chore(deps): bump the go_modules group across 5 directories with 8 updates

[dependabot]

Bumps the go_modules group with 1 update in the /tools/goose directory: filippo.io/edwards25519.
Bumps the go_modules group with 2 updates in the /tools/goreleaser directory: github.com/go-git/go-git/v5 and github.com/sigstore/cosign/v2.
Bumps the go_modules group with 1 update in the /tools/buf directory: github.com/quic-go/quic-go.
Bumps the go_modules group with 2 updates in the /tools/tbls directory: filippo.io/edwards25519 and github.com/expr-lang/expr.
Bumps the go_modules group with 1 update in the /tools/sqlc directory: filippo.io/edwards25519.

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.16.1 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

• internal: Expand regex to fix build [5.x] by @​baloo in go-git/go-git#1644
• build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @​baloo in go-git/go-git#1646
• plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @​baloo in go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

What's Changed

• utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by @​kane8n in go-git/go-git#1567

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

Commits

• 48a1ae0 Merge pull request #1836 from go-git/check-v5
• 42bdf1f storage: filesystem, Verify idx matches pack file
• 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
• 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
• 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
• 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
• 390a569 Merge pull request #1746 from pjbgf/bump-go
• 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
• e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
• 1495930 plumbing: Remove use of non-constant format strings
• Additional commits viewable in compare view

Updates github.com/sigstore/cosign/v2 from 2.5.0 to 2.6.2

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.2

Changelog

v2.6.2 contains a fix for GHSA-whqx-f9j3-ch6m

• 3ade80c5f77cefc904f8c994e88618e5892e8f1c Fix bundle verify path for old bundle/trusted root (#4624)
• c4e6a783ce9b6ad08bb545b79a3277f1aaa16add v2.6 branch - bump sigstore deps (#4619)

Thanks to all contributors!

v2.6.1

Changelog

• 634fabe54f9fbbab55d821a83ba93b2d25bdba5f Bump sigstore-go, move conformance back to tagged release
• c5545eda23d770180880c245bf0d8f78c354ecc4 Partially populate the output of cosign verify when working with new bundles (#4416)
• e191024a636883b4e6b7de8db2f5cfb85a1fcd0c bump go builder to use 1.25.1 and cosign (#4417)

Thanks to all contributors!

v2.6.0 introduces a number of new features, including:

• Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#4306)
• Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #3927 (#4316)
• Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.6.2

v2.6.2 resolves GHSA-whqx-f9j3-ch6m.

Changes

• Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4624)
• bump sigstore deps to resolve build errors (#4619)

v3.0.3

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional commands. We're continuing to work on compatibility with the remaining commands and will have a new release shortly. If you run into any problems, please file an issue

Changes

• 4554: Closes 4554 - Add warning when --output* is used (#4556)
• Protobuf bundle support for subcommand clean (#4539)
• Add staging flag to initialize with staging TUF metadata
• Updating sign-blob to also support signing with a certificate (#4547)
• Protobuf bundle support for subcommands save and load (#4538)
• Fix cert attachment for new bundle with signing config
• Fix OCI verification with local cert - old bundle
• Deprecate tlog-upload flag (#4458)
• fix: Use signal context for sign cli package.
• update offline verification directions (#4526)
• Fix signing/verifying annotations for new bundle
• Add support to download and attach for protobuf bundles (#4477)
• Add --signing-algorithm flag (#3497)
• Refactor signcommon bundle helpers
• Add --bundle and fix --upload for new bundle
• Pass insecure registry flags through to referrers
• Add protobuf bundle support for tree subcommand (#4491)
• Remove stale embed import (#4492)
• Support multiple container identities
• Fix segfault when no attestations are found (#4472)
• Use overridden repository for new bundle format (#4473)
• Remove --out flag from cosign initialize (#4462)
• Deprecate offline flag (#4457)
• Deduplicate code in sign/attest* and verify* commands (#4449)
• Cache signing config when calling initialize (#4456)

v3.0.2

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

• Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

... (truncated)

Commits

• 3ade80c Fix bundle verify path for old bundle/trusted root (#4624)
• c4e6a78 v2.6 branch - bump sigstore deps (#4619)
• 634fabe Bump sigstore-go, move conformance back to tagged release
• c5545ed Partially populate the output of cosign verify when working with new bundles ...
• e191024 bump go builder to use 1.25.1 and cosign (#4417)
• 37fbfc7 Require exclusively a SigningConfig or service URLs when signing (#4403)
• b1acaeb Add a terminal spinner while signing with sigstore-go (#4402)
• 2581dfd chore(deps): bump the gomod group across 1 directory with 8 updates (#4401)
• 11163ae Bump sigstore-go, support alternative hash algorithms with keys (#4386)
• 153df46 chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 (#4391)
• Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.4.1-0.20250814000724-cdd95725eb11 to 1.4.3

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

• use interruptable context to elegantly handle signals in rekor-cli (#2681)
• restapi: Don't log client errors as errors (#2680)
• pkg: separate pki types from implementations (#2668)
• e2e: don't mix e2e and regular utilities (#2672)
• pkg: remove viper config from spec definitions (#2669)
• log: remove zap & go-chi dependecy from pkg/types (#2667)
• chore: update go-openapi/runtime to v0.29.0 (#2670)
• chore: remove double imported mapstructure pkg (#2671)
• remove archived dependency and use stdlib slices (#2650)

Documentation

• (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

• AdamKorcz
• Bob Callaway
• Jussi Kukkonen
• Sachin Sampras M
• Tõnis Tiigi

v1.4.2

What's Changed

• build(deps): Bump google-github-actions/auth from 2.1.12 to 3.0.0 by @​dependabot[bot] in sigstore/rekor#2601
• build(deps): Bump github/codeql-action from 3.29.11 to 3.30.0 in the all group by @​dependabot[bot] in sigstore/rekor#2602
• build(deps): Bump the all group with 3 updates by @​dependabot[bot] in sigstore/rekor#2599
• optimize performance of regex operations by @​bobcallaway in sigstore/rekor#2603
• move to direct decoding instead of mapstructure by @​bobcallaway in sigstore/rekor#2598
• build(deps): Bump github.com/go-openapi/swag from 0.23.1 to 0.24.1 by @​dependabot[bot] in sigstore/rekor#2600
• build(deps): Bump golang from 1.24.6 to 1.25.0 in the all group by @​dependabot[bot] in sigstore/rekor#2587
• process type contents serially by @​bobcallaway in sigstore/rekor#2604
• use pubsub client to check IAM permissions by @​bobcallaway in sigstore/rekor#2605
• add changelog for v1.4.2 by @​bobcallaway in sigstore/rekor#2606

Full Changelog: sigstore/rekor@v1.4.1...v1.4.2

v1.4.1

... (truncated)

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

• use interruptable context to elegantly handle signals in rekor-cli (#2681)
• restapi: Don't log client errors as errors (#2680)
• pkg: separate pki types from implementations (#2668)
• e2e: don't mix e2e and regular utilities (#2672)
• pkg: remove viper config from spec definitions (#2669)
• log: remove zap & go-chi dependecy from pkg/types (#2667)
• chore: update go-openapi/runtime to v0.29.0 (#2670)
• chore: remove double imported mapstructure pkg (#2671)
• remove archived dependency and use stdlib slices (#2650)

Documentation

• (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

• AdamKorcz
• Bob Callaway
• Jussi Kukkonen
• Sachin Sampras M
• Tõnis Tiigi

v1.4.2

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

Fixes

• use pubsub client to check IAM permissions (#2605)
• process type contents serially (#2604)
• move to direct decoding instead of mapstructure (#2598)
• optimize performance of regex operations (#2603)

Contributors

• Bob Callaway

v1.4.1

... (truncated)

Commits

• See full diff in compare view

Updates github.com/sigstore/sigstore from 1.9.5 to 1.10.3

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.3

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

• Add back ValidatePubKey as a deprecated, minimal function in sigstore/sigstore#2235

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in sigstore/sigstore#2174
• set GoogleAPIClientOption on GCP KMS provider in sigstore/sigstore#2128

Refactoring

• cryptoutils: move goodkey validation to separate package in sigstore/sigstore#2194
• Stop depending on golang.org/x/crypto for sha3 in sigstore/sigstore#2209
• remove duplicative dependency for portable browser opener in sigstore/sigstore#2178
• consolidate deep Equal usage to one library in sigstore/sigstore#2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in sigstore/sigstore#2172

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in sigstore/sigstore#2174
• set GoogleAPIClientOption on GCP KMS provider in sigstore/sigstore#2128

Refactoring

• cryptoutils: move goodkey validation to separate package in sigstore/sigstore#2194
• Stop depending on golang.org/x/crypto for sha3 in sigstore/sigstore#2209
• remove duplicative dependency for portable browser opener in sigstore/sigstore#2178
• consolidate deep Equal usage to one library in sigstore/sigstore#2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in sigstore/sigstore#2172

... (truncated)

Commits

• 72f0ed7 build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2230)
• b257168 build(deps): Bump github.com/aws/aws-sdk-go-v2 in /pkg/signature/kms/aws (#2226)
• 84f57b8 build(deps): Bump github.com/sigstore/sigstore (#2221)
• bdc1a86 build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#2220)
• 11dfe81 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/aws (#2236)
• 0214948 Add back ValidatePubKey as a deprecated, minimal function (#2235)
• cc26bb8 build(deps): Bump localstack/localstack in /test/e2e in the all group (#2227)
• 63ab8d8 build(deps): Bump github.com/aws/aws-sdk-go-v2/service/kms (#2229)
• 9e629f0 build(deps): Bump the all group with 2 updates (#2219)
• 234b99d build(deps): Bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 (#2223)
• Additional commits viewable in compare view

Updates github.com/theupdateframework/go-tuf/v2 from 2.0.2 to 2.3.0

Release notes

Sourced from github.com/theupdateframework/go-tuf/v2's releases.

v2.3.0

What's Changed

• Update the config for govulncheck by @​rdimitrov in theupdateframework/go-tuf#697
• Bump Go to 1.24.9 by @​rdimitrov in theupdateframework/go-tuf#698

Full Changelog: theupdateframework/go-tuf@v2.2.0...v2.3.0

v2.2.0

What's Changed

• fix: treat http 403 as an updater error by @​MDr164 in theupdateframework/go-tuf#687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @​dependabot[bot] in theupdateframework/go-tuf#646
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @​dependabot[bot] in theupdateframework/go-tuf#690
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] in theupdateframework/go-tuf#691
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] in theupdateframework/go-tuf#692
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] in theupdateframework/go-tuf#693
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] in theupdateframework/go-tuf#694

Full Changelog: theupdateframework/go-tuf@v2.1.1...v2.2.0

v2.1.1

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @​malancas in theupdateframework/go-tuf#686

Full Changelog: theupdateframework/go-tuf@v2.1.0...v2.1.1

v2.1.0

What's Changed

• Move the repository package under examples/repository by @​rdimitrov in theupdateframework/go-tuf#656
• docs: Joshua retiring as a maintainer by @​joshuagl in theupdateframework/go-tuf#657
• fix: multirepo potential nil pointer dereference by @​MrDan4es in theupdateframework/go-tuf#658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @​dependabot in theupdateframework/go-tuf#661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in theupdateframework/go-tuf#662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot in theupdateframework/go-tuf#663
• Use the correct verifier for RSA PSS scheme keys by @​rdimitrov in theupdateframework/go-tuf#625
• updater.go: replace os.WriteFile with file.Write() by @​udf2457 in theupdateframework/go-tuf#669
• Remove readFile() and reverseSlice() in favour of stdlib by @​udf2457 in theupdateframework/go-tuf#671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @​udf2457 in theupdateframework/go-tuf#675
• Bump Go to 1.22 by @​rdimitrov in theupdateframework/go-tuf#677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in theupdateframework/go-tuf#679
• chore: make function comment match function name by @​suchsoon in theupdateframework/go-tuf#680
• Update README.md by @​trishankatdatadog in theupdateframework/go-tuf#681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @​dependabot in theupdateframework/go-tuf#683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @​malancas in theupdateframework/go-tuf#682
• Allow users to configure retry behavior in DefaultFetcher by @​malancas in theupdateframework/go-tuf#684

... (truncated)

Commits

• 3ace7ea Bump Go to 1.24.9 (#698)
• 0d67f52 Update the config for govulncheck (#697)
• 1980d8a chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#694)
• 2c9c81e chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 (#693)
• 7c6c5cf chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 (#692)
• 0dc5392 chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9....
• 93816df chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 (#690)
• 54bba83 chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7
• 2fd1bbf fix: treat http 403 as an updater error
• 7dec1ec Set a default HTTP client for DefaultFetcher in DownloadFile method if none i...
• Additional commits viewable in compare view

Updates github.com/quic-go/quic-go from 0.56.0 to 0.57.0

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

 

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in quic-go/quic-go#5426
• qlogwriter: fix storing of event schemas by @​marten-seemann in quic-go/quic-go#5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @​marten-seemann in quic-go/quic-go#5431
• http3: read response after encountering error sending the request by @​marten-seemann in quic-go/quic-go#5432
• http3: make Transport.MaxResponseBytes an int by @​marten-seemann in quic-go/quic-go#5433
• http3: add a benchmark for header parsing by @​marten-seemann in quic-go/quic-go#5435
• update qpack to v0.6.0 by @​marten-seemann in quic-go/quic-go#5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @​marten-seemann in quic-go/quic-go#5439
• add documentation for Conn.NextConnection by @​marten-seemann in quic-go/quic-go#5442
• ackhandler: don’t generate an immediate ACK for the first packet by @​marten-seemann in quic-go/quic-go#5447
• don’t arm connection timer for connection ID retirement by @​marten-seemann in quic-go/quic-go#5449
• README: add nodepass to list of projects by @​yosebyte in quic-go/quic-go#5448
• qlogwriter: use synctest to make tests deterministic by @​marten-seemann in quic-go/quic-go#5454
• http3: limit size of decompressed headers by @​marten-seemann in quic-go/quic-go#5452

New Contributors

• @​yosebyte made their first contribution in quic-go/quic-go#5448

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

Commits

• 5b2d212 http3: limit size of decompressed headers (#5452)
• e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
• d43c589 README: add nodepass to list of projects (#5448)
• ca2835d don’t arm connection timer for connection ID retirement (#5449)
• e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
• d4d168f add documentation for Conn.NextConnection (#5442)
• 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
• b7886d5 update qpack to v0.6.0 (#5434)
• 2fc9705 http3: add a benchmark for header parsing (#5435)
• dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
• Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• See full diff in compare view

Updates github.com/expr-lang/expr from 1.17.6 to 1.17.7

Release notes

Sourced from github.com/expr-lang/expr's releases.

v1.17.7

Expr is a Go-centric expression language designed to deliver dynamic configurations with unparalleled accuracy, safety, and speed.

program, err := expr.Compile(`let foo = bar(); baz(foo, foo)`)

This release brings new language features, performance improvements across runtime and compiler, better error handling, and many important bug fixes.

New Features

Support for else if expressions

• You can now chain conditional branches using else if! (#879)

Unicode escapes in the \u{XXXXXX} format

• String literals now support Unicode code point escapes such as \u{1F600}. (#882)

Byte slice support in the matches operator

The matches operator now works with []byte, improving interoperability with binary data. (#876)

Short-circuit control options

New options allow enabling or disabling short-circuiting behavior in the compiler and VM. (#847)

Option to disable if operator

A separate DisableIfOperator option is now available. (#881)

Performance Improvements

Runtime structure fetch improvements

Accessing struct fields at runtime is now faster. (#833)

VM function call optimizations

Function calls inside the VM execute more efficiently. (#832)

Type system performance boost

Large or complex type operations now run significantly faster. (#824)

Bug Fixes

• Guard negative forward jump offsets (#861).

... (truncated)

Commits

• d472286 Improve gen.go
• 713a26a Add support for Unicode escape sequences in the \u{XXXXXX} format (#882)
• 6ed72a2 Add DisableIfOperator option (#881)
• 4d38449 chore: test and build on Go 1.25 (#880)
• 087698e Add error handling for invalid if condition and test for crash with null byte
• 738da0b Remove ExampleDisableShortCircuit test function
• eb73788 Add else if support (#879)
• cf53913 Improve the performance of runtime.Fetch for structures (#833)
• e5ee6c2 Rename DisableSC to ShortCircuit for better clarity and consistency
• 1973835 feat: add disable short-circuiting option to compiler (#847)
• Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #510.