chore(deps): bump the all group across 1 directory with 9 updates

[dependabot]

Bumps the all group with 7 updates in the / directory:

Package	From	To
charm.land/bubbletea/v2	2.0.6	2.0.7
charm.land/glamour/v2	2.0.0	2.0.1
github.com/alecthomas/chroma/v2	2.24.1	2.26.1
github.com/go-git/go-git/v5	5.18.0	5.19.1
github.com/rogpeppe/go-internal	1.14.1	1.15.0
golang.org/x/crypto	0.50.0	0.53.0
modernc.org/sqlite	1.50.0	1.52.0

Updates charm.land/bubbletea/v2 from 2.0.6 to 2.0.7

Release notes

Sourced from charm.land/bubbletea/v2's releases.

v2.0.7

A few lil’ stability patches

Hi! This is a patch release with a few solid improvements around stability and correctness.

• @​lrstanley, one of our faves, fixed a race condition around mice in the Cursed Renderer
• @​lawrence3699 fixed a panic that could happen when input's not available
• We fixed a correctness issue with regard to mouse releases when Kitty Keyboard was active (thanks, @​mitchellh)

Thanks for using Bubble Tea, and if you see anything awry please do let us know!

—Charm 👋

Changelog

Fixed

• c60f0c53042238305ec13b486326588f12aea0ec: fix: prevent data race with cursedRenderer.onMouse (#1691) (@​lrstanley)
• 074596e14e2f5ca5e3986ee72e7c08f1569c4178: fix: skip input reader restore when input is disabled (#1680) (@​lawrence3699)
• 878d7df2f2b02f3ca8db177fa8553834bc35ea7c: fix(deps): bump ultraviolet for kitty keyboard fix (@​meowgorithm)

---

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

Commits

• a23da80 v2.0.7
• 670963e chore(task): add release and fetch-tags tasks
• 29c4c32 fix(examples/deps): go mod tidy
• 878d7df chore(deps): bump ultraviolet for kitty keyboard fix
• c60f0c5 fix: prevent data race with cursedRenderer.onMouse (#1691)
• 640d879 docs(readme): update footer image
• 0fbefd2 chore: remove CODEOWNERS
• 074596e fix: skip input reader restore when input is disabled (#1680)
• See full diff in compare view

Updates charm.land/glamour/v2 from 2.0.0 to 2.0.1

Release notes

Sourced from charm.land/glamour/v2's releases.

v2.0.1

Changelog

Bug fixes

• 975a0f30cc6519fde4481ab084987222c8f06c34: fix: close wrap writer before its downstream chain (#575) (@​taciturnaxolotl)

Other work

• c29364924407add0616fc067e4c70ddf9a5da0dd: chore: fix pre-existing lint failures (#575) (@​taciturnaxolotl)
• 95c93db04489cebf252ec856584445c7e85ee276: chore: bump lipgloss to v2.0.4 (@​taciturnaxolotl)
• 600b93a40bb9754522c7e3496b8b41989cf1dec7: chore: remove CODEOWNERS (@​aymanbagabas)
• 253da61fcb275fcd28296956ffae5f7d98ff618d: fix(ci): use local golangci config (@​aymanbagabas)

---

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

Commits

• 95c93db chore: bump lipgloss to v2.0.4
• c293649 chore: fix pre-existing lint failures
• 975a0f3 fix: close wrap writer before its downstream chain
• 600b93a chore: remove CODEOWNERS
• 253da61 fix(ci): use local golangci config
• See full diff in compare view

Updates charm.land/lipgloss/v2 from 2.0.3 to 2.0.4

Release notes

Sourced from charm.land/lipgloss/v2's releases.

v2.0.4

Mini Crash Patch

Hi! This is a small patch to fix a writer-related panic. Thanks for using Lip Gloss!

Changelog

Fixed

• fefa41d: fix: prevent crash when writing to a closed wrap writer (#699) (@​taciturnaxolotl)

Docs

• 40ec0e6: docs: fix typo in table comment (#641) (@​aymanbagabas)
• a4d0b40: docs: restore missing diaereses (#664) (@​meowgorithm)

Chore

• aa91b99: chore: remove CODEOWNERS (@​aymanbagabas)
• 9cbfe8b: chore(lint): exclude revive naming linter (@​aymanbagabas)

---

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

Commits

• b00306c fix: prevent crash when writing to a closed wrap writer
• 40ec0e6 docs: fix typo in table comment (#641)
• e3b78a2 chore(deps): bump golang.org/x/sys in the all group (#691)
• 758dd87 chore(deps): bump golang.org/x/sys in the all group (#674)
• aa91b99 chore: remove CODEOWNERS
• 9cbfe8b chore(lint): exclude revive naming linter
• a4d0b40 docs: restore missing diaereses (#664)
• See full diff in compare view

Updates github.com/alecthomas/chroma/v2 from 2.24.1 to 2.26.1

Release notes

Sourced from github.com/alecthomas/chroma/v2's releases.

v2.26.1

Changelog

• 56c7702 fix: downgrade go.mod version to 1.25

v2.26.0

Changelog

• a4d3f60 feat(chromad): use style counterparts for theme switching
• ce159e6 chore: migrate to new bit format
• 180ea9f perf(colour): replace Sprintf/ParseUint round-trip in NewColour with direct bit arithmetic (#1274)
• 68a08b0 docs: how to support dynamic theme switching
• 6fb9d92 feat(html): tag output with style mode
• a71fea3 feat(styles): add light/dark mode support

v2.25.0

Changelog

• c3826f0 chore: go mod tidy
• fb5bc39 fix: emit HTTP body tokens without Coalesce
• a3c2946 Improve Nu file detection (#1260)
• e841b1a chore(deps): update all non-major dependencies (#1272)
• 3ed2db8 Add Gemfile.lock lexer (& ruby improvements) (#1269)
• 41fb546 Add YAML+Jinja lexer (#1268)
• e99b881 chore(deps): update all non-major dependencies (#1263)
• e67dd2f (Markless) Fix parse issue for embed directives without options (#1266)
• dffa370 fix(go): tokenize trailing // as comment instead of consuming next line (#1265)
• 1cf1560 chore: upgrade to github.com/dlclark/regexp2/v2
• 2cbcf7b chore: upgrade golangci-lint
• 786675b chore(deps): update all non-major dependencies (#1257)
• 235590c feat: add JSONL support to JSON lexer (#1262)
• f9b5c97 fix(dart): match single-line comments without trailing newline (#1225) (#1261)
• 097f8e9 Mention Arturo in README (#1256)
• d46ce60 feat(markdown): highlight frontmatter and comments (#1245)
• f786b2a feat(lexers): add support for LilyPond (#1255)
• 0a02b98 chore(deps): update actions/checkout digest to de0fac2 (#1212)
• c55009e Fix AGENTS.md referencing a non-existent scripts directory (#1231)
• c5e763e Improve protobuf lexer (#1253)
• 113cd0e Add Arturo lexer (#1232)
• 4498d71 chore(deps): update dependency binaryen to v129 (#1238)
• 885f912 Added f4 to "Projects using Chroma" list (#1242)
• c42c9ef Update java lexer (#1254)

Commits

• 56c7702 fix: downgrade go.mod version to 1.25
• a4d3f60 feat(chromad): use style counterparts for theme switching
• ce159e6 chore: migrate to new bit format
• 180ea9f perf(colour): replace Sprintf/ParseUint round-trip in NewColour with direct b...
• 68a08b0 docs: how to support dynamic theme switching
• 6fb9d92 feat(html): tag output with style mode
• a71fea3 feat(styles): add light/dark mode support
• c3826f0 chore: go mod tidy
• fb5bc39 fix: emit HTTP body tokens without Coalesce
• a3c2946 Improve Nu file detection (#1260)
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

• v5: plumbing: transport/ssh, Shell-quote path by @​hiddeco in go-git/go-git#2068
• v5: git: submodule, Fix relative URL resolution by @​hiddeco in go-git/go-git#2070
• v5: git: submodule, canonical remote for relative URLs by @​hiddeco in go-git/go-git#2074
• v5: git: submodule, error on remote without URLs by @​hiddeco in go-git/go-git#2078
• v5: plumbing: format/idxfile, Validate offset64 indices by @​hiddeco in go-git/go-git#2084
• v5: *: Reject malformed variable-length integers by @​hiddeco in go-git/go-git#2092
• v5: plumbing: format/packfile, Tighten delta validation by @​hiddeco in go-git/go-git#2091
• v5: Add worktreeFilesystem wrapper for worktree and hardening by @​hiddeco in go-git/go-git#2100
• v5: config: validate submodule names by @​hiddeco in go-git/go-git#2082
• build: Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#2111
• v5: git: Allow MkdirAll on worktree-root paths by @​hiddeco in go-git/go-git#2117
• v5: git: Stop validating symlink target paths by @​pjbgf in go-git/go-git#2116
• v5: plumbing: format decoder input bounds and contracts by @​hiddeco in go-git/go-git#2125
• plumbing: format/packfile, cap delta chain depth in parser by @​pjbgf in go-git/go-git#2137

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

v5.19.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#2010
• v5: Bump sha1cd and go-billy by @​pjbgf in go-git/go-git#2060
• v5: Align object encoding with upstream by @​pjbgf in go-git/go-git#2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Commits

• 3c3be60 Merge pull request #2137 from go-git/validate-v5
• 3fba897 plumbing: format/packfile, cap delta chain depth in parser
• a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
• aeaa125 plumbing: format/objfile, require Header before Read
• 1f38e17 plumbing: format/packfile, bound inflate size
• f7545a0 plumbing: format/idxfile, bound nr by file size
• 170b881 Merge pull request #2116 from pjbgf/symlink-v5
• 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
• f0709b3 git: Stop validating symlink target paths
• 776d00f git: Allow MkdirAll on worktree-root paths
• Additional commits viewable in compare view

Updates github.com/rogpeppe/go-internal from 1.14.1 to 1.15.0

Release notes

Sourced from github.com/rogpeppe/go-internal's releases.

v1.15.0

What's Changed

• hash: do not salt with Go runtime version by @​rogpeppe in rogpeppe/go-internal#292
• testscript: reset verbose on new blocks by @​myitcv in rogpeppe/go-internal#293
• testscript: rewind last block if it was not in error by @​myitcv in rogpeppe/go-internal#294
• testscript: protect against no-op uses of cmp by @​mvdan in rogpeppe/go-internal#295
• goproxytest: add Setup by @​rogpeppe in rogpeppe/go-internal#303
• update Go, fix, add /@latest to goproxytest by @​mvdan in rogpeppe/go-internal#302
• internal/vcs: remove SYSTEMROOT workaround for Windows by @​mvdan in rogpeppe/go-internal#299
• goproxytest: add overlay capability by @​rogpeppe in rogpeppe/go-internal#304

Full Changelog: rogpeppe/go-internal@v1.14.1...v1.15.0

Commits

• 8b1dcd4 goproxytest: make .mod and .info files optional
• 02e5dd4 goproxytest: add overlay capability (#304)
• 3030644 internal/vcs: remove SYSTEMROOT workaround for Windows
• a4c00dc goproxytest: handle /@​latest endpoint
• 19311e8 all: go fix ./...
• 74d1312 test on Go 1.25 and 1.26
• aa1b1e2 goproxytest: add Setup (#303)
• 5223eff testscript: protect against no-op uses of cmp
• ee70938 testscript: rewind last block if it was not in error
• a4ecbfb testscript: add a non-failing block to the end of logging tests
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.50.0 to 0.53.0

Commits

• 45460e0 go.mod: update golang.org/x dependencies
• d37c95e pkcs12: limit PBKDF iteration count to prevent CPU exhaustion
• e2ffffe ssh: reject incomplete gssapi-with-mic configurations
• 60e158a ssh/test: isolate CLI tests from user SSH config and agent
• 1b77d23 ssh/knownhosts: reject lines with multiple or unknown markers
• 3872a2b ssh/knownhosts: verify declared key type matches decoded key
• 9f72ecc ssh/knownhosts: treat only ASCII space and tab as whitespace
• 8f405a4 ssh: validate ECDSA curve matches expected algorithm
• bb41b3d ssh: improve DH GEX group selection using PreferredBits
• e04e721 ssh/agent: validate ed25519 private key length in Add
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.20.0 to 0.21.0

Commits

• 5071ed6 all: fix some comments to improve readability
• See full diff in compare view

Updates modernc.org/sqlite from 1.50.0 to 1.52.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-06-14 v1.54.0:

  • Add experimental netbsd/amd64 support, resolving the long-standing build break in [GitLab issue #246](https://gitlab.com/cznic/sqlite/-/issues/246). This target is intentionally not yet listed among the supported platforms in the package documentation: the port had been broken for years and is only now revived, and there is as yet no real-world experience running it under production workloads. Green CI is not the same as battle-tested — so while the full test suite (including the pcache and vec packages and the -race concurrency test) passes on NetBSD 10.1 / Go 1.26.3, and the entire upstream toolchain (libc, cc, ccgo, libz, libtcl8.6, libsqlite3, libsqlite_vec) is green on the NetBSD CI builder, the target is offered for evaluation only. If you run NetBSD, please exercise it with your own workloads and report back via #246; the intent is to promote it to a fully supported platform after a period of broader real-world testing (on the order of a month) elapses without surprises.
  • Implementation notes: the previously shipped lib/sqlite_netbsd_amd64.go was a stale old-generator transpile that no longer compiled (the mu.enter/mu.leave break in #246); it is replaced by a fresh new-generator transpile consistent with every other platform, and modernc.org/sqlite/vec (sqlite-vec) is vendored and auto-registers on netbsd. Correct operation requires the matching pinned modernc.org/libc, which carries two NetBSD-specific fixes found during this work: the mmap(2) PAD-argument ABI (without it, concurrent WAL access faults with SIGBUS in the WAL-index shared memory) and a working abort(3) (the prior stub left SQLite's crash-recovery writecrash test unable to terminate by signal). As usual, downstream modules must pin the exact modernc.org/libc version this module's go.mod pins.
  • See [GitLab merge request #82](https://gitlab.com/cznic/sqlite/-/merge_requests/82), thanks Leonardo Taccari (@​iamleot) and Thomas Klausner (@wiz)!

• 2026-06-10 v1.53.0:

  • Add a Go-facing wrapper for SQLITE_CONFIG_PCACHE2. PageCache is the factory and Cache the per-database instance, both idiomatic Go interfaces; Page exposes the raw Buf and Extra pointers that SQLite reads through the C pcache contract. RegisterPageCache and MustRegisterPageCache install the module process-globally before the first sql.Open; subsequent Open calls are gated through a one-shot Xsqlite3_config(SQLITE_CONFIG_PCACHE2) so a too-late Register returns ErrPageCacheTooLate rather than silently falling through to the built-in pcache1. The binding owns the sqlite3_pcache_page stub and re-consults the implementation on every Fetch, reusing the stub only when the returned Page value is unchanged, which keeps a bounded/evicting purgeable cache safe by construction.
  • See [GitLab merge request #126](https://gitlab.com/cznic/sqlite/-/merge_requests/126), thanks Ian Chechin!
  • Add modernc.org/sqlite/pcache, the reference page-cache implementation that accompanies the #126 SQLITE_CONFIG_PCACHE2 wrapper. pcache.New returns a *Pool satisfying the PageCache interface; register it once with sqlite.MustRegisterPageCache(pcache.New()) and every connection opened afterwards draws its pages from it. Each Pool.Create mints a fresh per-database Cache: a bounded, LRU-evicting page store that honours the PRAGMA cache_size soft cap and releases the least-recently-unpinned page when it must make room. Page memory — the Buf and Extra buffers SQLite reads through — is allocated with libc.Xmalloc/libc.Xcalloc and therefore lives off the Go heap, which keeps SQLite's interior pointer arithmetic on the page extras from tripping the race detector's checkptr enforcement. Pool.Stats reports aggregate lifetime counters (hits, misses, allocs, evictions, rekeys, truncates, caches) across every cache a Pool has created, so hit/miss/eviction behaviour is observable without instrumenting individual caches. Cross-connection page sharing is out of scope for now; each Create returns an independent per-database cache.
  • Validated end-to-end against the #126 stress workload (cache_size=16, 4000 BLOB rows with DELETE and incremental_vacuum, integrity_check clean under -race) and benchmarked for the memory-utilization goal tracked in [GitLab issue #204](https://gitlab.com/cznic/sqlite/-/issues/204).
  • See [GitLab merge request #127](https://gitlab.com/cznic/sqlite/-/merge_requests/127), thanks Ian Chechin!
  • Add an opt-in _dqs DSN query parameter that disables SQLite's double-quoted string literal compatibility quirk on a per-connection basis. When _dqs=0 (or any strconv.ParseBool false value) is supplied, the driver calls sqlite3_db_config with SQLITE_DBCONFIG_DQS_DDL and SQLITE_DBCONFIG_DQS_DML set to off before any statement is prepared, so a double-quoted identifier that fails to resolve raises a parse error instead of silently falling back to a string literal. Absence of the parameter, or _dqs=1, leaves SQLite's default behavior unchanged; existing DSNs continue to work byte-for-byte. Resolves [GitLab issue #61](https://gitlab.com/cznic/sqlite/-/issues/61).
  • See [GitLab merge request #128](https://gitlab.com/cznic/sqlite/-/merge_requests/128), thanks Ian Chechin!
  • Add an opt-in _error_rc DSN query parameter for clearer error reporting on open-time failures. When _error_rc=1 (or any strconv.ParseBool true value) is supplied, error strings synthesised from a (rc, db) pair only append sqlite3_errmsg(db) when sqlite3_extended_errcode(db) is consistent with the operation rc (full match first, primary code &0xff as fallback). On mismatch the canonical sqlite3_errstr(rc) is used alone, so an open-time SQLITE_CANTOPEN no longer carries the temporary handle's stale "out of memory" errmsg. Absence of the parameter, or _error_rc=0, preserves the legacy "errstr: errmsg" form byte-for-byte; existing callers that parse error strings are unaffected. The driver's *Error.Code() returns the same SQLite result code in both modes. Parsed before sqlite3_open_v2 so open-time errors are covered. Resolves [GitLab issue #230](https://gitlab.com/cznic/sqlite/-/issues/230).
  • See [GitLab merge request #129](https://gitlab.com/cznic/sqlite/-/merge_requests/129), thanks Ian Chechin!

• 2026-06-06 v1.52.0:

  • Upgrade to SQLite 3.53.2.
  • Add Backup.Remaining and Backup.PageCount, thin wrappers around the existing sqlite3_backup_remaining and sqlite3_backup_pagecount C symbols. Together they expose the per-Step progress counters that the underlying backup object already maintains, enabling progress reporting during online backups without dropping to modernc.org/sqlite/lib directly.
  • See [GitLab merge request #122](https://gitlab.com/cznic/sqlite/-/merge_requests/122), thanks Ian Chechin!
  • Drop the redundant second copy in (*conn).columnText, the path that backs every Rows.Scan into a Go string for a TEXT column. The value's bytes are still copied once out of SQLite-owned memory into a fresh Go buffer; that buffer is then reinterpreted as the result string with unsafe.String rather than copied a second time by the implicit string([]byte) conversion. This removes one allocation per TEXT value per row and roughly halves the bytes allocated on that path; on the new BenchmarkColumnTextScan cases it is ~13–20% faster for payloads of 256 B and larger, with no measurable change for very short strings. Purely internal: no API or behavioral change, and the returned string never aliases SQLite's buffer.
  • See [GitLab merge request #123](https://gitlab.com/cznic/sqlite/-/merge_requests/123), thanks Ian Chechin!
  • Cache each result column's declared type once per result set in newRows instead of recomputing it on every row. The TEXT branch of Rows.Next calls ColumnTypeDatabaseTypeName for every TEXT column on every row (independent of any DSN flag), which previously did a libc.GoString + strings.ToUpper each time; that lookup is now a single index into a cached, pre-uppercased []string, and ColumnTypeScanType reads the same cache and drops its per-call strings.ToLower. The declared type is fixed for the lifetime of a prepared statement, so the C round-trip is paid once per column rather than once per column per row, removing exactly 1 alloc + 8 B per TEXT column per row from the Next hot path. The new BenchmarkTextToTimeScan cases show ~7% faster on a 1000-row DATETIME SELECT under _texttotime=1. Purely internal: ColumnTypeDatabaseTypeName and ColumnTypeScanType return identical values, no API or behavioral change.
  • See [GitLab merge request #124](https://gitlab.com/cznic/sqlite/-/merge_requests/124), thanks Ian Chechin!
  • Cache, per result column, the parseTimeFormats index that first parsed a TEXT-stored DATE/DATETIME/TIMESTAMP value, and try that format first on later rows instead of re-walking the list from the top. (*conn).parseTime previously ran time.Parse down the format list on every such row; for the canonical SQLite TEXT datetime format every row paid two failed time.Parse attempts — each allocating a *time.ParseError — before the match. On a 1000-row DATETIME TEXT SELECT this cuts ~50% of allocs/op and ~57% of B/op and is ~37% faster. The fall-through chain is preserved exactly: the seven formats are mutually exclusive, so the cached hint can never select a different match than the in-order scan, and the parsed driver.Value is identical to before. Purely internal: no API or behavioral change.
  • See [GitLab merge request #125](https://gitlab.com/cznic/sqlite/-/merge_requests/125), thanks Ian Chechin!

• 2026-05-28 v1.51.0:

  • Pool the []driver.Value slice passed to scalar/aggregate UDF callbacks and to vtab Filter/Insert/Update callbacks, eliminating the dominant per-row allocation on UDF-heavy queries. Benchmarks on a 1000-row, 3-arg noop scalar UDF show ~40% fewer bytes/op and ~15% fewer allocs/op.
  • Document the matching "arguments are not valid past return" contract on vtab.Cursor.Filter and vtab.Updater.Insert/Update, consistent with the existing rule for FunctionImpl.Scalar / AggregateFunction.Step / WindowInverse.
  • Resolves [GitLab issue #226](https://gitlab.com/cznic/sqlite/-/issues/226). See [GitLab merge request #114](https://gitlab.com/cznic/sqlite/-/merge_requests/114), thanks Ian Chechin!
  • Add FileControl.FileControlDataVersion, a wrapper around SQLITE_FCNTL_DATA_VERSION for observing pager-cache data-version changes, including those made on the same connection. Useful as a primitive for application-level cache invalidation.
  • Exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), consistent with the existing FileControlPersistWAL.
  • See [GitLab merge request #115](https://gitlab.com/cznic/sqlite/-/merge_requests/115), thanks Ian Chechin!
  • Fix a regression where in-memory connections (:memory:, file::memory:, shared-cache memory URIs) were discarded by database/sql after a context-cancelled query, taking the entire in-memory store with them. The fix for #198 had added an sqlite3_is_interrupted check to the connection validator that mistakenly applied to in-memory connections too, re-introducing the bug originally fixed by !74. File-backed connections keep the existing behaviour and are still discarded after an interrupt.
  • Resolves [GitLab issue #196](https://gitlab.com/cznic/sqlite/-/issues/196). See [GitLab merge request #116](https://gitlab.com/cznic/sqlite/-/merge_requests/116), thanks Ian Chechin!
  • Add an opt-in FunctionImpl.VolatileArgs flag that hands TEXT and BLOB arguments to scalar and aggregate UDF callbacks as zero-copy views (unsafe.String/unsafe.Slice) over SQLite's own value buffers, eliminating the per-argument libc.GoString/make([]byte) copy that the #226 slice-pooling left as the remaining per-row allocation. On the same 1000-row, 3-arg (INTEGER/TEXT/BLOB) noop scalar UDF this removes a further ~35% of allocs/op and ~11% of bytes/op on top of #226.
  • The views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. With VolatileArgs unset (the default) arguments keep the existing copied, caller-owned semantics, so the flag is fully backward compatible; it has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #120](https://gitlab.com/cznic/sqlite/-/merge_requests/120), thanks Ian Chechin!
  • Extend the opt-in VolatileArgs zero-copy TEXT/BLOB argument access from #120 to the virtual-table Cursor.Filter (xFilter) and Updater.Insert/Update (xUpdate) callbacks. A vtab.Module opts in by implementing the new optional vtab.VolatileArgsOpter interface (VolatileArgs() bool); the flag is read once at module registration and shared by every table created from it. On a vtab call carrying one TEXT and one BLOB argument this removes 2 allocs/op (one libc.GoString, one make([]byte)) on each of the Filter and Update paths.
  • The same safety contract as #120 applies: the views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. Modules that do not implement VolatileArgsOpter (the default for all existing modules) are byte-for-byte unchanged, and the flag has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #121](https://gitlab.com/cznic/sqlite/-/merge_requests/121), thanks Ian Chechin!

• 2026-05-10 v1.50.1:

  • Upgrade to SQLite 3.53.1.

• 2026-04-24 v1.50.0:

  • Upgrade to sqlite-vec v0.1.9.

... (truncated)

Commits

• 66b4d20 release v1.52.0, upgrade to SQLite 3.53.2
• e3f64ec rows: clarify parseFmtIdx mixed-column cost; CHANGELOG.md: document #125
• 4485793 Merge branch 'perf/cache-parse-time-format' into 'master'
• 3638d17 rows: cache the parseTime format index per result column
• 7da793e CHANGELOG.md: document #124
• 51e6714 Merge branch 'perf/cache-column-decltype' into 'master'
• 8a6f33c rows: lock down ColumnTypeScanType under the decltype cache
• f8fb6dd rows: cache the column decltype lookup once per result set
• b17c0c7 CHANGELOG.md: document #123
• c80a08f Merge branch 'perf/column-text-zero-copy' into 'master'
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions