chore(deps): update all non-major dependencies

[cnap-tech-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
github.com/oapi-codegen/oapi-codegen/v2	indirect	minor	v2.5.1 → v2.7.0
github.com/oapi-codegen/runtime	require	minor	v1.1.2 → v1.4.0
go		patch	1.26.0 → 1.26.3
golang.org/x/term	require	minor	v0.40.0 → v0.43.0
golangci-lint		minor	2.10.1 → 2.12.2
goreleaser		minor	2.13.3 → 2.15.4
task		minor	3.48.0 → 3.50.0

---

Release Notes

oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)

v2.7.0: : Squashing bugs, many bugs (and adding some features)

Compare Source

Many improvements and even more bug fixes

This v2.7.0 release of oapi-codegen contains quite a bit of internal refactoring, focused on our most historically fragile code paths, which relate to the aggregate types (allOf/anyOf/oneOf), $ref to external specs, enums, and the spec traversal logic missing quite a few leaf nodes where models should have been generated, but were skipped.

The biggest changes are explicitly described in the sections below, and the full list of commits is at the bottom.

Thank you to all contributors, we've been going through all past PR's and updating them and merging where we can, and thanks to all our users for reporting issues that you hit.

I've (@​mromaszewicz) used a lot of LLM help here to scrub through old issues and do some deep internal refactoring to address common problem areas. I intend to continue doing this, since the conditional generation logic is getting quite complicated. When I originally released oapi-codegen, the use case was much simpler, all the models were under #/components/schemas, and all the references to them were in the requests, responses, etc. I never imagine how many things would be external references or unions, and how many complex OpenAPI specifications people would be generating code for. The initial design was never flexible enough to handle that, so ongoing bug fixes are getting increasingly complex due to edge cases. This version has a lot of internal changes you won't see as a user, but the way we handle type generation internally is unifying lots of copy/paste re-implementations into reusable code for consistency. Most of these changes can be done transparently, but some can't, so, onto the changes:

Code generation changes which might require some changes on your end

This release contains three changes, all very narrow in scope, which will require some manual adjustment of your own code. We've decided that these are small enough and uncommon enough not to require opt-in, which causes internal complexity. It's always a judgment call with these. If we got it wrong, we're happy to revisit it in a maintenance release.

Strict-server external response refs require strict-server generation in both packages (#​2357)

If your strict-server spec uses an external $ref to a components/responses/... defined in another spec, that other
spec must also be generated with strict-server: true. Add it to the source spec's config and regenerate:

# config for the spec being $ref'd
generate:
  models: true
  strict-server: true   # now required when imported by a strict-server spec

This restores the v2.0.0 behavior that lets you cast response models across package boundaries — the standard pattern
for sharing error models (e.g. a common 400) across services. PR #​1387 had silently changed the embedded type from N400JSONResponse to the bare externalRef0.N400, so the local and external response structs no longer had
matching types and casts stopped compiling.

Many more anonymous inner schemas are now hoisted into top level schemas

Inline oneOf, anyOf, and additionalProperties schemas embedded directly under an operation's request or response
body now flow through the same boilerplate-emission pipeline as components/schemas, so they get the
As* / From* / Merge* accessor methods they were previously missing. As part of that change, two older naming patterns
are replaced with one pattern, shared with all components:

GetPets_200_Data_Item             →  GetPets200JSONResponseBody_Data_Item
GetPets200JSONResponse_Data_Item  →  GetPets200JSONResponseBody_Data_Item

In practice, we think this shouldn't break anyone, because this change addresses a bug which produced pointless types
with no benefit, and you never interact with these directly, but rather you'd call an accessor on a field of a model.

Strict middleware typedefs are now inlined (#​2271)

StrictHandlerFunc and StrictMiddlewareFunc in generated strict-server code are now inline type definitions instead
of aliases to github.com/oapi-codegen/runtime/strictmiddleware/<framework>. Generated servers no longer import that package.

