dev: bump the safe group with 7 updates

[dependabot]

Bumps the safe group with 7 updates:

Package	From	To
github.com/aws/aws-sdk-go-v2/config	1.32.17	1.32.18
github.com/nats-io/nats-server/v2	2.14.0	2.14.1
github.com/redis/go-redis/v9	9.18.0	9.19.0
github.com/uptrace/bun/dialect/pgdialect	1.2.15	1.2.18
github.com/uptrace/bun/driver/pgdriver	1.2.15	1.2.18
golang.org/x/crypto	0.51.0	0.52.0
golang.org/x/net	0.54.0	0.55.0

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.18

Commits

• db9f4e5 Release 2026-05-22
• 34e7ddc Regenerated Clients
• f9db036 Update endpoints model
• ae5eae1 Update API model
• 429dbdd Feat discover endpoint partition validation (#3410)
• ab4f5b6 Release 2026-05-21
• 757a099 Regenerated Clients
• 02c8323 Update API model
• f4ac954 Bump smithy-go version and update imports for evenstream protocoltests (#3420)
• 6d93700 Add replace for credentials dependency added on go.mod (#3419)
• Additional commits viewable in compare view

Updates github.com/nats-io/nats-server/v2 from 2.14.0 to 2.14.1

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.14.1

Changelog

Refer to the 2.14 Upgrade Guide for backwards compatibility notes with 2.12.x. Please note that the 2.13.x version was skipped.

Go Version

• 1.26.3 (#8107)

Dependencies

• github.com/klauspost/compress v1.18.6 (#8124)
• golang.org/x/crypto v0.51.0 (#8124)
• golang.org/x/sys v0.44.0 (#8124)

Added

General

• New metrics in_client_msgs, in_client_bytes, out_client_msgs and out_client_bytes are now available via the /varz monitoring endpoint for tracking data to/from normal clients only (#7851)

Improved

General

• Client TLS certificates without subject DNs but with DNS subject alternate names are now permitted (#8100)
• The log level of TLS handshake timeout or non-TLS record errors have been demoted to debug level to reduce noise (#8096)

JetStream

• Num pending is now only calculated on consumer leaders, avoiding unnecessary CPU usage on followers (#8172)
• Snapshot and catchup loops no longer leak timers (#8186, thanks to @​SebTardif)
• Stream and consumer assignment errors are now surfaced (#8208)
• Intersection of sublists and subject trees can now be cancelled early, avoiding high CPU usage in some pathological cases (#8209)

Fixed

General

• Cluster route compression now obeys the cluster max_pings_out option if configured (#8093)
• The internal send loop no longer mutates caller headers, which could corrupt buffers (#8097)
• Removing headers no longer fails to remove later headers if the matching prefix also appeared in an earlier header value (#8103)
• The sublist now correctly maintains negative results in the cache when calculating number of interested subjects (#8119)
• Server shutdown requests are now idempotent, preventing concurrency issues when shutting down in embedded contexts (#8163)
• TLS listeners now work correctly with the PROXY protocol where enabled (#8130)
• Reduced lock contention that could be created between leafnodes and clients (#8139, #8159)
• Fixed a panic that could happen when an error occurs when walking JWT directory resolver folders (#8173, thanks to @​SebTardif)
• In-process connections will no longer unexpectedly revert to TLS required with async INFO (#8205)

Leafnodes

... (truncated)

Commits

• cb557cd Release v2.14.1
• 9182ee9 Cherry-picks for 2.14.1 (#8219)
• 128e855 Add a benchmark for WriteTermVote
• 6bb9af2 Allow cancellation of IntersectGSL, optimise skip block check
• 899bf88 [IMPROVED] Clear stale sa/ca.err after success
• a1e81c0 [IMPROVED] Surface assignment errors in stream/consumer log messages
• 2477ebc [IMPROVED] Surface assignment errors in stream/consumer health checks
• b7d533e [IMPROVED] Consumer's deleteNotActive compares against object-local assignment
• e667787 [FIXED] Async INFO flipped tls_required for in-process clients
• f56faad Release v2.14.1-RC.2
• Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.18.0 to 9.19.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.19.0

🚀 Highlights

FIPS-Compatible Script Helper

Script now supports a FIPS-safe execution mode that avoids client-side SHA-1 computation, which is blocked in strict FIPS environments. A new NewScriptServerSHA constructor uses SCRIPT LOAD to obtain and cache the digest from the server, then runs commands via EVALSHA/EVALSHA_RO. Falls back to EVAL/EVALRO if loading fails, and transparently retries once on NOSCRIPT. The default behavior is unchanged for existing users.

(#3700) by @​chaitanyabodlapati

FT.AGGREGATE Step-Based Pipeline Builder

Added a new step-based FT.AGGREGATE pipeline API via FTAggregateOptions.Steps, allowing LOAD, APPLY, GROUPBY, and SORTBY (with per-step MAX) to be repeated and interleaved in arbitrary order — matching Redis's native multi-stage aggregation semantics. The legacy Load/Apply/GroupBy/SortBy/SortByMax fields are now deprecated.

(#3782) by @​ndyakov

Raw RESP Protocol Access

Added DoRaw and DoRawWriteTo methods for executing arbitrary commands and reading the raw RESP response. Useful for proxying, custom protocol inspection, and working with commands not yet wrapped by go-redis.

(#3713) by @​ofekshenawa

Configurable Dial Retry Backoff

Added DialerRetryBackoff option (plumbed through Options, ClusterOptions, RingOptions, FailoverOptions) to let callers customize the delay between failed dial attempts. Helpers DialRetryBackoffConstant and DialRetryBackoffExponential (with jitter and cap) are provided out of the box. Dial timeout is now also applied per attempt rather than across all retries.

(#3706, #3705) by @​mwhooker

✨ New Features

• FT.AGGREGATE Steps: Step-based pipeline builder for FT.AGGREGATE with support for repeated/interleaved LOAD, APPLY, GROUPBY, and SORTBY stages (#3782) by @​ndyakov
• VectorSet commands: Added VISMEMBER and WITHATTRIBS support (#3753) by @​romanpovol
• FIPS-safe Script: NewScriptServerSHA uses SCRIPT LOAD to obtain the digest from the server, avoiding client-side SHA-1 (#3700) by @​chaitanyabodlapati
• Raw RESP access: DoRaw and DoRawWriteTo for raw RESP protocol access (#3713) by @​ofekshenawa
• Dial retry backoff: DialerRetryBackoff function option with constant and exponential helpers (#3706) by @​mwhooker
• Typed NOSCRIPT error: Redis NOSCRIPT replies are now surfaced as a typed error for easier handling (#3738) by @​LINKIWI
• PubSub ClientSetName: Added ClientSetName method to PubSub (#3727) by @​Flack74
• ReplicaOf: New ReplicaOf method replaces the deprecated SlaveOf (#3720) by @​Copilot
• HSCAN BinaryUnmarshaler: HScan now supports types implementing encoding.BinaryUnmarshaler (#3768) by @​Aaditya-dubey1

🐛 Bug Fixes

• Auto hostname type detection: Improved endpoint type detection for maintenance notifications using DNS-based classification; handles empty hosts and expanded private-IP ranges (#3789) by @​ndyakov
• HELLO fallback: Don't send CLIENT MAINT_NOTIFICATIONS handshake when HELLO fails and connection falls back to RESP2; fail fast when explicitly enabled with RESP3 (#3788) by @​ndyakov
• Dial TCP retry: ShouldRetry now treats net.OpError with Op == "dial" timeout errors as safe to retry since no command was sent (#3787) by @​vladisa88
• wrappedOnClose leak: Fixed resource leak caused by repeatedly wrapping baseClient close logic; replaced with a bounded, concurrency-safe named-hook registry (#3785) by @​ndyakov
• Pool Close() on stale connections: Suppress close errors (e.g., TLS closeNotify timeouts) for connections already dropped by the server due to idle timeout (#3778) by @​ofekshenawa
• FIFO waiter ordering: Fixed race in ConnStateMachine.notifyWaiters that could wake multiple waiters under a single mutex hold and violate FIFO ordering (#3777) by @​0x48core
• Lua READONLY detection: Detect READONLY errors embedded in Lua script error messages on read-only replicas so commands are correctly retried (#3769) by @​zhengjilei
• VectorScoreSliceCmd RESP2: Fixed VSimWithScores, VSimWithArgsWithScores, and VLinksWithScores which were broken on RESP2 connections returning flat arrays instead of maps (#3767) by @​Copilot

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.19.0 (2026-04-27)

🚀 Highlights

FIPS-Compatible Script Helper

Script now supports a FIPS-safe execution mode that avoids client-side SHA-1 computation, which is blocked in strict FIPS environments. A new NewScriptServerSHA constructor uses SCRIPT LOAD to obtain and cache the digest from the server, then runs commands via EVALSHA/EVALSHA_RO. Falls back to EVAL/EVALRO if loading fails, and transparently retries once on NOSCRIPT. The default behavior is unchanged for existing users.

(#3700) by @​chaitanyabodlapati

FT.AGGREGATE Step-Based Pipeline Builder

Added a new step-based FT.AGGREGATE pipeline API via FTAggregateOptions.Steps, allowing LOAD, APPLY, GROUPBY, and SORTBY (with per-step MAX) to be repeated and interleaved in arbitrary order — matching Redis's native multi-stage aggregation semantics. The legacy Load/Apply/GroupBy/SortBy/SortByMax fields are now deprecated.

(#3782) by @​ndyakov

Raw RESP Protocol Access

Added DoRaw and DoRawWriteTo methods for executing arbitrary commands and reading the raw RESP response. Useful for proxying, custom protocol inspection, and working with commands not yet wrapped by go-redis.

(#3713) by @​ofekshenawa

Configurable Dial Retry Backoff

Added DialerRetryBackoff option (plumbed through Options, ClusterOptions, RingOptions, FailoverOptions) to let callers customize the delay between failed dial attempts. Helpers DialRetryBackoffConstant and DialRetryBackoffExponential (with jitter and cap) are provided out of the box. Dial timeout is now also applied per attempt rather than across all retries.

(#3706, #3705) by @​mwhooker

✨ New Features

• FT.AGGREGATE Steps: Step-based pipeline builder for FT.AGGREGATE with support for repeated/interleaved LOAD, APPLY, GROUPBY, and SORTBY stages (#3782) by @​ndyakov
• VectorSet commands: Added VISMEMBER and WITHATTRIBS support (#3753) by @​romanpovol
• FIPS-safe Script: NewScriptServerSHA uses SCRIPT LOAD to obtain the digest from the server, avoiding client-side SHA-1 (#3700) by @​chaitanyabodlapati
• Raw RESP access: DoRaw and DoRawWriteTo for raw RESP protocol access (#3713) by @​ofekshenawa
• Dial retry backoff: DialerRetryBackoff function option with constant and exponential helpers (#3706) by @​mwhooker
• Typed NOSCRIPT error: Redis NOSCRIPT replies are now surfaced as a typed error for easier handling (#3738) by @​LINKIWI
• PubSub ClientSetName: Added ClientSetName method to PubSub (#3727) by @​Flack74
• ReplicaOf: New ReplicaOf method replaces the deprecated SlaveOf (#3720) by @​Copilot
• HSCAN BinaryUnmarshaler: HScan now supports types implementing encoding.BinaryUnmarshaler (#3768) by @​Aaditya-dubey1

🐛 Bug Fixes

• Auto hostname type detection: Improved endpoint type detection for maintenance notifications using DNS-based classification; handles empty hosts and expanded private-IP ranges (#3789) by @​ndyakov
• HELLO fallback: Don't send CLIENT MAINT_NOTIFICATIONS handshake when HELLO fails and connection falls back to RESP2; fail fast when explicitly enabled with RESP3 (#3788) by @​ndyakov
• Dial TCP retry: ShouldRetry now treats net.OpError with Op == "dial" timeout errors as safe to retry since no command was sent (#3787) by @​vladisa88
• wrappedOnClose leak: Fixed resource leak caused by repeatedly wrapping baseClient close logic; replaced with a bounded, concurrency-safe named-hook registry (#3785) by @​ndyakov
• Pool Close() on stale connections: Suppress close errors (e.g., TLS closeNotify timeouts) for connections already dropped by the server due to idle timeout (#3778) by @​ofekshenawa
• FIFO waiter ordering: Fixed race in ConnStateMachine.notifyWaiters that could wake multiple waiters under a single mutex hold and violate FIFO ordering (#3777) by @​0x48core
• Lua READONLY detection: Detect READONLY errors embedded in Lua script error messages on read-only replicas so commands are correctly retried (#3769) by @​zhengjilei
• VectorScoreSliceCmd RESP2: Fixed VSimWithScores, VSimWithArgsWithScores, and VLinksWithScores which were broken on RESP2 connections returning flat arrays instead of maps (#3767) by @​Copilot

... (truncated)

Commits

• e7e9866 chore(release): v9.19.0 (#3796)
• 22b26f4 feat(ft.aggregate): Add Steps for query building (#3782)
• d9d7694 fix(pool): two fixes for closed connection handling (#3764)
• 44e8b73 fix(sch): auto hostname type detection (#3789)
• ad21622 fix(hello): do not send maintnotifications handshake when hello fails (#3788)
• 1a7ac74 fix(pool): suppress pool Close() errors for stale connections (#3778)
• 903d6bd fix(retry): make dial tcp error redirectable (#3786) (#3787)
• 00a551b fix(credentials): leak in wrappedOnClose (#3785)
• b5a6f99 refactor(pool): remove redundant Conn.closed atomic field (#3783)
• 928f27a feat(hscan): add support for encoding.BinaryUnmarshaler (#3768)
• Additional commits viewable in compare view

Updates github.com/uptrace/bun/dialect/pgdialect from 1.2.15 to 1.2.18

Release notes

Sourced from github.com/uptrace/bun/dialect/pgdialect's releases.

v1.2.18

Please refer to CHANGELOG.md for details

v1.2.17

Please refer to CHANGELOG.md for details

v1.2.16

Please refer to CHANGELOG.md for details

Changelog

Sourced from github.com/uptrace/bun/dialect/pgdialect's changelog.

1.2.18 (2026-02-28)

Bug Fixes

• handle []byte and [N]byte in Tuple, separate List from Tuple imp… (uptrace/bun#1340) (bec98b9)
• validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misparse (#1338) (b8da15b), closes #1337

1.2.17 (2026-02-21)

Bug Fixes

• migrator exec error propagation (#1320) (b40f603)
• OrderAscNullsFirst mapping (fixes #1305) (43b6af2)
• panic in indirectAsKey when loading complex models. TypeOf(v) returns nil (2788c5b)
• RunMigration marks migration as applied after running (#1330) (990c2eb)

Features

• add Tuple and List (#1331) (5c2b3d1)
• create unique index on migration name column in Migrator.Init (#1332) (44ac056)
• update: use DEFAULT instead of NULL on databases that support it (#1315) (cabcffd)

1.2.16 (2025-11-20)

Bug Fixes

• data race in db clone stats (e92d910)
• db: data race in db clone stats (a78f382)
• db: move DBStats to noCopyState (c646241)
• return "custom" for unknown dialects instead of "invalid" (#1280) (106cc08), closes #1276
• revert CreateChannel rename (#1248) (a5b2ac6)
• sql injection #1228 (#1263) (c12edf0)
• update SelectQuery.Clone to properly handle non-nil empty arg slices (#1299) (b499cce), closes #1298

Features

• add Context to ConnResolver.ResolveConn (#1275) (d9f273f)
• add materialize cte support (#1260) (16ebb09)
• add SetValues (#1252) (9556d3c)
• add SortDir type to safely build order queries (#1284) (2ad0521)
• add WithQueryHook and deprecated AddQueryHook (#1272) (f662c1e)

... (truncated)

Commits

• 5de0fb9 chore: release v1.2.18 (release.sh) (#1341)
• bec98b9 fix: handle []byte and [N]byte in Tuple, separate List from Tuple imp… (#1340)
• b8da15b fix: validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misp...
• 6b7a19b Add client cert support in postgres dsn (sslcert and sslkey) (#1336)
• 3c9f8fb chore: remove Go 1.24 from CI build matrix
• 43d07be chore: release v1.2.17 (release.sh) (#1333)
• a94579f chore: add doc comments for exported identifiers across sub-packages
• b19d8f7 chore: add doc comments for package, type, and exported functions
• 415f372 chore: re-order features by category and add missing documentation
• 44ac056 feat: create unique index on migration name column in Migrator.Init (#1332)
• Additional commits viewable in compare view

Updates github.com/uptrace/bun/driver/pgdriver from 1.2.15 to 1.2.18

Release notes

Sourced from github.com/uptrace/bun/driver/pgdriver's releases.

v1.2.18

Please refer to CHANGELOG.md for details

v1.2.17

Please refer to CHANGELOG.md for details

v1.2.16

Please refer to CHANGELOG.md for details

Changelog

Sourced from github.com/uptrace/bun/driver/pgdriver's changelog.

1.2.18 (2026-02-28)

Bug Fixes

• handle []byte and [N]byte in Tuple, separate List from Tuple imp… (uptrace/bun#1340) (bec98b9)
• validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misparse (#1338) (b8da15b), closes #1337

1.2.17 (2026-02-21)

Bug Fixes

• migrator exec error propagation (#1320) (b40f603)
• OrderAscNullsFirst mapping (fixes #1305) (43b6af2)
• panic in indirectAsKey when loading complex models. TypeOf(v) returns nil (2788c5b)
• RunMigration marks migration as applied after running (#1330) (990c2eb)

Features

• add Tuple and List (#1331) (5c2b3d1)
• create unique index on migration name column in Migrator.Init (#1332) (44ac056)
• update: use DEFAULT instead of NULL on databases that support it (#1315) (cabcffd)

1.2.16 (2025-11-20)

Bug Fixes

• data race in db clone stats (e92d910)
• db: data race in db clone stats (a78f382)
• db: move DBStats to noCopyState (c646241)
• return "custom" for unknown dialects instead of "invalid" (#1280) (106cc08), closes #1276
• revert CreateChannel rename (#1248) (a5b2ac6)
• sql injection #1228 (#1263) (c12edf0)
• update SelectQuery.Clone to properly handle non-nil empty arg slices (#1299) (b499cce), closes #1298

Features

• add Context to ConnResolver.ResolveConn (#1275) (d9f273f)
• add materialize cte support (#1260) (16ebb09)
• add SetValues (#1252) (9556d3c)
• add SortDir type to safely build order queries (#1284) (2ad0521)
• add WithQueryHook and deprecated AddQueryHook (#1272) (f662c1e)

... (truncated)

Commits

• 5de0fb9 chore: release v1.2.18 (release.sh) (#1341)
• bec98b9 fix: handle []byte and [N]byte in Tuple, separate List from Tuple imp… (#1340)
• b8da15b fix: validate parenthesized content in ReadIdentifier to prevent ?(?, ?) misp...
• 6b7a19b Add client cert support in postgres dsn (sslcert and sslkey) (#1336)
• 3c9f8fb chore: remove Go 1.24 from CI build matrix
• 43d07be chore: release v1.2.17 (release.sh) (#1333)
• a94579f chore: add doc comments for exported identifiers across sub-packages
• b19d8f7 chore: add doc comments for package, type, and exported functions
• 415f372 chore: re-order features by category and add missing documentation
• 44ac056 feat: create unique index on migration name column in Migrator.Init (#1332)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.51.0 to 0.52.0

Commits

• a1c0d99 go.mod: update golang.org/x dependencies
• 3c7c869 ssh: fix deadlock on unexpected channel responses
• 533fb3f ssh: fix source-address critical option bypass
• abbc44d ssh: fix incorrect operator order
• e052873 ssh: fix infinite loop on large channel writes due to integer overflow
• b61cf85 ssh: enforce user presence verification for security keys
• 9c2cd33 ssh: enforce strict limits on DSA key parameters
• 8907318 ssh: reject RSA keys with excessively large moduli
• ffd87b4 ssh: fix panic when authority callbacks are nil
• 4e7a738 ssh: fix deadlock on unexpected global responses
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.54.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions