
chore(deps): update go (major) #2446

Open
renovate-bot wants to merge 1 commit into googleapis:main from renovate-bot:renovate/major-go

Conversation


@renovate-bot renovate-bot commented Feb 10, 2026

This PR contains the following updates:

Package                              Change
github.com/go-chi/httplog/v2         v2.1.1 -> v3.3.0
github.com/neo4j/neo4j-go-driver/v5  v5.28.4 -> v6.0.0

Release Notes

go-chi/httplog (github.com/go-chi/httplog/v2)

v3.3.0

Full Changelog: go-chi/httplog@v3.2.2...v3.3.0

v3.2.2

Full Changelog: go-chi/httplog@v3.2.1...v3.2.2

v3.2.1

Full Changelog: go-chi/httplog@v3.2.0...v3.2.1

v3.2.0

What's Changed

  • Rename "ClientDisconnected" error to "ClientAborted"
  • Rename "error" key according to the schema but don't stringify
    by @VojtechVitek in #59

Full Changelog: go-chi/httplog@v3.1.0...v3.2.0

v3.1.0

Full Changelog: go-chi/httplog@v3.0.0...v3.1.0

v3.0.0

What's Changed

github.com/go-chi/httplog/v3

Based on prototype at https://github.com/golang-cz/httplog

Fixes #28
Fixes #35
Fixes #36
Fixes #40

Full Changelog: go-chi/httplog@v2.1.1...v3.0.0

neo4j/neo4j-go-driver (github.com/neo4j/neo4j-go-driver/v5)

v6.0.0

See https://github.com/neo4j/neo4j-go-driver/wiki/6.x-changelog for more information.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner February 10, 2026 19:11

dpebot commented Feb 10, 2026

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the "tests: run" label (Label to trigger Github Action tests) on Feb 10, 2026
@gemini-code-assist

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on upgrading two key Go dependencies, go-chi/httplog and neo4j-go-driver, to their latest major versions. These updates introduce new features, bug fixes, and potentially breaking changes, ensuring the project leverages the most current and stable versions of these libraries. The changes primarily involve updating the go.mod file to include the new major version imports.

Highlights

  • Dependency Update: go-chi/httplog: The github.com/go-chi/httplog dependency has been updated from v2.1.1 to its new major version v3.3.0. This update includes several bug fixes and improvements, such as fixes for response duration, GCP source location attributes, and error handling, as detailed in the release notes.
  • Dependency Update: neo4j-go-driver: The github.com/neo4j/neo4j-go-driver dependency has been updated from v5.28.4 to its new major version v6.0.0. This is a significant upgrade, and further details can be found in the 6.x-changelog.
Changelog
  • go.mod
    • Added github.com/go-chi/httplog/v3 at version v3.3.0.
    • Added github.com/neo4j/neo4j-go-driver/v6 at version v6.0.0.
Ignored Files
  • Ignored by pattern: go.sum (1)
    • go.sum
Activity
  • The pull request was automatically generated by Renovate Bot to update Go dependencies.
  • Automerge is currently disabled, requiring manual review and merging.
  • The bot is configured to rebase the PR if conflicts arise or upon explicit request.
  • This PR is 'immortal' and will be recreated if closed without being merged.

@github-actions github-actions bot removed the "tests: run" label (Label to trigger Github Action tests) on Feb 10, 2026
@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request, generated by Renovate, updates go-chi/httplog and neo4j-go-driver to new major versions. However, a critical security audit identified a high-severity Cypher Injection flaw in the existing code, allowing attackers to bypass dryRun protections and execute arbitrary write queries. This vulnerability persists because the neo4j-go-driver update is incomplete, leaving the application using the older, vulnerable v5 driver. The PR currently only adds the new dependencies to go.mod without updating the code to use them. Both updates introduce significant breaking changes that require code migration. The new dependencies are unused, and the existing code is incompatible. It is critical to complete the dependency migration to the new v6 driver, update the code to use the new versions, and then remove the old versions from go.mod (e.g., by running go mod tidy) to remediate the injection vulnerability and ensure functionality.

github.com/go-chi/chi/v5 v5.2.3
github.com/go-chi/cors v1.2.2
github.com/go-chi/httplog/v2 v2.1.1
github.com/go-chi/httplog/v3 v3.3.0
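Review bot: the new require "github.com/go-chi/httplog/v3 v3.3.0" has nothing importing it, because the PR touches only go.mod (go.sum aside), so go mod tidy will drop it again and the "github.com/go-chi/httplog/v2 v2.1.1" line directly above stays the one actually in use. Go treats /v2 and /v3 as separate modules, so the migration of internal/server/server.go to the v3 import path needs to land together with this bump, and the v2 require should be removed in that same tidy pass rather than leaving both majors in go.mod.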

critical

This adds httplog/v3, but the codebase still uses v2. v3 is a major rewrite based on Go's structured logging (slog) and introduces breaking changes. The current implementation in internal/server/server.go is incompatible.

For example, httplog.Options has changed significantly in v3. Fields like LogLevel, RequestHeaders, MessageFieldName, SourceFieldName, TimeFieldName, and LevelFieldName are no longer available. These have been replaced by slog-based configuration, primarily using the ReplaceAttr function in httplog.Options.

The code in internal/server/server.go needs to be migrated to use httplog/v3. You can likely adapt the replace function from internal/log/log.go to configure the JSON output format to match the previous one.
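The comment above points at slog's ReplaceAttr as the v3 replacement for the removed field-name options. The following is an added example, not code from this PR, from httplog, or from the project's internal/log/log.go: it shows that mapping on the standard library's slog.HandlerOptions.ReplaceAttr, which has the attr-rewriting shape the comment attributes to httplog.Options (that the httplog/v3 hook is identical is an assumption here). The GCP-style key names and severity spelling are an assumed target layout.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"io"
	"log/slog"
)

// replaceAttr is the slog-side replacement for httplog/v2's MessageFieldName,
// LevelFieldName, TimeFieldName and SourceFieldName: it renames slog's built-in
// keys to GCP structured-logging names (an assumed layout, not the project's).
func replaceAttr(groups []string, a slog.Attr) slog.Attr {
	if len(groups) > 0 {
		return a // only top-level built-in keys are renamed
	}
	switch a.Key {
	case slog.MessageKey:
		a.Key = "message"
	case slog.TimeKey:
		a.Key = "timestamp"
	case slog.SourceKey:
		a.Key = "logging.googleapis.com/sourceLocation"
	case slog.LevelKey:
		a.Key = "severity"
		// GCP spells WARN as WARNING; DEBUG/INFO/ERROR already match.
		if lvl, ok := a.Value.Any().(slog.Level); ok && lvl == slog.LevelWarn {
			a.Value = slog.StringValue("WARNING")
		}
	}
	return a
}

// newLogger replaces the old LogLevel option: JSON output filtered at minLevel,
// with source locations attached so the source key above is populated.
func newLogger(w io.Writer, minLevel slog.Level) *slog.Logger {
	opts := &slog.HandlerOptions{Level: minLevel, AddSource: true, ReplaceAttr: replaceAttr}
	return slog.New(slog.NewJSONHandler(w, opts))
}

// logRecord emits one record and returns it parsed, so the key layout can be checked.
func logRecord(level slog.Level, msg string, attrs ...any) (map[string]any, error) {
	var buf bytes.Buffer
	newLogger(&buf, slog.LevelDebug).Log(context.Background(), level, msg, attrs...)
	out := map[string]any{}
	err := json.Unmarshal(bytes.TrimSpace(buf.Bytes()), &out)
	return out, err
}
```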

github.com/microsoft/go-mssqldb v1.9.3
github.com/nakagami/firebirdsql v0.9.15
github.com/neo4j/neo4j-go-driver/v5 v5.28.4
github.com/neo4j/neo4j-go-driver/v6 v6.0.0
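Review bot: the require "github.com/neo4j/neo4j-go-driver/v6 v6.0.0" is dangling: with internal/sources/neo4j/neo4j.go still importing the /v5 path, nothing uses it, go mod tidy will remove it, and the "github.com/neo4j/neo4j-go-driver/v5 v5.28.4" line keeps shipping unchanged. The comment on this line reports that the dryRun path in RunQuery builds its statement by prefixing "EXPLAIN " to the caller's Cypher; a driver major bump alone does not change that behaviour, so the migration to the /v6 import path should be paired with enforcing read-only execution for dry runs at the transaction or routing level rather than relying on the EXPLAIN prefix, and the v5 require should be removed in the same change.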

security-high

This PR updates neo4j-go-driver to v6.0.0 in go.mod, but the code in internal/sources/neo4j/neo4j.go still uses v5. This is critical because the existing v5 driver code in internal/sources/neo4j/neo4j.go contains a High severity Cypher Injection vulnerability. Specifically, in the RunQuery function, the cypherStr parameter is concatenated with "EXPLAIN " when dryRun is true (line 123), enabling attackers to bypass dryRun and execute arbitrary write queries (e.g., ...; CREATE ...). Version 6 introduces breaking changes, such as changes to neo4j.ExecuteQuery and neo4j.EagerResult becoming a generic type, which will break the current implementation. To remediate this vulnerability and complete the update, the code must be migrated to import and use github.com/neo4j/neo4j-go-driver/v6/neo4j. After migration, v5 of the driver should be removed from the dependencies.


dpebot commented Feb 12, 2026

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the "tests: run" label (Label to trigger Github Action tests) on Feb 12, 2026
@github-actions github-actions bot removed the "tests: run" label (Label to trigger Github Action tests) on Feb 12, 2026