chore(deps): bump the go_modules group across 4 directories with 6 updates by dependabot[bot] · Pull Request #2071 · helixml/helix

dependabot · 2026-03-31T08:54:06Z

Bumps the go_modules group with 4 updates in the / directory: github.com/nats-io/nats-server/v2, github.com/lestrrat-go/jwx, go.opentelemetry.io/otel/sdk and filippo.io/edwards25519.
Bumps the go_modules group with 1 update in the /for-mac directory: golang.org/x/crypto.
Bumps the go_modules group with 3 updates in the /operator directory: github.com/nats-io/nats-server/v2, go.opentelemetry.io/otel/sdk and filippo.io/edwards25519.
Bumps the go_modules group with 1 update in the /sandbox/dns-proxy directory: golang.org/x/net.

Updates github.com/nats-io/nats-server/v2 from 2.10.14 to 2.11.15

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.15

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

1.25.8

Dependencies

golang.org/x/crypto v0.49.0 (#7953)

github.com/nats-io/jwt/v2 v2.8.1 (#7960)

github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op

github.com/klauspost/compress v1.18.4

github.com/nats-io/nats.go v1.49.0

github.com/nats-io/nkeys v0.4.15

CVEs

Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)

Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)

Fixes CVE-2026-33218 (affects systems using leafnodes)

Fixes CVE-2026-33219 (affects systems using WebSockets)

Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)

Fixes CVE-2026-33248 (affects systems using mutual TLS)

Fixes CVE-2026-33247 (affects systems providing credentials on the command line)

Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)

Changed

General

There is now a 1MB size limit on JWTs (#7960)

Improved

JetStream

The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

Improved handling of duplicate headers

... (truncated)

Commits

bef17e1 Release v2.11.15
e349b31 Cherry-picks for 2.11.15 (#62)
782a6df [FIXED] Avoid stalling read loop on leafnode ErrMinimumVersionRequired
74a5f6f Remove FIXME about auth callout nonce
ea8ae87 Message tracing requires client publish permission for Nats-Trace-Dest
3fd43a0 Rebuild request info headers on leaf service imports
8dbf004 [FIXED] MQTT flappers use monotonic time
265a99b Update JWT and other dependencies
d6d1dd9 Streaming parsing of WebSocket frames with limited memory allocations
e6057af [FIXED] Avoid parsing trace headers from HPUB payload
Additional commits viewable in compare view

Updates github.com/lestrrat-go/jwx from 1.1.7 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28

v1.2.28 09 Jan 2024
[Security Fixes]
  * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
    consists of three base64 strings concatenated with a '.') with missing "protected"
    headers could cause a panic, thereby introducing a possiblity of a DoS.
This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
lacking a protected header. Calling `jws.Verify` on this same JWS message will result
in a failed verification attempt. Note that this behavior will differ slightly when
parsing JWS messages in compact form, which result in an error.

v1.2.27

v1.2.27 - 03 Dec 2023
[Security]
  * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack,
    similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083.  All users should upgrade, as
    unlike v2, v1 attempts to decrypt JWEs on JWTs by default.
    [GHSA-7f9x-gw85-8grf]
[Bug Fixes]

[jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either
Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single
jwk.KeyOperation

[SECURITY] v1.2.26

v1.2.26 - 14 Jun 2023 [Security] * Potential Padding Oracle Attack Vulnerability and Timing Attack Vulnerability for JWE AES-CBC encrypted payloads affecting all v2 releases up to v2.0.10, all v1 releases up to v1.2.25, and all v0 releases up to v0.9.2 have been reported by @shogo82148. Please note that v0 versions will NOT receive fixes. This release fixes these vulnerabilities for the v1 series.

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28 09 Jan 2024 [Security Fixes]

[jws] JWS messages formated in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possiblity of a DoS.

