chore(deps): update security updates (major)

[NumaryBot]

This PR contains the following updates:

Package	Type	Update	Change
github.com/evanphx/json-patch	indirect	major	v4.12.0+incompatible -> v5.9.11+incompatible
github.com/formancehq/go-libs/v2	require	major	v2.2.3 -> v4.1.1
github.com/imdario/mergo	require	major	v0.3.16 -> v1.0.2
github.com/lithammer/shortuuid/v3	indirect	major	v3.0.7 -> v4.2.0
github.com/oklog/ulid	indirect	major	v1.3.1 -> v2.1.1
github.com/puzpuzpuz/xsync/v3	indirect	major	v3.5.1 -> v4.4.0
go.yaml.in/yaml/v2	indirect	major	v2.4.3 -> v3.0.4
gomodules.xyz/jsonpatch/v2	indirect	major	v2.4.0 -> v3.0.1
gopkg.in/evanphx/json-patch.v4	indirect	major	v4.13.0 -> v5.9.11

---

Release Notes

evanphx/json-patch (github.com/evanphx/json-patch)

v5.9.11+incompatible

Compare Source

v5.9.10+incompatible

Compare Source

v5.9.0+incompatible

Compare Source

v5.8.1+incompatible

Compare Source

v5.8.0+incompatible

Compare Source

v5.7.0+incompatible

Compare Source

v5.6.0+incompatible

Compare Source

v4.13.0+incompatible

Compare Source

formancehq/go-libs (github.com/formancehq/go-libs/v2)

v4.1.1

Compare Source

v4.1.0

Compare Source

What's Changed

• chore(deps): update module go.opentelemetry.io/otel/sdk to v1.40.0 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/551
• chore(deps): update module filippo.io/edwards25519 to v1.1.1 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/550
• feat(EN-780): extract OTel trace context from message metadata in que… by @​fguery in https://github.com/formancehq/go-libs/pull/558
• chore(deps): update module github.com/docker/cli to v29 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/560
• feat: listener should inject the context into the context so that it … by @​fguery in https://github.com/formancehq/go-libs/pull/561
• chore(deps): update module github.com/nats-io/nats-server/v2 to v2.11.12 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/553
• feat(licence): offline JWT validation with embedded Formance public key by @​flemzord in https://github.com/formancehq/go-libs/pull/562

Full Changelog: formancehq/go-libs@v4.0.0...v4.1.0

v4.0.0

Compare Source

v3.6.1

Compare Source

v3.6.0

Compare Source

v3.5.0

Compare Source

v3.4.0

Compare Source

What's Changed

• fix: really use the publisher-nats-client-id flag for nats connections by @​sylr in https://github.com/formancehq/go-libs/pull/523
• chore(deps): update module github.com/opencontainers/runc to v1.2.8 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/525
• feat: add capacity to specify a static keyset on auth middleware by @​gfyrag in https://github.com/formancehq/go-libs/pull/524

New Contributors

• @​sylr made their first contribution in https://github.com/formancehq/go-libs/pull/523

Full Changelog: formancehq/go-libs@v3.3.0...v3.4.0

v3.3.0

Compare Source

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.0

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

v2.2.4

Compare Source

yaml/go-yaml (go.yaml.in/yaml/v2)

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

v2.4.4

Compare Source

gomodules/jsonpatch (gomodules.xyz/jsonpatch/v2)

v3.0.1

Compare Source

This release uses our forked gomodules/orderedmap library. Our forked version has 2 major changes:

• Uses *OrderedMap instead of OrderedMap inside nested orderedmaps.
• I ported unstructured helpers from Kubernetes to work with orderedmaps.

v3.0.0

Compare Source

This release uses iancoleman/orderedmap to generate predictable patch. This is very useful if the generated patch is checked into a VCS like git.

v2.5.0

Compare Source

What's Changed

• Fix: handle lossy max int64 by @​lacroixthomas in https://github.com/gomodules/jsonpatch/pull/40

New Contributors

• @​lacroixthomas made their first contribution in https://github.com/gomodules/jsonpatch/pull/40

Full Changelog: gomodules/jsonpatch@v2.4.0...v2.5.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[NumaryBot]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/imdario/mergo@v1.0.2: parsing go.mod:
	module declares its path as: dario.cat/mergo
	        but was required as: github.com/imdario/mergo

File name: undefined

Command failed: just pre-commit
go mod tidy
go: downloading github.com/stoewer/go-strcase v1.3.0
go: downloading k8s.io/api v0.34.2
go: downloading k8s.io/apimachinery v0.34.2
go: downloading k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
go: downloading sigs.k8s.io/controller-runtime v0.22.4
go: downloading k8s.io/client-go v0.34.2
go: downloading k8s.io/apiextensions-apiserver v0.34.1
go: downloading golang.org/x/mod v0.29.0
go: downloading github.com/imdario/mergo v1.0.2
go: downloading github.com/onsi/ginkgo/v2 v2.23.4
go: downloading github.com/onsi/gomega v1.38.0
go: downloading sigs.k8s.io/structured-merge-diff/v6 v6.3.0
go: downloading github.com/evanphx/json-patch v5.9.11+incompatible
go: downloading golang.org/x/net v0.47.0
go: downloading go.uber.org/zap v1.27.0
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3
go: downloading github.com/prometheus/common v0.67.2
go: downloading github.com/prometheus/procfs v0.17.0
go: downloading golang.org/x/sys v0.38.0
go: downloading google.golang.org/protobuf v1.36.10
go: downloading golang.org/x/term v0.37.0
go: downloading golang.org/x/oauth2 v0.33.0
go: downloading github.com/google/gnostic-models v0.7.0
go: downloading golang.org/x/sync v0.18.0
go: downloading go.uber.org/automaxprocs v1.6.0
go: downloading github.com/go-openapi/jsonreference v0.21.0
go: downloading github.com/go-openapi/swag v0.23.1
go: downloading golang.org/x/text v0.31.0
go: downloading golang.org/x/tools v0.38.0
go: downloading github.com/go-openapi/jsonpointer v0.21.2
go: downloading github.com/mailru/easyjson v0.9.0
go: downloading github.com/google/pprof v0.0.0-20250501235452-c0086092b71a
go: github.com/imdario/mergo@v1.0.2: parsing go.mod:
	module declares its path as: dario.cat/mergo
	        but was required as: github.com/imdario/mergo
error: Recipe `tidy` failed on line 16 with exit code 1

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (5)

• go.mod is excluded by !**/*.mod
• tools/kubectl-stacks/go.mod is excluded by !**/*.mod
• tools/kubectl-stacks/go.sum is excluded by !**/*.sum, !**/*.sum
• tools/utils/go.mod is excluded by !**/*.mod
• tools/utils/go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 39d69e2a-2211-4dab-9d89-fa744f56a0f6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/major-security

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}