build(deps): bump github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.2

[dependabot]

Bumps github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.2.

Release notes

Sourced from github.com/fxamacker/cbor/v2's releases.

v2.9.2

This release refactors and hardens the streaming encoder by adding stricter checks for encoding CBOR indefinite-length data. Other changes include minor bugfixes, defensive checks, and more tests.

Projects that don't use CBOR indefinite-length data may also want to upgrade (summary of prior releases).

The stricter checks in the encoder prevent improper use of the library and bad inputs from producing malformed CBOR indefinite-length data that would be rejected by the decoder.

This release passed fuzz tests (billions of execs) and it is production quality.

What's Changed

• Reject encoding indefinite-length map with odd item count by @​fxamacker in fxamacker/cbor#764
• Reject encoding indefinite-length data item as a chunk inside indefinite-length byte string or text string by @​fxamacker in fxamacker/cbor#765
• Make TagSet.Remove a no-op when contentType is nil by @​fxamacker in fxamacker/cbor#766
• Refactor indefinite-length encoding and improve chunk validation during encoding by @​fxamacker in fxamacker/cbor#767
• Add more tests, fix a nit in unreachable panic message, update docs & ci by @​fxamacker in fxamacker/cbor#768

CI / GitHub Actions and Docs

• Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in fxamacker/cbor#760
• Bump github/codeql-action from 4.34.1 to 4.35.1 by @​dependabot[bot] in fxamacker/cbor#761
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in fxamacker/cbor#763
• Update README for v2.9.2 release by @​fxamacker in fxamacker/cbor#769

Full Changelog: fxamacker/cbor@v2.9.1...v2.9.2

v2.9.1

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

• [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #757)
• [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #757)
• [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

• [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #753)
• [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #753)
• [Encoding] Reject encoding nil inside indefinite-length strings (PR #750)

... (truncated)

Commits

• 45589ab Merge pull request #769 from fxamacker/fxamacker/update-readme-release-status
• 8e98ea5 Update README for v2.9.2 release
• e501aca Merge pull request #768 from fxamacker/fxamacker/update-docs
• e6af0aa Merge pull request #767 from fxamacker/fxamacker/refactor-indefinite-length-e...
• 57f1601 Merge pull request #766 from fxamacker/fxamacker/no-opt-to-remove-nil-type-in...
• 0cdb674 Fix indefinite-length string chunk validation
• c0db60f Improve GitHub Workflow code coverage regex
• 63937fe Fix panic message to print the unrecognized tag
• f0352a5 Add more tests
• 0c20a0f Refactor encoding of indefinite-length data item
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)