build(deps): bump the gomod-backward-compatible group with 9 updates

[dependabot]

Bumps the gomod-backward-compatible group with 9 updates:

Package	From	To
github.com/brianvoe/gofakeit/v7	7.14.1	7.15.0
github.com/go-chi/chi/v5	5.2.5	5.3.0
github.com/go-co-op/gocron/v2	2.21.1	2.21.2
github.com/mattn/go-sqlite3	1.14.42	1.14.44
github.com/oapi-codegen/runtime	1.4.0	1.4.1
github.com/tidwall/gjson	1.18.0	1.19.0
github.com/urfave/cli/v3	3.8.0	3.9.0
github.com/wneessen/go-mail	0.7.2	0.7.3
golang.org/x/crypto	0.50.0	0.52.0

Updates github.com/brianvoe/gofakeit/v7 from 7.14.1 to 7.15.0

Commits

• 010dc54 email - better email generation with weighted mix and testing valid email gen...
• 794efc9 password - space usage adjustment
• See full diff in compare view

Updates github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Updates github.com/go-co-op/gocron/v2 from 2.21.1 to 2.21.2

Release notes

Sourced from github.com/go-co-op/gocron/v2's releases.

v2.21.2

What's Changed

• fix: defer WithLimitedRuns job removal until task completes (#925) by @​SAY-5 in go-co-op/gocron#926

New Contributors

• @​SAY-5 made their first contribution in go-co-op/gocron#926

Full Changelog: go-co-op/gocron@v2.21.1...v2.21.2

Commits

• 629cfc5 fix: defer WithLimitedRuns job removal until task completes (#925) (#926)
• See full diff in compare view

Updates github.com/mattn/go-sqlite3 from 1.14.42 to 1.14.44

Commits

• 20826e8 Merge pull request #1394 from mattn/sqlite-amalgamation-3053000
• 2d4d220 fix changelog URL when minor or patch version is zero
• 3761cf7 Upgrade SQLite to version 3053000
• 1aa7317 Merge pull request #1388 from mattn/stmt-cache-lru
• c719e20 Merge pull request #1392 from mattn/fix-issue-1390-query-comment-panic
• 869e516 fix panic when querying input with no SQL (only comments/whitespace)
• 6690238 extract finalizeCachedStmt helper and drop redundant tail reset
• 59e8e75 only set stmt cacheKey when cache is enabled
• 2badb4c use slice len/cap for stmt cache instead of separate counters
• 7716c20 evict LRU stmt when stmt cache is full
• Additional commits viewable in compare view

Updates github.com/oapi-codegen/runtime from 1.4.0 to 1.4.1

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

Bug fixes

This is a bug fix release.

Changes in v1.4.0, coupled with changes in v2.7.0 of oapi-codegen exposed some new problems. deepObject style marshaling behavior now supports encoding unicode. UTF-8 can't be directly included in parameters, so we need to % escape it.

Form binding now detects maps, which makes binding to a Nullable possible. We can't use generics around Nullable[T], so we handle maps generically, assuming they're a Nullable with its behavior assumptions.

🐛 Bug fixes

• Fix form binding of Nullables (#133) @​mromaszewicz
• Percent-encode deepObject parameter wire output (#132) @​mromaszewicz

📦 Dependency updates

• chore(deps): update oapi-codegen/actions action to v0.7.0 (#127) @renovate[bot]
• chore(deps): update github/codeql-action action to v4 (#107) @renovate[bot]
• fix(deps): update module github.com/kataras/iris/v12 to v12.2.11 (#11) @renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

Commits

• 2755f15 Fix form binding of Nullables (#133)
• 17de1dd Percent-encode deepObject parameter wire output (#132)
• d2b7c4c chore(deps): update oapi-codegen/actions action to v0.7.0
• 6fd6c25 chore(deps): update github/codeql-action action to v4
• 19040cc fix(deps): update module github.com/kataras/iris/v12 to v12.2.11
• e05282e chore(deps): update release-drafter/release-drafter action to v7.2.0 (#122)
• See full diff in compare view

Updates github.com/tidwall/gjson from 1.18.0 to 1.19.0

Commits

• 0fac2c9 Add iterator functions All, Keys, and Values
• 4d23028 Add repo url
• 10d2662 Add copyright comment
• 4a91ee1 Update README.md
• See full diff in compare view

Updates github.com/urfave/cli/v3 from 3.8.0 to 3.9.0

Release notes

Sourced from github.com/urfave/cli/v3's releases.

v3.9.0

What's Changed

• chore(deps): bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in urfave/cli#2300
• chore(deps): bump the python-packages group across 1 directory with 3 updates by @​dependabot[bot] in urfave/cli#2301
• docs: fix typo by @​acrobatstick in urfave/cli#2299
• feat: add descriptions for bash and powershell autocompletion by @​gabelluardo in urfave/cli#2298
• Made command help more consistent by @​markshep-wbg in urfave/cli#2287
• Fix:(issue_2285): correct function and variable naming in fish completion script by @​TimSoethout in urfave/cli#2286
• fix(ci): update docs after bash completion update by @​gabelluardo in urfave/cli#2307
• fix: apply SliceFlagSeparator to env var sources by @​lawrence3699 in urfave/cli#2309
• fix: don't print empty line to stderr when Exit message is empty by @​Yanhu007 in urfave/cli#2310
• flag: prevent BoolWithInverseFlag.String from panicking without a tab by @​alliasgher in urfave/cli#2311
• refactor: bash completion script by @​gabelluardo in urfave/cli#2308
• fix: drop shebang from bash completion template by @​barry3406 in urfave/cli#2317
• fix: show flag completions when completing a double-dash prefix by @​morozov in urfave/cli#2316
• fix: parse flags for help subcommand (#2271) by @​barry3406 in urfave/cli#2319
• fix: show BoolWithInverseFlag aliases in help text by @​wucm667 in urfave/cli#2321

New Contributors

• @​gabelluardo made their first contribution in urfave/cli#2298
• @​markshep-wbg made their first contribution in urfave/cli#2287
• @​lawrence3699 made their first contribution in urfave/cli#2309
• @​Yanhu007 made their first contribution in urfave/cli#2310
• @​alliasgher made their first contribution in urfave/cli#2311
• @​barry3406 made their first contribution in urfave/cli#2317
• @​morozov made their first contribution in urfave/cli#2316
• @​wucm667 made their first contribution in urfave/cli#2321

Full Changelog: urfave/cli@v3.8.0...v3.9.0

Commits

• b5aa710 Merge pull request #2321 from wucm667/fix/bool-inverse-alias-help
• 2f662c8 docs: update testdata/godoc-v3.x.txt for BoolWithInverseFlag alias support
• b6aec8e docs: regenerate godoc-current.txt for BoolWithInverseFlag alias support
• c3a86f7 fix: show BoolWithInverseFlag aliases in help text
• f2cd020 Merge pull request #2319 from barry3406/fix/help-subcommand-flag-parsing
• 5af9500 fix: parse flags for help subcommand (#2271)
• b79d768 Merge pull request #2316 from morozov/fix-completion-double-dash
• 2925d6f Merge pull request #2317 from barry3406/fix/completion-shebang
• 65406c0 Merge pull request #2308 from gabelluardo/refactor-bash
• eb4cfc3 fix: drop shebang from bash completion template
• Additional commits viewable in compare view

Updates github.com/wneessen/go-mail from 0.7.2 to 0.7.3

Release notes

Sourced from github.com/wneessen/go-mail's releases.

v0.7.3: Skippable UTF-8 support, improved Base64LineBreaker, binary size reducing, fixes and more

Welcome to go-mail v0.7.3! 🎉

This release brings some cool improvements, new features, and fixes to go-mail. We hope you enjoy it!

Notable changes/improvements/features/fixes

Deadline fix for connections to a TLS port without TLS

PR #521 fixes a missing deadline in the Client that could cause a deadlock for connections to a TLS port without TLS enabled. Thanks to @​james-d-elliott for finding and fixing this issue!

Preseve EHLO and HELO errors

PR #528 fixes an error for cases in which both the HELO and EHLO fail during a client connect. In this case the first error would be overwritten by the 2nd action, potentially deleting valuable information. In go-mail v0.7.3 both errors are now combined. Thanks to @​Yanhu007 for their contribution!

Improved Base64LineBreaker

In PR #512 @​srpvpn refactored the Base64LineBreaker type to be more performant and easier to read by removing the recursion. Thanks for your contribution!

Reduce binary size by making text/template and html/template support optional

In PR #518 @​sblinch introduced a new compile time flag gomailnotpl which will make the text/template and html/template optional. Background is, that using reflect.Value.Method or reflect.Value.MethodByName prevents Go from performing full dead-code elimination because any exported method of any struct in the codebase could potentially be referenced at runtime. Unfortunately text/template and html/template do exactly this to allow method invocation from within templates. So in case your code does not need template support, you can use the new compile flag to remove the support for both packages completely and same some bytes in the resulting binary. Thanks for your contribution!

Fix nil pointer panic in partWriter

PR #543 fixes a potential nil pointer panic in the partWriter in case the underlying io.Writer returns an error during a multipart message write. Thanks to @​UgurTheG for reporting and fixing the issue!

Provide access to HELO responses in the SMTP client

PR #530 adds support to access the HELO/EHLO responses via the smtp.Client. This feature is useful when using an SMTP servers pool behind a load balancer, to know which instance took the job. Thanks to @​maxatome for submitting this feature!

Multiple addresses support in ReplyTo header

PR #517 adds support for multiple Reply-To addresses within a Msg, as permitted in RFC5322. Thanks to @​christian-heusel for pointing this out and for comitting the PR!

Support to disable SMTPUTF8 in the MAIL FROM even if the server announces it

PR #548 adds support for skipping the SMTPUTF8 extension to MAIL FROM commands. By default, when a server announces SMTPUTF8 support in the EHLO, go-mail will add SMTPUTF8 to the MAIL FROM command. As pointed out in #545, some SMTP servers (e. g. specific MS Exchange versions) announce the SMTPUTF8 extension in the EHLO response but when adding the SMTPUTF8 to the MAIL FROM, they will fail with an error. The PR introduces a new WithoutSMTPUTF8() option for the Client which will make sure to skip the SMTPUTF8 extension in the MAIL FROM, even if the server announced it previously. Thanks @​mkalus for reporting this issue and for their detailed analysis in #545.

What's Changed

• minor fix for func ResetWithSMTPClient and DialAndSendWithContext by @​sarff in wneessen/go-mail#500
• Refactored SendWithSMTPClient to improve error handling and added test cases by @​wneessen in wneessen/go-mail#502
• Refactored test and validation logic for message content checks by @​wneessen in wneessen/go-mail#503
• Fix a docstring typo by @​mitar in wneessen/go-mail#505
• Upstream sync: prevent test failures due to expired test certificate by @​wneessen in wneessen/go-mail#522
• fix: deadline not set for initial connection read by @​james-d-elliott in wneessen/go-mail#521
• Add deadlock test for client connections by @​wneessen in wneessen/go-mail#525
• fix: preserve EHLO error when both EHLO and HELO fail by @​Yanhu007 in wneessen/go-mail#528
• refactor: remove recursion from base64LineBreaker.Write by @​srpvpn in wneessen/go-mail#512
• Make text/template support optional to allow dead-code elimination by @​sblinch in wneessen/go-mail#518
• fix: prevent nil pointer panic in writeBody when partWriter is nil by @​UgurTheG in wneessen/go-mail#543
• feat: add (*smtp.Client).HelloResponse method to get EHLO/HELO response by @​maxatome in wneessen/go-mail#530
• feat: add option to skip SMTPUTF8 in "MAIL FROM" commands by @​wneessen in wneessen/go-mail#548
• Allow multiple Addresses in ReplyTo Header and add GetReplyTo() by @​christian-heusel in wneessen/go-mail#517

CI/CD maintenance changes

• Bump golang.org/x/text from 0.29.0 to 0.30.0 by @​dependabot[bot] in wneessen/go-mail#501
• Bump golang.org/x/text from 0.30.0 to 0.31.0 by @​dependabot[bot] in wneessen/go-mail#506

... (truncated)

Commits

• 52312c1 Update doc.go
• c34d456 Merge pull request #517 from christian-heusel/feat/multiple-reply-to
• c8710cf Update msg_test.go
• 709d037 Merge pull request #548 from wneessen/feature/545_add-support-for-buggy-excha...
• dc452e5 Add tests to validate SMTPUTF8 handling in MAIL FROM scenarios
• de64e2a Add test case for WithoutSMTPUTF8 functionality
• 59ac026 feat: add option to skip SMTPUTF8 in "MAIL FROM" commands
• dff98cb Merge pull request #530 from maxatome/hello-mesg
• 9a51737 Merge pull request #543 from UgurTheG/fix/writeto-nil-panic
• 01cc9d8 Merge pull request #544 from wneessen/dependabot/github_actions/github/codeql...
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.50.0 to 0.52.0

Commits

• a1c0d99 go.mod: update golang.org/x dependencies
• 3c7c869 ssh: fix deadlock on unexpected channel responses
• 533fb3f ssh: fix source-address critical option bypass
• abbc44d ssh: fix incorrect operator order
• e052873 ssh: fix infinite loop on large channel writes due to integer overflow
• b61cf85 ssh: enforce user presence verification for security keys
• 9c2cd33 ssh: enforce strict limits on DSA key parameters
• 8907318 ssh: reject RSA keys with excessively large moduli
• ffd87b4 ssh: fix panic when authority callbacks are nil
• 4e7a738 ssh: fix deadlock on unexpected global responses
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions