chore: sync with upstream amacneil/dbmate (v2.29.0 - v2.31.0) by diptanu · Pull Request #13 · tensorlakeai/dbmate

diptanu · 2026-03-02T18:44:45Z

Summary

Syncs fork with upstream amacneil/dbmate (41 commits)
Brings in releases v2.29.0 through v2.31.0
Conflicts resolved by taking upstream versions (fork only had dependency bumps, no custom code)

Notable upstream changes

feat: clickhouse HTTP/S schemes and --driver flag
feat: allow passing extra arguments to mysqldump/pgdump
feat: postgres --restrict-key support
fix: lib/pq v1.11.1 Supavisor compatibility
fix: SQLite URL file path extraction for shell commands
fix: clickhouse schema dump with non-default database
fix: MySQL/MariaDB specific schema dump handling
fix: ESM compatibility in resolveBinary
fix: strip psql meta-commands on load

Test plan

CI passes (Docker build + lint + full test suite)

🤖 Generated with Claude Code

…neil#679) It looks like the default for `--ssl-verify-server-cert` was changed from `FALSE` to `TRUE` in MariaDB Connector/C in version 3.4, corresponding to MariaDB 11.4: mariadb-corporation/mariadb-connector-c@1287c90 > Since version 3.4 peer certificate verification is enabled by default. https://mariadb.com/docs/server/security/securing-mariadb/securing-mariadb-encryption/data-in-transit-encryption/securing-connections-for-client-and-server#enabling-one-way-tls-for-mariadb-clients > Starting from [MariaDB 11.4](https://mariadb.com/docs/release-notes/community-server/mariadb-11-4-series/what-is-mariadb-114) (Connector/C version 3.4) this mode is enabled by default. As `dbmate` uses the `go-sql-driver/mysql` driver for executing queries, which sets [tls=false](https://github.com/go-sql-driver/mysql?tab=readme-ov-file#tls) by default, we don't see a change when applying migrations. However, `dbmate` executes `mysqldump` to dump schemas, and that's where the change in MariaDB hits us. We should disable SSL/TLS when invoking `mysqldump` if `tls` is `false`, and we should use `--ssl-verify-server-cert=false` if `tls` is `skip-verify`. This fixes the following CI test failures: ``` === RUN TestMySQLDumpSchema Dropping: dbmate_test Creating: dbmate_test mysql_test.go:202: Error Trace: /src/pkg/driver/mysql/mysql_test.go:202 Error: Received unexpected error: mysqldump: Got error: 2026: "TLS/SSL error: self-signed certificate in certificate chain" when trying to connect Test: TestMySQLDumpSchema --- FAIL: TestMySQLDumpSchema (0.04s) === RUN TestMySQLDumpSchemaContainsNoAutoIncrement Dropping: dbmate_test Creating: dbmate_test mysql_test.go:246: Error Trace: /src/pkg/driver/mysql/mysql_test.go:246 Error: Received unexpected error: mysqldump: Got error: 2026: "TLS/SSL error: self-signed certificate in certificate chain" when trying to connect Test: TestMySQLDumpSchemaContainsNoAutoIncrement --- FAIL: TestMySQLDumpSchemaContainsNoAutoIncrement (0.04s) ```

…eil#716) Same as amacneil#704 PostgreSQL 17.6 added \restrict and \unrestrict commands to pg_dump output as a security measure for CVE-2025-8714. This breaks tests that expect exact string matching between the "PostgreSQL database dump complete" comment and the "Dbmate schema migrations" section. Split the assertion into two separate require.Contains calls to allow any content between these sections. See https://www.postgresql.org/docs/17/release-17-6.html and https://www.postgresql.org/support/security/CVE-2025-8714/ Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.45.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/crypto/commit/4e0068c0098be10d7025c99ab7c50ce454c1f0f9"><code>4e0068c</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/e79546e28b85ea53dd37afe1c4102746ef553b9c"><code>e79546e</code></a> ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li> <li><a href="https://github.com/golang/crypto/commit/f91f7a7c31bf90b39c1de895ad116a2bacc88748"><code>f91f7a7</code></a> ssh/agent: prevent panic on malformed constraint</li> <li><a href="https://github.com/golang/crypto/commit/2df4153a0311bdfea44376e0eb6ef2faefb0275b"><code>2df4153</code></a> acme/autocert: let automatic renewal work with short lifetime certs</li> <li><a href="https://github.com/golang/crypto/commit/bcf6a849efcf4702fa5172cb0998b46c3da1e989"><code>bcf6a84</code></a> acme: pass context to request</li> <li><a href="https://github.com/golang/crypto/commit/b4f2b62076abeee4e43fb59544dac565715fbf1e"><code>b4f2b62</code></a> ssh: fix error message on unsupported cipher</li> <li><a href="https://github.com/golang/crypto/commit/79ec3a51fcc7fbd2691d56155d578225ccc542e2"><code>79ec3a5</code></a> ssh: allow to bind to a hostname in remote forwarding</li> <li><a href="https://github.com/golang/crypto/commit/122a78f140d9d3303ed3261bc374bbbca149140f"><code>122a78f</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/c0531f9c34514ad5c5551e2d6ce569ca673a8afd"><code>c0531f9</code></a> all: eliminate vet diagnostics</li> <li><a href="https://github.com/golang/crypto/commit/0997000b45e3a40598272081bcad03ffd21b8adb"><code>0997000</code></a> all: fix some comments</li> <li>Additional commits viewable in <a href="https://github.com/golang/crypto/compare/v0.40.0...v0.45.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.40.0&new-version=0.45.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Zellner <jeff@foxglove.dev>

Bumps alpine from 3.22.1 to 3.23.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=alpine&package-manager=docker&previous-version=3.22.1&new-version=3.23.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > Updates the release-stage base image in `Dockerfile`. > > - Bumps `alpine` from `3.22.1` to `3.23.2` while keeping installed packages and entrypoint unchanged > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 297b001. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README for download-artifact v5 changes by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/417">actions/download-artifact#417</a></li> <li>Update README with artifact extraction details by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/424">actions/download-artifact#424</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v6.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/438">actions/download-artifact#438</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v5...v6.0.0">https://github.com/actions/download-artifact/compare/v5...v6.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"><code>018cc2c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/438">#438</a> from actions/danwkennedy/prepare-6.0.0</li> <li><a href="https://github.com/actions/download-artifact/commit/815651c680ffe1c95719d0ed08aba1a2f9d5c177"><code>815651c</code></a> Revert "Remove <code>github.dep.yml</code>"</li> <li><a href="https://github.com/actions/download-artifact/commit/bb3a066a8babc8ed7b3e4218896c548fe34e7115"><code>bb3a066</code></a> Remove <code>github.dep.yml</code></li> <li><a href="https://github.com/actions/download-artifact/commit/fa1ce46bbd11b8387539af12741055a76dfdf804"><code>fa1ce46</code></a> Prepare <code>v6.0.0</code></li> <li><a href="https://github.com/actions/download-artifact/commit/4a24838f3d5601fd639834081e118c2995d51e1c"><code>4a24838</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/431">#431</a> from danwkennedy/patch-1</li> <li><a href="https://github.com/actions/download-artifact/commit/5e3251c4ff5a32e4cf8dd4adaee0e692365237ae"><code>5e3251c</code></a> Readme: spell out the first use of GHES</li> <li><a href="https://github.com/actions/download-artifact/commit/abefc31eafcfbdf6c5336127c1346fdae79ff41c"><code>abefc31</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/424">#424</a> from actions/yacaovsnc/update_readme</li> <li><a href="https://github.com/actions/download-artifact/commit/ac43a6070aa7db8a41e756e7a2846221edca7027"><code>ac43a60</code></a> Update README with artifact extraction details</li> <li><a href="https://github.com/actions/download-artifact/commit/de96f4613b77ec03b5cf633e7c350c32bd3c5660"><code>de96f46</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/417">#417</a> from actions/yacaovsnc/update_readme</li> <li><a href="https://github.com/actions/download-artifact/commit/7993cb44e9052f2f08f9b828ae5ef3ecca7d2ac7"><code>7993cb4</code></a> Remove migration guide for artifact download changes</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/v5...v6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.  --- > [!NOTE] > Upgrades CI workflow to use the latest `actions/download-artifact@v7` in the `npm` job. > > - In `.github/workflows/ci.yml`, replace `actions/download-artifact@v5` with `@v7` to fetch build artifacts before TypeScript tasks > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6cd8b5c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v5.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README.md by <a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v5.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li><a href="https://github.com/nebuk89"><code>@nebuk89</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li><a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li><a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v5.0.0">https://github.com/actions/upload-artifact/compare/v4...v5.0.0</a></p> <h2>v4.6.2</h2> <h2>What's Changed</h2> <ul> <li>Update to use artifact 2.3.2 package & prepare for new upload-artifact release by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.2">https://github.com/actions/upload-artifact/compare/v4...v4.6.2</a></p> <h2>v4.6.1</h2> <h2>What's Changed</h2> <ul> <li>Update to use artifact 2.2.2 package by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/673">actions/upload-artifact#673</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.1">https://github.com/actions/upload-artifact/compare/v4...v4.6.1</a></p> <h2>v4.6.0</h2> <h2>What's Changed</h2> <ul> <li>Expose env vars to control concurrency and timeout by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/662">actions/upload-artifact#662</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.0">https://github.com/actions/upload-artifact/compare/v4...v4.6.0</a></p> <h2>v4.5.0</h2> <h2>What's Changed</h2> <ul> <li>fix: deprecated <code>Node.js</code> version in action by <a href="https://github.com/hamirmahal"><code>@hamirmahal</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li> <li>Add new <code>artifact-digest</code> output by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/656">actions/upload-artifact#656</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/hamirmahal"><code>@hamirmahal</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/330a01c490aca151604b8cf639adc76d48f6c5d4"><code>330a01c</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/734">#734</a> from actions/danwkennedy/prepare-5.0.0</li> <li><a href="https://github.com/actions/upload-artifact/commit/03f282445299bbefc96171af272a984663b63a26"><code>03f2824</code></a> Update <code>github.dep.yml</code></li> <li><a href="https://github.com/actions/upload-artifact/commit/905a1ecb5915b264cbc519e4eb415b5d82916018"><code>905a1ec</code></a> Prepare <code>v5.0.0</code></li> <li><a href="https://github.com/actions/upload-artifact/commit/2d9f9cdfa99fedaddba68e9b5b5c281eca26cc63"><code>2d9f9cd</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/725">#725</a> from patrikpolyak/patch-1</li> <li><a href="https://github.com/actions/upload-artifact/commit/9687587dec67f2a8bc69104e183d311c42af6d6f"><code>9687587</code></a> Merge branch 'main' into patch-1</li> <li><a href="https://github.com/actions/upload-artifact/commit/2848b2cda0e5190984587ec6bb1f36730ca78d50"><code>2848b2c</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/727">#727</a> from danwkennedy/patch-1</li> <li><a href="https://github.com/actions/upload-artifact/commit/9b511775fd9ce8c5710b38eea671f856de0e70a7"><code>9b51177</code></a> Spell out the first use of GHES</li> <li><a href="https://github.com/actions/upload-artifact/commit/cd231ca1eda77976a84805c4194a1954f56b0727"><code>cd231ca</code></a> Update GHES guidance to include reference to Node 20 version</li> <li><a href="https://github.com/actions/upload-artifact/commit/de65e23aa2b7e23d713bb51fbfcb6d502f8667d8"><code>de65e23</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/712">#712</a> from actions/nebuk89-patch-1</li> <li><a href="https://github.com/actions/upload-artifact/commit/8747d8cd7632611ad6060b528f3e0f654c98869c"><code>8747d8c</code></a> Update README.md</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v4...v5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.  --- > [!NOTE] > **CI workflow maintenance** > > - In `github/workflows/ci.yml`, upgrade `actions/upload-artifact` from `v4` to `v6` for the "Upload build artifacts" step. > - No other workflow logic or build steps changed. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8b8c6fb. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <p><strong>Breaking Changes</strong></p> <ul> <li>Limit automatic caching to npm, update workflows and documentation by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1374">actions/setup-node#1374</a></li> </ul> <p><strong>Dependency Upgrades</strong></p> <ul> <li>Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1336">#1336</a></li> <li>Upgrade prettier from 2.8.8 to 3.6.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1334">#1334</a></li> <li>Upgrade actions/publish-action from 0.3.0 to 0.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1362">#1362</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v5...v6.0.0">https://github.com/actions/setup-node/compare/v5...v6.0.0</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <h3>Breaking Changes</h3> <ul> <li>Enhance caching in setup-node with automatic package manager detection by <a href="https://github.com/priya-kinthali"><code>@priya-kinthali</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li> </ul> <p>This update, introduces automatic caching when a valid <code>packageManager</code> field is present in your <code>package.json</code>. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set <code>package-manager-cache: false</code></p> <pre lang="yaml"><code>steps: - uses: actions/checkout@v5 - uses: actions/setup-node@v5 with: package-manager-cache: false </code></pre> <ul> <li>Upgrade action to use node24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li> </ul> <p>Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. <a href="https://github.com/actions/runner/releases/tag/v2.327.1">See Release Notes</a></p> <h3>Dependency Upgrades</h3> <ul> <li>Upgrade <code>@octokit/request-error</code> and <code>@actions/github</code> by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1227">actions/setup-node#1227</a></li> <li>Upgrade uuid from 9.0.1 to 11.1.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1273">actions/setup-node#1273</a></li> <li>Upgrade undici from 5.28.5 to 5.29.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1295">actions/setup-node#1295</a></li> <li>Upgrade form-data to bring in fix for critical vulnerability by <a href="https://github.com/gowridurgad"><code>@gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1332">actions/setup-node#1332</a></li> <li>Upgrade actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1345">actions/setup-node#1345</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/priya-kinthali"><code>@priya-kinthali</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li> <li><a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v5.0.0">https://github.com/actions/setup-node/compare/v4...v5.0.0</a></p> <h2>v4.4.0</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-node/commit/2028fbc5c25fe9cf00d9f06a71cc4710d4507903"><code>2028fbc</code></a> Limit automatic caching to npm, update workflows and documentation (<a href="https://redirect.github.com/actions/setup-node/issues/1374">#1374</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/13427813f706a0f6c9b74603b31103c40ab1c35a"><code>1342781</code></a> Bump actions/publish-action from 0.3.0 to 0.4.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1362">#1362</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/89d709d423dc495668cd762a18dd4a070611be3f"><code>89d709d</code></a> Bump prettier from 2.8.8 to 3.6.2 (<a href="https://redirect.github.com/actions/setup-node/issues/1334">#1334</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/cd2651c46231bc0d6f48d6b34433b845331235fe"><code>cd2651c</code></a> Bump ts-jest from 29.1.2 to 29.4.1 (<a href="https://redirect.github.com/actions/setup-node/issues/1336">#1336</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/a0853c24544627f65ddf259abe73b1d18a591444"><code>a0853c2</code></a> Bump actions/checkout from 4 to 5 (<a href="https://redirect.github.com/actions/setup-node/issues/1345">#1345</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/b7234cc9fe124f0f4932554b4e5284543083ae7b"><code>b7234cc</code></a> Upgrade action to use node24 (<a href="https://redirect.github.com/actions/setup-node/issues/1325">#1325</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/d7a11313b581b306c961b506cfc8971208bb03f6"><code>d7a1131</code></a> Enhance caching in setup-node with automatic package manager detection (<a href="https://redirect.github.com/actions/setup-node/issues/1348">#1348</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/5e2628c959b9ade56971c0afcebbe5332d44b398"><code>5e2628c</code></a> Bumps form-data (<a href="https://redirect.github.com/actions/setup-node/issues/1332">#1332</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/65beceff8e91358525397bdce9103d999507ab03"><code>65becef</code></a> Bump undici from 5.28.5 to 5.29.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1295">#1295</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/7e24a656e1c7a0d6f3eaef8d8e84ae379a5b035b"><code>7e24a65</code></a> Bump uuid from 9.0.1 to 11.1.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1273">#1273</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/setup-node/compare/v4...v6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-node&package-manager=github_actions&previous-version=4&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.  --- > [!NOTE] > Upgrades the CI NPM job to the latest setup-node action. > > - Replace `actions/setup-node@v4` with `@v6` in `/.github/workflows/ci.yml` under the `npm` job > - Node remains at `node-version: 20`; caching and registry settings unchanged > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2745493. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (<<)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP => HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=js-yaml&package-manager=npm_and_yarn&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details>  --- > [!NOTE] > Updates dependency resolution for `js-yaml` in `typescript/package-lock.json` from `4.1.0` to `4.1.1`; lockfile regenerated (includes `license` metadata for `js-yaml`). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1ae97c0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps golang from 1.24.6 to 1.25.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.24.6&new-version=1.25.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > Upgrades the development stage Go toolchain in `Dockerfile` to `golang:1.25.5`. > > - Replaces base image `golang:1.24.6` with `golang:1.25.5` in `Dockerfile` (dev stage only) > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f166954. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [glob](https://github.com/isaacs/node-glob) from 11.0.0 to 11.1.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/isaacs/node-glob/blob/main/changelog.md">glob's changelog</a>.</em></p> <blockquote> <h1>changeglob</h1> <h2>12</h2> <ul> <li>Remove the unsafe <code>--shell</code> option. The <code>--shell</code> option is now ONLY supported on known shells where the behavior can be implemented safely.</li> </ul> <h2>11.1</h2> <p><a href="https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2">GHSA-5j98-mcp5-4vw2</a></p> <ul> <li>Add the <code>--shell</code> option for the command line, with a warning that this is unsafe. (It will be removed in v12.)</li> <li>Add the <code>--cmd-arg</code>/<code>-g</code> as a way to <em>safely</em> add positional arguments to the command provided to the CLI tool.</li> <li>Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding <code>shell:true</code> execution.</li> </ul> <h2>11.0</h2> <ul> <li>Drop support for node before v20</li> </ul> <h2>10.4</h2> <ul> <li>Add <code>includeChildMatches: false</code> option</li> <li>Export the <code>Ignore</code> class</li> </ul> <h2>10.3</h2> <ul> <li>Add <code>--default -p</code> flag to provide a default pattern</li> <li>exclude symbolic links to directories when <code>follow</code> and <code>nodir</code> are both set</li> </ul> <h2>10.2</h2> <ul> <li>Add glob cli</li> </ul> <h2>10.1</h2> <ul> <li>Return <code>'.'</code> instead of the empty string <code>''</code> when the current working directory is returned as a match.</li> <li>Add <code>posix: true</code> option to return <code>/</code> delimited paths, even on Windows.</li> </ul> <h2>10.0.0</h2> <ul> <li>No default exports, only named exports</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/node-glob/commit/2551fb51440d402fa2120457bf460e546ee9964d"><code>2551fb5</code></a> 11.1.0</li> <li><a href="https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146"><code>47473c0</code></a> bin: Do not expose filenames to shell expansion</li> <li><a href="https://github.com/isaacs/node-glob/commit/bc33fe1c6a47abd497703d79ad96036e7891ff62"><code>bc33fe1</code></a> skip tilde test on systems that lack tilde expansion</li> <li><a href="https://github.com/isaacs/node-glob/commit/59bf9ca211bda5636c4fe9e32d41530c90a4f30d"><code>59bf9ca</code></a> fix notes</li> <li><a href="https://github.com/isaacs/node-glob/commit/dde4fa66c87e24b37bb5be28ed10c6e12019edac"><code>dde4fa6</code></a> docs(README): add #anchor and improve <code>note</code>s</li> <li><a href="https://github.com/isaacs/node-glob/commit/0559b0ed13c0f8147cd2ac9d48bb49684caaf20e"><code>0559b0e</code></a> docs: add better links to path-scurry docs</li> <li><a href="https://github.com/isaacs/node-glob/commit/c9773c249b4b9ed6b2447222c226f9d20c6ce916"><code>c9773c2</code></a> fix: correct typos in <code>README.md</code></li> <li><a href="https://github.com/isaacs/node-glob/commit/13e68eadbc4f0aacd9d6ffbcb4b28a34d5d8512c"><code>13e68ea</code></a> Fix punctuation in traversal function documentation</li> <li><a href="https://github.com/isaacs/node-glob/commit/1527e2b8107e95122ab6e9b6f6312f121693d53d"><code>1527e2b</code></a> fix repo url</li> <li><a href="https://github.com/isaacs/node-glob/commit/7e190e8776a7fa66fba40827de5f9effd1c52f9d"><code>7e190e8</code></a> fix typo <code>maths</code> → <code>paths</code></li> <li>Additional commits viewable in <a href="https://github.com/isaacs/node-glob/compare/v11.0.0...v11.1.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=glob&package-manager=npm_and_yarn&previous-version=11.0.0&new-version=11.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details>  --- > [!NOTE] > **Dependency update** > > - Upgrades `glob` from `11.0.0` to `11.1.0` in `typescript/package-lock.json` > - Refreshes transitive deps (e.g., `minimatch`, `jackspeak`, `foreground-child`, `ansi-regex`, `strip-ansi`, `ansi-styles`) and adds license metadata entries > - No source code changes > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit cf367a0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Remove redundant `t.Chdir(cwd)` call and add comments to clarify directory cleanup in `TestLoadEnvFiles`. Identified by amacneil#709 (comment) although that bugbot comment was incorrect. The `t.Chdir` function automatically registers a cleanup to restore the original directory, making the explicit `t.Chdir(cwd)` call in the `t.Cleanup` block redundant. This change simplifies the test setup and clarifies that `t.Chdir` handles its own directory restoration. --- <a href="https://cursor.com/background-agent?bcId=bc-43db5ef2-82e0-4c1a-b568-b39d4f0df70e"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-cursor-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in Cursor" src="https://cursor.com/open-in-cursor.svg"></picture></a> <a href="https://cursor.com/agents?id=bc-43db5ef2-82e0-4c1a-b568-b39d4f0df70e"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-web-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web" src="https://cursor.com/open-in-web.svg"></picture></a> Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Bump version to `2.29.0` and upgrade Go, TypeScript, and `golangci-lint` dependencies to prepare for a new release. --- <a href="https://cursor.com/background-agent?bcId=bc-7318e3fb-ca8a-4a43-b84d-7987029de5fa"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-cursor-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in Cursor" src="https://cursor.com/open-in-cursor.svg"></picture></a> <a href="https://cursor.com/agents?id=bc-7318e3fb-ca8a-4a43-b84d-7987029de5fa"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-web-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web" src="https://cursor.com/open-in-web.svg"></picture></a>  --- > [!NOTE] > **Release: 2.29.0** > > - Bump `pkg/dbmate/version.go` to `2.29.0` > - Upgrade `golangci-lint` in `Dockerfile` to `v2.8.0` > - Refresh `go.mod` with dependency updates (and regenerate `go.sum`), including `cloud.google.com/go/*`, `google.golang.org/api`, `github.com/ClickHouse/*`, `github.com/mattn/go-sqlite3`, `github.com/stretchr/testify`, OpenTelemetry libs, `google.golang.org/grpc`/`protobuf`, and `gorm.io/gorm` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 178f3fb. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Docker image is built with 1.25.5, but go.mod needs to also be updated for people building dbmate from source.  --- > [!NOTE] > **Build tooling update** > > - Bumps Go `toolchain` in `go.mod` from `go1.24.3` to `go1.25.5` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8e4aa8b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Automate updating the go.mod `toolchain` when Dependabot (or anyone else) bumps the Dockerfile go version Avoid needing manual PRs like amacneil#723 Tested by pushing an update to Dockerfile. I'm not 100% sure this will work with 3rd party PRs (i.e. Dependabot) but we will find out soon enough.

NPM classic tokens are no more, trusted publishing is the future. Prevent failures like https://github.com/amacneil/dbmate/actions/runs/20837451898/job/59865223681  > [!NOTE] > Adopts NPM OIDC trusted publishing and tidies GitHub workflows and package metadata. > > - CI `npm` job: grants `id-token` permissions, enables `corepack`, removes registry/token usage; `typescript/publish.ts` unsets `NODE_AUTH_TOKEN` and publishes via `corepack npm publish --provenance` > - Moves Dependabot auto-approve into new `dependabot.yml`; minor naming tweaks in post-release workflow > - Adds empty `.prettierrc.json`; sets `packageManager` in `typescript/package.json` > - Updates package metadata for `dbmate` and template packages (repository format, bin mapping, homepage/author) > - Bumps `pkg/dbmate/version.go` to `2.29.1` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 00b792f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

This line was not actually necessary. I didn't notice that it worked fine without. Turns out upgrading NPM was the main required step to get this working.  --- > [!NOTE] > Adjusts release pipeline and TypeScript publish behavior, plus a patch version bump. > > - `typescript/publish.ts`: remove `NODE_AUTH_TOKEN` unsetting and `npm --version` check; add `--dry-run` to `npm publish` > - `.github/workflows/ci.yml`: comment out the tag-only condition for the NPM publish step > - `pkg/dbmate/version.go`: bump `Version` to `2.29.2` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9f226dc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Fixes amacneil#678 Use `--restrict-key` for `pgdump` > `17.6` so that we can generate deterministic dumps. --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>

…l#730)  > [!NOTE] > Adds version-aware dump behavior and testability to MySQL driver. > > - Introduces `getMysqldumpVersion` to parse dump client output, determine `mysql` vs `mariadb`, version, and select `mysqldump` or `mariadb-dump` > - Changes `mysqldumpArgs` to accept version info and switch to `--ssl-mode=*` for MySQL ≥ 8 while retaining legacy flags otherwise; preserves existing host/port/socket/user/pass handling > - Updates `DumpSchema` to invoke the detected dump command with version-appropriate args > - Adds exec command/lookpath indirection for tests and comprehensive unit tests for version detection and args across MySQL/MariaDB variants > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit da6e82b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Expand `pg_dump --restrict-key` detection to PostgreSQL 15.14+ and 16.10+ to ensure deterministic schema dumps. Fixes: amacneil#728 --- <a href="https://cursor.com/background-agent?bcId=bc-aacb38de-028b-487e-9c78-f4dc974d64d5"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-cursor-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in Cursor" src="https://cursor.com/open-in-cursor.svg"></picture></a> <a href="https://cursor.com/agents?id=bc-aacb38de-028b-487e-9c78-f4dc974d64d5"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/open-in-web-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web" src="https://cursor.com/open-in-web.svg"></picture></a> Co-authored-by: Cursor Agent <cursoragent@cursor.com>

…candidate (amacneil#734)  > [!NOTE] > Prevents Dependabot from proposing Go release-candidate bumps in Dockerfiles. > > - Updates `.github/dependabot.yml` to ignore `golang` versions matching `*rc*` for the `docker` ecosystem, schedule unchanged > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit eeb1f91. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Strip psql meta-commands from schema files to fix `dbmate load` failures on newer PostgreSQL versions. PostgreSQL 15.14+/16.10+/17.6+ `pg_dump` outputs `\restrict` and `\unrestrict` commands as a security measure (CVE-2025-8714). These are `psql` client meta-commands, not SQL statements, causing `sqlDB.Exec()` to fail with a syntax error when `dbmate load` attempts to execute them directly against the database server. This PR adds a filter to remove these lines before execution. Fixes amacneil#735

> [!NOTE] > **Medium Risk** > Primarily dependency upgrades (notably `github.com/lib/pq` and ClickHouse client libs) plus a Go patch version bump, which could subtly change driver behavior/error formats at runtime. > > **Overview** > Bumps the module/release version to `2.29.4` and updates the Go version in `go.mod` from `1.24.0` to `1.24.1`. > > Refreshes several dependencies (notably `github.com/lib/pq`, `clickhouse-go`, `google.golang.org/api`, and various `golang.org/x/*` modules) and updates tests to match new driver behaviors: adds MySQL `mysqldump` version fixtures (8.3/9.6) and adjusts Postgres assertions to include SQLSTATE codes now present in `pq` error strings. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f3414fe. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

…l#743) Replace bare require.resolve() with createRequire(import.meta.url) to fix ReferenceError when running as an ES module (package.json has "type": "module"). Add an npm test script that imports the built output and calls resolveBinary() to catch ESM/CJS incompatibilities before publish.  --- > [!NOTE] > **Low Risk** > Low risk: small, targeted change to module resolution plus a new CI test step; main risk is potential path-resolution differences across Node environments. > > **Overview** > Fixes ESM compatibility in the TypeScript `dbmate` package by switching `resolveBinary()` to use `createRequire(import.meta.url)` for `require.resolve()`. > > Adds a lightweight `npm test` smoke test (and runs it in the GitHub Actions NPM job) that imports the built `dist` output and verifies `resolveBinary()` can resolve the platform binary before `publish`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 538facd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

- **v2.29.5** - **Update dependencies.**  --- > [!NOTE] > **Low Risk** > Low risk: changes are limited to version/dependency bumps and lockfile regeneration, with no functional code changes beyond `Version` string updates. > > **Overview** > Bumps the dbmate release version to `2.29.5`. > > Updates dependency pins, notably upgrading OpenTelemetry (`go.opentelemetry.io/otel*` to `v1.40.0`) and `google.golang.org/genproto` to a newer snapshot, and refreshes `go.sum`. > > Regenerates the `typescript/package-lock.json` (adds missing root `name` and removes many platform-specific optional entries), reflecting dependency/lockfile normalization. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b4e642a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

This fixes the issue of using a generated `schema.sql` with ClickHouse in Docker. The ClickHouse entrypoint runs every `.sql` file in `/docker-entrypoint-initdb.d` during server startup, but it executes them against the default database. It works if the schema dump was created from the default database, but it fails otherwise: ``` /entrypoint.sh: running /docker-entrypoint-initdb.d/schema.sql Received exception from server (version 25.3.6): Code: 60. DB::Exception: Received from 127.0.0.1:9000. DB::Exception: Table default.schema_migrations does not exist. Maybe you meant my_database_name.schema_migrations?. (UNKNOWN_TABLE) ``` This fix prefixes `migrations_table_name` with `db_name.` in the generated schema, making it consistent with the table creation statements and with other drivers.  --- > [!NOTE] > **Low Risk** > Low risk: changes are limited to ClickHouse schema dump SQL generation and corresponding test expectations, with no changes to migration execution or connection handling. > > **Overview** > Fixes ClickHouse `DumpSchema` output to be usable when executed against the default DB (e.g., Docker init scripts) by **fully qualifying the schema migrations insert** as `db_name.table`. > > Also standardizes database DDL generation by introducing `quotedDatabaseName()` and using it in `CreateDatabase`, `DropDatabase`, and schema dump output, and updates ClickHouse (cluster) tests to expect the qualified `INSERT` statement. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7748b83. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (<<)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP => HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=js-yaml&package-manager=npm_and_yarn&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details>  --- > [!NOTE] > **Low Risk** > Low risk dependency patch limited to the TypeScript workspace lockfile (dev tooling). Main impact is updated YAML parsing behavior in tooling, including a security fix for prototype pollution. > > **Overview** > Updates `typescript/package-lock.json` to bump the dev dependency `js-yaml` from `4.1.0` to `4.1.1` (including updated tarball/integrity metadata and added `license` field). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 53c200e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps alpine from 3.23.2 to 3.23.3. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=alpine&package-manager=docker&previous-version=3.23.2&new-version=3.23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Low risk dependency bump limited to the Docker release stage; main risk is unexpected package/runtime differences in the base image. > > **Overview** > Updates the Docker `release` stage base image from `alpine:3.23.2` to `alpine:3.23.3`, keeping the build and installed runtime packages unchanged. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 42785ab. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

lib/pq v1.11.1 broke connecting to Supavisor. Pin to lib/pq v1.10.9 until upstream fix is available. Closes amacneil#746 **Update:** lib/pq v1.11.2 released which fixes the connection issue, so rather than pinning to v1.10.9, we'll bump the depenency to v1.11.2, instead.  --- > [!NOTE] > **Low Risk** > Primarily a dependency patch bump plus test/infra tweaks; production logic is unchanged, with minimal risk beyond potential CI/environment differences in Postgres error messages. > > **Overview** > Updates the Postgres driver dependency by bumping `github.com/lib/pq` from `v1.11.1` to `v1.11.2` (with matching `go.sum` changes) to address Supavisor connection breakage. > > Adds `docker-compose.supavisor.yml` to spin up Supavisor + Postgres, auto-provision a dev tenant, and create a `dbmate_test` database; and relaxes several Postgres driver tests to use `require.ErrorContains` instead of exact error-string equality to reduce brittleness across environments/driver versions. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6bea788. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Create release v2.30.0 by bumping the version and updating Go and TypeScript dependencies. --- <p><a href="https://cursor.com/background-agent?bcId=bc-2cd27417-09d1-4fba-aa21-a007839a18ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> <a href="https://cursor.com/agents?id=bc-2cd27417-09d1-4fba-aa21-a007839a18ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a></p>  --- > [!NOTE] > **Low Risk** > Release/version bump with dependency-only updates; risk is limited to potential behavioral changes from updated Google Cloud/OpenTelemetry libraries. > > **Overview** > Bumps the `dbmate` version constant from `2.29.5` to `2.30.0` for the new release. > > Updates Go module dependencies, primarily in the Google Cloud stack (e.g., `cloud.google.com/go/bigquery`, `google.golang.org/api`, `github.com/googleapis/gax-go/v2`, `google.golang.org/genproto`) and related OpenTelemetry instrumentation versions, with corresponding `go.sum` changes. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2ce03d0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

…er flag + env var (amacneil#713) This PR addresses issue amacneil#489 by adding comprehensive support for ClickHouse HTTP/S protocols and allowing users to explicitly specify the driver via a CLI flag. Key Changes: 1. New Driver Schemes: - Added support for clickhouse+http:// and clickhouse+https:// schemes. - Added support for clickhouse+tcp:// alias. - When these schemes are detected, the driver automatically normalizes the URL for the underlying clickhouse-go driver and sets the appropriate default ports (8123 for HTTP, 8443 for HTTPS) if not specified. 2. Explicit Driver Selection (--driver flag): - Introduced a new global flag: --driver (env: DBMATE_DRIVER). - This allows users to force a specific driver, overriding the default behavior of inferring the driver from the database URL scheme. - Use Case: Enabling ClickHouse users to provide a standard http:// URL while explicitly telling dbmate to use the ClickHouse driver. ``` # Using new schemes (auto-detection) dbmate -u "clickhouse+http://localhost:8123/default" status # Using standard HTTP scheme with explicit driver flag dbmate --driver clickhouse -u "http://localhost:8123/default" status ``` Related Issue Fixes amacneil#489 Type of change [x] New feature (non-breaking change which adds functionality) [ ] Bug fix (non-breaking change which fixes an issue) Checklist [x] I have added tests to cover the new schemes, port defaults, and flag logic. [x] I have updated the README.md with documentation for the new feature. [x] Existing tests passed locally. [x] Refactored main.go logic into configureDB for better testability.  --- > [!NOTE] > **Medium Risk** > Changes driver selection logic in `dbmate.DB.Driver()` and expands ClickHouse connection URL handling, which could affect connectivity for existing CLI/library users if misconfigured; coverage is improved via new tests. > > **Overview** > Adds a new global `--driver` flag (and `DBMATE_DRIVER` env var) to force the database driver instead of inferring it from the URL scheme, refactoring CLI DB initialization into `configureDB` and plumbing the chosen driver through `dbmate.DB.Driver()`. > > Extends the ClickHouse driver to recognize `clickhouse+http://` and `clickhouse+https://` schemes (and to normalize `http`/`https` URLs for ClickHouse with appropriate default ports), updates documentation, and adds unit tests covering the new driver override and URL variants. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3cf3793. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

Bumps golang from 1.25.5 to 1.25.6. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.25.5&new-version=1.25.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Low risk: this is a patch-level Go toolchain update affecting build/runtime compatibility, with no functional code changes in the repo. > > **Overview** > Updates the Go toolchain patch version from `1.25.5` to `1.25.6` for local/dev and module builds. > > This bumps the `golang` base image tag in `Dockerfile` and the `toolchain` directive in `go.mod` to keep builds consistent. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3ee1bd3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jeff Zellner <jeff@foxglove.dev>

## Summary `DumpSchema` and `DatabaseExists` were passing a full connection string (including query parameters) where a bare file path is expected, causing `sqlite3` CLI calls and `os.Stat` checks to fail when the URL contained query parameters like `?mode=ro`. ## Changes - Introduce `normalizeSQLiteURL` to properly handle all URL forms (relative, absolute, 1–4 leading slashes, spaces, percent-encoding), replacing the previous regexp-based slash collapsing in `ConnectionString` - Add `filePathFromURL` to extract just the file path, and use it in `DumpSchema` and `DatabaseExists` instead of `ConnectionString` - Rebuild `ConnectionString` on top of the same normalizer ## Test improvements - Use `t.TempDir()` so tests don't write into the working directory - Pass `*Driver` into `prepTestSQLiteDB` for consistent test setup - Convert `ConnectionString` tests to table-driven with `t.Parallel()` and add corresponding `filePathFromURL` table-driven tests - Use `require.False`/`True`/`NoFileExists` for clearer assertions - Extend `DatabaseExists` test to cover the full create/drop cycle  --- > [!NOTE] > **Medium Risk** > Touches SQLite URL/DSN parsing used for opening and managing DB files; subtle path normalization changes could affect edge-case URLs across platforms. > > **Overview** > Fixes SQLite operations that require a filesystem path by introducing `filePathFromURL` and using it for `DumpSchema` (the `sqlite3` CLI call) and `DatabaseExists` (`os.Stat`), avoiding query/fragment connection params being treated as part of the filename. > > Refactors `ConnectionString` to be built from a normalized SQLite URL (`normalizeSQLiteURL`), improving handling of absolute vs relative paths, escaped characters, and extra leading slashes; updates/expands tests to cover path extraction vs DSN generation and makes SQLite tests use per-test temp DB files. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 15d3e41. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

Add shortened URL syntax examples for passwordless PostgreSQL Unix socket connections. ## Changes Corrects and improves the original PR (amacneil#459) examples: - **Fixed missing `@` in username URL**: `postgres://username/db` parses `username` as a hostname, not userinfo. The correct form is `postgres://username@/db` — the `@` is required to place `username` in the userinfo portion of the URL. - **Fixed misleading explanation**: The original PR claimed the username could be omitted "when the username and database name are identical." In reality, when the username is omitted, `lib/pq` (matching `libpq` behavior) defaults to the `PGUSER` environment variable if set, otherwise the OS username. The database name is irrelevant. - **Fixed typo**: "Additionaly" → "Additionally" (moot, sentence was rewritten) - **Removed extra blank line** ## Examples added ```sh # Passwordless (e.g. peer auth), explicit username (note the @ is required) DATABASE_URL="postgres://username@/database_name?socket=/var/run/postgresql" # Username omitted — defaults to PGUSER env var, or OS username DATABASE_URL="postgres:///database_name?socket=/var/run/postgresql" ```  --- > [!NOTE] > **Low Risk** > Documentation-only changes with no impact to runtime behavior. > > **Overview** > Updates `README.md` PostgreSQL connection documentation to include **passwordless unix-socket** `DATABASE_URL` examples, clarifying that the `@` is required when omitting the password (e.g., peer auth). > > Adds guidance that omitting the username falls back to `PGUSER` or the OS username (per `lib/pq`/`libpq` behavior), with an example URL showing the shortened form. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0696152. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

…macneil#752) ## Summary - The `versions: ["*rc*"]` glob pattern in the Docker ignore condition is invalid syntax, causing Dependabot to fail parsing the config entirely - Commented out the ignore block with a reference to the upstream feature request ## Context - Dependabot suggests RC versions of golang (e.g., `1.26rc2` in amacneil#733) even from stable tags - Docker ignore conditions use Bundler version syntax which does not support glob patterns - Upstream issue tracking pre-release ignore support: dependabot/dependabot-core#8677 ## Test plan - [ ] Verify Dependabot no longer reports a config parse error - [ ] Verify Dependabot resumes creating Docker update PRs  --- > [!NOTE] > **Low Risk** > Config-only change that removes a broken ignore rule; main impact is Dependabot may surface Go RC updates again until upstream support exists. > > **Overview** > Fixes Dependabot config parsing for Docker updates by commenting out an invalid `ignore` rule that tried to match Golang RC tags via `versions: ["*rc*"]`. > > Adds inline comments documenting the limitation (no glob patterns for Docker `versions`) and links to the upstream Dependabot issue for future re-enablement. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fcd6c96. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Bumps golang from 1.25.6 to 1.26.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.25.6&new-version=1.26.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Primarily a toolchain/linter version bump; risk is limited to potential CI/build or lint behavior differences under Go 1.26. > > **Overview** > Updates the development Docker image from Go `1.25.6` to `1.26.0` and bumps `golangci-lint` from `v2.8.0` to `v2.9.0`. > > Aligns module tooling by changing `go.mod` `toolchain` from `go1.25.6` to `go1.26.0` (no dependency changes included in the diff). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 900ebfe. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

@amacneil

feat: allow passing extra arguments to mysqldump/pgdump & fix broken tests (mysql & postgres) Allow passing extra arguments to the dump command as follows: `dbmate dump -- --flag1 --flag2` Everything after `--` will be passed to pgdump or mysqldump. We can further allow passing extra arguments for other subcommands. Fixes: amacneil#678 Fixes: amacneil#688 @amacneil  --- > [!NOTE] > **Medium Risk** > Changes the public `Driver` interface and how `dump` shells out to `mysqldump`/`pg_dump`, which could affect downstream driver implementations and schema dump behavior across databases. > > **Overview** > `dbmate dump` now supports pass-through flags (`dbmate dump -- --flag1 ...`) that are forwarded to `mysqldump`/`pg_dump`, wired from the CLI into a new `DB.Args` field and through the `Driver.DumpSchema(*sql.DB, ...string)` interface. > > MySQL and Postgres drivers were updated to append these extra args to the underlying dump command invocation (other drivers ignore them), README documentation was expanded accordingly, and new MySQL/Postgres tests validate that invalid extra args surface expected tool errors. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f5e2e52. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Release for v2.31.0, includes amacneil#753

Bumps [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519) from 1.1.0 to 1.1.1. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb"><code>d1c650a</code></a> extra: initialize receiver in MultiScalarMult</li> <li>See full diff in <a href="https://github.com/FiloSottile/edwards25519/compare/v1.1.0...v1.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=filippo.io/edwards25519&package-manager=go_modules&previous-version=1.1.0&new-version=1.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Brings in all upstream changes including: - v2.29.0 through v2.31.0 releases - feat: clickhouse HTTP/S schemes and --driver flag - feat: allow passing extra arguments to mysqldump/pgdump - feat: postgres --restrict-key support - fix: lib/pq v1.11.1 Supavisor compatibility - fix: SQLite URL file path extraction for shell commands - fix: clickhouse schema dump with non-default database - fix: MySQL/MariaDB specific schema dump handling - fix: ESM compatibility in resolveBinary - fix: strip psql meta-commands on load Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dossy and others added 30 commits January 8, 2026 14:55

Support --restrict-key (amacneil#727)

3af1181

Fixes amacneil#678 Use `--restrict-key` for `pgdump` > `17.6` so that we can generate deterministic dumps. --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>

dossy and others added 12 commits February 10, 2026 21:15

bump version to v2.31.0 (amacneil#754)

5dc429d

Release for v2.31.0, includes amacneil#753

diptanu merged commit 50eb91e into main Mar 2, 2026
11 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: sync with upstream amacneil/dbmate (v2.29.0 - v2.31.0)#13

chore: sync with upstream amacneil/dbmate (v2.29.0 - v2.31.0)#13
diptanu merged 42 commits intomainfrom
sync-upstream

diptanu commented Mar 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Conversation

diptanu commented Mar 2, 2026

Summary

Notable upstream changes

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants