Bump modernc.org/sqlite from 1.46.1 to 1.48.1 in /apps/server

[dependabot]

Bumps modernc.org/sqlite from 1.46.1 to 1.48.1.

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-04-04 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!

• 2026-04-03 v1.48.1:

  • Fix memory leaks and double-free vulnerabilities in the multi-statement query execution path.
  • Ensure bind-parameter allocations are reliably freed via strict ownership transfer if an error occurs mid-loop or if multiple statements bind parameters.
  • Fix a resource leak where a subsequent statement's error could orphan a previously generated rows object without closing it, leaking the prepared statement handle.
  • See [GitLab merge request #96](https://gitlab.com/cznic/sqlite/-/merge_requests/96), thanks Josh Bleecher Snyder!

• 2026-03-27 v1.48.0:

  • Add _timezone DSN query parameter to apply IANA timezones (e.g., "America/New_York") to both reads and writes.
  • Writes will convert time.Time values to the target timezone before formatting as a string.
  • Reads will interpret timezone-less strings as being in the target timezone.
  • Does not impact _inttotime integer values, which will always safely evaluate as UTC.
  • Add support for _time_format=datetime URI parameter to format time.Time values identically to SQLite's native datetime() function and CURRENT_TIMESTAMP (YYYY-MM-DD HH:MM:SS).
  • See [GitLab merge request #94](https://gitlab.com/cznic/sqlite/-/merge_requests/94) and [GitLab merge request #95](https://gitlab.com/cznic/sqlite/-/merge_requests/95), thanks Josh Bleecher Snyder!

• 2026-03-17 v1.47.0: Add CGO-free version of the vector extensions from https://github.com/asg017/sqlite-vec. See vec_test.go for example usage. From the GitHub project page:

  • Important: sqlite-vec is a pre-v1, so expect breaking changes!
  • Store and query float, int8, and binary vectors in vec0 virtual tables
  • Written in pure C, no dependencies, runs anywhere SQLite runs (Linux/MacOS/Windows, in the browser with WASM, Raspberry Pis, etc.)
  • Store non-vector data in metadata, auxiliary, or partition key columns
  • See [GitLab merge request #93](https://gitlab.com/cznic/sqlite/-/merge_requests/93), thanks Zhenghao Zhang!

• 2026-03-16 v1.46.2: Upgrade to SQLite 3.51.3.

• 2026-02-17 v1.46.1:

  • Ensure connection state is reset if Tx.Commit fails. Previously, errors like SQLITE_BUSY during COMMIT could leave the underlying connection inside a transaction, causing errors when the connection was reused by the database/sql pool. The driver now detects this state and forces a rollback internally.
  • Fixes [GitHub issue #2](modernc-org/sqlite#2), thanks Edoardo Spadolini!

• 2026-02-17 v1.46.0:

  • Enable ColumnTypeScanType to report time.Time instead of string for TEXT columns declared as DATE, DATETIME, TIME, or TIMESTAMP via a new _texttotime URI parameter.
  • See [GitHub pull request #1](modernc-org/sqlite#1), thanks devhaozi!

• 2026-02-09 v1.45.0:

  • Introduce vtab subpackage (modernc.org/sqlite/vtab) exposing Module, Table, Cursor, and IndexInfo API for Go virtual tables.

... (truncated)

Commits

• 51d1f91 CHANGELOG.md: document v1.48.1...
• 50a8b7f CHANGELOG.md: document v1.48.1
• 6050024 Merge branch 'multi-stmt-double-free' into 'master'
• ef93ba8 improve memory safety of allocs in stmt.query
• 2a97c68 add conn.freeAllocs
• 19b8429 update {CHANGELOG,README}.md
• 78ddab8 Merge branch 'datetime-format' into 'master'
• 2e04523 Merge branch 'add-timezone' into 'master'
• 77706c1 add _time_format=datetime support
• 1895822 add _timezone DSN query parameter
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d9239f07b6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Update go.work when raising server Go version

Bumping apps/server/go.mod to go 1.25.0 without updating go.work (still go 1.24.0) makes workspace-mode commands fail immediately (module apps/server listed in go.work file requires go >= 1.25.0). In this repo CI installs Go from go.work and runs go test ./apps/server/... from the root (.github/workflows/ci.yml), so this change breaks normal root-level test/build flows until the workspace Go version is raised as well.

Useful? React with 👍 / 👎.

[dependabot]

Superseded by #55.