build(deps): bump pgdriver, mapstructure, testcontainers + currency refresh#115
Merged
Conversation
Contributor
Code Review
This pull request updates several project dependencies in go.mod and go.sum, including huma/v2, testcontainers-go, bun, OpenTelemetry, and gRPC. It also includes updates to various indirect dependencies and adds new ones such as moby/moby/api and pgregory.net/rapid. There are no review comments provided, and I have no feedback to provide.
jalbrethsen-highflame approved these changes on May 5, 2026
…efresh
Closes the Go-ecosystem Dependabot alerts that were addressable via go get,
plus a currency refresh on the directly-used libraries that drift the most.
## Security-flagged
- uptrace/bun + dialect/pgdialect + driver/pgdriver: v1.2.11 -> v1.2.18
Closes pgdriver SQL injection (GHSA tracked by Dependabot, MEDIUM).
- go-viper/mapstructure/v2: v2.2.1 -> v2.5.0
Closes "May Leak Sensitive Information in Logs When Processing Malformed
Data" (MEDIUM, indirect via koanf).
- testcontainers-go + modules/postgres: v0.41.0 -> v0.42.0
Brings in moby/sys/* + sirupsen/logrus + gopsutil patch versions.
## Currency
- danielgtaylor/huma/v2: v2.37.2 -> v2.37.3
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc: v1.42.0 -> v1.43.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace + .../otlptracegrpc: v1.35.0 -> v1.43.0
- go.opentelemetry.io/proto/otlp: v1.9.0 -> v1.10.0
- google.golang.org/grpc: v1.79.3 -> v1.80.0
- google.golang.org/genproto/googleapis/{api,rpc}: 0209 -> 0401 snapshot
## Not addressed (known limitation)
The HIGH-severity docker/docker AuthZ-plugin-bypass advisory (>=v29.3.1)
is unactionable via go get. Moby's v29.x line uses docker-v29.x.x prefix
tags which the Go module proxy does not expose under
github.com/docker/docker; v28.5.2+incompatible is the maximum installable
version on the module path. The CVE concerns docker daemon AuthZ plugins
which we don't run -- testcontainers-go uses only the docker client to
manage test fixtures. Dependabot will continue to flag this until either
Moby republishes the v29.x line with plain v29.x.x tags or testcontainers
moves to a different docker client surface.
## Scope
- Root go.mod / go.sum only. pkg/authjwt/go.mod unchanged.
- Rebased onto current main (which now includes #114, jwx v4 + Go 1.26).
- No code changes -- pure dependency manifest update.
## Test plan
- [x] go vet ./... (root + pkg/authjwt) -- clean
- [x] Full integration suite (testcontainers Postgres) -- green ~10s
bun v1.2.18 deprecated bun.In in favor of bun.List/bun.Tuple. Inside an existing 'IN (?)' template, bun.List produces identical SQL to bun.In (comma-separated values, no surrounding parens), so this is a 1:1 mechanical swap. Resolves staticcheck SA1019 in lint-check.
Contributor
Author
Auto-fixed by pr-shepherd (iteration 1):
Local verification: Re-running CI.
rsharath added a commit that referenced this pull request on May 5, 2026
…npm advisories (#117)
Closes the three npm-side Dependabot alerts on cli/package-lock.json:

| Severity | Package | Before -> After | Advisory |
| -------- | ------- | --------------- | -------- |
| MEDIUM | postcss | 8.5.8 -> 8.5.14 | XSS via Unescaped </style> (GHSA-qx2v-qp2m-jg93) |
| MEDIUM | vite | 5.4.21 -> 6.4.2 | Dev-server response leak (GHSA-4w7w-66w2-5vf9) |
| MEDIUM | esbuild | 0.21.5 -> 0.25.12 | Dev-server CORS bypass (GHSA-67mh-4wv8-2f99) |

## Approach
- vitest direct: ^2 -> ^3. vitest@3 supports vite ^5/^6/^7; the override below pins it onto v6 transitively. Smaller migration than vitest@4 (which would force a major-major jump from v2). The test surface uses only describe/it/expect/beforeEach/vi.fn -- no v3 breaking changes exercised by this CLI's 101 tests.
- npm `overrides`:
  - `vite: ^6.4.2` -- forces vitest@3's transitive vite up from v5 to v6 (clears the vite advisory and pulls esbuild 0.25.x as a side effect).
  - `postcss: ^8.5.10` -- forces both tsup's and vite's transitive postcss onto a fixed line (8.5.14 ends up resolved). Without the override, tsup pins postcss@8.5.8 indirectly via postcss-load-config.

esbuild needs no explicit override -- vite@6.4.2 already pulls esbuild@0.25.12, well past the 0.24.2 advisory ceiling.
## Scope
- `cli/package.json` + `cli/package-lock.json` only.
- No src changes -- pure build-tool dependency update.
- Independent of #114 (jwx v4) and #115 (Go-side deps); both are Go-only.
## Test plan
- [x] `npm install` -- clean, 0 vulnerabilities.
- [x] `npm test` -- 101/101 passing (~590ms).
- [x] `npm run typecheck` -- clean.
- [x] `npm run build` (tsup) -- ESM + d.ts artifacts produced.
- [x] `npm run lint` (eslint) -- clean.
- [x] `npm audit` -- 0 vulnerabilities found.
## Summary
Closes the Go-ecosystem Dependabot alerts that are addressable via go get, plus a currency refresh on the directly-used libraries that drift the most. Pure dependency-manifest update — zero code changes, two files touched (go.mod, go.sum).
## Dependabot alerts closed
- github.com/uptrace/bun/driver/pgdriver
- github.com/go-viper/mapstructure/v2

uptrace/bun and uptrace/bun/dialect/pgdialect were bumped together with pgdriver (all three to v1.2.18) to keep the bun stack at one minor version.
## Currency
- github.com/danielgtaylor/huma/v2
- github.com/testcontainers/testcontainers-go (+ modules/postgres)
- go.opentelemetry.io/otel + sdk + sdk/metric + metric + trace
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
- go.opentelemetry.io/otel/exporters/otlp/otlptrace + .../otlptracegrpc
- go.opentelemetry.io/proto/otlp
- google.golang.org/grpc
- google.golang.org/genproto/googleapis/{api,rpc}
- moby/patternmatcher, shirou/gopsutil/v4, sirupsen/logrus
## Not addressed (known limitation)
The HIGH-severity docker/docker advisory (Moby AuthZ plugin bypass, ≥v29.3.1 required) is unactionable via go get. Moby's v29.x line uses docker-v29.x.x prefixed tags which the Go module proxy does not expose under github.com/docker/docker; v28.5.2+incompatible is the maximum installable version on this module path:

The CVE concerns the docker daemon's AuthZ plugin handling — we don't run docker daemon with AuthZ plugins. testcontainers-go uses only the docker client to manage test fixtures, so this CVE has no actual impact on our deployment. Dependabot will continue to flag the alert until either Moby republishes the v29.x line with plain v29.x.x tags or testcontainers-go moves off the legacy module path.
## Scope
- go.mod / go.sum only. pkg/authjwt/go.mod is untouched.
- go.mod / go.sum in this PR; build(deps): upgrade lestrrat-go/jwx v2 → v4 + Go 1.26 #114 also touches those but is a separate concern).
## Test plan
- [x] go vet ./... — clean (root + pkg/authjwt)
## Out of scope (separate workstreams)
- postcss < 8.5.10, vite <= 6.4.1, esbuild <= 0.24.2) — these are in cli/ (the TypeScript CLI) and the @highflame/sdk consumer surface. Different module ecosystem, different release cadence; should land as separate cli/ and sdk/ PRs.