Release v1.18.2 #848

Merged
tphoney merged 22 commits into main from copybara/v1.18.2
May 26, 2026

@github-actions github-actions Bot commented May 26, 2026

Copybara Sync - Release v1.18.2

This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.

Original author: renovate[bot] (29139614+renovate[bot]@users.noreply.github.com)

What happens when this PR is merged?

  1. The tag-on-merge workflow will automatically create the v1.18.2 tag on main
  2. This tag will trigger the release workflow, which will:
    • Run tests
    • Build and publish release binaries via GoReleaser
    • Upload packages to Cloudsmith

Review Checklist

  • Changes look correct and match the expected monorepo sync
  • Tests pass (see CI checks below)

tphoney and others added 22 commits May 26, 2026 08:42
https://github.com/user-attachments/assets/ec61f4ed-d89d-47d3-a64e-39ea169456c1

## Summary

- `services/brent-backend/service/riveruiauth` — server-side OIDC code+PKCE flow with HMAC-signed session cookies (Secure / HttpOnly / SameSite=Lax)
- `/riverui/` mount in `service/server.go` behind auth middleware + `WithAnyScope("brent:write")`, browser-redirect on 401
- Fail-closed `ServerConfig.Validate()` — backend refuses to start when RIVERUI auth config is missing
- viper bindings for the four new `BRENT_BACKEND_RIVERUI_AUTH0_*` env vars
- `brent-frontend` AppNav "Job Queue" external link to `/riverui/`
- `.devcontainer/adminproxy/nginx.conf` proxies `/riverui/`; launch.json and op.local.env wire the secrets through for local dev
- ADR 0025 with OAuth2/OIDC primer and debug-only scoping
- go-oidc/v3 v3.18.0 promoted to a direct dependency
- doc-maintainer touch-ups across `docs/` and frontend READMEs

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds a new authentication flow and cookie-based session handling for
`/riverui/`, plus fail-closed startup validation; mistakes could break
access to the dashboard or cause boot failures if secrets are
missing/misconfigured.
>
> **Overview**
> Adds the embedded River dashboard at `/riverui/` to `brent-backend`,
protected by `auth.NewAuthMiddleware` accepting a new
`brent_riverui_token` cookie and requiring `brent:write`; browser
navigations that hit a 401 are now redirected to a login endpoint.
>
> Introduces `service/riveruiauth` implementing Auth0 OIDC code+PKCE
(`/riverui/brent/login`, `/callback`, `/logout`) with HMAC-signed
short-lived state cookies, nonce verification, and a fail-fast scope
check before setting the session cookie.
>
> Wires four new `BRENT_BACKEND_RIVERUI_AUTH0_*` settings through
CLI/viper/config, and makes `ServerConfig.Validate()` **fail closed**
when auth is enabled but River UI auth config is missing/invalid; adds
unit tests for the OIDC flow and the 401→302 wrapper.
>
> Updates devcontainer proxying/env wiring and docs/ADRs, and adds a
brent-frontend nav link to open `/riverui/` in a new tab; adds
`github.com/coreos/go-oidc/v3` as a direct dependency.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
06e03789d1f1e99d06331d8f9d64d8e7fd1035fa. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 3ec31cc8485d5e2dadeb6d6a595820eb9bb77c26
…ty] (#5022)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/slack-go/slack](https://redirect.github.com/slack-go/slack) | `v0.23.0` → `v0.23.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fslack-go%2fslack/v0.23.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fslack-go%2fslack/v0.23.0/v0.23.1?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### slack-go `SecretsVerifier` accepts empty signing secret without precondition

[GHSA-gxhx-2686-5h9g](https://redirect.github.com/advisories/GHSA-gxhx-2686-5h9g)

<details>
<summary>More information</summary>

#### Details
```go
func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
    hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
    // ... remainder of the function is not shown in this excerpt
}
```

#### Severity
- CVSS Score: 4.8 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U`

#### References
- [https://github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g](https://redirect.github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g)
- [https://github.com/slack-go/slack/releases/tag/v0.23.1](https://redirect.github.com/slack-go/slack/releases/tag/v0.23.1)
- [https://github.com/advisories/GHSA-gxhx-2686-5h9g](https://redirect.github.com/advisories/GHSA-gxhx-2686-5h9g)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-gxhx-2686-5h9g)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>slack-go/slack (github.com/slack-go/slack)</summary>

### [`v0.23.1`](https://redirect.github.com/slack-go/slack/releases/tag/v0.23.1)

[Compare
Source](https://redirect.github.com/slack-go/slack/compare/v0.23.0...v0.23.1)

> \[!IMPORTANT]
> Even though this is a \[security] patch release, if you were using an
empty secret, this is a breaking change due to a change in behaviour.
That's on purpose, to ensure you fix your approach so that there are no
footguns.

##### Fixed

- `NewSecretsVerifier` now rejects empty signing secrets to avoid
accepting forged request
  signatures when applications are misconfigured.

**Full Changelog**:
<slack-go/slack@v0.23.0...v0.23.1>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 249356a36e09c1f88082398f9ce81b6fd11382c9
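
The empty-secret behaviour in the advisory above, as an added example using only the Go standard library; it is not code from slack-go or from this repository. It assumes Slack's v0 signing scheme (`v0=` plus the hex HMAC-SHA256 of `v0:<timestamp>:<body>`), leaves out timestamp freshness checking, and every function name and the `EXAMPLE_SIGNING_SECRET` variable are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrEmptySecret is a hypothetical sentinel for this example.
var ErrEmptySecret = errors.New("signing secret is empty")

// Sign computes a Slack-style v0 request signature:
// "v0=" + hex(HMAC-SHA256(secret, "v0:<timestamp>:<body>")).
func Sign(secret, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":"))
	mac.Write(body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyUnchecked keys the HMAC with whatever it is given, like the excerpt
// in the advisory. With secret == "" the key is known to everyone, so the
// comparison succeeds for a signature that any sender can compute.
func VerifyUnchecked(secret, timestamp string, body []byte, got string) bool {
	return hmac.Equal([]byte(Sign(secret, timestamp, body)), []byte(got))
}

// VerifyStrict refuses to verify with an empty secret, the behaviour the
// v0.23.1 release note describes for NewSecretsVerifier.
func VerifyStrict(secret, timestamp string, body []byte, got string) (bool, error) {
	if secret == "" {
		return false, ErrEmptySecret
	}
	return VerifyUnchecked(secret, timestamp, body, got), nil
}

// LoadSigningSecret fails closed at startup when the variable is unset,
// so a misconfigured deployment never reaches request handling.
func LoadSigningSecret(getenv func(string) string, key string) (string, error) {
	s := getenv(key)
	if s == "" {
		return "", fmt.Errorf("%s: %w", key, ErrEmptySecret)
	}
	return s, nil
}

func main() {
	// Constructed sample request; not real Slack traffic.
	ts, body := "1700000000", []byte(`{"type":"event_callback"}`)
	unkeyed := Sign("", ts, body) // computed without knowing any secret

	fmt.Println("unchecked, secret unset:", VerifyUnchecked("", ts, body, unkeyed))
	_, err := VerifyStrict("", ts, body, unkeyed)
	fmt.Println("strict, secret unset:   ", err)
	ok, _ := VerifyStrict("constructed-secret", ts, body, unkeyed)
	fmt.Println("strict, secret set:     ", ok)
	_, err = LoadSigningSecret(func(string) string { return "" }, "EXAMPLE_SIGNING_SECRET")
	fmt.Println("startup check:          ", err)
}
```
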
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/a-h/templ](https://redirect.github.com/a-h/templ) | `v0.3.1001` → `v0.3.1020` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fa-h%2ftempl/v0.3.1020?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fa-h%2ftempl/v0.3.1001/v0.3.1020?slim=true) |
| [github.com/a-h/templ/cmd/templ](https://redirect.github.com/a-h/templ) | `v0.3.1001` → `v0.3.1020` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fa-h%2ftempl%2fcmd%2ftempl/v0.3.1020?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fa-h%2ftempl%2fcmd%2ftempl/v0.3.1001/v0.3.1020?slim=true) |
| [github.com/auth0/go-auth0/v2](https://redirect.github.com/auth0/go-auth0) | `v2.10.0` → `v2.11.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fauth0%2fgo-auth0%2fv2/v2.11.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fauth0%2fgo-auth0%2fv2/v2.10.0/v2.11.0?slim=true) |
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.26` → `v0.7.27` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fharness%2fharness-go-sdk/v0.7.27?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fharness%2fharness-go-sdk/v0.7.26/v0.7.27?slim=true) |
| [github.com/posthog/posthog-go](https://redirect.github.com/posthog/posthog-go) | `v1.12.4` → `v1.12.5` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fposthog%2fposthog-go/v1.12.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fposthog%2fposthog-go/v1.12.4/v1.12.5?slim=true) |
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.53.0` → `v0.54.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.53.0...refs/tags/v0.54.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fnet/v0.54.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fnet/v0.53.0/v0.54.0?slim=true) |
| [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) | [`v0.36.0` → `v0.37.0`](https://cs.opensource.google/go/x/text/+/refs/tags/v0.36.0...refs/tags/v0.37.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2ftext/v0.37.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2ftext/v0.36.0/v0.37.0?slim=true) |
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.81.0` → `v1.81.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.81.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.81.0/v1.81.1?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>a-h/templ (github.com/a-h/templ)</summary>

### [`v0.3.1020`](https://redirect.github.com/a-h/templ/releases/tag/v0.3.1020)

[Compare
Source](https://redirect.github.com/a-h/templ/compare/v0.3.1001...v0.3.1020)

##### Changelog

- [`09d6b02`](https://redirect.github.com/a-h/templ/commit/09d6b02) chore: bump version
- [`a411f13`](https://redirect.github.com/a-h/templ/commit/a411f13) chore: fix linter warning in test code
- [`524cd39`](https://redirect.github.com/a-h/templ/commit/524cd39) feat: add -check flag, closes [#1007](https://redirect.github.com/a-h/templ/issues/1007) ([#1373](https://redirect.github.com/a-h/templ/issues/1373))
- [`f3d595c`](https://redirect.github.com/a-h/templ/commit/f3d595c) feat: add Range to ExpressionAttribute nodes ([#1347](https://redirect.github.com/a-h/templ/issues/1347))
- [`82af17c`](https://redirect.github.com/a-h/templ/commit/82af17c) feat: add Range to GoCode nodes ([#1348](https://redirect.github.com/a-h/templ/issues/1348))
- [`cf98cdc`](https://redirect.github.com/a-h/templ/commit/cf98cdc) feat: add Range to StringExpression nodes ([#1349](https://redirect.github.com/a-h/templ/issues/1349))
- [`ff38cee`](https://redirect.github.com/a-h/templ/commit/ff38cee) feat: add ranges for attribute node values ([#1383](https://redirect.github.com/a-h/templ/issues/1383))
- [`552ed02`](https://redirect.github.com/a-h/templ/commit/552ed02) feat: support concurrent rendering of templ components ([#1359](https://redirect.github.com/a-h/templ/issues/1359))
- [`b310a97`](https://redirect.github.com/a-h/templ/commit/b310a97) fix(generatecmd): check `cmd.Start()` error before inserting `cmd` in to `running` map ([#1382](https://redirect.github.com/a-h/templ/issues/1382))
- [`410a80e`](https://redirect.github.com/a-h/templ/commit/410a80e) fix(lsp): delete $GOROOT hack in uri.File
- [`95a0854`](https://redirect.github.com/a-h/templ/commit/95a0854) fix: allow JSFuncCall on arbitrary HTML attributes ([#1375](https://redirect.github.com/a-h/templ/issues/1375))
- [`e581c01`](https://redirect.github.com/a-h/templ/commit/e581c01) fix: attributes containing a conditional, are always multiline ([#1380](https://redirect.github.com/a-h/templ/issues/1380))
- [`b2952ed`](https://redirect.github.com/a-h/templ/commit/b2952ed) fix: clear children context in Fragment.Render ([#1360](https://redirect.github.com/a-h/templ/issues/1360))
- [`8fecf2d`](https://redirect.github.com/a-h/templ/commit/8fecf2d) fix: prevent corrupted output in watch mode with gzip, fixes [#1365](https://redirect.github.com/a-h/templ/issues/1365) ([#1366](https://redirect.github.com/a-h/templ/issues/1366))
- [`7adcb62`](https://redirect.github.com/a-h/templ/commit/7adcb62) fix: show correct updates based on written Go files without watch ([#1363](https://redirect.github.com/a-h/templ/issues/1363))
- [`aa493e0`](https://redirect.github.com/a-h/templ/commit/aa493e0) fix: track Range for non-JavaScript ScriptExpression nodes ([#1350](https://redirect.github.com/a-h/templ/issues/1350))
- [`d52d64e`](https://redirect.github.com/a-h/templ/commit/d52d64e) fix: use dedicated shadow host in Suspense example to ensure header is rendered ([#1370](https://redirect.github.com/a-h/templ/issues/1370))
- [`83176f9`](https://redirect.github.com/a-h/templ/commit/83176f9) fix: vulnerabilities in x/net (only affects templ watch mode and tests), fixes [#1354](https://redirect.github.com/a-h/templ/issues/1354)

</details>

<details>
<summary>auth0/go-auth0 (github.com/auth0/go-auth0/v2)</summary>

### [`v2.11.0`](https://redirect.github.com/auth0/go-auth0/blob/HEAD/CHANGELOG.md#v2110-2026-05-14)

[Compare
Source](https://redirect.github.com/auth0/go-auth0/compare/v2.10.0...v2.11.0)

[Full
Changelog](https://redirect.github.com/auth0/go-auth0/compare/v2.10.0...v2.11.0)

**Added**

- feat: add passkey-related fields (`aaguid`, `credential_device_type`, `credential_backed_up`, `identity_user_id`, `user_agent`, `user_handle`, `transports`) to user authentication method types [#770](https://redirect.github.com/auth0/go-auth0/pull/770) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `CredentialDeviceTypeEnum` with `single_device` and `multi_device` values [#770](https://redirect.github.com/auth0/go-auth0/pull/770) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `allow_online_access_with_ephemeral_sessions` field to resource server types [#770](https://redirect.github.com/auth0/go-auth0/pull/770) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `audience` field to `RevokeRefreshTokensRequestContent` for audience-scoped revocation [#770](https://redirect.github.com/auth0/go-auth0/pull/770) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `LoginWithCustomTokenExchange` method for Custom Token Exchange (RFC 8693) [#766](https://redirect.github.com/auth0/go-auth0/pull/766) ([JohnRoesler](https://redirect.github.com/JohnRoesler))

**Fixed**

- fix: preserve request body in debug output for POST, PATCH, and PUT methods [#751](https://redirect.github.com/auth0/go-auth0/pull/751) ([bkiran6398](https://redirect.github.com/bkiran6398))

</details>

<details>
<summary>harness/harness-go-sdk
(github.com/harness/harness-go-sdk)</summary>

### [`v0.7.27`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.26...v0.7.27)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.26...v0.7.27)

</details>

<details>
<summary>posthog/posthog-go (github.com/posthog/posthog-go)</summary>

### [`v1.12.5`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.12.5): 1.12.5

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.12.4...v1.12.5)

##### Unreleased

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.81.1`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.81.1): Release 1.81.1

[Compare
Source](https://redirect.github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1)

### Security

- xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per [gRFC A41](https://redirect.github.com/grpc/proposal/blob/master/A41-xds-rbac.md). ([#9111](https://redirect.github.com/grpc/grpc-go/issues/9111))
- Special Thanks: [@al4an444](https://redirect.github.com/al4an444)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Primarily dependency upgrades plus regenerated `templ` output; risk is
moderate because the new `templ` generator changes how attribute values
are resolved/escaped and bumps auth-related libs (`auth0`, `grpc`) which
could affect security-sensitive request flows.
>
> **Overview**
> Updates Go dependencies in `go.mod/go.sum`, including
`github.com/a-h/templ` (and its install steps),
`github.com/auth0/go-auth0/v2`, `google.golang.org/grpc`,
`golang.org/x/*`, and others.
>
> Regenerates `services/api-server/area51/*_templ.go` with the newer
`templ` version, switching many attribute render paths from
`templ.JoinStringErrs` + `templ.EscapeString` to
`templ.ResolveAttributeValue`.
>
> Extends the `TestPosthogClient` mock to support the newer PostHog
client API by adding `EvaluateFlags`/`EvaluateFlagsFunc`.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
ff3c8c5c5173e45900fd5e68b24abec329e3b05a. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: carabasdaniel <daniel.carabas@overmind.tech>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: TP Honey <thomas.honey@overmind.tech>
GitOrigin-RevId: 3abbc8ec1953614ec5c66858d0d851537542ac3a
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.63.0` → `v1.64.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.64.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.63.0/v1.64.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.301.0` → `v1.302.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.302.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.301.0/v1.302.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2
(github.com/aws/aws-sdk-go-v2/service/cloudfront)</summary>

### [`v1.64.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-04-22)

#### General Highlights

- **Dependency Update**: Updated to the latest SDK module versions

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2/service/batch`: [v1.64.0](service/batch/CHANGELOG.md#v1640-2026-04-22)
  - **Feature**: Support of S3Files volume type, container start and stop timeouts.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcore`: [v1.22.0](service/bedrockagentcore/CHANGELOG.md#v1220-2026-04-22)
  - **Feature**: Adds support for Amazon Bedrock AgentCore Harness data plane APIs, enabling customers to invoke managed agent loops and execute commands on live agent sessions with streaming responses.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol`: [v1.31.0](service/bedrockagentcorecontrol/CHANGELOG.md#v1310-2026-04-22)
  - **Feature**: Adds support for Amazon Bedrock AgentCore Harness control plane APIs, enabling customers to create, manage, and configure managed agent loops with customizable models, tools, memory, and isolated execution environments.
- `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.299.0](service/ec2/CHANGELOG.md#v12990-2026-04-22)
  - **Feature**: Managed resource visibility settings control whether resources that AWS services provision on your behalf within your AWS account appear in your Amazon console views and API list operations.
- `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.79.0](service/ecs/CHANGELOG.md#v1790-2026-04-22)
  - **Feature**: GPU health monitoring and auto-repair for ECS Managed Instances
- `github.com/aws/aws-sdk-go-v2/service/emrserverless`: [v1.40.0](service/emrserverless/CHANGELOG.md#v1400-2026-04-22)
  - **Feature**: This release adds support for Spark connect sessions starting with release label emr-7.13.0.
- `github.com/aws/aws-sdk-go-v2/service/iotwireless`: [v1.55.0](service/iotwireless/CHANGELOG.md#v1550-2026-04-22)
  - **Feature**: Enable customers to optionally specify a desired confidence level for Cellular and WiFi position estimates. Customers can use this to trade off confidence level and radius of uncertainty based on their needs.
- `github.com/aws/aws-sdk-go-v2/service/ivs`: [v1.49.0](service/ivs/CHANGELOG.md#v1490-2026-04-22)
  - **Feature**: Adds support for Amazon IVS server-side ad insertion
- `github.com/aws/aws-sdk-go-v2/service/lambda`: [v1.90.0](service/lambda/CHANGELOG.md#v1900-2026-04-22)
  - **Feature**: Add Ruby 4.0 (ruby4.0) support to AWS Lambda.
- `github.com/aws/aws-sdk-go-v2/service/opensearch`: [v1.65.0](service/opensearch/CHANGELOG.md#v1650-2026-04-22)
  - **Feature**: Adds support for RollbackServiceSoftwareUpdate API
- `github.com/aws/aws-sdk-go-v2/service/s3`: [v1.100.0](service/s3/CHANGELOG.md#v11000-2026-04-22)
  - **Feature**: This release adds five additional checksum algorithms for S3 data integrity (MD5, SHA-512, XXHash3, XXHash64, XXHash128) and support for S3 Inventory on directory buckets (S3 Express One Zone).
- `github.com/aws/aws-sdk-go-v2/service/s3control`: [v1.70.0](service/s3control/CHANGELOG.md#v1700-2026-04-22)
  - **Feature**: This release adds support for five additional checksum algorithms for data integrity checking in Amazon S3 - MD5, SHA-512, XXHash3, XXHash64, and XXHash128.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: bb4e008a0601d438fd3700046d1553b982f383d6
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Medium risk because it changes Go module resolution via `replace`
directives (including a pseudo-version pin) and forces an upstream
dependency upgrade, which can subtly affect build/runtime behavior
despite being dependency-only.
>
> **Overview**
> **Pins and protects specific Go dependency versions.** `go.mod` now
pins `github.com/exaring/otelpgx` to a fork *pseudo-version* that
contains a required span-removal patch (with expanded comments warning
not to bump to tags), and adds a `replace` to force
`github.com/go-git/go-git/v5` to `v5.19.0` for a security fix.
>
> **Prevents Renovate from undoing the otelpgx pin.**
`.github/renovate.json` adds a rule that disables updates for
`github.com/overmindtech/otelpgx` to avoid Renovate bumping to fork tags
that lack the patch. `go.sum` is updated accordingly.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
e87399119e1e07ef5a632e0dd94a39a78f316540. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 5480197cb22c27c199abfeca5567c1e5be85110d
<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

Closes **ENG-4205** — the stdlib HTTP adapter accepted user-supplied
URLs but only blocked the IPv4 link-local range (`169.254.0.0/16`),
leaving private, loopback, carrier-grade NAT, and IPv6 private ranges
reachable. DNS resolution failures were also silently swallowed, leaving
room for DNS rebinding attacks.

## What changed

### New file: `stdlib-source/adapters/http_ssrf.go`

Extracts all SSRF validation into a dedicated file containing:

- **`ErrIPBlocked`** — sentinel error for policy rejections (supports
`errors.Is`)
- **`IPPolicy` interface** — `CheckIP(ip net.IP) error` contract for IP
validation
- **`defaultIPPolicy`** — production policy that blocks:
  - IPv4 loopback (`127.0.0.0/8`)
  - IPv4 link-local (`169.254.0.0/16`)
  - IPv4 private RFC1918 (`10/8`, `172.16/12`, `192.168/16`)
  - IPv4 carrier-grade NAT RFC6598 (`100.64.0.0/10`)
  - IPv6 loopback (`::1`)
  - IPv6 link-local (`fe80::/10`)
  - IPv6 unique-local ULA (`fc00::/7`)
  - IPv4-mapped IPv6 (`::ffff:a.b.c.d`) — unwrapped to v4 before checks
- **`allowLoopbackPolicy`** — test-only policy that wraps
`defaultIPPolicy` but permits loopback, so `httptest.NewServer` on
`127.0.0.1` still works in tests
- **`validateHost`** — resolves hostnames via an injectable
`*net.Resolver` and checks all returned IPs against the policy; DNS
failures are now returned as errors instead of silently swallowed
- **`newSecureTransport`** — builds an `*http.Transport` with a
`DialContext` hook that re-resolves DNS and enforces the IP policy at
connection time, preventing DNS rebinding. Skips blocked IPs and tries
allowed ones; preserves `lastErr` for diagnostics; respects
`context.Canceled`/`DeadlineExceeded`.

### Modified file: `stdlib-source/adapters/http.go`

- Removed the old `linkLocalRange`, `isLinkLocalIP`, and
`validateHostname` helpers
- Added `ipPolicy IPPolicy` and `resolver *net.Resolver` fields to
`HTTPAdapter` with a `policy()` helper (nil defaults to
`defaultIPPolicy`/`net.DefaultResolver`)
- Replaced the inline `http.Transport` with
`newSecureTransport(s.policy(), s.resolver)`
- Redirect validation now goes through `validateHost` with the full
blocklist and injected resolver
- Production construction in `main.go` is unchanged
(`&HTTPAdapter{cache: sharedCache}`)

### Test files

- **`http_ssrf_test.go`** — unit tests for both policies covering all
blocked CIDR families, IPv4-mapped IPv6 bypass prevention, nil IP, and
public IP allowance
- **`http_test.go`** — `newTestAdapter` helper replaces all raw adapter
literals; new end-to-end tests for private IPs, CGNAT, IPv6 loopback,
IPv6 link-local, IPv6 ULA, IPv4-mapped IPv6, and a `defaultIPPolicy`
integration test proving loopback is blocked at dial time
- **DNS rebinding regression test** — starts a stub UDP DNS server
(`newStubDNSServer`) that resolves `attacker.test` → `10.0.0.1`; injects
it via the `resolver` field on `HTTPAdapter`; asserts `Get` is blocked
with "private" in the error message

## How to verify

```bash
go test -race -v -timeout 5m ./stdlib-source/adapters/...
```

## Security impact

This is a **medium severity** fix under the Compliance Maintenance
project. The attack surface (user-supplied URLs fetched by the stdlib
HTTP adapter) is now protected at connection time against all
private/internal IP ranges enumerated in ENG-4205.
<!-- CURSOR_AGENT_PR_BODY_END -->

Linear Issue:
[ENG-4205](https://linear.app/overmind/issue/ENG-4205/close-ssrf-gaps-in-the-http-adapter)

GitOrigin-RevId: b8087fb61bffc52f28f71180f16f3eefe51f5e77
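
An added sketch of the IP policy and dial-time check that the commit message above describes, using only the Go standard library; it is not the code from `http_ssrf.go`. `ErrIPBlocked` and `CheckIP` reuse names from the message, while `SafeDialContext`, the prefix table and the sample addresses are assumptions of this example, and the table covers only the ranges the message lists.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"time"
)

// ErrIPBlocked is wrapped by every policy rejection so callers can use errors.Is.
var ErrIPBlocked = errors.New("ip blocked by policy")

// blockedRanges holds the ranges enumerated in the commit message.
var blockedRanges = []struct {
	reason string
	prefix netip.Prefix
}{
	{"loopback", netip.MustParsePrefix("127.0.0.0/8")},
	{"link-local", netip.MustParsePrefix("169.254.0.0/16")},
	{"private", netip.MustParsePrefix("10.0.0.0/8")},
	{"private", netip.MustParsePrefix("172.16.0.0/12")},
	{"private", netip.MustParsePrefix("192.168.0.0/16")},
	{"carrier-grade NAT", netip.MustParsePrefix("100.64.0.0/10")},
	{"loopback", netip.MustParsePrefix("::1/128")},
	{"link-local", netip.MustParsePrefix("fe80::/10")},
	{"private", netip.MustParsePrefix("fc00::/7")},
}

// CheckIP returns nil for an allowed address and an error wrapping
// ErrIPBlocked otherwise. A nil or malformed IP is rejected.
func CheckIP(ip net.IP) error {
	addr, ok := netip.AddrFromSlice(ip)
	if !ok {
		return fmt.Errorf("%w: nil or malformed address", ErrIPBlocked)
	}
	// Unmap turns ::ffff:a.b.c.d into a.b.c.d, so an IPv4-mapped IPv6
	// literal is judged against the IPv4 prefixes instead of slipping past.
	addr = addr.Unmap()
	for _, r := range blockedRanges {
		if r.prefix.Contains(addr) {
			return fmt.Errorf("%w: %s is %s (%s)", ErrIPBlocked, addr, r.reason, r.prefix)
		}
	}
	return nil
}

// SafeDialContext resolves the host at connection time, skips blocked IPs,
// and dials the checked IP literal, so the address that was validated is the
// address that is connected to (the DNS-rebinding concern in the message).
func SafeDialContext(resolver *net.Resolver) func(context.Context, string, string) (net.Conn, error) {
	if resolver == nil {
		resolver = net.DefaultResolver
	}
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := resolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err) // DNS failures are not swallowed
		}
		lastErr := fmt.Errorf("no addresses for %q", host)
		for _, ia := range ips {
			if err := CheckIP(ia.IP); err != nil {
				lastErr = err
				continue
			}
			conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(ia.IP.String(), port))
			if err == nil {
				return conn, nil
			}
			if ctx.Err() != nil {
				return nil, ctx.Err() // cancelled or timed out: stop trying
			}
			lastErr = err
		}
		return nil, lastErr
	}
}

func main() {
	// Constructed sample addresses.
	for _, s := range []string{"8.8.8.8", "10.0.0.1", "::ffff:127.0.0.1", "fd00::1"} {
		fmt.Printf("%-18s %v\n", s, CheckIP(net.ParseIP(s)))
	}
	client := &http.Client{Transport: &http.Transport{DialContext: SafeDialContext(nil)}}
	// Constructed URL; the dial hook refuses it before any packet is sent.
	if resp, err := client.Get("http://127.0.0.1:8080/"); err != nil {
		fmt.Println("blocked:", errors.Is(err, ErrIPBlocked), err)
	} else {
		resp.Body.Close()
	}
}
```
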
<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

The api-server-worker was holding tens of megabytes of protobuf items
and edges per change-analysis job that nothing in the api-server ever
read. Root cause: `sdpws.WaitForAllQueriesHandler` silently embedded
`StoreEverythingHandler`, so every caller inherited per-event item/edge
accumulation whether they consumed it or not. This contributed to the
OOMKills tracked on ThousandEyes-scale loads (2,026 items / 37,892 edges
per change).

Two layers of fix:

1. **Flip the naming so the safe variant is the default.** The bare
`WaitForAllQueriesHandler` now stores nothing; the old behavior moves to
`WaitForAllQueriesStoreEverythingHandler`. Storage is opt-in by name —
future callers cannot add this waste back by accident. New
`WaitForAllQueriesItemsOnlyHandler` covers the common "I need items but
not edges" case.
2. **Migrate every existing caller.** Each call site is on the variant
matching what it actually reads — verified by the compiler (the bare
type no longer has `Items`/`Edges` fields, so any missed site fails to
build).

## Caller classification

| Site | Reads | Migrated to |
| --- | --- | --- |
| `BlastRadiusProgressHandler` (affectedClient) | neither (edge count via atomic) | `WaitForAllQueriesHandler` (no-store) |
| `lookupClient` in `recursivelyQueryBlastRadius` | items only (LLM input) | `WaitForAllQueriesItemsOnlyHandler` |
| gateway `tools.go` relationship tool | items only | `WaitForAllQueriesItemsOnlyHandler` |
| `revlink.go` warmup | items + edges (the actual output) | unchanged (uses `StoreEverythingHandler` directly) |
| Tests reading items + edges | both | `WaitForAllQueriesStoreEverythingHandler` |
| Tests reading items only | items | `WaitForAllQueriesItemsOnlyHandler` |
| Tests reading neither (connection-lifecycle) | neither | bare (now safely no-store) |

`numEdges` in `runLLMBlastRadiusCalculation` now reads from the existing
`edgeCount atomic.Int32` that was already counting every edge via the
`onEdgeReceived` callback — values are equivalent.

## Estimated heap savings

Back-of-envelope from the proto struct shapes in `go/sdp-go/items.pb.go`
against the ThousandEyes vpc-cni example:

- `affectedClient` edges: 37,892 × ≈600 B ≈ **22 MB**.
- `affectedClient` items: 2,026 × ≈8 KB ≈ **16 MB**.
- `lookupClient` transient edge waste across recursion: **5–10 MB**.
- **Per-job total: ~40–50 MB.** At 4–8 concurrent jobs per worker:
**~160–400 MB** lower peak heap per `api-server-worker` against a
`GOMEMLIMIT` of 6400 MiB.

The number that decides whether OOMKills return at non-throttled presets
is peak heap — that's what the operational validation step measures.

## Testing

- ✅ `go build ./...` — clean.
- ✅ `go vet ./go/sdp-go/sdpws/... ./services/api-server/...
./services/gateway/...` — clean. (The pre-existing `cli/cmd/root.go:544`
`WithTimeout` vet warning is untouched.)
- ✅ `go test ./go/sdp-go/sdpws/... -count=1` — five new unit tests
covering all four wait variants pass: bare retains nothing, items-only
retains items, store-everything retains both, `DoneCallback` fires
exactly once on `Status.Done()==true`.
- ✅ `go test ./services/api-server/service/changeanalysis -run
'TestBlastRadiusChunkMapper_ShortCircuitsOverCap|TestBlastRadiusArgsReducer|TestRunWholeChangeHypothesisGenerator'
-count=1` — pure-unit coverage of the blast-radius pipeline passes.
- ⚠️ Integration tests requiring a live gateway
(`TestRecursivelyQueryBlastRadius*`, `TestAffectedClient*`,
`TestCalculateMappedResources`) and tests requiring Postgres
(`TestGenericRiskCalculationWorker`, `TestChangesByReferenceTool_Call`,
etc.) were not run — the cloud agent VM has neither service available.
These predate this change; the rename surfaces zero compile errors in
any of them after migration.
- ⚠️ The v6 benchmark heap evidence (`TestV6Benchmark` with
ThousandEyes-shaped fixture) was not captured — same environment
limitation. Worth running locally against
`services/api-server/service/changeanalysis/v6_benchmark_test.go` with
backend services up and `OPENAI_API_KEY` set to confirm the heap delta
empirically before merging.

The type-system layer of the validation plan is the strongest guarantee
here: the rename forces every site that touched `.Items` or `.Edges` to
declare what it actually consumes, and the build fails until they all
line up.

## Out of scope

- Gateway-side `GraphStateTracker`.
- Snapshot lifecycle.
- `StoreEverythingHandler` itself (kept as-is — its name already warns;
`revlink.go` and `services/gateway/service/e2e_test.go` are the two
legitimate consumers).
<!-- CURSOR_AGENT_PR_BODY_END -->


---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: ff074e8a02a3a805321ff3b324e542212f875925
## Summary

- Drop the `replace github.com/google/cel-go => github.com/google/cel-go
v0.22.1` in `go.mod`. The protovalidate/kubernetes incompatibility it
worked around is gone in the current dep graph.
- Bump the direct `github.com/google/cel-go` require from `v0.28.0`
(replaced down to v0.22.1, so the require line was a lie) to `v0.28.1`,
the current latest.
- Drop the matching Renovate `allowedVersions` pin so Renovate stops
reverting future bumps.

## Linear Ticket

Fixes:
[ENG-4231](https://linear.app/overmind/issue/ENG-4231/revisit-cel-go-replace-directive-and-upgrade-to-latest)
— Revisit `cel-go` replace directive and upgrade to latest

- **Purpose**: Clean up a stale `replace` directive in `go.mod` so
authors browsing CEL features stop landing on a 6-version-old API
surface. `cel-go` is now a direct dependency of
`services/brent-backend/workflows` for the `EventListener`'s `match:`
evaluator.
- **Blocks**: Not on the critical path; ticket recommends shipping
before WA8 (Dogfood Point 1) so the EventListener arrives at customers
on a current CEL.

## Changes

`go mod graph` confirms the original incompatibility is no longer
present:

```
github.com/overmindtech/workspace       github.com/google/cel-go@v0.28.0
buf.build/go/protovalidate@v1.2.0       github.com/google/cel-go@v0.28.0
k8s.io/apiserver@v0.35.0                github.com/google/cel-go@v0.26.0
k8s.io/apiextensions-apiserver@v0.35.0  github.com/google/cel-go@v0.26.0
sigs.k8s.io/controller-runtime@v0.23.3  github.com/google/cel-go@v0.26.0
```

The kubernetes side has moved from "incompatible with anything above
v0.22.1" to "happily on v0.26", and the underlying registry-isolation
bug was fixed by
[bufbuild/protovalidate-go#302](bufbuild/protovalidate-go#302)
(shipped in protovalidate v1.2.0, which we already use). MVS resolves to
v0.28.1 cleanly with the replace removed.

Only one production file uses `cel-go`:
`services/brent-backend/workflows/cel_cache.go`. The APIs it touches
(`cel.NewEnv`, `cel.Variable`, `cel.ObjectType`, `cel.{String,Dyn}Type`,
`cel.CustomTypeAdapter`, `cel.CustomTypeProvider`, `types.NewRegistry`,
`types.{Provider,Type,FieldType}`, `ref.Val`) are stable surface area
across v0.22 → v0.28.

Local checks (all clean):

- `go mod tidy`
- `go build ./...`
- `go test ./services/brent-backend/workflows/...`
- `golangci-lint run ./services/brent-backend/workflows/...`

The v0.28.0 release enables backtick identifier escaping by default
([cel-go#1295](google/cel-go#1295)). This is
additive (unescaped identifiers still work); no shipped CEL expression
uses the new syntax.

## Approved Plan

- **Plan approver**: Elliot Waddington
- **Approval ticket**:
https://linear.app/overmind/issue/ENG-4368/approve-revisit-cel-go-replace-directive-and-upgrade-to-latest

> Deviation analysis and reviewer assignment are handled automatically by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk dependency-only change: removes a `go.mod` `replace` override
for `github.com/google/cel-go` and bumps the module patch version; main
risk is subtle behavior differences in CEL parsing/type-checking at
runtime.
>
> **Overview**
> Drops the `go.mod` `replace` that forced `github.com/google/cel-go`
down to `v0.22.1`, and removes the matching Renovate `allowedVersions`
pin so dependency automation can upgrade it going forward.
>
> Updates the direct `cel-go` requirement from `v0.28.0` to `v0.28.1`
and refreshes `go.sum` accordingly (including pruning now-unused
transitive entries like `github.com/stoewer/go-strcase`).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
717669ce49a234cd44baf46ce60d02a65e26bc06. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 004bbc0301f0233ba866312fd2f15c376de8074c
…#5068)

## Summary

- `auth.ExtractAccount` previously returned `("", nil)` when the JWT
custom claim `https://api.overmind.tech/account-name` was present but
blank — an empty string is a valid SQL value and would silently file
tenant data into a "no-tenant" bucket.
- Adds a new sentinel `ErrEmptyAccountName` returned for that case;
`ErrNoClaims` continues to mean "no claims at all".
- Every existing caller either discards the error and applies its own
`== ""` guard, or already tests `err != nil || accountName == ""`. No
behaviour change for current callers; future callers inherit the
protection.

## Drive-by

`services/brent-backend/workflows/on_yaml.go` — two
`//nolint:exhaustive` directives were flagged as dead by `nolintlint` on
CI (but valid locally; cache state difference on the same golangci-lint
v2.12.2). Made both switches genuinely exhaustive on `yaml.Kind` so both
linters agree on every machine. Unblocks this PR's CI.

## Linear Ticket

Fixes: [ENG-4371](https://linear.app/overmind/issue/ENG-4371) — Reject
empty account_name custom claim in auth.ExtractAccount

- **Purpose**: Close a silent-fall-through path in the shared auth
helper where an empty `account_name` claim slipped past `err != nil`
checks and reached tenant-scoped SQL as a valid empty string.
- **Surfaced by**: Review of
[ENG-4313](https://linear.app/overmind/issue/ENG-4313) — Phase 1.2 plan
(`GetUserStatus` / `ProvisionCurrentUser`) — where both new RPCs called
`ExtractAccount` and only checked the error. Landing this on `main`
first removes the trap before Phase 1.2 ships.

## Changes

- `go/auth/middleware.go` — new sentinel `ErrEmptyAccountName`;
`ExtractAccount` returns it when the claim is present but blank. Doc
comment explains the rationale.
- `go/auth/middleware_test.go` — new `TestExtractAccount` covering
missing-claim, blank-claim, and populated-claim paths.
- `services/brent-backend/workflows/on_yaml.go` — drive-by; see above.

Caller-impact survey (every `ExtractAccount` use in the tree) confirmed
safe: handlers that discard the error and apply their own `== ""` guard
see no change; revlink span-attribute callers correctly now skip the
attribute on a malformed JWT.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches shared auth/tenant-identification logic; while the change is
small, it can turn previously-accepted empty account names into request
failures and may impact callers that assumed empty was valid.
>
> **Overview**
> Prevents silent “no-tenant” behavior by making `ExtractAccount` return
a new sentinel error (`ErrEmptyAccountName`) when the `account_name`
custom claim exists but is blank (while preserving `ErrNoClaims` for
missing claims).
>
> Adds `TestExtractAccount` to cover the no-claims, blank-claim, and
populated-claim paths, ensuring callers can distinguish missing vs
malformed tenant identity.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
8bda33cf3de63327b579a3518a74de8ac3468485. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 04411c29ab2476e347c151ec832e0d6f49aacb31
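
The fall-through that the `ExtractAccount` commit above closes, as an added Go example (not code from the repository). Only the sentinel names `ErrNoClaims` and `ErrEmptyAccountName` and the claim key come from the commit message; `customClaims`, `extractAccountOld`, `extractAccount` and `tenantStore` are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel names come from the commit message; the message strings are
// made up for this example.
var (
	ErrNoClaims         = errors.New("no claims in context")
	ErrEmptyAccountName = errors.New("account-name claim present but blank")
)

// customClaims is a hypothetical stand-in for the validated JWT custom
// claims. The JSON key is the claim named in the commit message.
type customClaims struct {
	AccountName string `json:"https://api.overmind.tech/account-name"`
}

// extractAccountOld models the pre-fix behaviour: a claim that is present
// but blank yields ("", nil), so a caller that only checks err accepts it.
func extractAccountOld(c *customClaims) (string, error) {
	if c == nil {
		return "", ErrNoClaims
	}
	return c.AccountName, nil
}

// extractAccount models the post-fix behaviour: a blank claim gets its own
// sentinel, and ErrNoClaims still means there were no claims at all.
func extractAccount(c *customClaims) (string, error) {
	if c == nil {
		return "", ErrNoClaims
	}
	if c.AccountName == "" {
		return "", ErrEmptyAccountName
	}
	return c.AccountName, nil
}

// extractor lets the same caller run against either variant.
type extractor func(*customClaims) (string, error)

// tenantStore is a constructed in-memory stand-in for tenant-scoped SQL.
// Rows are keyed by account name, and "" is an accepted key, just as an
// empty string is a valid SQL value.
type tenantStore struct {
	rows map[string][]string
}

func newTenantStore() *tenantStore {
	return &tenantStore{rows: map[string][]string{}}
}

// write is the caller pattern the commit message describes: it checks the
// error and nothing else before using the account name as the tenant key.
func (s *tenantStore) write(extract extractor, c *customClaims, record string) error {
	account, err := extract(c)
	if err != nil {
		return fmt.Errorf("write rejected: %w", err)
	}
	s.rows[account] = append(s.rows[account], record)
	return nil
}

func main() {
	// Constructed sample: the claim is present but its value is empty.
	blank := &customClaims{AccountName: ""}

	before := newTenantStore()
	fmt.Println("old extractor, err:", before.write(extractAccountOld, blank, "plan-1"))
	fmt.Println("old extractor, rows filed under the empty tenant:", len(before.rows[""]))

	after := newTenantStore()
	err := after.write(extractAccount, blank, "plan-1")
	fmt.Println("new extractor, err:", err)
	fmt.Println("new extractor, is ErrEmptyAccountName:", errors.Is(err, ErrEmptyAccountName))
	fmt.Println("new extractor, rows stored:", len(after.rows))
}
```
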
## Summary

- Adds `tools/depot-usage/` — Cobra CLI wrapping Depot's `UsageService`,
`BuildService`, and `RegistryService`. Seven subcommands (`get-usage`,
`compare`, `compare-builds`, `sample-steps`, `platform-overhead`,
`images`, `list-projects`) that produce the views Depot's dashboard
hides.
- Adds `docs/research/depot-build-analytics-research.md` with the
analytics-options inventory, the April → May findings, and reproduce
commands. Headline: the Cloudsmith-key cache-bust is real but < 2 % of
the bill; the dominant mover is Depot platform overhead (`exporting to
image` mean 8.1 → 34.9 s/build, ~14 % of the May bill).

## Linear Ticket

Fixes:
[ENG-4386](https://linear.app/overmind/issue/ENG-4386/review-depot-container-build-spend)
— review depot container build spend

- **Purpose**: track the follow-ups the investigation surfaced (Depot
support ticket, Cloudsmith secret-mount fix, GHCR image-size dive,
GitHub Actions launch-side review, Honeycomb daily-usage trigger, key
rotation).

## Changes

- `tools/depot-usage/` — new Go package under the workspace `go.mod`. 13
source files, unit tests for percentile/normalisation helpers.
- `docs/research/depot-build-analytics-research.md` — research note.
Live Cloudsmith API key values that surfaced in un-truncated
`sample-steps` output are redacted to prefix-suffix form before commit.
- `go.mod` / `go.sum` — adds cobra, viper, the depot Connect-RPC
bindings, and bumps `connectrpc.com/connect` to v1.19.2 (existing pin
guard documents that v1.19.0 was faulty; v1.19.2 is past it).

Reviewer focus areas: `cmd/sample_steps.go` (build sampling and
step-name normalisation) and `cmd/platform_overhead.go` (percentile
computation that drives the ticket-ready table). Everything else is
mechanical Connect-RPC paging.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Introduces a new Go CLI plus new third-party API bindings and updates
the CI container build export mode on non-`main` refs, which could
affect PR build verification behavior and caching if misconfigured.
>
> **Overview**
> Adds a new `tools/depot-usage` Go CLI (with tests) for pulling Depot
Usage/Build/Registry data and generating summaries/diffs across time
windows (including per-build and per-step sampling plus
platform-overhead reports).
>
> Updates `.github/workflows/ci.yml` to set BuildKit output to
`type=cacheonly` on non-`main` refs, skipping image export/assembly
during PR builds while keeping cache warm; `main` builds keep the
default image output for push/SBOM.
>
> Adds a detailed research writeup in
`docs/research/depot-build-analytics-research.md` and updates Go
dependencies (bumps `connectrpc.com/connect` to `v1.19.2` and adds Depot
buf-generated client modules).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
ecf6ecc3fa760ade1aded2a2119e017192e53343. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: David Schmitt <DavidS-ovm@users.noreply.github.com>
GitOrigin-RevId: 6fd5c5bd3f4150f56a62764813b8e4a6a9de3298
plan: a749596c-d871-45d1-a113-7f2e552f172b

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds new identity FKs and uniqueness/index constraints to
`plans`/`reviews` and updates events/protos/workflow prompts to use
principal UUIDs; mistakes could break review assignment, notifications,
or cross-tenant identity resolution. Changes are largely additive with
legacy subject fallbacks, reducing immediate rollout risk.
>
> **Overview**
> **Begins migrating Brent from Auth0-subject identity to stable
principal UUIDs.** Adds `author_principal_id` on plans and
`requested_reviewer_id`/`actual_reviewer_id` (plus reserved
delegation/auth-strength columns) on reviews via a new migration, with
concurrent indexes and a new partial-unique constraint keyed on
`(plan_id, actual_reviewer_id)`.
>
> Updates workflow markdown prompts (Slack + Linear mirroring + PR
review) and `.cursor/team-members.md` to resolve/display people by
**Brent Principal ID** (with explicit fallbacks to legacy `*_subject`
for historical rows), and introduces a reproducible
`seed_team_principals.sh` to pin/seed principals, identities, and
verified bindings.
>
> Extends the Brent protobuf surface (`brent.proto` + generated Go/TS)
and event payloads to carry principal IDs alongside legacy subjects, and
adds `auth.ResolvePrincipalID` (with tests) to standardize
subject→principal resolution; integration tests are adjusted to seed
principals before creating plans.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
29f89eb6d0c2a377550d3477b442ce3b16ae4bdd. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 66a81693d176384c129d4bb447d536154fc84df8
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.3` → `v1.39.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.39.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.39.3/v1.39.4?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.302.0` → `v1.303.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.303.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.302.0/v1.303.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ecs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.79.1` → `v1.80.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.80.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.79.1/v1.80.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.51.1` → `v1.52.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.52.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.51.1/v1.52.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2
(github.com/aws/aws-sdk-go-v2/service/apigateway)</summary>

### [`v1.39.4`](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.39.3...v1.39.4)

[Compare
Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.39.3...v1.39.4)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 671fff792802adcc8fc9c00a65a9bf2e6f0644fe
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/nats-io/nats-server/v2](https://redirect.github.com/nats-io/nats-server) | `v2.14.0` → `v2.14.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fnats-io%2fnats-server%2fv2/v2.14.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fnats-io%2fnats-server%2fv2/v2.14.0/v2.14.1?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>nats-io/nats-server
(github.com/nats-io/nats-server/v2)</summary>

### [`v2.14.1`](https://redirect.github.com/nats-io/nats-server/releases/tag/v2.14.1)

[Compare
Source](https://redirect.github.com/nats-io/nats-server/compare/v2.14.0...v2.14.1)

#### Changelog

Refer to the [2.14 Upgrade
Guide](https://docs.nats.io/release-notes/whats_new/whats_new_214) for
backwards compatibility notes with 2.12.x. Please note that the 2.13.x
version was skipped.

##### Go Version

- 1.26.3
([#8107](https://redirect.github.com/nats-io/nats-server/issues/8107))

##### Dependencies

- github.com/klauspost/compress v1.18.6
([#8124](https://redirect.github.com/nats-io/nats-server/issues/8124))
- golang.org/x/crypto v0.51.0
([#8124](https://redirect.github.com/nats-io/nats-server/issues/8124))
- golang.org/x/sys v0.44.0
([#8124](https://redirect.github.com/nats-io/nats-server/issues/8124))

##### Added

General

- New metrics `in_client_msgs`, `in_client_bytes`, `out_client_msgs` and
`out_client_bytes` are now available via the `/varz` monitoring endpoint
for tracking data to/from normal clients only
([#7851](https://redirect.github.com/nats-io/nats-server/issues/7851))

##### Improved

General

- Client TLS certificates without subject DNs but with DNS subject
alternate names are now permitted
([#8100](https://redirect.github.com/nats-io/nats-server/issues/8100))
- The log level of TLS handshake timeout or non-TLS record errors have
been demoted to debug level to reduce noise
([#8096](https://redirect.github.com/nats-io/nats-server/issues/8096))

JetStream

- Num pending is now only calculated on consumer leaders, avoiding
unnecessary CPU usage on followers
([#8172](https://redirect.github.com/nats-io/nats-server/issues/8172))
- Snapshot and catchup loops no longer leak timers
([#8186](https://redirect.github.com/nats-io/nats-server/issues/8186),
thanks to [@SebTardif](https://redirect.github.com/SebTardif))
- Stream and consumer assignment errors are now surfaced
([#8208](https://redirect.github.com/nats-io/nats-server/issues/8208))
- Intersection of sublists and subject trees can now be cancelled early,
avoiding high CPU usage in some pathological cases
([#8209](https://redirect.github.com/nats-io/nats-server/issues/8209))

##### Fixed

General

- Cluster route compression now obeys the cluster `max_pings_out` option
if configured
([#8093](https://redirect.github.com/nats-io/nats-server/issues/8093))
- The internal send loop no longer mutates caller headers, which could
corrupt buffers
([#8097](https://redirect.github.com/nats-io/nats-server/issues/8097))
- Removing headers no longer fails to remove later headers if the
matching prefix also appeared in an earlier header value
([#8103](https://redirect.github.com/nats-io/nats-server/issues/8103))
- The sublist now correctly maintains negative results in the cache when
calculating number of interested subjects
([#8119](https://redirect.github.com/nats-io/nats-server/issues/8119))
- Server shutdown requests are now idempotent, preventing concurrency
issues when shutting down in embedded contexts
([#8163](https://redirect.github.com/nats-io/nats-server/issues/8163))
- TLS listeners now work correctly with the PROXY protocol where enabled
([#8130](https://redirect.github.com/nats-io/nats-server/issues/8130))
- Reduced lock contention that could be created between leafnodes and
clients
([#8139](https://redirect.github.com/nats-io/nats-server/issues/8139),
[#8159](https://redirect.github.com/nats-io/nats-server/issues/8159))
- Fixed a panic that could happen when an error occurs when walking JWT
directory resolver folders
([#8173](https://redirect.github.com/nats-io/nats-server/issues/8173),
thanks to [@SebTardif](https://redirect.github.com/SebTardif))
- In-process connections will no longer unexpectedly revert to TLS
required with async `INFO`
([#8205](https://redirect.github.com/nats-io/nats-server/issues/8205))

Leafnodes

- Leafnode connections will no longer negotiate compression if they are
configured over already-compressed WebSockets
([#7969](https://redirect.github.com/nats-io/nats-server/issues/7969))

JetStream

- Fast batch now correctly parses the batch sequence as a uint64
([#8094](https://redirect.github.com/nats-io/nats-server/issues/8094))
- Atomic batch no longer double-pools committed entries on cleanup
([#8098](https://redirect.github.com/nats-io/nats-server/issues/8098))
- Raft nodes will now ignore temporary snapshots on recovery after a
crash
([#8101](https://redirect.github.com/nats-io/nats-server/issues/8101))
- A number of paths that could leave consumer redelivered in a drifted
state have been fixed, e.g. with workqueue or interest-based streams
with `max_deliver`, on single message removal or after
purges/compactions
([#8102](https://redirect.github.com/nats-io/nats-server/issues/8102))
- Caches are now cleared correctly when converting filestore encryption
mode, avoiding block-level corruption
([#8105](https://redirect.github.com/nats-io/nats-server/issues/8105),
[#8166](https://redirect.github.com/nats-io/nats-server/issues/8166))
- Fixed a race condition when updating the deduplication map on leader
change
([#8106](https://redirect.github.com/nats-io/nats-server/issues/8106))
- Source consumer creation will no longer schedule a recreation if a
setup is already in progress, avoiding potential setup storms
([#8111](https://redirect.github.com/nats-io/nats-server/issues/8111))
- Fixed data races when reading from the stream configuration when
checking reservations, answering some API requests amongst others
([#8115](https://redirect.github.com/nats-io/nats-server/issues/8115))
- Stream republish subjects are now validated correctly
([#8127](https://redirect.github.com/nats-io/nats-server/issues/8127))
- The delivery policy for consumers on clustered workqueue streams is
now enforced correctly
([#8126](https://redirect.github.com/nats-io/nats-server/issues/8126))
- The `Nats-Schedule-Next: purge` action now correctly checks if the
target is a schedule
([#8135](https://redirect.github.com/nats-io/nats-server/issues/8135))
- Raft node append entry caches are now invalidated correctly on WAL
truncation and snapshot installs
([#8149](https://redirect.github.com/nats-io/nats-server/issues/8149))
- Skip message errors are now surfaced correctly, propagating failures
([#8152](https://redirect.github.com/nats-io/nats-server/issues/8152))
- Mirror consumers are now retried immediately on a last sequence
mismatch, avoiding stalling for longer than necessary
([#8152](https://redirect.github.com/nats-io/nats-server/issues/8152))
- Raft nodes will no longer allow proposals to remove unknown peers
([#8154](https://redirect.github.com/nats-io/nats-server/issues/8154))
- Pending state no longer leaks when reaching max deliveries
([#8156](https://redirect.github.com/nats-io/nats-server/issues/8156))
- A panic when reusing a wait group when resetting a stream's clustered
state has been fixed
([#8158](https://redirect.github.com/nats-io/nats-server/issues/8158))
- Correctly reset local meta log when extending the meta group to a
parent domain
([#8142](https://redirect.github.com/nats-io/nats-server/issues/8142))
- Consumer file stores will now correctly flush when deleting a single
redelivery, avoiding unexpected further redeliveries
([#8168](https://redirect.github.com/nats-io/nats-server/issues/8168))
- Storage reservations for un-tiered streams have been made consistent
between creates/updates and clustered/non-clustered modes
([#8170](https://redirect.github.com/nats-io/nats-server/issues/8170))
- Raft will now correctly cancel an in-flight checkpoint operation when
resetting
([#8180](https://redirect.github.com/nats-io/nats-server/issues/8180),
[#8202](https://redirect.github.com/nats-io/nats-server/issues/8202))
- The `JetStreamMaxMemory` and `JetStreamMaxStore` options are now
handled correctly in embedded mode
([#8184](https://redirect.github.com/nats-io/nats-server/issues/8184))
- A number of fields that were aliasing underlying filestore block
caches have been fixed
([#8187](https://redirect.github.com/nats-io/nats-server/issues/8187))
- Consumers with `inactive_threshold` should no longer have their local
state deleted unexpectedly when the proposal to the metalayer to clean
up the consumer fails
([#8198](https://redirect.github.com/nats-io/nats-server/issues/8198))
- Metalayer state is now preserved in a number of cases where it was
incorrectly being removed on shutdown
([#8199](https://redirect.github.com/nats-io/nats-server/issues/8199))

MQTT

- Invalid characters in subjects are now rejected correctly, avoiding
protocol issues when forwarded to other connection types
([#8104](https://redirect.github.com/nats-io/nats-server/issues/8104),
[#8112](https://redirect.github.com/nats-io/nats-server/issues/8112))

##### Complete Changes

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: cebf20b4ca0624c3d653463eeecc1cd54089238c
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update |
|---|---|---|---|---|---|
| [cloud.google.com/go/compute](https://redirect.github.com/googleapis/google-cloud-go) | `v1.62.0` → `v1.63.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fcompute/v1.63.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fcompute/v1.62.0/v1.63.0?slim=true) | require | minor |
| [cloud.google.com/go/container](https://redirect.github.com/googleapis/google-cloud-go) | `v1.51.0` → `v1.52.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fcontainer/v1.52.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fcontainer/v1.51.0/v1.52.0?slim=true) | require | minor |
| [cloud.google.com/go/dataproc/v2](https://redirect.github.com/googleapis/google-cloud-go) | `v2.21.0` → `v2.22.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fdataproc%2fv2/v2.22.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fdataproc%2fv2/v2.21.0/v2.22.0?slim=true) | require | minor |
| [cloud.google.com/go/storage](https://redirect.github.com/googleapis/google-cloud-go) | `v1.62.1` → `v1.62.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fstorage/v1.62.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fstorage/v1.62.1/v1.62.2?slim=true) | require | patch |
| [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.278.0` → `v0.280.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fapi/v0.280.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fapi/v0.278.0/v0.280.0?slim=true) | require | minor |
| [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | `60b97b3` → `aa98bba` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgenproto%2fgoogleapis%2frpc/v0.0.0-20260519071638-aa98bba5eb94?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgenproto%2fgoogleapis%2frpc/v0.0.0-20260504160031-60b97b32f348/v0.0.0-20260519071638-aa98bba5eb94?slim=true) | require | digest |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>googleapis/google-api-go-client
(google.golang.org/api)</summary>

###
[`v0.280.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.280.0)

[Compare
Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.279.0...v0.280.0)

##### Features

- **all:** Auto-regenerate discovery clients
([#3591](https://redirect.github.com/googleapis/google-api-go-client/issues/3591))
([55ba2fa](https://redirect.github.com/googleapis/google-api-go-client/commit/55ba2fab69ee14286ad052f57ed90a726b071e86))
- **all:** Auto-regenerate discovery clients
([#3593](https://redirect.github.com/googleapis/google-api-go-client/issues/3593))
([054d4b6](https://redirect.github.com/googleapis/google-api-go-client/commit/054d4b6054450d2be21f50fad64145a4e0125424))
- **all:** Auto-regenerate discovery clients
([#3594](https://redirect.github.com/googleapis/google-api-go-client/issues/3594))
([0382916](https://redirect.github.com/googleapis/google-api-go-client/commit/03829161b8cd77bf11f4a3a5d07a43f6b1904fbe))
- **all:** Auto-regenerate discovery clients
([#3595](https://redirect.github.com/googleapis/google-api-go-client/issues/3595))
([13e1ad2](https://redirect.github.com/googleapis/google-api-go-client/commit/13e1ad2eeb540d19709df87ce9a0cfdb632f1bf3))
- **all:** Auto-regenerate discovery clients
([#3596](https://redirect.github.com/googleapis/google-api-go-client/issues/3596))
([4c77865](https://redirect.github.com/googleapis/google-api-go-client/commit/4c77865748dda2086de226e9401531c934cd909f))
- **all:** Auto-regenerate discovery clients
([#3598](https://redirect.github.com/googleapis/google-api-go-client/issues/3598))
([ae2f330](https://redirect.github.com/googleapis/google-api-go-client/commit/ae2f33001826f523ecc6d2f141244e55fbac45c0))
- **all:** Auto-regenerate discovery clients
([#3599](https://redirect.github.com/googleapis/google-api-go-client/issues/3599))
([f82d204](https://redirect.github.com/googleapis/google-api-go-client/commit/f82d2049187ed2ab7ee27831a1a78887c5969ca4))

###
[`v0.279.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.279.0)

[Compare
Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.278.0...v0.279.0)

##### Features

- **all:** Auto-regenerate discovery clients
([#3585](https://redirect.github.com/googleapis/google-api-go-client/issues/3585))
([09db0e3](https://redirect.github.com/googleapis/google-api-go-client/commit/09db0e346a6b567747dceee3872229a62c95124c))
- **all:** Auto-regenerate discovery clients
([#3587](https://redirect.github.com/googleapis/google-api-go-client/issues/3587))
([e87e376](https://redirect.github.com/googleapis/google-api-go-client/commit/e87e376dbd590cffb3632c378e1ade4a9dacf3ce))
- **all:** Auto-regenerate discovery clients
([#3590](https://redirect.github.com/googleapis/google-api-go-client/issues/3590))
([d4241ea](https://redirect.github.com/googleapis/google-api-go-client/commit/d4241eaef9ab3daad4fd4aaeccc118795cfc58a7))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 4f7322b17999367d3c041abb12c7370b0b81c53f
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.4` → `v1.40.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.40.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.39.4/v1.40.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.83.0` → `v1.84.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.84.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.83.0/v1.84.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/networkmanager](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.10` → `v1.42.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.42.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.41.10/v1.42.0?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/sesv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.4` → `v1.60.5` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.60.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.60.4/v1.60.5?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2
(github.com/aws/aws-sdk-go-v2/service/apigateway)</summary>

###
[`v1.40.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2025-11-192)

[Compare
Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.39.4...v1.40.0)

#### General Highlights

- **Dependency Update**: Updated to the latest SDK module versions

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2`: v1.40.0
- **Feature**: Add support for AWS Login credentials (package
credentials/logincreds) to the default credential chain.
- `github.com/aws/aws-sdk-go-v2/config`:
[v1.32.0](config/CHANGELOG.md#v1320-2025-11-192)
- **Feature**: Add support for AWS Login credentials (package
credentials/logincreds) to the default credential chain.
- `github.com/aws/aws-sdk-go-v2/credentials`:
[v1.19.0](credentials/CHANGELOG.md#v1190-2025-11-192)
- **Feature**: Add support for AWS Login credentials (package
credentials/logincreds) to the default credential chain.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 0b3dae651fab44e475bd1e427d5a7a27382fd322
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| buf.build/gen/go/depot/api/connectrpc/go | `v1.19.2-20260430091712-6fbfdf526256.1` → `v1.20.0-20260430091712-6fbfdf526256.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/buf.build%2fgen%2fgo%2fdepot%2fapi%2fconnectrpc%2fgo/v1.20.0-20260430091712-6fbfdf526256.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/buf.build%2fgen%2fgo%2fdepot%2fapi%2fconnectrpc%2fgo/v1.19.2-20260430091712-6fbfdf526256.1/v1.20.0-20260430091712-6fbfdf526256.1?slim=true) |
| [github.com/auth0/go-jwt-middleware/v3](https://redirect.github.com/auth0/go-jwt-middleware) | `v3.1.0` → `v3.2.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fauth0%2fgo-jwt-middleware%2fv3/v3.2.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fauth0%2fgo-jwt-middleware%2fv3/v3.1.0/v3.2.0?slim=true) |
| [github.com/brianvoe/gofakeit/v7](https://redirect.github.com/brianvoe/gofakeit) | `v7.14.1` → `v7.15.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fbrianvoe%2fgofakeit%2fv7/v7.15.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fbrianvoe%2fgofakeit%2fv7/v7.14.1/v7.15.0?slim=true) |
| [github.com/exaring/otelpgx](https://redirect.github.com/exaring/otelpgx) | `v0.10.0` → `v0.11.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fexaring%2fotelpgx/v0.11.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fexaring%2fotelpgx/v0.10.0/v0.11.1?slim=true) |
| [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.19.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.19.0/v5.19.1?slim=true) |
| [github.com/kaptinlin/jsonrepair](https://redirect.github.com/kaptinlin/jsonrepair) | `v0.4.3` → `v0.4.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fkaptinlin%2fjsonrepair/v0.4.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fkaptinlin%2fjsonrepair/v0.4.3/v0.4.4?slim=true) |
| [github.com/neo4j/neo4j-go-driver/v6](https://redirect.github.com/neo4j/neo4j-go-driver) | `v6.0.0` → `v6.1.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fneo4j%2fneo4j-go-driver%2fv6/v6.1.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fneo4j%2fneo4j-go-driver%2fv6/v6.0.0/v6.1.0?slim=true) |
| [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.35.0` → `v3.37.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fopenai%2fopenai-go%2fv3/v3.37.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fopenai%2fopenai-go%2fv3/v3.35.0/v3.37.0?slim=true) |
| [github.com/posthog/posthog-go](https://redirect.github.com/posthog/posthog-go) | `v1.12.5` → `v1.12.6` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fposthog%2fposthog-go/v1.12.6?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fposthog%2fposthog-go/v1.12.5/v1.12.6?slim=true) |
| riverqueue.com/riverui | `v0.15.0` → `v0.16.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/riverqueue.com%2friverui/v0.16.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/riverqueue.com%2friverui/v0.15.0/v0.16.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>auth0/go-jwt-middleware
(github.com/auth0/go-jwt-middleware/v3)</summary>

###
[`v3.2.0`](https://redirect.github.com/auth0/go-jwt-middleware/blob/HEAD/CHANGELOG.md#v320-2026-05-15)

[Compare
Source](https://redirect.github.com/auth0/go-jwt-middleware/compare/v3.1.0...v3.2.0)

[Full
Changelog](https://redirect.github.com/auth0/go-jwt-middleware/compare/v3.1.0...v3.2.0)

**Added**

- feat(validator): add WithRegisteredClaimsValidator option
[#394](https://redirect.github.com/auth0/go-jwt-middleware/pull/394)
([developerkunal](https://redirect.github.com/developerkunal))
- feat: Add native gRPC integration support
[#377](https://redirect.github.com/auth0/go-jwt-middleware/pull/377)
([developerkunal](https://redirect.github.com/developerkunal))

</details>

<details>
<summary>brianvoe/gofakeit (github.com/brianvoe/gofakeit/v7)</summary>

###
[`v7.15.0`](https://redirect.github.com/brianvoe/gofakeit/compare/v7.14.1...v7.15.0)

[Compare
Source](https://redirect.github.com/brianvoe/gofakeit/compare/v7.14.1...v7.15.0)

</details>

<details>
<summary>exaring/otelpgx (github.com/exaring/otelpgx)</summary>

###
[`v0.11.1`](https://redirect.github.com/exaring/otelpgx/releases/tag/v0.11.1)

[Compare
Source](https://redirect.github.com/exaring/otelpgx/compare/v0.11.0...v0.11.1)

#### What's Changed

- fix: Tracer.logConnectionDetails defaults to true by
[@trygve-baerland](https://redirect.github.com/trygve-baerland)
in [#80](https://redirect.github.com/exaring/otelpgx/pull/80)

#### New Contributors

- [@trygve-baerland](https://redirect.github.com/trygve-baerland)
made their first contribution in
[#80](https://redirect.github.com/exaring/otelpgx/pull/80)

**Full Changelog**:
<exaring/otelpgx@v0.11.0...v0.11.1>

###
[`v0.11.0`](https://redirect.github.com/exaring/otelpgx/releases/tag/v0.11.0)

[Compare
Source](https://redirect.github.com/exaring/otelpgx/compare/v0.10.0...v0.11.0)

#### What's Changed

- chore(deps): upgrade Go version to 1.25 + use latest stable otel
semconv by
[@ValentinLvr](https://redirect.github.com/ValentinLvr) in
[#74](https://redirect.github.com/exaring/otelpgx/pull/74)
- feat: add option to disable the AcquireTracer by
[@joshua-tianci](https://redirect.github.com/joshua-tianci) in
[#73](https://redirect.github.com/exaring/otelpgx/pull/73)
- fix(stats): allow WithStatsAttributes to override library defaults by
[@obitech](https://redirect.github.com/obitech) in
[#78](https://redirect.github.com/exaring/otelpgx/pull/78)
- chore: spring cleaning — Go matrix, pgx, testify, golangci-lint by
[@obitech](https://redirect.github.com/obitech) in
[#79](https://redirect.github.com/exaring/otelpgx/pull/79)

#### New Contributors

- [@ValentinLvr](https://redirect.github.com/ValentinLvr) made
their first contribution in
[#74](https://redirect.github.com/exaring/otelpgx/pull/74)
- [@joshua-tianci](https://redirect.github.com/joshua-tianci)
made their first contribution in
[#73](https://redirect.github.com/exaring/otelpgx/pull/73)

**Full Changelog**:
<exaring/otelpgx@v0.10.0...v0.11.0>

</details>

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

###
[`v5.19.1`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.1)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.19.0...v5.19.1)

#### What's Changed

- v5: plumbing: transport/ssh, Shell-quote path by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2068](https://redirect.github.com/go-git/go-git/pull/2068)
- v5: git: submodule, Fix relative URL resolution by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2070](https://redirect.github.com/go-git/go-git/pull/2070)
- v5: git: submodule, canonical remote for relative URLs by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2074](https://redirect.github.com/go-git/go-git/pull/2074)
- v5: git: submodule, error on remote without URLs by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2078](https://redirect.github.com/go-git/go-git/pull/2078)
- v5: plumbing: format/idxfile, Validate offset64 indices by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2084](https://redirect.github.com/go-git/go-git/pull/2084)
- v5: \*: Reject malformed variable-length integers by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2092](https://redirect.github.com/go-git/go-git/pull/2092)
- v5: plumbing: format/packfile, Tighten delta validation by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2091](https://redirect.github.com/go-git/go-git/pull/2091)
- v5: Add `worktreeFilesystem` wrapper for worktree and hardening by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2100](https://redirect.github.com/go-git/go-git/pull/2100)
- v5: config: validate submodule names by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2082](https://redirect.github.com/go-git/go-git/pull/2082)
- build: Update module github.com/go-git/go-git/v5 to v5.19.0
\[SECURITY] (releases/v5.x) by
[@go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in [#2111](https://redirect.github.com/go-git/go-git/pull/2111)
- v5: git: Allow MkdirAll on worktree-root paths by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2117](https://redirect.github.com/go-git/go-git/pull/2117)
- v5: git: Stop validating symlink target paths by
[@pjbgf](https://redirect.github.com/pjbgf) in
[#2116](https://redirect.github.com/go-git/go-git/pull/2116)
- v5: plumbing: format decoder input bounds and contracts by
[@hiddeco](https://redirect.github.com/hiddeco) in
[#2125](https://redirect.github.com/go-git/go-git/pull/2125)
- plumbing: format/packfile, cap delta chain depth in parser by
[@pjbgf](https://redirect.github.com/pjbgf) in
[#2137](https://redirect.github.com/go-git/go-git/pull/2137)

**Full Changelog**:
<go-git/go-git@v5.19.0...v5.19.1>

</details>

<details>
<summary>kaptinlin/jsonrepair
(github.com/kaptinlin/jsonrepair)</summary>

###
[`v0.4.4`](https://redirect.github.com/kaptinlin/jsonrepair/releases/tag/v0.4.4)

[Compare
Source](https://redirect.github.com/kaptinlin/jsonrepair/compare/v0.4.3...v0.4.4)

#### What's Changed

##### Changed

- Streamlined NDJSON comma repair.
- Simplified JSON string escape handling.
- Updated dependencies and shared skills.
- Expanded repair edge case test coverage.

</details>

<details>
<summary>neo4j/neo4j-go-driver
(github.com/neo4j/neo4j-go-driver/v6)</summary>

###
[`v6.1.0`](https://redirect.github.com/neo4j/neo4j-go-driver/releases/tag/v6.1.0)

[Compare
Source](https://redirect.github.com/neo4j/neo4j-go-driver/compare/v6.0.0...v6.1.0)

See <https://github.com/neo4j/neo4j-go-driver/wiki/6.x-changelog> for
more information.

</details>

<details>
<summary>openai/openai-go (github.com/openai/openai-go/v3)</summary>

###
[`v3.37.0`](https://redirect.github.com/openai/openai-go/blob/HEAD/CHANGELOG.md#3370-2026-05-21)

[Compare
Source](https://redirect.github.com/openai/openai-go/compare/v3.36.0...v3.37.0)

Full Changelog:
[v3.36.0...v3.37.0](https://redirect.github.com/openai/openai-go/compare/v3.36.0...v3.37.0)

##### Features

- **api:** api update
([7f7416e](https://redirect.github.com/openai/openai-go/commit/7f7416ea4f6953a2861189dee6391515c3b995a9))
- **api:** manual updates
([d646562](https://redirect.github.com/openai/openai-go/commit/d6465620413df87d971e7e37ae74bef4c70076b1))
- **api:** update OpenAPI spec or Stainless config
([b34b78a](https://redirect.github.com/openai/openai-go/commit/b34b78a83433003a6168fffd175cc963ad719495))
- **client:** optimize json encoder for internal types
([93adc6e](https://redirect.github.com/openai/openai-go/commit/93adc6e6247e8ce830152c3df0980a3154aa098a))

##### Bug Fixes

- **go:** format generated admin paths
([1dd8f5e](https://redirect.github.com/openai/openai-go/commit/1dd8f5ec0adeeefef6a56068b5532ba5e3b3290e))
- **go:** format generated project permission paths
([b751c37](https://redirect.github.com/openai/openai-go/commit/b751c37ce2d6348545d75451dfc253dd7dda0f4f))

##### Chores

- **api:** docs updates
([08bc80e](https://redirect.github.com/openai/openai-go/commit/08bc80ea58a19ba0725942c1f3afbcfb043851a0))

###
[`v3.36.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.36.0)

[Compare
Source](https://redirect.github.com/openai/openai-go/compare/v3.35.0...v3.36.0)

#### 3.36.0 (2026-05-13)

Full Changelog:
[v3.35.0...v3.36.0](https://redirect.github.com/openai/openai-go/compare/v3.35.0...v3.36.0)

##### Features

- **api:** add service\_tier parameter to response compact method
([bacd2c0](https://redirect.github.com/openai/openai-go/commit/bacd2c0bcf980e8d424d67446fb4d9c4ea897d24))

##### Bug Fixes

- **go:** avoid panic when http.DefaultTransport is wrapped
([95a0250](https://redirect.github.com/openai/openai-go/commit/95a0250a9c770674f8deacb3a3fc1175e6808967))

</details>

<details>
<summary>posthog/posthog-go (github.com/posthog/posthog-go)</summary>

###
[`v1.12.6`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.12.6):
1.12.6

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.12.5...v1.12.6)

#### Unreleased

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 9aa9930960b23afc235869dc0940c0c9eae1ad63
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/onsi/ginkgo/v2](https://redirect.github.com/onsi/ginkgo) | `v2.28.3` → `v2.29.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fonsi%2fginkgo%2fv2/v2.29.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fonsi%2fginkgo%2fv2/v2.28.3/v2.29.0?slim=true) |
| [github.com/onsi/gomega](https://redirect.github.com/onsi/gomega) | `v1.40.0` → `v1.41.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fonsi%2fgomega/v1.41.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fonsi%2fgomega/v1.40.0/v1.41.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>onsi/ginkgo (github.com/onsi/ginkgo/v2)</summary>

###
[`v2.29.0`](https://redirect.github.com/onsi/ginkgo/releases/tag/v2.29.0)

[Compare
Source](https://redirect.github.com/onsi/ginkgo/compare/v2.28.3...v2.29.0)

#### 2.29.0

`GinkgoHelperGo` makes it easier to write test helpers that need to run
in goroutines. Specifically, it makes managing the failure state and
capturing failure panics correctly straightforward.

`ginkgo outline` now includes entries defined in `DescribeTableSubtree`

</details>

<details>
<summary>onsi/gomega (github.com/onsi/gomega)</summary>

###
[`v1.41.0`](https://redirect.github.com/onsi/gomega/compare/v1.40.0...v1.41.0)

[Compare
Source](https://redirect.github.com/onsi/gomega/compare/v1.40.0...v1.41.0)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: c8d65252b195a9dac1668fa36286f9acc0d9597d
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.27` → `v0.7.28` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fharness%2fharness-go-sdk/v0.7.28?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fharness%2fharness-go-sdk/v0.7.27/v0.7.28?slim=true) |
| [github.com/resend/resend-go/v3](https://redirect.github.com/resend/resend-go) | `v3.6.0` → `v3.7.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fresend%2fresend-go%2fv3/v3.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fresend%2fresend-go%2fv3/v3.6.0/v3.7.0?slim=true) |
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.54.0` → `v0.55.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.54.0...refs/tags/v0.55.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fnet/v0.55.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fnet/v0.54.0/v0.55.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>harness/harness-go-sdk
(github.com/harness/harness-go-sdk)</summary>

###
[`v0.7.28`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.27...v0.7.28)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.27...v0.7.28)

</details>

<details>
<summary>resend/resend-go (github.com/resend/resend-go/v3)</summary>

###
[`v3.7.0`](https://redirect.github.com/resend/resend-go/releases/tag/v3.7.0)

[Compare
Source](https://redirect.github.com/resend/resend-go/compare/v3.6.0...v3.7.0)

#### What's Changed

- chore: gh actions hardening by
[@felipefreitag](https://redirect.github.com/felipefreitag) in
[#114](https://redirect.github.com/resend/resend-go/pull/114)
- feat(domains): add Capabilities to CreateDomainRequest by
[@ryanhill4L](https://redirect.github.com/ryanhill4L) in
[#115](https://redirect.github.com/resend/resend-go/pull/115)
- feat(domains): add capabilities to Domain and CreateDomainResponse
structs by [@drish](https://redirect.github.com/drish) in
[#117](https://redirect.github.com/resend/resend-go/pull/117)

#### New Contributors

- [@felipefreitag](https://redirect.github.com/felipefreitag)
made their first contribution in
[#114](https://redirect.github.com/resend/resend-go/pull/114)
- [@ryanhill4L](https://redirect.github.com/ryanhill4L) made
their first contribution in
[#115](https://redirect.github.com/resend/resend-go/pull/115)

**Full Changelog**:
<resend/resend-go@v3.6.0...v3.7.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: a3929c481f6a2dfd94dc6230c3d3911f9cd4c1bc
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/riverqueue/river](https://redirect.github.com/riverqueue/river) | `v0.35.1` → `v0.37.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver/v0.37.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver/v0.35.1/v0.37.1?slim=true) |
| [github.com/riverqueue/river/riverdriver/riverpgxv5](https://redirect.github.com/riverqueue/river) | `v0.35.1` → `v0.37.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver%2friverdriver%2friverpgxv5/v0.37.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver%2friverdriver%2friverpgxv5/v0.35.1/v0.37.1?slim=true) |
| [github.com/riverqueue/river/rivertype](https://redirect.github.com/riverqueue/river) | `v0.35.1` → `v0.37.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver%2frivertype/v0.37.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver%2frivertype/v0.35.1/v0.37.1?slim=true) |
| [github.com/riverqueue/rivercontrib/otelriver](https://redirect.github.com/riverqueue/rivercontrib) | `v0.7.0` → `v0.8.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2frivercontrib%2fotelriver/v0.8.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2frivercontrib%2fotelriver/v0.7.0/v0.8.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

## ⚠️ Warning

These modules contain database migrations that need to be added manually
to our atlas migrations. Check the contents of
https://github.com/riverqueue/river/tree/master/rivermigrate/migration
before merging this update.

---

### Release Notes

<details>
<summary>riverqueue/river (github.com/riverqueue/river)</summary>

###
[`v0.37.1`](https://redirect.github.com/riverqueue/river/releases/tag/v0.37.1)

[Compare
Source](https://redirect.github.com/riverqueue/river/compare/v0.37.0...v0.37.1)

##### Fixed

- Wrap `PeriodicJobEnqueuer.insertBatch` database calls in a 30-second
timeout. Previously, a stalled pgx `Begin`/`Insert`/`Commit` could hang
the periodic enqueuer indefinitely, halting all periodic job insertion
until the process was restarted or leader re-elected. [PR
#1251](https://redirect.github.com/riverqueue/river/pull/1251)

###
[`v0.37.0`](https://redirect.github.com/riverqueue/river/releases/tag/v0.37.0)

[Compare
Source](https://redirect.github.com/riverqueue/river/compare/v0.36.0...v0.37.0)

##### Added

- Added "resumable jobs" that can be broken down into multiple steps and
with a step persisted after it finishes that lets them skip work that's
already been done. This is particularly useful for long running jobs
that may experience a cancellation (like in the event of a deploy)
during the span of their run. [PR
#1226](https://redirect.github.com/riverqueue/river/pull/1226).

###
[`v0.36.0`](https://redirect.github.com/riverqueue/river/releases/tag/v0.36.0)

[Compare
Source](https://redirect.github.com/riverqueue/river/compare/v0.35.1...v0.36.0)

##### Added

- Add `QueueBundle.Remove` to remove an already added queue/producer.
[PR
#1235](https://redirect.github.com/riverqueue/river/pull/1235)
and [PR
#1240](https://redirect.github.com/riverqueue/river/pull/1240).

##### Fixed

- Fix unsafe concurrent producer map access in client. [PR
#1236](https://redirect.github.com/riverqueue/river/pull/1236).
- Mark schema replacements as `Stable` in sqlc templates, preventing
query SQL from having to be reallocated over and over again. [PR
#1242](https://redirect.github.com/riverqueue/river/pull/1242).
- Fix bug in `sqltemplate` cached path in order in which named args are
passed to a query (previously, the order was unstable). [PR
#1243](https://redirect.github.com/riverqueue/river/pull/1243).

</details>

<details>
<summary>riverqueue/rivercontrib
(github.com/riverqueue/rivercontrib/otelriver)</summary>

###
[`v0.8.0`](https://redirect.github.com/riverqueue/rivercontrib/releases/tag/v0.8.0)

[Compare
Source](https://redirect.github.com/riverqueue/rivercontrib/compare/v0.7.0...v0.8.0)

##### Added

- Augment `otelriver` middleware to cleanly handle errors returned in
batch results from River Pro's batch jobs feature. [PR
#54](https://redirect.github.com/riverqueue/rivercontrib/pull/54).

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).


GitOrigin-RevId: 2085d02fb65ce68529e09bbaf50d3589c0703b62
…5178)

## Summary

- Delete `.cursor/team-members.md` and the one-off
`seed_team_principals.sh` script now that `principal_bindings` is
canonical in Brent.
- Migrate Cursor commands and subagents to resolve approvers via Brent
MCP (`list_principals_by_kind`, `get_bindings`,
`reviewer_principal_id`).
- Drop the retired path from `get_policy_file`, remove the transitional
CI guard, and update docs to past tense.

## Linear Ticket

Fixes:
[ENG-4317](https://linear.app/overmind/issue/ENG-4317/phase-15b-retire-cursorteam-membersmd-and-migrate-downstream-consumers)
— Phase 1.5b — retire `.cursor/team-members.md` and migrate downstream
consumers

- **Purpose**: Close the Friends milestone identity workstream by
retiring the hand-maintained team directory and moving IDE-side
consumers to Brent MCP, after ENG-4316 proved runtime cutover in
production.

## Changes

Review focus: `.cursor/agents/` and `.cursor/commands/` migration to
Brent MCP; `github_policy_file_tool.go` allowlist shrink; deletion of
seed/guard scripts; doc rewrites in `docs/plans/` and
friends-using-brent playbook.

## Brent Plan

- **Plan**: [Retire team-members.md and migrate downstream
consumers](https://brent-dev.overmind-demo.com/open/plans/510973d1-4b09-476a-a209-c9d8ac246e08?prompt=Use+the+Brent+MCP+server+to+call+get_plan+with+id+%22510973d1-4b09-476a-a209-c9d8ac246e08%22%2C+then+help+me+review+or+continue+from+that+plan.&target=cursor)
- **Approved by**: James Lane

> Deviation analysis and reviewer assignment are handled automatically by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it removes the legacy `.cursor/team-members.md`
directory and updates multiple Cursor command/subagent workflows to
resolve reviewers via Brent principal/binding MCP calls, which could
break approval/reviewer assignment if bindings are missing or name
matching is ambiguous.
>
> **Overview**
> Retires the hand-maintained Cursor team roster by deleting
`.cursor/team-members.md`, removing the `seed_team_principals.sh`
seeding script, and dropping the transitional CI guard that prevented
workflows from referencing the file.
>
> Updates Cursor agents/commands used for plan submission, PR
creation/update, `/next`, and approval flows to resolve humans via Brent
MCP (`list_principals_by_kind`) and map to GitHub/Linear via
`get_bindings`, switching review requests to use `reviewer_principal_id`
and adding explicit *not found/ambiguous* error handling.
>
> Documentation is updated to reflect the new principal/binding-based
directory as the source of truth, including playbooks and automation
docs that previously referenced the retired roster.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
333f178f7fdc0558eea0b66744b593ea514b11be. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: d0d2add90992df1051bb11ccf841a978233a9fc0
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [k8s.io/api](https://redirect.github.com/kubernetes/api) | `v0.35.4` → `v0.36.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/k8s.io%2fapi/v0.36.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/k8s.io%2fapi/v0.35.4/v0.36.1?slim=true) |
| [k8s.io/apimachinery](https://redirect.github.com/kubernetes/apimachinery) | `v0.35.4` → `v0.36.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/k8s.io%2fapimachinery/v0.36.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/k8s.io%2fapimachinery/v0.35.4/v0.36.1?slim=true) |
| [k8s.io/client-go](https://redirect.github.com/kubernetes/client-go) | `v0.35.4` → `v0.36.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/k8s.io%2fclient-go/v0.36.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/k8s.io%2fclient-go/v0.35.4/v0.36.1?slim=true) |
| [k8s.io/component-base](https://redirect.github.com/kubernetes/component-base) | `v0.35.4` → `v0.36.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/k8s.io%2fcomponent-base/v0.36.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/k8s.io%2fcomponent-base/v0.35.4/v0.36.1?slim=true) |
| [sigs.k8s.io/controller-runtime](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.23.3` → `v0.24.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2fcontroller-runtime/v0.24.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2fcontroller-runtime/v0.23.3/v0.24.1?slim=true) |
| [sigs.k8s.io/controller-runtime/tools/setup-envtest](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.0.0-20260405152528-6210f847b2c1` → `v0.24.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2fcontroller-runtime%2ftools%2fsetup-envtest/v0.24.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2fcontroller-runtime%2ftools%2fsetup-envtest/v0.0.0-20260405152528-6210f847b2c1/v0.24.1?slim=true) |
| [sigs.k8s.io/controller-tools/cmd/controller-gen](https://redirect.github.com/kubernetes-sigs/controller-tools) | `v0.20.1` → `v0.21.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2fcontroller-tools%2fcmd%2fcontroller-gen/v0.21.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2fcontroller-tools%2fcmd%2fcontroller-gen/v0.20.1/v0.21.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>kubernetes/api (k8s.io/api)</summary>

###
[`v0.36.1`](https://redirect.github.com/kubernetes/api/compare/v0.36.0...v0.36.1)

[Compare
Source](https://redirect.github.com/kubernetes/api/compare/v0.36.0...v0.36.1)

###
[`v0.36.0`](https://redirect.github.com/kubernetes/api/compare/v0.35.4...v0.36.0)

[Compare
Source](https://redirect.github.com/kubernetes/api/compare/v0.35.5...v0.36.0)

###
[`v0.35.5`](https://redirect.github.com/kubernetes/api/compare/v0.35.4...v0.35.5)

[Compare
Source](https://redirect.github.com/kubernetes/api/compare/v0.35.4...v0.35.5)

</details>

<details>
<summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary>

###
[`v0.36.1`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.36.0...v0.36.1)

[Compare
Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.36.0...v0.36.1)

###
[`v0.36.0`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.4...v0.36.0)

[Compare
Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.5...v0.36.0)

###
[`v0.35.5`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.4...v0.35.5)

[Compare
Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.4...v0.35.5)

</details>

<details>
<summary>kubernetes/client-go (k8s.io/client-go)</summary>

###
[`v0.36.1`](https://redirect.github.com/kubernetes/client-go/compare/v0.36.0...v0.36.1)

[Compare
Source](https://redirect.github.com/kubernetes/client-go/compare/v0.36.0...v0.36.1)

###
[`v0.36.0`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.4...v0.36.0)

[Compare
Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.5...v0.36.0)

###
[`v0.35.5`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.4...v0.35.5)

[Compare
Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.4...v0.35.5)

</details>

<details>
<summary>kubernetes/component-base (k8s.io/component-base)</summary>

###
[`v0.36.1`](https://redirect.github.com/kubernetes/component-base/compare/v0.36.0...v0.36.1)

[Compare
Source](https://redirect.github.com/kubernetes/component-base/compare/v0.36.0...v0.36.1)

###
[`v0.36.0`](https://redirect.github.com/kubernetes/component-base/compare/v0.35.4...v0.36.0)

[Compare
Source](https://redirect.github.com/kubernetes/component-base/compare/v0.35.5...v0.36.0)

###
[`v0.35.5`](https://redirect.github.com/kubernetes/component-base/compare/v0.35.4...v0.35.5)

[Compare
Source](https://redirect.github.com/kubernetes/component-base/compare/v0.35.4...v0.35.5)

</details>

<details>
<summary>kubernetes-sigs/controller-runtime
(sigs.k8s.io/controller-runtime)</summary>

###
[`v0.24.1`](https://redirect.github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.24.1)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/controller-runtime/compare/v0.24.0...v0.24.1)

#### What's Changed

- \[release-0.24] 🐛 Fix regression in Apply typed error handling by
[@k8s-infra-cherrypick-robot](https://redirect.github.com/k8s-infra-cherrypick-robot)
in
[#3516](https://redirect.github.com/kubernetes-sigs/controller-runtime/pull/3516)

**Full Changelog**:
<kubernetes-sigs/controller-runtime@v0.24.0...v0.24.1>

###
[`v0.24.0`](https://redirect.github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.24.0)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/controller-runtime/compare/v0.23.3...v0.24.0)

##### ⚠️ Breaking Changes

- Dependencies: Update to k8s.io/\* v1.36
([#3506](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3506)
[#3462](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3462)
[#3486](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3486)
[#3450](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3450))

##### 🐛 Bug Fixes

- Cache: Fix IndexField blocking until informer is synced
([#3445](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3445))
- Cache: Wait for cache sync when ReaderFailOnMissingInformer is true
([#3425](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3425))
- Client: Update typed ApplyConfigurations with server response
([#3475](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3475))
- Fakeclient: Fix SSA status patch resource version check
([#3443](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3443))
- Fakeclient: Fix panic when using CRs with embedded pointer structs
([#3431](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3431))
- Fakeclient: Fix status apply if existing object has managedFields set
([#3430](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3430))
- Fakeclient: Retry GenerateName on AlreadyExists collisions
([#3498](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3498))
- HTTP servers: Wire up base context into http servers
([#3452](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3452))

##### 🌱 Others

- Builder/Webhooks: Remove deprecated custom path function
([#3465](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3465))
- Cache: Test cache reader waits for cache sync
([#3434](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3434))
- Certwatcher: Deflake certwatcher tests
([#3457](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3457))
- Dependencies: Use forked version of btree
([#3449](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3449))
- Envtest: Ensure envtest stops the whole process group
([#3447](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3447))
- Logging: Add missing space in zap-log-level flag description
([#3492](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3492))
- Misc: Adopt new(x) over ptr.To(x) and re-enable newexpr lint
([#3489](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3489))
- Owners: Cleanup
([#3453](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3453))
- Recorder: Add logger into context for structured logging
([#3454](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3454))
- Recorder: Switch to `StartLogging` for event debug logs
([#3451](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3451))
- Scheme: Deprecate the scheme builder
([#3461](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3461))
- Source/Kind: Improve logging for dynamic type kind source
([#3494](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3494))
- Webhooks: Reduce memory usage of default webhooks
([#3463](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3463)
[#3468](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3468))

##### 🌱 CI & linters

- Chore: Update golangci-lint version to v2.8.0
([#3448](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3448))
- Chore: Update golangci-lint version to v2.10.1
([#3470](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3470))
- Chore: Update golangci-lint version to v2.11.3
([#3482](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3482))
- Migrate away from custom GitHub action approval workflow
([#3491](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3491))
- Release: Auto-create git tags for the `tools/setup-envtest` submodule
([#3476](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3476))

:book: Additionally, there has been 1 contribution to our documentation.
([#3477](https://redirect.github.com/kubernetes-sigs/controller-runtime/issues/3477))

##### Dependencies

##### Added

- github.com/cenkalti/backoff/v5:
[v5.0.3](https://redirect.github.com/cenkalti/backoff/tree/v5.0.3)
- gonum.org/v1/gonum: v0.16.0
- k8s.io/streaming: v0.36.0

##### Changed

- cel.dev/expr: v0.24.0 → v0.25.1
- cloud.google.com/go/compute/metadata: v0.6.0 → v0.9.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp:
[v1.26.0 →
v1.30.0](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/detectors/gcp/v1.26.0...detectors/gcp/v1.30.0)
- github.com/alecthomas/units: [b94a6e3 →
0f3dac3](https://redirect.github.com/alecthomas/units/compare/b94a6e3...0f3dac3)
- github.com/cncf/xds/go: [2f00578 →
ee656c7](https://redirect.github.com/cncf/xds/compare/2f00578...ee656c7)
- github.com/coreos/go-oidc: [v2.3.0+incompatible →
v2.5.0+incompatible](https://redirect.github.com/coreos/go-oidc/compare/v2.3.0...v2.5.0)
- github.com/coreos/go-systemd/v22: [v22.5.0 →
v22.7.0](https://redirect.github.com/coreos/go-systemd/compare/v22.5.0...v22.7.0)
- github.com/davecgh/go-spew: [v1.1.1 →
d8f796a](https://redirect.github.com/davecgh/go-spew/compare/v1.1.1...d8f796a)
- github.com/emicklei/go-restful/v3: [v3.12.2 →
v3.13.0](https://redirect.github.com/emicklei/go-restful/compare/v3.12.2...v3.13.0)
- github.com/envoyproxy/go-control-plane/envoy: [v1.32.4 →
v1.36.0](https://redirect.github.com/envoyproxy/go-control-plane/compare/envoy/v1.32.4...envoy/v1.36.0)
- github.com/envoyproxy/go-control-plane: [v0.13.4 →
v0.14.0](https://redirect.github.com/envoyproxy/go-control-plane/compare/v0.13.4...v0.14.0)
- github.com/envoyproxy/protoc-gen-validate: [v1.2.1 →
v1.3.0](https://redirect.github.com/envoyproxy/protoc-gen-validate/compare/v1.2.1...v1.3.0)
- github.com/go-jose/go-jose/v4: [v4.0.4 →
v4.1.3](https://redirect.github.com/go-jose/go-jose/compare/v4.0.4...v4.1.3)
- github.com/golang-jwt/jwt/v5: [v5.2.2 →
v5.3.0](https://redirect.github.com/golang-jwt/jwt/compare/v5.2.2...v5.3.0)
- github.com/golang/glog: [v1.2.4 →
v1.2.5](https://redirect.github.com/golang/glog/compare/v1.2.4...v1.2.5)
- github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus:
[v1.0.1 →
v1.1.0](https://redirect.github.com/grpc-ecosystem/go-grpc-middleware/compare/providers/prometheus/v1.0.1...providers/prometheus/v1.1.0)
- github.com/grpc-ecosystem/go-grpc-middleware/v2: [v2.3.0 →
v2.3.3](https://redirect.github.com/grpc-ecosystem/go-grpc-middleware/compare/v2.3.0...v2.3.3)
- github.com/grpc-ecosystem/grpc-gateway/v2: [v2.26.3 →
v2.27.7](https://redirect.github.com/grpc-ecosystem/grpc-gateway/compare/v2.26.3...v2.27.7)
- github.com/moby/spdystream: [v0.5.0 →
v0.5.1](https://redirect.github.com/moby/spdystream/compare/v0.5.0...v0.5.1)
- github.com/onsi/ginkgo/v2: [v2.27.2 →
v2.27.4](https://redirect.github.com/onsi/ginkgo/compare/v2.27.2...v2.27.4)
- github.com/onsi/gomega: [v1.38.2 →
v1.39.0](https://redirect.github.com/onsi/gomega/compare/v1.38.2...v1.39.0)
- github.com/pmezard/go-difflib: [v1.0.0 →
5d4384e](https://redirect.github.com/pmezard/go-difflib/compare/v1.0.0...5d4384e)
- github.com/prometheus/common: [v0.66.1 →
v0.67.5](https://redirect.github.com/prometheus/common/compare/v0.66.1...v0.67.5)
- github.com/prometheus/procfs: [v0.16.1 →
v0.19.2](https://redirect.github.com/prometheus/procfs/compare/v0.16.1...v0.19.2)
- github.com/spf13/cobra: [v1.10.0 →
v1.10.2](https://redirect.github.com/spf13/cobra/compare/v1.10.0...v1.10.2)
- github.com/spiffe/go-spiffe/v2: [v2.5.0 →
v2.6.0](https://redirect.github.com/spiffe/go-spiffe/compare/v2.5.0...v2.6.0)
- go.etcd.io/etcd/api/v3: v3.6.5 → v3.6.8
- go.etcd.io/etcd/client/pkg/v3: v3.6.5 → v3.6.8
- go.etcd.io/etcd/client/v3: v3.6.5 → v3.6.8
- go.etcd.io/etcd/pkg/v3: v3.6.5 → v3.6.8
- go.etcd.io/etcd/server/v3: v3.6.5 → v3.6.8
- go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
- go.opentelemetry.io/contrib/detectors/gcp: v1.34.0 → v1.39.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc:
v0.60.0 → v0.65.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.61.0
→ v0.65.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc:
v1.34.0 → v1.40.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.34.0 → v1.40.0
- go.opentelemetry.io/otel/metric: v1.36.0 → v1.41.0
- go.opentelemetry.io/otel/sdk/metric: v1.36.0 → v1.40.0
- go.opentelemetry.io/otel/sdk: v1.36.0 → v1.40.0
- go.opentelemetry.io/otel/trace: v1.36.0 → v1.41.0
- go.opentelemetry.io/otel: v1.36.0 → v1.41.0
- go.opentelemetry.io/proto/otlp: v1.5.0 → v1.9.0
- go.uber.org/zap: v1.27.0 → v1.27.1
- golang.org/x/crypto: v0.45.0 → v0.47.0
- golang.org/x/exp:
[`8a7402a`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/8a7402a)
→
[`944ab1f`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/944ab1f)
- golang.org/x/mod: v0.29.0 → v0.32.0
- golang.org/x/net: v0.47.0 → v0.49.0
- golang.org/x/oauth2: v0.30.0 → v0.34.0
- golang.org/x/sync: v0.18.0 → v0.19.0
- golang.org/x/sys: v0.38.0 → v0.40.0
- golang.org/x/telemetry:
[`078029d`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/078029d)
→
[`bd525da`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/bd525da)
- golang.org/x/term: v0.37.0 → v0.39.0
- golang.org/x/text: v0.31.0 → v0.33.0
- golang.org/x/time: v0.9.0 → v0.14.0
- golang.org/x/tools/go/expect: v0.1.0-deprecated → v0.1.1-deprecated
- golang.org/x/tools: v0.38.0 → v0.41.0
- google.golang.org/genproto/googleapis/api:
[`a0af3ef`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/a0af3ef)
→
[`8636f87`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/8636f87)
- google.golang.org/genproto/googleapis/rpc:
[`200df99`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/200df99)
→
[`8636f87`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/8636f87)
- google.golang.org/grpc: v1.72.2 → v1.79.3
- google.golang.org/protobuf: v1.36.8 →
[`f2248ac`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/f2248ac)
- k8s.io/api: v0.35.0 → v0.36.0
- k8s.io/apiextensions-apiserver: v0.35.0 → v0.36.0
- k8s.io/apimachinery: v0.35.0 → v0.36.0
- k8s.io/apiserver: v0.35.0 → v0.36.0
- k8s.io/client-go: v0.35.0 → v0.36.0
- k8s.io/code-generator: v0.35.0 → v0.36.0
- k8s.io/component-base: v0.35.0 → v0.36.0
- k8s.io/klog/v2: v2.130.1 → v2.140.0
- k8s.io/kms: v0.35.0 → v0.36.0
- k8s.io/kube-openapi:
[`589584f`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/589584f)
→
[`43fb72c`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/43fb72c)
- k8s.io/utils:
[`bc988d5`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/bc988d5)
→
[`b8788ab`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/b8788ab)
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.31.2 →
v0.34.0
- sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

##### Removed

- github.com/cenkalti/backoff/v4:
[v4.3.0](https://redirect.github.com/cenkalti/backoff/tree/v4.3.0)
- github.com/gregjones/httpcache:
[901d907](https://redirect.github.com/gregjones/httpcache/tree/901d907)
- github.com/grpc-ecosystem/go-grpc-prometheus:
[v1.2.0](https://redirect.github.com/grpc-ecosystem/go-grpc-prometheus/tree/v1.2.0)
- github.com/zeebo/errs:
[v1.4.0](https://redirect.github.com/zeebo/errs/tree/v1.4.0)
- golang.org/x/xerrors:
[`9bdfabe`](https://redirect.github.com/kubernetes-sigs/controller-runtime/commit/9bdfabe)

*Thanks to all our contributors!* 😊

</details>

<details>
<summary>kubernetes-sigs/controller-tools
(sigs.k8s.io/controller-tools/cmd/controller-gen)</summary>

###
[`v0.21.0`](https://redirect.github.com/kubernetes-sigs/controller-tools/releases/tag/v0.21.0)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/controller-tools/compare/v0.20.1...v0.21.0)

#### What's Changed

- ⚠️ Bump to k8s.io/\* v1.36 by
[@sbueringer](https://redirect.github.com/sbueringer) in
[#1407](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1407)
- ⚠️ Upgrade Go version to 1.26.0 by
[@camilamacedo86](https://redirect.github.com/camilamacedo86) in
[#1402](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1402)
- ✨ Add `kubebuilder:externalDoc` marker by
[@pedjak](https://redirect.github.com/pedjak) in
[#1335](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1335)
- ✨ Add optional roleName parameter to RBAC marker by
[@AlirezaPourchali](https://redirect.github.com/AlirezaPourchali)
in
[#1334](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1334)
- ✨ Add support for external ApplyConfiguration mappings by
[@andrew-farries](https://redirect.github.com/andrew-farries) in
[#1327](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1327)
- ✨ Add support for k8s:enum markers by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1352](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1352)
- ✨ Add support for k8s:immutable by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1354](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1354)
- ✨ ApplyConfigurations: Generate extract functions by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1346](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1346)
- ✨ Preserve Enum validation for IntOrString type in CRD generation by
[@dongjiang1989](https://redirect.github.com/dongjiang1989) in
[#1370](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1370)
- ✨ Support nested pointer to type-aliased slices by
[@dongjiang1989](https://redirect.github.com/dongjiang1989) in
[#1331](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1331)
- 🌱 Handle any/interface{} type in CRD generator with clear error by
[@Fedosin](https://redirect.github.com/Fedosin) in
[#1362](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1362)
- 🐛 Fix applyconfiguration generator for cluster-scoped resources by
[@joelanford](https://redirect.github.com/joelanford) in
[#1347](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1347)

#### Misc

- 📖 docs: Add examples to all marker types. by
[@camilamacedo86](https://redirect.github.com/camilamacedo86) in
[#1340](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1340)
- 🌱 Fix and test webhook testdata compilation by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1345](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1345)
- 🌱 Fix go generate validation by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1348](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1348)
- 🌱 Migrate away from custom GitHub action approval workflow by
[@karimzakzouk](https://redirect.github.com/karimzakzouk) in
[#1372](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1372)
- ✨ Migrate to new envtest location and newer Kubernetes version by
[@sbueringer](https://redirect.github.com/sbueringer) in
[#1337](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1337)
- 🌱 Test the test CRD can actually be applied by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1351](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1351)
- 🌱 Validate tidyness of all go modules by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1349](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1349)
- 🌱 Validate we use the same k8s.io/\* version in all modules by
[@alvaroaleman](https://redirect.github.com/alvaroaleman) in
[#1353](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1353)

#### envtest

- ✨ Release envtest v1.36.0 by
[@erikgb](https://redirect.github.com/erikgb) in
[#1393](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1393)
- 🌱 Promotion of envtest release for Kubernetes v1.36.0 by
[@sbueringer](https://redirect.github.com/sbueringer) in
[#1400](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1400)

#### Dependency bumps

- 🌱 Bump EndBug/add-and-commit from 9.1.4 to 10.0.0 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1369](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1369)
- 🌱 Bump actions/setup-go from 6.1.0 to 6.2.0 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1326](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1326)
- 🌱 Bump actions/setup-go from 6.2.0 to 6.3.0 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1356](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1356)
- 🌱 Bump github.com/fatih/color from 1.18.0 to 1.19.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1368](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1368)
- 🌱 Bump github.com/onsi/gomega from 1.38.3 to 1.39.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1322](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1322)
- 🌱 Bump github.com/onsi/gomega from 1.39.0 to 1.39.1 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1330](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1330)
- 🌱 Bump github.com/onsi/gomega from 1.39.1 to 1.40.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1405](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1405)
- 🌱 Bump golang.org/x/tools from 0.40.0 to 0.41.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1325](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1325)
- 🌱 Bump golang.org/x/tools from 0.41.0 to 0.42.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1342](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1342)
- 🌱 Bump golang.org/x/tools from 0.42.0 to 0.43.0 in the
all-go-mod-patch-and-minor group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1364](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1364)
- 🌱 Bump golang.org/x/tools from 0.43.0 to 0.44.0 in the
all-go-mod-patch-and-minor group across 1 directory by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1377](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1377)
- 🌱 Bump golangci-lint to v2.8.0 by
[@dongjiang1989](https://redirect.github.com/dongjiang1989) in
[#1332](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1332)
- 🌱 Bump golangci-lint to v2.10.1 by
[@dongjiang1989](https://redirect.github.com/dongjiang1989) in
[#1358](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1358)
- 🌱 Bump golangci-lint to v2.11.3 by
[@dongjiang1989](https://redirect.github.com/dongjiang1989) in
[#1367](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1367)
- 🌱 Bump softprops/action-gh-release from 2.5.0 to 2.6.1 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1365](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1365)
- 🌱 Bump the all-github-actions group across 1 directory with 4
updates by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1383](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1383)
- 🌱 Bump the all-github-actions group with 2 updates by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1328](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1328)
- 🌱 Bump tj-actions/changed-files from 47.0.1 to 47.0.2 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1343](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1343)
- 🌱 Bump tj-actions/changed-files from 47.0.2 to 47.0.4 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1355](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1355)
- 🌱 Bump tj-actions/changed-files from 47.0.4 to 47.0.5 in the
all-github-actions group by
[@dependabot](https://redirect.github.com/dependabot)\[bot] in
[#1361](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1361)

#### New Contributors

- [@AlirezaPourchali](https://redirect.github.com/AlirezaPourchali)
made their first contribution in
[#1334](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1334)
- [@andrew-farries](https://redirect.github.com/andrew-farries)
made their first contribution in
[#1327](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1327)
- [@pedjak](https://redirect.github.com/pedjak) made their first
contribution in
[#1335](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1335)
- [@camilamacedo86](https://redirect.github.com/camilamacedo86)
made their first contribution in
[#1340](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1340)
- [@Fedosin](https://redirect.github.com/Fedosin) made their
first contribution in
[#1362](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1362)
- [@karimzakzouk](https://redirect.github.com/karimzakzouk) made
their first contribution in
[#1372](https://redirect.github.com/kubernetes-sigs/controller-tools/pull/1372)

**Full Changelog**:
<kubernetes-sigs/controller-tools@v0.20.0...v0.21.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Elliot Waddington <getinnocuous@users.noreply.github.com>
GitOrigin-RevId: bd5f821d43a8b755b79039e4e5fcb6eeff37af13
@tphoney tphoney merged commit c924a04 into main May 26, 2026
@tphoney tphoney deleted the copybara/v1.18.2 branch May 26, 2026 08:56