Skip to content

chore(deps): update all dependencies to latest#10

Merged
umputun merged 1 commit into
masterfrom
deps/update-latest
Jun 30, 2026
Merged

chore(deps): update all dependencies to latest#10
umputun merged 1 commit into
masterfrom
deps/update-latest

Conversation

@paskal

@paskal paskal commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Updates all dependencies to their latest versions and resolves the open Dependabot alert.

Security

Resolves GHSA-cp6g-7hqx-qxhp (medium) — heap out-of-bounds read in GSSAPI error handling in go.mongodb.org/mongo-driver (vulnerable < 1.17.7). Bumped to v1.17.9.

Dependency updates

Module Old New
go.mongodb.org/mongo-driver v1.16.0 v1.17.9
github.com/go-pkgz/lgr v0.11.1 v0.12.3
github.com/stretchr/testify v1.9.0 v1.11.1
github.com/golang/snappy v0.0.4 v1.0.0
github.com/klauspost/compress v1.17.9 v1.18.7
github.com/montanaflynn/stats v0.7.1 v0.9.0
github.com/xdg-go/scram v1.1.2 v1.2.0
golang.org/x/crypto v0.45.0 v0.53.0
golang.org/x/sync v0.18.0 v0.21.0
golang.org/x/text v0.31.0 v0.38.0

Toolchain

  • go directive 1.24.01.25.0
  • CI go-version 1.231.25 to match the new directive

Verification

  • gofmt -l . clean
  • go build ./... and go vet ./... clean (pre-existing primitive.E unkeyed-field notes already excluded in .golangci.yml)
  • go test -race ./... passes against MongoDB
  • golangci-lint run ./... — 0 issues
  • govulncheck ./... — no vulnerabilities found

Note: go.mongodb.org/mongo-driver v1 is deprecated in favour of v2, but migrating is a breaking API change out of scope here; staying on the supported v1 line (v1.17.9) fully patches the advisory.

Resolves Dependabot alert GHSA-cp6g-7hqx-qxhp (medium): heap out-of-bounds
read in GSSAPI error handling in go.mongodb.org/mongo-driver (<1.17.7).

- go.mongodb.org/mongo-driver v1.16.0 -> v1.17.9
- github.com/go-pkgz/lgr v0.11.1 -> v0.12.3
- github.com/stretchr/testify v1.9.0 -> v1.11.1
- github.com/golang/snappy v0.0.4 -> v1.0.0
- github.com/klauspost/compress v1.17.9 -> v1.18.7
- github.com/montanaflynn/stats v0.7.1 -> v0.9.0
- github.com/xdg-go/scram v1.1.2 -> v1.2.0
- golang.org/x/crypto v0.45.0 -> v0.53.0
- golang.org/x/sync v0.18.0 -> v0.21.0
- golang.org/x/text v0.31.0 -> v0.38.0

go directive 1.24.0 -> 1.25.0; CI go-version 1.23 -> 1.25 to match.
@paskal paskal requested a review from umputun as a code owner June 30, 2026 17:02
@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 28461942997

Coverage remained the same at 89.503%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 181
Covered Lines: 162
Line Coverage: 89.5%
Coverage Strength: 271.17 hits per line

💛 - Coveralls

@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 28461940085

Coverage remained the same at 89.503%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 181
Covered Lines: 162
Line Coverage: 89.5%
Coverage Strength: 273.39 hits per line

💛 - Coveralls

@umputun umputun merged commit dde00ca into master Jun 30, 2026
7 checks passed
@paskal paskal deleted the deps/update-latest branch June 30, 2026 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants