dev: bump the safe group across 1 directory with 15 updates

[dependabot]

Bumps the safe group with 7 updates in the / directory:

Package	From	To
github.com/coder/websocket	1.8.12	1.8.13
github.com/jackc/pgx/v5	5.7.2	5.7.4
github.com/nats-io/nats-server/v2	2.10.26	2.11.0
github.com/nats-io/nats.go	1.39.1	1.40.1
github.com/spf13/viper	1.19.0	1.20.1
gocloud.dev	0.40.0	0.41.0
gocloud.dev/pubsub/natspubsub	0.40.0	0.41.0

Updates github.com/coder/websocket from 1.8.12 to 1.8.13

Release notes

Sourced from github.com/coder/websocket's releases.

v1.8.13

Changes

• Use new atomic types from Go 1.19 by @​Jacalz in coder/websocket#444
• Fix coverage by @​mafredri in coder/websocket#466
• Clean out env passed to wasmbrowsertest in TestWasm by @​mafredri in coder/websocket#469
• Sunset the dev branch by @​mafredri in coder/websocket#471
• Replace filepath.Match with path.Match by @​KianYang-Lee in coder/websocket#452
• internal/bpool: add New function by @​bestgopher in coder/websocket#465
• accept: Add unwrapping for hijack like http.ResponseController by @​mafredri in coder/websocket#472
• docs: Fix docs and examples related to r.Context() usage by @​mafredri in coder/websocket#477
• Fix a typo in chat_test.go by @​henrybear327 in coder/websocket#491
• fix: avoid writing messages after close and improve handshake by @​FrauElster and @​mafredri in coder/websocket#476
• Disable AppArmor in CI to allow chrome sandbox by @​igolaizola in coder/websocket#511
• ci: disable AppArmor on daily and static workflows by @​igolaizola in coder/websocket#513
• Fix build with Go 1.24 by @​flyn-org in coder/websocket#508
• Add ping and pong received callbacks by @​igolaizola in coder/websocket#509
• ci: update wasmbrowsertest to a specific commit by @​igolaizola in coder/websocket#514
• ci: lock down staticcheck and govulncheck in lint.sh by @​mafredri in coder/websocket#523

Full Changelog: coder/websocket@v1.8.12...v1.8.13

Commits

• 64d7449 ci: lock down versions in lint.sh and fix ci (#523)
• d1468a7 ci: update wasmbrowsertest to a specific commit (#514)
• 703784f feat: add ping and pong received callbacks (#509)
• aec630d fix: conform to stricter printf usage in Go 1.24 (#508)
• 497ac50 ci: disable AppArmor on daily and static workflows (#513)
• 3e183a9 ci: disable AppArmor to allow Chrome sandbox (#511)
• 11bda98 fix: avoid writing messages after close and improve handshake (#476)
• 1253b77 chore: bump the internal-deps group across 2 directories with 5 updates (#500)
• d67767c chore(.github): group dependabot PRs and reduce frequency (#499)
• 02080e9 Fix a typo in chat_test.go (#491)
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.2 to 5.7.4

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.7.4 (March 24, 2025)

• Fix / revert change to scanning JSON null (Felix Röhrich)

5.7.3 (March 21, 2025)

• Expose EmptyAcquireWaitTime in pgxpool.Stat (vamshiaruru32)
• Improve SQL sanitizer performance (ninedraft)
• Fix Scan confusion with json(b), sql.Scanner, and automatic dereferencing (moukoublen, felix-roehrich)
• Fix Values() for xml type always returning nil instead of []byte
• Add ability to send Flush message in pipeline mode (zenkovev)
• Fix pgtype.Timestamp's JSON behavior to match PostgreSQL (pconstantinou)
• Better error messages when scanning structs (logicbomb)
• Fix handling of error on batch write (bonnefoa)
• Match libpq's connection fallback behavior more closely (felix-roehrich)
• Add MinIdleConns to pgxpool (djahandarie)

Commits

• 04bcc02 Add v5.7.4 to changelog
• 0e0a7d8 Merge pull request #2288 from felix-roehrich/fr/fix-plan-scan
• 63422c7 revert change in if
• 5c1fbf4 Update changelog for v5.7.3
• 05fe5f8 Explain seemingly redundant rows.Close() in CollectOneRow
• 70c9a14 Merge pull request #2279 from djahandarie/min-idle-conns
• 6603ddf add MinIdleConns
• 70f7cad Add link to https://github.com/Arlandaren/pgxWrappy
• 6bf1b0b Add database/sql to overview of scanning
• 14bda65 Correct pgtype docs
• Additional commits viewable in compare view

Updates github.com/nats-io/nats-server/v2 from 2.10.26 to 2.11.0

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.0

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

• 1.24.1 (#6629)

Dependencies

• golang.org/x/crypto v0.36.0 (#6618)
• golang.org/x/sys v0.31.0 (#6618)
• golang.org/x/time v0.11.0 (#6618)
• github.com/google/go-tpm v0.9.3 (#6295)
• github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op (#6164)

Added

General

• Distributed message tracing (#5014, #5057)
  • A message with the Nats-Trace-Dest header set to a valid subject will receive events representing what happens to the message as it moves through the system
  • Events contain information such as ingress, subject mapping, stream exports, service imports, egress to subscriptions, routes, gateways or leafnodes
  • An additional Nats-Trace-Only header, if set to true, will produce the same tracing events but will not deliver the message to the final destination
• Configuration state digest (#4325)
  • A hash of the configuration file can be generated using the -t option on the command line
  • The hash of the currently running configuration file can be seen in the config_digest option in varz
• Enable scoped users to have templates that are not limited to a subject token (#5981)
• New js-meta-only option for healthz healthcheck (#6649)

JetStream

• Per-message TTLs (#6272, #6354, #6363, #6370, #6376, #6385, #6400)
  • The Nats-TTL header, provided either as a string duration (1m, 30s) or an integer in seconds, will age out the message independently of stream limits
  • More information on this is available in ADR-43
• Subject delete markers on MaxAge (#6378, #6389, #6393, #6400, #6404, #6428, #6432)
  • The SubjectDeleteMarkerTTL stream configuration option determines whether to place marker messages and how long they should live for
  • The marker message will have a Nats-Marker-Reason header explaining which limit caused the marker to be left behind
  • More information on this is available in ADR-43
• Pull consumer priority groups with pinning and overflow (#5814, #6078, #6081)
  • Allows patterns such as one consumer receiving all messages, but handing over to a second consumer if the first one fails, or groups of clients accessing the same consumer should have different priorities
  • The PriorityGroups and PriorityPolicy options in the consumer configuration control the policy
  • More information on this is available in ADR-42
• Consumer pausing (#5066)
  • The PauseUntil consumer configuration option and $JS.API.CONSUMER.PAUSE endpoint suspends message delivery to the consumer until the time specified is reached, after which point it will resume automatically
• Asset versioning (#5850, #5855, #5857)
  • More information on this is available in ADR-44
• Multi-get directly from a stream (#5107)
  • More information on this is available in ADR-31

... (truncated)

Commits

• 99e836e Release v2.11.0
• 71b9b45 Updates to NATS Server Tests GHA pipeline (#6692)
• 3f97b33 Updates to NATS Server Tests GHA pipeline
• 68dbdcc Release v2.11.0-RC.5
• 2392787 Fix timing inconsistency between Nats-TTL and MaxAge timers (#6690)
• 00ea787 Fix timing inconsistency between Nats-TTL and MaxAge timers
• 78d477f Proposed subject delete markers (#6689)
• 5bbdd87 Add unit tests modelling TTL and rollup behaviour with and without MaxAge
• db52166 Test clustered subject delete marker ordering
• 7a1f5b9 Proposed subject delete markers
• Additional commits viewable in compare view

Updates github.com/nats-io/nats.go from 1.39.1 to 1.40.1

Release notes

Sourced from github.com/nats-io/nats.go's releases.

Release v1.40.1

Changelog

Overview

This release fixes an issue in legacy JetStream Subscribe which did not respect user-set context when creating a consumer.

FIXED

• Legacy JetStream:
  • Set context from option when creating consumer in js.Subscribe (#1835)

Complete Changes

nats-io/nats.go@v1.40.0...v1.40.1

Release v1.40.0

Changelog

Overview

This release focuses on adding support for new features from NATS Server v2.11.0. This includes:

• Per message TTLs
• Consumer pause and resume

Batch direct get will be released in orbit. Support for consumer priority groups will be added in the next minor release.

Added

• JetStream:
  • Pause and resume JetStream consumer. Thanks @​yordis for the contribution (#1571)
  • Per message TTL option for JetStream publish (#1825)
  • Timeout option for async publish (#1819)
• Service API
  • Support for disabling queue groups at service, group, and endpoint levels (#1797)
• Core NATS:
  • ReconnectErrCB for handling failed reconnect attempts in a callback. Thanks @​sschleemilch for the contribution (#1804)

Fixed

• JetStream
  • Invalid subscription on ordered consumer in leaderless cluster (#1808)
  • Ordered consumer not restarting on no responders (#1827)
  • Avoid ack id collision in PublishAsync (#1812)
  • Possible panic in Consumer.Fetch (#1828)
  • Use resp.Error to show NATS error in deleteMsg. Thanks @​imariman for the contribution (#1822)
• KeyValue
  • Deadlock when fetching keys from KV while messages are deleted/purged (#1824)

Changed

• Bump go version to 1.23 and update dependencies (#1821)

Complete Changes

... (truncated)

Commits

• 5efde11 Release v1.40.1 (#1836)
• c758f7a [FIXED] Set context from option when creating consumer in js.Subscribe (#1835)
• 42828a0 Release v1.40.0 (#1833)
• 6b0dbf0 Bump test server dependency to 2.11.0
• 4ed447c [ADDED] Add per msg ttl on publish (#1825)
• dd16477 [FIXED] Fix compiler errors after rebase
• 99294b5 [ADDED] Pause and resume jetstream consumer (#1571)
• aba2067 [ADDED] ReconnectErrCB and AuthErrCB + handler functions (#1804)
• a892461 [ADDED] Timeout option for async publish (#1819)
• 4d1a007 [ADDED] Support for disabling queue groups at service, group, and endpoint le...
• Additional commits viewable in compare view

Updates github.com/spf13/viper from 1.19.0 to 1.20.1

Release notes

Sourced from github.com/spf13/viper's releases.

v1.20.1

What's Changed

Bug Fixes 🐛

• Backport config type fixes to 1.20.x by @​sagikazarmark in spf13/viper#2005

Full Changelog: spf13/viper@v1.20.0...v1.20.1

v1.20.0

[!WARNING] This release includes a few minor breaking changes. Read the upgrade guide for details.

What's Changed

Exciting New Features 🎉

• New encoding layer by @​sagikazarmark in spf13/viper#1869

Enhancements 🚀

• Drop Go 1.20 support by @​sagikazarmark in spf13/viper#1846
• Drop slog shim by @​sagikazarmark in spf13/viper#1848
• Replace file searching API with a finder by @​sagikazarmark in spf13/viper#1849
• Finder feature flag by @​sagikazarmark in spf13/viper#1852
• Allow setting options on the global Viper instance by @​sagikazarmark in spf13/viper#1856
• Add experimental flag for bind struct by @​sagikazarmark in spf13/viper#1854
• Make the remote package a separate module by @​sagikazarmark in spf13/viper#1860
• Add decoder hook option by @​sagikazarmark in spf13/viper#1872
• Encoder improvements by @​sagikazarmark in spf13/viper#1885
• Get uint8 by @​martinconic in spf13/viper#1894

Bug Fixes 🐛

• Fix missing config type when reading from a buffer by @​sagikazarmark in spf13/viper#1857
• fix: do not allow setting dependencies to nil values by @​sagikazarmark in spf13/viper#1871
• feat: copy keydelim from parent chart in viper.Sub() by @​obs-gh-alexlew in spf13/viper#1887

Breaking Changes 🛠

• Drop encoding formats: HCL, Java properties, INI by @​sagikazarmark in spf13/viper#1870

Dependency Updates ⬆️

• chore: update mapstructure by @​sagikazarmark in spf13/viper#1723
• chore: update crypt by @​sagikazarmark in spf13/viper#1834
• build(deps): bump github/codeql-action from 3.25.7 to 3.25.8 by @​dependabot in spf13/viper#1853
• Revert to go-difflib and go-spew releases by @​skitt in spf13/viper#1861
• build(deps): bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @​dependabot in spf13/viper#1862
• build(deps): bump github/codeql-action from 3.25.8 to 3.25.10 by @​dependabot in spf13/viper#1865
• build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @​dependabot in spf13/viper#1864
• chore: update crypt by @​sagikazarmark in spf13/viper#1866
• build(deps): bump github/codeql-action from 3.25.10 to 3.25.11 by @​dependabot in spf13/viper#1876
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /remote by @​dependabot in spf13/viper#1878
• build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot in spf13/viper#1879
• build(deps): bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @​dependabot in spf13/viper#1881

... (truncated)

Commits

• 9568cfc fix: config type check when loading any config
• fd05140 fix(config): get config type from v.configType or config file ext
• c038295 docs: add update instructions for 1.20
• 9c07e0f build: disable unused linters
• 48112d6 ci: add Go 1.24 to the test matrix
• 66e3e28 build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
• 17b96ac New Logo
• 8b223a4 build(deps): bump github.com/spf13/cast from 1.7.0 to 1.7.1
• 91fd363 chore: update afero
• e75c48f Fix issues reported by testifylint
• Additional commits viewable in compare view

Updates gocloud.dev from 0.40.0 to 0.41.0

Release notes

Sourced from gocloud.dev's releases.

v0.41.0

What's Changed

Blob

• blob/s3blob: Allow using s3ForcePathStyle as a synonym of use_path_style, for backwards compatibility with V1 by @​vangent in google/go-cloud#3505
• blob/s3blob, gcsblob: Add support for anonymous query param for gcsblob and all AWSv2 providers by @​vangent in google/go-cloud#3513

Docstore

• docstore/aws: Support atomic writes in the docstore by @​sandeepvinayak in google/go-cloud#3500
• docstore/gcp: Support for atomic writes for gcp by @​sandeepvinayak in google/go-cloud#3523
• openurl: fix URL scheme handling case-insensitive by @​Gofastasf in google/go-cloud#3521
• blob/gcsblob: fix error checking for NotFound errors by @​BrennaEpp in google/go-cloud#3529

New Contributors

• @​robertsilen made their first contribution in google/go-cloud#3509
• @​knbr13 made their first contribution in google/go-cloud#3516
• @​sandeepvinayak made their first contribution in google/go-cloud#3500
• @​Gofastasf made their first contribution in google/go-cloud#3521
• @​BrennaEpp made their first contribution in google/go-cloud#3529

Full Changelog: google/go-cloud@v0.40.0...v0.41.0

Commits

• 29a0e12 all: prerelease (#3531)
• 0251368 all: update dependencies (#3530)
• c838139 blob/gcsblob: Use errors.Is instead of direct equality check (#3529)
• da0b8ec support for atomic writes for gcp (#3523)
• 5350a7e all: update links for AWS URL docs (#3527)
• cbd7084 all: update to go 1.24 (#3522)
• af15ad4 all: make URL scheme handling case-insensitive (#3521)
• 4d1f585 Support atomic writes in the docstore (#3500)
• eaaf976 pubsub/all: remove unnecessary nil check (#3517)
• 674f414 all: remove duplicate imports (#3516)
• Additional commits viewable in compare view

Updates gocloud.dev/pubsub/natspubsub from 0.40.0 to 0.41.0

Release notes

Sourced from gocloud.dev/pubsub/natspubsub's releases.

v0.41.0

What's Changed

Blob

• blob/s3blob: Allow using s3ForcePathStyle as a synonym of use_path_style, for backwards compatibility with V1 by @​vangent in google/go-cloud#3505
• blob/s3blob, gcsblob: Add support for anonymous query param for gcsblob and all AWSv2 providers by @​vangent in google/go-cloud#3513

Docstore

• docstore/aws: Support atomic writes in the docstore by @​sandeepvinayak in google/go-cloud#3500
• docstore/gcp: Support for atomic writes for gcp by @​sandeepvinayak in google/go-cloud#3523
• openurl: fix URL scheme handling case-insensitive by @​Gofastasf in google/go-cloud#3521
• blob/gcsblob: fix error checking for NotFound errors by @​BrennaEpp in google/go-cloud#3529

New Contributors

• @​robertsilen made their first contribution in google/go-cloud#3509
• @​knbr13 made their first contribution in google/go-cloud#3516
• @​sandeepvinayak made their first contribution in google/go-cloud#3500
• @​Gofastasf made their first contribution in google/go-cloud#3521
• @​BrennaEpp made their first contribution in google/go-cloud#3529

Full Changelog: google/go-cloud@v0.40.0...v0.41.0

Commits

• 29a0e12 all: prerelease (#3531)
• 0251368 all: update dependencies (#3530)
• c838139 blob/gcsblob: Use errors.Is instead of direct equality check (#3529)
• da0b8ec support for atomic writes for gcp (#3523)
• 5350a7e all: update links for AWS URL docs (#3527)
• cbd7084 all: update to go 1.24 (#3522)
• af15ad4 all: make URL scheme handling case-insensitive (#3521)
• 4d1f585 Support atomic writes in the docstore (#3500)
• eaaf976 pubsub/all: remove unnecessary nil check (#3517)
• 674f414 all: remove duplicate imports (#3516)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.35.0 to 0.36.0

Commits

• 49bf5b8 go.mod: update golang.org/x dependencies
• 24852b6 ssh: add decode support for banners
• bbc689c ssh: use a more straightforward return value
• See full diff in compare view

Updates golang.org/x/net from 0.36.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/oauth2 from 0.27.0 to 0.28.0

Commits

• 0042180 oauth2: Deep copy context client in NewClient
• ce350bf oauth2: remove unneeded TokenSource implementation in transport test
• 44967ab google: fix typos
• 9c82a8c oauth2.go: use a more straightforward return value
• See full diff in compare view

Updates golang.org/x/sync from 0.11.0 to 0.12.0

Commits

• b637f27 errgroup: drop support for Go versions before 1.20
• 960bf1f all: upgrade go directive to at least 1.23.0 [generated]
• See full diff in compare view

Updates google.golang.org/genproto from 0.0.0-20241118233622-e639e219e697 to 0.0.0-20250324211829-b45e905df463

Commits

• See full diff in compare view

Updates google.golang.org/genproto/googleapis/api from 0.0.0-20250303144028-a0af3efb3deb to 0.0.0-20250324211829-b45e905df463

Commits

• See full diff in compare view

Updates google.golang.org/genproto/googleapis/rpc from 0.0.0-20250303144028-a0af3efb3deb to 0.0.0-20250324211829-b45e905df463

Commits

• See full diff in compare view

Updates google.golang.org/protobuf from 1.36.5 to 1.36.6

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.