Skip to content

chore(deps/gin)(deps): bump the gin-deps group across 1 directory with 2 updates#32

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/adapters/gin/gin-deps-8aa9b61dc3
Open

chore(deps/gin)(deps): bump the gin-deps group across 1 directory with 2 updates#32
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/adapters/gin/gin-deps-8aa9b61dc3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown

Bumps the gin-deps group with 2 updates in the /adapters/gin directory: github.com/devituz/lagodev and github.com/gin-gonic/gin.

Updates github.com/devituz/lagodev from 0.20.2 to 0.26.0

Release notes

Sourced from github.com/devituz/lagodev's releases.

v0.26.0 — production hardening

A fleet of adversarial test agents (load, fuzz, injection, leak, security) probed every subsystem like a real attacker. This release ships the root-cause fixes plus extensive new regression/fuzz/stress tests.

Critical fixes

  • web: panicking handler returned an empty 200 instead of 500 — recovery now writes the 500.
  • web/router: Get("/") crashed net/http at startup — fixed empty-prefix path join.
  • admin: panel was open by default → now fail-closed (no Authorizer = 403); added WithInsecureAllowAll() opt-in. Runtime behavior change.
  • validation: data race on the global regex cache → sync.RWMutex.
  • openapi: stack overflow on recursive types → inline cycle guard.

High / medium fixes

  • query: operator injection via Where(col,op,val) → operator whitelist + strict column quoting.
  • realtime: goroutine flood under broadcast storms to a slow consumer → single CAS-guarded teardown.
  • telescope: unbounded N+1 map → FIFO cap; added RequireBasicAuth.
  • process: timeout leaked the child process tree → process-group kill.
  • cache: thundering herd in Remember → per-key single-flight; tighter TTL sweep.

Production safety

  • graphql: configurable DoS limits (depth/nodes/aliases/bytes/tokens) + introspection toggle. Handler(cs, ...Option) backward-compatible.
  • New fuzz/stress/injection/security suites across the framework.
  • drivers/redis: tests no longer need a live server.

Quality

go test -race green (55 packages) · go vet + gofmt clean · govulncheck: no vulnerabilities.

⚠️ Upgrade note: if you mount the admin panel without an Authorizer, add one (production) or admin.WithInsecureAllowAll() (local) — it is now fail-closed.

v0.25.0 — framework-grade docs + resilience/observability/search

Framework-grade hardening release. All changes are additivego get github.com/devituz/lagodev@v0.25.0 is backward-compatible.

Highlights

  • 24 new documentation guides under docs/ covering every subsystem, plus a Laravel/Django/NestJS/Express comparison and a benchmarks guide with measured numbers.
  • resilience — implemented the advertised primitives: Retry (constant/exponential/jitter backoff), Timeout, Bulkhead, RateLimiter. All compose with Wrap/Do[T].
  • observability — HTTP integration layer: Middleware, NewRoundTripper, MetricsHandler (Prometheus text), Provider.
  • searchSearchable + Indexer model auto-indexing (ORM-agnostic).
  • README rebranded from "template" to a full-stack framework.

Security

Cleared all open Dependabot advisories: grpc → v1.81.1 (critical), fiber → v2.52.13 (2 criticals), go-redis → v9.21.0, chi → v5.3.0, x/crypto + x/net bumped in adapters/grpc.

Quality

go vet + gofmt clean · go test -race green (55 packages) · govulncheck: no vulnerabilities.

Changelog

Sourced from github.com/devituz/lagodev's changelog.

v0.26.0 — 2026-06-25

Production-hardening release. A fleet of adversarial test agents (load, fuzz, injection, leak, and security probes) was run against every subsystem like a real attacker; this release ships the root-cause fixes they surfaced plus extensive new regression/fuzz/stress tests. go test -race ./... green (55 packages), go vet + gofmt clean, govulncheck clean.

Fixed — critical

  • web — panicking handler returned an empty 200. The recovery middleware produced an error that never reached the writer, so a panic surfaced as a blank 200 OK instead of 500. Recovery now writes the 500 directly (guarded against double-write).
  • web / routerGet("/") crashed at startup. A root route rendered an empty mux pattern ("GET "), panicking net/http; any app with a root route died on Run/Test. joinPath now returns / for the empty prefix.
  • admin — panel was open by default. With no Authorizer, every CRUD route served unauthenticated. Changed to fail-closed: no authorizer ⇒ all routes 403. Added WithInsecureAllowAll() as the explicit opt-in. Constructor signature unchanged; this is a runtime behavior change — apps that relied on the open default must add an Authorizer (production) or WithInsecureAllowAll.
  • validation — data race on the regex cache. Concurrent requests using a regex rule raced the package-global cache map (a latent concurrent map writes fatal). Guarded with a sync.RWMutex.
  • openapi — stack overflow on recursive types. SchemaOf/SchemaFor had no cycle guard on the inline path; a self-referential struct crashed the process. Added a recursion guard that emits a bounded object schema on cycle.

Fixed — high / medium

  • query — operator injection. Where(col, op, val) / Having wrote the caller-supplied operator verbatim into the SQL; now validated against a whitelist (normalizeOp), and predicate columns are strictly quoted.
  • realtime — goroutine flood under broadcast storms. A slow consumer under DisconnectClient spawned a teardown goroutine per dropped frame; now a single CAS-guarded teardown per client.
  • telescope — unbounded N+1 map. Query bookkeeping for never-terminating request ids grew without bound; now FIFO-capped. Added RequireBasicAuth for gating the dashboard.
  • process — timeout leaked the child process tree. CommandContext killed only the direct child; a backgrounded grandchild kept the pipe open so Run blocked for the child's full lifetime. Now runs the child in its own process group and kills the group on timeout (WaitDelay backstop; Windows handled).
  • cache — thundering herd + retention window. Concurrent Remember of a missing key ran the producer N times; added per-key single-flight. Tightened the expired-key sweep interval so write-only short-TTL keys are reclaimed promptly.

Added — production safety

... (truncated)

Commits
  • d6685f8 fix: production hardening — adversarial test sweep root-cause fixes (v0.26.0)
  • b50310a feat: framework-grade docs + resilience/observability/search APIs (v0.25.0)
  • 15b3176 chore(deps): clear Dependabot advisories across submodules and examples
  • 434871c feat: complete competitive gap matrix (v0.24.0)
  • 2daf6da docs: CHANGELOG v0.23.0 (API-first)
  • 528b03d feat(openapi,collection): OpenAPI 3.1 generator + generic collections (v0.23)
  • 18babef docs: CHANGELOG v0.22.0 (application core)
  • 79860ca feat(resource): API resource / serializer layer (v0.22 piece 4)
  • f017098 feat(app): application bootstrap + provider/module layer (v0.22 piece 3)
  • b7f1060 feat(orm): eager loading With("posts.comments") to kill N+1 (v0.22 piece 2)
  • Additional commits viewable in compare view

Updates github.com/gin-gonic/gin from 1.10.0 to 1.12.0

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.12.0

Changelog

Features

  • 192ac89eefc1c30f7c97ae48a9ffb1c6f1c8c8bc: feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203) (@​takanuva15)
  • 53410d2e07054369e0960fbe2eed97e1b9966f12: feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502) (@​raju-mechatronics)
  • acc55e049e33b401e810dbd8c0d6dcb6b3ba2b05: feat(context): add Protocol Buffers support to content negotiation (#4423) (@​1911860538)
  • 38e765119241d990705169bedb5002a29ae0cbd1: feat(context): implemented Delete method (@​Spyder01)
  • 771dcc6476d7bc6abb9ec0235ecefa4d38fe6fb0: feat(gin): add option to use escaped path (#4420) (@​ldesauw)
  • 4dec17afdff48e8018c83618fbbe69fceeb2b41d: feat(logger): color latency (#4146) (@​wsyqn6)
  • d7776de7d444935ea4385999711bd6331a98fecb: feat(render): add bson protocol (#4145) (@​laurentcau)

Bug fixes

  • b917b14ff9d189f16a7492be79d123a47806ee19: fix(binding): empty value error (#2169) (@​guonaihong)
  • c3d1092b3b48addf6f9cd00fe274ec3bd14650eb: fix(binding): improve empty slice/array handling in form binding (#4380) (@​1911860538)
  • 9914178584e42458ff7d23891463a880f58c9d86: fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472) (@​Nurysso)
  • 2a794cd0b0faa7d829291375b27a3467ea972b0d: fix(debug): version mismatch (#4403) (@​zeek0x)
  • c3d5a28ed6d3849da820195b6774d212bcc038a9: fix(gin): close os.File in RunFd to prevent resource leak (#4422) (@​1911860538)
  • 5fad976b372e381312f8de69f0969f1284d229d3: fix(gin): literal colon routes not working with engine.Handler() (#4415) (@​pawannn)
  • 63dd3e60cab89c27fb66bce1423bd268d52abad1: fix(recover): suppress http.ErrAbortHandler in recover (#4336) (@​MondayCha)
  • 5c00df8afadd06cc5be530dde00fe6d9fa4a2e4a: fix(render): write content length in Data.Render (#4206) (@​dengaleev)
  • 234a6d4c00cb77af9852aca0b8289745d5529b4b: fix(response): refine hijack behavior for response lifecycle (#4373) (@​appleboy)
  • 472d086af2acd924cb4b9d7be0525f7d790f69bc: fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535) (@​veeceey)
  • 8e07d37c63e5536eb25f4af4c91eabeee4011fba: fix: Correct typos, improve documentation clarity, and remove dead code (#4511) (@​mahanadh)

Enhancements

  • ba093d19477b896ac89a7fc3246af23d290b8e26: chore(binding): upgrade bson dependency to mongo-driver v2 (#4549) (@​BobDu)
  • b2b489dbf4826c2c630717a77fd5e42774625410: chore(context): always trust xff headers from unix socket (#3359) (@​WeidiDeng)
  • ecb3f7b5e2f3915bf1db240ed5eee572f8dbea36: chore(deps): upgrade golang.org/x/crypto to v0.45.0 (#4449) (@​appleboy)
  • af6e8b70b8261bb0c99ad094fe552ab92991620a: chore(deps): upgrade quic-go to v0.57.1 (@​appleboy)
  • db309081bc5c137b2aa15701ef53f7f19788da25: chore(logger): allow skipping query string output (#4547) (@​USA-RedDragon)
  • 26c3a628655cad2388380cb8102d6ce7d4875f3b: chore(response): prevent Flush() panic when http.Flusher (#4479) (@​Twacqwq)
  • 5dd833f1f26de0eb30eae47b17e05ced2482dc41: chore: bump minimum Go version to 1.24 and update workflows (#4388) (@​appleboy)

Refactor

  • 39858a0859c914bd26948fa950477e11bd8d3823: refactor(binding): use maps.Copy for cleaner map handling (#4352) (@​russcoss)
  • c0048f645ee945c4db30593afdea10123e2c30a6: refactor(context): omit the return value names (#4395) (@​wanghaolong613)
  • 915e4c90d28ec4cffc6eb146e208ab5a65eac772: refactor(context): replace hardcoded localhost IPs with constants (#4481) (@​pauloappbr)
  • 414de60574449457f3192a7a1d5528940db2836d: refactor(context): using maps.Clone (#4333) (@​cuiweixie)
  • 59e9d4a794f12c4f9a6c7bed441b9644e5f6d99b: refactor(ginS): use sync.OnceValue to simplify engine function (#4314) (@​1911860538)
  • 3ab698dc5110af1977d57226e4995c57dd34c233: refactor(recovery): smart error comparison (#4142) (@​zeek0x)
  • d1a15347b1e45a8ee816193d3578a93bfd73b70f: refactor(utils): move util functions to utils.go (#4467) (@​zeek0x)
  • e3118cc378d263454098924ebbde7e8d1dd2e904: refactor: for loop can be modernized using range over int (#4392) (@​wanghaolong613)
  • 488f8c3ffa579a8d19beb2bae95ff8ef36b3d53f: refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529) (@​veeceey)
  • 9968c4bf9d5a99edc3eee2c068a4c9160ece8915: refactor: use b.Loop() to simplify the code and improve performance (#4389) (@​reddaisyy)
  • a85ef5ce4d0cda8834c59c855068ed48b51192d1: refactor: use b.Loop() to simplify the code and improve performance (#4432) (@​efcking)

Build process updates

  • 61b67de522a189b568aced4c5c16917c558e3387: ci(bot): increase frequency and group updates for dependencies (#4367) (@​appleboy)
  • fb27ef26c2fdfe25344b4c039d8a53551f9e912c: ci(lint): refactor test assertions and linter configuration (#4436) (@​appleboy)
  • 93ff771e6dbf10e432864b30f3719ac5c84a4d4a: ci(sec): improve type safety and server organization in HTTP middleware (#4437) (@​appleboy)
  • e88fc8927a52b74f55bec0351604a56ac0aa1c51: ci(sec): schedule Trivy security scans to run daily at midnight UTC (#4439) (@​appleboy)
  • 5e5ff3ace496a31b138b0820136a146bfb5de0ef: ci: replace vulnerability scanning workflow with Trivy integration (#4421) (@​appleboy)
  • 00900fb3e1ea9dde33985a0e4f6afec793d5e786: ci: update CI workflows and standardize Trivy config quotes (#4531) (@​appleboy)
  • ae3f524974fc4f55d18c9e7fae4614503c015226: ci: update Go version support to 1.25+ across CI and docs (#4550) (@​appleboy)

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.12.0

Features

  • feat(render): add bson protocol (#4145)
  • feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502)
  • feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203)
  • feat(gin): add option to use escaped path (#4420)
  • feat(context): add Protocol Buffers support to content negotiation (#4423)
  • feat(context): implemented Delete method (#38e7651)
  • feat(logger): color latency (#4146)

Enhancements

  • perf(tree): reduce allocations in findCaseInsensitivePath (#4417)
  • perf(recovery): optimize line reading in stack function (#4466)
  • perf(path): replace regex with custom functions in redirectTrailingSlash (#4414)
  • perf(tree): optimize path parsing using strings.Count (#4246)
  • chore(logger): allow skipping query string output (#4547)
  • chore(context): always trust xff headers from unix socket (#3359)
  • chore(response): prevent Flush() panic when the underlying ResponseWriter does not implement http.Flusher (#4479)
  • refactor(recovery): smart error comparison (#4142)
  • refactor(context): replace hardcoded localhost IPs with constants (#4481)
  • refactor(utils): move util functions to utils.go (#4467)
  • refactor(binding): use maps.Copy for cleaner map handling (#4352)
  • refactor(context): using maps.Clone (#4333)
  • refactor(ginS): use sync.OnceValue to simplify engine function (#4314)
  • refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529)
  • refactor: for loop can be modernized using range over int (#4392)

Bug Fixes

  • fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
  • fix(render): write content length in Data.Render (#4206)
  • fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472)
  • fix(binding): empty value error (#2169)
  • fix(recover): suppress http.ErrAbortHandler in recover (#4336)
  • fix(gin): literal colon routes not working with engine.Handler() (#4415)
  • fix(gin): close os.File in RunFd to prevent resource leak (#4422)
  • fix(response): refine hijack behavior for response lifecycle (#4373)
  • fix(binding): improve empty slice/array handling in form binding (#4380)
  • fix(debug): version mismatch (#4403)
  • fix: correct typos, improve documentation clarity, and remove dead code (#4511)

Build process updates / CI

  • ci: update Go version support to 1.25+ across CI and docs (#4550)
  • chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)

Gin v1.11.0

... (truncated)

Commits
  • 73726dc docs: update documentation to reflect Go version changes (#4552)
  • e292e5c docs: document and finalize Gin v1.12.0 release (#4551)
  • ae3f524 ci: update Go version support to 1.25+ across CI and docs (#4550)
  • 38534e2 chore(deps): bump golang.org/x/net from 0.50.0 to 0.51.0 (#4548)
  • 472d086 fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
  • fb25834 test(context): use http.StatusContinue constant instead of magic number 100 (...
  • 6f1d5fe test(render): add comprehensive error handling tests (#4541)
  • 5c00df8 fix(render): write content length in Data.Render (#4206)
  • db30908 chore(logger): allow skipping query string output (#4547)
  • ba093d1 chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…h 2 updates

Bumps the gin-deps group with 2 updates in the /adapters/gin directory: [github.com/devituz/lagodev](https://github.com/devituz/lagodev) and [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin).


Updates `github.com/devituz/lagodev` from 0.20.2 to 0.26.0
- [Release notes](https://github.com/devituz/lagodev/releases)
- [Changelog](https://github.com/devituz/lagodev/blob/main/CHANGELOG.md)
- [Commits](v0.20.2...v0.26.0)

Updates `github.com/gin-gonic/gin` from 1.10.0 to 1.12.0
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.10.0...v1.12.0)

---
updated-dependencies:
- dependency-name: github.com/devituz/lagodev
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gin-deps
- dependency-name: github.com/gin-gonic/gin
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gin-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants