@renovate renovate bot commented Jan 24, 2025

This PR contains the following updates:

Package Update Change
air-verse/air minor 1.61.5 -> 1.63.4
authzed/zed minor 0.23.0 -> 0.33.1
bufbuild/buf minor 1.48.0 -> 1.61.0
dapr/cli minor 1.14.1 -> 1.16.5
dapr/dapr minor 1.14.4 -> 1.16.3
dart (source) minor 3.6.0 -> 3.10.3
fullstorydev/grpcurl patch 1.9.2 -> 1.9.3
golang minor 1.23 -> 1.25
golang-migrate/migrate minor 4.18.1 -> 4.19.1
golangci/golangci-lint minor 1.63.4 -> 1.64.8
mvdan/gofumpt minor 0.7.0 -> 0.9.2
sqlc-dev/sqlc minor 1.27.0 -> 1.30.0
superfly/flyctl patch 0.3.57 -> 0.3.227

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

air-verse/air (air-verse/air)

v1.63.4

Compare Source

What's Changed

Full Changelog: air-verse/air@v1.63.3...v1.63.4

v1.63.3

Compare Source

What's Changed

New Contributors

Full Changelog: air-verse/air@v1.63.2...v1.63.3

v1.63.1

Compare Source

What's Changed

New Contributors

Full Changelog: air-verse/air@v1.63.0...v1.63.1

v1.63.0

Compare Source

What's Changed

Full Changelog: air-verse/air@v1.62.0...v1.63.0

v1.62.0

Compare Source

What's Changed

New Contributors

Full Changelog: air-verse/air@v1.61.7...v1.62.0

v1.61.7

Compare Source

What's Changed

New Contributors

Full Changelog: air-verse/air@v1.61.5...v1.61.7

v1.61.6

Compare Source

Changelog

  • ce50989 Add exiter to test os.Exit case

authzed/zed (authzed/zed)

v0.33.1

Compare Source

Highlights

  • Fixed a bug where errors during backup creation would be swallowed instead of displayed
  • Improved error output around PermissionDenied errors
  • You can now write a schema using stdin

What's Changed

New Contributors

Full Changelog: authzed/zed@v0.33.0...v0.33.1

v0.33.0

Compare Source

What's Changed

Full Changelog: authzed/zed@v0.32.0...v0.33.0

v0.32.0

Compare Source

What's Changed

New Contributors

Full Changelog: authzed/zed@v0.31.1...v0.32.0

v0.31.1

Compare Source

Highlights

Fixed a bug where a retryable error during backup creation would cause the client to restart the stream from the beginning, which was unhelpful.

What's Changed

Full Changelog: authzed/zed@v0.31.0...v0.31.1

v0.31.0

Compare Source

Notables

  • Better warning/error output for validation
  • Add --fail-on-warn flag for zed validate so that you can have stricter linting if desired

What's Changed

New Contributors

Full Changelog: authzed/zed@v0.30.2...v0.31.0

v0.30.2

Compare Source

What's Changed

Full Changelog: authzed/zed@v0.30.1...v0.30.2

v0.30.1

Compare Source

What's Changed

Full Changelog: authzed/zed@v0.30.0...v0.30.1

v0.30.0

Compare Source

What's Changed

Full Changelog: authzed/zed@v0.29.0...v0.30.0

v0.29.0

Compare Source

What's Changed

Full Changelog: authzed/zed@v0.28.0...v0.29.0

v0.28.0

Compare Source

Highlights

  • Added resumable backup support to zed backup
  • Added cursor support to zed permission lookup-resources
  • Added socks5 proxy support

What's Changed

New Contributors

Full Changelog: authzed/zed@v0.27.0...v0.28.0

v0.27.0

Compare Source

What's New

Composable schema support! See documentation here: https://authzed.com/docs/spicedb/modeling/composable-schemas

What's Changed

Full Changelog: authzed/zed@v0.26.0...v0.27.0

v0.26.0

Compare Source

What's New

You can now add an expiration to a relationship written by zed with the --expiration flag:

      --expiration-time string   the expiration time for the relationship in RFC 3339 format

In practice:

zed relationship touch resource:1 reader user:1 --expiration-time 2025-12-09T16:09:53+00:00

What's Changed

Full Changelog: authzed/zed@v0.25.0...v0.26.0

v0.25.0

Compare Source

New in this release

  • You can now add --explain to a bulk check call and get the same kind of debug output that you get on a normal check call
  • You can now have a schemaFile key in your validation yaml files that references an external schema by path. This allows for a schema file to be kept separate from the validation file without having to manually concatenate.
  • You can now run zed validate with multiple files as arguments. Together with the previous change, this should mean that you can have a folder full of independent validation files that describe separate test cases and all reference the same schema.

What's Changed

Full Changelog: authzed/zed@v0.24.0...v0.25.0

v0.24.0

Compare Source

What's Changed

New Contributors

Full Changelog: authzed/zed@v0.23.0...v0.24.0

bufbuild/buf (bufbuild/buf)

v1.61.0

Compare Source

  • Disable format on unknown or invalid syntax.
  • Fix regression in LSP functionality for well-known types.
  • Fix browser open for buf registry login in WSL2.
  • Fix panic in LSP for EOF lookups.
  • Fix --create flag for buf push to avoid errors on already existing modules if create is disallowed.

v1.60.0

Compare Source

  • Fix LSP published diagnostics to filter to the opened file.
  • Add textDocument/documentSymbol support for buf lsp serve.
  • Fix LSP navigation for cached modules which could cause import paths to become unresolvable.
  • Update default value of --timeout flag to 0, which results in no timeout by default.

v1.59.0

Compare Source

  • Promote buf beta lsp to buf lsp serve. Command buf beta lsp is now deprecated.
  • Add textDocument/References support for buf lsp serve.
  • Add autocompletion for basic keywords, syntax, package and imports for buf lsp serve.
  • Add workspace symbol queries for buf lsp serve.
  • Fix positional encoding for diagnostics in buf lsp serve.
  • Fix format updates for buf lsp serve.
  • Fix syntax highlighting on semantic tokens for buf lsp serve.
  • Fix buf format to remove extraneous whitespace before the first header node (syntax/package
    declarations).

v1.58.0

Compare Source

  • Update PROTOVALIDATE lint rule to check IGNORE_IF_ZERO_VALUE on fields that track presence.
  • Fix buf format on fields with missing field number tags.
  • Optimize include and exclude path handling for workspaces to avoid unnecessary file system
    operations. This change can result in a performance improvement for large workspaces.
  • Fix buf curl for HTTP/2 services with --http2-prior-knowledge flag set.

v1.57.2

Compare Source

  • Fix buf curl for HTTP/2 services.

v1.57.1

Compare Source

  • Minor bug fixes and dependency upgrades.

v1.57.0

Compare Source

  • Update exclude types to remove unused options reducing the size of generated code.
  • Add gitlab-code-quality error format to print errors in the GitLab Code Quality format
    for buf lint and buf breaking.
  • Add source_control_url to json outputs for buf registry {module, plugin} commit commands.

v1.56.0

Compare Source

  • Add buf export --all flag to include non-proto source files.
  • Add s390x binaries for Linux to releases.
  • Fix ppc64le binaries for Linux released as x86_64 binaries.
  • buf lint will no longer warn about uses of (buf.validate.message).disabled, as it was
    removed in protovalidate v0.14.0. Please update to protovalidate v0.14.0 or higher, using the
    steps outlined in the
    protovalidate release notes.
  • Fix buf breaking --against-registry to work with new modules that have no commits on the
    default branch.

v1.55.1

Compare Source

  • Fix language version for pre-commit hooks.

v1.55.0

Compare Source

  • Promote buf beta stats to buf stats.
  • Update built-in Well-Known Types to Protobuf v31.1.
  • Add buf registry sdk info command.
  • Allow workspaces that are adding new module(s) with no module-specific breaking configurations
    to run buf breaking, ignoring new module(s).

v1.54.0

Compare Source

  • Add CSR category to breaking rules.
  • Add support for local bufplugins for protoc-gen-buf-breaking and protoc-gen-buf-lint.
  • Add RISC-V (64-bit) binaries for Linux to releases.
  • Fix type filtering on buf generate for empty files, files with no declared types.
  • Fix CEL check on buf lint for predefined rules variables.
  • Fix buf config migrate to filter out removed rules.
  • Allow users to set examples without constraints in PROTOVALIDATE lint rule.
  • Add ppc64le binaries for Linux to releases.

v1.53.0

Compare Source

  • Fix buf breaking annotations for JSON format.

v1.52.1

Compare Source

  • Fix language version for pre-commit hooks.

v1.52.0

Compare Source

  • Fix exclude_type on a non imported package.
  • Fix --exclude-type flag for buf generate when an input is specified.
  • Fix type filter import filtering for options.
  • Add OS environment when invoking local buf plugins.
  • Add file path to buf lint and buf breaking output even when source code info is not
    available. This allows buf lint and buf breaking to respect ignore and ignore_only
    configurations when source code info is not available.

v1.51.0

Compare Source

  • Fix buf convert to allow for zero length for binpb, txtpb, and yaml formats.
  • Fix use of deprecated flag --include-types for buf generate.
  • Add --against-registry flag to buf breaking that runs breaking checks against the latest
    commit on the default branch of the corresponding module in the registry.
  • Fix type filter with unused image dependencies for buf generate.
  • Improve type filtering for buf generate. Adds the ability to exclude types with the parameter
    exclude_types in buf.gen.yaml and a flag --exclude-types in the CLI.
    Type filters may now also be specified as plugin parameters in buf.gen.yaml.

v1.50.1

Compare Source

  • Minor fixes and dependency updates.

v1.50.0

Compare Source

  • Add input parameter filter for use with git inputs. This sets the filter
    flag argument for the git fetch command.

v1.49.0

Compare Source

  • Fix buf plugin push --label to allow pushing a plugin with a label.
  • Add --digest-changes-only flag to buf registry {module,plugin} commit list to filter
    out commits that have no digest changes.
  • Fix buf plugin push --source-control-url to allow pushing a plugin with the source
    control url.

dapr/cli (dapr/cli)

v1.16.5: Dapr CLI v1.16.5

Compare Source

v1.16.4: Dapr CLI v1.16.4

Compare Source

What's Changed

Full Changelog: dapr/cli@v1.16.3...v1.16.4

v1.16.3: Dapr CLI v1.16.3

Compare Source

What's Changed

Full Changelog: dapr/cli@v1.16.2...v1.16.3

v1.16.2: Dapr CLI v1.16.2

Compare Source

What's Changed

Full Changelog: dapr/cli@v1.16.1...v1.16.2

v1.16.1: Dapr CLI v1.16.1

Compare Source

What's Changed

Full Changelog: dapr/cli@v1.16.0...v1.16.1

v1.16.0: Dapr CLI v1.16.0

Compare Source

v1.15.2: Dapr CLI v1.15.2

Compare Source

What's Changed

Full Changelog: dapr/cli@v1.15.1...v1.15.2

v1.15.1: Dapr CLI v1.15.1

Compare Source

v1.15.0: Dapr CLI v1.15.0

Compare Source

dapr/dapr (dapr/dapr)

v1.16.3: Dapr Runtime v1.16.3

Compare Source

Dapr 1.16.3

This update includes bug fixes:

Sftp binding not handling reconnections
Problem

The SFTP binding, introduced in v1.15.0, did not correctly handle reconnections.
If the SFTP connection was closed externally (outside the Dapr sidecar), the sidecar would not attempt to reconnect.

Impact

In scenarios where the SFTP server or network closed the connection, the Dapr sidecar lost connectivity permanently and required a restart to restore SFTP communication.

Root Cause

The SFTP binding maintained a single long-lived connection and did not attempt to recreate it when operations failed due to network or server-side disconnects.
Once the underlying SFTP/SSH session was closed, subsequent binding operations continued to use the stale connection instead of establishing a new one, leaving the binding in a permanently broken state until the sidecar was restarted.

Solution

A new reconnection mechanism was added to the SFTP binding (PR).
When an SFTP action fails due to a connection issue, the binding now attempts to reconnect to the server and restore connectivity automatically, avoiding the need to restart the sidecar.

v1.16.2: Dapr Runtime v1.16.2

Compare Source

Dapr 1.16.2

This update includes bug fixes:

HTTP API default CORS behavior
Problem

In the 1.16.0 release a change was introduced that changed the default behavior of CORS in the Dapr HTTP API. Now by default CORS headers were added to all HTTP responses. However this new behavior couldn't be disabled.

Impact

This caused problems in scenarios where CORS is handled outside of the Dapr sidecar, because the Dapr Sidecar always added CORS headers.

Solution

Revert part of the behavior introduced in this PR and change the default value of allowed-origins flag to be an empty string, and disabling the CORS filter by default.

Scheduler External etcd with multiple client endpoints
Problem

Using Scheduler in non-embed mode with multiple etcd client endpoints was not working.

Impact

It was not possible to use multiple etcd endpoints for high availability with an external etcd database for scheduler.

Root Cause

The Scheduler etcd client endpoints CLI flag was typed as a string array, rather than a string slice, causing the given value to be parsed as a single string rather than a slice of strings.

Solution

Changed the type of the etcd client endpoints CLI flag to be a string slice.

Placement not cleaning internal state after host that had actors disconnects
Problem

An actor host that had actors doesn't get properly cleaned up from placement after the sidecar is scaled down and the placement stream is closed.

Impact

This results in the placement server iterating over namespaces that no longer exist for every tick of the disseminate ticker.

Root Cause

The function requiresUpdateInPlacementTables should not set isActorHost to false once it is set to true, because once a host has actors the placement server keeps internal state for it and cleanup logic must be executed once the host disconnects.

Solution

Update the logic in requiresUpdateInPlacementTables.

Blocked Placement dissemination during high churn
Problem

Placement would fail to ever, or very slowly, disseminate the actor table in high daprd churn scenarios.

Impact

Actors or workflows would fail to be activated, and existing actors or workflows would fail.

Root Cause

Placement used a "small" (100) queue size which when exhausted would cause a deadlock. Placement would also wait for a fully consumed channel queue before disseminating slowing down the dissemination process.

Solution

Increase the queue size to 10000 and change the dissemination logic to not wait for a fully consumed queue before disseminating.

Blocked Placement dissemination with high Scheduler dataset
Problem

Disseminations would hang for long periods of time when the Scheduler dataset was large.

Impact

Dissemination could take up to hours to complete, causing reminders to not be delivered for a long period of time.

Root Cause

The reminder migration of state store to scheduler reminders does a full decoded scan of the Scheduler database, which would take a long time if there were many entries. During this time the dissemination would be blocked.

Solution

Limit the maximum time spent doing the migration to 3 seconds.
Expose a new global.reminders.skipMigration="true" helm chart value which will skip the migration entirely.

Fix panic during actor deactivation
Problem

Daprd could panic during actor deactivation.

Impact

Daprd sidecar would crash, resulting in downtime for the application.

Root Cause

A race in the actor lock cached memory release and claiming logic meant a stale lock could be used during deactivation, double closing it, and causing a panic.

Solution

Tie the lock's lifecycle to the actor's lifecycle, ensuring the lock is only released when the actor is fully deactivated, and claimed with the actor itself.

OpenTelemetry environment variables support
Problem

OpenTelemetry OTEL_* environment variables were not fully respected, and dapr.io/env annotation parsing broke when values contained =.

Impact

OpenTelemetry resource attributes could not be reliably applied to the Dapr sidecar, degrading trace correlation with application containers, especially on Kubernetes. Configuring OTEL_RESOURCE_ATTRIBUTES via annotations did not work.

Root Cause

  • Resource creation used manual logic instead of the OpenTelemetry SDK’s environment-based resource detection.
  • The injector’s environment variable parsing treated = as a hard delimiter, breaking values that include =.

Solution

  • Adopt the OpenTelemetry SDK’s env-based resource detection so OTEL_* variables (including OTEL_RESOURCE_ATTRIBUTES) are honored.
  • Fix dapr.io/env parsing to allow values containing =.
  • Keep the Dapr app ID as the default service name when not overridden.

Fixing goavro bug due to codec state mutation
Problem

The goavro library had a bug where the codec state was mutated during decoding, causing the decoder to panic.

Impact

The goavro library would panic, causing the application to crash.

Root Cause

The goavro library did not correctly handle the codec state, causing it to panic when the codec state was mutated during decoding.

Solution

Update the goavro library to v2.14.1 to fix the bug. Take a more defensive approach, bringing back the old approach that always creates a new codec.

APP_API_TOKEN not passed in gRPC metadata for app callbacks
Problem

When APP_API_TOKEN was configured, the token was not being passed in gRPC metadata for app callbacks including:

  • PubSub subscriptions
  • Bindings
  • Jobs

This meant that applications using gRPC protocol could not authenticate incoming requests from Dapr when using the app API token security feature.

Impact

Applications that configured APP_API_TOKEN to secure their endpoints could not validate that incoming gRPC requests were from their Dapr sidecar. This broke the app API token authentication feature for gRPC applications.

Root Cause

The gRPC subscription delivery, binding, and job callback code paths were directly calling the app's gRPC client without going through the channel layer abstraction. The channel layer is responsible for injecting the APP_API_TOKEN in the dapr-api-token metadata header, but these direct calls bypassed this mechanism.

Solution

Centralized the APP_API_TOKEN injection logic in a helper function (AddAppTokenToContext) in the gRPC channel layer. Updated all gRPC app callback code paths (pubsub subscriptions, bindings, and job callbacks) to use this helper, ensuring the token is consistently added to the outgoing gRPC context metadata. Added comprehensive integration tests to verify token passing for all callback scenarios in both HTTP and gRPC protocols.

Fixed Pulsar OAuth token renewal
Problem

The pulsar pubsub component was not renewing the OAuth token when it expired.

Impact

Applications using the pulsar pubsub component could not receive/publish messages when the OAuth token expired.

Root Cause

There was a bug in the component code that was preventing the OAuth token from being renewed when it expired.

Solution

Fixed the bug in the component code ensuring the OAuth token is renewed when it expires. Also added a test to verify the token renewal functionality. Fixed in dapr/components-contrib#4079

Fix Scheduler connection during non-graceful network interruptions
Problem

Catastrophic failure of scheduler connection during non-graceful network interruptions would not cause the dapr runtime to attempt to reconnect to Scheduler.

Impact

A true host network interruption (e.g. unplugging the network cable) would cause the dapr runtime to only recover connections to Scheduler after roughly 2 hours.

Root Cause

The gRPC KeepAlive parameters were not set correctly, causing the gRPC client to not detect broken connections in a timely manner.

Solution

The server and client KeepAlive parameters are now set to 3 second intervals with a 5 second timeout.

Prevent infinite loop when workflow state is corrupted or destroyed
Problem

Dapr workflows could enter an infinite reminder loop when the workflow state in the actor state store is corrupted or destroyed.

Impact

Dapr workflows would enter an infinite loop of reminder calls.

Root Cause

When a workflow reminder is triggered, the workflow state is loaded from the actor state store. If the state is corrupted or destroyed, the workflow would not be able to progress and would keep re-triggering the same reminder indefinitely.

Solution

Do not retry the reminder if the workflow state cannot be loaded, and instead log an error and exit the workflow execution.

v1.16.1: Dapr Runtime v1.16.1

Compare Source

Dapr 1.16.1

This update includes bug fixes:

Actor Initialization Timing Fix
Problem

When running Dapr with an --app-port specified but no application listening on that port (either due to no server or delayed server startup), the actor runtime would initialize immediately before the app channel was ready. This created a race condition where actors were trying to communicate with an application that wasn't available yet, resulting in repeated error logs:

WARN[0064] Error processing operation DaprBuiltInActorNotFoundRetries. Retrying in 1s…
DEBU[0064] Error for operation DaprBuiltInActorNotFoundRetries was: failed to lookup actor: api error: code = FailedPrecondition desc = did not find address for actor

Impact

This created a poor user experience with confusing error messages when users specified an --app-port but had no application listening on that port.

Root cause

The actor runtime initialization was occurring before the application channel was ready, creating a race condition where actors attempted to communicate with an unavailable application.

Solution

Defer actor runtime initialization until the application channel is ready. The runtime now:

  1. Defers actor runtime initialization until the application is listening on the specified port
  2. Provides informative waiting for application to listen on port XXXX messages instead of confusing error logs
  3. Prevents actor lookup errors during startup

Sidecar Injector Crash with Disabled Scheduler
Problem

The sidecar injector crashes with error (dapr-scheduler-server StatefulSet not found) when the scheduler is disabled via Helm chart (global.scheduler.enabled: false).

Impact

The crash prevents the sidecar injector from functioning correctly when the scheduler is disabled, disrupting deployments.

Root cause

A previous change caused the dapr-scheduler-server StatefulSet to be removed when the scheduler was disabled, inst


Configuration

📅 Schedule: Branch creation - Between 06:00 PM and 09:59 PM, only on Friday ( * 18-21 * * 5 ) in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
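
The app-side check behind the "APP_API_TOKEN not passed in gRPC metadata for app callbacks" note in the Dapr v1.16.2 release notes above, as an added example that is not part of this PR or of Dapr's code: a fail-closed verifier for the dapr-api-token metadata key, which shows why callbacks that arrive without the key are rejected by an app that enforces the token. The function and error names and the token values are assumptions made for illustration, and the metadata is modelled as a plain map[string][]string with lowercase keys (the shape of gRPC metadata) so the block needs only the standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// tokenHeader is the metadata key the release note names for APP_API_TOKEN.
const tokenHeader = "dapr-api-token"

// Hypothetical error values for this example.
var (
	errNotConfigured = errors.New("no expected token configured; refusing all callbacks")
	errMissing       = errors.New("callback has no dapr-api-token metadata")
	errAmbiguous     = errors.New("callback has more than one dapr-api-token value")
	errMismatch      = errors.New("dapr-api-token does not match")
)

// verifyCallbackToken decides whether an incoming callback may be processed.
// It fails closed: an unset expected token, a missing key, or a repeated key
// are all rejections, never a silent pass.
func verifyCallbackToken(md map[string][]string, expected string) error {
	if expected == "" {
		return errNotConfigured
	}
	vals := md[tokenHeader]
	switch len(vals) {
	case 0:
		return errMissing
	case 1:
		// exactly one value: compare it below
	default:
		return errAmbiguous
	}
	// Hash both sides so the constant-time comparison always runs over
	// equal-length inputs and does not reveal the expected token's length.
	got := sha256.Sum256([]byte(vals[0]))
	want := sha256.Sum256([]byte(expected))
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return errMismatch
	}
	return nil
}

type callback struct {
	name string
	md   map[string][]string
}

// sampleCallbacks returns constructed metadata sets, not captured traffic.
func sampleCallbacks(token string) []callback {
	return []callback{
		{"pubsub delivery, no token (behaviour the note describes)", map[string][]string{
			"content-type": {"application/grpc"},
		}},
		{"binding callback with token", map[string][]string{
			tokenHeader: {token},
		}},
		{"job callback with a different token", map[string][]string{
			tokenHeader: {"constructed-other-value"},
		}},
		{"callback with the key repeated", map[string][]string{
			tokenHeader: {token, token},
		}},
	}
}

func main() {
	const expected = "constructed-example-token" // stands in for APP_API_TOKEN
	for _, cb := range sampleCallbacks(expected) {
		fmt.Printf("%-58s -> %v\n", cb.name, verifyCallbackToken(cb.md, expected))
	}
}
```

In a real service the same function would be called from a gRPC server interceptor with the metadata taken from the request context.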

@renovate renovate bot added the deps label Jan 24, 2025
@renovate renovate bot requested a review from a team as a code owner January 24, 2025 17:08
@renovate renovate bot requested review from FoseFx and PaulKalho and removed request for a team January 24, 2025 17:08
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 7 times, most recently from 468087e to ff76b76 Compare February 3, 2025 20:58
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 4 times, most recently from 801dc04 to 43409ce Compare February 10, 2025 20:22
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 8 times, most recently from c4ebd61 to 41c6618 Compare February 17, 2025 19:31
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 4 times, most recently from fcc4d64 to e976775 Compare February 26, 2025 18:01
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 2 times, most recently from e121447 to 493d6c9 Compare February 27, 2025 21:36
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 6 times, most recently from a6fac8e to b60b773 Compare October 1, 2025 21:54
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 6 times, most recently from c777170 to 4e4ba11 Compare October 9, 2025 18:15
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 2 times, most recently from 572ba74 to 4340e98 Compare October 14, 2025 23:02
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 4 times, most recently from 8a7a0e7 to a5ae81d Compare October 28, 2025 22:56
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 7 times, most recently from 035bb56 to c568ca9 Compare November 26, 2025 19:30
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch 3 times, most recently from 1a33015 to ff2c4c7 Compare November 29, 2025 21:40
@renovate renovate bot force-pushed the renovate/all-non-major-regex-dependencies branch from ff2c4c7 to 6f27495 Compare December 2, 2025 12:29