chore(release): prepare 1.4.1

- Add changelog/1.4.1
- Update Helm chart CHANGELOG
- Update README.md version references
- Bump Go to 1.26.1
- Bump Alpine base image to 3.23
- Bump direct dependencies (minio-go, go-sdk, oauth2, google API)
- Improve cut-release workflow

Author: ca.mathieu

.agent/workflows/cut-release.md

@@ -49,45 +49,45 @@ Focus on `high` and `critical` severity — `moderate` and below can be noted bu
 
 If vulnerabilities are found, present them to the user and discuss whether to fix, bump, or acknowledge before proceeding.
 
+**Go version bump**: Always check the latest available Go patch version by looking up the [Go downloads page](https://go.dev/dl/) or probing `curl -sI https://go.dev/dl/go<version>.linux-amd64.tar.gz | head -1`. If a newer patch version exists than what `go.mod` currently specifies, propose bumping the `go.mod` Go directive. Include the `go.mod` change in the release commit and use the newer version in the changelog. This ensures the CI Docker image (`golang:1-bookworm`) builds with the latest patched Go version.
+
 **⏸️ Present the vulnerability scan results. Wait for user confirmation before proceeding.**
 
 ### 2. Check dependency freshness
 
 Run a dependency audit to identify available updates:
 
 ```bash
-go list -m -u all 2>&1 | grep '\[v'
+go list -mod=mod -m -u all 2>&1 | grep '\[v'
 ```
 
+> [!IMPORTANT]
+> The `-mod=mod` flag is required because Plik vendors its dependencies. Without it, `go list -u` silently fails in vendored projects.
+
 Categorize the output:
 - **Direct dependencies** — listed in `go.mod` with no `// indirect` comment
 - **Indirect dependencies** — transitive deps, lower priority
 
-This step is **informational only** — it is not a release blocker. If significant updates are available (especially security-related), discuss with the user whether to address them before the release.
-
-> [!TIP]
-> `govulncheck` (from step 1) already flags dependencies with known CVEs. This step complements it by showing all available updates regardless of vulnerability status.
+For each outdated **direct** dependency, check the release notes or changelog for breaking changes or notable behavior changes. Present a summary table of available updates (module, current version, available version, any breaking changes noted) and let the user decide which to bump. After bumping, run `go mod tidy && go mod vendor` and verify the build compiles.
 
 **⏸️ Present the dependency audit summary. Wait for user confirmation before proceeding.**
 
 ### 3. Check build pipeline versions
 
-Before starting the release, check if newer versions are available for the base images in the `Dockerfile`:
+Before starting the release, actively check for newer versions of all base images in the `Dockerfile` and propose updates:
 
-| Image | Current | Check |
-|-------|---------|-------|
-| `node:<major>-alpine` | `node:24-alpine` | [Node.js releases](https://nodejs.org/en/about/previous-releases) — check for new LTS major |
-| `golang:1-bookworm` | Resolves to latest Go 1.x | Run `docker run --rm golang:1-bookworm go version` to see the current Go version |
-| `alpine:<version>` | `alpine:3.21` | [Alpine releases](https://alpinelinux.org/releases/) — check for new stable |
+| Image | How to check |
+|-------|-------------|
+| `node:<major>-alpine` | Search for the current Node.js LTS schedule. If a newer LTS major exists, propose updating the Dockerfile. |
+| `golang:1-bookworm` | The Go version was already checked in Step 1. Ensure `go.mod` is bumped to the latest patch. |
+| `alpine:<version>` | Search for the latest Alpine stable release. If a newer minor/patch exists, propose updating the Dockerfile. |
 
-Also check:
-- `go.mod` Go directive — does it match the Go version from the image?
-- Locally installed Go: `go version`
+**All three must be checked every release.** If any updates are available, propose the Dockerfile changes and include them in the release commit. Do not treat this step as informational — outdated base images should be bumped.
 
-If any updates are available, propose a Dockerfile update and include it in the release commit.
+Also verify that the `go.mod` Go directive matches the version that `golang:1-bookworm` will resolve to in CI.
 
 > [!TIP]
-> The Go version from this step is needed for the changelog ("Binaries will be built with Go X.Y.Z").
+> The Go version from Step 1 is needed for the changelog ("Binaries will be built with Go X.Y.Z").
 
