diff --git a/.github/workflows/build-oci.yaml b/.github/workflows/build-oci.yaml
index 8896d8d59..82ada5c22 100644
--- a/.github/workflows/build-oci.yaml
+++ b/.github/workflows/build-oci.yaml
@@ -78,7 +78,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download mapt oci flatten images
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: mapt-*
       - name: copy both artifacts into single directory
@@ -100,7 +100,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Download mapt oci flatten images
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: mapt-*         
         
diff --git a/.github/workflows/push-oci-pr.yml b/.github/workflows/push-oci-pr.yml
index e171b2ac6..bf0482f4d 100644
--- a/.github/workflows/push-oci-pr.yml
+++ b/.github/workflows/push-oci-pr.yml
@@ -35,7 +35,7 @@ jobs:
       packages: write
     steps:
       - name: Download mapt assets
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ github.token }}
diff --git a/Makefile b/Makefile
index 446dd7c00..f65666566 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ TKN_IMG ?= quay.io/redhat-developer/mapt:v${VERSION}-tkn
 
 # Integrations
 # renovate: datasource=github-releases depName=cirruslabs/cirrus-cli
-CIRRUS_CLI ?= v0.165.0
+CIRRUS_CLI ?= v0.165.2
 # renovate: datasource=github-releases depName=actions/runner
 GITHUB_RUNNER ?= 2.332.0
 # renovate: datasource=gitlab-releases depName=gitlab-org/gitlab-runner
diff --git a/go.mod b/go.mod
index 4cedd2830..e67d3059b 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/redhat-developer/mapt
 go 1.25.6
 
 require (
-	github.com/coocood/freecache v1.2.5
+	github.com/coocood/freecache v1.2.7
 	github.com/pulumi/pulumi-command/sdk v1.2.1
 	github.com/pulumi/pulumi-random/sdk/v4 v4.19.1
 	github.com/pulumi/pulumi/sdk/v3 v3.225.1
@@ -18,11 +18,11 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/aws/amazon-ec2-instance-selector/v3 v3.1.3
-	github.com/aws/aws-sdk-go-v2 v1.41.3
-	github.com/aws/aws-sdk-go-v2/config v1.32.11
+	github.com/aws/aws-sdk-go-v2 v1.41.4
+	github.com/aws/aws-sdk-go-v2/config v1.32.12
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.96.4
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.8
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
 	github.com/pulumi/pulumi-aws-native/sdk v1.57.0
 	github.com/pulumi/pulumi-aws/sdk/v7 v7.21.0
 	github.com/pulumi/pulumi-awsx/sdk/v3 v3.3.0
@@ -36,8 +36,8 @@ require (
 	github.com/pulumi/pulumi-gitlab/sdk/v8 v8.11.0
 	github.com/pulumi/pulumi-tls/sdk/v5 v5.3.0
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa
-	k8s.io/apimachinery v0.35.2
-	k8s.io/client-go v0.35.2
+	k8s.io/apimachinery v0.35.3
+	k8s.io/client-go v0.35.3
 )
 
 require (
@@ -47,15 +47,15 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/pgavlin/fx/v2 v2.0.12 // indirect
 	github.com/pulumi/pulumi-azure-native-sdk/v3 v3.15.0 // indirect
-	github.com/pulumi/pulumi-docker/sdk/v4 v4.11.0 // indirect
+	github.com/pulumi/pulumi-docker/sdk/v4 v4.11.1 // indirect
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/pricing v1.40.13 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/pricing v1.40.14 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/evertras/bubble-table v0.19.2 // indirect
 	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
@@ -78,23 +78,23 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.11 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.12 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/bubbles v1.0.0 // indirect
 	github.com/charmbracelet/bubbletea v1.3.10 // indirect
-	github.com/charmbracelet/colorprofile v0.4.2 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/x/ansi v0.11.6 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
@@ -117,7 +117,7 @@ require (
 	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
@@ -178,9 +178,9 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.4.0 // indirect
+	github.com/ProtonMail/go-crypto v1.4.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.73.1
-	github.com/aws/aws-sdk-go-v2/service/iam v1.53.4
+	github.com/aws/aws-sdk-go-v2/service/iam v1.53.6
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index 9a832a22a..c43bcdbe6 100644
--- a/go.sum
+++ b/go.sum
@@ -37,8 +37,8 @@ github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXY
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProtonMail/go-crypto v1.4.0 h1:Zq/pbM3F5DFgJiMouxEdSVY44MVoQNEKp5d5QxIQceQ=
-github.com/ProtonMail/go-crypto v1.4.0/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
+github.com/ProtonMail/go-crypto v1.4.1 h1:9RfcZHqEQUvP8RzecWEUafnZVtEvrBVL9BiF67IQOfM=
+github.com/ProtonMail/go-crypto v1.4.1/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -51,50 +51,50 @@ github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.3 h1:13qtG4reL2+2UiCm2U7gM9QJthDO8hPPzvn7hTjHask=
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.3/go.mod h1:wdlMRtz9G4IO6H1yZPsqfGBxR8E6B/bdxHlGkls4kGQ=
-github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA=
-github.com/aws/aws-sdk-go-v2 v1.41.3/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 h1:N4lRUXZpZ1KVEUn6hxtco/1d2lgYhNn1fHkkl8WhlyQ=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
-github.com/aws/aws-sdk-go-v2/config v1.32.11 h1:ftxI5sgz8jZkckuUHXfC/wMUc8u3fG1vQS0plr2F2Zs=
-github.com/aws/aws-sdk-go-v2/config v1.32.11/go.mod h1:twF11+6ps9aNRKEDimksp923o44w/Thk9+8YIlzWMmo=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.11 h1:NdV8cwCcAXrCWyxArt58BrvZJ9pZ9Fhf9w6Uh5W3Uyc=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.11/go.mod h1:30yY2zqkMPdrvxBqzI9xQCM+WrlrZKSOpSJEsylVU+8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19 h1:INUvJxmhdEbVulJYHI061k4TVuS3jzzthNvjqvVvTKM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19/go.mod h1:FpZN2QISLdEBWkayloda+sZjVJL+e9Gl0k1SyTgcswU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19 h1:/sECfyq2JTifMI2JPyZ4bdRN77zJmr6SrS1eL3augIA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19/go.mod h1:dMf8A5oAqr9/oxOfLkC/c2LU/uMcALP0Rgn2BD5LWn0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19 h1:AWeJMk33GTBf6J20XJe6qZoRSJo0WfUhsMdUKhoODXE=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19/go.mod h1:+GWrYoaAsV7/4pNHpwh1kiNLXkKaSoppxQq9lbH8Ejw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5 h1:clHU5fm//kWS1C2HgtgWxfQbFbx4b6rx+5jzhgX9HrI=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20 h1:qi3e/dmpdONhj1RyIZdi6DKKpDXS5Lb8ftr3p7cyHJc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20/go.mod h1:V1K+TeJVD5JOk3D9e5tsX2KUdL7BlB+FV6cBhdobN8c=
+github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k=
+github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7 h1:3kGOqnh1pPeddVa/E37XNTaWJ8W6vrbYV9lJEkCnhuY=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
+github.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0=
+github.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 h1:SwGMTMLIlvDNyhMteQ6r8IJSBPlRdXX5d4idhIGbkXA=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21/go.mod h1:UUxgWxofmOdAMuqEsSppbDtGKLfR04HGsD0HXzvhI1k=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0 h1:776KnBqePBBR6zEDi0bUIHXzUBOISa2WgAKEgckUF8M=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.294.0/go.mod h1:rB577GvkmJADVOFGY8/j9sPv/ewcsEtQNsd9Lrn7Zx0=
 github.com/aws/aws-sdk-go-v2/service/ecs v1.73.1 h1:TSmcWx+RzhGJrPNoFkuqANafJQ7xY3W2UBg6ShN3ae8=
 github.com/aws/aws-sdk-go-v2/service/ecs v1.73.1/go.mod h1:KWILGx+bRowcGyJU/va2Ift48c658blP5e1qvldnIRE=
-github.com/aws/aws-sdk-go-v2/service/iam v1.53.4 h1:FUWGS7m97SYL0bk9Kb+Q4bVpcSrKOHNiIbEXIRFTRW4=
-github.com/aws/aws-sdk-go-v2/service/iam v1.53.4/go.mod h1:seDE466zJ4haVuAVcRk+yIH4DWb3s6cqt3Od8GxnGAA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6 h1:XAq62tBTJP/85lFD5oqOOe7YYgWxY9LvWq8plyDvDVg=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11 h1:BYf7XNsJMzl4mObARUBUib+j2tf0U//JAAtTnYqvqCw=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11/go.mod h1:aEUS4WrNk/+FxkBZZa7tVgp4pGH+kFGW40Y8rCPqt5g=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19 h1:X1Tow7suZk9UCJHE1Iw9GMZJJl0dAnKXXP1NaSDHwmw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19/go.mod h1:/rARO8psX+4sfjUQXp5LLifjUt8DuATZ31WptNJTyQA=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19 h1:JnQeStZvPHFHeyky/7LbMlyQjUa+jIBj36OlWm0pzIk=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19/go.mod h1:HGyasyHvYdFQeJhvDHfH7HXkHh57htcJGKDZ+7z+I24=
-github.com/aws/aws-sdk-go-v2/service/pricing v1.40.13 h1:zuo2FmpYZfANk5REBqD8OaEoDR+p28WDm799D3ySqUY=
-github.com/aws/aws-sdk-go-v2/service/pricing v1.40.13/go.mod h1:sVKRpoK0drDqf/V7cSBMu0xL/dV3YTNKtRbfF+u5hDA=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.6 h1:GPQvvxy8+FDnD9xKYzGKJMjIm5xkVM5pd3bFgRldNSo=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.6/go.mod h1:RJNVc52A0K41fCDJOnsCLeWJf8mwa0q30fM3CfE9U18=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 h1:qtJZ70afD3ISKWnoX3xB0J2otEqu3LqicRcDBqsj0hQ=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12/go.mod h1:v2pNpJbRNl4vEUWEh5ytQok0zACAKfdmKS51Hotc3pQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 h1:siU1A6xjUZ2N8zjTHSXFhB9L/2OY8Dqs0xXiLjF30jA=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20/go.mod h1:4TLZCmVJDM3FOu5P5TJP0zOlu9zWgDWU7aUxWbr+rcw=
+github.com/aws/aws-sdk-go-v2/service/pricing v1.40.14 h1:Z3GB0K5jp4NA7h8jF+47NpMFEcEhk2cC/3cp+sNVnZI=
+github.com/aws/aws-sdk-go-v2/service/pricing v1.40.14/go.mod h1:kIKQg3oQXFIQhLS0VHI1oCdml2mApKG9cSgfVPrYuY4=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.96.4 h1:4ExZyubQ6LQQVuF2Qp9OsfEvsTdAWh5Gfwf6PgIdLdk=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.96.4/go.mod h1:NF3JcMGOiARAss1ld3WGORCw71+4ExDD2cbbdKS5PpA=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.7 h1:Y2cAXlClHsXkkOvWZFXATr34b0hxxloeQu/pAZz2row=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.7/go.mod h1:idzZ7gmDeqeNrSPkdbtMp9qWMgcBwykA7P7Rzh5DXVU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.12 h1:iSsvB9EtQ09YrsmIc44Heqlx5ByGErqhPK1ZQLppias=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.12/go.mod h1:fEWYKTRGoZNl8tZ77i61/ccwOMJdGxwOhWCkp6TXAr0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16 h1:EnUdUqRP1CNzt2DkV67tJx6XDN4xlfBFm+bzeNOQVb0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16/go.mod h1:Jic/xv0Rq/pFNCh3WwpH4BEqdbSAl+IyHro8LbibHD8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.8 h1:XQTQTF75vnug2TXS8m7CVJfC2nniYPZnO1D4Np761Oo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.8/go.mod h1:Xgx+PR1NUOjNmQY+tRMnouRp83JRM8pRMw/vCaVhPkI=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
 github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
 github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
@@ -107,15 +107,14 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5fXonfvc=
 github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
 github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
 github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
-github.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY=
-github.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=
@@ -134,8 +133,8 @@ github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJ
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
 github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
-github.com/coocood/freecache v1.2.5 h1:FmhRQ8cLLVq9zWhHVYODUEZ0xu6rTPrVeAnX1AEIf7I=
-github.com/coocood/freecache v1.2.5/go.mod h1:RBUWa/Cy+OHdfTGFEhEuE1pMCMX51Ncizj7rthiQ3vk=
+github.com/coocood/freecache v1.2.7 h1:IDP0x1Yg8sgRmsSWzFyhaB+amYJpKS7v5QIXNHxXvM8=
+github.com/coocood/freecache v1.2.7/go.mod h1:+Ga2+A5/0D6MMistGuoeKZaZucAGZ56u+fYKiY+xqNA=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
 github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
@@ -246,8 +245,8 @@ github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXw
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -360,8 +359,8 @@ github.com/pulumi/pulumi-command/sdk v1.2.1 h1:mAziZ91a/9U+5IjZH5Skcar80OSmpBSYl
 github.com/pulumi/pulumi-command/sdk v1.2.1/go.mod h1:hQxv9DXg6bFjcd9BEiNdMImQ/V1rnC9D115q5VXYNps=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.15 h1:K6F/3o44gGj+ljRS4spCGvAXMSwECHITjaCccfjXNyE=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.15/go.mod h1:cZyHs6q34kbQZJYaBjWUJhPsgwUFoL6xyjo7sRqBcv4=
-github.com/pulumi/pulumi-docker/sdk/v4 v4.11.0 h1:I8nJlJcQQiMs0njR1/CvXWk2y0dzhwSXIW62xuVaZQc=
-github.com/pulumi/pulumi-docker/sdk/v4 v4.11.0/go.mod h1:TbjBDNYFkMGmDZdrV6grRy+7AADkGLTcPjLHY9gh8dg=
+github.com/pulumi/pulumi-docker/sdk/v4 v4.11.1 h1:ZLhod/vxak+FxWn3GZIWgWpVyp7nhH0JuN7yb7z6RK4=
+github.com/pulumi/pulumi-docker/sdk/v4 v4.11.1/go.mod h1:Y0BR/VxVVDTtjgXLdMNZAy6g5S/DBwd677AQS1kyv54=
 github.com/pulumi/pulumi-gitlab/sdk/v8 v8.11.0 h1:nR406lhXeltZVfLXH8E4J5JetflNZePBgXz2eyHT7RM=
 github.com/pulumi/pulumi-gitlab/sdk/v8 v8.11.0/go.mod h1:TU9R5gbZHqe1iJ054UW3ygPU8PxQcOi4J2n/YsnTviE=
 github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.27.0 h1:l33vcOD62jlEIiD/POknlKrVF4JG2ZV87khzavYwkR0=
@@ -569,12 +568,12 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw=
-k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60=
-k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
-k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
-k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o=
-k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g=
+k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ=
+k8s.io/api v0.35.3/go.mod h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4=
+k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8=
+k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg=
+k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf h1:btPscg4cMql0XdYK2jLsJcNEKmACJz8l+U7geC06FiM=
diff --git a/tools/go.mod b/tools/go.mod
index 8f5f43214..fa3101c03 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -2,7 +2,7 @@ module github.com/redhat-developer/mapt/tools
 
 go 1.25.0
 
-require github.com/golangci/golangci-lint/v2 v2.11.2
+require github.com/golangci/golangci-lint/v2 v2.11.4
 
 require (
 	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
@@ -67,7 +67,7 @@ require (
 	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charithe/durationcheck v0.0.11 // indirect
-	github.com/charmbracelet/colorprofile v0.4.2 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/x/ansi v0.11.6 // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
@@ -79,7 +79,7 @@ require (
 	// github.com/denis-tingaikin/go-header v1.0.0 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/ettle/strcase v0.2.0 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.19.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/firefart/nonamedreturns v1.0.6 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -165,16 +165,16 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/ryancurrah/gomodguard v1.4.1 // indirect
-	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.6.0 // indirect
 	github.com/sagikazarmark/locafero v0.12.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
 	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
-	github.com/securego/gosec/v2 v2.24.7 // indirect
+	github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sonatard/noctx v0.5.0 // indirect
+	github.com/sonatard/noctx v0.5.1 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
@@ -209,11 +209,11 @@ require (
 	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20260218203240-3dfff04db8fa // indirect
-	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	honnef.co/go/tools v0.7.0 // indirect
diff --git a/tools/go.sum b/tools/go.sum
index 48fd00e8c..0348e22e1 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -84,8 +84,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charithe/durationcheck v0.0.11 h1:g1/EX1eIiKS57NTWsYtHDZ/APfeXKhye1DidBcABctk=
 github.com/charithe/durationcheck v0.0.11/go.mod h1:x5iZaixRNl8ctbM+3B2RrPG5t856TxRyVQEnbIEM2X4=
-github.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY=
-github.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=
@@ -118,8 +118,8 @@ github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZ
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q=
 github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/firefart/nonamedreturns v1.0.6 h1:vmiBcKV/3EqKY3ZiPxCINmpS431OcE1S47AQUwhrg8E=
@@ -177,8 +177,8 @@ github.com/golangci/go-printf-func-name v0.1.1 h1:hIYTFJqAGp1iwoIfsNTpoq1xZAarog
 github.com/golangci/go-printf-func-name v0.1.1/go.mod h1:Es64MpWEZbh0UBtTAICOZiB+miW53w/K9Or/4QogJss=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d h1:viFft9sS/dxoYY0aiOTsLKO2aZQAPT4nlQCsimGcSGE=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d/go.mod h1:ivJ9QDg0XucIkmwhzCDsqcnxxlDStoTl89jDMIoNxKY=
-github.com/golangci/golangci-lint/v2 v2.11.2 h1:4Icd3mEqthcFcFww8L67OBtfKB/obXxko8aFUMqP/5w=
-github.com/golangci/golangci-lint/v2 v2.11.2/go.mod h1:wexdFBIQNhHNhDe1oqzlGFE5dYUqlfccWJKWjoWF1GI=
+github.com/golangci/golangci-lint/v2 v2.11.4 h1:GK+UlZBN5y7rh2PBnHA93XLSX6RaF7uhzJQ3JwU1wuA=
+github.com/golangci/golangci-lint/v2 v2.11.4/go.mod h1:ODQDCASMA3VqfZYIbbQLpTRTzV7O/vjmIRF6u8NyFwI=
 github.com/golangci/golines v0.15.0 h1:Qnph25g8Y1c5fdo1X7GaRDGgnMHgnxh4Gk4VfPTtRx0=
 github.com/golangci/golines v0.15.0/go.mod h1:AZjXd23tbHMpowhtnGlj9KCNsysj72aeZVVHnVcZx10=
 github.com/golangci/misspell v0.8.0 h1:qvxQhiE2/5z+BVRo1kwYA8yGz+lOlu5Jfvtx2b04Jbg=
@@ -345,8 +345,8 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.4.1 h1:eWC8eUMNZ/wM/PWuZBv7JxxqT5fiIKSIyTvjb7Elr+g=
 github.com/ryancurrah/gomodguard v1.4.1/go.mod h1:qnMJwV1hX9m+YJseXEBhd2s90+1Xn6x9dLz11ualI1I=
-github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU=
-github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
+github.com/ryanrolds/sqlclosecheck v0.6.0 h1:pEyL9okISdg1F1SEpJNlrEotkTGerv5BMk7U4AG0eVg=
+github.com/ryanrolds/sqlclosecheck v0.6.0/go.mod h1:xyX16hsDaCMXHrMJ3JMzGf5OpDfHTOTTQrT7HOFUmeU=
 github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=
 github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
@@ -357,8 +357,8 @@ github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tM
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
 github.com/sashamelentyev/usestdlibvars v1.29.0 h1:8J0MoRrw4/NAXtjQqTHrbW9NN+3iMf7Knkq057v4XOQ=
 github.com/sashamelentyev/usestdlibvars v1.29.0/go.mod h1:8PpnjHMk5VdeWlVb4wCdrB8PNbLqZ3wBZTZWkrpZZL8=
-github.com/securego/gosec/v2 v2.24.7 h1:3k5yJnrhT1TTdsG0ZsnenlfCcT+7Y/+zeCPHbL7QAn8=
-github.com/securego/gosec/v2 v2.24.7/go.mod h1:AdDJbjcG/XxFgVv7pW19vMNYlFM6+Q6Qy3t6lWAUcEY=
+github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08 h1:AoLtJX4WUtZkhhUUMFy3GgecAALp/Mb4S1iyQOA2s0U=
+github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08/go.mod h1:+XLCJiRE95ga77XInNELh2M6zQP+PdqiT9Zpm0D9Wpk=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
@@ -367,8 +367,8 @@ github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
-github.com/sonatard/noctx v0.5.0 h1:e/jdaqAsuWVOKQ0P6NWiIdDNHmHT5SwuuSfojFjzwrw=
-github.com/sonatard/noctx v0.5.0/go.mod h1:64XdbzFb18XL4LporKXp8poqZtPKbCrqQ402CV+kJas=
+github.com/sonatard/noctx v0.5.1 h1:wklWg9c9ZYugOAk7qG4yP4PBrlQsmSLPTvW1K4PRQMs=
+github.com/sonatard/noctx v0.5.1/go.mod h1:64XdbzFb18XL4LporKXp8poqZtPKbCrqQ402CV+kJas=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
@@ -473,8 +473,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -485,8 +485,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -535,8 +535,8 @@ golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
diff --git a/tools/vendor/github.com/charmbracelet/colorprofile/writer.go b/tools/vendor/github.com/charmbracelet/colorprofile/writer.go
index 1a88e2b7b..c96e61a95 100644
--- a/tools/vendor/github.com/charmbracelet/colorprofile/writer.go
+++ b/tools/vendor/github.com/charmbracelet/colorprofile/writer.go
@@ -40,9 +40,11 @@ func (w *Writer) Write(p []byte) (int, error) {
 	case w.Profile == TrueColor:
 		return w.Forward.Write(p) //nolint:wrapcheck
 	case w.Profile <= NoTTY:
-		return io.WriteString(w.Forward, ansi.Strip(string(p))) //nolint:wrapcheck
+		_, err := io.WriteString(w.Forward, ansi.Strip(string(p)))
+		return len(p), err
 	case w.Profile == ASCII, w.Profile == ANSI, w.Profile == ANSI256:
-		return w.downsample(p)
+		_, err := w.downsample(p)
+		return len(p), err
 	default:
 		return 0, fmt.Errorf("invalid profile: %v", w.Profile)
 	}
diff --git a/tools/vendor/github.com/fatih/color/color.go b/tools/vendor/github.com/fatih/color/color.go
index ee39b408e..d3906bfbd 100644
--- a/tools/vendor/github.com/fatih/color/color.go
+++ b/tools/vendor/github.com/fatih/color/color.go
@@ -19,15 +19,15 @@ var (
 	// set (regardless of its value). This is a global option and affects all
 	// colors. For more control over each color block use the methods
 	// DisableColor() individually.
-	NoColor = noColorIsSet() || os.Getenv("TERM") == "dumb" ||
-		(!isatty.IsTerminal(os.Stdout.Fd()) && !isatty.IsCygwinTerminal(os.Stdout.Fd()))
+	NoColor = noColorIsSet() || os.Getenv("TERM") == "dumb" || !stdoutIsTerminal()
 
 	// Output defines the standard output of the print functions. By default,
-	// os.Stdout is used.
-	Output = colorable.NewColorableStdout()
+	// stdOut() is used.
+	Output = stdOut()
 
-	// Error defines a color supporting writer for os.Stderr.
-	Error = colorable.NewColorableStderr()
+	// Error defines the standard error of the print functions. By default,
+	// stdErr() is used.
+	Error = stdErr()
 
 	// colorsCache is used to reduce the count of created Color objects and
 	// allows to reuse already created objects with required Attribute.
@@ -40,6 +40,33 @@ func noColorIsSet() bool {
 	return os.Getenv("NO_COLOR") != ""
 }
 
+// stdoutIsTerminal returns true if os.Stdout is a terminal.
+// Returns false if os.Stdout is nil (e.g., when running as a Windows service).
+func stdoutIsTerminal() bool {
+	if os.Stdout == nil {
+		return false
+	}
+	return isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd())
+}
+
+// stdOut returns a writer for color output.
+// Returns io.Discard if os.Stdout is nil (e.g., when running as a Windows service).
+func stdOut() io.Writer {
+	if os.Stdout == nil {
+		return io.Discard
+	}
+	return colorable.NewColorableStdout()
+}
+
+// stdErr returns a writer for color error output.
+// Returns io.Discard if os.Stderr is nil (e.g., when running as a Windows service).
+func stdErr() io.Writer {
+	if os.Stderr == nil {
+		return io.Discard
+	}
+	return colorable.NewColorableStderr()
+}
+
 // Color defines a custom color object which is defined by SGR parameters.
 type Color struct {
 	params  []Attribute
@@ -220,26 +247,30 @@ func (c *Color) unset() {
 // a low-level function, and users should use the higher-level functions, such
 // as color.Fprint, color.Print, etc.
 func (c *Color) SetWriter(w io.Writer) *Color {
+	_, _ = c.setWriter(w)
+	return c
+}
+
+func (c *Color) setWriter(w io.Writer) (int, error) {
 	if c.isNoColorSet() {
-		return c
+		return 0, nil
 	}
 
-	fmt.Fprint(w, c.format())
-	return c
+	return fmt.Fprint(w, c.format())
 }
 
 // UnsetWriter resets all escape attributes and clears the output with the give
 // io.Writer. Usually should be called after SetWriter().
 func (c *Color) UnsetWriter(w io.Writer) {
-	if c.isNoColorSet() {
-		return
-	}
+	_, _ = c.unsetWriter(w)
+}
 
-	if NoColor {
-		return
+func (c *Color) unsetWriter(w io.Writer) (int, error) {
+	if c.isNoColorSet() {
+		return 0, nil
 	}
 
-	fmt.Fprintf(w, "%s[%dm", escape, Reset)
+	return fmt.Fprintf(w, "%s[%dm", escape, Reset)
 }
 
 // Add is used to chain SGR parameters. Use as many as parameters to combine
@@ -255,10 +286,20 @@ func (c *Color) Add(value ...Attribute) *Color {
 // On Windows, users should wrap w with colorable.NewColorable() if w is of
 // type *os.File.
 func (c *Color) Fprint(w io.Writer, a ...interface{}) (n int, err error) {
-	c.SetWriter(w)
-	defer c.UnsetWriter(w)
+	n, err = c.setWriter(w)
+	if err != nil {
+		return n, err
+	}
+
+	nn, err := fmt.Fprint(w, a...)
+	n += nn
+	if err != nil {
+		return
+	}
 
-	return fmt.Fprint(w, a...)
+	nn, err = c.unsetWriter(w)
+	n += nn
+	return n, err
 }
 
 // Print formats using the default formats for its operands and writes to
@@ -278,10 +319,20 @@ func (c *Color) Print(a ...interface{}) (n int, err error) {
 // On Windows, users should wrap w with colorable.NewColorable() if w is of
 // type *os.File.
 func (c *Color) Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) {
-	c.SetWriter(w)
-	defer c.UnsetWriter(w)
+	n, err = c.setWriter(w)
+	if err != nil {
+		return n, err
+	}
+
+	nn, err := fmt.Fprintf(w, format, a...)
+	n += nn
+	if err != nil {
+		return
+	}
 
-	return fmt.Fprintf(w, format, a...)
+	nn, err = c.unsetWriter(w)
+	n += nn
+	return n, err
 }
 
 // Printf formats according to a format specifier and writes to standard output.
@@ -475,27 +526,24 @@ func (c *Color) Equals(c2 *Color) bool {
 	if c == nil || c2 == nil {
 		return false
 	}
+
 	if len(c.params) != len(c2.params) {
 		return false
 	}
 
+	counts := make(map[Attribute]int, len(c.params))
 	for _, attr := range c.params {
-		if !c2.attrExists(attr) {
-			return false
-		}
+		counts[attr]++
 	}
 
-	return true
-}
-
-func (c *Color) attrExists(a Attribute) bool {
-	for _, attr := range c.params {
-		if attr == a {
-			return true
+	for _, attr := range c2.params {
+		if counts[attr] == 0 {
+			return false
 		}
+		counts[attr]--
 	}
 
-	return false
+	return true
 }
 
 func boolPtr(v bool) *bool {
diff --git a/tools/vendor/github.com/fatih/color/color_windows.go b/tools/vendor/github.com/fatih/color/color_windows.go
index be01c558e..97e5a765a 100644
--- a/tools/vendor/github.com/fatih/color/color_windows.go
+++ b/tools/vendor/github.com/fatih/color/color_windows.go
@@ -9,6 +9,9 @@ import (
 func init() {
 	// Opt-in for ansi color support for current process.
 	// https://learn.microsoft.com/en-us/windows/console/console-virtual-terminal-sequences#output-sequences
+	if os.Stdout == nil {
+		return
+	}
 	var outMode uint32
 	out := windows.Handle(os.Stdout.Fd())
 	if err := windows.GetConsoleMode(out, &outMode); err != nil {
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/readme.md b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/readme.md
deleted file mode 100644
index 6035c2226..000000000
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/readme.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# analysisflags
-
-Extracted from `/go/analysis/internal/analysisflags` (related to `checker`).
-This is just a copy of the code without any changes.
-
-## History
-
-- https://github.com/golangci/golangci-lint/pull/6076
-  - sync with https://github.com/golang/tools/blob/v0.37.0/go/analysis/internal/analysisflags
-- https://github.com/golangci/golangci-lint/pull/5576
-  - sync with https://github.com/golang/tools/blob/v0.28.0/go/analysis/internal/analysisflags
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/readme.md b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/readme.md
deleted file mode 100644
index 6c54592d9..000000000
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/readme.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# analysisinternal
-
-Extracted from `/internal/analysisinternal/` (related to `checker`).
-This is just a copy of the code without any changes.
-
-## History
-
-- https://github.com/golangci/golangci-lint/pull/6076
-  - sync with https://github.com/golang/tools/blob/v0.37.0/internal/analysisinternal/
-- https://github.com/golangci/golangci-lint/pull/5576
-  - sync with https://github.com/golang/tools/blob/v0.28.0/internal/analysisinternal/
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/analysis.go b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readfile.go
similarity index 88%
rename from tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/analysis.go
rename to tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readfile.go
index b613d1673..dc1d54dd8 100644
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal/analysis.go
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readfile.go
@@ -2,9 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package analysisinternal provides gopls' internal analyses with a
-// number of helper functions that operate on typed syntax trees.
-package analysisinternal
+package driverutil
+
+// This file defines helpers for implementing [analysis.Pass.ReadFile].
 
 import (
 	"fmt"
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readme.md b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readme.md
new file mode 100644
index 000000000..8720fb6ff
--- /dev/null
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/readme.md
@@ -0,0 +1,25 @@
+# driverutil
+
+Extracted from `/internal/analysis/driverutil/` (related to `checker`).
+This is just a copy of `readfile.go` and `url.go` without any changes.
+
+Previously, it was `analysisinternal` and `analysisflags` packages.
+
+## History
+
+- https://github.com/golangci/golangci-lint/pull/6434
+  - sync with https://github.com/golang/tools/blob/v0.43.0/internal/analysis/driverutil/readfile.go
+
+## analysisinternal History
+
+- https://github.com/golangci/golangci-lint/pull/6076
+  - sync with https://github.com/golang/tools/blob/v0.37.0/internal/analysisinternal/
+- https://github.com/golangci/golangci-lint/pull/5576
+  - sync with https://github.com/golang/tools/blob/v0.28.0/internal/analysisinternal/
+
+## analysisflags History
+
+- https://github.com/golangci/golangci-lint/pull/6076
+  - sync with https://github.com/golang/tools/blob/v0.37.0/go/analysis/internal/analysisflags
+- https://github.com/golangci/golangci-lint/pull/5576
+  - sync with https://github.com/golang/tools/blob/v0.28.0/go/analysis/internal/analysisflags
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/url.go b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/url.go
similarity index 97%
rename from tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/url.go
rename to tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/url.go
index 26a917a99..93b3ecfd4 100644
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags/url.go
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil/url.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package analysisflags
+package driverutil
 
 import (
 	"fmt"
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/goanalysis/runner_checker.go b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/goanalysis/runner_checker.go
index 0d3fcdb9e..284aed2e6 100644
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/goanalysis/runner_checker.go
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/goanalysis/runner_checker.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //
-// Altered copy of https://github.com/golang/tools/blob/v0.28.0/go/analysis/internal/checker/checker.go
+// Altered copy of https://github.com/golang/tools/blob/v0.43.0/go/analysis/checker/checker.go
 
 package goanalysis
 
@@ -19,8 +19,7 @@ import (
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/packages"
 
-	"github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags"
-	"github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal"
+	"github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil"
 	"github.com/golangci/golangci-lint/v2/pkg/goanalysis/pkgerrors"
 )
 
@@ -134,9 +133,7 @@ func (act *action) analyze() {
 
 	module := &analysis.Module{} // possibly empty (non nil) in go/analysis drivers.
 	if mod := act.Package.Module; mod != nil {
-		module.Path = mod.Path
-		module.Version = mod.Version
-		module.GoVersion = mod.GoVersion
+		module = analysisModuleFromPackagesModule(mod)
 	}
 
 	// Run the analysis.
@@ -161,7 +158,7 @@ func (act *action) analyze() {
 		AllObjectFacts:    act.AllObjectFacts,
 		AllPackageFacts:   act.AllPackageFacts,
 	}
-	pass.ReadFile = analysisinternal.CheckedReadFile(pass, os.ReadFile)
+	pass.ReadFile = driverutil.CheckedReadFile(pass, os.ReadFile)
 	act.pass = pass
 
 	act.runner.passToPkgGuard.Lock()
@@ -199,7 +196,7 @@ func (act *action) analyze() {
 
 		// resolve diagnostic URLs
 		for i := range act.Diagnostics {
-			url, err := analysisflags.ResolveURL(act.Analyzer, act.Diagnostics[i])
+			url, err := driverutil.ResolveURL(act.Analyzer, act.Diagnostics[i])
 			if err != nil {
 				return nil, err
 			}
@@ -324,7 +321,7 @@ func exportedFrom(obj types.Object, pkg *types.Package) bool {
 	switch obj := obj.(type) {
 	case *types.Func:
 		return obj.Exported() && obj.Pkg() == pkg ||
-			obj.Type().(*types.Signature).Recv() != nil
+			obj.Signature().Recv() != nil
 	case *types.Var:
 		if obj.IsField() {
 			return true
@@ -387,8 +384,8 @@ func (act *action) exportObjectFact(obj types.Object, fact analysis.Fact) {
 // See documentation at AllObjectFacts field of [analysis.Pass].
 func (act *action) AllObjectFacts() []analysis.ObjectFact {
 	facts := make([]analysis.ObjectFact, 0, len(act.objectFacts))
-	for k := range act.objectFacts {
-		facts = append(facts, analysis.ObjectFact{Object: k.obj, Fact: act.objectFacts[k]})
+	for k, fact := range act.objectFacts {
+		facts = append(facts, analysis.ObjectFact{Object: k.obj, Fact: fact})
 	}
 	return facts
 }
@@ -445,3 +442,30 @@ func (act *action) AllPackageFacts() []analysis.PackageFact {
 	}
 	return facts
 }
+
+// NOTE(ldez) no alteration.
+func analysisModuleFromPackagesModule(mod *packages.Module) *analysis.Module {
+	if mod == nil {
+		return nil
+	}
+
+	var modErr *analysis.ModuleError
+	if mod.Error != nil {
+		modErr = &analysis.ModuleError{
+			Err: mod.Error.Err,
+		}
+	}
+
+	return &analysis.Module{
+		Path:      mod.Path,
+		Version:   mod.Version,
+		Replace:   analysisModuleFromPackagesModule(mod.Replace),
+		Time:      mod.Time,
+		Main:      mod.Main,
+		Indirect:  mod.Indirect,
+		Dir:       mod.Dir,
+		GoMod:     mod.GoMod,
+		GoVersion: mod.GoVersion,
+		Error:     modErr,
+	}
+}
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/golinters/sqlclosecheck/sqlclosecheck.go b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/golinters/sqlclosecheck/sqlclosecheck.go
index 4c970cc52..69872733e 100644
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/golinters/sqlclosecheck/sqlclosecheck.go
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/golinters/sqlclosecheck/sqlclosecheck.go
@@ -8,6 +8,6 @@ import (
 
 func New() *goanalysis.Linter {
 	return goanalysis.
-		NewLinterFromAnalyzer(analyzer.NewAnalyzer()).
+		NewLinterFromAnalyzer(analyzer.NewDeferOnlyAnalyzer()).
 		WithLoadMode(goanalysis.LoadModeTypesInfo)
 }
diff --git a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/lint/lintersdb/builder_linter.go b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/lint/lintersdb/builder_linter.go
index 2581bb74e..44eadecc5 100644
--- a/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/lint/lintersdb/builder_linter.go
+++ b/tools/vendor/github.com/golangci/golangci-lint/v2/pkg/lint/lintersdb/builder_linter.go
@@ -132,7 +132,7 @@ func NewLinterBuilder() *LinterBuilder {
 }
 
 // Build loads all the "internal" linters.
-// The configuration is use for the linter settings.
+// The configuration is used for the linter settings.
 func (LinterBuilder) Build(cfg *config.Config) ([]*linter.Config, error) {
 	if cfg == nil {
 		return nil, nil
diff --git a/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/analyzer.go b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/analyzer.go
index 55e931a89..8dd836255 100644
--- a/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/analyzer.go
+++ b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/analyzer.go
@@ -1,405 +1,35 @@
 package analyzer
 
 import (
-	"go/types"
+	"flag"
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
-	"golang.org/x/tools/go/ssa"
 )
 
-const (
-	rowsName      = "Rows"
-	stmtName      = "Stmt"
-	namedStmtName = "NamedStmt"
-	closeMethod   = "Close"
-)
-
-type action uint8
-
-const (
-	actionUnhandled action = iota
-	actionHandled
-	actionReturned
-	actionPassed
-	actionClosed
-	actionUnvaluedCall
-	actionUnvaluedDefer
-	actionNoOp
-)
+// NewAnalyzer returns a non-configurable analyzer that defaults to the defer-only mode.
+// Deprecated, this will be removed in v1.0.0.
+func NewAnalyzer() *analysis.Analyzer {
+	flags := flag.NewFlagSet("analyzer", flag.ExitOnError)
+	return newAnalyzer(run, flags)
+}
 
-var (
-	sqlPackages = []string{
-		"database/sql",
-		"github.com/jmoiron/sqlx",
-		"github.com/jackc/pgx/v5",
-		"github.com/jackc/pgx/v5/pgxpool",
-	}
-)
+func run(pass *analysis.Pass) (interface{}, error) {
+	opinionatedAnalyzer := &deferOnlyAnalyzer{}
+	return opinionatedAnalyzer.Run(pass)
+}
 
-func NewAnalyzer() *analysis.Analyzer {
+// newAnalyzer returns a new analyzer with the given run function, should be used by all analyzers.
+func newAnalyzer(
+	r func(pass *analysis.Pass) (interface{}, error),
+	flags *flag.FlagSet,
+) *analysis.Analyzer {
 	return &analysis.Analyzer{
 		Name: "sqlclosecheck",
 		Doc:  "Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.",
-		Run:  run,
+		Run:  r,
 		Requires: []*analysis.Analyzer{
 			buildssa.Analyzer,
 		},
 	}
 }
-
-func run(pass *analysis.Pass) (interface{}, error) {
-	pssa, ok := pass.ResultOf[buildssa.Analyzer].(*buildssa.SSA)
-	if !ok {
-		return nil, nil
-	}
-
-	// Build list of types we are looking for
-	targetTypes := getTargetTypes(pssa, sqlPackages)
-
-	// If non of the types are found, skip
-	if len(targetTypes) == 0 {
-		return nil, nil
-	}
-
-	funcs := pssa.SrcFuncs
-	for _, f := range funcs {
-		for _, b := range f.Blocks {
-			for i := range b.Instrs {
-				// Check if instruction is call that returns a target pointer type
-				targetValues := getTargetTypesValues(b, i, targetTypes)
-				if len(targetValues) == 0 {
-					continue
-				}
-
-				// For each found target check if they are closed and deferred
-				for _, targetValue := range targetValues {
-					refs := (*targetValue.value).Referrers()
-					isClosed := checkClosed(refs, targetTypes)
-					if !isClosed {
-						pass.Reportf((targetValue.instr).Pos(), "Rows/Stmt/NamedStmt was not closed")
-					}
-
-					checkDeferred(pass, refs, targetTypes, false)
-				}
-			}
-		}
-	}
-
-	return nil, nil
-}
-
-func getTargetTypes(pssa *buildssa.SSA, targetPackages []string) []any {
-	targets := []any{}
-
-	for _, sqlPkg := range targetPackages {
-		pkg := pssa.Pkg.Prog.ImportedPackage(sqlPkg)
-		if pkg == nil {
-			// the SQL package being checked isn't imported
-			continue
-		}
-
-		rowsPtrType := getTypePointerFromName(pkg, rowsName)
-		if rowsPtrType != nil {
-			targets = append(targets, rowsPtrType)
-		}
-
-		rowsType := getTypeFromName(pkg, rowsName)
-		if rowsType != nil {
-			targets = append(targets, rowsType)
-		}
-
-		stmtType := getTypePointerFromName(pkg, stmtName)
-		if stmtType != nil {
-			targets = append(targets, stmtType)
-		}
-
-		namedStmtType := getTypePointerFromName(pkg, namedStmtName)
-		if namedStmtType != nil {
-			targets = append(targets, namedStmtType)
-		}
-	}
-
-	return targets
-}
-
-func getTypePointerFromName(pkg *ssa.Package, name string) *types.Pointer {
-	pkgType := pkg.Type(name)
-	if pkgType == nil {
-		// this package does not use Rows/Stmt/NamedStmt
-		return nil
-	}
-
-	obj := pkgType.Object()
-	named, ok := obj.Type().(*types.Named)
-	if !ok {
-		return nil
-	}
-
-	return types.NewPointer(named)
-}
-
-func getTypeFromName(pkg *ssa.Package, name string) *types.Named {
-	pkgType := pkg.Type(name)
-	if pkgType == nil {
-		// this package does not use Rows/Stmt
-		return nil
-	}
-
-	obj := pkgType.Object()
-	named, ok := obj.Type().(*types.Named)
-	if !ok {
-		return nil
-	}
-
-	return named
-}
-
-type targetValue struct {
-	value *ssa.Value
-	instr ssa.Instruction
-}
-
-func getTargetTypesValues(b *ssa.BasicBlock, i int, targetTypes []any) []targetValue {
-	targetValues := []targetValue{}
-
-	instr := b.Instrs[i]
-	call, ok := instr.(*ssa.Call)
-	if !ok {
-		return targetValues
-	}
-
-	signature := call.Call.Signature()
-	results := signature.Results()
-	for i := 0; i < results.Len(); i++ {
-		v := results.At(i)
-		varType := v.Type()
-
-		for _, targetType := range targetTypes {
-			var tt types.Type
-
-			switch t := targetType.(type) {
-			case *types.Pointer:
-				tt = t
-			case *types.Named:
-				tt = t
-			default:
-				continue
-			}
-
-			if !types.Identical(varType, tt) {
-				continue
-			}
-
-			for _, cRef := range *call.Referrers() {
-				switch instr := cRef.(type) {
-				case *ssa.Call:
-					if len(instr.Call.Args) >= 1 && types.Identical(instr.Call.Args[0].Type(), tt) {
-						targetValues = append(targetValues, targetValue{
-							value: &instr.Call.Args[0],
-							instr: call,
-						})
-					}
-				case ssa.Value:
-					if types.Identical(instr.Type(), tt) {
-						targetValues = append(targetValues, targetValue{
-							value: &instr,
-							instr: call,
-						})
-					}
-				}
-			}
-		}
-	}
-
-	return targetValues
-}
-
-func checkClosed(refs *[]ssa.Instruction, targetTypes []any) bool {
-	numInstrs := len(*refs)
-	for idx, ref := range *refs {
-		action := getAction(ref, targetTypes)
-		switch action {
-		case actionClosed, actionReturned, actionHandled:
-			return true
-		case actionPassed:
-			// Passed and not used after
-			if numInstrs == idx+1 {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
-func getAction(instr ssa.Instruction, targetTypes []any) action {
-	switch instr := instr.(type) {
-	case *ssa.Defer:
-		if instr.Call.Value != nil {
-			name := instr.Call.Value.Name()
-			if name == closeMethod {
-				return actionClosed
-			}
-		}
-
-		if instr.Call.Method != nil {
-			name := instr.Call.Method.Name()
-			if name == closeMethod {
-				return actionClosed
-			}
-		}
-
-		return actionUnvaluedDefer
-	case *ssa.Call:
-		if instr.Call.Value == nil {
-			return actionUnvaluedCall
-		}
-
-		isTarget := false
-		staticCallee := instr.Call.StaticCallee()
-		if staticCallee != nil {
-			receiver := instr.Call.StaticCallee().Signature.Recv()
-			if receiver != nil {
-				isTarget = isTargetType(receiver.Type(), targetTypes)
-			}
-		}
-
-		name := instr.Call.Value.Name()
-		if isTarget && name == closeMethod {
-			return actionClosed
-		}
-
-		if !isTarget {
-			return actionPassed
-		}
-	case *ssa.Phi:
-		return actionPassed
-	case *ssa.MakeInterface:
-		return actionPassed
-	case *ssa.Store:
-		// A Row/Stmt is stored in a struct, which may be closed later
-		// by a different flow.
-		if _, ok := instr.Addr.(*ssa.FieldAddr); ok {
-			return actionReturned
-		}
-
-		if len(*instr.Addr.Referrers()) == 0 {
-			return actionNoOp
-		}
-
-		for _, aRef := range *instr.Addr.Referrers() {
-			if c, ok := aRef.(*ssa.MakeClosure); ok {
-				if f, ok := c.Fn.(*ssa.Function); ok {
-					for _, b := range f.Blocks {
-						if checkClosed(&b.Instrs, targetTypes) {
-							return actionHandled
-						}
-					}
-				}
-			}
-		}
-	case *ssa.UnOp:
-		instrType := instr.Type()
-		for _, targetType := range targetTypes {
-			var tt types.Type
-
-			switch t := targetType.(type) {
-			case *types.Pointer:
-				tt = t
-			case *types.Named:
-				tt = t
-			default:
-				continue
-			}
-
-			if types.Identical(instrType, tt) {
-				if checkClosed(instr.Referrers(), targetTypes) {
-					return actionHandled
-				}
-			}
-		}
-	case *ssa.FieldAddr:
-		if checkClosed(instr.Referrers(), targetTypes) {
-			return actionHandled
-		}
-	case *ssa.Return:
-		return actionReturned
-	}
-
-	return actionUnhandled
-}
-
-func checkDeferred(pass *analysis.Pass, instrs *[]ssa.Instruction, targetTypes []any, inDefer bool) {
-	for _, instr := range *instrs {
-		switch instr := instr.(type) {
-		case *ssa.Defer:
-			if instr.Call.Value != nil && instr.Call.Value.Name() == closeMethod {
-				return
-			}
-
-			if instr.Call.Method != nil && instr.Call.Method.Name() == closeMethod {
-				return
-			}
-		case *ssa.Call:
-			if instr.Call.Value != nil && instr.Call.Value.Name() == closeMethod {
-				if !inDefer {
-					pass.Reportf(instr.Pos(), "Close should use defer")
-				}
-
-				return
-			}
-		case *ssa.Store:
-			if len(*instr.Addr.Referrers()) == 0 {
-				return
-			}
-
-			for _, aRef := range *instr.Addr.Referrers() {
-				if c, ok := aRef.(*ssa.MakeClosure); ok {
-					if f, ok := c.Fn.(*ssa.Function); ok {
-						for _, b := range f.Blocks {
-							checkDeferred(pass, &b.Instrs, targetTypes, true)
-						}
-					}
-				}
-			}
-		case *ssa.UnOp:
-			instrType := instr.Type()
-			for _, targetType := range targetTypes {
-				var tt types.Type
-
-				switch t := targetType.(type) {
-				case *types.Pointer:
-					tt = t
-				case *types.Named:
-					tt = t
-				default:
-					continue
-				}
-
-				if types.Identical(instrType, tt) {
-					checkDeferred(pass, instr.Referrers(), targetTypes, inDefer)
-				}
-			}
-		case *ssa.FieldAddr:
-			checkDeferred(pass, instr.Referrers(), targetTypes, inDefer)
-		}
-	}
-}
-
-func isTargetType(t types.Type, targetTypes []any) bool {
-	for _, targetType := range targetTypes {
-		switch tt := targetType.(type) {
-		case *types.Pointer:
-			if types.Identical(t, tt) {
-				return true
-			}
-		case *types.Named:
-			if types.Identical(t, tt) {
-				return true
-			}
-		}
-	}
-
-	return false
-}
diff --git a/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/closed.go b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/closed.go
new file mode 100644
index 000000000..72fdbdf9c
--- /dev/null
+++ b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/closed.go
@@ -0,0 +1,25 @@
+package analyzer
+
+import (
+	"flag"
+
+	"golang.org/x/tools/go/analysis"
+)
+
+type closedAnalyzer struct{}
+
+func NewClosedAnalyzer() *analysis.Analyzer {
+	analyzer := &closedAnalyzer{}
+	flags := flag.NewFlagSet("closedAnalyzer", flag.ExitOnError)
+	return newAnalyzer(analyzer.Run, flags)
+}
+
+// Run implements the main analysis pass
+func (a *closedAnalyzer) Run(pass *analysis.Pass) (interface{}, error) {
+	// pssa, ok := pass.ResultOf[buildssa.Analyzer].(*buildssa.SSA)
+	// if !ok {
+	// 	return nil, nil
+	// }
+
+	return nil, nil
+}
diff --git a/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/configurable.go b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/configurable.go
new file mode 100644
index 000000000..d7e96ff12
--- /dev/null
+++ b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/configurable.go
@@ -0,0 +1,40 @@
+package analyzer
+
+import (
+	"flag"
+	"fmt"
+
+	"golang.org/x/tools/go/analysis"
+)
+
+type ConfigurableModeType string
+
+const (
+	ConfigurableAnalyzerDeferOnly ConfigurableModeType = "defer-only"
+	ConfigurableAnalyzerClosed    ConfigurableModeType = "closed"
+)
+
+type ConifgurableAnalyzer struct {
+	Mode string
+}
+
+func NewConfigurableAnalyzer(mode ConfigurableModeType) *analysis.Analyzer {
+	cfgAnalyzer := &ConifgurableAnalyzer{}
+	flags := flag.NewFlagSet("cfgAnalyzer", flag.ExitOnError)
+	flags.StringVar(&cfgAnalyzer.Mode, "mode", string(mode),
+		"Mode to run the analyzer in. (defer-only, closed)")
+	return newAnalyzer(cfgAnalyzer.run, flags)
+}
+
+func (c *ConifgurableAnalyzer) run(pass *analysis.Pass) (interface{}, error) {
+	switch c.Mode {
+	case string(ConfigurableAnalyzerDeferOnly):
+		analyzer := &deferOnlyAnalyzer{}
+		return analyzer.Run(pass)
+	case string(ConfigurableAnalyzerClosed):
+		analyzer := &closedAnalyzer{}
+		return analyzer.Run(pass)
+	default:
+		return nil, fmt.Errorf("invalid mode: %s", c.Mode)
+	}
+}
diff --git a/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/defer_only.go b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/defer_only.go
new file mode 100644
index 000000000..701c7c6f6
--- /dev/null
+++ b/tools/vendor/github.com/ryanrolds/sqlclosecheck/pkg/analyzer/defer_only.go
@@ -0,0 +1,441 @@
+package analyzer
+
+import (
+	"flag"
+	"go/types"
+
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/tools/go/analysis/passes/buildssa"
+	"golang.org/x/tools/go/ssa"
+)
+
+const (
+	rowsName      = "Rows"
+	stmtName      = "Stmt"
+	namedStmtName = "NamedStmt"
+	closeMethod   = "Close"
+)
+
+type action uint8
+
+const (
+	actionUnhandled action = iota
+	actionHandled
+	actionReturned
+	actionPassed
+	actionClosed
+	actionUnvaluedCall
+	actionUnvaluedDefer
+	actionNoOp
+)
+
+var (
+	sqlPackages = []string{
+		"database/sql",
+		"github.com/jmoiron/sqlx",
+		"github.com/jackc/pgx/v5",
+		"github.com/jackc/pgx/v5/pgxpool",
+	}
+)
+
+type deferOnlyAnalyzer struct{}
+
+func NewDeferOnlyAnalyzer() *analysis.Analyzer {
+	analyzer := &deferOnlyAnalyzer{}
+	flags := flag.NewFlagSet("deferOnlyAnalyzer", flag.ExitOnError)
+	return newAnalyzer(analyzer.Run, flags)
+}
+
+// Run implements the main analysis pass
+func (a *deferOnlyAnalyzer) Run(pass *analysis.Pass) (interface{}, error) {
+	pssa, ok := pass.ResultOf[buildssa.Analyzer].(*buildssa.SSA)
+	if !ok {
+		return nil, nil
+	}
+
+	// Build list of types we are looking for
+	targetTypes := getTargetTypes(pssa, sqlPackages)
+
+	// If non of the types are found, skip
+	if len(targetTypes) == 0 {
+		return nil, nil
+	}
+
+	funcs := pssa.SrcFuncs
+	for _, f := range funcs {
+		for _, b := range f.Blocks {
+			for i := range b.Instrs {
+				// Check if instruction is call that returns a target pointer type
+				targetValues := getTargetTypesValues(b, i, targetTypes)
+				if len(targetValues) == 0 {
+					continue
+				}
+
+				// For each found target check if they are closed and deferred
+				for _, targetValue := range targetValues {
+					refs := (*targetValue.value).Referrers()
+					isClosed := checkClosed(refs, targetTypes)
+					if !isClosed {
+						pass.Reportf((targetValue.instr).Pos(), "Rows/Stmt/NamedStmt was not closed")
+					}
+
+					checkDeferred(pass, refs, targetTypes, false)
+				}
+			}
+		}
+	}
+
+	return nil, nil
+}
+
+func getTargetTypes(pssa *buildssa.SSA, targetPackages []string) []any {
+	targets := []any{}
+
+	for _, sqlPkg := range targetPackages {
+		pkg := pssa.Pkg.Prog.ImportedPackage(sqlPkg)
+		if pkg == nil {
+			// the SQL package being checked isn't imported
+			continue
+		}
+
+		rowsPtrType := getTypePointerFromName(pkg, rowsName)
+		if rowsPtrType != nil {
+			targets = append(targets, rowsPtrType)
+		}
+
+		rowsType := getTypeFromName(pkg, rowsName)
+		if rowsType != nil {
+			targets = append(targets, rowsType)
+		}
+
+		stmtType := getTypePointerFromName(pkg, stmtName)
+		if stmtType != nil {
+			targets = append(targets, stmtType)
+		}
+
+		namedStmtType := getTypePointerFromName(pkg, namedStmtName)
+		if namedStmtType != nil {
+			targets = append(targets, namedStmtType)
+		}
+	}
+
+	return targets
+}
+
+func getTypePointerFromName(pkg *ssa.Package, name string) *types.Pointer {
+	pkgType := pkg.Type(name)
+	if pkgType == nil {
+		// this package does not use Rows/Stmt/NamedStmt
+		return nil
+	}
+
+	obj := pkgType.Object()
+	named, ok := obj.Type().(*types.Named)
+	if !ok {
+		return nil
+	}
+
+	return types.NewPointer(named)
+}
+
+func getTypeFromName(pkg *ssa.Package, name string) *types.Named {
+	pkgType := pkg.Type(name)
+	if pkgType == nil {
+		// this package does not use Rows/Stmt
+		return nil
+	}
+
+	obj := pkgType.Object()
+	named, ok := obj.Type().(*types.Named)
+	if !ok {
+		return nil
+	}
+
+	return named
+}
+
+type targetValue struct {
+	value *ssa.Value
+	instr ssa.Instruction
+}
+
+func getTargetTypesValues(b *ssa.BasicBlock, i int, targetTypes []any) []targetValue {
+	targetValues := []targetValue{}
+
+	instr := b.Instrs[i]
+	call, ok := instr.(*ssa.Call)
+	if !ok {
+		return targetValues
+	}
+
+	signature := call.Call.Signature()
+	results := signature.Results()
+	for i := 0; i < results.Len(); i++ {
+		v := results.At(i)
+		varType := v.Type()
+
+		for _, targetType := range targetTypes {
+			var tt types.Type
+
+			switch t := targetType.(type) {
+			case *types.Pointer:
+				tt = t
+			case *types.Named:
+				tt = t
+			default:
+				continue
+			}
+
+			if !types.Identical(varType, tt) {
+				continue
+			}
+
+			for _, cRef := range *call.Referrers() {
+				switch instr := cRef.(type) {
+				case *ssa.Call:
+					if len(instr.Call.Args) >= 1 && types.Identical(instr.Call.Args[0].Type(), tt) {
+						targetValues = append(targetValues, targetValue{
+							value: &instr.Call.Args[0],
+							instr: call,
+						})
+					}
+				case ssa.Value:
+					if types.Identical(instr.Type(), tt) {
+						targetValues = append(targetValues, targetValue{
+							value: &instr,
+							instr: call,
+						})
+					}
+				}
+			}
+		}
+	}
+
+	return targetValues
+}
+
+func checkClosed(refs *[]ssa.Instruction, targetTypes []any) bool {
+	numInstrs := len(*refs)
+	for idx, ref := range *refs {
+		action := getAction(ref, targetTypes)
+		switch action {
+		case actionClosed, actionReturned, actionHandled:
+			return true
+		case actionPassed:
+			// Passed and not used after
+			if numInstrs == idx+1 {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func getAction(instr ssa.Instruction, targetTypes []any) action {
+	switch instr := instr.(type) {
+	case *ssa.Defer:
+		if instr.Call.Value != nil {
+			name := instr.Call.Value.Name()
+			if name == closeMethod {
+				return actionClosed
+			}
+		}
+
+		if instr.Call.Method != nil {
+			name := instr.Call.Method.Name()
+			if name == closeMethod {
+				return actionClosed
+			}
+		} else if instr.Call.Value != nil {
+			// If it is a deferred function, go further down the call chain
+			if f, ok := instr.Call.Value.(*ssa.Function); ok {
+				for _, b := range f.Blocks {
+					if checkClosed(&b.Instrs, targetTypes) {
+						return actionHandled
+					}
+				}
+			}
+		}
+
+		return actionUnvaluedDefer
+	case *ssa.Call:
+		if instr.Call.Value == nil {
+			return actionUnvaluedCall
+		}
+
+		isTarget := false
+		staticCallee := instr.Call.StaticCallee()
+		if staticCallee != nil {
+			receiver := instr.Call.StaticCallee().Signature.Recv()
+			if receiver != nil {
+				isTarget = isTargetType(receiver.Type(), targetTypes)
+			}
+		}
+
+		name := instr.Call.Value.Name()
+		if isTarget && name == closeMethod {
+			return actionClosed
+		}
+
+		if !isTarget {
+			return actionPassed
+		}
+	case *ssa.Phi:
+		return actionPassed
+	case *ssa.MakeInterface:
+		return actionPassed
+	case *ssa.Store:
+		// A Row/Stmt is stored in a struct, which may be closed later
+		// by a different flow.
+		if _, ok := instr.Addr.(*ssa.FieldAddr); ok {
+			return actionReturned
+		}
+
+		if instr.Addr.Referrers() == nil {
+			return actionNoOp
+		}
+
+		if len(*instr.Addr.Referrers()) == 0 {
+			return actionNoOp
+		}
+
+		for _, aRef := range *instr.Addr.Referrers() {
+			if c, ok := aRef.(*ssa.MakeClosure); ok {
+				if f, ok := c.Fn.(*ssa.Function); ok {
+					for _, b := range f.Blocks {
+						if checkClosed(&b.Instrs, targetTypes) {
+							return actionHandled
+						}
+					}
+				}
+			}
+		}
+	case *ssa.UnOp:
+		instrType := instr.Type()
+		for _, targetType := range targetTypes {
+			var tt types.Type
+
+			switch t := targetType.(type) {
+			case *types.Pointer:
+				tt = t
+			case *types.Named:
+				tt = t
+			default:
+				continue
+			}
+
+			if types.Identical(instrType, tt) {
+				if checkClosed(instr.Referrers(), targetTypes) {
+					return actionHandled
+				}
+			}
+		}
+	case *ssa.FieldAddr:
+		if checkClosed(instr.Referrers(), targetTypes) {
+			return actionHandled
+		}
+	case *ssa.Return:
+		if len(instr.Results) != 0 {
+			for _, result := range instr.Results {
+				resultType := result.Type()
+				for _, targetType := range targetTypes {
+					var tt types.Type
+
+					switch t := targetType.(type) {
+					case *types.Pointer:
+						tt = t
+					case *types.Named:
+						tt = t
+					default:
+						continue
+					}
+
+					if types.Identical(resultType, tt) {
+						return actionReturned
+					}
+				}
+			}
+		}
+	}
+
+	return actionUnhandled
+}
+
+func checkDeferred(pass *analysis.Pass, instrs *[]ssa.Instruction, targetTypes []any, inDefer bool) {
+	for _, instr := range *instrs {
+		switch instr := instr.(type) {
+		case *ssa.Defer:
+			if instr.Call.Value != nil && instr.Call.Value.Name() == closeMethod {
+				return
+			}
+
+			if instr.Call.Method != nil && instr.Call.Method.Name() == closeMethod {
+				return
+			}
+		case *ssa.Call:
+			if instr.Call.Value != nil && instr.Call.Value.Name() == closeMethod {
+				if !inDefer {
+					pass.Reportf(instr.Pos(), "Close should use defer")
+				}
+
+				return
+			}
+		case *ssa.Store:
+			if instr.Addr.Referrers() == nil {
+				return
+			}
+
+			if len(*instr.Addr.Referrers()) == 0 {
+				return
+			}
+
+			for _, aRef := range *instr.Addr.Referrers() {
+				if c, ok := aRef.(*ssa.MakeClosure); ok {
+					if f, ok := c.Fn.(*ssa.Function); ok {
+						for _, b := range f.Blocks {
+							checkDeferred(pass, &b.Instrs, targetTypes, true)
+						}
+					}
+				}
+			}
+		case *ssa.UnOp:
+			instrType := instr.Type()
+			for _, targetType := range targetTypes {
+				var tt types.Type
+
+				switch t := targetType.(type) {
+				case *types.Pointer:
+					tt = t
+				case *types.Named:
+					tt = t
+				default:
+					continue
+				}
+
+				if types.Identical(instrType, tt) {
+					checkDeferred(pass, instr.Referrers(), targetTypes, inDefer)
+				}
+			}
+		case *ssa.FieldAddr:
+			checkDeferred(pass, instr.Referrers(), targetTypes, inDefer)
+		}
+	}
+}
+
+func isTargetType(t types.Type, targetTypes []any) bool {
+	for _, targetType := range targetTypes {
+		switch tt := targetType.(type) {
+		case *types.Pointer:
+			if types.Identical(t, tt) {
+				return true
+			}
+		case *types.Named:
+			if types.Identical(t, tt) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
diff --git a/tools/vendor/github.com/securego/gosec/v2/README.md b/tools/vendor/github.com/securego/gosec/v2/README.md
index 89c268a94..6f6d27d12 100644
--- a/tools/vendor/github.com/securego/gosec/v2/README.md
+++ b/tools/vendor/github.com/securego/gosec/v2/README.md
@@ -3,9 +3,6 @@
 
 Inspects source code for security problems by scanning the Go AST and SSA code representation.
 
-> ⚠️ Container image migration notice: `gosec` images have been migrated from Docker Hub to `ghcr.io/securego/gosec`.
-> Starting with the next release, Docker Hub images will no longer be published.
-
 <img src="https://securego.io/img/gosec.png" width="320">
 
 ## Quick links
@@ -17,6 +14,9 @@ Inspects source code for security problems by scanning the Go AST and SSA code r
 - [Selecting rules](#selecting-rules)
 - [Output formats](#output-formats)
 
+> ⚠️ Container image migration notice: `gosec` images was migrated from Docker Hub to `ghcr.io/securego/gosec`.
+> Starting with release `v2.24.7` the image is no longer published in Docker Hub.
+
 ## Features
 
 - **Pattern-based rules** for detecting common security issues in Go code
@@ -48,7 +48,7 @@ You may obtain a copy of the License [here](http://www.apache.org/licenses/LICEN
 
 You can run `gosec` as a GitHub action as follows:
 
-Use a versioned tag (for example `@v2`) instead of `@master` for stable behavior.
+Use the versioned  tag with `@master` which is pinned to the latest stable release. This will provide a stable behavior.
 
 ```yaml
 name: Run Gosec
@@ -68,7 +68,7 @@ jobs:
       - name: Checkout Source
         uses: actions/checkout@v3
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@v2
+        uses: securego/gosec@master
         with:
           args: ./...
 ```
diff --git a/tools/vendor/github.com/securego/gosec/v2/action.yml b/tools/vendor/github.com/securego/gosec/v2/action.yml
index 58bd5edc8..dce577945 100644
--- a/tools/vendor/github.com/securego/gosec/v2/action.yml
+++ b/tools/vendor/github.com/securego/gosec/v2/action.yml
@@ -10,7 +10,7 @@ inputs:
 
 runs:
   using: "docker"
-  image: "docker://ghcr.io/securego/gosec:2.24.6"
+  image: "docker://ghcr.io/securego/gosec:2.24.7"
   args:
     - ${{ inputs.args }}
 
diff --git a/tools/vendor/github.com/securego/gosec/v2/analyzer.go b/tools/vendor/github.com/securego/gosec/v2/analyzer.go
index c3c8876b4..ed03efc69 100644
--- a/tools/vendor/github.com/securego/gosec/v2/analyzer.go
+++ b/tools/vendor/github.com/securego/gosec/v2/analyzer.go
@@ -194,8 +194,18 @@ func (m *Metrics) Merge(other *Metrics) {
 // Analyzer object is the main object of gosec. It has methods to load and analyze
 // packages, traverse ASTs, and invoke the correct checking rules on each node as required.
 type Analyzer struct {
-	ignoreNosec       bool
-	ruleset           RuleSet
+	ignoreNosec bool
+	ruleset     RuleSet
+	// ruleBuilders and ruleSuppressed store the original arguments passed to
+	// LoadRules so that checkRules can call buildPackageRuleset to produce a
+	// goroutine-local RuleSet for every concurrent package walk. Each walk
+	// therefore owns its own freshly allocated rule instances, which means
+	// rules are free to keep per-package mutable state (e.g. maps tracking
+	// cleaned or joined variables) without any synchronisation. The shared
+	// gosec.ruleset is kept for callers that use the public CheckRules API
+	// directly (backward-compatible path).
+	ruleBuilders      map[string]RuleBuilder
+	ruleSuppressed    map[string]bool
 	context           *Context
 	config            Config
 	logger            *log.Logger
@@ -254,12 +264,32 @@ func (gosec *Analyzer) Config() Config {
 // LoadRules instantiates all the rules to be used when analyzing source
 // packages
 func (gosec *Analyzer) LoadRules(ruleDefinitions map[string]RuleBuilder, ruleSuppressed map[string]bool) {
+	// Persist the builders so checkRules can produce per-package rule
+	// instances via buildPackageRuleset, eliminating shared mutable state
+	// across concurrent goroutines without requiring locks inside rules.
+	gosec.ruleBuilders = ruleDefinitions
+	gosec.ruleSuppressed = ruleSuppressed
+
 	for id, def := range ruleDefinitions {
 		r, nodes := def(id, gosec.config)
 		gosec.ruleset.Register(r, ruleSuppressed[id], nodes...)
 	}
 }
 
+// buildPackageRuleset constructs a brand-new RuleSet by re-invoking every
+// stored RuleBuilder. The returned ruleset is intended to be used for a single
+// package walk: because each concurrent worker calls buildPackageRuleset
+// independently, every goroutine gets its own rule instances with their own
+// internal state (maps, caches, etc.), so rules require no synchronisation.
+func (gosec *Analyzer) buildPackageRuleset() RuleSet {
+	rs := NewRuleSet()
+	for id, def := range gosec.ruleBuilders {
+		r, nodes := def(id, gosec.config)
+		rs.Register(r, gosec.ruleSuppressed[id], nodes...)
+	}
+	return rs
+}
+
 // LoadAnalyzers instantiates all the analyzers to be used when analyzing source
 // packages
 func (gosec *Analyzer) LoadAnalyzers(analyzerDefinitions map[string]analyzers.AnalyzerDefinition, analyzerSuppressed map[string]bool) {
@@ -460,8 +490,20 @@ func (gosec *Analyzer) checkRules(pkg *packages.Package) ([]*issue.Issue, *Metri
 		callCachePool.Put(callCache)
 	}()
 
+	// Build a goroutine-local RuleSet so this package walk owns its own fresh
+	// rule instances. Rules with internal maps (e.g. readfile.cleanedVar,
+	// joinedVar) are therefore safe to use without any synchronisation: each
+	// concurrent worker has completely independent rule objects. Falls back to
+	// the shared ruleset when builders are unavailable (direct CheckRules path).
+	var pkgRuleset *RuleSet
+	if len(gosec.ruleBuilders) > 0 {
+		rs := gosec.buildPackageRuleset()
+		pkgRuleset = &rs
+	}
+
 	visitor := &astVisitor{
 		gosec:             gosec,
+		ruleset:           pkgRuleset,
 		issues:            make([]*issue.Issue, 0, 16),
 		stats:             stats,
 		ignoreNosec:       gosec.ignoreNosec,
@@ -502,7 +544,7 @@ func (gosec *Analyzer) checkRules(pkg *packages.Package) ([]*issue.Issue, *Metri
 
 		visitor.context = ctx
 		visitor.updateIgnores()
-		if len(gosec.ruleset.Rules) > 0 {
+		if len(visitor.activeRuleset().Rules) > 0 {
 			ast.Walk(visitor, file)
 		}
 		stats.NumFiles++
@@ -811,7 +853,12 @@ func findNoSecTag(text, tag string) (bool, string) {
 
 // astVisitor implements ast.Visitor for per-file rule checking and issue collection.
 type astVisitor struct {
-	gosec             *Analyzer
+	gosec *Analyzer
+	// ruleset is a package-local RuleSet built fresh by buildPackageRuleset
+	// for each concurrent package walk. It is non-nil when invoked through
+	// the normal Process → checkRules path and nil when the public CheckRules
+	// API is called directly (falling back to the shared gosec.ruleset).
+	ruleset           *RuleSet
 	context           *Context
 	issues            []*issue.Issue
 	stats             *Metrics
@@ -820,13 +867,22 @@ type astVisitor struct {
 	trackSuppressions bool
 }
 
+// activeRuleset returns the package-local ruleset when available, falling back
+// to the shared analyzer ruleset for direct CheckRules callers.
+func (v *astVisitor) activeRuleset() *RuleSet {
+	if v.ruleset != nil {
+		return v.ruleset
+	}
+	return &v.gosec.ruleset
+}
+
 func (v *astVisitor) Visit(n ast.Node) ast.Visitor {
 	switch i := n.(type) {
 	case *ast.File:
 		v.context.Imports.TrackFile(i)
 	}
 
-	for _, rule := range v.gosec.ruleset.RegisteredFor(n) {
+	for _, rule := range v.activeRuleset().RegisteredFor(n) {
 		issue, err := rule.Match(n, v.context)
 		if err != nil {
 			file, line := GetLocation(n, v.context)
@@ -1012,5 +1068,7 @@ func (gosec *Analyzer) Reset() {
 	gosec.issues = make([]*issue.Issue, 0, 16)
 	gosec.stats = &Metrics{}
 	gosec.ruleset = NewRuleSet()
+	gosec.ruleBuilders = nil
+	gosec.ruleSuppressed = nil
 	gosec.analyzerSet = analyzers.NewAnalyzerSet()
 }
diff --git a/tools/vendor/github.com/securego/gosec/v2/analyzers/context_propagation.go b/tools/vendor/github.com/securego/gosec/v2/analyzers/context_propagation.go
index 4ece39e08..0136d660d 100644
--- a/tools/vendor/github.com/securego/gosec/v2/analyzers/context_propagation.go
+++ b/tools/vendor/github.com/securego/gosec/v2/analyzers/context_propagation.go
@@ -705,6 +705,11 @@ func isCancelCalled(cancelValue ssa.Value, allFuncs []*ssa.Function) bool {
 					if isCancelCalledViaStructField(fa, allFuncs) {
 						return true
 					}
+					// Check if the struct containing this field is returned,
+					// transferring cancel responsibility to the caller.
+					if isStructFieldReturnedFromFunc(fa) {
+						return true
+					}
 				}
 				queue = append(queue, r.Addr)
 			case *ssa.UnOp:
@@ -725,6 +730,52 @@ func isCancelCalled(cancelValue ssa.Value, allFuncs []*ssa.Function) bool {
 				if r.X == current {
 					queue = append(queue, r)
 				}
+			case *ssa.MakeClosure:
+				// The cancel value is captured as a free variable in a closure.
+				// Find the corresponding FreeVar inside the closure body and
+				// follow it so that calls within the closure are detected.
+				if fn, ok := r.Fn.(*ssa.Function); ok {
+					for i, binding := range r.Bindings {
+						if binding == current && i < len(fn.FreeVars) {
+							queue = append(queue, fn.FreeVars[i])
+						}
+					}
+				}
+			case *ssa.Return:
+				// Cancel function is returned to the caller — responsibility
+				// is transferred; treat as "called".
+				for _, result := range r.Results {
+					if result == current {
+						return true
+					}
+				}
+			}
+		}
+	}
+
+	return false
+}
+
+// isStructFieldReturnedFromFunc checks whether the struct that owns a FieldAddr
+// is loaded and returned from the enclosing function. When a cancel is stored in
+// a struct field and the struct is returned, responsibility for calling the
+// cancel is transferred to the caller.
+func isStructFieldReturnedFromFunc(fa *ssa.FieldAddr) bool {
+	structBase := fa.X
+	if structBase == nil {
+		return false
+	}
+
+	// Follow referrers of the struct base pointer to find loads (*struct)
+	// that are then returned.
+	for _, ref := range safeReferrers(structBase) {
+		load, ok := ref.(*ssa.UnOp)
+		if !ok || load.Op != token.MUL {
+			continue
+		}
+		for _, loadRef := range safeReferrers(load) {
+			if _, ok := loadRef.(*ssa.Return); ok {
+				return true
 			}
 		}
 	}
diff --git a/tools/vendor/github.com/securego/gosec/v2/analyzers/conversion_overflow.go b/tools/vendor/github.com/securego/gosec/v2/analyzers/conversion_overflow.go
index 0881d4904..23a350b47 100644
--- a/tools/vendor/github.com/securego/gosec/v2/analyzers/conversion_overflow.go
+++ b/tools/vendor/github.com/securego/gosec/v2/analyzers/conversion_overflow.go
@@ -17,6 +17,7 @@ package analyzers
 import (
 	"fmt"
 	"go/types"
+	"math"
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
@@ -216,7 +217,11 @@ func (s *overflowState) validateRangeLimits(v ssa.Value, res *rangeResult, dstIn
 	}
 	minSafe := true
 	if srcInt.Min < 0 {
-		minSafe = minValueSet && toInt64(minValue) >= 0
+		minBound := int64(0)
+		if res.isRangeCheck && maxValueSet && toInt64(maxValue) > signedMaxForUnsignedSize(dstInt.Size) {
+			minBound = signedMinForUnsignedSize(dstInt.Size)
+		}
+		minSafe = minValueSet && toInt64(minValue) >= minBound
 	}
 	maxSafe := true
 	if srcInt.Max > dstInt.Max {
@@ -225,36 +230,81 @@ func (s *overflowState) validateRangeLimits(v ssa.Value, res *rangeResult, dstIn
 	return minSafe && maxSafe
 }
 
+func signedMinForUnsignedSize(size int) int64 {
+	if size >= 64 {
+		return math.MinInt64
+	}
+	return -(int64(1) << (size - 1))
+}
+
+func signedMaxForUnsignedSize(size int) int64 {
+	if size >= 64 {
+		return math.MaxInt64
+	}
+	return (int64(1) << (size - 1)) - 1
+}
+
 func (s *overflowState) isSafeFromPredecessor(v ssa.Value, dstInt IntTypeInfo, pred *ssa.BasicBlock, targetBlock *ssa.BasicBlock) bool {
-	if vIf, ok := pred.Instrs[len(pred.Instrs)-1].(*ssa.If); ok {
-		isSrcUnsigned := isUint(v)
-		for i, succ := range pred.Succs {
-			if succ == targetBlock {
-				// We took this specific edge.
-				result := s.Analyzer.getResultRangeForIfEdge(vIf, i == 0, v)
-				defer s.Analyzer.releaseResult(result)
-
-				if result.isRangeCheck {
-					var safe bool
-					if dstInt.Signed {
-						if isSrcUnsigned {
-							safe = result.maxValueSet && result.maxValue <= dstInt.Max
-						} else {
-							safe = (result.minValueSet && toInt64(result.minValue) >= dstInt.Min) && (result.maxValueSet && toInt64(result.maxValue) <= toInt64(dstInt.Max))
-						}
-					} else {
-						if isSrcUnsigned {
-							safe = result.maxValueSet && result.maxValue <= dstInt.Max
-						} else {
-							safe = (result.minValueSet && toInt64(result.minValue) >= 0) && (result.maxValueSet && result.maxValue <= dstInt.Max)
-						}
-					}
-					if safe {
+	edgeValue := v
+	if phi, ok := v.(*ssa.Phi); ok && phi.Block() == targetBlock {
+		for i, p := range targetBlock.Preds {
+			if p == pred && i < len(phi.Edges) {
+				edgeValue = phi.Edges[i]
+				break
+			}
+		}
+	}
+
+	if len(pred.Instrs) > 0 {
+		if vIf, ok := pred.Instrs[len(pred.Instrs)-1].(*ssa.If); ok {
+			for i, succ := range pred.Succs {
+				if succ == targetBlock {
+					result := s.Analyzer.getResultRangeForIfEdge(vIf, i == 0, edgeValue)
+					defer s.Analyzer.releaseResult(result)
+					if s.isSafeIfEdgeResult(edgeValue, dstInt, result) {
 						return true
 					}
 				}
 			}
 		}
 	}
+
+	if len(pred.Preds) == 1 {
+		parent := pred.Preds[0]
+		if len(parent.Instrs) > 0 {
+			if vIf, ok := parent.Instrs[len(parent.Instrs)-1].(*ssa.If); ok {
+				for i, succ := range parent.Succs {
+					if succ == pred {
+						result := s.Analyzer.getResultRangeForIfEdge(vIf, i == 0, edgeValue)
+						defer s.Analyzer.releaseResult(result)
+						if s.isSafeIfEdgeResult(edgeValue, dstInt, result) {
+							return true
+						}
+					}
+				}
+			}
+		}
+	}
+
 	return false
 }
+
+func (s *overflowState) isSafeIfEdgeResult(v ssa.Value, dstInt IntTypeInfo, result *rangeResult) bool {
+	if !result.isRangeCheck {
+		return false
+	}
+
+	isSrcUnsigned := isUint(v)
+	if dstInt.Signed {
+		if isSrcUnsigned {
+			return result.maxValueSet && result.maxValue <= dstInt.Max
+		}
+		return (result.minValueSet && toInt64(result.minValue) >= dstInt.Min) && (result.maxValueSet && toInt64(result.maxValue) <= toInt64(dstInt.Max))
+	}
+
+	if isSrcUnsigned {
+		return result.maxValueSet && result.maxValue <= dstInt.Max
+	}
+
+	return (result.minValueSet && toInt64(result.minValue) >= 0) && (result.maxValueSet && result.maxValue <= dstInt.Max)
+}
diff --git a/tools/vendor/github.com/securego/gosec/v2/taint/taint.go b/tools/vendor/github.com/securego/gosec/v2/taint/taint.go
index d0b669a1b..d53b14f2f 100644
--- a/tools/vendor/github.com/securego/gosec/v2/taint/taint.go
+++ b/tools/vendor/github.com/securego/gosec/v2/taint/taint.go
@@ -1073,6 +1073,12 @@ func (a *Analyzer) isFieldTaintedViaCall(call *ssa.Call, fieldIdx int, callee *s
 		return false
 	}
 
+	// Prevent re-analyzing the same call site
+	if visited[call] {
+		return false
+	}
+	visited[call] = true
+
 	// If we don't have SSA blocks (external function or no body), use fallback logic:
 	// Assume the field is tainted if any argument to the constructor is tainted.
 	if callee.Blocks == nil {
@@ -1114,6 +1120,11 @@ func (a *Analyzer) isFieldOfAllocTaintedInCallee(alloc *ssa.Alloc, fieldIdx int,
 	if alloc.Referrers() == nil || depth > maxTaintDepth {
 		return false
 	}
+
+	if visited[alloc] {
+		return false
+	}
+	visited[alloc] = true
 	for _, ref := range *alloc.Referrers() {
 		fa, ok := ref.(*ssa.FieldAddr)
 		if !ok || fa.Field != fieldIdx {
@@ -1144,6 +1155,12 @@ func (a *Analyzer) isCalleValueTainted(v ssa.Value, callee *ssa.Function, call *
 		return false
 	}
 
+	// Prevent infinite recursion on cyclic SSA value graphs
+	if visited[v] {
+		return false
+	}
+	visited[v] = true
+
 	// If the value is a callee parameter, map it to the caller's argument
 	if param, ok := v.(*ssa.Parameter); ok {
 		for i, p := range callee.Params {
diff --git a/tools/vendor/github.com/sonatard/noctx/.goreleaser.yml b/tools/vendor/github.com/sonatard/noctx/.goreleaser.yml
index 2e3653cde..04f6a0da0 100644
--- a/tools/vendor/github.com/sonatard/noctx/.goreleaser.yml
+++ b/tools/vendor/github.com/sonatard/noctx/.goreleaser.yml
@@ -25,6 +25,8 @@ builds:
     ignore:
       - goos: darwin
         goarch: 386
+      - goos: windows
+        goarch: arm
 
 archives:
   - id: noctx
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/analysis.go b/tools/vendor/golang.org/x/tools/go/analysis/analysis.go
index a7df4d1fe..786c29d55 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/analysis.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/analysis.go
@@ -11,6 +11,7 @@ import (
 	"go/token"
 	"go/types"
 	"reflect"
+	"time"
 )
 
 // An Analyzer describes an analysis function and its options.
@@ -250,7 +251,19 @@ type Fact interface {
 
 // A Module describes the module to which a package belongs.
 type Module struct {
-	Path      string // module path
-	Version   string // module version ("" if unknown, such as for workspace modules)
-	GoVersion string // go version used in module (e.g. "go1.22.0")
+	Path      string       // module path
+	Version   string       // module version ("" if unknown, such as for workspace modules)
+	Replace   *Module      // replaced by this module
+	Time      *time.Time   // time version was created
+	Main      bool         // is this the main module?
+	Indirect  bool         // is this module only an indirect dependency of main module?
+	Dir       string       // directory holding files for this module, if any
+	GoMod     string       // path to go.mod file used when loading this module, if any
+	GoVersion string       // go version used in module (e.g. "go1.22.0")
+	Error     *ModuleError // error loading module
+}
+
+// ModuleError holds errors loading a module.
+type ModuleError struct {
+	Err string // the error itself
 }
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
index 28a5f6cd9..dfc431367 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
@@ -16,7 +16,6 @@ import (
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/cfg"
 	"golang.org/x/tools/internal/analysis/analyzerutil"
-	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -84,7 +83,7 @@ func runFunc(pass *analysis.Pass, node ast.Node) {
 	// {FuncDecl,FuncLit,CallExpr,SelectorExpr}.
 
 	// Find the set of cancel vars to analyze.
-	astutil.PreorderStack(node, nil, func(n ast.Node, stack []ast.Node) bool {
+	ast.PreorderStack(node, nil, func(n ast.Node, stack []ast.Node) bool {
 		if _, ok := n.(*ast.FuncLit); ok && len(stack) > 0 {
 			return false // don't stray into nested functions
 		}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/atomic.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/atomic.go
new file mode 100644
index 000000000..3293065c1
--- /dev/null
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/atomic.go
@@ -0,0 +1,255 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package modernize
+
+import (
+	"fmt"
+	"go/ast"
+	"go/token"
+	"go/types"
+	"strings"
+
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/tools/go/analysis/passes/inspect"
+	"golang.org/x/tools/go/ast/edge"
+	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
+	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
+	"golang.org/x/tools/internal/astutil"
+	"golang.org/x/tools/internal/goplsexport"
+	"golang.org/x/tools/internal/refactor"
+	"golang.org/x/tools/internal/typesinternal"
+	"golang.org/x/tools/internal/typesinternal/typeindex"
+	"golang.org/x/tools/internal/versions"
+)
+
+var atomicAnalyzer = &analysis.Analyzer{
+	Name: "atomic",
+	Doc:  analyzerutil.MustExtractDoc(doc, "atomic"),
+	Requires: []*analysis.Analyzer{
+		inspect.Analyzer,
+		typeindexanalyzer.Analyzer,
+	},
+	Run: runAtomic,
+	URL: "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/modernize#atomic",
+}
+
+func init() {
+	// Export to gopls until this is a published modernizer.
+	goplsexport.AtomicModernizer = atomicAnalyzer
+}
+
+// TODO(mkalil): support the Pointer variants.
+// Consider the following function signatures for pointer loading:
+// func LoadPointer(addr *unsafe.Pointer) (val unsafe.Pointer)
+// func (x *Pointer[T]) Load() *T
+// Since the former uses *unsafe.Pointer while the latter uses *Pointer[T],
+// we would need to determine the type T to apply the transformation, and there
+// will be additional edits required to remove any *unsafe.Pointer casts.
+// 	"LoadPointer", "StorePointer", "SwapPointer", "CompareAndSwapPointer"
+
+// sync/atomic functions of interest. Some added in go1.19, some added in go1.23.
+var syncAtomicFuncs = []string{
+	// Added in go1.19.
+	"AddInt32", "AddInt64", "AddUint32", "AddUint64", "AddUintptr",
+	"CompareAndSwapInt32", "CompareAndSwapInt64", "CompareAndSwapUint32", "CompareAndSwapUint64", "CompareAndSwapUintptr",
+	"LoadInt32", "LoadInt64", "LoadUint32", "LoadUint64", "LoadUintptr",
+	"StoreInt32", "StoreInt64", "StoreUint32", "StoreUint64", "StoreUintptr",
+	"SwapInt32", "SwapInt64", "SwapUint32", "SwapUint64", "SwapUintptr",
+	// Added in go1.23.
+	"AndInt32", "AndInt64", "AndUint32", "AndUint64", "AndUintptr",
+	"OrInt32", "OrInt64", "OrUint32", "OrUint64", "OrUintptr",
+}
+
+func runAtomic(pass *analysis.Pass) (any, error) {
+	if !typesinternal.Imports(pass.Pkg, "sync/atomic") {
+		return nil, nil // doesn't directly import sync/atomic
+	}
+
+	var (
+		index = pass.ResultOf[typeindexanalyzer.Analyzer].(*typeindex.Index)
+		info  = pass.TypesInfo
+	)
+
+	// Gather all candidate variables v appearing
+	// in calls to atomic.AddInt32(&v, ...) et al.
+	var (
+		atomicPkg *types.Package
+		vars      = make(map[*types.Var]string) // maps candidate vars v to the name of the call they appear in
+	)
+	for _, funcName := range syncAtomicFuncs {
+		obj := index.Object("sync/atomic", funcName)
+		if obj == nil {
+			continue
+		}
+		atomicPkg = obj.Pkg()
+		for curCall := range index.Calls(obj) {
+			call := curCall.Node().(*ast.CallExpr)
+			if unary, ok := call.Args[0].(*ast.UnaryExpr); ok && unary.Op == token.AND {
+				var v *types.Var
+				switch x := unary.X.(type) {
+				case *ast.Ident:
+					v, _ = info.Uses[x].(*types.Var)
+				case *ast.SelectorExpr:
+					if seln, ok := info.Selections[x]; ok {
+						v, _ = seln.Obj().(*types.Var)
+					}
+				}
+				if v != nil && !v.Exported() {
+					// v must be a non-exported package or local var, or a struct field.
+					switch v.Kind() {
+					case types.RecvVar, types.ParamVar, types.ResultVar:
+						continue // fix would change func signature
+					}
+					vars[v] = funcName
+				}
+			}
+		}
+	}
+
+	// Check that all uses of each candidate variable
+	// appear in calls of the form atomic.AddInt32(&v, ...).
+nextvar:
+	for v, funcName := range vars {
+		var edits []analysis.TextEdit
+		fixFiles := make(map[*ast.File]bool) // unique files involved in the current fix
+
+		// Check the form of the declaration: var v int or struct { v int }
+		def, ok := index.Def(v)
+		if !ok {
+			continue
+		}
+		var (
+			typ   ast.Expr
+			names []*ast.Ident
+		)
+		switch parent := def.Parent().Node().(type) {
+		case *ast.Field: // struct { v int }
+			names = parent.Names
+			typ = parent.Type
+		case *ast.ValueSpec: // var v int
+			if len(parent.Values) > 0 {
+				// e.g. var v int = 5
+				// skip because rewriting as `var v atomic.Int32 = 5` is invalid
+				continue
+			}
+			names = parent.Names
+			typ = parent.Type
+		}
+		if len(names) != 1 || typ == nil {
+			continue // v is not the sole var declared here (e.g. var x, y int32); or no explicit type
+		}
+		oldType := info.TypeOf(typ)                             // e.g. "int32"
+		newType := strings.Title(oldType.Underlying().String()) // e.g. "Int32"
+
+		// Get package prefix to avoid shadowing.
+		file := astutil.EnclosingFile(def)
+		pkgPrefix, impEdits := refactor.AddImport(pass.TypesInfo, file, "atomic", "sync/atomic", "", def.Node().Pos())
+		if len(impEdits) > 0 {
+			panic("unexpected import edits") // atomic PkgName should be in scope already
+		}
+		// Edit the type.
+		//
+		// var v int32
+		//       ------------
+		// var v atomic.Int32
+		edits = append(edits, analysis.TextEdit{
+			Pos:     typ.Pos(),
+			End:     typ.End(),
+			NewText: fmt.Appendf(nil, "%s%s", pkgPrefix, newType),
+		})
+		fixFiles[file] = true
+
+		// Each valid use is an Ident v or Selector expr.v within an atomic.F(&...) call.
+		var validUses []inspector.Cursor
+		for cur := range index.Uses(v) {
+			if v.IsField() && cur.ParentEdgeKind() == edge.KeyValueExpr_Key {
+				continue nextvar // we cannot fix initial an value assignment T{v: 1}
+			}
+			if cur.ParentEdgeKind() == edge.SelectorExpr_Sel {
+				cur = cur.Parent() // ascend from v to expr.v
+			}
+			// Inv: cur is the l-value expression denoting v.
+			// v must appear beneath atomic.AddInt32(&v, ...) call.
+			valid := false
+			if cur.ParentEdgeKind() == edge.UnaryExpr_X &&
+				cur.Parent().Node().(*ast.UnaryExpr).Op == token.AND {
+				if ek, idx := cur.Parent().ParentEdge(); ek == edge.CallExpr_Args && idx == 0 {
+					curCall := cur.Parent().Parent()
+					call := curCall.Node().(*ast.CallExpr)
+					if fn, ok := typeutil.Callee(info, call).(*types.Func); ok && fn.Pkg() == atomicPkg {
+						valid = true
+					}
+				}
+			}
+
+			if !valid {
+				// More complex case: reject candidate.
+				//
+				// For example, cur may be an unsynchronized load (e.g. v == 0). To
+				// avoid a type conversion error, we'd have to rewrite this as
+				// v.Load(). However, this is an invalid rewrite: if the program is
+				// mixing atomic operations with unsynchronized reads, the author
+				// might have accidentally introduced a data race and the suggested
+				// fix could obscure the mistake. Or, if the usage is intentional,
+				// rewriting may result in a behavior change.
+				continue nextvar
+			}
+			validUses = append(validUses, cur)
+		}
+
+		for _, cur := range validUses {
+			vexpr := cur.Node()
+			call := cur.Parent().Parent().Node().(*ast.CallExpr)
+			fn := typeutil.Callee(info, call).(*types.Func)
+			// atomic.AddInt32(&v,    ...)
+			// ----------------- -----
+			//                  v.Add(...)
+			after := vexpr.End() // LoadInt32(&v⁁)
+			if len(call.Args) > 1 {
+				after = call.Args[1].Pos() // AddInt32(&v, ⁁...)
+			}
+			verb := strings.TrimSuffix(fn.Name(), newType) // "AddInt32" => "Add"
+			edits = append(edits, []analysis.TextEdit{
+				{
+					Pos: call.Pos(),
+					End: vexpr.Pos(),
+				},
+				{
+					Pos:     vexpr.End(),
+					End:     after,
+					NewText: fmt.Appendf(nil, ".%s(", verb),
+				},
+			}...)
+			fixFiles[astutil.EnclosingFile(cur)] = true
+		}
+
+		// Check minimum Go version: go1.19, or 1.23 for the And/Or functions.
+		if !(analyzerutil.FileUsesGoVersion(pass, file, versions.Go1_19) ||
+			analyzerutil.FileUsesGoVersion(pass, file, versions.Go1_23) &&
+				(strings.HasPrefix(funcName, "And") || strings.HasPrefix(funcName, "Or"))) {
+			continue
+		}
+
+		// Skip if v is not local and the package has ignored files as it may be
+		// an incomplete transformation.
+		if !isLocal(v) && len(pass.IgnoredFiles) > 0 {
+			continue
+		}
+
+		pass.Report(analysis.Diagnostic{
+			Pos:     names[0].Pos(),
+			End:     typ.End(),
+			Message: fmt.Sprintf("var %s %s may be simplified using atomic.%s", v.Name(), oldType, newType),
+			SuggestedFixes: []analysis.SuggestedFix{{
+				Message:   fmt.Sprintf("Replace %s by atomic.%s", oldType, newType),
+				TextEdits: edits,
+			}},
+		})
+	}
+
+	return nil, nil
+}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/doc.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/doc.go
index 0425faf8d..826f9f49e 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/doc.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/doc.go
@@ -65,6 +65,26 @@ This analyzer is currently disabled by default as the
 transformation does not preserve the nilness of the base slice in
 all cases; see https://go.dev/issue/73557.
 
+# Analyzer atomic
+
+atomic: replace basic types in sync/atomic calls with atomic types
+
+The atomic analyzer suggests replacing the primitive sync/atomic functions with
+the strongly typed atomic wrapper types introduced in Go1.19 (e.g.
+atomic.Int32). For example,
+
+	var x int32
+	atomic.AddInt32(&x, 1)
+
+would become
+
+	var x atomic.Int32
+	x.Add(1)
+
+The atomic types are safer because they don't allow non-atomic access, which is
+a common source of bugs. These types also resolve memory alignment issues that
+plagued the old atomic functions on 32-bit architectures.
+
 # Analyzer bloop
 
 bloop: replace for-range over b.N with b.Loop
@@ -263,11 +283,15 @@ is known at compile time, for example:
 	reflect.TypeOf(uint32(0))        -> reflect.TypeFor[uint32]()
 	reflect.TypeOf((*ast.File)(nil)) -> reflect.TypeFor[*ast.File]()
 
-It also offers a fix to simplify the construction below, which uses
+It also offers a fix to simplify the constructions below, which use
 reflect.TypeOf to return the runtime type for an interface type,
 
 	reflect.TypeOf((*io.Reader)(nil)).Elem()
 
+or:
+
+	reflect.TypeOf([]io.Reader(nil)).Elem()
+
 to:
 
 	reflect.TypeFor[io.Reader]()
@@ -460,14 +484,15 @@ is replaced by:
 
 This avoids quadratic memory allocation and improves performance.
 
