build(deps): Bump github.com/bufbuild/buf from 1.4.0 to 1.67.0

[dependabot]

Bumps github.com/bufbuild/buf from 1.4.0 to 1.67.0.

Release notes

Sourced from github.com/bufbuild/buf's releases.

v1.67.0

• Fix LSP not skipping buf.build/docs links for lint rules from check plugins and policies.
• Fix buf dep graph --format json silently dropping dependencies when a dependency was already seen.
• Add support for --rbs_out as a protoc_builtin plugin (requires protoc v34.0+).
• Add relevant links from CEL LSP hover documentation to either <celbyexample.com> or <protovalidate.com>
• Add OpenBSD and FreeBSD release binaries for amd64 and arm64.
• Skip writing unchanged output files in buf generate to preserve modification times
• Update buf beta registry plugin delete to prompt the user for deletion, matching the UX of the other deletion commands. Use --force to restore the old behavior.

v1.66.1

• Fix exclude_types in buf generate dropping transitive dependencies of import files retained for their extension fields.

v1.66.0

• Add LSP comment ignore code action to add comment ignores for lint errors.
• Fix buf breaking module comparison when adding new modules.
• Add LSP hover support for protovalidate CEL expressions.
• Fixed offset handling in CEL semantic tokens for non-ASCII content and proto escape sequences in multi-line string literal expressions.
• Improve URI normalization for the LSP.

v1.65.0

• Add buf registry policy {commit,create,delete,info,label,settings} commands to manage BSR policies.
• Add LSP deprecate code action to add the deprecated option on types and symbols.
• Fix import LSP document link to not include import keyword.
• Update PROTOVALIDATE lint rule to support checking unenforceable required rules on repeated.items, map.keys and map.values.
• Add buf source edit deprecate command to deprecate types by setting the deprecate = true option.

v1.64.0

• Fix LSP completion for options.
• Add LSP document highlighting support.
• Add LSP completion for fully-qualified type references.
• Improve LSP semantic tokens implementation (for syntax highlighting).
• Add LSP organize imports code action to add missing imports, remove unused imports, and sort imports alphabetically.
• Add LSP document link support.
• Add LSP folding range support.
• Update PROTOVALIDATE lint rule to support checking cel_expression fields for valid CEL.

v1.63.0

• Update PROTOVALIDATE lint rule to support field mask rules.
• Add LSP completion for field numbers.

v1.62.1

• Fix default behavior for swift_prefix to remain unset when no override is provided in managed mode.

v1.62.0

• Add swift_prefix to managed mode.
• Add textDocument/rename and textDocument/prepareRename support for buf lsp serve.
• Fix panic in LSP for empty option paths.
• Fix support for multi-arch image manifests for buf beta registry plugin push.

v1.61.0

... (truncated)

Changelog

Sourced from github.com/bufbuild/buf's changelog.

[v1.67.0] - 2026-04-01

• Fix LSP not skipping buf.build/docs links for lint rules from check plugins and policies.
• Fix buf dep graph --format json silently dropping dependencies when a dependency was already seen.
• Add support for --rbs_out as a protoc_builtin plugin (requires protoc v34.0+).
• Add relevant links from CEL LSP hover documentation to either <celbyexample.com> or <protovalidate.com>
• Add OpenBSD and FreeBSD release binaries for amd64 and arm64.
• Skip writing unchanged output files in buf generate to preserve modification times
• Update buf beta registry plugin delete to prompt the user for deletion, matching the UX of the other deletion commands. Use --force to restore the old behavior.

[v1.66.1] - 2026-03-09

• Fix exclude_types in buf generate dropping transitive dependencies of import files retained for their extension fields.

[v1.66.0] - 2026-02-23

• Add LSP comment ignore code action to add comment ignores for lint errors.
• Fix buf breaking module comparison when adding new modules.
• Add LSP hover support for protovalidate CEL expressions.
• Fixed offset handling in CEL semantic tokens for non-ASCII content and proto escape sequences in multi-line string literal expressions.
• Improve URI normalization for the LSP.

[v1.65.0] - 2026-02-03

• Add buf registry policy {commit,create,delete,info,label,settings} commands to manage BSR policies.
• Add LSP deprecate code action to add the deprecated option on types and symbols.
• Fix import LSP document link to not include import keyword.
• Update PROTOVALIDATE lint rule to support checking unenforceable required rules on repeated.items, map.keys and map.values.
• Add buf source edit deprecate command to deprecate types by setting the deprecate = true option.

[v1.64.0] - 2026-01-19

• Fix LSP completion for options.
• Add LSP document highlighting support.
• Add LSP completion for fully-qualified type references.
• Improve LSP semantic tokens implementation (for syntax highlighting).
• Add LSP organize imports code action to add missing imports, remove unused imports, and sort imports alphabetically.
• Add LSP document link support.
• Add LSP folding range support.
• Update PROTOVALIDATE lint rule to support checking cel_expression fields for valid CEL.

[v1.63.0] - 2026-01-06

• Update PROTOVALIDATE lint rule to support field mask rules.
• Add LSP completion for field numbers.

[v1.62.1] - 2025-12-29

... (truncated)

Commits

• 92a0237 Release v1.67.0 (#4426)
• 1b674f6 Revert "Use overlay bucket on buf.lock updates" (#4424)
• 88cea79 Skip adding links in LSP diagnostics for check plugins / policies (#4423)
• ece705f Add a prompt to buf beta registry plugin delete (#4421)
• d64c589 Implement smart clean (#4413)
• 725a0cf Set CHANGELOG gitattributes to union merge (#4420)
• ac1e8e4 Add release binaries for FreeBSD / OpenBSD (#4401)
• 540c848 Fix buf dep graph --format json silently dropping dependencies (#4419)
• 9c513a2 Upgrade buf.build/go/standard to latest main (#4414)
• a63b4cb Bump golangci-lint to latest and fix issues (#4410)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Medium Risk
Large dependency and toolchain upgrade (including go version and grpc/x/* libs) that can cause build, lint/proto generation, or transitive compatibility issues across the repo.

Overview
Upgrades the project toolchain by bumping the go version in go.mod and substantially refreshing module dependencies.

The primary change is updating github.com/bufbuild/buf to v1.67.0, which pulls in a broad set of new/updated transitive deps (notably LSP/CEL/protovalidate/connectrpc-related modules) and updates other key libraries (e.g., google.golang.org/grpc, golang.org/x/*, cobra, testify). The retract directive format is also adjusted and go.sum is regenerated accordingly.

^{Reviewed by Cursor Bugbot for commit d612d1f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[dependabot]

Labels

The following labels could not be found: S:automerge, T:dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d612d1f. Configure here.}

[cursor]

Massive Go version jump hidden in dependency bump

High Severity

The go directive jumped from 1.17 to 1.25.7 — an approximately 5-year leap in minimum Go version requirement. This is buried inside what the PR title describes as merely bumping buf. This will break builds for any developer or CI environment not running Go 1.25.7+, and the project's Makefile, Docker images, and CI configuration almost certainly still target Go 1.17-era toolchains. This effectively makes the entire project unbuildable without a coordinated Go toolchain upgrade.

 

^{Reviewed by Cursor Bugbot for commit d612d1f. Configure here.}