This has been fixed so that the jws.Parse function succeeds in parsing a JWS message lacking a protected header. Calling jws.Verify on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27 - 03 Dec 2023 [Security]

[jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack, similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as unlike v2, v1 attempts to decrypt JWEs on JWTs by default. [GHSA-7f9x-gw85-8grf]

[Bug Fixes]

[jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either Set(.., ) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

v1.2.26 - 14 Jun 2023 [Security]

Potential Padding Oracle Attack Vulnerability and Timing Attack Vulnerability for JWE AES-CBC encrypted payloads affecting all v2 releases up to v2.0.10, all v1 releases up to v1.2.25, and all v0 releases up to v0.9.2 have been reported by @shogo82148.

Please note that v0 versions will NOT receive fixes. This release fixes these vulnerabilities for the v1 series.

[Miscellaneous]

JWE tests now only run algorithms that are supported by the underlying jose tool

v1.2.25 23 May 2022 [Bug Fixes][Security]

[jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding, where the unpad operation might remove more bytes than necessary (#744) This affects all jwx code that is available before v2.0.2 and v1.2.25.

... (truncated)

Commits

1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
4399ace Merge branch 'v1' into develop/v1
dc80fed Update Changes
e4c1511 silence linter
d01027d Merge pull request from GHSA-hj3v-m684-v259
3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.39.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)

Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)

Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)

Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)

Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)

Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)

Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)

Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)

Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)

Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
5e363de limit response body size for OTLP HTTP exporters (#8108)
35214b6 Use an absolute path when calling bsd kenv (#8113)
290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
e70658e fix: support getBody in otelploghttp (#8096)
4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

d1c650a extra: initialize receiver in MultiScalarMult
See full diff in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

d1c650a extra: initialize receiver in MultiScalarMult
See full diff in compare view

Updates github.com/nats-io/nats-server/v2 from 2.10.14 to 2.11.15

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.15

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

1.25.8

Dependencies

golang.org/x/crypto v0.49.0 (#7953)

github.com/nats-io/jwt/v2 v2.8.1 (#7960)

github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op

github.com/klauspost/compress v1.18.4

github.com/nats-io/nats.go v1.49.0

github.com/nats-io/nkeys v0.4.15

CVEs

Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)

Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)

Fixes CVE-2026-33218 (affects systems using leafnodes)

Fixes CVE-2026-33219 (affects systems using WebSockets)

Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)

Fixes CVE-2026-33248 (affects systems using mutual TLS)

Fixes CVE-2026-33247 (affects systems providing credentials on the command line)

Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)

Changed

General

There is now a 1MB size limit on JWTs (#7960)

Improved

JetStream

The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

Improved handling of duplicate headers

... (truncated)

Commits

bef17e1 Release v2.11.15
e349b31 Cherry-picks for 2.11.15 (#62)
782a6df [FIXED] Avoid stalling read loop on leafnode ErrMinimumVersionRequired
74a5f6f Remove FIXME about auth callout nonce
ea8ae87 Message tracing requires client publish permission for Nats-Trace-Dest
3fd43a0 Rebuild request info headers on leaf service imports
8dbf004 [FIXED] MQTT flappers use monotonic time
265a99b Update JWT and other dependencies
d6d1dd9 Streaming parsing of WebSocket frames with limited memory allocations
e6057af [FIXED] Avoid parsing trace headers from HPUB payload
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.39.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)

Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)

Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)

Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)

Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)

Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)

Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)

Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)

Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)

Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

... (truncated)

Commits

9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
5e363de limit response body size for OTLP HTTP exporters (#8108)
35214b6 Use an absolute path when calling bsd kenv (#8113)
290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
e70658e fix: support getBody in otelploghttp (#8096)
4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.33.0 to 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

Updates golang.org/x/net from 0.35.0 to 0.47.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes <p> and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
99b3ae0 go.mod: update golang.org/x dependencies
85d1d54 go.mod: update golang.org/x dependencies
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.33.0 to 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

Updates golang.org/x/net from 0.35.0 to 0.47.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes <p> and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
99b3ae0 go.mod: update golang.org/x dependencies
85d1d54 go.mod: update golang.org/x dependencies
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.33.0 to 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

Updates golang.org/x/net from 0.35.0 to 0.47.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes <p> and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
99b3ae0 go.mod: update golang.org/x dependencies
85d1d54 go.mod: update golang.org/x dependencies
Additional commits viewable in compare view

Updates golang.org/x/net from 0.35.0 to 0.47.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes <p> and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
99b3ae0 go.mod: update golang.org/x dependencies
85d1d54 go.mod: update golang.org/x dependencies
Additional commits viewable in compare view

Updates github.com/nats-io/nats-server/v2 from 2.10.14 to 2.11.15

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.15

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

1.25.8

Dependencies

golang.org/x/crypto v0.49.0 (#7953)

github.com/nats-io/jwt/v2 v2.8.1 (#7960)

github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op

github.com/klauspost/compress v1.18.4

github.com/nats-io/nats.go v1.49.0

github.com/nats-io/nkeys v0.4.15

CVEs

Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)

Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)

Fixes CVE-2026-33218 (affects systems using leafnodes)

Fixes CVE-2026-33219 (affects systems using WebSockets)

Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)

Fixes CVE-2026-33248 (affects systems using mutual TLS)

Fixes CVE-2026-33247 (affects systems providing credentials on the command line)

Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)

Changed

General

There is now a 1MB size limit on JWTs (#7960)

Improved

JetStream

The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

Improved handling of duplicate headers

... (truncated)

Commits

bef17e1 Release v2.11.15
e349b31 Cherry-picks for 2.11.15 (#62)
782a6df [FIXED] Avoid stalling read loop on leafnode ErrMinimumVersionRequired
74a5f6f Remove FIXME about auth callout nonce
ea8ae87 Message tracing requires client publish permission for Nats-Trace-Dest
3fd43a0 Rebuild request info headers on leaf service imports
8dbf004 [FIXED] MQTT flappers use monotonic time
265a99b Update JWT and other dependencies
d6d1dd9 Streaming parsing of WebSocket frames with limited memory allocations
e6057af [FIXED] Avoid parsing trace headers from HPUB payload
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.39.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)

Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)

Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)

Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)

Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)

Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)

Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)

Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)

Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv com...
Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

…dates Bumps the go_modules group with 4 updates in the / directory: [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server), [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx), [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) and [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519). Bumps the go_modules group with 1 update in the /for-mac directory: [golang.org/x/crypto](https://github.com/golang/crypto). Bumps the go_modules group with 3 updates in the /operator directory: [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server), [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) and [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519). Bumps the go_modules group with 1 update in the /sandbox/dns-proxy directory: [golang.org/x/net](https://github.com/golang/net). Updates `github.com/nats-io/nats-server/v2` from 2.10.14 to 2.11.15 - [Release notes](https://github.com/nats-io/nats-server/releases) - [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md) - [Commits](nats-io/nats-server@v2.10.14...v2.11.15) Updates `github.com/lestrrat-go/jwx` from 1.1.7 to 1.2.29 - [Release notes](https://github.com/lestrrat-go/jwx/releases) - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.29/Changes) - [Commits](lestrrat-go/jwx@v1.1.7...v1.2.29) Updates `go.opentelemetry.io/otel/sdk` from 1.39.0 to 1.43.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1 - [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1) Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1 - [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1) Updates `github.com/nats-io/nats-server/v2` from 2.10.14 to 2.11.15 - [Release notes](https://github.com/nats-io/nats-server/releases) - [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md) - [Commits](nats-io/nats-server@v2.10.14...v2.11.15) Updates `go.opentelemetry.io/otel/sdk` from 1.39.0 to 1.43.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) Updates `golang.org/x/crypto` from 0.33.0 to 0.45.0 - [Commits](golang/crypto@v0.33.0...v0.45.0) Updates `golang.org/x/net` from 0.35.0 to 0.47.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/crypto` from 0.33.0 to 0.45.0 - [Commits](golang/crypto@v0.33.0...v0.45.0) Updates `golang.org/x/net` from 0.35.0 to 0.47.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/crypto` from 0.33.0 to 0.45.0 - [Commits](golang/crypto@v0.33.0...v0.45.0) Updates `golang.org/x/net` from 0.35.0 to 0.47.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/net` from 0.35.0 to 0.47.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `github.com/nats-io/nats-server/v2` from 2.10.14 to 2.11.15 - [Release notes](https://github.com/nats-io/nats-server/releases) - [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md) - [Commits](nats-io/nats-server@v2.10.14...v2.11.15) Updates `go.opentelemetry.io/otel/sdk` from 1.39.0 to 1.43.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1 - [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1) Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1 - [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1) Updates `github.com/nats-io/nats-server/v2` from 2.10.14 to 2.11.15 - [Release notes](https://github.com/nats-io/nats-server/releases) - [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md) - [Commits](nats-io/nats-server@v2.10.14...v2.11.15) Updates `go.opentelemetry.io/otel/sdk` from 1.39.0 to 1.43.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.43.0) Updates `golang.org/x/net` from 0.27.0 to 0.38.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/net` from 0.27.0 to 0.38.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/net` from 0.27.0 to 0.38.0 - [Commits](golang/net@v0.27.0...v0.38.0) Updates `golang.org/x/net` from 0.27.0 to 0.38.0 - [Commits](golang/net@v0.27.0...v0.38.0) --- updated-dependencies: - dependency-name: filippo.io/edwards25519 dependency-version: 1.1.1 dependency-type: indirect - dependency-name: filippo.io/edwards25519 dependency-version: 1.1.1 dependency-type: indirect - dependency-name: filippo.io/edwards25519 dependency-version: 1.1.1 dependency-type: indirect - dependency-name: filippo.io/edwards25519 dependency-version: 1.1.1 dependency-type: indirect - dependency-name: github.com/lestrrat-go/jwx dependency-version: 1.2.29 dependency-type: indirect - dependency-name: github.com/nats-io/nats-server/v2 dependency-version: 2.11.15 dependency-type: direct:production - dependency-name: github.com/nats-io/nats-server/v2 dependency-version: 2.11.15 dependency-type: direct:production - dependency-name: github.com/nats-io/nats-server/v2 dependency-version: 2.11.15 dependency-type: indirect - dependency-name: github.com/nats-io/nats-server/v2 dependency-version: 2.11.15 dependency-type: indirect - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.40.0 dependency-type: indirect - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.40.0 dependency-type: indirect - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.40.0 dependency-type: indirect - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.40.0 dependency-type: indirect - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.47.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.47.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.47.0 dependency-type: indirect - dependency-name: golang.org/x/net dependency-version: 0.47.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 31, 2026

dependabot Bot mentioned this pull request Mar 31, 2026

chore(deps): bump the go_modules group across 2 directories with 1 update #2053

Closed

dependabot Bot changed the title ~~chore(deps): bump the go_modules group across 4 directories with 6 updates~~ build(deps): bump the go_modules group across 4 directories with 6 updates Apr 8, 2026

dependabot Bot force-pushed the dependabot/go_modules/go_modules-b5f6b63de3 branch from afe170b to 3151a14 Compare April 8, 2026 12:37

dependabot Bot force-pushed the dependabot/go_modules/go_modules-b5f6b63de3 branch 4 times, most recently from bf23a1f to ddf31f5 Compare April 21, 2026 14:50

dependabot Bot changed the title ~~build(deps): bump the go_modules group across 4 directories with 6 updates~~ chore(deps): bump the go_modules group across 4 directories with 6 updates Apr 24, 2026

dependabot Bot force-pushed the dependabot/go_modules/go_modules-b5f6b63de3 branch from ddf31f5 to edd3bc5 Compare April 24, 2026 12:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the go_modules group across 4 directories with 6 updates#2071

chore(deps): bump the go_modules group across 4 directories with 6 updates#2071
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go_modules-b5f6b63de3

dependabot Bot commented on behalf of github Mar 31, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release v2.11.15

Changelog

Go Version

Dependencies

CVEs

Changed

Improved

Fixed

v1.2.29 07 Mar 2024

[Security]

v1.2.28

v1.2.27

[SECURITY] v1.2.26

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Changed

Deprecated

Fixed

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

Release v2.11.15

Changelog

Go Version

Dependencies

CVEs

Changed

Improved

Fixed

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Changed

Deprecated

Fixed

[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

Added

Release v2.11.15

Changelog

Go Version

Dependencies

CVEs

Changed

Improved

Fixed

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Changed

Deprecated

Fixed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Mar 31, 2026 •

edited

Loading