build(deps): bump the security-updates group across 1 directory with 4 updates #1207

Merged: Pugma merged 1 commit into main from dependabot/go_modules/security-updates-461d83e4b3 on Apr 29, 2026
@dependabot (Bot, Contributor) commented on behalf of github on Apr 29, 2026

Bumps the security-updates group with 3 updates in the / directory: github.com/go-git/go-git/v5, github.com/traefik/traefik/v3 and github.com/moby/spdystream.

Updates github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.18.0

What's Changed

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

Commits
  • ea3e7ec Merge pull request #2004 from go-git/v5-http-hardening
  • bcd20a9 plumbing: transport/http, Add support for followRedirects policy
  • See full diff in compare view

Updates github.com/traefik/traefik/v3 from 3.6.12 to 3.6.14

Release notes

Sourced from github.com/traefik/traefik/v3's releases.

v3.6.14

Important: Please read the migration guide.

CVE fixed:

Bug fixes:

Documentation:

v3.6.13

Bug fixes:

  • [middleware] Bump github.com/klauspost/compress v1.18.4 and fix TestNegotiation (#12937 @thaJeztah)

Documentation:

Changelog

Sourced from github.com/traefik/traefik/v3's changelog.

v3.6.14 (2026-04-22)

All Commits

Bug fixes:

Documentation:

v2.11.43 (2026-04-22)

All Commits

Bug fixes:

v3.6.13 (2026-04-07)

All Commits

Bug fixes:

  • [middleware] Bump github.com/klauspost/compress v1.18.4 and fix TestNegotiation (#12937 @thaJeztah)

Documentation:

Commits
  • a6664c9 Prepare release v3.6.14
  • 379d691 Merge v2.11 into v3.6
  • a9ce32a Prepare release v2.11.43
  • 5375274 Deprecate ForwardAuth.TrustForwardHeader option
  • 13302a2 Cleanup and make ForwardAuth logs consistent
  • 4aea15f Merge v2.11 into v3.6
  • 5e1de22 Fix trustForwardHeader on forward auth middleware
  • 184de70 Remove duplicate step in CI
  • f4766d7 Bump github.com/go-acme/lego/v4 to v4.34.0
  • 1a43505 Sanitize the request URL after stripping the prefix
  • Additional commits viewable in compare view

Updates github.com/go-acme/lego/v4 from 4.33.0 to 4.34.0

Release notes

Sourced from github.com/go-acme/lego/v4's releases.

v4.34.0

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Everybody thinks that the others will donate, but in the end, nobody does.

So if you think that lego is worth it, please consider donating.

For key updates, see the changelog.

Changelog

  • b682f8494cca7fd9859adc8814b253e6855b7faa Add DNS provider for 1cloud.ru (#2921)
  • 79b83fe1e38e6b93443077014fb51d3ba3bfed7b Add DNS provider for Netnod (#2919)
  • ca178943d0a6394ae44d94ed37306d66b14ee2c2 Add DNS provider for UCloud (#2972)
  • 61bd6bf0b9bc49c740528316dc8054871127d706 Add DNS provider for online.net (#2964)
  • 4f6a481bc4298383b1d2514f3dab0dbd0120b544 bluecatv2: fix documentation
  • aa6fcebccb73828e933c33363dccc0a93a101988 fix: check base64url token
  • 1274ec8741d7ac0b4232775e358bc95db44d961c oraclecloud: support profile session token (#2965)
  • cff2cd750413febbec64cb5fb3eedfc5a2e31a49 rfc2136: add RFC3645 (TSIG-GSS) support (#2946)
  • 33754b3b216169b18d580bddf1837e713bff7c30 rfc2136: add dnsupdate as alias (#2957)
  • 79796e155e4460967458c0df8fe58ea390cfe08f yandex360: update API docs links (#2922)
Changelog

Sourced from github.com/go-acme/lego/v4's changelog.

v4.34.0

  • Release date: 2026-04-15
  • Tag: v4.34.0

Added

  • [dnsprovider] Add DNS provider for UCloud
  • [dnsprovider] Add DNS provider for online.net
  • [dnsprovider] Add DNS provider for 1cloud.ru
  • [dnsprovider] Add DNS provider for Netnod
  • [dnsprovider] oraclecloud: support profile session token
  • [dnsprovider] rfc2136: add RFC3645 (TSIG-GSS) support

Changed

  • [dnsprovider] rfc2136: add dnsupdate as alias

Fixed

  • [httpprovider] Check base64url token
Commits

Updates github.com/moby/spdystream from 0.5.0 to 0.5.1

Release notes

Sourced from github.com/moby/spdystream's releases.

v0.5.1

What's Changed

Security

Fix memory amplification in SPDY frame parsing leads to denial of service (CVE-2026-35469 / GHSA-pc3f-x583-g7j2)

Changes

Full Changelog: moby/spdystream@v0.5.0...v0.5.1

Commits
  • c59e5d7 Merge pull request #109 from thaJeztah/use_ioutil
  • 2fd0155 use ioutil.Discard for go1.13 compatibility
  • ef6121f Merge commit from fork
  • 241cec9 compare with signed Int for 32-bit Arm
  • 21c3864 Add options to customize limits
  • acf9b45 spdy: update godoc for MaxDataLength
  • eb63605 spdy: limit header-size and header-count
  • 2f21da4 spdy: fix header block byte accounting
  • 5976b66 spdy: enforce 24-bit frame length limits
  • cf0ec5d Guard against oversized SPDY frames
  • Additional commits viewable in compare view


…4 updates

Bumps the security-updates group with 3 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/traefik/traefik/v3](https://github.com/traefik/traefik) and [github.com/moby/spdystream](https://github.com/moby/spdystream).


Updates `github.com/go-git/go-git/v5` from 5.17.2 to 5.18.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.17.2...v5.18.0)

Updates `github.com/traefik/traefik/v3` from 3.6.12 to 3.6.14
- [Release notes](https://github.com/traefik/traefik/releases)
- [Changelog](https://github.com/traefik/traefik/blob/v3.6.14/CHANGELOG.md)
- [Commits](traefik/traefik@v3.6.12...v3.6.14)

Updates `github.com/go-acme/lego/v4` from 4.33.0 to 4.34.0
- [Release notes](https://github.com/go-acme/lego/releases)
- [Changelog](https://github.com/go-acme/lego/blob/master/CHANGELOG.md)
- [Commits](go-acme/lego@v4.33.0...v4.34.0)

Updates `github.com/moby/spdystream` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/moby/spdystream/releases)
- [Commits](moby/spdystream@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.18.0
  dependency-type: direct:production
  dependency-group: security-updates
- dependency-name: github.com/traefik/traefik/v3
  dependency-version: 3.6.14
  dependency-type: direct:production
  dependency-group: security-updates
- dependency-name: github.com/go-acme/lego/v4
  dependency-version: 4.34.0
  dependency-type: indirect
  dependency-group: security-updates
- dependency-name: github.com/moby/spdystream
  dependency-version: 0.5.1
  dependency-type: indirect
  dependency-group: security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (Bot) added the `dependencies` (Pull requests that update a dependency file) and `go` (Pull requests that update Go code) labels on Apr 29, 2026
@github-actions (Contributor) commented:

Preview (prod backend + PR dashboard) → https://1207.ns-preview.trapti.tech/

@Pugma Pugma merged commit 08526e7 into main Apr 29, 2026
12 checks passed
@Pugma Pugma deleted the dependabot/go_modules/security-updates-461d83e4b3 branch April 29, 2026 03:48