Update go updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/fxamacker/cbor/v2	v2.7.0 → v2.9.1
golang.org/x/sys	v0.30.0 → v0.42.0
golang.org/x/term	v0.29.0 → v0.41.0

---

Release Notes

fxamacker/cbor (github.com/fxamacker/cbor/v2)

v2.9.1

Compare Source

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

• [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #​757)
• [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #​757)
• [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #​757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

• [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #​753)
• [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #​753)
• [Encoding] Reject encoding nil inside indefinite-length strings (PR #​750)
• [Diagnostic] Accept valid U+FFFD replacement character (PR #​753)

What's Changed

• 🆕 Add TimeMode encoding option TimeRFC3339NanoUTC by @​fxamacker in #​688
• Use actual negative zero in tests by @​makew0rld in #​708
• Reject encoding nil inside CBOR indefinite-length string by @​fxamacker in #​750
• Refactor and add tests by @​fxamacker in #​752
• Small bugfixes, defensive checks, and improvements by @​fxamacker in #​753
• Refactor parseMapToStruct(), getDecodingStructType(), getEncodingStructType(), and field struct by @​fxamacker in #​754
• Fix several issues related to keyasint tag option by @​fxamacker in #​757

CI / GitHub Actions and Docs

🔎 Details...

• Bump github/codeql-action from 3.29.2 to 3.29.4 by @​dependabot[bot] in #​690
• Bump github/codeql-action from 3.29.4 to 3.29.5 by @​dependabot[bot] in #​691
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​696
• Bump github/codeql-action from 3.29.7 to 3.29.9 by @​dependabot[bot] in #​697
• Bump github/codeql-action from 3.29.9 to 3.29.11 by @​dependabot[bot] in #​700
• Bump github/codeql-action from 3.29.11 to 3.30.0 by @​dependabot[bot] in #​702
• Bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in #​703
• Bump github/codeql-action from 3.30.0 to 3.30.3 by @​dependabot[bot] in #​706
• Bump github/codeql-action from 3.30.3 to 3.30.4 by @​dependabot[bot] in #​710
• Bump github/codeql-action from 3.30.4 to 3.30.6 by @​dependabot[bot] in #​712
• Bump github/codeql-action from 3.30.6 to 4.30.7 by @​dependabot[bot] in #​713
• Bump github/codeql-action from 4.30.7 to 4.30.8 by @​dependabot[bot] in #​716
• Bump github/codeql-action from 4.30.8 to 4.30.9 by @​dependabot[bot] in #​718
• Bump github/codeql-action from 4.30.9 to 4.31.2 by @​dependabot[bot] in #​720
• Bump github/codeql-action from 4.31.2 to 4.31.3 by @​dependabot[bot] in #​721
• Bump github/codeql-action from 4.31.3 to 4.31.4 by @​dependabot[bot] in #​724
• Bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​725
• Bump actions/checkout from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​726
• Bump github/codeql-action from 4.31.4 to 4.31.5 by @​dependabot[bot] in #​727
• Bump github/codeql-action from 4.31.5 to 4.31.6 by @​dependabot[bot] in #​728
• Bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​729
• Bump github/codeql-action from 4.31.6 to 4.31.8 by @​dependabot[bot] in #​732
• Bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in #​733
• Bump github/codeql-action from 4.31.9 to 4.31.10 by @​dependabot[bot] in #​738
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​739
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​740
• Bump github/codeql-action from 4.31.10 to 4.32.0 by @​dependabot[bot] in #​742
• Bump github/codeql-action from 4.32.0 to 4.32.3 by @​dependabot[bot] in #​745
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​746
• Bump github/codeql-action from 4.32.3 to 4.32.4 by @​dependabot[bot] in #​747
• Bump github/codeql-action from 4.32.4 to 4.32.6 by @​dependabot[bot] in #​748
• Bump github/codeql-action from 4.32.6 to 4.34.0 by @​dependabot[bot] in #​749
• Bump github/codeql-action from 4.34.0 to 4.34.1 by @​dependabot[bot] in #​751
• Update README status section by @​fxamacker in #​758

New Contributors

• @​makew0rld made their first contributihttps://github.com/fxamacker/cbor/pull/708ll/708

Full Changelog: fxamacker/cbor@v2.9.0...v2.9.1

v2.9.0

Compare Source

v2.9.0 adds new features, refactors tests, and improves docs. New features improve interoperability/transcoding between CBOR & JSON.

v2.9.0 passed fuzz tests and is production quality. However, the new TextUnmarshaler feature will continue being fuzz tested a bit longer due to recent changes. The recent changes are limited and don't affect other parts of the codec that passed ~2 billion execs fuzzing.

What's Changed

• Refactor to use Go standard library functions by @​fxamacker in #​663
• Improve DupMapKeyError message by @​fxamacker in #​670
• Add options to support TextMarshaler and TextUnmarshaler by @​benluddy in #​672
• Add optional support for json.Marshaler and json.Unmarshaler via transcoding by @​benluddy in #​673
• Refactor tests and update comments by @​fxamacker in #​678
• Use TextUnmarshaler on byte strings with ByteStringToStringAllowed. by @​benluddy in #​682

Docs

• README: Document struct field tag "-" by @​fxamacker in #​653
• Fix IntDecConvertSignedOrBigInt doc comment by @​theory in #​655
• Update docs for TimeMode, Tag, RawTag, and add example for Embedded JSON Tag for CBOR by @​fxamacker in #​659
• Update README for Embedded JSON Tag for CBOR (tag 262) by @​fxamacker in #​662
• Fix typos in some comments by @​adeinega in #​671
• Update README for v2.9.0 and add Red Hat as a user by @​fxamacker in #​684

CI

🔎 Details

• Bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot[bot] in #​651
• Bump github/codeql-action from 3.28.15 to 3.28.16 by @​dependabot[bot] in #​658
• Bump github/codeql-action from 3.28.16 to 3.28.17 by @​dependabot[bot] in #​660
• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot[bot] in #​661
• Bump github/codeql-action from 3.28.17 to 3.28.18 by @​dependabot[bot] in #​664
• Bump github/codeql-action from 3.28.18 to 3.28.19 by @​dependabot[bot] in #​667
• Bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot[bot] in #​674
• Bump github/codeql-action from 3.29.0 to 3.29.2 by @​dependabot[bot] in #​680

Special Thanks

Many thanks to @​benluddy for adding these new features! 🎉

• Add opt-in support for encoding.TextMarshaler and encoding.TextUnmarshaler to encode and decode from CBOR text string.
• Add opt-in support for json.Marshaler and json.Unmarshaler via user-provided transcoding function.

New Contributors

• @​theory made their first contribution in #​655
• @​adeinega made their first contribution in #​671

Full Changelog: fxamacker/cbor@v2.8.0...v2.9.0

v2.8.0

Compare Source

v2.8.0 adds omitzero struct tag option, fixes and deprecates 3 functions, and bumps requirements to go 1.20+.

Many thanks to @​liggitt for contributing the omitzero support!

The "omitzero" option omits zero values from encoding, matching stdlib encoding/json behavior.
When specified in the cbor tag, the option is always honored.
When specified in the json tag, the option is honored when building with Go 1.24+.

This release fixes 3 functions (when called directly by user apps) to use same error handling on bad input as cbor.Unmarshal():

• RawTag.UnmarshalCBOR() (thanks @​thomas-fossati for reporting this!)
• ByteString.UnmarshalCBOR()
• SimpleValue.UnmarshalCBOR()

This release also deprecates those 3 functions because they were initially created for internal use. Please use Unmarshal() or UnmarshalFirst() instead.

To preserve backward compatibility, the deprecated functions were added to fuzz tests and will not be removed in v2.x.

What's Changed

• go: update go.mod and ci.yml to require go1.20 or newer (was go1.17) by @​fxamacker in #​626
• Replace interface{} with any by @​fxamacker in #​627
• Replace reflect.Ptr with reflect.Pointer by @​fxamacker in #​628
• Replace reflect.PtrTo with reflect.PointerTo by @​fxamacker in #​629
• Add omitzero support by @​liggitt in #​644
• Update error handling in RawTag.UnmarshalCBOR(), etc. to match cbor.Unmarshal() by @​fxamacker in #​645
• Optimize internal calls to UnmarshalCBOR() for ByteString, RawTag, SimpleValue by @​fxamacker in #​647

