deps: bump the minor-and-patch group across 1 directory with 6 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
github.com/getkin/kin-openapi	0.137.0	0.139.0
github.com/go-chi/chi/v5	5.2.5	5.3.0
github.com/oapi-codegen/runtime	1.4.0	1.4.1
github.com/onsi/ginkgo/v2	2.28.3	2.29.0
github.com/onsi/gomega	1.40.0	1.41.0
github.com/open-policy-agent/opa	1.16.1	1.16.2

Updates github.com/getkin/kin-openapi from 0.137.0 to 0.139.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.139.0

What's Changed

• feat(openapi3): batch-convert long-tail RequiredFieldError sites by @​reuvenharrison in getkin/kin-openapi#1170
• feat(openapi3): typed validation error clusters (combined: #1171-#1179) by @​reuvenharrison in getkin/kin-openapi#1180
• openapi3gen: skip component export for anonymous types by @​0-don in getkin/kin-openapi#1163
• feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by @​reuvenharrison in getkin/kin-openapi#1181
• openapi3: typed context errors for Validate() wrapper chain by @​reuvenharrison in getkin/kin-openapi#1183
• openapi3: track Origin on the document root (T) by @​reuvenharrison in getkin/kin-openapi#1184
• openapi3: tests flakiness corrected by @​fenollp in getkin/kin-openapi#1159
• openapi3: aggregate independent validation errors via EnableMultiError by @​reuvenharrison in getkin/kin-openapi#1185
• openapi3: fix validation of duplicated path templates by @​reuvenharrison in getkin/kin-openapi#1189
• openapi3: type the remaining bare-error validation sites by @​reuvenharrison in getkin/kin-openapi#1187

Full Changelog: getkin/kin-openapi@v0.138.0...v0.139.0

v0.138.0

What's Changed

• openapi3gen: clear nullable on exported component bodies by @​0-don in getkin/kin-openapi#1164
• openapi3: add test for issue #927 (nullable not respected on $ref schemas) by @​fenollp in getkin/kin-openapi#1165
• test: move public-API tests to external _test packages by @​fenollp in getkin/kin-openapi#1168
• feat(openapi3): add per-type validation errors with cluster wrappers by @​reuvenharrison in getkin/kin-openapi#1166
• feat(openapi3conv): canonicalization pass for 3.0 -> 3.x by @​reuvenharrison in getkin/kin-openapi#1162
• openapi3conv: test Upgrade on many documents by @​fenollp in getkin/kin-openapi#1169

Full Changelog: getkin/kin-openapi@v0.137.0...v0.138.0

Commits

• 8381bfc openapi3: type the remaining bare-error validation sites (#1187)
• d29b5c0 openapi3: fix validation of duplicated path templates (#1189)
• e56c2c7 openapi3: aggregate independent validation errors via EnableMultiError (#1185)
• 7ea1ac8 openapi3: tests flakiness corrected (#1159)
• dc70f84 openapi3: track Origin on the document root (T) (#1184)
• 69492df openapi3: typed context errors for Validate() wrapper chain (#1183)
• 0a89925 un-patch YAML serialization of dates (see issue #697)
• 55a4c72 openapi3: re-enable tests disabled due to YAML dates in map keys
• c61836c ci: fixup lint after modifications to marsh.go
• 7633481 feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTim...
• Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Updates github.com/oapi-codegen/runtime from 1.4.0 to 1.4.1

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

Bug fixes

This is a bug fix release.

Changes in v1.4.0, coupled with changes in v2.7.0 of oapi-codegen exposed some new problems. deepObject style marshaling behavior now supports encoding unicode. UTF-8 can't be directly included in parameters, so we need to % escape it.

Form binding now detects maps, which makes binding to a Nullable possible. We can't use generics around Nullable[T], so we handle maps generically, assuming they're a Nullable with its behavior assumptions.

🐛 Bug fixes

• Fix form binding of Nullables (#133) @​mromaszewicz
• Percent-encode deepObject parameter wire output (#132) @​mromaszewicz

📦 Dependency updates

• chore(deps): update oapi-codegen/actions action to v0.7.0 (#127) @renovate[bot]
• chore(deps): update github/codeql-action action to v4 (#107) @renovate[bot]
• fix(deps): update module github.com/kataras/iris/v12 to v12.2.11 (#11) @renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

Commits

• 2755f15 Fix form binding of Nullables (#133)
• 17de1dd Percent-encode deepObject parameter wire output (#132)
• d2b7c4c chore(deps): update oapi-codegen/actions action to v0.7.0
• 6fd6c25 chore(deps): update github/codeql-action action to v4
• 19040cc fix(deps): update module github.com/kataras/iris/v12 to v12.2.11
• e05282e chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122)
• See full diff in compare view

Updates github.com/onsi/ginkgo/v2 from 2.28.3 to 2.29.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.29.0

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

Commits

• 04b5bcb v2.29.0
• 124232a docs: GinkgoHelperGo
• ad9cee8 feat: GinkgoHelperGo, with integration tests
• 9e56a0a chore: refactor devcontainer for better maintenance
• 3d235a9 chore: ignore internal/tmp_*/ integration suite temporary dirs
• 782666a feat: devcontainer configuration with local pkgsite and GH pages
• 009dd04 Support DescribeTableSubtree in ginkgo outline
• See full diff in compare view

Updates github.com/onsi/gomega from 1.40.0 to 1.41.0

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

Commits

• af2bccb v1.41.0
• 73e81f6 v1.41.0 (full)
• e35a84f feat: devcontainer configuration with local pkgsite and GH pages
• f12e5e1 fix(format): detect pointer cycles to avoid runaway formatting output
• e14831f Add optionalDescription docs to AsyncAssertion and Assertion interfaces
• 344b94d Add BeASlice and BeAnArray matchers
• See full diff in compare view

Updates github.com/open-policy-agent/opa from 1.16.1 to 1.16.2

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.16.2

This release updates the version of Go used to build the OPA binaries and images to 1.26.3; addressing a number of vulnerabilities.

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.16.2

This release updates the version of Go used to build the OPA binaries and images to 1.26.3; addressing a number of vulnerabilities.

Commits

• 85f6d99 Prepare v1.16.2 release
• 1466714 build: bump go 1.26.2 -> 1.26.3
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions