Skip to content
This repository was archived by the owner on Jul 6, 2026. It is now read-only.

build(deps): bump the go_modules group across 1 directory with 5 updates#100

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/go_modules-7ceba06f8d
Open

build(deps): bump the go_modules group across 1 directory with 5 updates#100
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/go_modules-7ceba06f8d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown

Bumps the go_modules group with 3 updates in the / directory: github.com/hashicorp/go-getter, github.com/moby/spdystream and github.com/sirupsen/logrus.

Updates github.com/hashicorp/go-getter from 1.7.1 to 1.8.6

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.6

No release notes provided.

v1.8.5

What's Changed

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

v1.8.4

What's Changed

... (truncated)

Commits
  • d23bff4 Merge pull request #608 from hashicorp/dependabot/go_modules/go-security-9c51...
  • 2c4aba8 Merge pull request #613 from hashicorp/pull/v1.8.6
  • fe61ed9 Merge pull request #611 from hashicorp/SECVULN-41053
  • d533656 Merge pull request #606 from hashicorp/pull/CRT
  • 388f23d Additional test for local branch and head
  • b7ceaa5 harden checkout ref handling and added regression tests
  • 769cc14 Release version bump up
  • 6086a6a Review Comments Addressed
  • e02063c Revert "SECVULN Fix for git checkout argument injection enables arbitrary fil...
  • c93084d [chore] : Bump google.golang.org/grpc
  • Additional commits viewable in compare view

Updates github.com/moby/spdystream from 0.4.0 to 0.5.1

Release notes

Sourced from github.com/moby/spdystream's releases.

v0.5.1

What's Changed

Security

Fix memory amplification in SPDY frame parsing leads to denial of service (CVE-2026-35469 / GHSA-pc3f-x583-g7j2)

Changes

Full Changelog: moby/spdystream@v0.5.0...v0.5.1

[v0.5.0] Avoid leaking timeout timer channels and update github actions

What's Changed

Full Changelog: moby/spdystream@v0.4.0...v0.5.0

Commits
  • c59e5d7 Merge pull request #109 from thaJeztah/use_ioutil
  • 2fd0155 use ioutil.Discard for go1.13 compatibility
  • ef6121f Merge commit from fork
  • 241cec9 compare with signed Int for 32-bit Arm
  • 21c3864 Add options to customize limits
  • acf9b45 spdy: update godoc for MaxDataLength
  • eb63605 spdy: limit header-size and header-count
  • 2f21da4 spdy: fix header block byte accounting
  • 5976b66 spdy: enforce 24-bit frame length limits
  • cf0ec5d Guard against oversized SPDY frames
  • Additional commits viewable in compare view

Updates github.com/sirupsen/logrus from 1.9.0 to 1.9.1

Release notes

Sourced from github.com/sirupsen/logrus's releases.

v1.9.1

What's Changed

New Contributors

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

Changelog

Sourced from github.com/sirupsen/logrus's changelog.

1.9.1

Fixes:

  • Fix potential denial of service in logrus.Writer() when logging >64KB single-line payloads without newlines (#1376)
Commits
  • b30aa27 Merge pull request #1339 from xieyuschen/patch-1
  • 6acd903 Merge pull request #1376 from ozfive/master
  • 105e63f Merge pull request #1 from ashmckenzie/ashmckenzie/fix-writer-scanner
  • c052ba6 Scan text in 64KB chunks
  • e59b167 Merge pull request #1372 from tommyblue/syslog_different_loglevels
  • 766cfec This commit fixes a potential denial of service vulnerability in logrus.Write...
  • 70234da Add instructions to use different log levels for local and syslog
  • a448f82 Merge pull request #1362 from FrancoisWagner/fix-data-race-in-hooks-test-pkg
  • ff07b25 Fix data race in hooks.test package
  • d8787af Use text when shows the logrus output
  • See full diff in compare view

Updates golang.org/x/net from 0.26.0 to 0.52.0

Commits
  • 316e20c go.mod: update golang.org/x dependencies
  • 9767a42 internal/http3: add support for plugging into net/http
  • 4a81284 http2: update docs to disrecommend this package
  • dec6603 dns/dnsmessage: reject too large of names early during unpack
  • 8afa12f http2: deprecate write schedulers
  • 38019a2 http2: add missing copyright header to export_test.go
  • 039b87f internal/http3: return error when Write is used after status 304 is set
  • 6267c6c internal/http3: add HTTP 103 Early Hints support to ClientConn
  • 591bdf3 internal/http3: add HTTP 103 Early Hints support to Server
  • 1faa6d8 internal/http3: avoid potential race when aborting RoundTrip
  • Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.56.2 to 1.79.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

  • stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

Release 1.79.0

API Changes

  • mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

  • balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

  • experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
  • pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
    • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
  • xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
  • balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)

Bug Fixes

  • credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
  • health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)

Performance Improvements

  • credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
  • mem: Optimize pooling and creation of buffer objects. (#8784)
  • transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 3 updates in the / directory: [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter), [github.com/moby/spdystream](https://github.com/moby/spdystream) and [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus).


Updates `github.com/hashicorp/go-getter` from 1.7.1 to 1.8.6
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Commits](hashicorp/go-getter@v1.7.1...v1.8.6)

Updates `github.com/moby/spdystream` from 0.4.0 to 0.5.1
- [Release notes](https://github.com/moby/spdystream/releases)
- [Commits](moby/spdystream@v0.4.0...v0.5.1)

Updates `github.com/sirupsen/logrus` from 1.9.0 to 1.9.1
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](sirupsen/logrus@v1.9.0...v1.9.1)

Updates `golang.org/x/net` from 0.26.0 to 0.52.0
- [Commits](golang/net@v0.26.0...v0.52.0)

Updates `google.golang.org/grpc` from 1.56.2 to 1.79.3
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.56.2...v1.79.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-version: 1.8.6
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/moby/spdystream
  dependency-version: 0.5.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.52.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 2, 2026
@dependabot dependabot Bot added the go Pull requests that update go code label Jul 2, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants