build(deps): bump the go_modules group across 1 directory with 11 updates #2

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go_modules-ce0e947eb8

@dependabot dependabot bot commented on behalf of github Nov 19, 2025

Bumps the go_modules group with 3 updates in the / directory: github.com/coredns/coredns, github.com/minio/console and github.com/nats-io/nats-server/v2.

Updates github.com/coredns/coredns from 1.9.2 to 1.12.4

Release notes

Sourced from github.com/coredns/coredns's releases.

v1.12.4

This release improves stability and security, fixing context propagation in DoH, label offset handling in the file plugin, and connection leaks in gRPC and transfer. It also adds support for the prefer option in loadbalance, introduces timeouts to the metrics server, and fixes several security vulnerabilities (see details in related security advisories).

Brought to You By

Archy Ilya Kulakov Olli Janatuinen Qasim Sarfraz Syed Azeez Ville Vesilehto wencyu Yong Tang

Noteworthy Changes

v1.12.3

This release improves plugin reliability and standards compliance, adding startup timeout to the Kubernetes plugin, fallthrough to gRPC, and EDNS0 unset to rewrite. The file plugin now preserves SRV record case per RFC 6763, route53 is updated to AWS SDK v2, and multiple race conditions in cache and connection handling in forward are fixed.

Brought to You By

blakebarnett Brennan Kinney Cameron Steel Dave Brown Dennis Simmons Guillaume Jacquet harshith-2411-2002 houpo-bob Oleg Guba Sebastian Mayr

... (truncated)

Commits
  • f323295 build(deps): bump github/codeql-action from 3.30.0 to 3.30.1 (#7528)
  • 3fc046f build(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (#7525)
  • 1b35ba1 build(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 (#7527)
  • 8f76d6f build(deps): bump actions/stale from 9.1.0 to 10.0.0 (#7526)
  • ddc1878 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#7524)
  • f74bf9c build(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 (#7523)
  • cbc32d2 build(deps): bump github.com/aws/aws-sdk-go-v2/service/route53 (#7521)
  • 51d59e5 build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0 (#7520)
  • a62ef5d build(deps): bump github.com/DataDog/dd-trace-go/v2 from 2.2.2 to 2.2.3 (#7519)
  • 96819ed Update note and versioon for 1.12.4 release (#7518)
  • Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.4.1 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

What's Changed

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

v4.4.3

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v4.4.2...v4.4.3

v4.4.2

What's Changed

... (truncated)

Commits

Updates github.com/minio/console from 0.19.0 to 0.28.0

Release notes

Sourced from github.com/minio/console's releases.

Release version v0.28.0

Changelog

  • fc9319e55 Added identifier field to Event destinations page & migrated to mds (#2816)
  • beed4895c Apply permission check for create accesskey button (#2822)
  • dc90db659 Changed SSO Login screen to hide login form by default (#2807)
  • 7a9b775b0 Changed Share Object logic to use Access Keys (#2827)
  • 920fc7d93 Fix Subpath behavior (#2818)
  • 629dd669c Fix anonymous access rule not displayed due to style (#2820)
  • 6e314a2fa Fix crash when backend has no rrSCParity property (#2826)
  • d93537261 Fix download of large files in Console (#2773)
  • 58b64a573 Fixed an issue with allowResources & KeyBar (#2817)
  • 028570279 Migrated Access Keys page components to mds (#2834)
  • 57bfe97d0 Release v0.28.0 (#2831)
  • 17e791afb Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
  • 22ec87d00 improve playwright tests with refactoring and clean up (#2809)
  • bda1cd1f2 mds-released-V0.4.3 (#2830)
  • b87b4156e mds-released-v0.4.2 (#2815)

Release version v0.27.0

Changelog

  • cde6d1b0e Added Disable login animation with env variable (#2799)
  • be60569a1 Changed Object Browser components to use new mds components (#2796)
  • 1583b69fb Made Service Account creation consistent with mc (#2801)
  • 93f010b88 Release v0.27.0 (#2813)
  • c117601e5 Update madmin-go to 2.1.1 (#2810)
  • c5d4cdf1b fix to show or hide show deleted objects option based on versioning status (#2780)
  • f78f838ed mds-released-v0.4.1 (#2808)

Release version v0.26.4

Changelog

  • 4d783c5e4 Added Object Version read-only field in Edit Lifecycle Modal (#2772)
  • 81e0c82fe Changed GitHub labels (#2768)
  • 0dacc4d49 Changed breadcrumbs back button behavior (#2776)
  • 211ab3fd9 Fix incorrect logo appearing for Standard License holders (#2797)
  • 8882f1da0 Fix yaml vulnerability (#2785)
  • 75b3a6bea Fixed Object Version selector visibility in Add Lifecycle Rule modal (#2769)
  • f7a7f01d7 Fixed issue while getting locking status of a bucket (#2790)
  • 6020590b2 Make playwright run faster (#2737)
  • 51226a74d Release v0.26.4 (#2798)
  • 0e0f5030d Remove health diagnostic warning (#2779)
  • 056d487f1 Show progress bar when loading Usage Info (#2784)
  • b8083215b Update Dev Docs with MinIO naming conventions (#2783)
  • 61c864e74 Update Dev Documentation (#2781)
  • 1477def4f Updated Console UI dependencies (#2787)
  • fb5193d89 Updated mds to v0.4.0 (#2794)
  • 29507cda7 Updated xml2js library (#2770)
  • e983473a5 Upgrade Go Dependencies (#2786)
  • 2c84a5293 Use FormLayout from mds (#2788)
  • 90c8ea7f0 Use PageLayout from mds (#2789)

... (truncated)

Commits

Updates github.com/nats-io/nats-server/v2 from 2.7.4 to 2.10.27

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.10.27

Changelog

Go Version

  • 1.24.1

CVEs

  • This release contains fixes for CVE-2025-30215, a CRITICAL severity vulnerability affecting all NATS Server versions from v2.2.0, prior to v2.11.1 or v2.10.27.

Fixed

JetStream

  • Correctly validate the calling account on a number of system API calls
  • Check system and account limits when processing a stream restore
  • Fixed a performance regression when using max messages per subject of 1 (#6688)

Complete Changes

nats-io/nats-server@v2.10.26...v2.10.27

Release v2.10.27-binary

Changelog

Go Version

  • 1.24.1

CVEs

  • This is a binary-only release containing fixes for CVE-2025-30215, a CRITICAL severity vulnerability affecting all NATS Server versions from v2.2.0, prior to v2.11.1 or v2.10.27. Public disclosure of the details, including the source code, will be made available no sooner than a week from the release date. All environments should update as soon as possible. For workflows that rely on building from source, we recommend using the binary in the interim.

Release v2.10.26

Changelog

Refer to the 2.10 Upgrade Guide for backwards compatibility notes with 2.9.x.

Go Version

Dependencies

  • github.com/nats-io/nats.go v1.39.1 (#6574)
  • golang.org/x/crypto v0.34.0 (#6574)
  • golang.org/x/sys v0.30.0 (#6487)
  • golang.org/x/time v0.10.0 (#6487)
  • github.com/nats-io/nkeys v0.4.10 (#6494)

... (truncated)

Commits
  • 6b830a9 Release v2.10.27
  • c6bbff7 Release v2.10.27-binary
  • 4b0e2ca Test subject state optimization
  • d984613 Optimize removeSeqPerSubject() for MaxMsgPerSubject == 1
  • 406f836 Improved request account validation
  • 372d7c5 Check server and account limits on stream restore
  • 20019bf Import GitHub Actions, goreleaser and golangci-lint workflow changes from main
  • 14fa949 Release v2.10.26
  • 50ee75c Release v2.10.26-RC.7
  • 723dca8 Fix for data race for c.out
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.0.0-20220411220226-7b82a4e95df4 to 0.41.0

Commits

Updates golang.org/x/oauth2 from 0.0.0-20220411215720-9780585627b5 to 0.30.0

Commits

Updates github.com/lestrrat-go/jwx from 1.2.19 to 1.2.25

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.25

v1.2.25 23 May 2022
[Bug Fixes][Security]
  * [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
    where the unpad operation might remove more bytes than necessary ([#744](https://github.com/lestrrat-go/jwx/issues/744))
    This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24

v1.2.24 05 May 2022
[Security]
  * Upgrade golang.org/x/crypto ([#724](https://github.com/lestrrat-go/jwx/issues/724))

v1.2.23

v1.2.23 13 Apr 2022
[Bug fixes]
  * [jwk] jwk.AutoRefresh had a race condition when `Configure()` was
    called concurrently ([#686](https://github.com/lestrrat-go/jwx/issues/686))
    (It has been patched correctly, but we may come back to revisit
     the design choices in the near future)

v1.2.22

v1.2.22 08 Apr 2022
[Bug fixes]
  * [jws] jws.Verify was ignoring the `b64` header when it was present
    in the protected headers ([#681](https://github.com/lestrrat-go/jwx/issues/681)). Now the following should work:
  jws.Sign(..., jws.WithDetachedPayload(payload))
  // previously payload had to be base64 encoded
  jws.Verify(..., jws.WithDetachedPayload(payload))

(note: v2 branch was not affected)

v1.2.21

v1.2.21 30 Mar 2022
[Bug fixes]
  * [jwk] RSA keys without p and q can now be parsed.

v1.2.20

v1.2.20 03 Mar 2022

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.25 23 May 2022 [Bug Fixes][Security]

  • [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding, where the unpad operation might remove more bytes than necessary (#744) This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24 05 May 2022 [Security]

  • Upgrade golang.org/x/crypto (#724)

v1.2.23 13 Apr 2022 [Bug fixes]

  • [jwk] jwk.AutoRefresh had a race condition when Configure() was called concurrently (#686) (It has been patched correctly, but we may come back to revisit the design choices in the near future)

v1.2.22 08 Apr 2022 [Bug fixes]

  • [jws] jws.Verify was ignoring the b64 header when it was present in the protected headers (#681). Now the following should work:

    jws.Sign(..., jws.WithDetachedPayload(payload))
    // previously payload had to be base64 encoded
    jws.Verify(..., jws.WithDetachedPayload(payload))

    (note: v2 branch was not affected)

v1.2.21 30 Mar 2022 [Bug fixes]

  • [jwk] RSA keys without p and q can now be parsed.

v1.2.20 03 Mar 2022 [Miscellaneous]

Commits

Updates golang.org/x/net from 0.0.0-20220425223048-2871e0cb64e4 to 0.43.0

Commits

Updates golang.org/x/text from 0.3.7 to 0.28.0

Commits
  • 425d715 go.mod: update golang.org/x dependencies
  • b6d2645 go.mod: update golang.org/x dependencies
  • 8072180 go.mod: update golang.org/x dependencies
  • 6cacac1 go.mod: update tagx:ignore'd golang.org/x dependencies
  • 700cc20 go.mod: update golang.org/x dependencies
  • 4890c57 go.mod: update golang.org/x dependencies
  • 566b44f go.mod: update golang.org/x dependencies
  • d5156da collate/build: do not use println in tests
  • 221d88c x/text: fix scientific notation by removing extraneous spaces
  • b18c107 internal/export/unicode: change C comment to mention unassigned code points
  • Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.46.0 to 1.75.0

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.75.0

Behavior Changes

  • xds: Remove support for GRPC_EXPERIMENTAL_XDS_FALLBACK environment variable. Fallback support can no longer be disabled. (#8482)
  • stats: Introduce DelayedPickComplete event, a type alias of PickerUpdated. (#8465)
    • This (combined) event will now be emitted only once per call, when a transport is successfully selected for the attempt.
    • OpenTelemetry metrics will no longer have multiple "Delayed LB pick complete" events in Go, matching other gRPC languages.
    • A future release will delete the PickerUpdated symbol.
  • credentials: Properly apply grpc.WithAuthority as the highest-priority option for setting authority, above the setting in the credentials themselves. (#8488)
    • Now that this WithAuthority is available, the credentials should not be used to override the authority.
  • round_robin: Randomize the order in which addresses are connected to in order to spread out initial RPC load between clients. (#8438)
  • server: Return status code INTERNAL when a client sends more than one request in unary and server streaming RPC. (#8385)
    • This is a behavior change but also a bug fix to bring gRPC-Go in line with the gRPC spec.

New Features

  • dns: Add an environment variable (GRPC_ENABLE_TXT_SERVICE_CONFIG) to provide a way to disable TXT lookups in the DNS resolver (by setting it to false). By default, TXT lookups are enabled, as they were previously. (#8377)

Bug Fixes

  • xds: Fix regression preventing empty node IDs in xDS bootstrap configuration. (#8476)
  • xds: Fix possible panic when certain invalid resources are encountered. (#8412)
  • xdsclient: Fix a rare panic caused by processing a response from a closed server. (#8389)
  • stats: Fix metric unit formatting by enclosing non-standard units like call and endpoint in curly braces to comply with UCUM and gRPC OpenTelemetry guidelines. (#8481)
  • xds: Fix possible panic when clusters are removed from the xds configuration. (#8428)
  • xdsclient: Fix a race causing "resource doesn not exist" when rapidly subscribing and unsubscribing to the same resource. (#8369)
  • client: When determining the authority, properly percent-encode (if needed, which is unlikely) when the target string omits the hostname and only specifies a port (grpc.NewClient(":<port-number-or-name>")). (#8488)

Release 1.74.3

Bug Fixes

  • xds: Fix a regression preventing empty node IDs in the bootstrap configuration. (#8476 , #8483)
  • xdsclient: Fix a data race caused while reporting load to LRS. (#8483)
  • server: Fix a regression preventing streams from being cancelled or timed out when blocked on flow control. (#8528)

Release 1.74.2

New Features

  • grpc: introduce new DialOptions and ServerOptions (WithStaticStreamWindowSize, WithStaticConnWindowSize, StaticStreamWindowSize, StaticConnWindowSize) that force fixed window sizes for all HTTP/2 connections. By default, gRPC uses dynamic sizing of these windows based upon a BDP estimation algorithm. The existing options (WithInitialWindowSize, etc) also disable BDP estimation, but this behavior will be changed in a following release. (#8283)

API Changes

  • balancer: add ExitIdle method to Balancer interface. Earlier, implementing this method was optional. (#8367)

Behavior Changes

  • xds: Remove the GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST environment variable that allows disabling the least request balancer with xDS. Least request was made available by default with xDS in v1.72.0. (#8248)

... (truncated)

Commits
  • b9788ef Change version to 1.75.0 (#8493)
  • 2bd74b2 credentials: fix behavior of grpc.WithAuthority and credential handshake prec...
  • 9fa3267 xds: remove xds client fallback environment variable (#8482)
  • 62ec29f grpc: Fix cardinality violations in non-client streaming RPCs. (#8385)
  • 85240a5 stats: change non-standard units to annotations (#8481)
  • ac13172 update deps (#8478)
  • 0a895bc examples/opentelemetry: use experimental metrics in example (#8441)
  • 8b61e8f xdsclient: do not process updates from closed server channels (#8389)
  • 7238ab1 Allow empty nodeID (#8476)
  • 9186ebd cleanup: use slices.Equal to simplify code (#8472)
  • Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.28.0 to 1.36.8

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…ates

Bumps the go_modules group with 3 updates in the / directory: [github.com/coredns/coredns](https://github.com/coredns/coredns), [github.com/minio/console](https://github.com/minio/console) and [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server).


Updates `github.com/coredns/coredns` from 1.9.2 to 1.12.4
- [Release notes](https://github.com/coredns/coredns/releases)
- [Changelog](https://github.com/coredns/coredns/blob/master/Makefile.release)
- [Commits](coredns/coredns@v1.9.2...v1.12.4)

Updates `github.com/golang-jwt/jwt/v4` from 4.4.1 to 4.5.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](golang-jwt/jwt@v4.4.1...v4.5.2)

Updates `github.com/minio/console` from 0.19.0 to 0.28.0
- [Release notes](https://github.com/minio/console/releases)
- [Changelog](https://github.com/minio/object-browser/blob/master/CHANGELOG.md)
- [Commits](minio/object-browser@v0.19.0...v0.28.0)

Updates `github.com/nats-io/nats-server/v2` from 2.7.4 to 2.10.27
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/.goreleaser.yml)
- [Commits](nats-io/nats-server@v2.7.4...v2.10.27)

Updates `golang.org/x/crypto` from 0.0.0-20220411220226-7b82a4e95df4 to 0.41.0
- [Commits](https://github.com/golang/crypto/commits/v0.41.0)

Updates `golang.org/x/oauth2` from 0.0.0-20220411215720-9780585627b5 to 0.30.0
- [Commits](https://github.com/golang/oauth2/commits/v0.30.0)

Updates `github.com/lestrrat-go/jwx` from 1.2.19 to 1.2.25
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.25/Changes)
- [Commits](lestrrat-go/jwx@v1.2.19...v1.2.25)

Updates `golang.org/x/net` from 0.0.0-20220425223048-2871e0cb64e4 to 0.43.0
- [Commits](https://github.com/golang/net/commits/v0.43.0)

Updates `golang.org/x/text` from 0.3.7 to 0.28.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.3.7...v0.28.0)

Updates `google.golang.org/grpc` from 1.46.0 to 1.75.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.46.0...v1.75.0)

Updates `google.golang.org/protobuf` from 1.28.0 to 1.36.8

---
updated-dependencies:
- dependency-name: github.com/coredns/coredns
  dependency-version: 1.12.4
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/minio/console
  dependency-version: 0.28.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.10.27
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.41.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.30.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/lestrrat-go/jwx
  dependency-version: 1.2.25
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.43.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/text
  dependency-version: 0.28.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/grpc
  dependency-version: 1.75.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.8
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Nov 19, 2025
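
The ParseWithClaims pitfall from the golang-jwt v4.5.1 release note quoted above, as an added example that is not code from golang-jwt or from this pull request: a standard-library model in which the parser reports expiry and signature failures together, with `errors.Join` standing in for the library's combined error. `ErrTokenExpired` and `ErrTokenSignatureInvalid` are local stand-ins for the `jwt` sentinels, and `sign`, `parse`, `naiveMayRefresh`, `strictMayRefresh`, the keys and the token are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins for jwt.ErrTokenExpired and jwt.ErrTokenSignatureInvalid.
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("signature is invalid")
	b64                      = base64.RawURLEncoding
)

func mac(msg string, key []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// sign builds a constructed HS256 token (sample data) expiring at exp.
func sign(exp int64, key []byte) string {
	body := fmt.Sprintf(`{"sub":"demo","exp":%d}`, exp)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(body))
	return msg + "." + b64.EncodeToString(mac(msg, key))
}

// parse models the release note: expiry and signature failures come back joined.
func parse(tok string, key []byte, now int64) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return errors.New("token is malformed")
	}
	var c struct{ Exp int64 `json:"exp"` }
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("token is malformed")
	}
	var errs []error
	if now >= c.Exp {
		errs = append(errs, ErrTokenExpired)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac(parts[0]+"."+parts[1], key)) {
		errs = append(errs, ErrTokenSignatureInvalid)
	}
	return errors.Join(errs...)
}

// naiveMayRefresh is the flawed caller: "expired" is read as "authentic but stale".
func naiveMayRefresh(err error) bool {
	return err == nil || errors.Is(err, ErrTokenExpired)
}

// strictMayRefresh refuses any error that carries a signature failure.
func strictMayRefresh(err error) bool {
	return err == nil || (errors.Is(err, ErrTokenExpired) && !errors.Is(err, ErrTokenSignatureInvalid))
}

func main() {
	now := int64(1700000000) // fixed clock keeps the run repeatable
	err := parse(sign(now-60, []byte("wrong-key")), []byte("server-key"), now)
	fmt.Println("naive:", naiveMayRefresh(err), "strict:", strictMayRefresh(err))
}
```

A token that is both expired and signed with the wrong key passes `naiveMayRefresh` and is refused by `strictMayRefresh`; a correctly signed expired token is still eligible under the strict check.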