Before (Echo example):

import strictecho "github.com/oapi-codegen/runtime/strictmiddleware/echo"

type StrictHandlerFunc = strictecho.StrictEchoHandlerFunc
type StrictMiddlewareFunc = strictecho.StrictEchoMiddlewareFunc

After:

type StrictHandlerFunc func(ctx echo.Context, request any) (any, error)
type StrictMiddlewareFunc func(f StrictHandlerFunc, operationID string) StrictHandlerFunc

If your code referenced the per-framework names directly — strictecho.StrictEchoHandlerFunc, strictgin.StrictGinHandlerFunc, strictnethttp.StrictHTTPHandlerFunc, strictiris.StrictIrisHandlerFunc, strictecho5.StrictEcho5HandlerFunc — switch to the local StrictHandlerFunc / StrictMiddlewareFunc exposed by the generated server package, or import runtime/strictmiddleware/<framework> yourself if you really want those names. The underlying signatures are unchanged, so any value satisfying the old type still satisfies the new one.

🎉 Notable changes

Go 1.24 required (#​2264)

oapi-codegen itself now requires Go 1.24.4+ to build and run. The toolchain in your project's go.mod (the one used to invoke the codegen) must be ≥ 1.24.4. The code generated will still likely work on older versions. We had to update to Go 1.24 in order to update some dependencies to address vulnerabilities. Go 1.24 is no longer supported, so our next release will update to Go 1.25,
and the plan is to stay on supported Go versions. I'm not sure if 1.25 will come in v2.8.0 or v2.7.1 yet, but it's imminent. We
have a number of submodules in this repo which exist only to test Go 1.25 routers in a 1.24 module, and it allows us to
simplify.

Unfortunately, some of our transitive dependencies result in a broken build, by default, so you might have to pin these
packages to specific versions:

• github.com/speakeasy-api/jsonpath v0.6.3
• github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 (See #​2015 for some discusion)

Multi-pass type name resolution (#​2213)

Set output-options.resolve-type-name-collisions: true to make the codegen detect identifier collisions across schemas, parameters, request bodies, response components, and operation-derived types — and resolve them deterministically by suffixing the loser. Specs that previously failed to generate because two definitions wanted the same Go name now succeed.

Trivial example. With this spec:

components:
  schemas:
    Status:
      type: string
      enum: [active, archived]
  parameters:
    Status:
      name: status
      in: query
      schema:
        type: string

output-options.resolve-type-name-collisions: true produces:

type Status string                    // from components.schemas.Status
const StatusActive   Status = "active"
const StatusArchived Status = "archived"

type StatusParameter = string         // from components.parameters.Status

Collision resolution is opt-in. Generated identifier names depend on the current set of collisions in the spec;
adding a new schema or parameter later that collides with an existing one will rename the existing one to break the new collision.
That can silently break user code that imports the previously-stable name as the spec drifts. However, despite the drift,
more specs can now correctly generate boilerplate.

Parameter binding matrix (#​2307)

The OpenAPI parameter style × explode × type matrix is now fully supported and round-trips consistently across
every server backend. Path/query/header/cookie parameters across primitive, array, and object types — including
style: form / spaceDelimited / pipeDelimited / deepObject × explode: true/false, and style: simple for headers —
generate the same binding logic on every server, and the client-side encoding is symmetric. The internal parameter test suite (internal/test/parameters/) now exercises every combination through a server round-trip per backend.

If you previously hit an unsupported style error, or saw a parameter serialization work under one backend but not another,
regenerate and the issue should be gone.

You will need to use version v1.4.0 or higher of github.com/oapi-codegen/runtime.

Optional / nullable response headers (#​2301)

For strict-server responses, optional and nullable headers now generate as pointer fields (or nullable.Nullable[T]
when the nullable-types output option is set). The generated server only calls w.Header().Set(...) when the field
is non-nil, so callers can omit optional headers cleanly.

Spec:

responses:
  '200':
    headers:
      X-Required: { required: true, schema: { type: string } }
      X-Optional: { schema: { type: string } }

Before:

type GetFoo200ResponseHeaders struct {
    XRequired string
    XOptional string  // always emitted, even when empty
}

After:

type GetFoo200ResponseHeaders struct {
    XRequired string
    XOptional *string  // nil → header not sent
}

To opt out of this change, set compatibility.headers-implicitly-required: true to restore the previous always-required behavior. This change breaks enough code that we flagified it.

🚀 New features

Echo v5 server support (#​2188)

Echo v5 (the upcoming major version) is now a supported server framework. Generate with generate.echo5-server: true. Echo v4 is unchanged and remains the target of generate.echo-server.

Per-handler middleware in Fiber (#​2302)

Fiber generated servers now accept a HandlerMiddlewares []HandlerMiddlewareFunc slice in FiberServerOptions, applied around every operation handler. The middleware signature is func(c *fiber.Ctx, next fiber.Handler) error, matching Fiber's native middleware pattern. Useful for cross-cutting concerns (auth, logging, metrics) that should run after path-level routing but inside the generated-handler boundary.

Per-operation middleware in Echo (#​2353)

Echo's RegisterHandlersWithOptions now accepts an OperationMiddlewares map[string][]echo.MiddlewareFunc keyed by operationId, attaching middleware to specific operations at registration time:

api.RegisterHandlersWithOptions(e, server, api.RegisterHandlersOptions{
    OperationMiddlewares: map[string][]echo.MiddlewareFunc{
        "createPet": {authMiddleware, auditMiddleware},
        "deletePet": {authMiddleware, adminOnlyMiddleware},
    },
})

Operations with no entry in the map (or a nil map) are registered with no extra middleware. Available for both Echo v4 and Echo v5 generated servers.

Strict-gin error handlers (#​1600)

The Gin strict server now exposes RequestErrorHandlerFunc and ResponseErrorHandlerFunc on StrictServerOptions, matching the pattern already available for the Echo strict server. Bind errors and response-write errors flow through your custom handler instead of using gin's default abort behaviour. Defaults are preserved if you don't set them.

---

☢️ Breaking changes

• Update external-refs to responses in strict-server to fix an old regression (#​2357) @​mromaszewicz
• Overhaul anonymous schema hoisting (#​2348) @​mromaszewicz
• Inline strict middleware typedefs (#​2271) @​mromaszewicz

🎉 Notable changes

• Overhaul anonymous schema hoisting (#​2348) @​mromaszewicz
• fix: clean up and test parameter binding (#​2307) @​mromaszewicz
• support optional/nullable response headers (#​2301) @​mromaszewicz
• Update all dependencies to Go 1.24 (#​2264) @​mromaszewicz
• feat: multi-pass type name resolution (#​2213) @​mromaszewicz

🚀 New features and improvements

• per-operation middleware in Echo (#​2353) @​mromaszewicz
• support all x-* extensions and with ref (#​1880) @​paulmach
• feat(client): Add ContentType() to ClientWithResponses responses (#​2173) @​CJourneaux
• Flagify enum validator generation (#​2334) @​mromaszewicz
• Strictgin error handler (#​1600) @​actatum
• Fix a streaming bug + document streaming through example (#​1765) @​perbu
• Add support for path aliases (#​2312) @​mromaszewicz
• fix: add x-go-name for server urls (#​2304) @​dhpollack
• Support handler-specific middleware for gofiber (#​2302) @​jpetrich
• feat: use http.MethodXXX constants instead of string literals in generated code (#​2294) @​imsugeno
• Generate types from components/securitySchemes to be used as a key in context.WithValue (#​1187) @​nek023
• feat: Support echo/v5 (#​2188) @​jinuthankachan
• feat: multi-pass type name resolution (#​2213) @​mromaszewicz

🐛 Bug fixes

• Route server enums through general enums codegen (#​2358) @​mromaszewicz
• Update external-refs to responses in strict-server to fix an old regression (#​2357) @​mromaszewicz
• respect output file path on gofmt failure (#​2356) @​mromaszewicz
• Strict server: gate no-content response headers on nullable/optional (#​2351) @​mromaszewicz
• Synchronize strict servers (#​2350) @​mromaszewicz
• Overhaul anonymous schema hoisting (#​2348) @​mromaszewicz
• fix: allow x-go-type and x-go-type-skip-optional-pointer for allOf (#​1610) @​turip
• Propagate external refs into allOf (#​2299) @​mromaszewicz
• Add missing case to type generation traversal (#​2298) @​mromaszewicz
• fix: delegate MarshalJSON on strict response types wrapping union refs (#​2332) @​mromaszewicz
• fix: pointer skipping for client query params (#​2330) @​mromaszewicz
• fix: support x-oapi-codegen-extra-tags on path params in strict-server RequestObject (#​2262) @​mromaszewicz
• sanitize param names for http.ServeMux since they must be valid Go identifiers (#​2279) @​mromaszewicz
• Bug Report: demonstration of overlays and allOf not playing together nicely (#​2087) @​nelzblooket
• fix: include additional types for array response type (#​1930) @​viktorasm
• fix: allOf cycle detection oversight (#​2316) @​mromaszewicz
• fix: avoid stack overflow errors when using heavily recursive types (#​1377) @​yoshikipom
• fix: Change FormParams to FormValues for Echo v5 (#​2311) @​nicolasmattelaer
• Fix exploded parameter marshaling and binding inconsistencies (#​2184) @​TelpeNight
• fix(cli): remove unused initialism-overrides option (#​2287) @​gaiaz-iusipov
• fix: getting cookie in fiber middleware (#​2062) @​YATAHAKI
• Fix typo in echo-v5 middleware import (#​2285) @​mromaszewicz
• fix(client): correctly marshal text/plain requests (#​1975) @​jamietanna
• fix: allow response error handler to set status code (#​1963) @​sean-cunniffe
• AllOf : Only stop when merging schemas with multiple discriminators (#​667) @​LelouBil
• fix: use RequiresNilCheck for all params (#​2263) @​mromaszewicz

📝 Documentation updates

• docs: remove non-breaking spaces (#​2328) @​jamietanna
• docs: note that JSON Schema should be pinned (#​2266) @​jamietanna

👻 Maintenance

• refactor(codegen): better Swagger compression, modern naming (#​1909) @​gaiaz-iusipov
• fix example codegen (#​2354) @​mromaszewicz
• Update Greptile settings (#​2345) @​mromaszewicz
• Replace old hand written slice sorting with slices package, and other built-in helpers (#​2305) @​gaiaz-iusipov

📦 Dependency updates

9 changes

• Update YAML package where possible (#​2333) @​mromaszewicz
• chore(deps): update release-drafter/release-drafter action to v7.2.0 (.github/workflows) (#​2322) @​renovate[bot]
• fix(deps): use updated import path for github.com/speakeasy-api/openapi/overlay (#​2231) @​netixx
• fix(deps): update module github.com/getkin/kin-openapi to v0.135.0 (go.mod) (#​2320) @​renovate[bot]
• Update release-drafter config for V7 (#​2317) @​mromaszewicz
• chore(deps): update release-drafter/release-drafter action to v7 (.github/workflows) (#​2293) @​renovate[bot]
• fix(deps): update module github.com/getkin/kin-openapi to v0.134.0 (go.mod) (#​2295) @​ilia-rassadin-rn
• chore(deps): update release-drafter/release-drafter action to v6.3.0 (.github/workflows) (#​2282) @​renovate[bot]
• chore(deps): update oapi-codegen/actions action to v0.6.0 (.github/workflows) (#​2273) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v2.6.0: : 7th anniversary release 🎂

Compare Source

For those that aren't aware, 7 years ago to the day, oapi-codegen was born!

(Well, technically it's tonight at midnight UTC, but who's splitting hairs?)

There's nothing too special planned for today, but we thought it'd be the perfect time to cut a slice of cake a release!

🎉 Notable changes

New generated code requires oapi-codegen/runtime v1.2.0+

As part of #​2256, github.com/oapi-codegen/runtime v1.2.0 is needed alongside github.com/oapi-codegen/oapi-codegen, for new generated code.

This is providing a more future-proofed means to bind parameters.

See the release notes for the runtime package, and #​2256 for more information.

oapi-codegen was part of the GitHub Secure Open Source Fund

oapi-codegen was one of the projects taking part in the third GitHub Secure Open Source Fund session.

We've written up more about what we've learned, and have some more things to share with you over the coming months about lessons we've learned and improvements we've taken that we can share.

We were pretty chuffed to be selected, and it's already helped improve our security posture as a project, which is also very important for the wider ecosystem!

go directive bump in next release

Long-time users will be aware that we work very hard to try and keep our requirement for Go source compatibility, through the go directive, especially as we recommend folks use oapi-codegen as a source-tracked dependency.

For more details about this, see our Support Model docs.

In the next minor release, we'll be setting our minimum go directive to Go 1.24 (End-of-Life on 2026-02-11), as it's required for a number of dependencies of ours to be updated any higher, and a change to the module import path for Speakeasy's OpenAPI Overlay library requires us fix this centrally for our users to be able to continue updating their libraries.

[!NOTE]
Nothing is changing as part of v2.6.0, this is a pre-announcement for v2.7.0.

Behind the scenes cleanup

There's also been some work behind-the-scenes to try and clean up outstanding issues (of which we know there are many!) that have been fixed, as well as Marcin's work on trying to do some more significant rework of the internals with help from Claude.

There's still, as ever, work to go with this - as we've mentioned before, sponsoring our work would be greatly appreciated, so we can continue to put in the work, considering this is a widely used and depended on project.

🚀 New features and improvements

• feat: Pass schema type/formats to runtime v1.2.0 to allow better parameter serialization (#​2256) @​mromaszewicz
• feat: add Valid() method to generated enum types (#​2227) @​mromaszewicz
• Support nullable slice elements and map values (#​2185) @​iamtakingiteasy
• feat: add configurable type mapping for OpenAPI primitive types (#​2223) @​mromaszewicz
• Support unions with multiple mappings pointing to a single underlying type (#​2071) @​tobio
• feat: add support for custom package alias for external ref imports (#​2211) @​InventivetalentDev
• feat(output-options): add resolve-type-name-collisions to avoid name collisions (#​200) @​mgurevin
• Adopt fiber middleware template for updated GetReqHeaders() method signature (#​1419) @​getBolted

🐛 Bug fixes

• fix: qualify external ref schema types in default response codes (#​2241) @​mromaszewicz
• fix: add omitempty to optional nullable fields (#​2221) @​mromaszewicz
• fix(codegen): generate nullable.Nullable in arrays (#​2242) @​jamietanna
• fix: support x-oapi-codegen-extra-tags on parameter schemas (#​2232) (#​2235) @​mromaszewicz
• fix(templates/client): correctly nil check query parameters (#​2237) @​jamietanna
• fix(server-urls): restore generation of constants (#​2239) @​jamietanna
• fix(server-urls): use URL in GoDoc if description is empty (#​2226) @​jamietanna
• fix: set indentation to 2 when marshalling spec for overlay (#​2172) @​wndhydrnt
• fix: handle optional request bodies in strict server mode (#​2222) @​mromaszewicz
• fix(strict-server): generate correct type for $ref text responses (#​2225) @​mromaszewicz
• Fix schema gathering oversight (#​2219) @​mromaszewicz
• fix: handle duplicate path parameters in OpenAPI specs (#​2220) @​mromaszewicz
• fix: escape quoted media type directives (#​2217) @​brahmlower
• Fix Iris strict server for no content case (#​1411) @​ShouheiNishi
• Fixes type collision for enum values that start with _ (underscore) (#​1438) @​ula

📝 Documentation updates

• chore: readme update (#​2209) @​mromaszewicz
• docs: fix link to example (#​1884) @​rkosegi
• docs(extensions): correct links to examples (#​1836) @​yuro241
• docs(sponsors): update section (#​2195) @​jamietanna
• docs(sponsors): remove Elastic as a sponsor (#​2083) @​jamietanna

👻 Maintenance

• chore(renovate): add module path to security updates + override test-only dependencies' label (#​2249) @​jamietanna
• Configure Greptile code review (#​2236) @​mromaszewicz
• style(gofix): Apply go fix (#​2229) @​gaiaz-iusipov
• Run golangci-lint on a supported Go version (#​2215) @​mromaszewicz
• refactor(internal): move Fiber tests into their own modules (#​2212) @​mromaszewicz
• build: use a re-usable, single, workflow for running CI (#​2205) @​jamietanna
• fix(renovate): only run make tidy after Go module updates (#​2159) @​jamietanna
• chore(renovate): run make tidy after dependency updates to go.mod (#​2150) @​jamietanna

📦 Dependency updates

8 changes

• chore(deps): update module github.com/golangci/golangci-lint to v2.10.1 (makefile) (#​2153) @​renovate[bot]
• chore(deps): update github/codeql-action action to v4.32.4 (.github/workflows) (#​2157) @​renovate[bot]
• chore(deps): update actions/setup-go action to v6.3.0 (.github/workflows) (#​2164) @​renovate[bot]
• chore(deps): update actions/checkout action to v6 (.github/workflows) - autoclosed (#​2165) @​renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v6.2.0 (.github/workflows) (#​2253) @​renovate[bot]
• chore(deps): update actions/upload-artifact action to v7 (.github/workflows) (#​2254) @​renovate[bot]
• chore(deps): update dessant/label-actions action to v5 (.github/workflows) (#​2255) @​renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v6.1.0 (.github/workflows) (#​2132) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

oapi-codegen/runtime (github.com/oapi-codegen/runtime)

v1.4.0: Parameter handling improvements and fixes

Compare Source

This release fixes some missing edge cases in parameter binding and styling. We now handle all the permutations of style and explode, for the first time. Lots of tests have been added to catch regressions.

🚀 New features and improvements

• Improve deepobject unmarshalling to support nullable.Nullable and encode.TextUnmarshaler (#​45) @​j-waters
• feat: support spaceDelimited and pipeDelimited query parameter binding (#​117) @​mromaszewicz

🐛 Bug fixes

• Fix form/explode=false incorrectly splitting primitive string values on commas (#​119) @​f-kanari

📦 Dependency updates

• fix(deps): update module github.com/labstack/echo/v4 to v4.15.1 (#​105) @​renovate[bot]
• fix(deps): update module github.com/labstack/echo/v5 to v5.1.0 (#​120) @​renovate[bot]
• chore(deps): update release-drafter/release-drafter action to v7 (#​113) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.3.1: Fix a parameter binding regression

Compare Source

v1.3.0 introduced a regression around binding styled parameters into primitive type destinations. This regression was due to a
fix in binding matrix and label parameters. Sorry about that.

🐛 Bug fixes

• Fix regression in binding simple parameters (#​115) @​mromaszewicz

Sponsors

We would like to thank our sponsors for their support during this release.

v1.3.0: Echo V5, more parameter handling options, bug fixes

Compare Source

🚀 New features and improvements

• feat: improve parameter handling (#​109) @​mromaszewicz
  Parameters now support the allowReserved property from OpenAPI 3.0.
• feat: add support for echo v5 (#​89) @​jinuthankachan

🐛 Bug fixes

• Fix: Query param deepObject return without assign on !required (#​68) @​voro015
• fix: strip style prefix for label/matrix primitive parameters (#​99) (#​100) @​mromaszewicz
• fix: parse un-exploded query param to map (#​101) @​alexdulin
• fix: respect Binder interface for primitive types in BindStringToObject (#​86) @​vikstrous

👻 Maintenance

• chore: Update to go 1.24 (#​111) @​mromaszewicz

📦 Dependency updates

• chore: Update to go 1.24 (#​111) @​mromaszewicz

Sponsors

We would like to thank our sponsors for their support during this release.

v1.2.0: Parameter binding extensions, bug fixes, dependency updates

Compare Source

Notable Changes

The main change in this release is the addition of new Parameter binding and styling functions, which allow the code generator to pass in the type and format from the spec. Previously, we inferred what we wanted to do based on the destination type, however, it's not always possible to decide this without information about the specification.

🚀 New features and improvements

• feat: add BindRawQueryParameter for correct comma handling (#​92) @​mromaszewicz
• fix: add TypeHint-aware parameter binding and styling for []byte (#​97) (#​98) @​mromaszewicz
• Support array of objects parameters (#​40) @​danicc097
• Allow BindStyledParameterWithOptions to fill maps (#​72) @​JoZie

🐛 Bug fixes

• fix: bind Date and Time query params as scalar values (#​21) (#​93) @​mromaszewicz
• fix: support non-indexed deepObject array unmarshaling (#​22) (#​96) @​mromaszewicz
• fix: correct time.Time date-only fallback parsing in deepObject (#​95) @​mromaszewicz
• Refactor date parsing error handling (#​88) @​jsnfwlr
• fix: improve email validation using net/mail package (#​60) @​sniperwolf
• Fix deepObject marshalling losing json number format/precision (#​29) @​mgabeler-lee-6rs
• Fix issue 55 (#​56) @​mikhalytch
• fix(deepobject): support nested objects in deepObject arrays (#​84) @​adrianbrad

👻 Maintenance

• feat(fix): bump gin version (#​51) @​Gamawn
• Update golang.org/x/crypto to v0.32.0 (#​59) @​kojustin
• Updated Golang reference to address security vulnerability (#​57) @​ivan-manzhulin
• Fix linter errors (#​85) @​mromaszewicz
• build: capture govulncheck results as Code Scanning alerts (#​80) @​jamietanna

📦 Dependency updates

• chore(deps): update release-drafter/release-drafter action to v6 (#​31) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

golang/go (go)

v1.26.3

Compare Source

v1.26.2

Compare Source

v1.26.1

Compare Source

golangci/golangci-lint (golangci-lint)

v2.12.2

Compare Source

Released on 2026-05-06

1. Linters bug fixes
   • gomodguard_v2: fix blocked configuration
   • gomodguard_v2: from 2.1.0 to 2.1.3
   • iface: from 1.4.1 to 1.4.2

v2.12.1

Compare Source

Released on 2026-05-01

1. Linters bug fixes
   • gomodguard_v2: fix panic with migration suggestion
2. Misc.
   • fix install.sh script (if you are still using an URL based on the branch master, please update to use https://golangci-lint.run/install.sh)

v2.12.0

Compare Source

Released on 2026-05-01

1. New linters
   • Add clickhouselint linter https://github.com/ClickHouse/clickhouse-go-linter
2. Linters new features or changes
   • dupl: from f665c8d to c99c5cf (extended detection)
   • funcorder: from 0.5.0 to 0.6.0 (new option: function)
   • goconst: add an option to ignore strings from tests
   • goconst: from 1.8.2 to 1.10.0 (extended detection)
   • gomodguard_v2: from 1.4.1 to 2.1.0 (major version with new configuration)
   • gosec: from 619ce21 to 2.26.1 (new checks: G124, G708, G709, G710)
   • govet: add inline analyzer
   • makezero: from 2.1.0 to 2.2.1 (support slice type aliases)
   • paralleltest: expose checkcleanup option
   • sloglint: from 0.11.1 to 0.12.0 (new options: allowed-keys, custom-funcs)
   • wsl_v5: from 5.6.0 to 5.8.0 (new option: cuddle-max-statements; new checks: after-decl, after-defer, after-expr, after-go, cuddle-group)
3. Linters bug fixes
   • forbidigo: from 2.3.0 to 2.3.1
   • godot: from 1.5.4 to 1.5.6
   • govet-modernize: from 0.43.0 to 0.44.0
   • ireturn: from 0.4.0 to 0.4.1
   • rowserrcheck: from 1.1.1 to [c5f79b8](https://redirect.github.com/golangci/golangci-lint/commit/c5f7

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[cnap-tech-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[cnap-tech-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
github.com/getkin/kin-openapi	v0.133.0 -> v0.135.0
github.com/mailru/easyjson	v0.9.0 -> v0.9.1
github.com/oasdiff/yaml	v0.0.0-20250309154309-f31be36b4037 -> v0.0.9
github.com/oasdiff/yaml3	v0.0.0-20250309153720-d2182401db90 -> v0.0.9
github.com/speakeasy-api/jsonpath	v0.6.0 -> v0.6.3
github.com/woodsbury/decimal128	v1.3.0 -> v1.4.0
golang.org/x/sys	v0.41.0 -> v0.44.0