Skip to content

fix(deps): update go minor/patch updates #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update go minor/patch updates #37

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 28, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/labstack/echo/v4 v4.14.0v4.15.0 age confidence
github.com/minio/minio-go/v7 v7.0.97v7.0.98 age confidence
helm.sh/helm/v3 v3.19.4v3.19.5 age confidence
k8s.io/api v0.34.3v0.35.0 age confidence
k8s.io/apiextensions-apiserver v0.34.3v0.35.0 age confidence
k8s.io/apimachinery v0.34.3v0.35.0 age confidence
k8s.io/cli-runtime v0.34.3v0.35.0 age confidence
k8s.io/client-go v0.34.3v0.35.0 age confidence

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.15.0

Compare Source

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF
protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship
between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to
traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},

    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: #​2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @​aldas in #​2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,
    eliminating manual string parsing and type assertions.

    New Functions:

    • Path parameters: PathParam[T], PathParamOr[T]
    • Query parameters: QueryParam[T], QueryParamOr[T], QueryParams[T], QueryParamsOr[T]
    • Form values: FormParam[T], FormParamOr[T], FormParams[T], FormParamsOr[T]
    • Context store: ContextGet[T], ContextGetOr[T]

    Supported Types:
    Primitives (bool, string, int/uint variants, float32/float64), time.Duration, time.Time
    (with custom layouts and Unix timestamp support), and custom types implementing BindUnmarshaler,
    TextUnmarshaler, or JSONUnmarshaler.

    Example:

    // Before: Manual parsing
idStr := c.Param("id")
id, err := strconv.Atoi(idStr)

// After: Type-safe with automatic parsing
id, err := echo.PathParam[int](c, "id")

// With default values
page, err := echo.QueryParamOr[int](c, "page", 1)
limit, err := echo.QueryParamOr[int](c, "limit", 20)

// Type-safe context access (no more panics from type assertions)
user, err := echo.ContextGet[*User](c, "user")

PR: #​2856

DEPRECATION NOTICE Timeout Middleware Deprecated - Use ContextTimeout Instead

The middleware.Timeout middleware has been deprecated due to fundamental architectural issues that cause
data races. Use middleware.ContextTimeout or middleware.ContextTimeoutWithConfig instead.

Why is this being deprecated?

The Timeout middleware manipulates response writers across goroutine boundaries, which causes data races that
cannot be reliably fixed without a complete architectural redesign. The middleware:

  • Swaps the response writer using http.TimeoutHandler
  • Must be the first middleware in the chain (fragile constraint)
  • Can cause races with other middleware (Logger, metrics, custom middleware)
  • Has been the source of multiple race condition fixes over the years

What should you use instead?

The ContextTimeout middleware (available since v4.12.0) provides timeout functionality using Go's standard
context mechanism. It is:

  • Race-free by design
  • Can be placed anywhere in the middleware chain
  • Simpler and more maintainable
  • Compatible with all other middleware

Migration Guide:

// Before (deprecated):
e.Use(middleware.Timeout())

// After (recommended):
e.Use(middleware.ContextTimeout(30 * time.Second))

Important Behavioral Differences:

  1. Handler cooperation required: With ContextTimeout, your handlers must check context.Done() for cooperative
    cancellation. The old Timeout middleware would send a 503 response regardless of handler cooperation, but had
    data race issues.

  2. Error handling: ContextTimeout returns errors through the standard error handling flow. Handlers that receive
    context.DeadlineExceeded should handle it appropriately:

e.GET("/long-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    // Example: database query with context
    result, err := db.QueryContext(ctx, "SELECT * FROM large_table")
    if err != nil {
        if errors.Is(err, context.DeadlineExceeded) {
            // Handle timeout
            return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
        }
        return err
    }

    return c.JSON(http.StatusOK, result)
})
  1. Background tasks: For long-running background tasks, use goroutines with context:
e.GET("/async-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    resultCh := make(chan Result, 1)
    errCh := make(chan error, 1)

    go func() {
        result, err := performLongTask(ctx)
        if err != nil {
            errCh <- err
            return
        }
        resultCh <- result
    }()

    select {
    case result := <-resultCh:
        return c.JSON(http.StatusOK, result)
    case err := <-errCh:
        return err
    case <-ctx.Done():
        return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
    }
})