Other Changes

🔍 Details

• Bump github/codeql-action from 3.25.10 to 3.25.11 by @​dependabot in #​562
• Bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot in #​564
• Bump github/codeql-action from 3.25.11 to 3.25.12 by @​dependabot in #​565
• Bump github/codeql-action from 3.25.12 to 3.25.14 by @​dependabot in #​567
• Bump github/codeql-action from 3.25.14 to 3.25.15 by @​dependabot in #​569
• Bump github/codeql-action from 3.25.15 to 3.26.0 by @​dependabot in #​571
• Bump govulncheck from 1.0.4 to 1.1.3 by @​fxamacker in #​572
• Bump github/codeql-action from 3.26.0 to 3.26.2 by @​dependabot in #​575
• Add go1.23 to ci.yml by @​fxamacker in #​573
• Bump github/codeql-action from 3.26.2 to 3.26.6 by @​dependabot in #​580
• Mention new TinyGo feature branch in README by @​fxamacker in #​582
• Bump github/codeql-action from 3.26.6 to 3.26.8 by @​dependabot in #​585
• Bump github/codeql-action from 3.26.8 to 3.26.9 by @​dependabot in #​586
• Bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in #​587
• README: update benchmark comparisons, etc. by @​fxamacker in #​588
• Bump github/codeql-action from 3.26.9 to 3.26.11 by @​dependabot in #​590
• README: update to clarify CBOR benchmark comparison and resolve nits by @​fxamacker in #​591
• README: fix broken link to svg file by @​fxamacker in #​592
• Bump github/codeql-action from 3.26.11 to 3.26.12 by @​dependabot in #​594
• Bump actions/checkout from 4.2.0 to 4.2.1 by @​dependabot in #​593
• Bump github/codeql-action from 3.26.12 to 3.26.13 by @​dependabot in #​595
• Bump github/codeql-action from 3.26.13 to 3.27.0 by @​dependabot in #​596
• Bump actions/checkout from 4.2.1 to 4.2.2 by @​dependabot in #​597
• Bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot in #​598
• Bump github/codeql-action from 3.27.0 to 3.27.4 by @​dependabot in #​602
• Bump github/codeql-action from 3.27.4 to 3.27.6 by @​dependabot in #​604
• Bump github/codeql-action from 3.27.6 to 3.27.7 by @​dependabot in #​605
• Bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot in #​606
• Bump github/codeql-action from 3.27.7 to 3.27.9 by @​dependabot in #​607
• Bump github/codeql-action from 3.27.9 to 3.28.0 by @​dependabot in #​608
• Bump github/codeql-action from 3.28.0 to 3.28.1 by @​dependabot in #​609
• Bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot in #​610
• Bump github/codeql-action from 3.28.1 to 3.28.4 by @​dependabot in #​614
• Bump github/codeql-action from 3.28.4 to 3.28.8 by @​dependabot in #​618
• Bump github/codeql-action from 3.28.8 to 3.28.9 by @​dependabot in #​619
• .github: Bump govulncheck from 1.1.3 to 1.1.4 by @​fxamacker in #​620
• .github: Require 97% or more code coverage by @​fxamacker in #​621
• Add missing copyright notice to a few files by @​fxamacker in #​630
• Bump github/codeql-action from 3.28.9 to 3.28.10 by @​dependabot in #​631
• Bump github/codeql-action from 3.28.10 to 3.28.11 by @​dependabot in #​633
• Bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in #​639
• Bump github/codeql-action from 3.28.11 to 3.28.12 by @​dependabot in #​641
• Bump github/codeql-action from 3.28.12 to 3.28.13 by @​dependabot in #​642
• README: fix typo in code example in Struct Tags section by @​sschulz-t in #​637
• Update docs for cbor v2.8.0 by @​fxamacker in #​649

New Contributors

• @​sschulz-t made their first contributihttps://github.com/fxamacker/cbor/pull/637ll/637
• @​liggitt made their first contributihttps://github.com/fxamacker/cbor/pull/644ll/644

Full Changelog: fxamacker/cbor@v2.7.0...v2.8.0

v2.7.1

Compare Source

v2.7.1 fixes 3 functions (when called directly by user apps) to use same error handling on bad inputs as cbor.Unmarshal():

• ByteString.UnmarshalCBOR()
• RawTag.UnmarshalCBOR()
• SimpleValue.UnmarshalCBOR()

The above 3 fixed functions are deprecated because they were initially created for internal use. Please use Unmarshal() or UnmarshalFirst() instead.

To preserve backward compatibility, the deprecated functions were added to fuzz tests and will not be removed in v2.x.

Before Upgrading to v2.7.1

v2.8.0 is being fuzz tested and will be released later today. It adds support for omitzero struct tag option.

v2.7.1 is the last version to support go 1.17-1.19. v2.8.0 and newer releases will require go 1.20+.

What's Changed

• Update error handling in RawTag.UnmarshalCBOR(), etc. to match cbor.Unmarshal() by @​fxamacker in #​636
• Optimize internal calls to UnmarshalCBOR() by @​fxamacker in #​648

Special Thanks

Thanks @​thomas-fossati for reporting the bug in RawTag.UnmarshalCBOR() when it is called directly by user apps providing bad input data!

Full Changelog: fxamacker/cbor@v2.7.0...v2.7.1

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.23.0 -> 1.25.0