 **⏸️ Present findings to the user. Wait for confirmation before proceeding.**
 

Dockerfile

@@ -70,7 +70,7 @@ FROM scratch AS plik-release-archive
 COPY --from=plik-builder --chown=1000:1000 /go/src/github.com/root-gg/plik/plik-server-*.tar.gz /
 
 ##################################################################################
-FROM alpine:3.21 AS plik-image
+FROM alpine:3.23 AS plik-image
 
 RUN apk add --no-cache ca-certificates
 

Makefile

@@ -79,8 +79,8 @@ lint:
 	if [[ -z "$$OUT" ]]; then echo " OK" ; else echo " FAIL"; echo "$$OUT"; FAIL=1 ; fi ;\
 	echo -n " - go vet :" ; OUT=`go vet ./... 2>&1` ; \
 	if [[ -z "$$OUT" ]]; then echo " OK" ; else echo " FAIL"; echo "$$OUT"; FAIL=1 ; fi ;\
-	echo -n " - go fix :" ; OUT=`go fix ./... 2>&1` ; \
-	if [[ -z "$$OUT" ]]; then echo " OK" ; else echo " FAIL"; echo "$$OUT"; FAIL=1 ; fi ;\
+	echo -n " - go fix :" ; BEFORE=`git diff --name-only` ; go fix ./... 2>&1 ; AFTER=`git diff --name-only` ; \
+	if [[ "$$BEFORE" == "$$AFTER" ]]; then echo " OK" ; else echo " FAIL"; diff <(echo "$$BEFORE") <(echo "$$AFTER") | grep '^>' | sed 's/^> /  /'; FAIL=1 ; fi ;\
 	test $$FAIL -eq 0
 
 ###

README.md

@@ -44,9 +44,9 @@ Plik is a scalable & friendly temporary file upload system — like WeTransfer,
 docker run -p 8080:8080 rootgg/plik
 
 # From release
-wget https://github.com/root-gg/plik/releases/download/1.4.0/plik-server-1.4.0-linux-amd64.tar.gz
-tar xzvf plik-server-1.4.0-linux-amd64.tar.gz
-cd plik-server-1.4.0-linux-amd64/server && ./plikd
+wget https://github.com/root-gg/plik/releases/download/1.4.1/plik-server-1.4.1-linux-amd64.tar.gz
+tar xzvf plik-server-1.4.1-linux-amd64.tar.gz
+cd plik-server-1.4.1-linux-amd64/server && ./plikd
 
 # Debian / Ubuntu
 curl -fsSL https://root-gg.github.io/plik/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/plik.gpg

changelog/1.4.1

@@ -0,0 +1,36 @@
+Plik 1.4.1
+
+Hi, today we're releasing Plik 1.4.1 !
+
+Here is the changelog :
+
+New :
+ - Inline video and audio playback in file viewer (@bodji)
+ - URL deep-linking for file viewer and media timestamps (@bodji)
+ - Runtime settings and webapp customization (branding, themes, custom footer)
+ - 10 built-in themes with dark/light/auto mode and user preference persistence
+ - Improvemets in Home and Admin view (error handling, filtering, bulk token uploads deletion,...)
+ - Show removed/deleted files in download view and Home/Admin views
+ - Configurable streaming timeout, cancellation, and retry
+
+Fix :
+ - Reject E2EE uploads with empty passphrase
+ - Fix file deletion on versioned S3 buckets (#673)
+ - Restore backward compat when only DownloadDomain is set (#676)
+ - Improve mimetype detection with gabriel-vasile/mimetype (#678)
+ - Prevent text editor auto-detection from overwriting user-edited filename (#677)
+ - Close file viewer when viewed file is deleted (#675)
+ - Unify error display with reusable components (#679)
+
+Misc :
+ - Bump Alpine base image to 3.23
+ - Bump Go to 1.26.1 (fixes 5 stdlib vulnerabilities)
+ - Bump minio-go to v7.0.99
+ - Bump MCP go-sdk to v1.4.0
+ - Bump golang.org/x/oauth2 to v0.36.0
+ - Bump google.golang.org/api to v0.269.0
+
+Binaries will be built with Go 1.26.1
+
+Faithfully,
+The Plik team

charts/plik/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.1]
+
+### Changed
+- New `StreamTimeoutStr` server config option (configurable streaming download timeout)
+- `DownloadDomain` behavior fix: UI/API restriction only applies when `PlikDomain` is also set
+- `settings.json` footer support (custom HTML footer takes precedence over `AbuseContact`)
+
 ## [1.4.0]
 
 ### Added

go.mod

@@ -1,6 +1,6 @@
 module github.com/root-gg/plik
 
-go 1.26.0
+go 1.26.1
 
 require (
 	cloud.google.com/go/storage v1.60.0
@@ -18,9 +18,9 @@ require (
 	github.com/iancoleman/strcase v0.3.0
 	github.com/jinzhu/copier v0.4.0
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
-	github.com/minio/minio-go/v7 v7.0.98
+	github.com/minio/minio-go/v7 v7.0.99
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/modelcontextprotocol/go-sdk v1.3.1
+	github.com/modelcontextprotocol/go-sdk v1.4.0
 	github.com/ncw/swift v1.0.53
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
 	github.com/pilagod/gorm-cursor-paginator/v2 v2.7.0
@@ -32,8 +32,8 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/xhit/go-str2duration/v2 v2.1.0
 	golang.org/x/crypto v0.48.0
-	golang.org/x/oauth2 v0.35.0
-	google.golang.org/api v0.267.0
+	golang.org/x/oauth2 v0.36.0
+	google.golang.org/api v0.269.0
 	gorm.io/driver/mysql v1.6.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlite v1.6.0
@@ -44,7 +44,7 @@ require (
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
@@ -70,7 +70,7 @@ require (
 	github.com/google/jsonschema-go v0.4.2 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -111,14 +111,14 @@ require (
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/net v0.50.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
 	google.golang.org/grpc v1.79.1 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect

go.sum

@@ -19,8 +19,8 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
-cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
+cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
+cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
@@ -232,8 +232,8 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.12 h1:Fg+zsqzYEs1ZnvmcztTYxhgCBsx3eEhEwQ1W/lHq/sQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.12/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
@@ -364,12 +364,12 @@ github.com/minio/crc64nvme v1.1.1 h1:8dwx/Pz49suywbO+auHCBpCtlW1OfpcLN7wYgVR6wAI
 github.com/minio/crc64nvme v1.1.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.98 h1:MeAVKjLVz+XJ28zFcuYyImNSAh8Mq725uNW4beRisi0=
-github.com/minio/minio-go/v7 v7.0.98/go.mod h1:cY0Y+W7yozf0mdIclrttzo1Iiu7mEf9y7nk2uXqMOvM=
+github.com/minio/minio-go/v7 v7.0.99 h1:2vH/byrwUkIpFQFOilvTfaUpvAX3fEFhEzO+DR3DlCE=
+github.com/minio/minio-go/v7 v7.0.99/go.mod h1:EtGNKtlX20iL2yaYnxEigaIvj0G0GwSDnifnG8ClIdw=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/modelcontextprotocol/go-sdk v1.3.1 h1:TfqtNKOIWN4Z1oqmPAiWDC2Jq7K9OdJaooe0teoXASI=
-github.com/modelcontextprotocol/go-sdk v1.3.1/go.mod h1:DgVX498dMD8UJlseK1S5i1T4tFz2fkBk4xogC3D15nw=
+github.com/modelcontextprotocol/go-sdk v1.4.0 h1:u0kr8lbJc1oBcawK7Df+/ajNMpIDFE41OEPxdeTLOn8=
+github.com/modelcontextprotocol/go-sdk v1.4.0/go.mod h1:Nxc2n+n/GdCebUaqCOhTetptS17SXXNu9IfNTaLDi1E=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
@@ -619,8 +619,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -630,8 +630,8 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -795,8 +795,8 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
-google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=
+google.golang.org/api v0.269.0 h1:qDrTOxKUQ/P0MveH6a7vZ+DNHxJQjtGm/uvdbdGXCQg=
+google.golang.org/api v0.269.0/go.mod h1:N8Wpcu23Tlccl0zSHEkcAZQKDLdquxK+l9r2LkwAauE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -837,8 +837,8 @@ google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH8
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
 google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
 google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

server/handlers/get_archive_test.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"strings"
 
 	"testing"
 
@@ -119,18 +120,18 @@ func TestGetArchiveFileNameTooLong(t *testing.T) {
 	upload := &common.Upload{}
 	ctx.SetUpload(upload)
 
-	archiveName := ""
+	var archiveName strings.Builder
 	for range 10240 {
-		archiveName += "x"
+		archiveName.WriteString("x")
 	}
-	archiveName += ".zip"
+	archiveName.WriteString(".zip")
 
-	req, err := http.NewRequest("GET", "/archive/"+upload.ID+"/"+archiveName, bytes.NewBuffer([]byte{}))
+	req, err := http.NewRequest("GET", "/archive/"+upload.ID+"/"+archiveName.String(), bytes.NewBuffer([]byte{}))
 	require.NoError(t, err, "unable to create new request")
 
 	// Fake gorilla/mux vars
 	vars := map[string]string{
-		"filename": archiveName,
+		"filename": archiveName.String(),
 	}
 	req = mux.SetURLVars(req, vars)