Bump github.com/gin-gonic/gin from 1.10.1 to 1.11.0

[dependabot]

Bumps github.com/gin-gonic/gin from 1.10.1 to 1.11.0.

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.11.0

Changelog

Features

• 6ca8ddb1aed78d9ffaf984e5489111838242fedb: feat(binding): add BindPlain (#3904) (@​guonaihong)
• 4ccfa7c275c449990818e46759d5974a953cc1c1: feat(binding): add support for unixMilli and unixMicro (#4190) (@​takanuva15)
• 9d7c0e9e1a301f417df9dc89a8cadc3bf9063db2: feat(context): GetXxx added support for more go native types (#3633) (@​CC11001100)
• fb09c825e8e13134daaa90debfda198520e1b347: feat(context): add SetCookieData (#4240) (@​Narita-1095305)
• f05f966a0824b1d302ee556183e2579c91954266: feat(form): Support default values for collections in form binding (#4048) (@​takanuva15)
• 3cb30679b5e3021db16c776ed7e70d380586e9ce: feat(form): add array collection format in form binding (#3986) (@​slowhigh)
• 24d67647cb9b4e0bbdcdec7f0c2086e8004e1572: feat(form): add custom string slice for form tag unmarshal (#3970) (#3971) (@​bruceNu1l)
• 8791c96960e719ff2f41e24163c5898656cee474: feat(fs): Export, test and document OnlyFilesFS (#3939) (@​joeig)
• 71496abe6836462e2ed70436b7d72ea2a3585417: feat(fs): Implement loading HTML from http.FileSystem (#4053) (@​sunshineplan)
• 3ac729dc4a497d360a23b9d7e766c622b3c99f51: feat(gin): support http3 using quic-go/quic-go (#3210) (@​thinkerou)
• 4621b7ac982335d9a74432e182dd2bfc6d841431: feat(router): add literal colon support (#1432) (#2857) (@​wssccc)
• dbd8a2515093ad47cadc5c1fface89861a0b765c: feat: added AbortWithStatusPureJSON() in Context (#4290) (@​ddevsr)
• 688a429d19d8c804447bb889d3635e2c31a5564d: feat: support custom json codec at runtime (#3391) (@​timandy)

Bug fixes

• 8fb3136664254d7c592127f00d52849caba18a67: Revert "fix(time): binding time with empty value (#4103)" (#4245) (@​appleboy)
• e737e3e267beb4dc3bab16cc8be59e3902d98a94: fix(binding): prevent duplicate decoding and add validation in decodeToml (#4193) (@​revevide)
• 4f339e6a35b163d31b30916b37f4176d385f41bd: fix(context): YAML judgment logic in Negotiate (#3966) (@​RedCrazyGhost)
• 36b0dede4b8c4a67d92c4107cebc5a068364321d: fix(context): check handler is nil (#3413) (@​hktalent)
• e0d46ded6cb6974d55a255ab122d1aa6ca0cd60e: fix(context): verify URL is Non-nil in initQueryCache() (#3969) (@​adrianosela)
• dd33ff793861cee3baa77d575ff319119c366f3a: fix(docs): missing go markdown codeblock (#4266) (@​vdusart)
• b38c59de7fef67400a1c98efeae700a689c45783: fix(errors): change Unwrap method receiver to value type (#4232) (@​OrkhanAlikhanov)
• 28e57f58b184b2305ace192e02496bb89f6fd8cb: fix(form): Set default value for form fields (#4047) (@​ahmadSaeedGoda)
• 626d55b0c02937645c21774cacc021713de88604: fix(gin): Do not panic when handling method not allowed on empty tree (#4003) (@​phsym)
• 7d147928ee232fce156ea7ce8ae6329e148aeb41: fix(gin): data race warning for gin mode (#1580) (@​kplachkov)
• c677ccc40a60386565dd0d755efacb85d153feca: fix(go): invalid Go toolchain version (#3961) (@​thinkerou)
• 3319038418656a268c889393cb2dd4224c4469ec: fix(readme): fix broken link to English documentation (#4222) (@​eduardo-ax)
• 674522db91d637d179c16c372d87756ea26fa089: fix(time): binding time with empty value (#4103) (@​ksw2000)
• ea53388e6ee4a6a0a1647b390c56eeed780e7e56: fix(tree): Keep panic infos consistent when wildcard type build faild (#4077) (@​kingcanfish)
• 8763f33c65f7df8be5b9fe7504ab7fcf20abb41d: fix: prevent middleware re-entry issue in HandleContext (#3987) (@​bound2)
• 7a1b655074c313f9491c83bb8ea164cdc4a9afe9: fix: sonic on arm64 (#4234) (@​yashgorana)
• 5826722a87cf5855fcc4b794cbef11612352771d: fix: version number discrepancy (#4299) (@​suwakei)

Enhancements

• 40725d85badd647870df6f9fa7a75ac76341f804: chore(bind): return 413 status code when error is http.MaxBytesError (#4227) (@​ItalyPaleAle)
• f875d8728306c2c2c6f504900ab08cd1d8c47f12: chore(context): test context initialization and handler logic (#4087) (@​appleboy)
• e7693e67c23005743502962d3bb9839a354d6688: chore(deps): bump actions/setup-go from 5 to 6 (#4351) (@​dependabot[bot])
• afa0c31d97e1b112ccfe7652957f7d8514580c72: chore(deps): bump github.com/gin-contrib/sse from 0.1.0 to 1.1.0 (#4216) (@​dependabot[bot])
• 255af882db4baf0ed6209f1a5471f1663c5d0060: chore(deps): bump github.com/go-playground/validator/v10 (#4208) (@​dependabot[bot])
• 545fd74379a0b167a918e38626ae5f7eb83fb243: chore(deps): bump github.com/go-playground/validator/v10 (#4289) (@​dependabot[bot])
• c3c8620a7fb4e09c7845feca4e8e8a8678a2685d: chore(deps): bump github.com/go-playground/validator/v10 from 10.20.0 to 10.22.1 (#4052) (@​dependabot[bot])
• cf32d2dcf8c7534f59727c5e213e45f2412c593a: chore(deps): bump github.com/pelletier/go-toml/v2 from 2.2.2 to 2.2.4 (#4212) (@​dependabot[bot])
• bb824731032856460aa3ffc23bd90e11bf7d5199: chore(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.50.1 (#4197) (@​dependabot[bot])
• 61c2b1c28f0c5a754330545e31f02cd6d6f7944e: chore(deps): bump github.com/quic-go/quic-go from 0.51.0 to 0.52.0 (#4250) (@​dependabot[bot])
• b7d6308bcc84066df79a047ae363a6120fe87808: chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.53.0 (#4281) (@​dependabot[bot])
• 077a2f39c85700ba0823f85ed29cec0c8f2cbdfc: chore(deps): bump github.com/quic-go/quic-go from 0.53.0 to 0.54.0 (#4328) (@​dependabot[bot])
• 46150257b3eec60e3e0bf1cee7c03439099aef83: chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#4347) (@​dependabot[bot])
• a6287825c95821a378a34f8a5c9139ea1f6ebd96: chore(deps): bump github.com/ugorji/go/codec from 1.2.12 to 1.3.0 (#4268) (@​dependabot[bot])
• cc4e11438cd6c0bcc632fe3492d3817dfa21c337: chore(deps): bump golang.org/x/net from 0.25.0 to 0.27.0 (#4013) (@​dependabot[bot])

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.11.0

Features

• feat(gin): Experimental support for HTTP/3 using quic-go/quic-go (#3210)
• feat(form): add array collection format in form binding (#3986), add custom string slice for form tag unmarshal (#3970)
• feat(binding): add BindPlain (#3904)
• feat(fs): Export, test and document OnlyFilesFS (#3939)
• feat(binding): add support for unixMilli and unixMicro (#4190)
• feat(form): Support default values for collections in form binding (#4048)
• feat(context): GetXxx added support for more go native types (#3633)

Enhancements

• perf(context): optimize getMapFromFormData performance (#4339)
• refactor(tree): replace string(/) with "/" in node.insertChild (#4354)
• refactor(render): remove headers parameter from writeHeader (#4353)
• refactor(context): simplify "GetType()" functions (#4080)
• refactor(slice): simplify SliceValidationError Error method (#3910)
• refactor(context):Avoid using filepath.Dir twice in SaveUploadedFile (#4181)
• refactor(context): refactor context handling and improve test robustness (#4066)
• refactor(binding): use strings.Cut to replace strings.Index (#3522)
• refactor(context): add an optional permission parameter to SaveUploadedFile (#4068)
• refactor(context): verify URL is Non-nil in initQueryCache() (#3969)
• refactor(context): YAML judgment logic in Negotiate (#3966)
• tree: replace the self-defined 'min' to official one (#3975)
• context: Remove redundant filepath.Dir usage (#4181)

Bug Fixes

• fix: prevent middleware re-entry issue in HandleContext (#3987)
• fix(binding): prevent duplicate decoding and add validation in decodeToml (#4193)
• fix(gin): Do not panic when handling method not allowed on empty tree (#4003)
• fix(gin): data race warning for gin mode (#1580)
• fix(context): verify URL is Non-nil in initQueryCache() (#3969)
• fix(context): YAML judgment logic in Negotiate (#3966)
• fix(context): check handler is nil (#3413)
• fix(readme): fix broken link to English documentation (#4222)
• fix(tree): Keep panic infos consistent when wildcard type build faild (#4077)

Build process updates / CI

• ci: integrate Trivy vulnerability scanning into CI workflow (#4359)
• ci: support Go 1.25 in CI/CD (#4341)
• build(deps): upgrade github.com/bytedance/sonic from v1.13.2 to v1.14.0 (#4342)
• ci: add Go version 1.24 to GitHub Actions (#4154)
• build: update Gin minimum Go version to 1.21 (#3960)
• ci(lint): enable new linters (testifylint, usestdlibvars, perfsprint, etc.) (#4010, #4091, #4090)
• ci(lint): update workflows and improve test request consistency (#4126)

... (truncated)

Commits

• 6ad6205 docs(changelog): upgrade Gin to v1.11.0 and add release notes (#4361)
• 7858527 docs(changelog): update release notes for Gin v1.10.1 (#4360)
• cb000f5 ci: integrate Trivy vulnerability scanning into CI workflow (#4359)
• 2119046 ci: support Go 1.25 (#4341)
• da372fc build(deps): upgrade github.com/bytedance/sonic from v1.13.2 to v1.14.0 (#4342)
• e198f6e refactor(render): remove headers parameter from writeHeader (#4353)
• cca98d2 chore(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 (#4356)
• 9b1e353 refactor(tree): replace string(/) with "/" in node.insertChild (#4354)
• f9bd00a perf(context): optimize getMapFromFormData performance (#4339)
• 28172fa chore(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4346)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

go.mod

Name	Version	Vulnerability	Severity
github.com/quic-go/quic-go	0.54.0	quic-go: Panic occurs when queuing undecryptable packets after handshake completion	high

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/quic-go/quic-go	0.54.0	🟢 7.1	Details Check Score Reason Code-Review ⚠️ 1 Found 3/26 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Vulnerabilities 🟢 9 1 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
gomod/github.com/gin-gonic/gin	1.11.0	🟢 6.4	Details Check Score Reason Code-Review 🟢 7 Found 14/20 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 9 SAST tool detected but not run on all commits
gomod/github.com/quic-go/qpack	0.5.1	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 14 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 1/24 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 7 3 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/go.uber.org/mock	0.6.0	Unknown	Unknown

Scanned Files

• go.mod

[dhurley]

@dependabot rebase

[dhurley]

Closing PR as new version of github.com/gin-gonic/gin contains a new dependency that has a vulnerability. We will update github.com/gin-gonic/gin once it has a new version with a fix for this.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.