fix(deps): bump the external group across 1 directory with 26 updates

[dependabot]

Bumps the external group with 18 updates in the /service directory:

Package	From	To
buf.build/go/protovalidate	1.0.0	1.1.3
github.com/casbin/casbin/v2	2.108.0	2.135.0
github.com/docker/docker	28.5.1+incompatible	28.5.2+incompatible
github.com/eko/gocache/lib/v4	4.2.0	4.2.3
github.com/go-chi/cors	1.2.1	1.2.2
github.com/go-playground/validator/v10	10.26.0	10.30.1
github.com/go-viper/mapstructure/v2	2.4.0	2.5.0
github.com/grpc-ecosystem/grpc-gateway/v2	2.27.3	2.28.0
github.com/jackc/pgx/v5	5.7.5	5.8.0
github.com/lib/pq	1.10.9	1.12.0
github.com/mattn/go-sqlite3	1.14.29	1.14.37
github.com/pressly/goose/v3	3.24.3	3.27.0
github.com/spf13/cobra	1.9.1	1.10.2
github.com/testcontainers/testcontainers-go	0.40.0	0.41.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.39.0	1.42.0
go.opentelemetry.io/otel/exporters/stdout/stdouttrace	1.39.0	1.42.0
golang.org/x/net	0.51.0	0.52.0
github.com/go-ldap/ldap/v3	3.4.12	3.4.13

Updates buf.build/go/protovalidate from 1.0.0 to 1.1.3

Release notes

Sourced from buf.build/go/protovalidate's releases.

v1.1.3

What's Changed

• Fix a few godoc comments and update golangci-lint by @​pkwarren in bufbuild/protovalidate-go#306
• Bump the go group across 1 directory with 2 updates by @​dependabot[bot] in bufbuild/protovalidate-go#308
• Fix registry chain for pb.Map in NativeToValue by @​rodaine in bufbuild/protovalidate-go#309

Full Changelog: bufbuild/protovalidate-go@v1.1.2...v1.1.3

v1.1.2

What's Changed

• Fix base type adapter missing builtin types by @​rodaine in bufbuild/protovalidate-go#305

Full Changelog: bufbuild/protovalidate-go@v1.1.1...v1.1.2

v1.1.1

This release is compatible with the v1.1.0 release of Protovalidate.

What's Changed

• Always provide all available variables by @​srikrsna-buf in bufbuild/protovalidate-go#297
• Wrap protoreflect.Map with type information so we don't need to cast to map[any]any by @​rodaine in bufbuild/protovalidate-go#300
• Avoid heap escape on kvPairs evaluation by @​rodaine in bufbuild/protovalidate-go#301
• Implement registry chaining for CEL type isolation by @​rodaine in bufbuild/protovalidate-go#302

Full Changelog: bufbuild/protovalidate-go@v1.1.0...v1.1.1

v1.1.0

This release is compatible with the v1.1.0 release of Protovalidate.

What's Changed

• Improve ValidationError strings by @​bufdev in bufbuild/protovalidate-go#291
• Make it so that you can define expression-only rules by @​bufdev in bufbuild/protovalidate-go#288
• Fix field paths for groups by @​timostamm in bufbuild/protovalidate-go#292
• Update protovalidate by @​srikrsna-buf in bufbuild/protovalidate-go#293

Full Changelog: bufbuild/protovalidate-go@v1.0.1...v1.1.0

v1.0.1

What's Changed

• Bump buf.build/go/hyperpb from 0.1.0 to 0.1.1 in the go group by @​dependabot[bot] in bufbuild/protovalidate-go#281
• Use opaque proto API by @​rodaine in bufbuild/protovalidate-go#283
• Bump buf.build/go/hyperpb from 0.1.1 to 0.1.3 in the go group by @​dependabot[bot] in bufbuild/protovalidate-go#284
• Bump the go group with 2 updates by @​dependabot[bot] in bufbuild/protovalidate-go#285
• Benchmark and performance improvements by @​rodaine in bufbuild/protovalidate-go#289

Full Changelog: bufbuild/protovalidate-go@v1.0.0...v1.0.1

Commits

• 61167be Fix registry chain for pb.Map in NativeToValue (#309)
• 58d9ffb Bump the go group across 1 directory with 2 updates (#308)
• 89a14f7 Fix a few godoc comments and update golangci-lint (#306)
• e666f1a Fix base type adapter missing builtin types (#305)
• 3707b74 Implement registry chaining for CEL type isolation (#302)
• a87f1c9 Avoid heap escape on kvPairs evaluation (#301)
• c2ae600 Wrap protoreflect.Map with type information so we don't need to cast to map[a...
• 5dd4789 Avoid copying types.Registry on env.Extend (#299)
• d9f7a10 Expand benchmark tests (#298)
• b90590a Always provide all available variables (#297)
• Additional commits viewable in compare view

Updates github.com/casbin/casbin/v2 from 2.108.0 to 2.135.0

Release notes

Sourced from github.com/casbin/casbin/v2's releases.

v2.135.0

2.135.0 (2025-12-09)

Features

• remove Travis script and issue templates (5fc9fd8)

v2.134.0

2.134.0 (2025-11-14)

Features

• fix inconsistent backslash handling between matcher literals and CSV-parsed values (#1577) (5d3134d)

v2.133.0

2.133.0 (2025-11-14)

Features

• fix stale g() function cache in BuildRoleLinks causing incorrect permissions (#1580) (0a13664)

v2.132.0

2.132.0 (2025-11-04)

Features

• improve README (4b6c4c8)

v2.131.0

2.131.0 (2025-11-02)

Features

• fix EscapeAssertion (matcher) incorrectly matching p./r. patterns inside quoted strings (#1572) (1eef59a)

v2.130.0

2.130.0 (2025-11-01)

Features

• fix duplicate CI workflow runs and optimize to test only Go 1.21 (#1571) (bb1e443)

v2.129.0

2.129.0 (2025-11-01)

... (truncated)

Commits

• 5fc9fd8 feat: remove Travis script and issue templates
• 5d3134d feat: fix inconsistent backslash handling between matcher literals and CSV-pa...
• 0a13664 feat: fix stale g() function cache in BuildRoleLinks causing incorrect permis...
• 4b6c4c8 feat: improve README
• 1eef59a feat: fix EscapeAssertion (matcher) incorrectly matching p./r. patterns insid...
• bb1e443 feat: fix duplicate CI workflow runs and optimize to test only Go 1.21 (#1571)
• 91b9cf2 feat: add OrBAC (Organisation-Based Access Control) model support (#1567)
• 87e9956 feat: add ContextEnforcer: add ctx to AddPolicy and other APIs (#1553)
• 1ef00ac feat: enable concurrent transactions using optimistic locking, versioning and...
• 0c5a574 feat: add PBAC model support and test (#1548)
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.5.1+incompatible to 28.5.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Packaging updates

• Update runc to v1.3.3. moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). moby/moby#51162
• Update Go runtime to 1.24.9. moby/moby#51387, docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecate DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility. docker/cli#6560
• Go-SDK: opts: deprecate ValidateMACAddress. docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete(). docker/cli#6560

Commits

• 89c5e8f Merge pull request #51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request #51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request #51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request #51387 from thaJeztah/28.x_bump_go
• Additional commits viewable in compare view

Updates github.com/eko/gocache/lib/v4 from 4.2.0 to 4.2.3

Release notes

Sourced from github.com/eko/gocache/lib/v4's releases.

store/memcache/v4.2.3

What's Changed

• Store memcache: moved from golang/mock to mockery by @​eko in eko/gocache#295

Full Changelog: eko/gocache@lib/v4.2.1...store/memcache/v4.2.3

store/bigcache/v4.2.3

What's Changed

• Hide mock interfaces from users by @​Neo2308 in eko/gocache#296

New Contributors

• @​Neo2308 made their first contribution in eko/gocache#296

Full Changelog: eko/gocache@store/memcache/v4.2.3...store/bigcache/v4.2.3

store/freecache/v4.2.3

What's Changed

• Hide mock interfaces from users by @​Neo2308 in eko/gocache#296

New Contributors

• @​Neo2308 made their first contribution in eko/gocache#296

Full Changelog: eko/gocache@store/memcache/v4.2.3...store/freecache/v4.2.3

store/go_cache/v4.2.3

What's Changed

• Hide mock interfaces from users by @​Neo2308 in eko/gocache#296

New Contributors

• @​Neo2308 made their first contribution in eko/gocache#296

Full Changelog: eko/gocache@store/memcache/v4.2.3...store/go_cache/v4.2.3

lib/v4.2.3

What's Changed

• chore(go-mod): bump outdated dependencies by @​geigerj0 in eko/gocache#300

New Contributors

• @​geigerj0 made their first contribution in eko/gocache#300

Full Changelog: eko/gocache@lib/v4.2.2...lib/v4.2.3

What's Changed

• chore(go-mod): bump outdated dependencies by @​geigerj0 in eko/gocache#300

New Contributors

• @​geigerj0 made their first contribution in eko/gocache#300

Full Changelog: eko/gocache@lib/v4.2.2...lib/v4.2.3

... (truncated)

Commits

• 5654fdf Merge pull request #300 from geigerj0/bump-deps
• 3fabe46 bump all deps
• 7747003 bump deps
• b4334a5 bump deps
• f037427 bump deps
• 003ae39 Merge pull request #296 from Neo2308/feature/master/hide-mock-interfaces
• 42bb50e Rename import to resolve warnings
• 21cb8b5 Added mocks
• c0e14c1 Hide mock interfaces from users
• 277d34a Merge pull request #295 from eko/memcache-mocks
• Additional commits viewable in compare view

Updates github.com/go-chi/cors from 1.2.1 to 1.2.2

Release notes

Sourced from github.com/go-chi/cors's releases.

v1.2.2

What's Changed

• Update README with install by @​Uyutaka in go-chi/cors#22
• Fix broken credits link by @​lordidiot in go-chi/cors#25
• fix test_default error message #28 by @​ablankz in go-chi/cors#29
• Update Go version in CI by @​VojtechVitek in go-chi/cors#32
• Fix Origin header check by @​c2h5oh in go-chi/cors#38

New Contributors

• @​Uyutaka made their first contribution in go-chi/cors#22
• @​lordidiot made their first contribution in go-chi/cors#25
• @​ablankz made their first contribution in go-chi/cors#29
• @​VojtechVitek made their first contribution in go-chi/cors#32
• @​c2h5oh made their first contribution in go-chi/cors#38

Full Changelog: go-chi/cors@v1.2.1...v1.2.2

Commits

• 3a53812 Fix Origin header check (#38)
• f8fbaee Update Go version in CI (#32)
• b41f767 fix test_default error message #28 (#29)
• 76ca797 Fix broken link (#25)
• 9aca617 Update README with install (#22)
• See full diff in compare view

Updates github.com/go-playground/validator/v10 from 10.26.0 to 10.30.1

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

Release 10.30.1

What's Changed

• Feat: uds_exists validator by @​barash-asenov in go-playground/validator#1482
• fix: Revert min limit of e164 regex by @​zemzale in go-playground/validator#1516
• Fix 1513 update ISO 3166-2 codes by @​xyz27900 in go-playground/validator#1514

New Contributors

• @​barash-asenov made their first contribution in go-playground/validator#1482
• @​xyz27900 made their first contribution in go-playground/validator#1514

Full Changelog: go-playground/validator@v10.30.0...v10.30.1

Release 10.30.0

What's Changed

• Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @​dependabot[bot] in go-playground/validator#1504
• Bump github.com/gabriel-vasile/mimetype from 1.4.11 to 1.4.12 by @​dependabot[bot] in go-playground/validator#1505
• docs: document omitzero by @​minoritea in go-playground/validator#1509
• fix: add missing translations for alpha validators by @​shindonghwi in go-playground/validator#1510
• fix: resolve panic when using aliases with OR operator by @​shindonghwi in go-playground/validator#1507
• fix: resolve panic when using cross-field validators with ValidateMap by @​shindonghwi in go-playground/validator#1508

New Contributors

• @​minoritea made their first contribution in go-playground/validator#1509
• @​shindonghwi made their first contribution in go-playground/validator#1510

Full Changelog: go-playground/validator@v10.29.0...v10.30.0

v10.29.0

What's Changed

• fix: minor spelling fix in docs by @​Perfect5th in go-playground/validator#1472
• Bump golang.org/x/text from 0.29.0 to 0.30.0 by @​dependabot[bot] in go-playground/validator#1473
• Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @​dependabot[bot] in go-playground/validator#1474
• Fix integer overflows in test when run on 32bit systems by @​gibmat in go-playground/validator#1479
• fix: exclude modernize linter by @​nodivbyzero in go-playground/validator#1487
• Bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in go-playground/validator#1490
• Bump github.com/gabriel-vasile/mimetype from 1.4.10 to 1.4.11 by @​dependabot[bot] in go-playground/validator#1485
• Support for ISO 9362:2022 BIC (SWIFT) codes by @​fira42073 in go-playground/validator#1478
• Bump golang.org/x/crypto from 0.43.0 to 0.44.0 by @​dependabot[bot] in go-playground/validator#1492
• Fix: validation now rejects phone codes starting with +0 by @​nodivbyzero in go-playground/validator#1476
• Bump golang.org/x/crypto from 0.44.0 to 0.45.0 by @​dependabot[bot] in go-playground/validator#1495
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in go-playground/validator#1497
• fix/1500:Update Sierra Leone currency code from SLL to SLE by @​princekm096 in go-playground/validator#1501
• Fix/1481 skip invalid type validations by @​KaranLathiya in go-playground/validator#1498
• Fix 1502 update ccy codes by @​princekm096 in go-playground/validator#1503
• Added alphanumspace string validator by @​haribabuk113 in go-playground/validator#1484
• excluded_unless bug fix by @​chargraves85 in go-playground/validator#1307

New Contributors

• @​Perfect5th made their first contribution in go-playground/validator#1472
• @​gibmat made their first contribution in go-playground/validator#1479

... (truncated)

Commits

• 5010f83 Fix 1513 update ISO 3166-2 codes (#1514)
• e8627a1 fix: Revert min limit of e164 regex (#1516)
• 65b1bcc Feat: uds_exists validator (#1482)
• e9b900c fix: resolve panic when using cross-field validators with ValidateMap (#1508)
• 7aba81c fix: resolve panic when using aliases with OR operator (#1507)
• 4d600be fix: add missing translations for alpha validators (#1510)
• b0e4ba2 docs: document omitzero (#1509)
• 79fba72 Bump github.com/gabriel-vasile/mimetype from 1.4.11 to 1.4.12 (#1505)
• c3c9084 Bump golang.org/x/crypto from 0.45.0 to 0.46.0 (#1504)
• afce000 excluded_unless bug fix (#1307)
• Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.4.0 to 2.5.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.5.0

What's Changed

• Print qualified type name when ErrorUnused=true causes errors for unused keys in embedded fields by @​jmacd in go-viper/mapstructure#113
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in go-viper/mapstructure#126
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.10 by @​dependabot[bot] in go-viper/mapstructure#131
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in go-viper/mapstructure#129
• feat: support for automatically initializing squashed pointer structs by @​tuunit in go-viper/mapstructure#71
• build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in go-viper/mapstructure#134
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in go-viper/mapstructure#142
• Fix slice deep map (owned) by @​jphastings in go-viper/mapstructure#144
• chore: fix lint violations by @​sagikazarmark in go-viper/mapstructure#157
• chore: switch to devenv by @​sagikazarmark in go-viper/mapstructure#158
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in go-viper/mapstructure#151
• build(deps): bump github/codeql-action from 3.29.10 to 4.31.2 by @​dependabot[bot] in go-viper/mapstructure#153
• build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] in go-viper/mapstructure#154
• build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @​dependabot[bot] in go-viper/mapstructure#160
• build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in go-viper/mapstructure#159
• build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @​dependabot[bot] in go-viper/mapstructure#162
• build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in go-viper/mapstructure#161
• build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in go-viper/mapstructure#163
• feature: Add map field name to convert structs dynamically instead of individually with a tag. by @​thespags in go-viper/mapstructure#149
• feat(decoder): support multiple tag names in order by @​DarkiT in go-viper/mapstructure#59
• feat: optional root object name by @​andreev-fn in go-viper/mapstructure#137
• Add unmarshaler interface by @​sagikazarmark in go-viper/mapstructure#166

New Contributors

• @​jmacd made their first contribution in go-viper/mapstructure#113
• @​tuunit made their first contribution in go-viper/mapstructure#71
• @​jphastings made their first contribution in go-viper/mapstructure#144
• @​thespags made their first contribution in go-viper/mapstructure#149
• @​DarkiT made their first contribution in go-viper/mapstructure#59
• @​andreev-fn made their first contribution in go-viper/mapstructure#137

Full Changelog: go-viper/mapstructure@v2.4.0...v2.5.0

Commits

• 9aa3f77 Merge pull request #166 from go-viper/unmarshal2
• ae32a61 doc: add more documentation
• 320c8c9 test: cover unmarshaler to map
• 5b22829 feat: add unmarshaler interface
• fd74c75 Merge pull request #137 from andreev-fn/opt-root-name
• dee4661 Merge pull request #59 from DarkiT/main
• 5605df4 chore: cover more test cases, fix edge cases, add docs
• 6166631 fix(mapstructure): add multi-tag support and regression tests
• 6471aa6 Merge pull request #149 from thespags/main
• dbffaaa chore: add more tests and clarification to the documentation
• Additional commits viewable in compare view

Updates github.com/grpc-ecosystem/grpc-gateway/v2 from 2.27.3 to 2.28.0

Release notes

Sourced from github.com/grpc-ecosystem/grpc-gateway/v2's releases.

v2.28.0

What's Changed

• feat: add option to disable chunked headers by @​irenarindos in grpc-ecosystem/grpc-gateway#6354
• fix(protoc-gen-openapiv2): fix panic on enum resolution in nested messages by @​franchb in grpc-ecosystem/grpc-gateway#6367

New Contributors

• @​irenarindos made their first contribution in grpc-ecosystem/grpc-gateway#6354

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.8...v2.28.0

v2.27.8

What's Changed

• Fix opaque missing imports casing by @​kellen-miller in grpc-ecosystem/grpc-gateway#6304
• Revert "fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files" by @​johanbrandhorst in grpc-ecosystem/grpc-gateway#6309
• fix(protoc-gen-openapiv2): fix naming cache for multi-file generation by @​franchb in grpc-ecosystem/grpc-gateway#6315
• fix(openapiv2): exclude oneof fields from required with proto3 field semantics by @​sessa in grpc-ecosystem/grpc-gateway#6335

New Contributors

• @​sessa made their first contribution in grpc-ecosystem/grpc-gateway#6335

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.7...v2.27.8

v2.27.7

Re-release of v2.26.7 as v2.27.7 for correct semver ordering.

v2.27.6

What's Changed

• feat(generator): harden opaque imports and fix snake case to go casing by @​kellen-miller in grpc-ecosystem/grpc-gateway#6279
• fix(protoc-gen-openapiv2): prevent panic when generating OpenAPI for multiple files by @​franchb in grpc-ecosystem/grpc-gateway#6275

New Contributors

• @​franchb made their first contribution in grpc-ecosystem/grpc-gateway#6275

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.5...v2.27.6

v2.27.5

What's Changed

• Issue5799 by @​rohitlohar45 in grpc-ecosystem/grpc-gateway#6123
• fix: Add example repo in Java to README by @​majiayu000 in grpc-ecosystem/grpc-gateway#6199
• fix: Use summary/description instead of title for field comments in openapi gen by @​iamrajiv in grpc-ecosystem/grpc-gateway#6223
• fix(gengateway): use pointer for bodyData in OpaqueAPI PATCH requests by @​kop in grpc-ecosystem/grpc-gateway#6246
• fix(gengateway): use opaque chain for setting path params by @​kellen-miller in grpc-ecosystem/grpc-gateway#6215

New Contributors

• @​majiayu000 made their first contribution in grpc-ecosystem/grpc-gateway#6199
• @​kellen-miller made their first contribution in grpc-ecosystem/grpc-gateway#6215

Full Changelog: grpc-ecosystem/grpc-gateway@v2.27.4...v2.27.5

... (truncated)

Commits

• 13a31f4 fix(protoc-gen-openapiv2): fix panic on enum resolution in nested messages (#...
• 8e678ff chore(deps): update googleapis digest to 27ffde2 (#6369)
• 41651ff chore(deps): update googleapis digest to b026ba8 (#6368)
• d083140 chore(deps): update googleapis digest to 537554c (#6365)
• eb2fada chore(deps): update googleapis digest to 7b25d8c (#6364)
• d8dddc9 chore(deps): update googleapis digest to 6781051 (#6363)
• 3c4354f chore(deps): update googleapis digest to 055f92c (#6362)
• b2eb1b5 fix(deps): update module google.golang.org/grpc to v1.79.1 (#6361)
• 61b9d73 chore(deps): update googleapis digest to d84d3c2 (#6360)
• e0880e3 chore(deps): update googleapis digest to 6eead6e (#6359)
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.5 to 5.8.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.8.0 (December 26, 2025)

• Require Go 1.24+
• Remove golang.org/x/crypto dependency
• Add OptionShouldPing to control ResetSession ping behavior (ilyam8)
• Fix: Avoid overflow when MaxConns is set to MaxInt32
• Fix: Close batch pipeline after a query error (Anthonin Bonnefoy)
• Faster shutdown of pgxpool.Pool background goroutines (Blake Gentry)
• Add pgxpool ping timeout (Amirsalar Safaei)
• Fix: Rows.FieldDescriptions for empty query
• Scan unknown types into *any as string or []byte based on format code
• Optimize pgtype.Numeric (Philip Dubé)
• Add AfterNetConnect hook to pgconn.Config
• Fix: Handle for preparing statements that fail during the Describe phase
• Fix overflow in numeric scanning (Ilia Demianenko)
• Fix: json/jsonb sql.Scanner source type is []byte
• Migrate from math/rand to math/rand/v2 (Mathias Bogaert)
• Optimize internal iobufpool (Mathias Bogaert)
• Optimize stmtcache invalidation (Mathias Bogaert)
• Fix: missing error case in interval parsing (Maxime Soulé)
• Fix: invalidate statement/description cache in Exec (James Hartig)
• ColumnTypeLength method return the type length for varbit type (DengChan)
• Array and Composite codecs handle typed nils

5.7.6 (September 8, 2025)

• Use ParseConfigError in pgx.ParseConfig and pgxpool.ParseConfig (Yurasov Ilia)
• Add PrepareConn hook to pgxpool (Jonathan Hall)
• Reduce allocations in QueryContext (Dominique Lefevre)
• Add MarshalJSON and UnmarshalJSON for pgtype.Uint32 (Panos Koutsovasilis)
• Configure ping behavior on pgxpool with ShouldPing (Christian Kiely)
• zeronull int types implement Int64Valuer and Int64Scanner (Li Zeghong)
• Fix panic when receiving terminate connection message during CopyFrom (Michal Drausowski)
• Fix statement cache not being invalidated on error during batch (Muhammadali Nazarov)

Commits

• fe8740a Release v5.8.0
• e5dde5a Skip test on CockroachDB
• 06f2d82 Remove trailing space
• 2cf78dd Merge pull request #2448 from DengChan/column_type_lenth_varbit
• 2d1c4ef Skip tests on CockroachDB
• 1a5fa7f Array and Composite codecs handle typed nils
• 5736d09 ColumnTypeLength method return the type length for varbit type.
• 4c1308c Revert "stdlib matches native pgx scanning support"
• 14ce2b7 Skip test on CockroachDB
• 65b2724 Merge pull request #2443 from jameshartig/x-invalidate-cache-in-exec
• Additional commits viewable in compare view

Updates github.com/lib/pq from 1.10.9 to 1.12.0

Release notes

Sourced from github.com/lib/pq's releases.

v1.12.0

• The next release may change the default sslmode from require to prefer. See #1271 for details.

• CopyIn() and CopyInToSchema() have been marked as deprecated. These are simple query builders and not needed for COPY [..] FROM STDIN support (which is not deprecated). (#1279)

  // Old
  tx.Prepare(CopyIn("temp", "num", "text", "blob", "...
  Description has been truncated

[github-actions]

X-Test Results

✅ go-pull-3170
✅ go-v0.9.0
✅ java-pull-3170
✅ js-pull-3170
✅ java-v0.9.0
✅ js-v0.9.0
bats-test-results
cukes-report
opentdfplatformTT81JP.dockerbuild

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 25 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

service/go.mod

Name	Version	Vulnerability	Severity
google.golang.org/grpc	1.79.2	gRPC-Go has an authorization bypass via missing leading slash in :path	critical

License Issues

service/go.mod

Package	Version	License	Issue Type
github.com/Azure/go-ntlmssp	0.1.0	Null	Unknown License
github.com/casbin/casbin/v2	2.135.0	Null	Unknown License
github.com/docker/docker	28.5.2+incompatible	Null	Unknown License
github.com/ebitengine/purego	0.10.0	Null	Unknown License
github.com/gabriel-vasile/mimetype	1.4.12	Null	Unknown License
github.com/go-chi/cors	1.2.2	Null	Unknown License
github.com/go-ldap/ldap/v3	3.4.13	Null	Unknown License
github.com/go-playground/validator/v10	10.30.1	Null	Unknown License
github.com/go-viper/mapstructure/v2	2.5.0	Null	Unknown License
github.com/golang-jwt/jwt/v5	5.3.0	Null	Unknown License
github.com/google/cel-go	0.27.0	Null	Unknown License
github.com/grpc-ecosystem/grpc-gateway/v2	2.28.0	Null	Unknown License
github.com/jackc/pgx/v5	5.8.0	Null	Unknown License
github.com/klauspost/compress	1.18.4	Null	Unknown License
github.com/lib/pq	1.12.0	Null	Unknown License
github.com/mattn/go-sqlite3	1.14.37	Null	Unknown License
github.com/prometheus/client_golang	1.23.2	Null	Unknown License
github.com/prometheus/common	0.67.4	Null	Unknown License
github.com/prometheus/procfs	0.19.2	Null	Unknown License
github.com/segmentio/asm	1.2.1	Null	Unknown License
github.com/spf13/cobra	1.10.2	Null	Unknown License
github.com/spf13/pflag	1.0.9	Null	Unknown License
github.com/testcontainers/testcontainers-go	0.41.0	Null	Unknown License
github.com/tklauser/numcpus	0.11.0	Null	Unknown License
github.com/pressly/goose/v3	3.27.0	Null	Unknown License

Denied Licenses:

GPL-2.0, AGPL-1.0, AGPL-1.0-or-later, AGPL-1.0-only, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, CNRI-Python-GPL-Compatible, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-GCC-exception, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-GCC-exception, GPL-3.0-with-autoconf-exception, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, NGPL

Excluded from license check:

pkg:githubactions/SonarSource/sonarqube-scan-action

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/google.golang.org/grpc	1.79.2	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
gomod/buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go	1.36.11-20260209202127-80ab13bee0bf.1	Unknown	Unknown
gomod/buf.build/go/protovalidate	1.1.3	🟢 5.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 11 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/cel.dev/expr	0.25.1	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 3 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/Azure/go-ntlmssp	0.1.0	Unknown	Unknown
gomod/github.com/casbin/casbin/v2	2.135.0	Unknown	Unknown
gomod/github.com/docker/docker	28.5.2+incompatible	Unknown	Unknown
gomod/github.com/ebitengine/purego	0.10.0	Unknown	Unknown
gomod/github.com/eko/gocache/lib/v4	4.2.3	🟢 3.4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 6/10 approved changesets -- score normalized to 6 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/gabriel-vasile/mimetype	1.4.12	Unknown	Unknown
gomod/github.com/go-chi/cors	1.2.2	Unknown	Unknown
gomod/github.com/go-ldap/ldap/v3	3.4.13	Unknown	Unknown
gomod/github.com/go-playground/validator/v10	10.30.1	Unknown	Unknown
gomod/github.com/go-viper/mapstructure/v2	2.5.0	Unknown	Unknown
gomod/github.com/golang-jwt/jwt/v5	5.3.0	Unknown	Unknown
gomod/github.com/google/cel-go	0.27.0	Unknown	Unknown
gomod/github.com/grpc-ecosystem/grpc-gateway/v2	2.28.0	Unknown	Unknown
gomod/github.com/jackc/pgx/v5	5.8.0	Unknown	Unknown
gomod/github.com/klauspost/compress	1.18.4	Unknown	Unknown
gomod/github.com/lib/pq	1.12.0	Unknown	Unknown
gomod/github.com/mattn/go-sqlite3	1.14.37	Unknown	Unknown
gomod/github.com/moby/go-archive	0.2.0	Unknown	Unknown
gomod/github.com/pressly/goose/v3	3.27.0	🟢 3.9	Details Check Score Reason Code-Review ⚠️ 1 Found 4/21 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 14 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/prometheus/client_golang	1.23.2	Unknown	Unknown
gomod/github.com/prometheus/common	0.67.4	Unknown	Unknown
gomod/github.com/prometheus/procfs	0.19.2	Unknown	Unknown
gomod/github.com/segmentio/asm	1.2.1	Unknown	Unknown
gomod/github.com/shirou/gopsutil/v4	4.26.2	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/spf13/cobra	1.10.2	Unknown	Unknown
gomod/github.com/spf13/pflag	1.0.9	Unknown	Unknown
gomod/github.com/testcontainers/testcontainers-go	0.41.0	Unknown	Unknown
gomod/github.com/tklauser/go-sysconf	0.3.16	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 0 Found 0/9 approved changesets -- score normalized to 0 Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/tklauser/numcpus	0.11.0	Unknown	Unknown
gomod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	0.65.0	🟢 8.8	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool is run on all commits Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Vulnerabilities 🟢 10 0 existing vulnerabilities detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	1.41.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/stdout/stdouttrace	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/sdk	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.42.0	🟢 9.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/go.yaml.in/yaml/v2	2.4.3	Unknown	Unknown
gomod/golang.org/x/crypto	0.49.0	Unknown	Unknown
gomod/golang.org/x/exp	0.0.0-20260218203240-3dfff04db8fa	Unknown	Unknown
gomod/golang.org/x/net	0.52.0	Unknown	Unknown
gomod/golang.org/x/oauth2	0.35.0	Unknown	Unknown
gomod/golang.org/x/sync	0.20.0	Unknown	Unknown
gomod/golang.org/x/sys	0.42.0	Unknown	Unknown
gomod/golang.org/x/text	0.35.0	Unknown	Unknown
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20260209200024-4cfbd4190f57	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 21 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20260217215200-42d3e9bedb6d	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 21 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
gomod/google.golang.org/protobuf	1.36.11	Unknown	Unknown

Scanned Files

• service/go.mod

[github-actions]

X-Test Results

✅ go-pull-3170
✅ go-v0.9.0
✅ java-pull-3170
✅ java-v0.9.0
✅ js-pull-3170
✅ js-v0.9.0
bats-test-results
cukes-report
opentdfplatformL2ZQ8M.dockerbuild

[github-actions]

X-Test Results

✅ go-pull-3170
✅ go-v0.9.0
✅ java-pull-3170
✅ java-v0.9.0
✅ js-pull-3170
✅ js-v0.9.0
bats-test-results
cukes-report
opentdfplatformTNS09G.dockerbuild

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.