Enhancements

minio/minio-go (github.com/minio/minio-go/v7)

v7.0.98

Compare Source

What's Changed

New Contributors

Full Changelog: minio/minio-go@v7.0.97...v7.0.98

helm/helm (helm.sh/helm/v3)

v3.19.5: Helm v3.19.5

Compare Source

Helm v3.19.5 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Fixed bug where removing subchart value via override resulted in warning #​31118
  • Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12556

Installation and Upgrading

Download Helm v3.19.5. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.0 and 3.20.0 is the next minor releases and will be on January 21, 2026
  • 4.1.1 and 3.20.1 are the next patch releases and will be on March 11, 2026

Changelog

  • fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
  • fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
  • fix null merge 578564e (Ben Foster)
kubernetes/api (k8s.io/api)

v0.35.0

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.35.0

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.35.0

Compare Source

kubernetes/cli-runtime (k8s.io/cli-runtime)

v0.35.0

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.35.0

Compare Source

Configuration

📅 Schedule: Branch creation - "before 3am on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from 0f55432 to 7e03c68 Compare January 1, 2026 14:07
@renovate renovate bot changed the title fix(deps): update go minor/patch updates to v0.35.0 fix(deps): update go minor/patch updates Jan 1, 2026
@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from 7e03c68 to b091840 Compare January 14, 2026 08:30
@renovate
Copy link
Contributor Author

renovate bot commented Jan 14, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 9 additional dependencies were updated

Details:

Package Change
k8s.io/api v0.34.3 -> v0.35.0
go.yaml.in/yaml/v2 v2.4.2 -> v2.4.3
google.golang.org/protobuf v1.36.6 -> v1.36.8
gopkg.in/evanphx/json-patch.v4 v4.12.0 -> v4.13.0
k8s.io/apiserver v0.34.3 -> v0.35.0
k8s.io/component-base v0.34.3 -> v0.35.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20250910181357-589584f1c912
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 -> v0.0.0-20251002143259-bc988d571ff4
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730

@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from b091840 to 1e9cb46 Compare January 14, 2026 13:13
@renovate
Copy link
Contributor Author

renovate bot commented Jan 14, 2026
edited
Loading

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: example/complete/go.sum
Command failed: go get -t ./...
go: downloading github.com/minio/minio-go/v7 v7.0.98
go: downloading k8s.io/api v0.35.0
go: downloading github.com/dustin/go-humanize v1.0.1
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/klauspost/compress v1.18.2
go: downloading github.com/klauspost/crc32 v1.3.0
go: downloading github.com/minio/crc64nvme v1.1.1
go: downloading github.com/minio/md5-simd v1.1.2
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading golang.org/x/net v0.48.0
go: downloading helm.sh/helm/v3 v3.19.4
go: downloading k8s.io/cli-runtime v0.34.3
go: downloading k8s.io/client-go v0.34.3
go: downloading k8s.io/apiextensions-apiserver v0.34.3
go: downloading k8s.io/apimachinery v0.35.0
go: downloading github.com/vmware-tanzu/velero v1.17.0
go: downloading sigs.k8s.io/controller-runtime v0.22.4
go: downloading github.com/labstack/echo/v4 v4.14.0
go: downloading k8s.io/klog/v2 v2.130.1
go: downloading golang.org/x/sys v0.39.0
go: downloading github.com/klauspost/cpuid/v2 v2.2.11
go: downloading github.com/go-ini/ini v1.67.0
go: downloading golang.org/x/crypto v0.46.0
go: downloading github.com/rs/xid v1.6.0
go: downloading github.com/tinylib/msgp v1.6.1
go: downloading github.com/joho/godotenv v1.5.1
go: downloading github.com/Masterminds/semver/v3 v3.4.0
go: downloading github.com/Masterminds/sprig/v3 v3.3.0
go: downloading github.com/gosuri/uitable v0.0.4
go: downloading github.com/pkg/errors v0.9.1
go: downloading golang.org/x/term v0.38.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading sigs.k8s.io/yaml v1.6.0
go: downloading github.com/spf13/pflag v1.0.10
go: downloading github.com/spf13/cobra v1.10.1
go: downloading gopkg.in/evanphx/json-patch.v4 v4.13.0
go: downloading k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading sigs.k8s.io/randfill v1.0.0
go: downloading github.com/evanphx/json-patch/v5 v5.9.11
go: downloading github.com/evanphx/json-patch v5.9.11+incompatible
go: downloading github.com/labstack/gommon v0.4.2
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
go: downloading sigs.k8s.io/structured-merge-diff/v6 v6.3.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/philhofer/fwd v1.2.0
go: downloading golang.org/x/text v0.32.0
go: downloading dario.cat/mergo v1.0.1
go: downloading github.com/Masterminds/goutils v1.1.1
go: downloading github.com/huandu/xstrings v1.5.0
go: downloading github.com/mitchellh/copystructure v1.2.0
go: downloading github.com/shopspring/decimal v1.4.0
go: downloading github.com/spf13/cast v1.7.0
go: downloading github.com/fatih/color v1.18.0
go: downloading github.com/cyphar/filepath-securejoin v0.6.1
go: downloading github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
go: downloading github.com/BurntSushi/toml v1.5.0
go: downloading github.com/gobwas/glob v0.2.3
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading k8s.io/kubectl v0.34.2
go: downloading github.com/containerd/containerd v1.7.29
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading oras.land/oras-go/v2 v2.6.0
go: downloading github.com/Masterminds/squirrel v1.5.4
go: downloading github.com/jmoiron/sqlx v1.4.0
go: downloading github.com/lib/pq v1.10.9
go: downloading github.com/rubenv/sql-migrate v1.8.0
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading github.com/moby/term v0.5.2
go: downloading github.com/google/gnostic-models v0.7.0
go: downloading go.yaml.in/yaml/v2 v2.4.3
go: downloading golang.org/x/sync v0.19.0
go: downloading sigs.k8s.io/kustomize/api v0.20.1
go: downloading sigs.k8s.io/kustomize/kyaml v0.20.1
go: downloading google.golang.org/protobuf v1.36.8
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
go: downloading github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
go: downloading github.com/peterbourgon/diskv v2.0.1+incompatible
go: downloading github.com/fxamacker/cbor/v2 v2.9.0
go: downloading golang.org/x/oauth2 v0.30.0
go: downloading golang.org/x/time v0.14.0
go: downloading github.com/mattn/go-colorable v0.1.14
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading github.com/valyala/fasttemplate v1.2.2
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/mitchellh/reflectwalk v1.0.2
go: downloading github.com/mattn/go-runewidth v0.0.15
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading k8s.io/component-base v0.34.3
go: downloading github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f
go: downloading github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
go: downloading k8s.io/apiserver v0.34.3
go: downloading github.com/containerd/log v0.1.0
go: downloading github.com/containerd/platforms v0.2.1
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/lann/builder v0.0.0-20180802200727-47ae307949d0
go: downloading github.com/go-gorp/gorp/v3 v3.1.0
go: downloading github.com/go-openapi/swag v0.23.0
go: downloading github.com/go-openapi/jsonreference v0.20.4
go: downloading github.com/google/btree v1.1.3
go: downloading github.com/x448/float16 v0.8.4
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/valyala/bytebufferpool v1.0.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
go: downloading github.com/rivo/uniseg v0.4.4
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
go: downloading github.com/chai2010/gettext-go v1.0.2
go: downloading github.com/MakeNowJust/heredoc v1.0.0
go: downloading github.com/mitchellh/go-wordwrap v1.0.1
go: downloading github.com/russross/blackfriday/v2 v2.1.0
go: downloading github.com/containerd/errdefs v0.3.0
go: downloading google.golang.org/grpc v1.73.0
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/go-openapi/jsonpointer v0.21.0
go: downloading github.com/blang/semver/v4 v4.0.0
go: downloading github.com/go-errors/errors v1.5.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822
go: downloading github.com/emicklei/go-restful/v3 v3.12.2
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v1.2.0
go: downloading github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
go: downloading github.com/moby/spdystream v0.5.0
go: downloading github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
go: complete-example imports
	github.com/taking/kubemigrate/pkg/client/velero imports
	k8s.io/client-go/kubernetes/scheme imports
	k8s.io/api/storagemigration/v1alpha1: cannot find module providing package k8s.io/api/storagemigration/v1alpha1
File name: example/kubernetes/go.sum
Command failed: go get -t ./...
go: kubernetes-example imports
	github.com/taking/kubemigrate/pkg/client/kubernetes imports
	k8s.io/client-go/kubernetes imports
	k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1 imports
	k8s.io/api/storagemigration/v1alpha1: cannot find module providing package k8s.io/api/storagemigration/v1alpha1

@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from 1e9cb46 to f29f961 Compare January 14, 2026 18:15
@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from f29f961 to fccffce Compare January 15, 2026 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant