⬆️ Bump the gomod-deps group across 1 directory with 8 updates

[dependabot]

Bumps the gomod-deps group with 7 updates in the / directory:

Package	From	To
github.com/arran4/golang-ical	0.3.2	0.3.5
github.com/go-sql-driver/mysql	1.9.3	1.10.0
github.com/labstack/echo-contrib	0.17.4	0.50.1
github.com/samber/lo	1.52.0	1.53.0
go.uber.org/zap	1.27.1	1.28.0
golang.org/x/oauth2	0.34.0	0.36.0
google.golang.org/api	0.258.0	0.277.0

Updates github.com/arran4/golang-ical from 0.3.2 to 0.3.5

Release notes

Sourced from github.com/arran4/golang-ical's releases.

v0.3.5

What's Changed

• Added RRULE parsing and docs by @​solarkennedy in arran4/golang-ical#133

New Contributors

• @​solarkennedy made their first contribution in arran4/golang-ical#133

Full Changelog: arran4/golang-ical@v0.3.4...v0.3.5

v0.3.4

What's Changed

• Expose BaseProperty.SerializeTo() by @​gabe565 in arran4/golang-ical#131

Full Changelog: arran4/golang-ical@v0.3.3...v0.3.4

v0.3.3

What's Changed

• Fixed parse URL example by @​tobias-kuendig in arran4/golang-ical#118
• build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 by @​dependabot[bot] in arran4/golang-ical#121
• Handle all supported types in ParseComponent switch by @​google-labs-jules[bot] in arran4/golang-ical#127
• Update macOS runner in CI to macos-latest by @​google-labs-jules[bot] in arran4/golang-ical#128
• Refactor SetGeo to use generics by @​google-labs-jules[bot] in arran4/golang-ical#125
• Allow properties to exist after components by @​edds in arran4/golang-ical#124

New Contributors

• @​tobias-kuendig made their first contribution in arran4/golang-ical#118
• @​google-labs-jules[bot] made their first contribution in arran4/golang-ical#127
• @​edds made their first contribution in arran4/golang-ical#124

Full Changelog: arran4/golang-ical@v0.3.2...v0.3.3

Commits

• 90ccd98 Merge pull request #133 from solarkennedy/rrule_support
• 4cbb73d Added RRULE parsing and docs
• d999380 Merge pull request #131 from gabe565/expose-base-property-serialize
• 1dfdbab Expose BaseProperty.SerializeTo()
• 3cef482 Merge pull request #124 from edds/allow-properties-after-components
• e117db9 Fix tests for WithUnknownPropertyHandler migration
• b55b780 Update tests to use new unknown property handler
• 8d5c561 Use of fallback call back functions via a type switched varidict arg effectiv...
• e44e014 Merge pull request #125 from arran4/refactor-setgeo-generics-6807043029383642851
• c14752e Merge branch 'master' into refactor-setgeo-generics-6807043029383642851
• Additional commits viewable in compare view

Updates github.com/go-sql-driver/mysql from 1.9.3 to 1.10.0

Release notes

Sourced from github.com/go-sql-driver/mysql's releases.

v1.10.0

What's Changed

• add Go 1.24 to the test matrix by @​shogo82148 in go-sql-driver/mysql#1681
• modernize for Go 1.22 by @​methane in go-sql-driver/mysql#1695
• test stability improvement. by @​methane in go-sql-driver/mysql#1698
• simplify collation tests by @​methane in go-sql-driver/mysql#1700
• fix bigint unsigned null column scan to err type int64 by @​elonnzhang in go-sql-driver/mysql#1612
• Transaction Commit/Rollback returns conn's cached error, if present by @​brad-defined in go-sql-driver/mysql#1691
• add BenchmarkReceive10kRowsCompress by @​methane in go-sql-driver/mysql#1704
• optimize readPacket by @​methane in go-sql-driver/mysql#1705
• MariaDB Metadata skipping and DEPRECATE_EOF by @​rusher in go-sql-driver/mysql#1708
• Optimization: statements reuse previous column name by @​methane in go-sql-driver/mysql#1711
• update outdated MySQL internals documentation links by @​demouth in go-sql-driver/mysql#1714
• fix PING on compressed connections by @​methane in go-sql-driver/mysql#1721
• add DeepWiki badge by @​methane in go-sql-driver/mysql#1722
• Update edwards25519 dependency to v1.1.1 by @​williamhaw in go-sql-driver/mysql#1749
• Configure Dependabot for Go modules by @​methane in go-sql-driver/mysql#1755
• Bump dominikh/staticcheck-action from 1.3.1 to 1.4.1 by @​dependabot[bot] in go-sql-driver/mysql#1759
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in go-sql-driver/mysql#1760
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1757
• fix staticcheck error by @​methane in go-sql-driver/mysql#1761
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1758
• Fix getSystemVar buffer reuse by @​morgo in go-sql-driver/mysql#1754
• Consolidate Dependabot update noise by grouping weekly dependency PRs by @​Copilot in go-sql-driver/mysql#1762
• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 by @​dependabot[bot] in go-sql-driver/mysql#1756
• CI: Update GitHub Actions Go matrix to 1.24–1.26 by @​Copilot in go-sql-driver/mysql#1763
• Enhance interpolateParams to correctly handle placeholders by @​rusher in go-sql-driver/mysql#1732
• modernize by @​methane in go-sql-driver/mysql#1764
• release v1.10.0 by @​methane in go-sql-driver/mysql#1765

New Contributors

• @​elonnzhang made their first contribution in go-sql-driver/mysql#1612
• @​brad-defined made their first contribution in go-sql-driver/mysql#1691
• @​rusher made their first contribution in go-sql-driver/mysql#1708
• @​demouth made their first contribution in go-sql-driver/mysql#1714
• @​williamhaw made their first contribution in go-sql-driver/mysql#1749
• @​dependabot[bot] made their first contribution in go-sql-driver/mysql#1759
• @​morgo made their first contribution in go-sql-driver/mysql#1754
• @​Copilot made their first contribution in go-sql-driver/mysql#1762

Full Changelog: go-sql-driver/mysql@v1.9.2...v1.10.0

Changelog

Sourced from github.com/go-sql-driver/mysql's changelog.

v1.10.0 (2026-04-28)

• Fix getSystemVar("max_allowed_packet") potentially returned wrong value. (#1754) This affects only when maxAllowedPacket=0 is set.

• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0. (#1756) While older versions have reported CVEs, they do not affect go-mysql.

• Update Go versions to 1.24-1.26. (#1763)

• Enhance interpolateParams to correctly handle placeholders. (#1732) The question mark (?) within strings and comments will no longer be treated as a placeholder.

Commits

• a065b60 release v1.10.0 (#1765)
• 09e4187 modernize (#1764)
• 6c44a9a Enhance interpolateParams to correctly handle placeholders (#1732)
• 688ce56 Update supported Go version to 1.24–1.26 (#1763)
• 118d07f Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 (#1756)
• d6b2d3e Consolidate Dependabot update noise by grouping weekly dependency PRs (#1762)
• 037dfd8 Fix getSystemVar buffer reuse (#1754)
• 900f330 Bump actions/checkout from 4 to 6 (#1758)
• ab9e380 fix staticcheck error (#1761)
• f298c66 Bump actions/setup-go from 5 to 6 (#1757)
• Additional commits viewable in compare view

Updates github.com/labstack/echo-contrib from 0.17.4 to 0.50.1

Release notes

Sourced from github.com/labstack/echo-contrib's releases.

Echo 5 support is located in echo-contrib/v5 series

Echo 5 support was introduced in this repository with the v0.50.0 release. However, this also means that users who are still on Echo 4 and run go get -u ./... will inadvertently pull in Echo 5, which they neither want nor need at this time.

v0.50.0 will be retracted in v0.18.0 series and v0+ will only support Echo 4. For Echo 5 support use v5 major version of this repository.

Full Changelog: labstack/echo-contrib@v0.17.4...v0.50.1

Relates to labstack/echo-contrib#142

V5 is out

See: https://github.com/labstack/echo/releases/tag/v5.0.0

Retract v0.50.0

Echo 5 support was introduced in this repository with the v0.50.0 release. However, this also means that users who are still on Echo 4 and run go get -u ./... will inadvertently pull in Echo 5, which they neither want nor need at this time.

v0.50.0 will be retracted in v0.18.0 series and v0+ will only support Echo 4. For Echo 5 support use v5 major version of this repository.

Full Changelog: labstack/echo-contrib@v0.17.4...v0.18.0

Relates to labstack/echo-contrib#142

Commits

• 10a7ed0 Update deps
• 6d55282 Retract v0.50.0 release
• 6c28e2b Update deps (#139)
• 109512b Update deps (last one did not update to latest) (#132)
• See full diff in compare view

Updates github.com/labstack/echo/v4 from 4.14.0 to 4.15.0

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

• Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

  Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

• Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

  Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,

... (truncated)

Commits

• 482bb46 v4.15.0 changelog
• d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
• f3fc618 CRSF with Sec-Fetch-Site checks
• 4dcb9b4 licence headers
• cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
• 6b14f4e Add Context.Get generic functions
• 321530d disable test - returns different error under Windows
• c8abd9f disable flaky test
• 9fe43f7 fix Rate limiter disallows fractional rates
• 1b5122a document things to reduce false positives
• Additional commits viewable in compare view

Updates github.com/samber/lo from 1.52.0 to 1.53.0

Release notes

Sourced from github.com/samber/lo's releases.

v1.53.0

Announcing the latest release of lo with lots of good gifts! 🎁

🌊 First, a big thanks to @​d-enk for making lots of performance improvements in the recent weeks.

🧪 Second, this release introduces a new simd experimental package. If you run on an amd64 architecture and a recent CPU, you can perform very fast operations thanks to SIMD CPU instructions. -> Documentation: https://lo.samber.dev/docs/experimental/simd

💥 Third, this version adds *Err variants of many lo helpers (like MapErr, FlatMapErr, ReduceErr, etc.) whose callbacks can return an error and short-circuit execution when one occurs.

[!NOTE] The simd sub-package is considered not stable. We might break the initial API based on developers' feedback in the coming months.

---

Features & improvements

• feat: adding SIMD helpers by @​samber in samber/lo#801
• feat: adding Error variants: MapErr, FlatMapErr, ReduceErr... by @​samber in samber/lo#823
• feat: support for buffer iterator by @​mimol91 in samber/lo#824
• feat: add Take, TakeWhile, FilterTake, Window, and Sliding functions by @​juliazadorozhnaya in samber/lo#760
• feat: add a Concat slice function. by @​FGasper in samber/lo#714
• feat: add iterator slice helpers by @​juliazadorozhnaya in samber/lo#791
• feat(it): adding loit.Concat by @​samber in samber/lo#722
• feat: Allow Union/Intersect to take many lists by @​frankywahl in samber/lo#181
• feat: Add Clone function to return shallow copy of slice collections by @​quexer in samber/lo#732
• feat: IntersectBy by @​ghosx in samber/lo#653
• feat: Support Custom Assert by @​RelicOfTesla in samber/lo#755
• feat: Must support Custom error handler. by @​RelicOfTesla in samber/lo#752
• feat: WithoutNth handle non-comparable types by @​urisimchoni in samber/lo#774
• refactor: remove unnecessary type arguments in NewThrottle by @​d-enk in samber/lo#773
• refactor: lo.IntersectBy + adding loit.IntersectBy + adding doc by @​samber in samber/lo#739
• fix: rename IsSortedByKey to IsSortedBy by @​NathanBaulch in samber/lo#735
• fix(iter/tuples): support break iteration over Zip[By] seq by @​d-enk in samber/lo#757
• fix(it.Mode): align behavior with lo.Mode and ensure consistent slice… by @​intojhanurag in samber/lo#711
• fix: improve Clone function to preserve nilness and avoid liveness issues by @​quexer in samber/lo#740
• fix: reset n counter per iteration in it.Replace by @​LikimiaD in samber/lo#799
• fix: make Ellipsis operate on runes instead of bytes to prevent Unicode truncation by @​veeceey in samber/lo#796
• fix: correct DropByIndex handling of negative indices out of bounds by @​d-enk in samber/lo#778

Deprecation

• refactor: remove helpers deprecated for more than 3y by @​samber in samber/lo#810

Performance improvements

• feat: Optimize UniqMap to reduce unnecessary slice preallocation by @​ivolkoff in samber/lo#710
• refactor(it): simplify DropLast, TrimSuffix, TrimPrefix and use range loops by @​d-enk in samber/lo#782
• bench: fix iterators to actually iterate in benchmarks by @​d-enk in samber/lo#781
• refactor: simplify slice cut/trim prefix/suffix functions by @​d-enk in samber/lo#787
• perf: optimize Sliding by pre-allocating result capacity by @​d-enk in samber/lo#783

... (truncated)

Commits

• cf6fb4f bump v1.53.0
• 56ef3be feat: support for buffer iterator (#824)
• 6a9f881 💄
• 7f0c2e0 feat: adding UnzipByErrX helpers
• af46a13 feat: adding RejectErr helpers
• 6f42e74 doc: improve examples
• ff0e293 feat: adding FilterErr helpers
• 4bb58fd feat: adding RepeatByErr helpers
• 72a33aa feat: adding FilterKeysErr + FilterValuesErr helpers
• dd1d58e feat: adding FindDuplicatesByErr helper
• Additional commits viewable in compare view

Updates go.uber.org/zap from 1.27.1 to 1.28.0

Release notes

Sourced from go.uber.org/zap's releases.

v1.28.0

Enhancements:

• #1534[]: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

#1534: uber-go/zap#1534

Changelog

Sourced from go.uber.org/zap's changelog.

1.28.0 (27 Apr 2026)

Enhancements:

• #1534[]: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

Commits

• 5b81b37 release v1.28.0 (#1547)
• 0ab0d5a zapcore: Add PreWriteHook for transforming entries before write (#1534)
• d278c59 [chore] CI: test on Go 1.26 (#1535)
• 16fb16b chore(dep): replace archived gopkg.in/yaml.v3 with officially maintained go.y...
• See full diff in compare view

Updates golang.org/x/oauth2 from 0.34.0 to 0.36.0

Commits

• 4d954e6 all: upgrade go directive to at least 1.25.0 [generated]
• 89ff2e1 google: add safer credentials JSON loading options.
• See full diff in compare view

Updates google.golang.org/api from 0.258.0 to 0.277.0

Release notes

Sourced from google.golang.org/api's releases.

v0.277.0

0.277.0 (2026-04-29)

Features

• all: Auto-regenerate discovery clients (#3567) (3958295)
• all: Auto-regenerate discovery clients (#3571) (ca9851e)
• all: Auto-regenerate discovery clients (#3574) (8efb1af)
• all: Auto-regenerate discovery clients (#3575) (de49bb5)
• all: Auto-regenerate discovery clients (#3577) (ce68c87)
• all: Auto-regenerate discovery clients (#3578) (8be033e)
• all: Auto-regenerate discovery clients (#3579) (bc6990e)
• all: Auto-regenerate discovery clients (#3580) (2de1a5a)
• all: Auto-regenerate discovery clients (#3581) (0c219d9)

Bug Fixes

• idtoken: Avoid double impersonation in tokenSourceFromBytes (#3576) (75172cf), refs #2301

v0.276.0

0.276.0 (2026-04-14)

Features

• all: Auto-regenerate discovery clients (#3561) (dd3f1bb)
• all: Auto-regenerate discovery clients (#3565) (7c11b5a)
• all: Auto-regenerate discovery clients (#3566) (54188cf)

v0.275.0

0.275.0 (2026-04-07)

Features

• all: Auto-regenerate discovery clients (#3557) (2b2ef99)
• all: Auto-regenerate discovery clients (#3560) (9437d4d)

v0.274.0

0.274.0 (2026-04-02)

Features

• all: Auto-regenerate discovery clients (#3555) (0e634ae)

v0.273.1

0.273.1 (2026-03-31)

... (truncated)

Changelog

Sourced from google.golang.org/api's changelog.

0.277.0 (2026-04-29)

Features

• all: Auto-regenerate discovery clients (#3567) (3958295)
• all: Auto-regenerate discovery clients (#3571) (ca9851e)
• all: Auto-regenerate discovery clients (#3574) (8efb1af)
• all: Auto-regenerate discovery clients (#3575) (de49bb5)
• all: Auto-regenerate discovery clients (#3577) (ce68c87)
• all: Auto-regenerate discovery clients (#3578) (8be033e)
• all: Auto-regenerate discovery clients (#3579) (bc6990e)
• all: Auto-regenerate discovery clients (#3580) (2de1a5a)
• all: Auto-regenerate discovery clients (#3581) (0c219d9)

Bug Fixes

• idtoken: Avoid double impersonation in tokenSourceFromBytes (#3576) (75172cf), refs #2301

0.276.0 (2026-04-14)

Features

• all: Auto-regenerate discovery clients (#3561) (dd3f1bb)
• all: Auto-regenerate discovery clients (#3565) (7c11b5a)
• all: Auto-regenerate discovery clients (#3566) (54188cf)

0.275.0 (2026-04-07)

Features

• all: Auto-regenerate discovery clients (#3557) (2b2ef99)
• all: Auto-regenerate discovery clients (#3560) (9437d4d)

0.274.0 (2026-04-02)

Features

• all: Auto-regenerate discovery clients (#3555) (0e634ae)

0.273.1 (2026-03-31)

Bug Fixes

• Merge duplicate x-goog-request-params header (#3547) (2008108)

... (truncated)

Commits

• dd598a6 chore(main): release 0.277.0 (#3568)
• b208a86 chore(all): update all (#3573)
• 0c219d9 feat(all): auto-regenerate discovery clients (#3581)
• 75172cf fix(idtoken): avoid double impersonation in tokenSourceFromBytes (#3576)
• 2de1a5a feat(all): auto-regenerate discovery clients (#3580)
• 60b0784 chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in /inter...
• bc6990e feat(all): auto-regenerate discovery clients (#3579)
• 8be033e feat(all): auto-regenerate discovery clients (#3578)
• ce68c87 feat(all): auto-regenerate discovery clients (#3577)
• de49bb5 feat(all): auto-regenerate discovery clients (#3575)
• Additional commits viewable in compare view