Skip to content

chore(deps)(deps): bump the go-deps group across 1 directory with 5 updates#54

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/backend/go-deps-6fd81e8bc2
Open

chore(deps)(deps): bump the go-deps group across 1 directory with 5 updates#54
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/backend/go-deps-6fd81e8bc2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-deps group with 4 updates in the /backend directory: github.com/minio/minio-go/v7, github.com/redis/go-redis/v9, github.com/go-playground/validator/v10 and github.com/labstack/echo/v4.

Updates github.com/minio/minio-go/v7 from 7.1.0 to 7.2.0

Release notes

Sourced from github.com/minio/minio-go/v7's releases.

v7.2.0

What's Changed

Full Changelog: minio/minio-go@v7.1.0...v7.2.0

Commits

Updates github.com/redis/go-redis/v9 from 9.19.0 to 9.20.1

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @​ndyakov

🐛 Bug Fixes

  • RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @​ndyakov
  • FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @​ndyakov
  • CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @​madolson
  • PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @​cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​cxljs, @​madolson, @​ndyakov

Full Changelog: redis/go-redis@v9.20.0...v9.20.1

9.20.0

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

  • AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
  • INCREX (#3816) — atomic increment with expiration in a single round-trip.
  • XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
  • XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
  • TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
  • Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
  • JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.20.1 (2026-06-11)

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @​ndyakov

🐛 Bug Fixes

  • RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @​ndyakov
  • FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @​ndyakov
  • CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @​madolson
  • PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @​cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​cxljs, @​madolson, @​ndyakov

Full Changelog: redis/go-redis@v9.20.0...v9.20.1

9.20.0 (2026-05-28)

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8-rc1 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

  • AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
  • INCREX (#3816) — atomic increment with expiration in a single round-trip.
  • XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
  • XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
  • TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
  • Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
  • JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

... (truncated)

Commits
  • a13416b chore(release): 9.20.1 (#3847)
  • 10dc44f fix(push): fix peeking when push name is truncated (#3842)
  • e1a2d68 fix(ft.hybrid): Always generate vector param names if they are not provided b...
  • a4b234f chore(deps): bump codecov/codecov-action from 6 to 7 (#3845)
  • 974e717 fix(command): ignore unknown fields in CLUSTER SHARDS response (#3843)
  • 65d6abd fix(pubsub): prevent double reconnect in releaseConn (#3833)
  • 7d05dd3 chore(release): v9.20.0 (#3832)
  • 9756882 fix(test): make waitForSentinelClusterStable robust to disconnected r… (#3830)
  • 875ce21 fix(sentinel): do not close sentinel when replica list is empty (#3795)
  • 8a027f2 chore(ci): add govulncheck workflow (#3779)
  • Additional commits viewable in compare view

Updates github.com/go-playground/validator/v10 from 10.30.2 to 10.30.3

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

v10.30.3

What's Changed

New Contributors

Full Changelog: go-playground/validator@v10.30.2...v10.30.3

Commits
  • ac4c1ba fix(docs): correct ripemd160 tag name in README validation table (#1582)
  • feacb34 feat: omit blank tag names from namespace (#1567)
  • 5ed0a7e chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 (#1580)
  • 0364541 fix(cron): anchor regex and accept full cron syntax (#1577)
  • 8eb2659 chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#1571)
  • f7e1721 chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 (#1572)
  • cf37fce fix(lint): correctly disable govet inline analyzer & deprecated gomodguard (#...
  • 7c334e5 fix: reject hostnames with trailing hyphen in RFC 952 validator (#1569)
  • 6bcb7bc feat: add origin validator for web origin URLs (#1565)
  • 6fd2fa8 docs: fix typos (#1568)
  • Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.3

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Full Changelog: labstack/echo@v4.15.2...v4.15.3

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.3 - 2026-06-14

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Commits
  • 8800212 Changelog for v4.15.3 (#3012)
  • c3fa2a2 fix(static): reject encoded path separators that bypass route-level middlewar...
  • See full diff in compare view

Updates golang.org/x/crypto from 0.50.0 to 0.52.0

Commits
  • a1c0d99 go.mod: update golang.org/x dependencies
  • 3c7c869 ssh: fix deadlock on unexpected channel responses
  • 533fb3f ssh: fix source-address critical option bypass
  • abbc44d ssh: fix incorrect operator order
  • e052873 ssh: fix infinite loop on large channel writes due to integer overflow
  • b61cf85 ssh: enforce user presence verification for security keys
  • 9c2cd33 ssh: enforce strict limits on DSA key parameters
  • 8907318 ssh: reject RSA keys with excessively large moduli
  • ffd87b4 ssh: fix panic when authority callbacks are nil
  • 4e7a738 ssh: fix deadlock on unexpected global responses
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps)(deps): bump the go-deps group across 1 directory with 5 u…
d126a4b 
…pdates

Bumps the go-deps group with 4 updates in the /backend directory: [github.com/minio/minio-go/v7](https://github.com/minio/minio-go), [github.com/redis/go-redis/v9](https://github.com/redis/go-redis), [github.com/go-playground/validator/v10](https://github.com/go-playground/validator) and [github.com/labstack/echo/v4](https://github.com/labstack/echo).


Updates `github.com/minio/minio-go/v7` from 7.1.0 to 7.2.0
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](minio/minio-go@v7.1.0...v7.2.0)

Updates `github.com/redis/go-redis/v9` from 9.19.0 to 9.20.1
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](redis/go-redis@v9.19.0...v9.20.1)

Updates `github.com/go-playground/validator/v10` from 10.30.2 to 10.30.3
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](go-playground/validator@v10.30.2...v10.30.3)

Updates `github.com/labstack/echo/v4` from 4.15.2 to 4.15.3
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.3/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.3)

Updates `golang.org/x/crypto` from 0.50.0 to 0.52.0
- [Commits](golang/crypto@v0.50.0...v0.52.0)

---
updated-dependencies:
- dependency-name: github.com/minio/minio-go/v7
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.20.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/go-playground/validator/v10
  dependency-version: 10.30.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: backend, dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants