Skip to content

chore(deps): bump the go-minor-and-patch group in /frontend with 4 updates#140

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/frontend/go-minor-and-patch-16775ce86d
Open

chore(deps): bump the go-minor-and-patch group in /frontend with 4 updates#140
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/frontend/go-minor-and-patch-16775ce86d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-minor-and-patch group in /frontend with 4 updates: github.com/go-chi/chi/v5, github.com/oapi-codegen/oapi-codegen/v2, github.com/oapi-codegen/runtime and golang.org/x/sync.

Updates github.com/go-chi/chi/v5 from 5.3.0 to 5.3.1

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.1

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.3.0...v5.3.1

Commits
  • 8b258c7 ci: pin GitHub Actions to full commit SHAs (#1116)
  • caf87e6 feat(mux): support http QUERY method ietf rfc10008 (#1132)
  • 7fcb8a2 middleware: document printPrettyStack and harden NoColor panic test (#1131)
  • 878fe71 Fix defaultLogEntry.Panic not respecting NoColor setting (#1050)
  • d7b767b feat(middleware): add text/xml and application/xml to default compressible ty...
  • 3b50c7c Tidy build directives (#1113)
  • 2b9fca2 Honor Discard() in httpFancyWriter.ReadFrom (#1110)
  • See full diff in compare view

Updates github.com/oapi-codegen/oapi-codegen/v2 from 2.7.1 to 2.7.2

Release notes

Sourced from github.com/oapi-codegen/oapi-codegen/v2's releases.

v2.7.2 More fixes for code injection issues

String escaping fixes due to more code injection issues

We've had two more code injection issues reported in oapi-codegen, thanks @​Gal3M, @​mrostamipoor for these findings.

These specific issues are now patches in the main branch and in this v2.7.2 release.

You shouldn't blindly trust OpenAPI specs

This code wasn't originally written assuming code generation from random specs from the internet, and it never took any measures to protect itself from malicious specifications, the assumption being that you control your specification, and that you actually look over generated code.

For example, all these RCE exploits rely on using the package init() function in the generated code to run some malicious code at package startup. A way to test for this is to see whether an init() function is emitted, which we currently don't do.

When working with OpenAPI specifications, especially specs you find on remote servers, you should download the spec locally, run some kind of spec validator on it, like openapi-spec-validator, and only then feed it into oapi-codegen. We're very permissive in accepting broken specifications, intentionally, since people feed a lot of garbage input, but this flexibility also makes us weak to these kinds of attacks. There are hundreds of injection sites in oapi-codegen based on my survey.

For the next minor release, v2.8.0, we're going to validate the spec before code generation (oapi-codegen/oapi-codegen#2435), however, since this introduces a new set of failure modes, I don't want to include it in a maintenance release version. The future release is resilient against many forms of injection, and the spec validation has the added benefit that it can generate meaningful error messages for garbage input, where currently, we generate non-compiling code.

Until then, please do sanity checks on your input specifications, on the generated output, and don't fetch specs from the internet in your build, commit both the spec locally into your source control, and go through code review. In our repo, we've hooked up Greptile to catch issues like this, and you should also use some code quality tool. We can't possibly protect against every kind of attack with simple heuristics.

Sponsors

We would like to thank our sponsors for their support during this release.

We'd also like to thank Greptile for allowing our project to use their code review system.

Commits

Updates github.com/oapi-codegen/runtime from 1.4.2 to 1.5.0

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

v1.5.0: RFC3339 durations, and bug fixes

This is mainly a bugfix release, but we're bumping the minor version since we also introduce a new type, Duration into our types/ package, which allows for parsing and emitting RFC3339 durations. Rather than trying to parse a duration string into a time.Duration, which requires assumptions that may not be right for everyone, we decided not to make those decisions and just store all possible fields as provided. Users can convert this to Go Duration as they see fit.

🚀 New features and improvements

🐛 Bug fixes

📝 Documentation updates

📦 Dependency updates

  • fix(deps): update module github.com/labstack/echo/v5 to v5.3.0 (#142) @renovate[bot]
  • chore(deps): update golang/govulncheck-action action to v1.1.0 (#137) @renovate[bot]
  • chore(deps): update oapi-codegen/actions action to v0.8.0 (#130) @renovate[bot]
  • fix(deps): update module github.com/labstack/echo/v5 to v5.2.1 - autoclosed (#126) @renovate[bot]
  • chore(deps): update release-drafter/release-drafter action to v7.5.1 - autoclosed (#124) @renovate[bot]
  • chore(deps): update github/codeql-action action to v4.37.0 (#123) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

Commits
  • 540d34a fix(deps): update module github.com/labstack/echo/v5 to v5.3.0 (#142)
  • e89dbb8 Add types.Duration for the RFC 3339 duration format (#144)
  • 324e57f Let generated code declare whether styled parameter values are escaped (#143)
  • 95c13c0 Explain how to send nested objects when style serialization fails (#141)
  • 7c889f3 Prefer the form struct tag over json for form encoding (#140)
  • d0d5c3a chore(deps): update golang/govulncheck-action action to v1.1.0 (#137)
  • 67e86fd chore(deps): update oapi-codegen/actions action to v0.8.0 (#130)
  • df140cb fix(deps): update module github.com/labstack/echo/v5 to v5.2.1 (#126)
  • a90c79a chore(deps): update release-drafter/release-drafter action to v7.5.1 (#124)
  • a6d718f chore(deps): update github/codeql-action action to v4.37.0 (#123)
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.21.0 to 0.22.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-minor-and-patch group in /frontend with 4 updates: [github.com/go-chi/chi/v5](https://github.com/go-chi/chi), [github.com/oapi-codegen/oapi-codegen/v2](https://github.com/oapi-codegen/oapi-codegen), [github.com/oapi-codegen/runtime](https://github.com/oapi-codegen/runtime) and [golang.org/x/sync](https://github.com/golang/sync).


Updates `github.com/go-chi/chi/v5` from 5.3.0 to 5.3.1
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.3.0...v5.3.1)

Updates `github.com/oapi-codegen/oapi-codegen/v2` from 2.7.1 to 2.7.2
- [Release notes](https://github.com/oapi-codegen/oapi-codegen/releases)
- [Commits](oapi-codegen/oapi-codegen@v2.7.1...v2.7.2)

Updates `github.com/oapi-codegen/runtime` from 1.4.2 to 1.5.0
- [Release notes](https://github.com/oapi-codegen/runtime/releases)
- [Commits](oapi-codegen/runtime@v1.4.2...v1.5.0)

Updates `golang.org/x/sync` from 0.21.0 to 0.22.0
- [Commits](golang/sync@v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-and-patch
- dependency-name: github.com/oapi-codegen/oapi-codegen/v2
  dependency-version: 2.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-and-patch
- dependency-name: github.com/oapi-codegen/runtime
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-and-patch
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Go dependencies labels Jul 13, 2026
@dependabot
dependabot Bot requested a review from strausmann as a code owner July 13, 2026 04:19
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Go dependencies labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Go dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants