chore(deps): bump the prod-deps group across 1 directory with 7 updates #89

dependabot · 2026-02-01T08:06:39Z

Bumps the prod-deps group with 6 updates in the / directory:

Package	From	To
github.com/goccy/go-yaml	`1.19.1`	`1.19.2`
github.com/golang-jwt/jwt/v5	`5.3.0`	`5.3.1`
github.com/jackc/pgx/v5	`5.7.6`	`5.8.0`
github.com/labstack/echo-contrib	`0.17.4`	`0.50.0`
github.com/labstack/echo/v4	`4.14.0`	`4.15.0`
github.com/swaggo/swag/v2	`2.0.0-rc4`	`2.0.0-rc5`

Updates github.com/goccy/go-yaml from 1.19.1 to 1.19.2

Release notes

Sourced from github.com/goccy/go-yaml's releases.

1.19.2

What's Changed

Fix anchor reference regression in nested structures by @linyows in goccy/go-yaml#839

New Contributors

@linyows made their first contribution in goccy/go-yaml#839

Full Changelog: goccy/go-yaml@v1.19.1...v1.19.2

Commits

92bc79c Fix anchor reference regression in nested structures (#839)
See full diff in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.3.1

What's Changed

🔐 Features

Add spellcheck Github action to catch common spelling mistakes by @equalsgibson in golang-jwt/jwt#458

Add WithNotBeforeRequired parser option and add test coverage by @equalsgibson in golang-jwt/jwt#456

Update godoc example func to properly refer to NewWithClaims() by @equalsgibson in golang-jwt/jwt#459

Update github workflows by @mfridman in golang-jwt/jwt#462

Additional test for CustomClaims that validates unmarshalling behaviour by @equalsgibson in golang-jwt/jwt#457

Fix early file close in jwt cli by @mfridman in golang-jwt/jwt#472

Add TPM signature reference by @salrashid123 in golang-jwt/jwt#473

Remove misleading ParserOptions documentation in golang-jwt/jwt#484

Save signature to Token struct after successful signing by @EgorSheff in golang-jwt/jwt#417

Set token.Signature in ParseUnverified by @slickwilli in golang-jwt/jwt#414

👒 Dependencies

Bump crate-ci/typos from 1.34.0 to 1.35.3 by @dependabot[bot] in golang-jwt/jwt#461

Bump crate-ci/typos from 1.35.4 to 1.36.2 by @dependabot[bot] in golang-jwt/jwt#470

Bump github/codeql-action from 3 to 4 by @dependabot[bot] in golang-jwt/jwt#478

Bump crate-ci/typos from 1.36.2 to 1.39.0 by @dependabot[bot] in golang-jwt/jwt#480

Bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in golang-jwt/jwt#481

Bump actions/setup-go from 5 to 6 by @dependabot[bot] in golang-jwt/jwt#469

Bump crate-ci/typos from 1.39.0 to 1.40.0 by @dependabot[bot] in golang-jwt/jwt#488

Bump actions/checkout from 5 to 6 by @dependabot[bot] in golang-jwt/jwt#487

Bump crate-ci/typos from 1.40.0 to 1.41.0 by @dependabot[bot] in golang-jwt/jwt#490

Bump crate-ci/typos from 1.41.0 to 1.42.1 by @dependabot[bot] in golang-jwt/jwt#492

New Contributors

@equalsgibson made their first contribution in golang-jwt/jwt#458

@salrashid123 made their first contribution in golang-jwt/jwt#473

@EgorSheff made their first contribution in golang-jwt/jwt#417

@slickwilli made their first contribution in golang-jwt/jwt#414

Full Changelog: golang-jwt/jwt@v5.3.0...v5.3.1

Commits

7ceae61 Add release.yml for changelog configuration
dce8e4d Set token.Signature in ParseUnverified (#414)
8889e20 Save signature to Token struct after successful signing (#417)
d237f82 ci: update github-actions schedule interval to monthly
d8dce95 Bump crate-ci/typos from 1.41.0 to 1.42.1 (#492)
e931803 Bump crate-ci/typos from 1.40.0 to 1.41.0 (#490)
e6a0afa Bump actions/checkout from 5 to 6 (#487)
9f85c9e Bump crate-ci/typos from 1.39.0 to 1.40.0 (#488)
60a8669 Bump actions/setup-go from 5 to 6 (#469)
76f5828 Remove misleading ParserOptions documentation (#484)
Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.6 to 5.8.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.8.0 (December 26, 2025)

Require Go 1.24+

Remove golang.org/x/crypto dependency

Add OptionShouldPing to control ResetSession ping behavior (ilyam8)

Fix: Avoid overflow when MaxConns is set to MaxInt32

Fix: Close batch pipeline after a query error (Anthonin Bonnefoy)

Faster shutdown of pgxpool.Pool background goroutines (Blake Gentry)

Add pgxpool ping timeout (Amirsalar Safaei)

Fix: Rows.FieldDescriptions for empty query

Scan unknown types into *any as string or []byte based on format code

Optimize pgtype.Numeric (Philip Dubé)

Add AfterNetConnect hook to pgconn.Config

Fix: Handle for preparing statements that fail during the Describe phase

Fix overflow in numeric scanning (Ilia Demianenko)

Fix: json/jsonb sql.Scanner source type is []byte

Migrate from math/rand to math/rand/v2 (Mathias Bogaert)

Optimize internal iobufpool (Mathias Bogaert)

Optimize stmtcache invalidation (Mathias Bogaert)

Fix: missing error case in interval parsing (Maxime Soulé)

Fix: invalidate statement/description cache in Exec (James Hartig)

ColumnTypeLength method return the type length for varbit type (DengChan)

Array and Composite codecs handle typed nils

Commits

fe8740a Release v5.8.0
e5dde5a Skip test on CockroachDB
06f2d82 Remove trailing space
2cf78dd Merge pull request #2448 from DengChan/column_type_lenth_varbit
2d1c4ef Skip tests on CockroachDB
1a5fa7f Array and Composite codecs handle typed nils
5736d09 ColumnTypeLength method return the type length for varbit type.
4c1308c Revert "stdlib matches native pgx scanning support"
14ce2b7 Skip test on CockroachDB
65b2724 Merge pull request #2443 from jameshartig/x-invalidate-cache-in-exec
Additional commits viewable in compare view

Updates github.com/labstack/echo-contrib from 0.17.4 to 0.50.0

Release notes

Sourced from github.com/labstack/echo-contrib's releases.

V5 is out

See: https://github.com/labstack/echo/releases/tag/v5.0.0

Retract v0.50.0

Echo 5 support was introduced in this repository with the v0.50.0 release. However, this also means that users who are still on Echo 4 and run go get -u ./... will inadvertently pull in Echo 5, which they neither want nor need at this time.

v0.50.0 will be retracted in v0.18.0 series and v0+ will only support Echo 4. For Echo 5 support use v5 major version of this repository.

Full Changelog: labstack/echo-contrib@v0.17.4...v0.18.0

Relates to labstack/echo-contrib#142

Commits

fb1b028 Use Echo v5 tag
e5a435c Remove github.com/labstack/gommon dependency
16afb59 Echo V5 support
6c28e2b Update deps (#139)
109512b Update deps (last one did not update to latest) (#132)
See full diff in compare view

Updates github.com/labstack/echo/v4 from 4.14.0 to 4.15.0

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

same-origin or none: Requests are allowed (exact origin match or direct user navigation)

same-site: Falls back to token validation (e.g., subdomain to main domain)

cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)

AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:
e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))
PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

Added generic functions for type-safe parameter extraction and context access by @aldas in labstack/echo#2856

Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

same-origin or none: Requests are allowed (exact origin match or direct user navigation)

same-site: Falls back to token validation (e.g., subdomain to main domain)

cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)

AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:
e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))
PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

Added generic functions for type-safe parameter extraction and context access by @aldas in labstack/echo#2856

Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,

... (truncated)

Commits

482bb46 v4.15.0 changelog
d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
f3fc618 CRSF with Sec-Fetch-Site checks
4dcb9b4 licence headers
cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
6b14f4e Add Context.Get generic functions
321530d disable test - returns different error under Windows
c8abd9f disable flaky test
9fe43f7 fix Rate limiter disallows fractional rates
1b5122a document things to reduce false positives
Additional commits viewable in compare view

Updates github.com/swaggo/swag/v2 from 2.0.0-rc4 to 2.0.0-rc5

Release notes

Sourced from github.com/swaggo/swag/v2's releases.

v2.0.0-rc5

What's Changed

feat: remove json-iterator and pkg/errors dependencies by @devhaozi in swaggo/swag#1987

fix: Issue #1980 by @Mozuha in swaggo/swag#1985

fix: enum generation in v3.1 by @dmouraneto in swaggo/swag#1983

refactor: simplify checking of FieldParser interface implementation by @nikpivkin in swaggo/swag#1974

refactor: remove unused parseValidTags method by @nikpivkin in swaggo/swag#1973

fix: avoid panic in ComplementSchema due to nil schema references by @nikpivkin in swaggo/swag#1972

fix: @name does not working for v3.1 by @ehles in swaggo/swag#1966

fix: getSecurityDefinitionKey white space parsing by @s1moe2 in swaggo/swag#1942

[v2] fix: duplicate print version by @martinyonatann in swaggo/swag#1969

feat: v2 top level security field by @0daryo in swaggo/swag#2030

Add missing null check by @koplas in swaggo/swag#1999

Fix for interface-valued schemas by @Cerber-Ursi in swaggo/swag#2054

feat: add multiple securitydefinitions.bearerauth for bearer token setting in V2 by @arsensokolov in swaggo/swag#2027

Fixes list recursion by @addshore in swaggo/swag#2022

feat: Support oneOf for requestBody Schemas in OpenAPI v3 by @codingcn in swaggo/swag#2059

Fix Response Schema Handling with Custom MIME Types by @fosple in swaggo/swag#2019

fix: segmentation error when using Slice as a type for generic (Wrapper[[]T]) in -v3.1 by @OnFireByte in swaggo/swag#1997

fix: parse form name "-" as skipped field by @isqua in swaggo/swag#2090

fix(openapi): honor @description.markdown for info.description by @nishkrishnan in swaggo/swag#2128

New Contributors

@devhaozi made their first contribution in swaggo/swag#1987

@Mozuha made their first contribution in swaggo/swag#1985

@dmouraneto made their first contribution in swaggo/swag#1983

@ehles made their first contribution in swaggo/swag#1966

@s1moe2 made their first contribution in swaggo/swag#1942

@martinyonatann made their first contribution in swaggo/swag#1969

@koplas made their first contribution in swaggo/swag#1999

@Cerber-Ursi made their first contribution in swaggo/swag#2054

@arsensokolov made their first contribution in swaggo/swag#2027

@addshore made their first contribution in swaggo/swag#2022

@codingcn made their first contribution in swaggo/swag#2059

@fosple made their first contribution in swaggo/swag#2019

@OnFireByte made their first contribution in swaggo/swag#1997

@isqua made their first contribution in swaggo/swag#2090

@nishkrishnan made their first contribution in swaggo/swag#2128

Full Changelog: swaggo/swag@v2.0.0-rc4...v2.0.0-rc5

Commits

8c7a6f6 fix(openapi): honor @description.markdown for info.description (#2128)
1cb456d fix: parse form name "-" as skipped field (#2090)
bc4b08e add file field to TypeSpecDef (#1997)
88e5892 Fix Response Schema Handling with Custom MIME Types (#2019)
13ced53 feat: Support oneOf for requestBody Schemas in OpenAPI v3 (#2059)
c0a352b Fixes list recursion (#2022)
bb6330c Added support for multiple Brearer components with the ability to customize e...
46a01f0 Fix for interface-valued schemas (#2054)
aa81c9a Add missing null check (#1999)
ea8c703 feat: v2 top level security field (#2030)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.46.0 to 0.47.0

Commits

506e022 go.mod: update golang.org/x dependencies
7dacc38 chacha20poly1305: error out in fips140=only mode
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-deps group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/goccy/go-yaml](https://github.com/goccy/go-yaml) | `1.19.1` | `1.19.2` | | [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | `5.3.0` | `5.3.1` | | [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.6` | `5.8.0` | | [github.com/labstack/echo-contrib](https://github.com/labstack/echo-contrib) | `0.17.4` | `0.50.0` | | [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.14.0` | `4.15.0` | | [github.com/swaggo/swag/v2](https://github.com/swaggo/swag) | `2.0.0-rc4` | `2.0.0-rc5` | Updates `github.com/goccy/go-yaml` from 1.19.1 to 1.19.2 - [Release notes](https://github.com/goccy/go-yaml/releases) - [Changelog](https://github.com/goccy/go-yaml/blob/master/CHANGELOG.md) - [Commits](goccy/go-yaml@v1.19.1...v1.19.2) Updates `github.com/golang-jwt/jwt/v5` from 5.3.0 to 5.3.1 - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Commits](golang-jwt/jwt@v5.3.0...v5.3.1) Updates `github.com/jackc/pgx/v5` from 5.7.6 to 5.8.0 - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.7.6...v5.8.0) Updates `github.com/labstack/echo-contrib` from 0.17.4 to 0.50.0 - [Release notes](https://github.com/labstack/echo-contrib/releases) - [Commits](labstack/echo-contrib@v0.17.4...v0.50.0) Updates `github.com/labstack/echo/v4` from 4.14.0 to 4.15.0 - [Release notes](https://github.com/labstack/echo/releases) - [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md) - [Commits](labstack/echo@v4.14.0...v4.15.0) Updates `github.com/swaggo/swag/v2` from 2.0.0-rc4 to 2.0.0-rc5 - [Release notes](https://github.com/swaggo/swag/releases) - [Commits](swaggo/swag@v2.0.0-rc4...v2.0.0-rc5) Updates `golang.org/x/crypto` from 0.46.0 to 0.47.0 - [Commits](golang/crypto@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: github.com/goccy/go-yaml dependency-version: 1.19.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: github.com/golang-jwt/jwt/v5 dependency-version: 5.3.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: github.com/labstack/echo-contrib dependency-version: 0.50.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: github.com/labstack/echo/v4 dependency-version: 4.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps - dependency-name: github.com/swaggo/swag/v2 dependency-version: 2.0.0-rc5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-deps - dependency-name: golang.org/x/crypto dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-deps ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies Dependencies need to be updated label Feb 1, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the prod-deps group across 1 directory with 7 updates #89

chore(deps): bump the prod-deps group across 1 directory with 7 updates #89

Uh oh!

dependabot bot commented on behalf of github Feb 1, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

chore(deps): bump the prod-deps group across 1 directory with 7 updates #89

Are you sure you want to change the base?

chore(deps): bump the prod-deps group across 1 directory with 7 updates #89

Uh oh!

Conversation

dependabot bot commented on behalf of github Feb 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

1.19.2

What's Changed

New Contributors

v5.3.1

What's Changed

🔐 Features

👒 Dependencies

New Contributors

5.8.0 (December 26, 2025)

V5 is out

Retract v0.50.0

v4.15.0

v4.15.0 - 2026-01-01

v2.0.0-rc5

What's Changed

New Contributors

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Feb 1, 2026 •

edited

Loading

Retract `v0.50.0`