chore(deps): bump the security-updates group with 22 updates

[dependabot]

Bumps the security-updates group with 22 updates:

Package	From	To
github.com/BurntSushi/toml	1.5.0	1.6.0
github.com/gin-gonic/gin	1.11.0	1.12.0
github.com/go-sql-driver/mysql	1.9.2	1.10.0
github.com/prometheus/client_golang	1.22.0	1.23.2
github.com/redis/go-redis/v9	9.19.0	9.20.0
go.etcd.io/etcd/api/v3	3.5.21	3.6.12
go.etcd.io/etcd/client/v3	3.5.21	3.6.12
go.etcd.io/etcd/server/v3	3.5.21	3.6.12
go.opentelemetry.io/contrib/propagators/autoprop	0.63.0	0.69.0
go.opentelemetry.io/contrib/samplers/jaegerremote	0.37.0	0.37.1
go.opentelemetry.io/otel	1.43.0	1.44.0
go.opentelemetry.io/otel/bridge/opentracing	1.36.0	1.44.0
go.opentelemetry.io/otel/exporters/jaeger	1.16.0	1.17.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.38.0	1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.38.0	1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	1.36.0	1.44.0
go.opentelemetry.io/otel/sdk	1.43.0	1.44.0
go.opentelemetry.io/otel/trace	1.43.0	1.44.0
go.uber.org/zap	1.27.0	1.28.0
golang.org/x/sys	0.42.0	0.45.0
gorm.io/gorm	1.30.0	1.31.1
k8s.io/client-go	0.34.1	0.36.1

Updates github.com/BurntSushi/toml from 1.5.0 to 1.6.0

Release notes

Sourced from github.com/BurntSushi/toml's releases.

v1.6.0

TOML 1.1 is now enabled by default. The TOML changelog has an overview of changes: https://github.com/toml-lang/toml/blob/main/CHANGELOG.md

Also two small fixes:

• Encode large floats as exponent syntax so that round-tripping things like 5e+22 is correct.

• Using duplicate array keys would not give an error:

  arr = [1]
  arr = [2]
  

  This will now correctly give a "Key 'arr' has already been defined" error.

Commits

• 5253492 Enable TOML 1.1 by default (#457)
• e954445 Reject duplicate arrays (#455)
• 6b16cbd Update toml-test test cases from upstream (#456)
• 011fa2b Ensure constant format strings in wf calls
• 4b439bf Remove itemNil
• a473c12 Add test for out of range float64
• b535ff8 Add some boring tests for lex.go
• 6011ef0 Remove unreachable condition in lexTableNameStart
• c8ca9e6 Remove unreachable condition
• 1121f81 Make tomlv read from stdin
• Additional commits viewable in compare view

Updates github.com/gin-gonic/gin from 1.11.0 to 1.12.0

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.12.0

Changelog

Features

• 192ac89eefc1c30f7c97ae48a9ffb1c6f1c8c8bc: feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203) (@​takanuva15)
• 53410d2e07054369e0960fbe2eed97e1b9966f12: feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502) (@​raju-mechatronics)
• acc55e049e33b401e810dbd8c0d6dcb6b3ba2b05: feat(context): add Protocol Buffers support to content negotiation (#4423) (@​1911860538)
• 38e765119241d990705169bedb5002a29ae0cbd1: feat(context): implemented Delete method (@​Spyder01)
• 771dcc6476d7bc6abb9ec0235ecefa4d38fe6fb0: feat(gin): add option to use escaped path (#4420) (@​ldesauw)
• 4dec17afdff48e8018c83618fbbe69fceeb2b41d: feat(logger): color latency (#4146) (@​wsyqn6)
• d7776de7d444935ea4385999711bd6331a98fecb: feat(render): add bson protocol (#4145) (@​laurentcau)

Bug fixes

• b917b14ff9d189f16a7492be79d123a47806ee19: fix(binding): empty value error (#2169) (@​guonaihong)
• c3d1092b3b48addf6f9cd00fe274ec3bd14650eb: fix(binding): improve empty slice/array handling in form binding (#4380) (@​1911860538)
• 9914178584e42458ff7d23891463a880f58c9d86: fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472) (@​Nurysso)
• 2a794cd0b0faa7d829291375b27a3467ea972b0d: fix(debug): version mismatch (#4403) (@​zeek0x)
• c3d5a28ed6d3849da820195b6774d212bcc038a9: fix(gin): close os.File in RunFd to prevent resource leak (#4422) (@​1911860538)
• 5fad976b372e381312f8de69f0969f1284d229d3: fix(gin): literal colon routes not working with engine.Handler() (#4415) (@​pawannn)
• 63dd3e60cab89c27fb66bce1423bd268d52abad1: fix(recover): suppress http.ErrAbortHandler in recover (#4336) (@​MondayCha)
• 5c00df8afadd06cc5be530dde00fe6d9fa4a2e4a: fix(render): write content length in Data.Render (#4206) (@​dengaleev)
• 234a6d4c00cb77af9852aca0b8289745d5529b4b: fix(response): refine hijack behavior for response lifecycle (#4373) (@​appleboy)
• 472d086af2acd924cb4b9d7be0525f7d790f69bc: fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535) (@​veeceey)
• 8e07d37c63e5536eb25f4af4c91eabeee4011fba: fix: Correct typos, improve documentation clarity, and remove dead code (#4511) (@​mahanadh)

Enhancements

• ba093d19477b896ac89a7fc3246af23d290b8e26: chore(binding): upgrade bson dependency to mongo-driver v2 (#4549) (@​BobDu)
• b2b489dbf4826c2c630717a77fd5e42774625410: chore(context): always trust xff headers from unix socket (#3359) (@​WeidiDeng)
• ecb3f7b5e2f3915bf1db240ed5eee572f8dbea36: chore(deps): upgrade golang.org/x/crypto to v0.45.0 (#4449) (@​appleboy)
• af6e8b70b8261bb0c99ad094fe552ab92991620a: chore(deps): upgrade quic-go to v0.57.1 (@​appleboy)
• db309081bc5c137b2aa15701ef53f7f19788da25: chore(logger): allow skipping query string output (#4547) (@​USA-RedDragon)
• 26c3a628655cad2388380cb8102d6ce7d4875f3b: chore(response): prevent Flush() panic when http.Flusher (#4479) (@​Twacqwq)
• 5dd833f1f26de0eb30eae47b17e05ced2482dc41: chore: bump minimum Go version to 1.24 and update workflows (#4388) (@​appleboy)

Refactor

• 39858a0859c914bd26948fa950477e11bd8d3823: refactor(binding): use maps.Copy for cleaner map handling (#4352) (@​russcoss)
• c0048f645ee945c4db30593afdea10123e2c30a6: refactor(context): omit the return value names (#4395) (@​wanghaolong613)
• 915e4c90d28ec4cffc6eb146e208ab5a65eac772: refactor(context): replace hardcoded localhost IPs with constants (#4481) (@​pauloappbr)
• 414de60574449457f3192a7a1d5528940db2836d: refactor(context): using maps.Clone (#4333) (@​cuiweixie)
• 59e9d4a794f12c4f9a6c7bed441b9644e5f6d99b: refactor(ginS): use sync.OnceValue to simplify engine function (#4314) (@​1911860538)
• 3ab698dc5110af1977d57226e4995c57dd34c233: refactor(recovery): smart error comparison (#4142) (@​zeek0x)
• d1a15347b1e45a8ee816193d3578a93bfd73b70f: refactor(utils): move util functions to utils.go (#4467) (@​zeek0x)
• e3118cc378d263454098924ebbde7e8d1dd2e904: refactor: for loop can be modernized using range over int (#4392) (@​wanghaolong613)
• 488f8c3ffa579a8d19beb2bae95ff8ef36b3d53f: refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529) (@​veeceey)
• 9968c4bf9d5a99edc3eee2c068a4c9160ece8915: refactor: use b.Loop() to simplify the code and improve performance (#4389) (@​reddaisyy)
• a85ef5ce4d0cda8834c59c855068ed48b51192d1: refactor: use b.Loop() to simplify the code and improve performance (#4432) (@​efcking)

Build process updates

• 61b67de522a189b568aced4c5c16917c558e3387: ci(bot): increase frequency and group updates for dependencies (#4367) (@​appleboy)
• fb27ef26c2fdfe25344b4c039d8a53551f9e912c: ci(lint): refactor test assertions and linter configuration (#4436) (@​appleboy)
• 93ff771e6dbf10e432864b30f3719ac5c84a4d4a: ci(sec): improve type safety and server organization in HTTP middleware (#4437) (@​appleboy)
• e88fc8927a52b74f55bec0351604a56ac0aa1c51: ci(sec): schedule Trivy security scans to run daily at midnight UTC (#4439) (@​appleboy)
• 5e5ff3ace496a31b138b0820136a146bfb5de0ef: ci: replace vulnerability scanning workflow with Trivy integration (#4421) (@​appleboy)
• 00900fb3e1ea9dde33985a0e4f6afec793d5e786: ci: update CI workflows and standardize Trivy config quotes (#4531) (@​appleboy)
• ae3f524974fc4f55d18c9e7fae4614503c015226: ci: update Go version support to 1.25+ across CI and docs (#4550) (@​appleboy)

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.12.0

Features

• feat(render): add bson protocol (#4145)
• feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502)
• feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203)
• feat(gin): add option to use escaped path (#4420)
• feat(context): add Protocol Buffers support to content negotiation (#4423)
• feat(context): implemented Delete method (#38e7651)
• feat(logger): color latency (#4146)

Enhancements

• perf(tree): reduce allocations in findCaseInsensitivePath (#4417)
• perf(recovery): optimize line reading in stack function (#4466)
• perf(path): replace regex with custom functions in redirectTrailingSlash (#4414)
• perf(tree): optimize path parsing using strings.Count (#4246)
• chore(logger): allow skipping query string output (#4547)
• chore(context): always trust xff headers from unix socket (#3359)
• chore(response): prevent Flush() panic when the underlying ResponseWriter does not implement http.Flusher (#4479)
• refactor(recovery): smart error comparison (#4142)
• refactor(context): replace hardcoded localhost IPs with constants (#4481)
• refactor(utils): move util functions to utils.go (#4467)
• refactor(binding): use maps.Copy for cleaner map handling (#4352)
• refactor(context): using maps.Clone (#4333)
• refactor(ginS): use sync.OnceValue to simplify engine function (#4314)
• refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529)
• refactor: for loop can be modernized using range over int (#4392)

Bug Fixes

• fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
• fix(render): write content length in Data.Render (#4206)
• fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472)
• fix(binding): empty value error (#2169)
• fix(recover): suppress http.ErrAbortHandler in recover (#4336)
• fix(gin): literal colon routes not working with engine.Handler() (#4415)
• fix(gin): close os.File in RunFd to prevent resource leak (#4422)
• fix(response): refine hijack behavior for response lifecycle (#4373)
• fix(binding): improve empty slice/array handling in form binding (#4380)
• fix(debug): version mismatch (#4403)
• fix: correct typos, improve documentation clarity, and remove dead code (#4511)

Build process updates / CI

• ci: update Go version support to 1.25+ across CI and docs (#4550)
• chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)

Commits

• 73726dc docs: update documentation to reflect Go version changes (#4552)
• e292e5c docs: document and finalize Gin v1.12.0 release (#4551)
• ae3f524 ci: update Go version support to 1.25+ across CI and docs (#4550)
• 38534e2 chore(deps): bump golang.org/x/net from 0.50.0 to 0.51.0 (#4548)
• 472d086 fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
• fb25834 test(context): use http.StatusContinue constant instead of magic number 100 (...
• 6f1d5fe test(render): add comprehensive error handling tests (#4541)
• 5c00df8 fix(render): write content length in Data.Render (#4206)
• db30908 chore(logger): allow skipping query string output (#4547)
• ba093d1 chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)
• Additional commits viewable in compare view

Updates github.com/go-sql-driver/mysql from 1.9.2 to 1.10.0

Release notes

Sourced from github.com/go-sql-driver/mysql's releases.

v1.10.0

What's Changed

• add Go 1.24 to the test matrix by @​shogo82148 in go-sql-driver/mysql#1681
• modernize for Go 1.22 by @​methane in go-sql-driver/mysql#1695
• test stability improvement. by @​methane in go-sql-driver/mysql#1698
• simplify collation tests by @​methane in go-sql-driver/mysql#1700
• fix bigint unsigned null column scan to err type int64 by @​elonnzhang in go-sql-driver/mysql#1612
• Transaction Commit/Rollback returns conn's cached error, if present by @​brad-defined in go-sql-driver/mysql#1691
• add BenchmarkReceive10kRowsCompress by @​methane in go-sql-driver/mysql#1704
• optimize readPacket by @​methane in go-sql-driver/mysql#1705
• MariaDB Metadata skipping and DEPRECATE_EOF by @​rusher in go-sql-driver/mysql#1708
• Optimization: statements reuse previous column name by @​methane in go-sql-driver/mysql#1711
• update outdated MySQL internals documentation links by @​demouth in go-sql-driver/mysql#1714
• fix PING on compressed connections by @​methane in go-sql-driver/mysql#1721
• add DeepWiki badge by @​methane in go-sql-driver/mysql#1722
• Update edwards25519 dependency to v1.1.1 by @​williamhaw in go-sql-driver/mysql#1749
• Configure Dependabot for Go modules by @​methane in go-sql-driver/mysql#1755
• Bump dominikh/staticcheck-action from 1.3.1 to 1.4.1 by @​dependabot[bot] in go-sql-driver/mysql#1759
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in go-sql-driver/mysql#1760
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1757
• fix staticcheck error by @​methane in go-sql-driver/mysql#1761
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1758
• Fix getSystemVar buffer reuse by @​morgo in go-sql-driver/mysql#1754
• Consolidate Dependabot update noise by grouping weekly dependency PRs by @​Copilot in go-sql-driver/mysql#1762
• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 by @​dependabot[bot] in go-sql-driver/mysql#1756
• CI: Update GitHub Actions Go matrix to 1.24–1.26 by @​Copilot in go-sql-driver/mysql#1763
• Enhance interpolateParams to correctly handle placeholders by @​rusher in go-sql-driver/mysql#1732
• modernize by @​methane in go-sql-driver/mysql#1764
• release v1.10.0 by @​methane in go-sql-driver/mysql#1765

New Contributors

• @​elonnzhang made their first contribution in go-sql-driver/mysql#1612
• @​brad-defined made their first contribution in go-sql-driver/mysql#1691
• @​rusher made their first contribution in go-sql-driver/mysql#1708
• @​demouth made their first contribution in go-sql-driver/mysql#1714
• @​williamhaw made their first contribution in go-sql-driver/mysql#1749
• @​dependabot[bot] made their first contribution in go-sql-driver/mysql#1759
• @​morgo made their first contribution in go-sql-driver/mysql#1754
• @​Copilot made their first contribution in go-sql-driver/mysql#1762

Full Changelog: go-sql-driver/mysql@v1.9.2...v1.10.0

v1.9.3

What's Changed

• [1.9] test stability improvement. by @​methane in go-sql-driver/mysql#1699
• [1.9] Transaction Commit/Rollback returns conn's cached error by @​methane in go-sql-driver/mysql#1702
• backport benchmark_test by @​methane in go-sql-driver/mysql#1706
• [1.9] optimize readPacket (#1705) by @​methane in go-sql-driver/mysql#1707
• [1.9] fix PING on compressed connections by @​methane in go-sql-driver/mysql#1723
• release v1.9.3 by @​methane in go-sql-driver/mysql#1725

... (truncated)

Changelog

Sourced from github.com/go-sql-driver/mysql's changelog.

v1.10.0 (2026-04-28)

• Fix getSystemVar("max_allowed_packet") potentially returned wrong value. (#1754) This affects only when maxAllowedPacket=0 is set.

• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0. (#1756) While older versions have reported CVEs, they do not affect go-mysql.

• Update Go versions to 1.24-1.26. (#1763)

• Enhance interpolateParams to correctly handle placeholders. (#1732) The question mark (?) within strings and comments will no longer be treated as a placeholder.

v1.9.3 (2025-06-13)

• tx.Commit() and tx.Rollback() returned ErrInvalidConn always. Now they return cached real error if present. (#1690)

• Optimize reading small result sets to fix a performance regression introduced by compression protocol support. ([#1707](https://github.com/go-sql-driver/mysql/issues/1707))

• Fix db.Ping() on compressed connection. (#1723)

Commits

• a065b60 release v1.10.0 (#1765)
• 09e4187 modernize (#1764)
• 6c44a9a Enhance interpolateParams to correctly handle placeholders (#1732)
• 688ce56 Update supported Go version to 1.24–1.26 (#1763)
• 118d07f Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 (#1756)
• d6b2d3e Consolidate Dependabot update noise by grouping weekly dependency PRs (#1762)
• 037dfd8 Fix getSystemVar buffer reuse (#1754)
• 900f330 Bump actions/checkout from 4 to 6 (#1758)
• ab9e380 fix staticcheck error (#1761)
• f298c66 Bump actions/setup-go from 5 to 6 (#1757)
• Additional commits viewable in compare view

Updates github.com/prometheus/client_golang from 1.22.0 to 1.23.2

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.23.2 - 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

• [release-1.23] Upgrade to prometheus/common@v0.66.1 by @​aknuds1 in prometheus/client_golang#1869
• [release-1.23] Cut v1.23.2 by @​aknuds1 in prometheus/client_golang#1870

Full Changelog: prometheus/client_golang@v1.23.1...v1.23.2

v1.23.1 - 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

• [release-1.23] Upgrade to prometheus/common v0.66 by @​aknuds1 in prometheus/client_golang#1866
• [release-1.23] Cut v1.23.1 by @​aknuds1 in prometheus/client_golang#1867

Full Changelog: prometheus/client_golang@v1.23.0...v1.23.1

v1.23.0 - 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

... (truncated)

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

Commits

• 8179a56 Cut v1.23.2 (#1870)
• 4142b59 Merge pull request #1869 from prometheus/arve/upgrade-common
• 4ff40f0 Cut v1.23.1 (#1867)
• 989b029 Upgrade to prometheus/common v0.66 (#1866)
• e4b2208 Cut v1.23.0 (#1848)
• d9492af cut v1.23.0-rc.1 (#1842)
• aeae8a0 Cut v1.23.0-rc.0 (#1837)
• b157309 Update common Prometheus files (#1832)
• a704e28 build(deps): bump the github-actions group with 3 updates (#1826)
• c774311 Fix errNotImplemented reference (#1835)
• Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.19.0 to 9.20.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.20.0

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

• AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
• INCREX (#3816) — atomic increment with expiration in a single round-trip.
• XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
• XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
• TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
• Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
• JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

• RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
• INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
• XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
• TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
• XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
• JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
• Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
• FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
• Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

• TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
• Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov
• ClusterClient Watch retry: User errors returned from a Watch callback are no longer subjected to cluster-retry classification; transient cluster errors still retry, but a callback returning e.g. net.ErrClosed short-circuits immediately (#3821) by @​obiyang

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.20.0 (2026-05-28)

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8-rc1 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

• AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
• INCREX (#3816) — atomic increment with expiration in a single round-trip.
• XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
• XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
• TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
• Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
• JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

• RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
• INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
• XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
• TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
• XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
• JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
• Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
• FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
• Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

• TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
• Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov

... (truncated)

Details

Description has been truncated

Summary by CodeRabbit

• Chores
  • Updated Go version to 1.26.0
  • Refreshed core project dependencies including web framework, database drivers, monitoring and observability packages, caching, and distributed systems tools
  • Updated transitive dependencies across the dependency tree, including migration to newer authentication library version
  • Bumped utility packages for performance and compatibility improvements

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request updates the Go module file to use Go 1.26.0 and refreshes all direct and indirect dependencies. Direct dependencies including Gin, MySQL driver, Prometheus client, Redis client, etcd, OpenTelemetry suite, gRPC, and GORM are bumped to newer versions. Indirect dependencies are comprehensively updated, including a migration from golang-jwt v4 to v5 and advanced versions of gRPC gateway/middleware modules, Prometheus packages, and OpenTelemetry instrumentation libraries.

Changes

Dependency ecosystem upgrade

Layer / File(s)	Summary
Go version and core direct dependencies go.mod (lines 3–46)	Go toolchain directive updated to 1.26.0; primary direct dependencies refreshed including Gin, MySQL driver, Prometheus client, Redis v9 client, etcd (v3.5.21→v3.6.12), OpenTelemetry (v1.43→v1.44), gRPC, Kubernetes client-go, GORM, zap, and golang.org/x/sys.
Indirect transitive dependencies go.mod (lines 48–65, 75–100, 118–166)	Early indirect deps from bytedance/sonic and coreos modules advanced; mid-range indirects updated for validation, JSON/YAML serializers, and JWT family migration to v5; tail section refreshes Prometheus components, etcd/OpenTelemetry instrumentation, MongoDB driver, golang.org/x libraries, google.golang.org/genproto pseudo-versions, and Kubernetes utilities.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 The dependencies hop and dance,
From etcd three-point-five to three-point-six they prance!
JWT v4 trades in robes of v5,
OpenTelemetry metrics keep telemetry alive,
A spring refresh for the Go garden today!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: a dependency update for 22 packages in the security-updates group, which is precisely what the changeset contains.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/main/security-updates-dc7efa4fdc

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

go.mod (1)

170-170: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove (or bump) the gRPC replace pin to v1.63.2

go.mod requires google.golang.org/grpc v1.81.1, but replace google.golang.org/grpc => google.golang.org/grpc v1.63.2 (line 170) downgrades it to a version in the CRITICAL authorization-bypass range (< 1.79.3, first patched 1.79.3).

Recommended actions:

• Remove the replace directive so the dependency stays at v1.81.1.
• If the replace is required, update it to google.golang.org/grpc v1.79.3 (or newer, ideally v1.81.1)—don’t keep v1.63.2.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 170, The go.mod currently forces google.golang.org/grpc to
v1.63.2 via the replace directive, which downgrades the module into a vulnerable
range; remove the "replace google.golang.org/grpc => google.golang.org/grpc
v1.63.2" directive so the module uses the declared v1.81.1, or if a replace is
required update it to at least v1.79.3 (preferably v1.81.1) to eliminate the
authorization-bypass vulnerability—edit the replace entry in go.mod accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 95: go.mod currently resolves github.com/jackc/pgx/v5 to v5.6.0 via
gorm.io/driver/postgres; update dependencies so pgx/v5 resolves to >= v5.9.2
(prefer v5.10.0) by either bumping gorm.io/driver/postgres to a version that
pulls pgx v5.9.2+ or adding an explicit require for github.com/jackc/pgx/v5
v5.9.2 (or v5.10.0) in go.mod and then run go get github.com/jackc/pgx/v5@v5.9.2
(or `@v5.10.0`) and go mod tidy to ensure transitive resolution, verify with go
list -m all that github.com/jackc/pgx/v5 now resolves to v5.9.2+.

---

Outside diff comments:
In `@go.mod`:
- Line 170: The go.mod currently forces google.golang.org/grpc to v1.63.2 via
the replace directive, which downgrades the module into a vulnerable range;
remove the "replace google.golang.org/grpc => google.golang.org/grpc v1.63.2"
directive so the module uses the declared v1.81.1, or if a replace is required
update it to at least v1.79.3 (preferably v1.81.1) to eliminate the
authorization-bypass vulnerability—edit the replace entry in go.mod accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d2cc7190-a2c2-4557-ab26-7b661a3814d1

📥 Commits

Reviewing files that changed from the base of the PR and between 9b825f1 and c53187f.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find parent dependency and check for pgx/v5 updates

# Find which direct dependency requires pgx/v5
go mod graph | grep 'jackc/pgx/v5'

# Check for available newer versions
go list -m -versions github.com/jackc/pgx/v5

# Check security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/jackc/pgx") {
    nodes {
      advisory {
        summary
        severity
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: kubeservice-stack/common

Length of output: 2303

---

🌐 Web query:

What is the latest patched version of github.com/jackc/pgx/v5 that fixes CVE-2026-33815 and GHSA-j88v-2chj-qfwx?

💡 Result:

The latest patched version of github.com/jackc/pgx/v5 that addresses the specified vulnerabilities is v5.9.2 or later [1][2]. Regarding the specific identifiers: - CVE-2026-33815 (also tracked as GHSA-xgrm-4fwx-7qm8 and GO-2026-4771) is a memory-safety vulnerability fixed in version 5.9.0 [3][4][5]. - GHSA-j88v-2chj-qfwx (associated with CVE-2026-41889) is an SQL injection vulnerability fixed in version 5.9.2 [2][6]. Since version 5.9.2 includes fixes for both issues (and subsequent versions like v5.10.0 contain all prior security patches), upgrading to v5.9.2 or the latest available version (v5.10.0 as of June 2026) is recommended [7][1][2].

Citations:

• 1: https://github.com/jackc/pgx/blob/master/CHANGELOG.md
• 2: GHSA-j88v-2chj-qfwx
• 3: https://pkg.go.dev/vuln/GO-2026-4771
• 4: GHSA-xgrm-4fwx-7qm8
• 5: https://osv.dev/vulnerability/GO-2026-4771
• 6: https://osv.dev/vulnerability/GHSA-j88v-2chj-qfwx
• 7: https://pkg.go.dev/github.com/jackc/pgx/v5

---

🌐 Web query:

GHSA-9jj7-4m8r-rfcm github.com/jackc/pgx/v5 affected versions fixed version

💡 Result:

The vulnerability GHSA-9jj7-4m8r-rfcm (also identified as CVE-2026-33816) is a critical memory-safety vulnerability affecting the github.com/jackc/pgx/v5 package [1][2]. Affected versions include all versions before 5.9.0 [1][2]. The fixed version is 5.9.0 or later [1][2].

Citations:

• 1: https://osv.dev/vulnerability/GHSA-9jj7-4m8r-rfcm
• 2: https://pkg.go.dev/vuln/GO-2026-4772

---

🌐 Web query:

CVE-2026-33815 github.com/jackc/pgx/v5 fixed in which version affected range

💡 Result:

CVE-2026-33815 is a memory-safety vulnerability in the github.com/jackc/pgx/v5/pgproto3 package [1][2]. It was caused by improper validation of an array index in the Bind.Decode() function, which could allow an attacker to trigger unexpected memory access or a client-side panic by sending specially crafted input with a negative parameter length [2]. The affected range is all versions of github.com/jackc/pgx/v5 prior to v5.9.0 [3][4]. The vulnerability was fixed in version 5.9.0 [1][2].

Citations:

• 1: https://osv.dev/vulnerability/GO-2026-4771
• 2: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5PGPROTO3-15923580
• 3: GHSA-xgrm-4fwx-7qm8
• 4: https://pkg.go.dev/vuln/GO-2026-4771

---

🌐 Web query:

CVE-2026-33816 github.com/jackc/pgx/v5 fixed in which version affected range

💡 Result:

CVE-2026-33816 is a critical memory-safety vulnerability (specifically a use-after-free flaw) identified in the github.com/jackc/pgx/v5 Go library [1][2][3]. This vulnerability has been fixed in version 5.9.0 [1][4][3]. Any version of github.com/jackc/pgx/v5 released prior to 5.9.0 is affected [1][3]. Users are advised to upgrade to version 5.9.0 or later to mitigate the risk [2].

Citations:

• 1: https://nvd.nist.gov/vuln/detail/CVE-2026-33816
• 2: https://www.sentinelone.com/vulnerability-database/cve-2026-33816/
• 3: https://pkg.go.dev/vuln/GO-2026-4772
• 4: https://test.osv.dev/vulnerability/CVE-2026-33816

---

🌐 Web query:

GHSA-j88v-2chj-qfwx github.com/jackc/pgx/v5 fixed in which version affected range

💡 Result:

The vulnerability GHSA-j88v-2chj-qfwx, also tracked as CVE-2026-41889, is a SQL injection issue affecting the github.com/jackc/pgx/v5 Go package [1][2]. The affected range is all versions prior to 5.9.2 (< 5.9.2) [1][3]. The issue was fixed in version 5.9.2 [1][4]. The vulnerability can occur specifically when the non-default simple protocol (pgx.QueryExecModeSimpleProtocol) is used in conjunction with a dollar-quoted string literal that contains content which would be interpreted as a query placeholder outside of that string literal, and the value of that placeholder is controllable by an attacker [1][5].

Citations:

• 1: GHSA-j88v-2chj-qfwx
• 2: https://cve.circl.lu/cve/GHSA-j88v-2chj-qfwx
• 3: https://cve.circl.lu/cve/CVE-2026-41889
• 4: https://osv.dev/vulnerability/GHSA-j88v-2chj-qfwx
• 5: https://www.resolvedsecurity.com/vulnerability-catalog/GHSA-j88v-2chj-qfwx

---

CRITICAL: Upgrade transitive github.com/jackc/pgx/v5 from v5.6.0 to >= v5.9.2.

go.mod has github.com/jackc/pgx/v5 v5.6.0 // indirect (pulled by gorm.io/driver/postgres v1.6.0). v5.6.0 is affected by:

• Memory-safety issues: GHSA-9jj7-4m8r-rfcm / CVE-2026-33815 / CVE-2026-33816 — fixed in v5.9.0+
• SQL injection (placeholder confusion): GHSA-j88v-2chj-qfwx / CVE-2026-41889 — fixed in v5.9.2+

Update gorm.io/driver/postgres (or the dependency that pins pgx) so pgx/v5 resolves to v5.9.2 or later (v5.10.0 is available).

🧰 Tools

🪛 OSV Scanner (2.3.8)

[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: CVE-2026-33815 in github.com/jackc/pgx

(GO-2026-4771)

---

[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: CVE-2026-33816 in github.com/jackc/pgx

(GO-2026-4772)

---

[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: Memory-safety vulnerability in github.com/jackc/pgx/v5.

(GHSA-9jj7-4m8r-rfcm)

---

[CRITICAL] 95-95: github.com/jackc/pgx/v5 5.6.0: pgx: SQL Injection via placeholder confusion with dollar quoted string literals

(GHSA-j88v-2chj-qfwx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 95, go.mod currently resolves github.com/jackc/pgx/v5 to
v5.6.0 via gorm.io/driver/postgres; update dependencies so pgx/v5 resolves to >=
v5.9.2 (prefer v5.10.0) by either bumping gorm.io/driver/postgres to a version
that pulls pgx v5.9.2+ or adding an explicit require for github.com/jackc/pgx/v5
v5.9.2 (or v5.10.0) in go.mod and then run go get github.com/jackc/pgx/v5@v5.9.2
(or `@v5.10.0`) and go mod tidy to ensure transitive resolution, verify with go
list -m all that github.com/jackc/pgx/v5 now resolves to v5.9.2+.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.