
build(deps): bump the minor-and-patch group across 1 directory with 4 updates #37

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/minor-and-patch-5618abe507


@dependabot dependabot Bot commented on behalf of github Jun 2, 2026


Bumps the minor-and-patch group with 4 updates in the / directory: github.com/a-h/templ, github.com/jackc/pgx/v5, github.com/xraph/forge and go.mongodb.org/mongo-driver/v2.

Updates github.com/a-h/templ from 0.3.1001 to 0.3.1020

Release notes

Sourced from github.com/a-h/templ's releases.

v0.3.1020

Changelog

  • 09d6b02 chore: bump version
  • a411f13 chore: fix linter warning in test code
  • 524cd39 feat: add -check flag, closes #1007 (#1373)
  • f3d595c feat: add Range to ExpressionAttribute nodes (#1347)
  • 82af17c feat: add Range to GoCode nodes (#1348)
  • cf98cdc feat: add Range to StringExpression nodes (#1349)
  • ff38cee feat: add ranges for attribute node values (#1383)
  • 552ed02 feat: support concurrent rendering of templ components (#1359)
  • b310a97 fix(generatecmd): check cmd.Start() error before inserting cmd in to running map (#1382)
  • 410a80e fix(lsp): delete $GOROOT hack in uri.File
  • 95a0854 fix: allow JSFuncCall on arbitrary HTML attributes (#1375)
  • e581c01 fix: attributes containing a conditional, are always multiline (#1380)
  • b2952ed fix: clear children context in Fragment.Render (#1360)
  • 8fecf2d fix: prevent corrupted output in watch mode with gzip, fixes #1365 (#1366)
  • 7adcb62 fix: show correct updates based on written Go files without watch (#1363)
  • aa493e0 fix: track Range for non-JavaScript ScriptExpression nodes (#1350)
  • d52d64e fix: use dedicated shadow host in Suspense example to ensure header is rendered (#1370)
  • 83176f9 fix: vulnerabilities in x/net (only affects templ watch mode and tests), fixes #1354
Commits
  • 09d6b02 chore: bump version
  • ff38cee feat: add ranges for attribute node values (#1383)
  • e581c01 fix: attributes containing a conditional, are always multiline (#1380)
  • b310a97 fix(generatecmd): check cmd.Start() error before inserting cmd in to `run...
  • 95a0854 fix: allow JSFuncCall on arbitrary HTML attributes (#1375)
  • 8fecf2d fix: prevent corrupted output in watch mode with gzip, fixes #1365 (#1366)
  • a411f13 chore: fix linter warning in test code
  • 524cd39 feat: add -check flag, closes #1007 (#1373)
  • d52d64e fix: use dedicated shadow host in Suspense example to ensure header is render...
  • 552ed02 feat: support concurrent rendering of templ components (#1359)
  • Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.8.0 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

5.9.1 (March 22, 2026)

  • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

  • Require Go 1.25+
  • Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
  • Add OAuth authentication support for PostgreSQL 18 (David Schneider)
  • Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
  • Add tsvector type support (Adam Brightwell)
  • Skip Describe Portal for cached prepared statements reducing network round trips
  • Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
  • Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
  • Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
  • Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
  • Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
  • Make RowsAffected faster (Abhishek Chanda)
  • Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
  • Fix: ContextWatcher goroutine leak (Hank Donnay)
  • Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)

... (truncated)

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • 4e4eaed Release v5.9.1
  • 6273188 Fix batch result format corruption when using cached prepared statements
  • Additional commits viewable in compare view

Updates github.com/xraph/forge from 1.6.5 to 1.6.6

Release notes

Sourced from github.com/xraph/forge's releases.

v1.6.6

Forge Framework v1.6.6 (2026-06-01T04:33:49Z)

Welcome to this new release of Forge Framework!

Changelog

New Features

  • 10c789de54ae0efe5f897cbddd593e9dae2b9b09: feat: add HTTP response wrapper methods for WebSocket hijacking, flushing, and HTTP/2 push support (@​juicycleff)
  • 9f690cd2dc0cb674e47edaf1a4a5dc560e1e8e4b: feat: expand slot catalog with new intent kinds and validate compositions (@​juicycleff)

Bug Fixes

  • fee7a572cf20d85d569c2c77e3e8acb5895c16d1: fix: fixed dashboard contract for auth related extensions (@​juicycleff)
  • c5a6b490a960a5f0787252656ced04c196a8556d: fix: improve PR title and commit validation logic in workflow (@​juicycleff)

Refactoring

  • 7783bec04312d92b19f05682e7351cef779fae8d: refactor: streamline Go module caching in CI workflow (@​juicycleff)

Documentation Updates

  • 3362108c9c1c98170f695bc0246213068a400464: docs(changelog): update CHANGELOG.md for v1.6.5 (@​github-actions[bot])

Other Changes

  • 50995281ec1099cbdb9b1242288d87dda424a63e: chore(deps): update Kubernetes dependencies to v0.35.5 across multiple extensions (@​juicycleff)

Installation

Using Go Install

go install github.com/xraph/forge/cmd/forge@v1.6.6

Download Binary

Download the appropriate binary for your platform from the assets below.

Using Package Managers

# Homebrew (macOS/Linux)
brew install xraph/tap/forge
# Scoop (Windows)
scoop bucket add xraph https://github.com/xraph/scoop-bucket
scoop install forge

What's Changed

Full changelog: xraph/forge@v1.6.5...v1.6.6

Changelog

Sourced from github.com/xraph/forge's changelog.

1.6.6 (2026-06-01)

Features

  • add HTTP response wrapper methods for WebSocket hijacking, flushing, and HTTP/2 push support (10c789d)

Bug Fixes

  • improve PR title and commit validation logic in workflow (c5a6b49)

Refactoring

  • streamline Go module caching in CI workflow (7783bec)

Maintenance

  • changelog: update CHANGELOG.md for v1.6.5 (3362108)
  • deps: update Kubernetes dependencies to v0.35.5 across multiple extensions (5099528)
Commits
  • 7d61625 Merge pull request #31 from xraph/dashboard-contract-slice-a
  • 3362108 docs(changelog): update CHANGELOG.md for v1.6.5
  • c5a6b49 fix: improve PR title and commit validation logic in workflow
  • fee7a57 fix: fixed dashboard contract for auth related extensions
  • 9f690cd feat: expand slot catalog with new intent kinds and validate compositions
  • 10c789d feat: add HTTP response wrapper methods for WebSocket hijacking, flushing, an...
  • 7783bec refactor: streamline Go module caching in CI workflow
  • 5099528 chore(deps): update Kubernetes dependencies to v0.35.5 across multiple extens...
  • See full diff in compare view

Updates go.mongodb.org/mongo-driver/v2 from 2.5.0 to 2.6.0

Release notes

Sourced from go.mongodb.org/mongo-driver/v2's releases.

MongoDB Go Driver 2.6.0

The MongoDB Go Driver Team is pleased to release version 2.6.0 of the official MongoDB Go Driver.

Release Highlights

[!IMPORTANT] Go Driver v2.6 will be the last minor version to support MongoDB 4.2. Go Driver v2.7 will require MongoDB 4.4 or newer.

This release adds support for MongoDB's Intelligent Workload Management (IWM) and ingress connection rate limiting features. The driver now gracefully handles write-blocking scenarios and optimizes connection establishment during high-load conditions to maintain application availability.

Two new methods of ClientOptions are available:

  • SetMaxAdaptiveRetries - specifies the maximum number of times the driver should retry operations that fail with a server side overload error. If not invoked, the default is 2. MaxAdaptiveRetries can also be set through the "maxAdaptiveRetries" URI option (e.g. "maxAdaptiveRetries=5").
  • SetEnableOverloadRetargeting - specifies whether the driver should enable overload retargeting for operations that fail with a server side overload error. If not invoked, the default is false. EnableOverloadRetargeting can also be set through the "enableOverloadRetargeting" URI option (e.g. "enableOverloadRetargeting=true").

What's Changed

✨ New Features

Full Changelog: mongodb/mongo-go-driver@v2.5.1...v2.6.0

For a full list of tickets included in this release, please see the list of fixed issues.

Documentation for the Go Driver can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. For issues with, questions about, or feedback for the Go Driver, please look into our support channels, including StackOverflow. Bugs can be reported in the Go Driver project in the MongoDB JIRA where a list of current issues can be found. Your feedback on the Go Driver is greatly appreciated!

MongoDB Go Driver 2.5.1

The MongoDB Go Driver Team is pleased to release version 2.5.1 of the official MongoDB Go Driver.

Release Highlights

This release fixes two BSON unmarshaling edge cases.

What's Changed

🐛 Fixed

... (truncated)

Commits
  • fd85a83 BUMP v2.6.0
  • 52b385d GODRIVER-3829 Cleanup skip list. (#2369)
  • 71375d7 Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.1...
  • 65f4e94 GODRIVER-3870 Use a generic type parameter for retry func in overload code ex...
  • 00ab776 GODRIVER-3849 Update backpressure errors handling examples. (#2365)
  • fa56c25 Bump github/codeql-action from 4.35.1 to 4.35.2 in the actions group (#2367)
  • 4ee727e GODRIVER-3844 Add maxAdaptiveRetries and enableOverloadRetargeting option...
  • 881269a GODRIVER-3810 Update WithTransaction to raise timeout error. (#2344)
  • c1d47f7 Bump actions/upload-artifact from 7.0.0 to 7.0.1 in the actions group (#2361)
  • 9a15470 GODRIVER-3658 Implement backpressure retry logic. (#2353)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
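
The conditions listed in the pgx 5.9.2 changelog entry quoted in the comment above (GHSA-j88v-2chj-qfwx) can be audited for in a code base's own query strings. This is an added example, not part of the PR or of pgx: the hypothetical helper `PlaceholdersInDollarQuotes` flags `$N` tokens that sit inside dollar-quoted literals (conditions 2 and 3), and assumes single-quoted strings and SQL comments do not need to be parsed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// openTag matches a PostgreSQL dollar-quote delimiter: $$ or $tag$.
var openTag = regexp.MustCompile(`\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$`)

// placeholder matches a positional parameter such as $1 or $12.
var placeholder = regexp.MustCompile(`\$[0-9]+`)

// PlaceholdersInDollarQuotes (hypothetical helper) returns every $N token
// found inside a dollar-quoted literal of sql. Heuristic: single-quoted
// strings and comments are not parsed, so hits are review candidates.
func PlaceholdersInDollarQuotes(sql string) []string {
	var hits []string
	for pos := 0; pos < len(sql); {
		loc := openTag.FindStringIndex(sql[pos:])
		if loc == nil {
			break
		}
		tag := sql[pos+loc[0] : pos+loc[1]]
		bodyStart := pos + loc[1]
		end := strings.Index(sql[bodyStart:], tag)
		if end < 0 {
			end = len(sql) - bodyStart // unterminated literal: scan to the end
		}
		hits = append(hits, placeholder.FindAllString(sql[bodyStart:bodyStart+end], -1)...)
		pos = bodyStart + end + len(tag)
	}
	return hits
}

func main() {
	// Constructed samples; the first is the query from the changelog entry.
	for _, q := range []string{
		"select $tag$ $1 $tag$, $1",
		"select $$ plain text $$, $1",
		"select $fn$ a $2 b $10 $fn$",
	} {
		fmt.Printf("%q -> %v\n", q, PlaceholdersInDollarQuotes(q))
	}
}
```

A hit matters when the query is also executed with `pgx.QueryExecModeSimpleProtocol` on a pgx version older than 5.9.2 and the placeholder value is not trusted.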

… updates

Bumps the minor-and-patch group with 4 updates in the / directory: [github.com/a-h/templ](https://github.com/a-h/templ), [github.com/jackc/pgx/v5](https://github.com/jackc/pgx), [github.com/xraph/forge](https://github.com/xraph/forge) and [go.mongodb.org/mongo-driver/v2](https://github.com/mongodb/mongo-go-driver).


Updates `github.com/a-h/templ` from 0.3.1001 to 0.3.1020
- [Release notes](https://github.com/a-h/templ/releases)
- [Commits](a-h/templ@v0.3.1001...v0.3.1020)

Updates `github.com/jackc/pgx/v5` from 5.8.0 to 5.9.2
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.8.0...v5.9.2)

Updates `github.com/xraph/forge` from 1.6.5 to 1.6.6
- [Release notes](https://github.com/xraph/forge/releases)
- [Changelog](https://github.com/xraph/forge/blob/main/CHANGELOG.md)
- [Commits](xraph/forge@v1.6.5...v1.6.6)

Updates `go.mongodb.org/mongo-driver/v2` from 2.5.0 to 2.6.0
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/a-h/templ
  dependency-version: 0.3.1020
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/xraph/forge
  dependency-version: 1.6.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: go.mongodb.org/mongo-driver/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 2, 2026


Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


vercel Bot commented Jun 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
warden Error Error Jun 2, 2026 8:46pm

Request Review


dependabot Bot commented on behalf of github Jun 2, 2026


Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 2, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/minor-and-patch-5618abe507 branch June 2, 2026 20:56