Bump the minor-and-patch group with 4 updates #206

Merged: wesm merged 2 commits into main from dependabot/go_modules/minor-and-patch-64714910f9 on Mar 18, 2026
@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps the minor-and-patch group with 4 updates: github.com/mattn/go-sqlite3, golang.org/x/mod, golang.org/x/term and golang.org/x/text.

Updates github.com/mattn/go-sqlite3 from 1.14.34 to 1.14.37

Commits
  • bb8d0b2 Bump Go test matrix versions from 1.23-1.25 to 1.24-1.26
  • bc7436e Bump GitHub Actions versions to latest
  • 0f12d4e Ensure Close always removes runtime finalizer to prevent memory leak
  • d71eda8 Fix upgrade.sh: add already-up-to-date check and fix changelog URL format
  • 4ea2a9f Upgrade SQLite to version 3051003
  • 8c99a68 Call sqlite3_clear_bindings() in bind() to reset parameters
  • 5a1f4d3 use unsafe.Slice
  • 8366a00 create pull-request
  • See full diff in compare view

Updates golang.org/x/mod from 0.33.0 to 0.34.0

Commits
  • 1ac721d go.mod: update golang.org/x dependencies
  • fb1fac8 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/term from 0.40.0 to 0.41.0

Commits
  • 9d2dc07 go.mod: update golang.org/x dependencies
  • d954e03 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/text from 0.34.0 to 0.35.0

Commits
  • 7ca2c6d go.mod: update golang.org/x dependencies
  • 73d1ba9 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-and-patch group with 4 updates: [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3), [golang.org/x/mod](https://github.com/golang/mod), [golang.org/x/term](https://github.com/golang/term) and [golang.org/x/text](https://github.com/golang/text).


Updates `github.com/mattn/go-sqlite3` from 1.14.34 to 1.14.37
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.34...v1.14.37)

Updates `golang.org/x/mod` from 0.33.0 to 0.34.0
- [Commits](golang/mod@v0.33.0...v0.34.0)

Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](golang/term@v0.40.0...v0.41.0)

Updates `golang.org/x/text` from 0.34.0 to 0.35.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/mod
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/text
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Mar 16, 2026
@dependabot dependabot bot requested a review from wesm as a code owner March 16, 2026 19:51
roborev-ci bot commented Mar 16, 2026

roborev: Combined Review (bc2fd3c)

The dependency updates introduce a medium-severity security vulnerability in a transitive dependency.

Medium

  • go.mod#L71
    The change bumps the indirect dependency golang.org/x/net from v0.49.0 to v0.50.0. The Go vulnerability database marks golang.org/x/net/http2 as vulnerable in >= v0.50.0, < v0.51.0 under GO-2026-4559 / CVE-2026-27141. In this range, malformed HTTP/2 frames can panic an affected server, leading to a potential remote DoS.
    *Suggested remediation:* Pin golang.org/x/net to v0.51.0 or newer, or revert to v0.49.0 until transitive dependencies can be updated safely. (Source: [GO-2026-4559](https://pkg.go.dev/vuln/GO-2026-4559))

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
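
Added example, not part of the PR thread or the project's code: a small Go triage check for the kind of finding in the review above, testing whether the version a go.mod requires falls inside an advisory's half-open range (here the `>= v0.50.0, < v0.51.0` range the review quotes for golang.org/x/net). The go.mod fragment is constructed, and `verKey`, `requiredVersion` and `check` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod fragment; the x/net line mirrors the version the review cites.
const sampleGoMod = `module example.com/app
require golang.org/x/text v0.35.0
require golang.org/x/net v0.50.0 // indirect
`

// verKey maps "v0.50.0" to a comparable int (components assumed < 1e6), or -1 if not plain vX.Y.Z.
func verKey(v string) int {
	var a, b, c int
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	if n != 3 || a < 0 || b < 0 || c < 0 || fmt.Sprintf("v%d.%d.%d", a, b, c) != v {
		return -1 // pre-release, pseudo-version or malformed input
	}
	return (a*1_000_000+b)*1_000_000 + c
}

// requiredVersion returns the version go.mod lists for module, or "" if absent.
func requiredVersion(goMod, module string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// check classifies module against the half-open range introduced <= v < fixed.
func check(goMod, module, introduced, fixed string) string {
	v, lo, hi := verKey(requiredVersion(goMod, module)), verKey(introduced), verKey(fixed)
	switch {
	case v < 0 || lo < 0 || hi < 0:
		return "unknown" // module absent or version unparseable: review by hand
	case lo <= v && v < hi:
		return "affected"
	}
	return "not affected"
}

func main() {
	fmt.Println(check(sampleGoMod, "golang.org/x/net", "v0.50.0", "v0.51.0"))
}
```

A match only says the required module version is in range; whether the affected http2 package is reachable from the build is a separate question, which govulncheck's call analysis addresses.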
roborev-ci bot commented Mar 18, 2026

roborev: Combined Review (d3034fc)

Summary Verdict: The PR updates Go dependencies and the Nix vendorHash, but introduces a high-severity build issue due to missing go.sum changes.

High

  • Location: go.mod
  • Problem: Dependencies were updated in go.mod, but the corresponding checksum updates in go.sum are missing from the diff. This will cause build failures during checksum verification.

  • Fix: Run go mod tidy and include the go.sum changes in the commit.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

wesm commented Mar 18, 2026

false positive

@wesm wesm merged commit bc9e377 into main Mar 18, 2026
4 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/minor-and-patch-64714910f9 branch March 18, 2026 18:44