Skip to content

fix(deps): bump the all group with 5 updates#1101

Merged
Soner (shyim) merged 1 commit into
mainfrom
dependabot/go_modules/all-4f880fef85
Jun 16, 2026
Merged

fix(deps): bump the all group with 5 updates#1101
Soner (shyim) merged 1 commit into
mainfrom
dependabot/go_modules/all-4f880fef85

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 5 updates:

Package From To
charm.land/lipgloss/v2 2.0.3 2.0.4
github.com/evanw/esbuild 0.28.0 0.28.1
golang.org/x/image 0.41.0 0.42.0
golang.org/x/text 0.37.0 0.38.0
golang.org/x/net 0.55.0 0.56.0

Updates charm.land/lipgloss/v2 from 2.0.3 to 2.0.4

Release notes

Sourced from charm.land/lipgloss/v2's releases.

v2.0.4

Mini Crash Patch

Hi! This is a small patch to fix a writer-related panic. Thanks for using Lip Gloss!

Changelog

Fixed

Docs

Chore


Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

Commits
  • b00306c fix: prevent crash when writing to a closed wrap writer
  • 40ec0e6 docs: fix typo in table comment (#641)
  • e3b78a2 chore(deps): bump golang.org/x/sys in the all group (#691)
  • 758dd87 chore(deps): bump golang.org/x/sys in the all group (#674)
  • aa91b99 chore: remove CODEOWNERS
  • 9cbfe8b chore(lint): exclude revive naming linter
  • a4d0b40 docs: restore missing diaereses (#664)
  • See full diff in compare view

Updates github.com/evanw/esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from github.com/evanw/esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Changelog

Sourced from github.com/evanw/esbuild's changelog.

0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Commits

Updates golang.org/x/image from 0.41.0 to 0.42.0

Commits
  • 3fd0b07 go.mod: update golang.org/x dependencies
  • 28d2559 webp: avoid canvas overflow on 32-bit systems
  • bd05eea image: add security considerations to README
  • See full diff in compare view

Updates golang.org/x/text from 0.37.0 to 0.38.0

Commits

Updates golang.org/x/net from 0.55.0 to 0.56.0

Commits
  • 9e7fdbf internal/http3: fix wrong argument being given when validating header value
  • b686e5f internal/http3: add gzip support to transport
  • 8a34885 go.mod: update golang.org/x dependencies
  • 72eaf98 dns/dnsmessage: correctly validate SVCB record parameter order
  • 82e7868 dns/dnsmessage: avoid panic when parsing SVCB record with truncated data
  • b64f1fa internal/http3: add server support for "Trailer:" magic prefix
  • 2707ee2 internal/http3: implement HTTP/3 clientConn methods
  • 31358cc internal/http3: snapshot response headers at WriteHeader time
  • 8ecbaa9 html: don't adjust xml:base
  • 8ae811a html: properly handle end script tag in fragment mode
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [charm.land/lipgloss/v2](https://github.com/charmbracelet/lipgloss) | `2.0.3` | `2.0.4` |
| [github.com/evanw/esbuild](https://github.com/evanw/esbuild) | `0.28.0` | `0.28.1` |
| [golang.org/x/image](https://github.com/golang/image) | `0.41.0` | `0.42.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.37.0` | `0.38.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.55.0` | `0.56.0` |


Updates `charm.land/lipgloss/v2` from 2.0.3 to 2.0.4
- [Release notes](https://github.com/charmbracelet/lipgloss/releases)
- [Commits](charmbracelet/lipgloss@v2.0.3...v2.0.4)

Updates `github.com/evanw/esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `golang.org/x/image` from 0.41.0 to 0.42.0
- [Commits](golang/image@v0.41.0...v0.42.0)

Updates `golang.org/x/text` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](golang/net@v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: charm.land/lipgloss/v2
  dependency-version: 2.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/evanw/esbuild
  dependency-version: 0.28.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golang.org/x/image
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: golang.org/x/text
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 15, 2026
@github-code-quality

Copy link
Copy Markdown

Code Coverage Overview

Languages: Go

Go / code-coverage/go-test

The overall coverage remains at 54%, unchanged from the branch.


Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@shyim Soner (shyim) merged commit d5b8a9b into main Jun 16, 2026
2 checks passed
@shyim Soner (shyim) deleted the dependabot/go_modules/all-4f880fef85 branch June 16, 2026 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant