Skip to content

Bump the go_modules group across 10 directories with 5 updates#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go/ql/test/experimental/CWE-321-V2/go_modules-8e91076a0f
Open

Bump the go_modules group across 10 directories with 5 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go/ql/test/experimental/CWE-321-V2/go_modules-8e91076a0f

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown

Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: github.com/go-jose/go-jose/v3 and github.com/golang-jwt/jwt/v5.
Bumps the go_modules group with 1 update in the /go/ql/test/experimental/CWE-1004 directory: github.com/gin-gonic/gin.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/two-go-mods-nested-one-in-root/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/single-go-mod-in-root/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/ninja-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/make-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-without-version/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-2/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-1/src directory: golang.org/x/net.

Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.5

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.5

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: go-jose/go-jose@v3.0.4...v3.0.5

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

Version 3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)
  • Update golang.org/x/crypto to v0.19 (#94)

Added

  • Add Thumbprint support for opaque signers (#38)

Version 3.0.1

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

Commits
  • be2f654 ci: update Go versions for GHA workflows (#221)
  • 0246416 Merge commit from fork
  • 5253038 Backport fix 167 to v3 (#174)
  • 047dc99 CI: Update github actions and go version (#173)
  • 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
  • 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
  • add6a28 v3: backport decompression limit fix (#107)
  • 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
  • 863f73b v3.0.2: Update changelog (#95)
  • bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
  • Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

v5.2.1

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1

v5.2.0

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v5.1.0...v5.2.0

v5.1.0

What's Changed

... (truncated)

Commits

Updates golang.org/x/crypto from 0.12.0 to 0.19.0

Commits
  • 405cb3b go.mod: update golang.org/x dependencies
  • 913d3ae x509roots/fallback: update bundle
  • dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
  • 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
  • 055043d go.mod: update golang.org/x dependencies
  • 08396bb internal/poly1305: drop Go 1.12 compatibility
  • 9d2ee97 ssh: implement strict KEX protocol changes
  • 4e5a261 ssh: close net.Conn on all NewServerConn errors
  • 152cdb1 x509roots/fallback: update bundle
  • fdfe1f8 ssh: defer channel window adjustment
  • Additional commits viewable in compare view

Updates github.com/gin-gonic/gin from 1.7.1 to 1.9.1

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.9.1

Changelog

BUG FIXES

  • fix Request.Context() checks #3512

SECURITY

  • fix lack of escaping of filename in Content-Disposition #3556

ENHANCEMENTS

  • refactor: use bytes.ReplaceAll directly #3455
  • convert strings and slices using the officially recommended way #3344
  • improve render code coverage #3525

DOCS

  • docs: changed documentation link for trusted proxies #3575
  • chore: improve linting, testing, and GitHub Actions setup #3583

v1.9.0

Changelog

BREAK CHANGES

  • Stop useless panicking in context and render #2150

BUG FIXES

  • fix(router): tree bug where loop index is not decremented. #3460
  • fix(context): panic on NegotiateFormat - index out of range #3397
  • Add escape logic for header #3500 and #3503

SECURITY

  • Fix the GO-2022-0969 and GO-2022-0288 vulnerabilities #3333
  • fix(security): vulnerability GO-2023-1571 #3505

ENHANCEMENTS

  • feat: add sonic json support #3184
  • chore(file): Creates a directory named path #3316
  • fix: modify interface check way #3327
  • remove deprecated of package io/ioutil #3395
  • refactor: avoid calling strings.ToLower twice #3343
  • console logger HTTP status code bug fixed #3453
  • chore(yaml): upgrade dependency to v3 version #3456
  • chore(router): match method added to routergroup for multiple HTTP methods supporting #3464

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.9.1

BUG FIXES

  • fix Request.Context() checks #3512

SECURITY

  • fix lack of escaping of filename in Content-Disposition #3556

ENHANCEMENTS

  • refactor: use bytes.ReplaceAll directly #3455
  • convert strings and slices using the officially recommended way #3344
  • improve render code coverage #3525

DOCS

  • docs: changed documentation link for trusted proxies #3575
  • chore: improve linting, testing, and GitHub Actions setup #3583

Gin v1.9.0

BREAK CHANGES

  • Stop useless panicking in context and render #2150

BUG FIXES

  • fix(router): tree bug where loop index is not decremented. #3460
  • fix(context): panic on NegotiateFormat - index out of range #3397
  • Add escape logic for header #3500 and #3503

SECURITY

  • Fix the GO-2022-0969 and GO-2022-0288 vulnerabilities #3333
  • fix(security): vulnerability GO-2023-1571 #3505

ENHANCEMENTS

  • feat: add sonic json support #3184
  • chore(file): Creates a directory named path #3316
  • fix: modify interface check way #3327
  • remove deprecated of package io/ioutil #3395
  • refactor: avoid calling strings.ToLower twice #3343
  • console logger HTTP status code bug fixed #3453
  • chore(yaml): upgrade dependency to v3 version #3456
  • chore(router): match method added to routergroup for multiple HTTP methods supporting #3464
  • chore(http): add support for go1.20 http.rwUnwrapper to gin.responseWriter #3489

... (truncated)

Commits
  • 4ea0e64 Ready release gin 1.9.1 (by: thinkerou) (#3630)
  • bb1fc2e fix Request.Context() checks (#3512)
  • 2d4bbec fix lack of escaping of filename in Content-Disposition (#3556)
  • 9f5ecd4 chore(deps): bump actions/setup-go from 3 to 4 (#3543)
  • 20cd6bc chore(deps): bump github.com/go-playground/validator/v10 (#3610)
  • 6bdc725 Fix typos in ISSUE_TEMPLATE.md (#3616)
  • 1ab2689 chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#3599)
  • 6a0556e improve render code coverage (#3525)
  • eac2daa chore: update dependencies for various packages and libraries (#3585)
  • 757a638 chore: improve linting, testing, and GitHub Actions setup (#3583)
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.55.0

Commits
  • 7770ec4 go.mod: update golang.org/x dependencies
  • 4ece7b6 html: escape greater-than symbol in doctype identifiers
  • 08be507 html: improve Noah's Ark clause performance
  • a8fb2fe html: properly render fostered elements in foreign content
  • 0dc5b7a html: properly check namespace in "in body" any other end tag
  • a452f3c html: ignore duplicate attributes during tokenization
  • f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
  • 210ed3c quic: establish a "happened-before" relationship between stream write and read
  • ad8140e quic: fix buffer slicing when handling overlapping stream data
  • 23ee2ef http2: avoid API changes when built with go1.27
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) and [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt).
Bumps the go_modules group with 1 update in the /go/ql/test/experimental/CWE-1004 directory: [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/two-go-mods-nested-one-in-root/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/single-go-mod-in-root/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/ninja-sample/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/make-sample/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-without-version/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-sample/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-2/src directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-1/src directory: [golang.org/x/net](https://github.com/golang/net).


Updates `github.com/go-jose/go-jose/v3` from 3.0.0 to 3.0.5
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.5)

Updates `github.com/golang-jwt/jwt/v5` from 5.0.0 to 5.2.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v5.0.0...v5.2.2)

Updates `golang.org/x/crypto` from 0.12.0 to 0.19.0
- [Commits](golang/crypto@v0.12.0...v0.19.0)

Updates `github.com/gin-gonic/gin` from 1.7.1 to 1.9.1
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.7.1...v1.9.1)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

Updates `golang.org/x/net` from 0.23.0 to 0.55.0
- [Commits](golang/net@v0.23.0...v0.55.0)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-version: 3.0.5
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-version: 5.2.2
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.19.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/gin-gonic/gin
  dependency-version: 1.9.1
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants