Bump the all-updates group across 1 directory with 13 updates

[dependabot]

Bumps the all-updates group with 9 updates in the / directory:

Package	From	To
github.com/aws/aws-sdk-go	1.41.14	1.55.8
github.com/golang-jwt/jwt/v4	4.1.0	4.5.2
github.com/golangci/golangci-lint/v2	2.7.2	2.10.1
github.com/gosimple/slug	1.11.0	1.15.0
github.com/joho/godotenv	1.4.0	1.5.1
github.com/microcosm-cc/bluemonday	1.0.16	1.0.27
github.com/prometheus/client_golang	1.12.1	1.23.2
golang.org/x/oauth2	0.34.0	0.35.0
rogchap.com/v8go	0.7.1-0.20211222173054-943fcf9e74cc	0.9.0

Updates github.com/aws/aws-sdk-go from 1.41.14 to 1.55.8

Release notes

Sourced from github.com/aws/aws-sdk-go's releases.

Release v1.55.8 (2025-07-31)

SDK Features

• Mark the module and all packages as deprecated.
  • This SDK has entered end-of-support.

Release v1.55.7 (2025-04-22)

SDK Bugs

• service/s3/s3manager: Abort multipart download if object is modified during download
  • Fixes 4986

Release v1.55.6 (2025-01-15)

SDK Bugs

• Fix broken printf for go1.24

Release v1.55.5 (2024-07-30)

Service Client Updates

• service/appstream: Updates service API and documentation
  • Added support for Red Hat Enterprise Linux 8 on Amazon AppStream 2.0
• service/autoscaling: Updates service API and documentation
  • Increase the length limit for VPCZoneIdentifier from 2047 to 5000
• service/codepipeline: Updates service API, documentation, and paginators
  • AWS CodePipeline V2 type pipelines now support stage level conditions to enable development teams to safely release changes that meet quality and compliance requirements.
• service/elasticache: Updates service documentation
  • Doc only update for changes to deletion API.
• service/elasticloadbalancing: Updates service API
• service/eventbridge: Updates service API
• service/logs: Updates service API
  • Add v2 smoke tests and smithy smokeTests trait for SDK testing.
• service/models.lex.v2: Updates service API and documentation
• service/rolesanywhere: Updates service API and documentation
• service/tnb: Updates service API and documentation
• service/workspaces: Updates service documentation
  • Removing multi-session as it isn't supported for pools

Release v1.55.4 (2024-07-29)

Service Client Updates

• service/elasticache: Updates service documentation
  • Renaming full service name as it appears in developer documentation.
• service/memorydb: Updates service API and documentation

... (truncated)

Commits

• 070853e release v1.55.8 (2025-07-31)
• bb0168e Add deprecation warnings everywhere and remove some README content
• 7ce44f3 aws
• 6d9a26d remove doc issue tmpl
• 239002f deprecate service packages and HLLs
• 70c4177 deprecate main runtime packages
• bbdd4e9 deprecate
• 163aada release v1.55.7 (2025-04-22) (#5346)
• 9eb2bfd Abort multi part download if the object is modified during download
• 8d203cc Update bug-report.yml
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.1.0 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

• Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

What's Changed

• Allow strict base64 decoding by @​AlexanderYastrebov in golang-jwt/jwt#259

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

v4.4.3

What's Changed

• fix: link update for README.md for v4 by @​krokite in golang-jwt/jwt#217
• Implement a BearerExtractor by @​WhyNotHugo in golang-jwt/jwt#226
• Bump matrix to support latest go version (go1.19) by @​mfridman in golang-jwt/jwt#231
• Include https://github.com/golang-jwt/jwe in README by @​oxisto in golang-jwt/jwt#229
• Add doc comment to ParseWithClaims by @​jkopczyn in golang-jwt/jwt#232
• Refactor: removed the unneeded if statement by @​Krout0n in golang-jwt/jwt#241
• No pointer embedding in the example by @​oxisto in golang-jwt/jwt#255

New Contributors

• @​krokite made their first contribution in golang-jwt/jwt#217
• @​WhyNotHugo made their first contribution in golang-jwt/jwt#226
• @​jkopczyn made their first contribution in golang-jwt/jwt#232
• @​Krout0n made their first contribution in golang-jwt/jwt#241

Full Changelog: golang-jwt/jwt@v4.4.2...v4.4.3

v4.4.2

What's Changed

• Added MicahParks/keyfunc to extensions by @​oxisto in golang-jwt/jwt#194
• Update link to v4 on pkg.go.dev page by @​polRk in golang-jwt/jwt#195

... (truncated)

Commits

• 2f0e9ad Backporting 0951d18 to v4
• 7b1c1c0 Merge commit from fork
• 9358574 Allow strict base64 decoding (#259)
• 2f0984a Using tparse for nicer CI test display (#251)
• 2101c1f No pointer embedding in the example (#255)
• 35053d4 Removed unneeded if statement (#241)
• 0c4e387 Add doc comment to ParseWithClaims (#232)
• bfea432 Include https://github.com/golang-jwt/jwe in README (#229)
• d81acbf Bump matrix to support latest go version (go1.19) (#231)
• fdaf0eb Implement a BearerExtractor (#226)
• Additional commits viewable in compare view

Updates github.com/golangci/golangci-lint/v2 from 2.7.2 to 2.10.1

Release notes

Sourced from github.com/golangci/golangci-lint/v2's releases.

v2.10.1

golangci-lint is a free and open-source project built by volunteers.

If you value it, consider supporting us, the maintainers and linter authors.

We appreciate it! ❤️

For key updates, see the changelog.

Changelog

• 31356b6d5acb466c4411411895352565306ebbf8 fix: make markDepsForAnalyzingSource recursive to fix buildssa panic (#6376)

v2.10.0

golangci-lint is a free and open-source project built by volunteers.

If you value it, consider supporting us, the maintainers and linter authors.

We appreciate it! ❤️

For key updates, see the changelog.

Changelog

• 87a60c93b3304014ffd5853112e5ca1bac570a2c build(deps): bump github.com/godoc-lint/godoc-lint from 0.11.1 to 0.11.2 (#6372)
• f9b0a754aec7d1167df94bcac71e49500d4489d6 build(deps): bump github.com/nunnatsa/ginkgolinter from 0.22.0 to 0.23.0 (#6368)
• abdeb8dce5d479f0750015ce5800390984ada13f build(deps): bump github.com/securego/gosec/v2 from 2.22.11 to 2.23.0 (#6366)
• d9d4b1928f1fc0c0d610742b56b622dc7daf4aa4 build(deps): bump honnef.co/go/tools from 0.6.1 to 0.7.0 (#6367)

v2.9.0

golangci-lint is a free and open-source project built by volunteers.

If you value it, consider supporting us, the maintainers and linter authors.

We appreciate it! ❤️

For key updates, see the changelog.

Changelog

• 7bcbbbf04e2dff939a1383b44391d33949bcbfab build(deps): bump github.com/MirrexOne/unqueryvet from 1.4.0 to 1.5.0 (#6320)
• 34a7735dcafe57189faa191994faf3d546d9065e build(deps): bump github.com/MirrexOne/unqueryvet from 1.5.0 to 1.5.3 (#6332)
• 4fd6c246757e682f823d73ed4c34db5987571966 build(deps): bump github.com/alecthomas/chroma/v2 from 2.21.1 to 2.22.0 (#6308)
• bc9df8bab4d4bb1e809326fb78d18321b4c86bc1 build(deps): bump github.com/alecthomas/chroma/v2 from 2.22.0 to 2.23.0 (#6328)
• 2ed365c7944938b15a969dd36be9637b6c9c0d9e build(deps): bump github.com/alecthomas/chroma/v2 from 2.23.0 to 2.23.1 (#6338)
• 935cc2f1eb985f958f3e09ed9fbab7b008454ba3 build(deps): bump github.com/alexkohler/prealloc from 1.0.1 to 1.0.2 (#6307)
• a0a46d1c5f4333f10c702ac035534f4c81655316 build(deps): bump github.com/bombsimon/wsl/v5 from 5.3.0 to 5.6.0 (#6333)
• d79ce2f9d50dd7825ac18629e2ddd831190c195f build(deps): bump github.com/ghostiam/protogetter from 0.3.18 to 0.3.19 (#6326)
• 1d3d007777bd3381374e22f52e0c62e0bf282300 build(deps): bump github.com/ghostiam/protogetter from 0.3.19 to 0.3.20 (#6346)
• a41092538295644b731c139a3a29a30c26265001 build(deps): bump github.com/go-viper/mapstructure/v2 from 2.4.0 to 2.5.0 (#6318)
• 353cec6f307fe6c69ea1d584a6859efeafc2c2bc build(deps): bump github.com/golangci/golines from 0.14.0 to 0.15.0 (#6354)
• 645ae5b29b795d6dc23d387118890ec12a38319e build(deps): bump github.com/golangci/misspell from 0.7.0 to 0.8.0 (#6358)
• 9abb996cafd57c8a7c11d137cd4a300ce8379530 build(deps): bump github.com/mgechev/revive from 1.13.0 to 1.14.0 (#6359)

... (truncated)

Changelog

Sourced from github.com/golangci/golangci-lint/v2's changelog.

v2.10.1

Released on 2026-02-17

1. Fixes
   • buildssa panic

v2.10.0

Released on 2026-02-17

1. Linters new features or changes
   • ginkgolinter: from 0.22.0 to 0.23.0
   • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
   • staticcheck: from 0.6.1 to 0.7.0
2. Linters bug fixes
   • godoclint: from 0.11.1 to 0.11.2

v2.9.0

Released on 2026-02-10

1. Enhancements
   • 🎉 go1.26 support
2. Linters new features or changes
   • arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
   • ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
   • golines: from 0.14.0 to 0.15.0
   • misspell: from 0.7.0 to 0.8.0
   • revive: from v1.13.0 to v1.14.0 (new rules: epoch-naming, use-slices-sort)
   • unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
   • wsl_v5: from 5.3.0 to 5.6.0 (new rule: after-block)
3. Linters bug fixes
   • modernize: from 0.41.0 to 0.42.0
   • prealloc: from 1.0.1 to 1.0.2
   • protogetter: from 0.3.18 to 0.3.20
4. Misc.
   • Log information about files when configuration verification
   • Emit an error when no linters enabled
   • Do not collect VCS information when loading code

v2.8.0

Released on 2026-01-07

1. Linters new features or changes
   • godoclint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
   • golines: from 442fd0091d95 to 0.14.0
   • gomoddirectives: from 0.7.1 to 0.8.0
   • gosec: from daccba6b93d7 to 2.22.11 (new rule: G116)

... (truncated)

Commits

• 5d1e709 chore: prepare release
• d5f2de2 dev: refactor to use waitgroup.Go (#6377)
• 31356b6 fix: make markDepsForAnalyzingSource recursive to fix buildssa panic (#6376)
• cb54f49 docs: update GitHub Action assets (#6374)
• c70f78e docs: update documentation assets (#6373)
• 95dcb68 chore: prepare release
• 87a60c9 build(deps): bump github.com/godoc-lint/godoc-lint from 0.11.1 to 0.11.2 (#6372)
• d9d4b19 build(deps): bump honnef.co/go/tools from 0.6.1 to 0.7.0 (#6367)
• ab19213 chore: improve the support of large numbers of packages (FilenameUnadjuster) ...
• abdeb8d build(deps): bump github.com/securego/gosec/v2 from 2.22.11 to 2.23.0 (#6366)
• Additional commits viewable in compare view

Updates github.com/gosimple/slug from 1.11.0 to 1.15.0

Release notes

Sourced from github.com/gosimple/slug's releases.

v1.15.0

🚀 New features and improvements

• Add option to disable trimming of dashes and underscores (#91) by @​matrixik
• optimize: pre alloc slice (#87) by @​rfyiamcool

v1.14.0

🚀 New features and improvements

• Add portuguese language (#78) by @​guilherme-santos
• Add AppendTimestamp option to make slug unique (#81) by @​phihungtf
• Adds portuguese language & @ symbols (#79) by @​auyer

🐛 Bug Fixes

• Correct substitution for bulgarian 'Щ' (#80) by @​kvalev

🧰 Maintenance

• Remove rebase Github action (#86) by @​matrixik
• Update Github test actions (#85) by @​matrixik

🚦 Tests

• Fix some order dependent tests (#83) by @​vannem-sj

v1.13.1: Fix for panic when MaxLength is greater then string length and SmartTruncate is disabled

🐛 Bug Fixes

• Fixed truncation issue (#77) by @​Aym3nTN

v1.13.0: Ability to disable smart truncate, 3 new languages (bg, it, ro) and bug fixes

Thank you for all contributions.

🚀 New features and improvements

• Added the possibility to disable smart truncate (with the exception of the trimming) (#75) by @​Aym3nTN
• Add Romanian (#69) by @​vasilegoian
• Add Italian language substitutions (#68) by @​TomOne
• Adds support for Bulgarian language (#66) by @​aquilax

🐛 Bug Fixes

• Fix edge case in truncate function allowing too long slugs (#74) by @​Redlinkk
• Fix Greek language to follow ELOT 743 standard (#70) by @​imikod

... (truncated)

Commits

• 62efd7f Add option to disable trimming of dashes and underscores
• 8f2fa2f optimize: pre alloc slice
• 412e31a Add portuguese language (#78)
• a9e699c Add AppendTimestamp option to make slug unique (#81)
• 4a8e359 Adds portuguese language & @ symbols (#79)
• f701be4 Remove rebase Github action (#86)
• 78044c1 Correct substitution for bulgarian 'Щ' (#80)
• 76470d7 Fix some order dependent tests (#83)
• 5b9c2ce Update Github test actions (#85)
• 1eab316 Fixed truncation issue (#77)
• Additional commits viewable in compare view

Updates github.com/joho/godotenv from 1.4.0 to 1.5.1

Release notes

Sourced from github.com/joho/godotenv's releases.

Fix parser regressions from multiline support

Version 1.5 came with a whole new parser, and with a new parser comes new bugs.

Things that were broken in 1.5 that are now fixed:

• unquoted variables with interior whitespace no longer split on the first space (and then break the following line if you have one)
• inline comments now work again for both quoted and unquoted variables
• export statement filtering was made more robust and matched earlier versions behaviour
• FOO.BAR key names are permitted again (i have no idea why you'd do it, but it's explicitly supported in ruby dotenv files)

There's one breaking change: earlier versions of this library would allow unterminated quoted variables in some instances and return a value (ie FOO="bar would set env of FOO: '"bar'), this now returns an error.

What's Changed

• Fix bug where internal unquoted whitespace truncates values by @​joho in joho/godotenv#205

Full Changelog: joho/godotenv@v1.5.0...v1.5.1

v1.5.0 - multiline variables

The big news this release is that godotenv finally, after much procrastination in review, supports multiline variables (fixes #64). Big shoutout to @​x1unix for the bulk of the work on the original PR and also to @​coolaj86 and @​austinsasko for some very helpful review and tweaks.

Also added a -o overload flag (thanks @​2tef)

What's Changed

• Try and fix go get in CI for power8 by @​joho in joho/godotenv#157
• Fix typos in comments and extend README by @​alexandear in joho/godotenv#177
• tune README by @​bikbah in joho/godotenv#170
• Remove renovate, add dependabot by @​joho in joho/godotenv#183
• Setup codeql by @​joho in joho/godotenv#186
• Bump actions/checkout from 2 to 3 by @​dependabot in joho/godotenv#184
• Bump actions/setup-go from 2 to 3 by @​dependabot in joho/godotenv#185
• Add darwin arm64 build by @​statik in joho/godotenv#174
• Sort Go import in README by @​Doarakko in joho/godotenv#193
• Fix godoc formatting by @​joho in joho/godotenv#197
• fix tiny details by @​2tef in joho/godotenv#199
• Multiline string support by @​x1unix in joho/godotenv#156
• Update CI to test go 1.20 by @​joho in joho/godotenv#201
• fix whitespace with gofmt by @​2tef in joho/godotenv#203
• add overload flag by @​2tef in joho/godotenv#200
• • Fix: ioutil.ReadAll() is deprecated, so removed it's dependency by @​dreygur in joho/godotenv#202

New Contributors

• @​x1unix made their first contribution in joho/godotenv#118
• @​alexandear made their first contribution in joho/godotenv#177
• @​bikbah made their first contribution in joho/godotenv#170
• @​dependabot made their first contribution in joho/godotenv#184
• @​statik made their first contribution in joho/godotenv#174
• @​Doarakko made their first contribution in joho/godotenv#193
• @​2tef made their first contribution in joho/godotenv#199
• @​dreygur made their first contribution in joho/godotenv#202

... (truncated)

Commits

• 3fc4292 Fix bug where internal unquoted whitespace truncates values (#205)
• b311b26 Fix: ioutil.ReadAll() is deprecated, so removed it's dependency (#202)
• 4321598 add overload flag (#200)
• 32a3b9b fix whitespace with gofmt (#203)
• 06bf2d6 Update CI to test go 1.20 (#201)
• cc9e9b7 Multiline string support (#156)
• 0f21d20 fix tiny details (#199)
• 5c76d3e Add punctuation to please godoc (#197)
• 85a2237 sort go import in readme (#193)
• add39c6 Remove power8 again as it wasn't fixed
• Additional commits viewable in compare view

Updates github.com/lib/pq from 1.10.9 to 1.11.1

Release notes

Sourced from github.com/lib/pq's releases.

v1.11.1

This fixes two regressions present in the v1.11.0 release:

• Fix build on 32bit systems, Windows, and Plan 9 (#1253).

• Named []byte types and pointers to []byte (e.g. *[]byte, json.RawMessage) would be treated as an array instead of bytea (#1252).

#1252: lib/pq#1252 #1253: lib/pq#1253

v1.11.0

This version of pq requires Go 1.21 or newer.

pq now supports only maintained PostgreSQL releases, which is PostgreSQL 14 and newer. Previously PostgreSQL 8.4 and newer were supported.

Features

• The pq.Error.Error() text includes the position of the error (if reported by PostgreSQL) and SQLSTATE code (#1219, #1224):

  pq: column "columndoesntexist" does not exist at column 8 (42703)
  pq: syntax error at or near ")" at position 2:71 (42601)
  

• The pq.Error.ErrorWithDetail() method prints a more detailed multiline message, with the Detail, Hint, and error position (if any) (#1219):

  ERROR:   syntax error at or near ")" (42601)
  CONTEXT: line 12, column 1:
   10 |     name           varchar,
   11 |     version        varchar,
   12 | );
        ^
  
  

• Add Config, NewConfig(), and NewConnectorConfig() to supply connection details in a more structured way (#1240).

• Support hostaddr and $PGHOSTADDR (#1243).

• Support multiple values in host, port, and hostaddr, which are each tried in order, or randomly if load_balance_hosts=random is set (#1246).

• Support target_session_attrs connection parameter (#1246).

• Support [sslnegotiation] to use SSL without negotiation (#1180).

• Allow using a custom tls.Config, for example for encrypted keys (#1228).

• Add PQGO_DEBUG=1 print the communication with PostgreSQL to stderr, to aid in debugging, testing, and bug reports (#1223).

• Add support for NamedValueChecker interface (#1125, #1238).

Fixes

... (truncated)

Changelog

Sourced from github.com/lib/pq's changelog.

v1.11.1 (2026-01-29)

This fixes two regressions present in the v1.11.0 release:

• Fix build on 32bit systems, Windows, and Plan 9 (#1253).

• Named []byte types and pointers to []byte (e.g. *[]byte, json.RawMessage) would be treated as an array instead of bytea (#1252).

#1252: lib/pq#1252 #1253: lib/pq#1253

v1.11.0 (2026-01-28)

This version of pq requires Go 1.21 or newer.

pq now supports only maintained PostgreSQL releases, which is PostgreSQL 14 and newer. Previously PostgreSQL 8.4 and newer were supported.

Features

• The pq.Error.Error() text includes the position of the error (if reported by PostgreSQL) and SQLSTATE code (#1219, #1224):

  pq: column "columndoesntexist" does not exist at column 8 (42703)
  pq: syntax error at or near ")" at position 2:71 (42601)
  

• The pq.Error.ErrorWithDetail() method prints a more detailed multiline message, with the Detail, Hint, and error position (if any) (#1219):

  ERROR:   syntax error at or near ")" (42601)
  CONTEXT: line 12, column 1:
   10 |     name           varchar,
   11 |     version        varchar,
   12 | );
        ^
  
  

• Add Config, NewConfig(), and NewConnectorConfig() to supply connection details in a more structured way (#1240).

• Support hostaddr and $PGHOSTADDR (#1243).

• Support multiple values in host, port, and hostaddr, which are each tried in order, or randomly if load_balance_hosts=random is set (#1246).

• Support target_session_attrs connection parameter (#1246).

• Support [sslnegotiation] to use SSL without negotiation (#1180).

... (truncated)

Commits

• eec526c Release v1.11.1 (#1255)
• 1928a1d Fix []byte types incorrectly converted to PostgreSQL array (#1252)
• 9e2aa8e Run staticcheck on all GOOS/GOARCH combinations
• c9320c4 Fix build on Windows and Plan9
• 2809526 Fix build on 32bit systems
• 8e88f7e Release 1.11.0
• 0ad3049 Handle pre-protocol errors to prevent memory exhaustion
• f1fae2e Add pqtest.Fake.Close()
• 3815d03 Remove assumption that the auth response is AuthenticateOk
• 589ad43 Implement load_balance_hosts=random
• Additional commits viewable in compare view

Updates github.com/microcosm-cc/bluemonday from 1.0.16 to 1.0.27

Release notes

Sourced from github.com/microcosm-cc/bluemonday's releases.

Update golang.org/x/net to latest and force latest version

Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.

Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.

Added src rewriter to allow for proxying inline assets.

What's Changed

• Bump golang.org/x/net from 0.10.0 to 0.12.0 by @​dependabot in microcosm-cc/bluemonday#178
• Prefer explicit rules over regexp by @​KN4CK3R in microcosm-cc/bluemonday#182
• Added src rewriter by @​yyewolf in microcosm-cc/bluemonday#179

New Contributors

• @​yyewolf made their first contribution in microcosm-cc/bluemonday#179

Full Changelog: microcosm-cc/bluemonday@v1.0.24...v1.0.25

Added AllowURLSchemesMatching

This is a feature release, there are no security fixes in this release.

What's Changed

• Minor bug fix parsing style attribute with trailing spaces by @​sergeyfedotov in microcosm-cc/bluemonday#172
• Allow custom URL schemes by matching regex by @​yardenshoham in microcosm-cc/bluemonday#175
• Bump golang.org/x/net from 0.8.0 to 0.10.0 by @​dependabot in microcosm-cc/bluemonday#173

New Contributors

• @​sergeyfedotov made their first contribution in microcosm-cc/bluemonday#172
• @​yardenshoham made their first contribution in microcosm-cc/bluemonday#175

Full Changelog: microcosm-cc/bluemonday@v1.0.23...v1.0.24

Resolve golang.org/x/net CVE-2022-41723

What's Changed

• Upgrade golang.org/x/net to 0.8.0 by @​barshociaj in microcosm-cc/bluemonday#165 to address CVE-2022-41723 which requires updating the x/net dependency

New Contributors

• @​barshociaj made their first contribution in microcosm-cc/bluemonday#165

Full Changelog: microcosm-cc/bluemonday@v1.0.22...v1.0.23

Add picture to list of elements allowed without attributes

This is not a security update!

This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.

The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .

Very minor bug fix to remove empty elements without attributes

Thanks to @​Gusted for microcosm-cc/bluemonday#151 which fixes a bug that allowed a policy to be defined in a way that input could've allowed an empty and meaningless element to be left in the output when it should not have done so.

This is not a security issue, and the details can be seen in the PR comment.

... (truncated)

Commits

• 10b8ac6 Remove SPDX header from LICENSE to enable GitHub auto-detection
• 30fb5d7 Don't duplicate attrs if multiple global policies allow them
• e244202 Update CONTRIBUTING.md (fixup of 109c9cf)
• 206ce8a Update the security policy
• 109c9cf Clean up developer instructions to a vanilla Go project
• e602a4a Fix RequireCrossOriginAnonymous when crossorigin attr is allowed
• 37251d9 Consistently raise minimum Go version and update CI
• 135e7bb all: upgrade dependencies
• 5703ea6 Merge pull request #207 from silverwind/4hex
• af654ef Merge pull request #202 from caarlos0/tidy
• Additional commits viewable in compare view

Updates github.com/prometheus/client_golang from 1.12.1 to 1.23.2

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.23.2 - 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

• [release-1.23] Upgrade to prometheus/common@v0.66.1 by @​aknuds1 in prometheus/client_golang#1869
• [release-1.23] Cut v1.23.2 by @​aknuds1 in prometheus/client_golang#1870

Full Changelog: prometheus/client_golang@v1.23.1...v1.23.2

v1.23.1 - 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

• [release-1.23] Upgrade to prometheus/common v0.66 by @​aknuds1 in prometheus/client_golang#1866
• [release-1.23] Cut v1.23.1 by @​aknuds1 in prometheus/client_golang#1867

Full Changelog: prometheus/client_golang@v1.23.0...v1.23.1

v1.23.0 - 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

... (truncated)

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

• [BUGFIX] prometheus: Revert of Inc, Add and Observe cumulative metric CAS optimizations (#1661), causing regressions on low contention cases.
• [BUGFIX] prometheus: Fix GOOS=ios build, broken due to process_collector_* wrong build tags.

1.21.0 / 2025-02-17

⚠️ This release contains potential breaking change if you upgrade github.com/prometheus/common to 0.62+ together with client_golang. ⚠️

... (truncated)

Commits

• 8179a56 Cut v1.23.2 (#1870)
• 4142b59 Merge pull request #1869 from prometheus/arve/upgrade-common
• 4ff40f0 Cut v1.23.1 (#1867)
• 989b029 Upgrade to prometheus/common v0.66 (#1866)
• e4b2208 Cut v1.23.0 (#1848<...

  Description has been truncated