build(deps): bump the all-updates group with 12 updates

[dependabot]

Bumps the all-updates group with 12 updates:

Package	From	To
github.com/alecthomas/chroma/v2	2.21.1	2.23.1
github.com/cloudflare/circl	1.6.2	1.6.3
github.com/go-chi/chi/v5	5.2.3	5.2.4
github.com/google/cel-go	0.26.1	0.27.0
github.com/klauspost/compress	1.18.2	1.18.3
github.com/yuin/goldmark	1.7.15	1.7.16
go.step.sm/crypto	0.75.0	0.76.0
golang.org/x/crypto	0.46.0	0.47.0
golang.org/x/net	0.48.0	0.49.0
golang.org/x/term	0.38.0	0.39.0
github.com/pires/go-proxyproto	0.8.1	0.9.2
golang.org/x/sys	0.39.0	0.40.0

Updates github.com/alecthomas/chroma/v2 from 2.21.1 to 2.23.1

Release notes

Sourced from github.com/alecthomas/chroma/v2's releases.

v2.23.1

Changelog

• 5b4188b fix: remove AGPL licensed testdata
• b9b4edc Add .env.* pattern to bash lexer (#1197)
• f163adc docs: add AGENTS.md
• fe6f0f3 fix: title link to Chroma

v2.23.0

Changelog

• 610afd8 feat: add light/dark mode toggle
• 1b5aad9 fix: make just commands faster
• 84583c6 fix: wait for WASM runtime to become ready at startup
• 1b6f6e7 fix: need relative import for wasm_exec.js
• 2a78195 fix: wasm builds got broken by the last change
• f8a34ec feat: fix local dev so it falls back to server
• 6827057 refactor: migrate to Just
• a60896f Create a lexer for Markless (#1195)

v2.22.0

Changelog

• 467c878 fix: reverse order of --lexer to name, then file
• 649c24d Add KDL lexer (#1192)
• 249a634 Add MoonBit lexer (#1191)
• 3e1f428 Update Zig lexer and example (#1189)
• 31592d5 fix: no text auto-sizing on webkit (#1186)
• 2e611c1 Add APKBUILD as filename to Bash lexer (#1187)
• c1adec8 chore(deps): update all non-major dependencies (#1185)
• 24cc733 fix(styles): update punctuation in Aura Theme to meet style guidelines (#1184)
• b0358e8 Add lexer for microcad (#1171)

Commits

• 5b4188b fix: remove AGPL licensed testdata
• b9b4edc Add .env.* pattern to bash lexer (#1197)
• f163adc docs: add AGENTS.md
• fe6f0f3 fix: title link to Chroma
• 610afd8 feat: add light/dark mode toggle
• 1b5aad9 fix: make just commands faster
• 84583c6 fix: wait for WASM runtime to become ready at startup
• 1b6f6e7 fix: need relative import for wasm_exec.js
• 2a78195 fix: wasm builds got broken by the last change
• f8a34ec feat: fix local dev so it falls back to server
• Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.6.2 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in cloudflare/circl#582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in cloudflare/circl#583
• Release CIRCL v1.6.3 by @​armfazh in cloudflare/circl#584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

Commits

• 24ae53c Release CIRCL v1.6.3
• 581020b Rename method to oddMultiplesProjective.
• 12209a4 Removing unused cmov for jacobian points.
• fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
• 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
• 3416046 Check opts for nil value.
• See full diff in compare view

Updates github.com/go-chi/chi/v5 from 5.2.3 to 5.2.4

Commits

• 6eb3588 middleware: harden RedirectSlashes handler (#1044)
• de0d16e Update comment about min Go version (#1023)
• 9fb4a15 update reverseMethodMap in RegisterMethod (#1022)
• 51c977c Refactor to use atomic type (#1019)
• 563ab11 Refactor graceful shutdown example (#994)
• a52c582 Bump minimum Go and use new features (#1017)
• See full diff in compare view

Updates github.com/google/cel-go from 0.26.1 to 0.27.0

Release notes

Sourced from github.com/google/cel-go's releases.

Release v0.27.0

Release Summary

This release focuses on improving developer tooling and stability. Key highlights include significant enhancements to the REPL (YAML configuration support and parse-only evaluation), the addition of cost estimation for regex operations, and improved test coverage reporting.

On the stability front, this release addresses race conditions in reference types, improves namespace resolution, and ensures formatting directives align strictly with the CEL specification.

Note: This release includes a breaking change regarding how types are handled as variables. Please review the "Breaking Changes" section below.

⚠ Breaking Changes

Remove types as variables: The logic for handling types has been relaxed to support safe rollout of feature packages which introduce new types whose names may collide with existing variables. Please review your policies if you relied on types behaving strictly as variables in previous versions. [PR #1262](google/cel-go#1262)

Features & Enhancements

REPL & Tooling

• YAML Configuration: The REPL now supports reading and writing YAML environment configurations. [PR #1250](google/cel-go#1250)

• Parse-Only Mode: Added parse-only evaluation capabilities to the REPL. [PR #1254](google/cel-go#1254)

• Test Coverage: Introduced logic for CEL test coverage calculation and updated the reporter to handle error/unknown scenarios.[PR #1209](google/cel-go#1209) & [PR #1215](google/cel-go#1215)

Core Library

• Regex Costing: Added support for cost estimation and tracking within the regex library. [PR #1200](google/cel-go#1200)

• JSON Type Exposure: Exposed CEL JSON types to assist developers in converting to native values. [PR #1261](google/cel-go#1261)

• Policy Composition: Source information is now preserved during CEL policy composition, aiding in debugging. [PR #1253](google/cel-go#1253)

Extensibility:

• Updated extension option factory to resolve by ID (#1249).

• Refactored match output compiling to accept user-defined logic (#1246).

• Exposed Match source ID to callers (#1227).

Build & Maintenance

• Bazel: Migrated to use Bazel module only and improved configuration for dependent builds. [PR #1231](google/cel-go#1231) & [PR #1228](google/cel-go#1228)

• Cleanup: Removed strcase dependency, removed AppEngine code from REPL, and performed general linting. [PR #1230](google/cel-go#1230), #1216, #1251

Bug Fixes

• Concurrency: Fixed a race condition in the checker regarding reference types. [PR #1224](google/cel-go#1224)

• Namespace Resolution: Addressed an issue with namespace resolution. [PR #1256](google/cel-go#1256)

• Spec Compliance: Fixed formatting directives to fully support requirements documented in the cel-spec. [PR #1232](google/cel-go#1232)

... (truncated)

Commits

• 450089b Preserve source information during CEL policy composition. (#1253)
• c66b313 Remove types as variables to allow user-defined variables to shadow type decl...
• bff3a72 Expose the CEL JSON types to assist with conversion to native values (#1261)
• 559cbc9 Remove errant diff checked into a prior PR (#1260)
• fe26efa Simplify the disambiguation logic to a single boolean (#1263)
• 52280ba Clean up unused source info after checker rewrites the AST. (#1258)
• 3cb5705 Namespace resolution fix (#1256)
• 409bcbe Refactor match output compiling to accept user-defined logic. (#1246)
• e9f15ea Enable two var comprehension conformance tests. (#1255)
• 057fa1a Add parse only evaluation to REPL (#1254)
• Additional commits viewable in compare view

Updates github.com/klauspost/compress from 1.18.2 to 1.18.3

Release notes

Sourced from github.com/klauspost/compress's releases.

v1.18.3

Downstream CVE-2025-61728

See golang/go#77102

Full Changelog: klauspost/compress@v1.18.2...v1.18.3

Commits

• 1d6cf28 Downstream CVE-2025-61728
• See full diff in compare view

Updates github.com/yuin/goldmark from 1.7.15 to 1.7.16

Commits

• 246a6f1 fix: #542
• See full diff in compare view

Updates go.step.sm/crypto from 0.75.0 to 0.76.0

Commits

• be45bd7 Merge pull request #939 from smallstep/mariano/cavium-root
• 06d0890 Merge pull request #927 from smallstep/mariano/tpmkms-searchkeys
• 3c1bf7a Update Marvell (Cavium) HSM root certificate
• 3aec72d Merge pull request #936 from smallstep/dependabot/go_modules/modernc.org/sqli...
• 65f3d89 Fix SearchKeys docs and typo
• 3fdb5b8 chore(deps): Bump modernc.org/sqlite from 1.44.0 to 1.44.2
• 975c521 Merge pull request #938 from smallstep/herman/bump-cavium-test-skip-date
• 79419cb Skip the Cavium root validity test until March 19th, 2026
• 8e41a47 Merge pull request #934 from smallstep/dependabot/go_modules/github.com/Azure...
• b1e977d chore(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azcore
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.46.0 to 0.47.0

Commits

• 506e022 go.mod: update golang.org/x dependencies
• 7dacc38 chacha20poly1305: error out in fips140=only mode
• See full diff in compare view

Updates golang.org/x/net from 0.48.0 to 0.49.0

Commits

• d977772 go.mod: update golang.org/x dependencies
• eea413e internal/http3: use go1.25 synctest.Test instead of go1.24 synctest.Run
• 9ace223 websocket: add missing call to resp.Body.Close
• 7d3dbb0 http2: buffer the most recently received PRIORITY_UPDATE frame
• See full diff in compare view

Updates golang.org/x/term from 0.38.0 to 0.39.0

Commits

• a7e5b04 go.mod: update golang.org/x dependencies
• 943f25d x/term: handle transpose
• 9b991dd x/term: handle delete key
• See full diff in compare view

Updates github.com/pires/go-proxyproto from 0.8.1 to 0.9.2

Release notes

Sourced from github.com/pires/go-proxyproto's releases.

v0.9.2

What's Changed

• http2: support http.Server.BaseContext & avoid empty ALPN on TLS by @​emersion and @​pires in pires/go-proxyproto#140

Full Changelog: pires/go-proxyproto@v0.9.1...v0.9.2

v0.9.1

What's Changed

• Add SSL client certificate TLV by @​emersion in pires/go-proxyproto#136
• tlvparse: small cosmetic fixes by @​emersion in pires/go-proxyproto#137

Full Changelog: pires/go-proxyproto@v0.9.0...v0.9.1

v0.9.0

What's Changed

• ci: use local Go toolchain and downgrade Go version by @​gustavosbarreto in pires/go-proxyproto#127
• Add TLS group and sig scheme TLVs by @​emersion in pires/go-proxyproto#133
• Add TrustProxyHeaderFrom policy function by @​gearnode in pires/go-proxyproto#132
• ci: bump to Go 1.24 by @​pires in pires/go-proxyproto#134
• policy: PolicyFunc is deprecated in favor of ConnPolicyFunc by @​pires in pires/go-proxyproto#135

New Contributors

• @​gustavosbarreto made their first contribution in pires/go-proxyproto#127
• @​gearnode made their first contribution in pires/go-proxyproto#132

Full Changelog: pires/go-proxyproto@v0.8.1...v0.9.0

Commits

• f6b536f http2: net/http panics if ConnContext returns nil
• 96b9868 http2: avoid empty ALPN on TLS connections
• 9cd9cbd http2: respect http.Server.BaseContext
• aaf9a7e helper/http2: use http.Server.ConnContext for HTTP/2 if set
• 5b1be82 tlvparse: move comments before PP2SSL fields
• e5f7f96 tlvparse: format azure.go
• f000eed Add SSL client certificate TLV
• 1542a61 policy: PolicyFunc is deprecated in favor of ConnPolicyFunc
• 6dc9050 ci: bump to Go 1.24
• 4165843 Add TrustProxyHeaderFrom policy function
• Additional commits viewable in compare view

Updates golang.org/x/sys from 0.39.0 to 0.40.0

Commits

• 2f44229 sys/cpu: add symbolic constants for remaining cpuid bits
• e5770d2 sys/cpu: use symbolic names for masks
• 714a44c sys/cpu: modify x86 port to match what internal/cpu does
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions