Bump the all-updates group across 1 directory with 12 updates

[dependabot]

Bumps the all-updates group with 9 updates in the / directory:

Package	From	To
github.com/aws/aws-sdk-go	1.41.14	1.55.8
github.com/golang-jwt/jwt/v4	4.1.0	4.5.2
github.com/golangci/golangci-lint/v2	2.7.2	2.8.0
github.com/gosimple/slug	1.11.0	1.15.0
github.com/joho/godotenv	1.4.0	1.5.1
github.com/lib/pq	1.10.9	1.11.1
github.com/microcosm-cc/bluemonday	1.0.16	1.0.27
github.com/prometheus/client_golang	1.12.1	1.23.2
rogchap.com/v8go	0.7.1-0.20211222173054-943fcf9e74cc	0.9.0

Updates github.com/aws/aws-sdk-go from 1.41.14 to 1.55.8

Release notes

Sourced from github.com/aws/aws-sdk-go's releases.

Release v1.55.8 (2025-07-31)

SDK Features

• Mark the module and all packages as deprecated.
  • This SDK has entered end-of-support.

Release v1.55.7 (2025-04-22)

SDK Bugs

• service/s3/s3manager: Abort multipart download if object is modified during download
  • Fixes 4986

Release v1.55.6 (2025-01-15)

SDK Bugs

• Fix broken printf for go1.24

Release v1.55.5 (2024-07-30)

Service Client Updates

• service/appstream: Updates service API and documentation
  • Added support for Red Hat Enterprise Linux 8 on Amazon AppStream 2.0
• service/autoscaling: Updates service API and documentation
  • Increase the length limit for VPCZoneIdentifier from 2047 to 5000
• service/codepipeline: Updates service API, documentation, and paginators
  • AWS CodePipeline V2 type pipelines now support stage level conditions to enable development teams to safely release changes that meet quality and compliance requirements.
• service/elasticache: Updates service documentation
  • Doc only update for changes to deletion API.
• service/elasticloadbalancing: Updates service API
• service/eventbridge: Updates service API
• service/logs: Updates service API
  • Add v2 smoke tests and smithy smokeTests trait for SDK testing.
• service/models.lex.v2: Updates service API and documentation
• service/rolesanywhere: Updates service API and documentation
• service/tnb: Updates service API and documentation
• service/workspaces: Updates service documentation
  • Removing multi-session as it isn't supported for pools

Release v1.55.4 (2024-07-29)

Service Client Updates

• service/elasticache: Updates service documentation
  • Renaming full service name as it appears in developer documentation.
• service/memorydb: Updates service API and documentation

... (truncated)

Commits

• 070853e release v1.55.8 (2025-07-31)
• bb0168e Add deprecation warnings everywhere and remove some README content
• 7ce44f3 aws
• 6d9a26d remove doc issue tmpl
• 239002f deprecate service packages and HLLs
• 70c4177 deprecate main runtime packages
• bbdd4e9 deprecate
• 163aada release v1.55.7 (2025-04-22) (#5346)
• 9eb2bfd Abort multi part download if the object is modified during download
• 8d203cc Update bug-report.yml
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.1.0 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

• Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

What's Changed

• Allow strict base64 decoding by @​AlexanderYastrebov in golang-jwt/jwt#259

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

v4.4.3

What's Changed

• fix: link update for README.md for v4 by @​krokite in golang-jwt/jwt#217
• Implement a BearerExtractor by @​WhyNotHugo in golang-jwt/jwt#226
• Bump matrix to support latest go version (go1.19) by @​mfridman in golang-jwt/jwt#231
• Include https://github.com/golang-jwt/jwe in README by @​oxisto in golang-jwt/jwt#229
• Add doc comment to ParseWithClaims by @​jkopczyn in golang-jwt/jwt#232
• Refactor: removed the unneeded if statement by @​Krout0n in golang-jwt/jwt#241
• No pointer embedding in the example by @​oxisto in golang-jwt/jwt#255

New Contributors

• @​krokite made their first contribution in golang-jwt/jwt#217
• @​WhyNotHugo made their first contribution in golang-jwt/jwt#226
• @​jkopczyn made their first contribution in golang-jwt/jwt#232
• @​Krout0n made their first contribution in golang-jwt/jwt#241

Full Changelog: golang-jwt/jwt@v4.4.2...v4.4.3

v4.4.2

What's Changed

• Added MicahParks/keyfunc to extensions by @​oxisto in golang-jwt/jwt#194
• Update link to v4 on pkg.go.dev page by @​polRk in golang-jwt/jwt#195

... (truncated)

Commits

• 2f0e9ad Backporting 0951d18 to v4
• 7b1c1c0 Merge commit from fork
• 9358574 Allow strict base64 decoding (#259)
• 2f0984a Using tparse for nicer CI test display (#251)
• 2101c1f No pointer embedding in the example (#255)
• 35053d4 Removed unneeded if statement (#241)
• 0c4e387 Add doc comment to ParseWithClaims (#232)
• bfea432 Include https://github.com/golang-jwt/jwe in README (#229)
• d81acbf Bump matrix to support latest go version (go1.19) (#231)
• fdaf0eb Implement a BearerExtractor (#226)
• Additional commits viewable in compare view

Updates github.com/golangci/golangci-lint/v2 from 2.7.2 to 2.8.0

Release notes

Sourced from github.com/golangci/golangci-lint/v2's releases.

v2.8.0

golangci-lint is a free and open-source project built by volunteers.

If you value it, consider supporting us, the maintainers and linter authors.

We appreciate it! ❤️

For key updates, see the changelog.

Changelog

• 6a55b8ba828f05d3ce1e04d94040d833909fe428 build(deps): bump codeberg.org/polyfloyd/go-errorlint from 1.8.0 to 1.9.0 (#6284)
• 57d155c1730ab410db72eebb89eaece3e3f82162 build(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 (#6276)
• 0d43769b688aceaf451c7f088cc8b3870edbc830 build(deps): bump github.com/MirrexOne/unqueryvet from 1.3.0 to 1.4.0 (#6299)
• 6c532812bf9b3f1f3e8a624e535679ceb9c92497 build(deps): bump github.com/alecthomas/chroma/v2 from 2.20.0 to 2.21.1 (#6278)
• 2f5fe9701f996074adba5c12e453084fd2034d65 build(deps): bump github.com/alexkohler/prealloc from 1.0.0 to 1.0.1 (#6289)
• 496ae4438af468a5d5f46664c33b74e5ea95f5dd build(deps): bump github.com/ghostiam/protogetter from 0.3.17 to 0.3.18 (#6277)
• e2fbe0a10c0e26bc9332abbe1c739bf13210c974 build(deps): bump github.com/go-critic/go-critic from 0.14.2 to 0.14.3 (#6300)
• 3cebab943dcd6b78925df4144485fe2d15d6f09a build(deps): bump github.com/godoc-lint/godoc-lint from 0.10.2 to 0.11.1 (#6282)
• 7a6a90c9cd09c19af2f48acf9898ec46541f0a9e build(deps): bump github.com/golangci/golines from 0.0.0-20250217134842-442fd0091d95 to 0.14.0 (#6279)
• b388efe7efa29cc7f7ff53b959aaf538ec88103e build(deps): bump github.com/ldez/gomoddirectives from 0.7.1 to 0.8.0 (#6241)
• 3eae3e942f1867e1a1e8890bfdb452550fafd6ae build(deps): bump github.com/securego/gosec/v2 from 2.22.11-0.20251204091113-daccba6b93d7 to 2.22.11 (#6258)
• e45bbde33d8df48b3f4145f71363bc99dd7816bf build(deps): bump github.com/shirou/gopsutil/v4 from 4.25.11 to 4.25.12 (#6290)
• 0e8e7fd4b7d99cb0ad66b1e58f289b8bcb33cb01 build(deps): bump golang.org/x/mod from 0.30.0 to 0.31.0 (#6253)
• 42866832c90c17df5128fb2d567c956ff14b0b07 build(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 in /scripts/gen_github_action_config in the scripts group (#6247)
• 7d53213a6a6a65f45cb5ab81ab7806308c8b99a0 build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 (#6255)
• 9756d45c3d33e6ec3ee4eed55c2c52230645b0b9 build(deps): bump golang.org/x/sys from 0.38.0 to 0.39.0 (#6254)
• 54af8f39f3e0c1b57bd7532c8f9c11873ef5fdfb build(deps): bump golang.org/x/tools from 0.39.0 to 0.40.0 (#6252)
• df2b36f71128bee5e394ea1cad350645682967ae build(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 in the github-actions group (#6248)
• 6441d5c9806ead5e137dddc084c1225c4c233c7b build(deps): bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#6270)
• efa78522955caaa57642cc13ce83caca63ca7319 build(deps): bump the linter-testdata group across 5 directories with 8 updates (#6286)
• 246bc086df2dcdad895b087dbdb4bdc90adb6ab2 revive: add missing enable-default-rules setting (#6288)
• 2135d9a37b11c34f76b2d12695b19ef2574bd676 revive: fix suggested fixes (#6295)

Changelog

Sourced from github.com/golangci/golangci-lint/v2's changelog.

v2.8.0

Released on 2026-01-07

1. Linters new features or changes
   • godoc-lint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
   • golines: from 442fd0091d95 to 0.14.0
   • gomoddirectives: from 0.7.1 to 0.8.0
   • gosec: from daccba6b93d7 to 2.22.11 (new rule: G116)
   • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
   • prealloc: from 1.0.0 to 1.0.1 (message changes)
   • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
2. Linters bug fixes
   • go-critic: from 0.14.2 to 0.14.3
   • go-errorlint: from 1.8.0 to 1.9.0
   • govet: from 0.39.0 to 0.40.0
   • protogetter: from 0.3.17 to 0.3.18
   • revive: add missing enable-default-rules setting
3. Documentation
   • docs: split installation page

Commits

• e2e4002 chore: prepare release
• 2135d9a revive: fix suggested fixes (#6295)
• e2fbe0a build(deps): bump github.com/go-critic/go-critic from 0.14.2 to 0.14.3 (#6300)
• 0d43769 build(deps): bump github.com/MirrexOne/unqueryvet from 1.3.0 to 1.4.0 (#6299)
• e45bbde build(deps): bump github.com/shirou/gopsutil/v4 from 4.25.11 to 4.25.12 (#6290)
• 2f5fe97 build(deps): bump github.com/alexkohler/prealloc from 1.0.0 to 1.0.1 (#6289)
• 246bc08 revive: add missing enable-default-rules setting (#6288)
• efa7852 build(deps): bump the linter-testdata group across 5 directories with 8 updat...
• 3cebab9 build(deps): bump github.com/godoc-lint/godoc-lint from 0.10.2 to 0.11.1 (#6282)
• 6a55b8b build(deps): bump codeberg.org/polyfloyd/go-errorlint from 1.8.0 to 1.9.0 (#6...
• Additional commits viewable in compare view

Updates github.com/gosimple/slug from 1.11.0 to 1.15.0

Release notes

Sourced from github.com/gosimple/slug's releases.

v1.15.0

🚀 New features and improvements

• Add option to disable trimming of dashes and underscores (#91) by @​matrixik
• optimize: pre alloc slice (#87) by @​rfyiamcool

v1.14.0

🚀 New features and improvements

• Add portuguese language (#78) by @​guilherme-santos
• Add AppendTimestamp option to make slug unique (#81) by @​phihungtf
• Adds portuguese language & @ symbols (#79) by @​auyer

🐛 Bug Fixes

• Correct substitution for bulgarian 'Щ' (#80) by @​kvalev

🧰 Maintenance

• Remove rebase Github action (#86) by @​matrixik
• Update Github test actions (#85) by @​matrixik

🚦 Tests

• Fix some order dependent tests (#83) by @​vannem-sj

v1.13.1: Fix for panic when MaxLength is greater then string length and SmartTruncate is disabled

🐛 Bug Fixes

• Fixed truncation issue (#77) by @​Aym3nTN

v1.13.0: Ability to disable smart truncate, 3 new languages (bg, it, ro) and bug fixes

Thank you for all contributions.

🚀 New features and improvements

• Added the possibility to disable smart truncate (with the exception of the trimming) (#75) by @​Aym3nTN
• Add Romanian (#69) by @​vasilegoian
• Add Italian language substitutions (#68) by @​TomOne
• Adds support for Bulgarian language (#66) by @​aquilax

🐛 Bug Fixes

• Fix edge case in truncate function allowing too long slugs (#74) by @​Redlinkk
• Fix Greek language to follow ELOT 743 standard (#70) by @​imikod

... (truncated)

Commits

• 62efd7f Add option to disable trimming of dashes and underscores
• 8f2fa2f optimize: pre alloc slice
• 412e31a Add portuguese language (#78)
• a9e699c Add AppendTimestamp option to make slug unique (#81)
• 4a8e359 Adds portuguese language & @ symbols (#79)
• f701be4 Remove rebase Github action (#86)
• 78044c1 Correct substitution for bulgarian 'Щ' (#80)
• 76470d7 Fix some order dependent tests (#83)
• 5b9c2ce Update Github test actions (#85)
• 1eab316 Fixed truncation issue (#77)
• Additional commits viewable in compare view

Updates github.com/joho/godotenv from 1.4.0 to 1.5.1

Release notes

Sourced from github.com/joho/godotenv's releases.

Fix parser regressions from multiline support

Version 1.5 came with a whole new parser, and with a new parser comes new bugs.

Things that were broken in 1.5 that are now fixed:

• unquoted variables with interior whitespace no longer split on the first space (and then break the following line if you have one)
• inline comments now work again for both quoted and unquoted variables
• export statement filtering was made more robust and matched earlier versions behaviour
• FOO.BAR key names are permitted again (i have no idea why you'd do it, but it's explicitly supported in ruby dotenv files)

There's one breaking change: earlier versions of this library would allow unterminated quoted variables in some instances and return a value (ie FOO="bar would set env of FOO: '"bar'), this now returns an error.

What's Changed

• Fix bug where internal unquoted whitespace truncates values by @​joho in joho/godotenv#205

Full Changelog: joho/godotenv@v1.5.0...v1.5.1

v1.5.0 - multiline variables

The big news this release is that godotenv finally, after much procrastination in review, supports multiline variables (fixes #64). Big shoutout to @​x1unix for the bulk of the work on the original PR and also to @​coolaj86 and @​austinsasko for some very helpful review and tweaks.

Also added a -o overload flag (thanks @​2tef)

What's Changed

• Try and fix go get in CI for power8 by @​joho in joho/godotenv#157
• Fix typos in comments and extend README by @​alexandear in joho/godotenv#177
• tune README by @​bikbah in joho/godotenv#170
• Remove renovate, add dependabot by @​joho in joho/godotenv#183
• Setup codeql by @​joho in joho/godotenv#186
• Bump actions/checkout from 2 to 3 by @​dependabot in joho/godotenv#184
• Bump actions/setup-go from 2 to 3 by @​dependabot in joho/godotenv#185
• Add darwin arm64 build by @​statik in joho/godotenv#174
• Sort Go import in README by @​Doarakko in joho/godotenv#193
• Fix godoc formatting by @​joho in joho/godotenv#197
• fix tiny details by @​2tef in joho/godotenv#199
• Multiline string support by @​x1unix in joho/godotenv#156
• Update CI to test go 1.20 by @​joho in joho/godotenv#201
• fix whitespace with gofmt by @​2tef in joho/godotenv#203
• add overload flag by @​2tef in joho/godotenv#200
• • Fix: ioutil.ReadAll() is deprecated, so removed it's dependency by @​dreygur in joho/godotenv#202

New Contributors

• @​x1unix made their first contribution in joho/godotenv#118
• @​alexandear made their first contribution in joho/godotenv#177
• @​bikbah made their first contribution in joho/godotenv#170
• @​dependabot made their first contribution in joho/godotenv#184
• @​statik made their first contribution in joho/godotenv#174
• @​Doarakko made their first contribution in joho/godotenv#193
• @​2tef made their first contribution in joho/godotenv#199
• @​dreygur made their first contribution in joho/godotenv#202

... (truncated)

Commits

• 3fc4292 Fix bug where internal unquoted whitespace truncates values (#205)
• b311b26 Fix: ioutil.ReadAll() is deprecated, so removed it's dependency (#202)
• 4321598 add overload flag (#200)
• 32a3b9b fix whitespace with gofmt (#203)
• 06bf2d6 Update CI to test go 1.20 (#201)
• cc9e9b7 Multiline string support (#156)
• 0f21d20 fix tiny details (#199)
• 5c76d3e Add punctuation to please godoc (#197)
• 85a2237 sort go import in readme (#193)
• add39c6 Remove power8 again as it wasn't fixed
• Additional commits viewable in compare view

Updates github.com/lib/pq from 1.10.9 to 1.11.1

Release notes

Sourced from github.com/lib/pq's releases.

v1.11.1

This fixes two regressions present in the v1.11.0 release:

• Fix build on 32bit systems, Windows, and Plan 9 (#1253).

• Named []byte types and pointers to []byte (e.g. *[]byte, json.RawMessage) would be treated as an array instead of bytea (#1252).

#1252: lib/pq#1252 #1253: lib/pq#1253

v1.11.0

This version of pq requires Go 1.21 or newer.

pq now supports only maintained PostgreSQL releases, which is PostgreSQL 14 and newer. Previously PostgreSQL 8.4 and newer were supported.

Features

• The pq.Error.Error() text includes the position of the error (if reported by PostgreSQL) and SQLSTATE code (#1219, #1224):

  pq: column "columndoesntexist" does not exist at column 8 (42703)
  pq: syntax error at or near ")" at position 2:71 (42601)
  

• The pq.Error.ErrorWithDetail() method prints a more detailed multiline message, with the Detail, Hint, and error position (if any) (#1219):

  ERROR:   syntax error at or near ")" (42601)
  CONTEXT: line 12, column 1:
   10 |     name           varchar,
   11 |     version        varchar,
   12 | );
        ^
  
  

• Add Config, NewConfig(), and NewConnectorConfig() to supply connection details in a more structured way (#1240).

• Support hostaddr and $PGHOSTADDR (#1243).

• Support multiple values in host, port, and hostaddr, which are each tried in order, or randomly if load_balance_hosts=random is set (#1246).

• Support target_session_attrs connection parameter (#1246).

• Support [sslnegotiation] to use SSL without negotiation (#1180).

• Allow using a custom tls.Config, for example for encrypted keys (#1228).

• Add PQGO_DEBUG=1 print the communication with PostgreSQL to stderr, to aid in debugging, testing, and bug reports (#1223).

• Add support for NamedValueChecker interface (#1125, #1238).

Fixes

... (truncated)

Changelog

Sourced from github.com/lib/pq's changelog.

v1.11.1 (2025-01-29)

This fixes two regressions present in the v1.11.0 release:

• Fix build on 32bit systems, Windows, and Plan 9 (#1253).

• Named []byte types and pointers to []byte (e.g. *[]byte, json.RawMessage) would be treated as an array instead of bytea (#1252).

#1252: lib/pq#1252 #1253: lib/pq#1253

v1.11.0 (2025-01-28)

This version of pq requires Go 1.21 or newer.

pq now supports only maintained PostgreSQL releases, which is PostgreSQL 14 and newer. Previously PostgreSQL 8.4 and newer were supported.

Features

• The pq.Error.Error() text includes the position of the error (if reported by PostgreSQL) and SQLSTATE code (#1219, #1224):

  pq: column "columndoesntexist" does not exist at column 8 (42703)
  pq: syntax error at or near ")" at position 2:71 (42601)
  

• The pq.Error.ErrorWithDetail() method prints a more detailed multiline message, with the Detail, Hint, and error position (if any) (#1219):

  ERROR:   syntax error at or near ")" (42601)
  CONTEXT: line 12, column 1:
   10 |     name           varchar,
   11 |     version        varchar,
   12 | );
        ^
  
  

• Add Config, NewConfig(), and NewConnectorConfig() to supply connection details in a more structured way (#1240).

• Support hostaddr and $PGHOSTADDR (#1243).

• Support multiple values in host, port, and hostaddr, which are each tried in order, or randomly if load_balance_hosts=random is set (#1246).

• Support target_session_attrs connection parameter (#1246).

• Support [sslnegotiation] to use SSL without negotiation (#1180).

... (truncated)

Commits

• eec526c Release v1.11.1 (#1255)
• 1928a1d Fix []byte types incorrectly converted to PostgreSQL array (#1252)
• 9e2aa8e Run staticcheck on all GOOS/GOARCH combinations
• c9320c4 Fix build on Windows and Plan9
• 2809526 Fix build on 32bit systems
• 8e88f7e Release 1.11.0
• 0ad3049 Handle pre-protocol errors to prevent memory exhaustion
• f1fae2e Add pqtest.Fake.Close()
• 3815d03 Remove assumption that the auth response is AuthenticateOk
• 589ad43 Implement load_balance_hosts=random
• Additional commits viewable in compare view

Updates github.com/microcosm-cc/bluemonday from 1.0.16 to 1.0.27

Release notes

Sourced from github.com/microcosm-cc/bluemonday's releases.

Update golang.org/x/net to latest and force latest version

Bumping version and ensuring latest golang.org/x/net as the HTTP rapid reset is triggering primitive vuln scanners, we do not implement a HTTP2 server and are not vulnerable but a minor bump can still help reduce noise for those searching for what they need to upgrade and patch.

Nothing else is in this release aside from the dependency updates and some staticcheck messages being resolved that should not modify behaviour.

Added src rewriter to allow for proxying inline assets.

What's Changed

• Bump golang.org/x/net from 0.10.0 to 0.12.0 by @​dependabot in microcosm-cc/bluemonday#178
• Prefer explicit rules over regexp by @​KN4CK3R in microcosm-cc/bluemonday#182
• Added src rewriter by @​yyewolf in microcosm-cc/bluemonday#179

New Contributors

• @​yyewolf made their first contribution in microcosm-cc/bluemonday#179

Full Changelog: microcosm-cc/bluemonday@v1.0.24...v1.0.25

Added AllowURLSchemesMatching

This is a feature release, there are no security fixes in this release.

What's Changed

• Minor bug fix parsing style attribute with trailing spaces by @​sergeyfedotov in microcosm-cc/bluemonday#172
• Allow custom URL schemes by matching regex by @​yardenshoham in microcosm-cc/bluemonday#175
• Bump golang.org/x/net from 0.8.0 to 0.10.0 by @​dependabot in microcosm-cc/bluemonday#173

New Contributors

• @​sergeyfedotov made their first contribution in microcosm-cc/bluemonday#172
• @​yardenshoham made their first contribution in microcosm-cc/bluemonday#175

Full Changelog: microcosm-cc/bluemonday@v1.0.23...v1.0.24

Resolve golang.org/x/net CVE-2022-41723

What's Changed

• Upgrade golang.org/x/net to 0.8.0 by @​barshociaj in microcosm-cc/bluemonday#165 to address CVE-2022-41723 which requires updating the x/net dependency

New Contributors

• @​barshociaj made their first contribution in microcosm-cc/bluemonday#165

Full Changelog: microcosm-cc/bluemonday@v1.0.22...v1.0.23

Add picture to list of elements allowed without attributes

This is not a security update!

This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.

The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .

Very minor bug fix to remove empty elements without attributes

Thanks to @​Gusted for microcosm-cc/bluemonday#151 which fixes a bug that allowed a policy to be defined in a way that input could've allowed an empty and meaningless element to be left in the output when it should not have done so.

This is not a security issue, and the details can be seen in the PR comment.

... (truncated)

Commits

• 10b8ac6 Remove SPDX header from LICENSE to enable GitHub auto-detection
• 30fb5d7 Don't duplicate attrs if multiple global policies allow them
• e244202 Update CONTRIBUTING.md (fixup of 109c9cf)
• 206ce8a Update the security policy
• 109c9cf Clean up developer instructions to a vanilla Go project
• e602a4a Fix RequireCrossOriginAnonymous when crossorigin attr is allowed
• 37251d9 Consistently raise minimum Go version and update CI
• 135e7bb all: upgrade dependencies
• 5703ea6 Merge pull request #207 from silverwind/4hex
• af654ef Merge pull request #202 from caarlos0/tidy
• Additional commits viewable in compare view

Updates github.com/prometheus/client_golang from 1.12.1 to 1.23.2

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.23.2 - 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

• [release-1.23] Upgrade to prometheus/common@v0.66.1 by @​aknuds1 in prometheus/client_golang#1869
• [release-1.23] Cut v1.23.2 by @​aknuds1 in prometheus/client_golang#1870

Full Changelog: prometheus/client_golang@v1.23.1...v1.23.2

v1.23.1 - 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

• [release-1.23] Upgrade to prometheus/common v0.66 by @​aknuds1 in prometheus/client_golang#1866
• [release-1.23] Cut v1.23.1 by @​aknuds1 in prometheus/client_golang#1867

Full Changelog: prometheus/client_golang@v1.23.0...v1.23.1

v1.23.0 - 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

... (truncated)

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.23.2 / 2025-09-05

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

1.23.1 / 2025-09-04

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

1.23.0 / 2025-07-30

• [CHANGE] Minimum required Go version is now 1.23, only the two latest Go versions are supported from now on. #1812
• [FEATURE] Add WrapCollectorWith and WrapCollectorWithPrefix #1766
• [FEATURE] Add exemplars for native histograms #1686
• [ENHANCEMENT] exp/api: Bubble up status code from writeResponse #1823
• [ENHANCEMENT] collector/go: Update runtime metrics for Go v1.23 and v1.24 #1833
• [BUGFIX] exp/api: client prompt return on context cancellation #1729

1.22.0 / 2025-04-07

⚠️ This release contains potential breaking change if you use experimental zstd support introduce in #1496 ⚠️

Experimental support for zstd on scrape was added, controlled by the request Accept-Encoding header. It was enabled by default since version 1.20, but now you need to add a blank import to enable it. The decision to make it opt-in by default was originally made because the Go standard library was expected to have default zstd support added soon, golang/go#62513 however, the work took longer than anticipated and it will be postponed to upcoming major Go versions.

e.g.:

import (
  _ "github.com/prometheus/client_golang/prometheus/promhttp/zstd"
)

• [FEATURE] prometheus: Add new CollectorFunc utility #1724
• [CHANGE] Minimum required Go version is now 1.22 (we also test client_golang against latest go version - 1.24) #1738
• [FEATURE] api: WithLookbackDelta and WithStats options have been added to API client. #1743
• [CHANGE] ⚠️ promhttp: Isolate zstd support and klauspost/compress library use to promhttp/zstd package. #1765

1.21.1 / 2025-03-04

• [BUGFIX] prometheus: Revert of Inc, Add and Observe cumulative metric CAS optimizations (#1661), causing regressions on low contention cases.
• [BUGFIX] prometheus: Fix GOOS=ios build, broken due to process_collector_* wrong build tags.

1.21.0 / 2025-02-17

⚠️ This release contains potential breaking change if you upgrade github.com/prometheus/common to 0.62+ together with client_golang. ⚠️

... (truncated)

Commits

• 8179a56 Cut v1.23.2 (#1870)
• 4142b59 Merge pull request #1869 from prometheus/arve/upgrade-common
• 4ff40f0 Cut v1.23.1 (#1867)
• 989b029 Upgrade to prometheus/common v0.66 (#1866)
• e4b2208 Cut v1.23.0 (#1848)
• d9492af cut v1.23.0-rc.1 (#1842)
• aeae8a0 Cut v1.23.0-rc.0 (#1837)
• b157309 Update common Prometheus files (#1832)
• a704e28 build(deps): bump the github-actions group with 3 updates (#1826)
• c774311 Fix e...

  Description has been truncated

[dependabot]

Superseded by #1462.