-7928: Block-Level Access Lists: the block access list is now constructed and verified during block execution, with the serving side of the eth/71 BAL messages implemented (#34652, #34803, #34879, #34957, #34967, #34972, #34977, #35110)
  • EIP-8189: snap/2, a new state-sync protocol based on block-level access lists, has been added (#34626, #34807, #35098, #35155, #35158, #35163, #35178, #35180, #35181)
  • EIP-8037: state-creation gas cost increase, has been implemented (#33601)
    • The tracing system provides a new OnGasChangeV2 hook for multi-dimensional gas (#34946)
  • engine_newPayloadWithWitnessV5 has been added and the witness format now uses the canonical spec field ordering (#35009)
  • The evm t8n tooling has been updated for Amsterdam, adding BAL and slot-number support and binary-trie leaf export (#34843, #35025)
  • For EIP-7843, the slot number is now set for the pending block post-Amsterdam (#34792, #35036)

Geth

  • Caches are now sized against the cgroup memory cap (e.g. Docker --memory) when one is set (#34947)
  • A number of small command-line flag and logging issues have been fixed (#33880, #34732, #34943, #34948, #35011, #35104, #35116, #35136)
  • A number of long-deprecated command-line flags have been removed (#35021)

RPC

  • eth_baseFee has been added, returning the base fee of the next block (#34904, #35023)

  • eth_capabilities has been added, letting clients discover which historical data a node can serve (#33886)

  • debug_clearTxpool has been added to clear the transaction pool (#33347, #35130)

  • State-reading methods (eth_getBalance, eth_getCode, eth_getStorageAt, etc.) now default the block parameter to latest when omitted (#35100)

  • Fixes for eth_simulateV1: an incorrect "base fee too low" error code and a pre-Shanghai withdrawal regression (#34951, #34939)

  • debug_setHead now propagates rewind errors instead of silently ignoring them (#35001)

  • EIP-7702 transactions with a nil To address are now rejected (#35094)

  • HTTP RPC responses now always set Content-Length, and a WebSocket handshake status-code bug was fixed (#35072, #35111)

  • The client can now configure trace-context propagation via the traceparent header, and response writes are now traced (#35132, #35049)

GraphQL

  • GraphQL request bodies are now limited to 5 MiB (#35034)
  • Log-range queries with begin > 0 and end == 0 are now rejected (#35032)
  • The Block.raw resolver now returns empty bytes when the block body is missing (#35027)

Core

  • A global cache for JUMPDEST bitmaps speeds up EVM execution (#34850)
  • EVM stack operations are now computed in place, avoiding per-operand copies (#35156)
  • New code-cache hit/miss meters have been added (#34821)
  • A shutdown race in snapshot generation has been fixed (#33540)

... (truncated)

Commits
  • 36a7dc7 version: release go-ethereum v1.17.4
  • 6b72f26 triedb/pathdb: log the expected version in obsolete-index cleanup (#35194)
  • e5ff359 p2p/discover: fix waiting wrong duration (#35002)
  • 7c9032d all: change reflect.Ptr to reflect.Pointer (#35176)
  • 8c540cb eth/catalyst: add testing_commitBlockV1 (#34995)
  • 7122ecc eth/protocols/snap: remove uncovered states before resuming (#35159)
  • 0e810e4 eth, triedb, internal: add snap/2 sync progress (#35178)
  • 1be5da2 eth/protocols/snap: redo the snap sync if the bal is unavailable (#35181)
  • ad68ce2 eth: reserve peer slot for usable snap peer (#35180)
  • cb387c9 cmd/devp2p/internal/ethtest: validate received txs, not the sent ones (#35170)
  • Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.


Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits
  • ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
  • 2714c07 Changelog for v4.15.4 - security fix
  • 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
  • d16a4ec backport PR 3016 from v4
  • 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
  • 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
  • 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
  • 11a3cc4 Update dependencies and add ignore for linting
  • 26bd016 Update CI action versions
  • aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
  • Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.20.0 to 9.21.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.21.0

This is a minor release adding new features and bug fixes. There are no breaking changes; upgrading from 9.20.x is a drop-in replacement.

🚀 Highlights

Zero-copy GetToBuffer / SetFromBuffer

Two new StringCmdable methods let callers read and write Redis string values directly into and from pre-allocated byte buffers, eliminating the per-call payload allocation that Get/Set incur:

GetToBuffer(ctx, key, buf) *ZeroCopyStringCmd   // reads into buf; ZeroCopyStringCmd { Val() int; Bytes() []byte; Result() (int, error) }
SetFromBuffer(ctx, key, buf) *StatusCmd

GetToBuffer decodes the bulk reply straight into the caller-owned buf (no intermediate allocation); a buffer that is too small returns an error after draining the payload, so the connection stays aligned for the next reply. SetFromBuffer is provided for API symmetry — it dispatches to the same []byte writer path as Set(ctx, key, buf, 0) and produces byte-identical output on the wire. Available on *Client, *ClusterClient, *Ring, *Conn and Pipeliner.

(#3834) by @​ndyakov

Explicit LIMIT 0 for stream trimming

Redis treats XTRIM/XADD approximate-trim (~) LIMIT 0 as "disable the trimming effort cap entirely", which differs from omitting LIMIT (the implicit 100 * stream-node-max-entries default). The command builders previously only emitted LIMIT when limit > 0, so callers could never send an explicit LIMIT 0. Following the KeepTTL = -1 precedent, the new XTrimLimitDisabled = -1 sentinel now emits an explicit LIMIT 0; limit == 0 keeps the historical no-LIMIT behavior, so existing callers produce byte-identical commands.

(#3848) by @​TheRealMal

✨ New Features

  • Zero-copy buffer string commands: new GetToBuffer / SetFromBuffer on StringCmdable and the ZeroCopyStringCmd result type, reading/writing string values into caller-owned buffers without per-call payload allocation (#3834) by @​ndyakov
  • XTrimLimitDisabled sentinel: XTRIM/XADD approximate trimming can now send an explicit LIMIT 0 to disable the trim effort cap, via the new XTrimLimitDisabled = -1 sentinel (#3848) by @​TheRealMal
  • PubSub health-check timeouts: channel.initHealthCheck now bounds the Ping it issues with a fresh per-check timeout context (the exported pingTimeout / reconnectTimeout) instead of context.TODO(), so a stuck health-check Ping can no longer block indefinitely (#3819) by @​abdellani
  • Skip redundant UNWATCH in Tx.Close: a transaction now tracks whether a WATCH is still active (watchArmed) and only issues UNWATCH on Close when it is, removing an extra round trip on the common WATCH/.../EXEC and no-key Watch paths while never returning a connection to the pool with an active watch (#3854) by @​fcostaoliveira

🐛 Bug Fixes

  • maintnotifications ModeAuto fail-open: ModeAuto now stays fail-open when the server does not support maintenance notifications — connections are retired and tracking is guarded during downgrade so the client keeps working instead of erroring (#3853) by @​terrorobe

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​abdellani, @​fcostaoliveira, @​ndyakov, @​terrorobe, @​TheRealMal

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.21.0 (2026-06-18)

This is a minor release adding new features and bug fixes. There are no breaking changes; upgrading from 9.20.x is a drop-in replacement.

🚀 Highlights

Zero-copy GetToBuffer / SetFromBuffer

Two new StringCmdable methods let callers read and write Redis string values directly into and from pre-allocated byte buffers, eliminating the per-call payload allocation that Get/Set incur:

GetToBuffer(ctx, key, buf) *ZeroCopyStringCmd   // reads into buf; ZeroCopyStringCmd { Val() int; Bytes() []byte; Result() (int, error) }
SetFromBuffer(ctx, key, buf) *StatusCmd

GetToBuffer decodes the bulk reply straight into the caller-owned buf (no intermediate allocation); a buffer that is too small returns an error after draining the payload, so the connection stays aligned for the next reply. SetFromBuffer is provided for API symmetry — it dispatches to the same []byte writer path as Set(ctx, key, buf, 0) and produces byte-identical output on the wire. Available on *Client, *ClusterClient, *Ring, *Conn and Pipeliner.

(#3834) by @​ndyakov

Explicit LIMIT 0 for stream trimming

Redis treats XTRIM/XADD approximate-trim (~) LIMIT 0 as "disable the trimming effort cap entirely", which differs from omitting LIMIT (the implicit 100 * stream-node-max-entries default). The command builders previously only emitted LIMIT when limit > 0, so callers could never send an explicit LIMIT 0. Following the KeepTTL = -1 precedent, the new XTrimLimitDisabled = -1 sentinel now emits an explicit LIMIT 0; limit == 0 keeps the historical no-LIMIT behavior, so existing callers produce byte-identical commands.

(#3848) by @​TheRealMal

✨ New Features

  • Zero-copy buffer string commands: new GetToBuffer / SetFromBuffer on StringCmdable and the ZeroCopyStringCmd result type, reading/writing string values into caller-owned buffers without per-call payload allocation (#3834) by @​ndyakov
  • XTrimLimitDisabled sentinel: XTRIM/XADD approximate trimming can now send an explicit LIMIT 0 to disable the trim effort cap, via the new XTrimLimitDisabled = -1 sentinel (#3848) by @​TheRealMal
  • PubSub health-check timeouts: channel.initHealthCheck now bounds the Ping it issues with a fresh per-check timeout context (the exported pingTimeout / reconnectTimeout) instead of context.TODO(), so a stuck health-check Ping can no longer block indefinitely (#3819) by @​abdellani
  • Skip redundant UNWATCH in Tx.Close: a transaction now tracks whether a WATCH is still active (watchArmed) and only issues UNWATCH on Close when it is, removing an extra round trip on the common WATCH/.../EXEC and no-key Watch paths while never returning a connection to the pool with an active watch (#3854) by @​fcostaoliveira

🐛 Bug Fixes

  • maintnotifications ModeAuto fail-open: ModeAuto now stays fail-open when the server does not support maintenance notifications — connections are retired and tracking is guarded during downgrade so the client keeps working instead of erroring (#3853) by @​terrorobe

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​abdellani, @​fcostaoliveira, @​ndyakov, @​terrorobe, @​TheRealMal


Full Changelog: redis/go-redis@v9.20.1...v9.21.0

9.20.1 (2026-06-11)

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

... (truncated)

Commits
  • 1551837 chore(release): 9.21.0 (#3857)
  • 1cfa927 fix(maintnotifications): keep ModeAuto fail-open (#3853)
  • 1f0ea0e feat(pubsub): introduce timeouts for Ping on channel.initHealthCheck (#3819)
  • 5484b0b feat(tx): skip redundant UNWATCH in Tx.Close when no WATCH is active (#3854)
  • bf57a51 chore(deps): bump rojopolis/spellcheck-github-actions (#3852)
  • 641294c feat(streams): support explicit LIMIT 0 in XTRIM/XADD trimming via XTrimLimit...
  • 74d9bb0 feat(command): add zero-copy GetToBuffer and SetFromBuffer (#3834)
  • a13416b chore(release): 9.20.1 (#3847)
  • 10dc44f fix(push): fix peeking when push name is truncated (#3842)
  • e1a2d68 fix(ft.hybrid): Always generate vector param names if they are not provided b...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 30, 2026
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Changelog not found.

A changelog entry is required before merging.

Add changelog

@socket-security

socket-security Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​ethereum/​go-ethereum@​v1.17.3 ⏵ v1.17.476 +110010010070
Updatedgithub.com/​labstack/​echo/​v4@​v4.15.2 ⏵ v4.15.472 +1100100100100
Updatedgithub.com/​redis/​go-redis/​v9@​v9.20.0 ⏵ v9.21.074 +1100100100100

View full report

Bumps the go-deps group with 3 updates in the / directory: [github.com/ethereum/go-ethereum](https://github.com/ethereum/go-ethereum), [github.com/labstack/echo/v4](https://github.com/labstack/echo) and [github.com/redis/go-redis/v9](https://github.com/redis/go-redis).


Updates `github.com/ethereum/go-ethereum` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/ethereum/go-ethereum/releases)
- [Commits](ethereum/go-ethereum@v1.17.3...v1.17.4)

Updates `github.com/labstack/echo/v4` from 4.15.2 to 4.15.4
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.4/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.4)

Updates `github.com/redis/go-redis/v9` from 9.20.0 to 9.21.0
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](redis/go-redis@v9.20.0...v9.21.0)

---
updated-dependencies:
- dependency-name: github.com/ethereum/go-ethereum
  dependency-version: 1.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/go-deps-6ca1192612 branch from 75cb0e3 to 6b53e9d Compare July 9, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants