build(deps): bump the go_modules group across 5 directories with 4 updates

[dependabot]

Bumps the go_modules group with 1 update in the /examples/instance-aware-db directory: github.com/jackc/pgx/v5.
Bumps the go_modules group with 1 update in the /examples/verbose-debug directory: github.com/jackc/pgx/v5.
Bumps the go_modules group with 1 update in the /modules/database directory: github.com/jackc/pgx/v5.
Bumps the go_modules group with 1 update in the /modules/eventbus directory: github.com/nats-io/nats-server/v2.
Bumps the go_modules group with 1 update in the /modules/letsencrypt directory: github.com/go-acme/lego/v4.

Updates github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

• Require Go 1.25+
• Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
• Add OAuth authentication support for PostgreSQL 18 (David Schneider)
• Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
• Add tsvector type support (Adam Brightwell)
• Skip Describe Portal for cached prepared statements reducing network round trips
• Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
• Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
• Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
• Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
• Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
• Make RowsAffected faster (Abhishek Chanda)
• Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
• Fix: ContextWatcher goroutine leak (Hank Donnay)
• Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)
• Fix: pipelineBatchResults.Exec silently swallowing lastRows error
• Fix: ColumnTypeLength using BPCharArrayOID instead of BPCharOID
• Fix: TSVector text encoding returning nil for valid empty tsvector
• Fix: wrong error messages for Int2 and Int4 underflow
• Fix: Numeric nil Int pointer dereference with Valid: true
• Fix: reversed strings.ContainsAny arguments in Numeric.ScanScientific
• Fix: message length parsing on 32-bit platforms
• Fix: FunctionCallResponse.Decode mishandling of signed result size
• Fix: returning wrong error in configTLS when DecryptPEMBlock fails (Maxim Motyshen)
• Fix: misleading ParseConfig error when default_query_exec_mode is invalid (Skarm)
• Fix: missed Unwatch in Pipeline error paths
• Clarify too many failed acquire attempts error message
• Better error wrapping with context and SQL statement (Aneesh Makala)
• Enable govet and ineffassign linters (Federico Guerinoni)
• Guard against various malformed binary messages (arrays, hstore, multirange, protocol messages)
• Fix various godoc comments (ferhat elmas)
• Fix typos in comments (Oleksandr Redko)

5.8.0 (December 26, 2025)

• Require Go 1.24+
• Remove golang.org/x/crypto dependency
• Add OptionShouldPing to control ResetSession ping behavior (ilyam8)
• Fix: Avoid overflow when MaxConns is set to MaxInt32

... (truncated)

Commits

• b4d8e62 Release v5.9.0
• c227cd4 Bump minimum Go version from 1.24 to 1.25
• f492c14 Use reflect.TypeFor instead of reflect.TypeOf for static types
• ad8fb08 Use sync.WaitGroup.Go to simplify goroutine spawning
• 3033773 Remove go1.26 build tag from synctest test
• 83ffb3c Validate multirange element count against source length before allocating
• 828f214 Fix message length parsing on 32-bit platforms
• e196a39 Add fuzz test for SQL lexer in sanitize package
• 7f969f8 Rename TraceQueryute to traceExecute
• ab52391 Use single Stat snapshot in checkMinConns
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

• Require Go 1.25+
• Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
• Add OAuth authentication support for PostgreSQL 18 (David Schneider)
• Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
• Add tsvector type support (Adam Brightwell)
• Skip Describe Portal for cached prepared statements reducing network round trips
• Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
• Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
• Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
• Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
• Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
• Make RowsAffected faster (Abhishek Chanda)
• Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
• Fix: ContextWatcher goroutine leak (Hank Donnay)
• Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)
• Fix: pipelineBatchResults.Exec silently swallowing lastRows error
• Fix: ColumnTypeLength using BPCharArrayOID instead of BPCharOID
• Fix: TSVector text encoding returning nil for valid empty tsvector
• Fix: wrong error messages for Int2 and Int4 underflow
• Fix: Numeric nil Int pointer dereference with Valid: true
• Fix: reversed strings.ContainsAny arguments in Numeric.ScanScientific
• Fix: message length parsing on 32-bit platforms
• Fix: FunctionCallResponse.Decode mishandling of signed result size
• Fix: returning wrong error in configTLS when DecryptPEMBlock fails (Maxim Motyshen)
• Fix: misleading ParseConfig error when default_query_exec_mode is invalid (Skarm)
• Fix: missed Unwatch in Pipeline error paths
• Clarify too many failed acquire attempts error message
• Better error wrapping with context and SQL statement (Aneesh Makala)
• Enable govet and ineffassign linters (Federico Guerinoni)
• Guard against various malformed binary messages (arrays, hstore, multirange, protocol messages)
• Fix various godoc comments (ferhat elmas)
• Fix typos in comments (Oleksandr Redko)

5.8.0 (December 26, 2025)

• Require Go 1.24+
• Remove golang.org/x/crypto dependency
• Add OptionShouldPing to control ResetSession ping behavior (ilyam8)
• Fix: Avoid overflow when MaxConns is set to MaxInt32

... (truncated)

Commits

• b4d8e62 Release v5.9.0
• c227cd4 Bump minimum Go version from 1.24 to 1.25
• f492c14 Use reflect.TypeFor instead of reflect.TypeOf for static types
• ad8fb08 Use sync.WaitGroup.Go to simplify goroutine spawning
• 3033773 Remove go1.26 build tag from synctest test
• 83ffb3c Validate multirange element count against source length before allocating
• 828f214 Fix message length parsing on 32-bit platforms
• e196a39 Add fuzz test for SQL lexer in sanitize package
• 7f969f8 Rename TraceQueryute to traceExecute
• ab52391 Use single Stat snapshot in checkMinConns
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

• Require Go 1.25+
• Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
• Add OAuth authentication support for PostgreSQL 18 (David Schneider)
• Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
• Add tsvector type support (Adam Brightwell)
• Skip Describe Portal for cached prepared statements reducing network round trips
• Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
• Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
• Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
• Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
• Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
• Make RowsAffected faster (Abhishek Chanda)
• Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
• Fix: ContextWatcher goroutine leak (Hank Donnay)
• Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)
• Fix: pipelineBatchResults.Exec silently swallowing lastRows error
• Fix: ColumnTypeLength using BPCharArrayOID instead of BPCharOID
• Fix: TSVector text encoding returning nil for valid empty tsvector
• Fix: wrong error messages for Int2 and Int4 underflow
• Fix: Numeric nil Int pointer dereference with Valid: true
• Fix: reversed strings.ContainsAny arguments in Numeric.ScanScientific
• Fix: message length parsing on 32-bit platforms
• Fix: FunctionCallResponse.Decode mishandling of signed result size
• Fix: returning wrong error in configTLS when DecryptPEMBlock fails (Maxim Motyshen)
• Fix: misleading ParseConfig error when default_query_exec_mode is invalid (Skarm)
• Fix: missed Unwatch in Pipeline error paths
• Clarify too many failed acquire attempts error message
• Better error wrapping with context and SQL statement (Aneesh Makala)
• Enable govet and ineffassign linters (Federico Guerinoni)
• Guard against various malformed binary messages (arrays, hstore, multirange, protocol messages)
• Fix various godoc comments (ferhat elmas)
• Fix typos in comments (Oleksandr Redko)

5.8.0 (December 26, 2025)

• Require Go 1.24+
• Remove golang.org/x/crypto dependency
• Add OptionShouldPing to control ResetSession ping behavior (ilyam8)
• Fix: Avoid overflow when MaxConns is set to MaxInt32

... (truncated)

Commits

• b4d8e62 Release v5.9.0
• c227cd4 Bump minimum Go version from 1.24 to 1.25
• f492c14 Use reflect.TypeFor instead of reflect.TypeOf for static types
• ad8fb08 Use sync.WaitGroup.Go to simplify goroutine spawning
• 3033773 Remove go1.26 build tag from synctest test
• 83ffb3c Validate multirange element count against source length before allocating
• 828f214 Fix message length parsing on 32-bit platforms
• e196a39 Add fuzz test for SQL lexer in sanitize package
• 7f969f8 Rename TraceQueryute to traceExecute
• ab52391 Use single Stat snapshot in checkMinConns
• Additional commits viewable in compare view

Updates github.com/nats-io/nats-server/v2 from 2.12.4 to 2.12.6

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.12.6

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

• 1.25.8

Dependencies

• golang.org/x/crypto v0.49.0 (#7953)
• github.com/nats-io/jwt/v2 v2.8.1 (#7960)
• golang.org/x/sys v0.42.0 (#7923)
• golang.org/x/time v0.15.0 (#7923)

CVEs

• Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)
• Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)
• Fixes CVE-2026-33218 (affects systems using leafnodes)
• Fixes CVE-2026-33219 (affects systems using WebSockets)
• Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)
• Fixes CVE-2026-33248 (affects systems using mutual TLS)
• Fixes CVE-2026-33247 (affects systems providing credentials on the command line)
• Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)

Improved

General

• Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (#7781)
• The $SYS.REQ.USER.INFO response now includes the friendly nametag of the account and/or user if known (#7973)

JetStream

• The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

• Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

• Client connections are no longer registered after an auth callout timeout (#7932)
• Improved handling of duplicate headers
• A correctness bug when validating relative distinguished names has been fixed
• Secrets are now redacted correctly in trace logging (#7942)

... (truncated)

Commits

• 0e06390 Release v2.12.6
• f593d27 Cherry-picks for 2.12.6 (#61)
• 9f904de [FIXED] Incomplete route pool on premature pong
• b510192 [FIXED] Avoid stalling read loop on leafnode ErrMinimumVersionRequired
• 53941c2 Report the account and user name in USER.INFO request
• 1ab002a [IMPROVED] Support HTTP proxy connection from leaf nodes also for TCP
• 8b64082 Release v2.12.6-RC.3
• e6ab7e9 Cherry-picks for 2.12.6-RC.3 (#59)
• 9f4d960 Make the deduplication window actually work for deduplication for sourcing
• 304e184 Remove FIXME about auth callout nonce
• Additional commits viewable in compare view

Updates github.com/go-acme/lego/v4 from 4.26.0 to 4.34.0

Release notes

Sourced from github.com/go-acme/lego/v4's releases.

v4.34.0

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Everybody thinks that the others will donate, but in the end, nobody does.

So if you think that lego is worth it, please consider donating.

For key updates, see the changelog.

Changelog

• b682f8494cca7fd9859adc8814b253e6855b7faa Add DNS provider for 1cloud.ru (#2921)
• 79b83fe1e38e6b93443077014fb51d3ba3bfed7b Add DNS provider for Netnod (#2919)
• ca178943d0a6394ae44d94ed37306d66b14ee2c2 Add DNS provider for UCloud (#2972)
• 61bd6bf0b9bc49c740528316dc8054871127d706 Add DNS provider for online.net (#2964)
• 4f6a481bc4298383b1d2514f3dab0dbd0120b544 bluecatv2: fix documentation
• aa6fcebccb73828e933c33363dccc0a93a101988 fix: check base64url token
• 1274ec8741d7ac0b4232775e358bc95db44d961c oraclecloud: support profile session token (#2965)
• cff2cd750413febbec64cb5fb3eedfc5a2e31a49 rfc2136: add RFC3645 (TSIG-GSS) support (#2946)
• 33754b3b216169b18d580bddf1837e713bff7c30 rfc2136: add dnsupdate as alias (#2957)
• 79796e155e4460967458c0df8fe58ea390cfe08f yandex360: update API docs links (#2922)

v4.33.0

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Everybody thinks that the others will donate, but in the end, nobody does.

So if you think that lego is worth it, please consider donating.

For key updates, see the changelog.

Changelog

• a56697ed1cd7eddeedfb459f9200b936afeeb34a Add DNS provider for EuroDNS (#2898)
• 9be8cd43ae5de725b39643598e00da367969cab6 Add DNS provider for Excedo (#2910)
• 847c763504888c511d7fcec82d65004caf25853e feat: Add DNS provider for Czechia (#2885)
• 491dcaad1d4b77f3ec703a581e9a8d900869953d feat: allow to Unwrap obtainError (#2874)
• 87b172f103b26c8ea40c5e811576ad454f7b6891 gigahostno: remove unused Zone fields (#2913)
• 7d459b59c5882aac5cd8545cbda77e18852f5cd3 liara: add support for team ID (#2867)
• 7b1aa50081643440c853a682ad8a9c2bf706929b safedns: rename UKFast SafeDNS to ANS SafeDNS (#2877)

v4.32.0

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Everybody thinks that the others will donate, but in the end, nobody does.

So if you think that lego is worth it, please consider donating.

For key updates, see the changelog.

Changelog

• 078a1889c87c750f6051a3dd9dc1e5e24e690ec8 Add DNS provider for ArtFiles (#2859)

... (truncated)

Changelog

Sourced from github.com/go-acme/lego/v4's changelog.

v4.34.0

• Release date: 2026-04-15
• Tag: v4.34.0

Added

• [dnsprovider] Add DNS provider for UCloud
• [dnsprovider] Add DNS provider for online.net
• [dnsprovider] Add DNS provider for 1cloud.ru
• [dnsprovider] Add DNS provider for Netnod
• [dnsprovider] oraclecloud: support profile session token
• [dnsprovider] rfc2136: add RFC3645 (TSIG-GSS) support

Changed

• [dnsprovider] rfc2136: add dnsupdate as alias

Fixed

• [httpprovider] Check base64url token

v4.33.0

• Release date: 2026-03-19
• Tag: v4.33.0

Added

• [dnsprovider] Add DNS provider for Excedo
• [dnsprovider] Add DNS provider for EuroDNS
• [dnsprovider] Add DNS provider for Czechia

Changed

• [lib] feat: allow to Unwrap obtainError

Fixed

• [dnsprovider] liara: add support for team ID
• [dnsprovider] gigahostno: remove unused Zone fields

v4.32.0

• Release date: 2026-02-19
• Tag: v4.32.0

Added

• [dnsprovider] Add DNS provider for ArtFiles

... (truncated)

Commits

• f3c686a Prepare release v4.34.0
• aa6fceb fix: check base64url token
• 2c87024 chore: update dependencies (#2978)
• 152e454 chore: update github.com/modern-go/reflect2 (#2977)
• 29fd2d9 chore: improve issue templates
• ca17894 Add DNS provider for UCloud (#2972)
• c4ab057 chore: improve issue templates
• 61bd6bf Add DNS provider for online.net (#2964)
• 1274ec8 oraclecloud: support profile session token (#2965)
• 4f6a481 bluecatv2: fix documentation
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

📋 API Contract Changes Summary

✅ No breaking changes detected - only additions and non-breaking modifications

Changed Components:

Core Framework

Contract diff saved to artifacts/diffs/core.json

Module: auth

Contract diff saved to artifacts/diffs/auth.json

Module: cache

Contract diff saved to artifacts/diffs/cache.json

Module: database

Contract diff saved to artifacts/diffs/database.json

Module: eventbus

Contract diff saved to artifacts/diffs/eventbus.json

Module: jsonschema

Contract diff saved to artifacts/diffs/jsonschema.json

Module: letsencrypt

Contract diff saved to artifacts/diffs/letsencrypt.json

Module: reverseproxy

Contract diff saved to artifacts/diffs/reverseproxy.json

Artifacts

📁 Full contract diffs and JSON artifacts are available in the workflow artifacts.

[dependabot]

Superseded by #104.