-The analyzer requires that all references to s except the final one
+The analyzer requires that all references to s before the final uses
 are += operations. To avoid warning about trivial cases, at least one
 must appear within a loop. The variable s must be a local
 variable, not a global or parameter.
 
-The sole use of the finished string must be the last reference to the
-variable s. (It may appear within an intervening loop or function literal,
-since even s.String() is called repeatedly, it does not allocate memory.)
+All uses of the finished string must come after the last += operation.
+Each such use will be replaced by a call to strings.Builder's String method.
+(These may appear within an intervening loop or function literal, since even
+if s.String() is called repeatedly, it does not allocate memory.)
 
 Often the addend is a call to fmt.Sprintf, as in this example:
 
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/errorsastype.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/errorsastype.go
index 6e1070fd1..8603d5471 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/errorsastype.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/errorsastype.go
@@ -125,22 +125,11 @@ func errorsastype(pass *analysis.Pass) (any, error) {
 		errtype := types.TypeString(v.Type(), qual)
 
 		// Choose a name for the "ok" variable.
-		// TODO(adonovan): this pattern also appears in stditerators,
-		// and is wanted elsewhere; factor.
-		okName := "ok"
-		if okVar := lookup(info, curCall, "ok"); okVar != nil {
-			// The name 'ok' is already declared, but
-			// don't choose a fresh name unless okVar
-			// is also used within the if-statement.
-			curIf := curCall.Parent()
-			for curUse := range index.Uses(okVar) {
-				if curIf.Contains(curUse) {
-					scope := info.Scopes[curIf.Node().(*ast.IfStmt)]
-					okName = refactor.FreshName(scope, v.Pos(), "ok")
-					break
-				}
-			}
-		}
+		// We generate a new name only if 'ok' is already declared at
+		// curCall and it also used within the if-statement.
+		curIf := curCall.Parent()
+		ifScope := info.Scopes[curIf.Node().(*ast.IfStmt)]
+		okName := freshName(info, index, ifScope, v.Pos(), curCall, curIf, token.NoPos, "ok")
 
 		pass.Report(analysis.Diagnostic{
 			Pos:     call.Fun.Pos(),
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/fmtappendf.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/fmtappendf.go
index 389f70346..821065413 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/fmtappendf.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/fmtappendf.go
@@ -7,6 +7,7 @@ package modernize
 import (
 	"fmt"
 	"go/ast"
+	"go/constant"
 	"go/types"
 	"strings"
 
@@ -16,6 +17,7 @@ import (
 	"golang.org/x/tools/internal/analysis/analyzerutil"
 	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/astutil"
+	"golang.org/x/tools/internal/fmtstr"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 	"golang.org/x/tools/internal/versions"
 )
@@ -45,10 +47,24 @@ func fmtappendf(pass *analysis.Pass) (any, error) {
 			if ek, idx := curCall.ParentEdge(); ek == edge.CallExpr_Args && idx == 0 {
 				// Is parent a T(fmt.SprintX(...)) conversion?
 				conv := curCall.Parent().Node().(*ast.CallExpr)
-				tv := pass.TypesInfo.Types[conv.Fun]
-				if tv.IsType() && types.Identical(tv.Type, byteSliceType) &&
-					analyzerutil.FileUsesGoVersion(pass, astutil.EnclosingFile(curCall), versions.Go1_19) {
+				info := pass.TypesInfo
+				tv := info.Types[conv.Fun]
+				if tv.IsType() && types.Identical(tv.Type, byteSliceType) {
 					// Have: []byte(fmt.SprintX(...))
+					if len(call.Args) == 0 {
+						continue
+					}
+					// fmt.Sprint(f) and fmt.Append(f) have different nil semantics
+					// when the format produces an empty string:
+					// []byte(fmt.Sprintf("")) returns an empty but non-nil
+					// []byte{}, while fmt.Appendf(nil, "") returns nil) so we
+					// should skip these cases.
+					if fn.Name() == "Sprint" || fn.Name() == "Sprintf" {
+						format := info.Types[call.Args[0]].Value
+						if format != nil && mayFormatEmpty(constant.StringVal(format)) {
+							continue
+						}
+					}
 
 					// Find "Sprint" identifier.
 					var id *ast.Ident
@@ -62,13 +78,18 @@ func fmtappendf(pass *analysis.Pass) (any, error) {
 					old, new := fn.Name(), strings.Replace(fn.Name(), "Sprint", "Append", 1)
 					edits := []analysis.TextEdit{
 						{
-							// delete "[]byte("
+							// Delete "[]byte(", including any spaces before the first argument.
 							Pos: conv.Pos(),
-							End: conv.Lparen + 1,
+							End: conv.Args[0].Pos(), // always exactly one argument in a valid byte slice conversion
 						},
 						{
-							// remove ")"
-							Pos: conv.Rparen,
+							// Delete ")", including any non-args (space or
+							// commas) that come before the right parenthesis.
+							// Leaving an extra comma here produces invalid
+							// code. (See golang/go#74709)
+							// Unfortunately, this and the edit above may result
+							// in deleting some comments.
+							Pos: conv.Args[0].End(),
 							End: conv.Rparen + 1,
 						},
 						{
@@ -81,19 +102,8 @@ func fmtappendf(pass *analysis.Pass) (any, error) {
 							NewText: []byte("nil, "),
 						},
 					}
-					if len(conv.Args) == 1 {
-						arg := conv.Args[0]
-						// Determine if we have T(fmt.SprintX(...)<non-args,
-						// like a space or a comma>). If so, delete the non-args
-						// that come before the right parenthesis. Leaving an
-						// extra comma here produces invalid code. (See
-						// golang/go#74709)
-						if arg.End() < conv.Rparen {
-							edits = append(edits, analysis.TextEdit{
-								Pos: arg.End(),
-								End: conv.Rparen,
-							})
-						}
+					if !analyzerutil.FileUsesGoVersion(pass, astutil.EnclosingFile(curCall), versions.Go1_19) {
+						continue
 					}
 					pass.Report(analysis.Diagnostic{
 						Pos:     conv.Pos(),
@@ -110,3 +120,43 @@ func fmtappendf(pass *analysis.Pass) (any, error) {
 	}
 	return nil, nil
 }
+
+// mayFormatEmpty reports whether fmt.Sprintf might produce an empty string.
+// It returns false in the following two cases:
+//  1. formatStr contains non-operation characters.
+//  2. formatStr contains formatting verbs besides s, v, x, X (verbs which may
+//     produce empty results)
+//
+// In all other cases it returns true.
+func mayFormatEmpty(formatStr string) bool {
+	if formatStr == "" {
+		return true
+	}
+	operations, err := fmtstr.Parse(formatStr, 0)
+	if err != nil {
+		// If formatStr is malformed, the printf analyzer will report a
+		// diagnostic, so we can ignore this error.
+		// Calling Parse on a string without % formatters also returns an error,
+		// in which case we can safely return false.
+		return false
+	}
+	totalOpsLen := 0
+	for _, op := range operations {
+		totalOpsLen += len(op.Text)
+		if !strings.ContainsRune("svxX", rune(op.Verb.Verb)) && op.Prec.Fixed != 0 {
+			// A non [s, v, x, X] formatter with non-zero precision cannot
+			// produce an empty string.
+			return false
+		}
+	}
+	// If the format string contains non-operation characters, it cannot produce
+	// the empty string.
+	if totalOpsLen != len(formatStr) {
+		return false
+	}
+	// If we get here, it means that all formatting verbs are %s, %v, %x, %X,
+	// and there are no additional non-operation characters. We conservatively
+	// report that this may format as an empty string, ignoring uses of
+	// precision and the values of the formatter args.
+	return true
+}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/minmax.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/minmax.go
index a77ed8389..b4b8dba3d 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/minmax.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/minmax.go
@@ -147,6 +147,13 @@ func minmax(pass *analysis.Pass) (any, error) {
 			lhs0 := fassign.Lhs[0]
 			rhs0 := fassign.Rhs[0]
 
+			// If the assignment occurs within a select
+			// comms clause (like "case lhs0 := <-rhs0:"),
+			// there's no way of rewriting it into a min/max call.
+			if prev.ParentEdgeKind() == edge.CommClause_Comm {
+				return
+			}
+
 			if astutil.EqualSyntax(lhs, lhs0) {
 				if astutil.EqualSyntax(rhs, a) && (astutil.EqualSyntax(rhs0, b) || astutil.EqualSyntax(lhs0, b)) {
 					sign = +sign
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/modernize.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/modernize.go
index ef28a40d1..0c388e96b 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/modernize.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/modernize.go
@@ -20,6 +20,8 @@ import (
 	"golang.org/x/tools/go/ast/edge"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/internal/analysis/analyzerutil"
+	"golang.org/x/tools/internal/refactor"
+	"golang.org/x/tools/internal/typesinternal/typeindex"
 
 	"golang.org/x/tools/internal/moreiters"
 	"golang.org/x/tools/internal/packagepath"
@@ -33,6 +35,7 @@ var doc string
 // Suite lists all modernize analyzers.
 var Suite = []*analysis.Analyzer{
 	AnyAnalyzer,
+	atomicAnalyzer,
 	// AppendClippedAnalyzer, // not nil-preserving!
 	// BLoopAnalyzer, // may skew benchmark results, see golang/go#74967
 	FmtAppendfAnalyzer,
@@ -144,3 +147,37 @@ func lookup(info *types.Info, cur inspector.Cursor, name string) types.Object {
 }
 
 func first[T any](x T, _ any) T { return x }
+
+// freshName returns a fresh name at the given pos and scope based on preferredName.
+// It generates a new name using refactor.FreshName only if:
+// (a) the preferred name is already defined at definedCur, and
+// (b) there are references to it from within usedCur.
+// If useAfterPos.IsValid(), the references must be after
+// useAfterPos within usedCur in order to warrant a fresh name.
+// Otherwise, it returns preferredName, since shadowing is valid in this case.
+// (declaredCur and usedCur may be identical in some use cases).
+func freshName(info *types.Info, index *typeindex.Index, scope *types.Scope, pos token.Pos, defCur inspector.Cursor, useCur inspector.Cursor, useAfterPos token.Pos, preferredName string) string {
+	obj := lookup(info, defCur, preferredName)
+	if obj == nil {
+		// preferredName has not been declared here.
+		return preferredName
+	}
+	for use := range index.Uses(obj) {
+		if useCur.Contains(use) && use.Node().Pos() >= useAfterPos {
+			return refactor.FreshName(scope, pos, preferredName)
+		}
+	}
+	// Name is taken but not used in the given block; shadowing is acceptable.
+	return preferredName
+}
+
+// isLocal reports whether obj is local to some function.
+// Precondition: not a struct field or interface method.
+func isLocal(obj types.Object) bool {
+	// [... 5=stmt 4=func 3=file 2=pkg 1=universe]
+	var depth int
+	for scope := obj.Parent(); scope != nil; scope = scope.Parent() {
+		depth++
+	}
+	return depth >= 4
+}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/rangeint.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/rangeint.go
index 257f9e9ec..03c7fd4f3 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/rangeint.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/rangeint.go
@@ -18,7 +18,6 @@ import (
 	"golang.org/x/tools/internal/analysis/analyzerutil"
 	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/astutil"
-	"golang.org/x/tools/internal/moreiters"
 	"golang.org/x/tools/internal/typesinternal"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 	"golang.org/x/tools/internal/versions"
@@ -142,15 +141,12 @@ func rangeint(pass *analysis.Pass) (any, error) {
 
 						// Find references to i within the loop body.
 						v := info.ObjectOf(index).(*types.Var)
-						// TODO(adonovan): use go1.25 v.Kind() == types.PackageVar
-						if typesinternal.IsPackageLevel(v) {
+						switch v.Kind() {
+						case types.PackageVar:
 							continue nextLoop
-						}
-
-						// If v is a named result, it is implicitly
-						// used after the loop (go.dev/issue/76880).
-						// TODO(adonovan): use go1.25 v.Kind() == types.ResultVar.
-						if moreiters.Contains(enclosingSignature(curLoop, info).Results().Variables(), v) {
+						case types.ResultVar:
+							// If v is a named result, it is implicitly
+							// used after the loop (go.dev/issue/76880).
 							continue nextLoop
 						}
 
@@ -230,7 +226,7 @@ func rangeint(pass *analysis.Pass) (any, error) {
 						// such as "const limit = 1e3", its effective type may
 						// differ between the two forms.
 						// In a for loop, it must be comparable with int i,
-						//    for i := 0; i < limit; i++
+						//    for i := 0; i < limit; i++ {}
 						// but in a range loop it would become a float,
 						//    for i := range limit {}
 						// which is a type error. We need to convert it to int
@@ -249,9 +245,24 @@ func rangeint(pass *analysis.Pass) (any, error) {
 							beforeLimit, afterLimit = fmt.Sprintf("%s(", types.TypeString(tVar, qual)), ")"
 							info2 := &types.Info{Types: make(map[ast.Expr]types.TypeAndValue)}
 							if types.CheckExpr(pass.Fset, pass.Pkg, limit.Pos(), limit, info2) == nil {
-								tLimit := types.Default(info2.TypeOf(limit))
-								if types.AssignableTo(tLimit, tVar) {
-									beforeLimit, afterLimit = "", ""
+								tLimit := info2.TypeOf(limit)
+								// Eliminate conversion when safe.
+								//
+								// Redundant conversions are not only unsightly but may in some cases cause
+								// architecture-specific types (e.g. syscall.Timespec.Nsec) to be inserted
+								// into otherwise portable files.
+								//
+								// The operand must have an integer type (not, say, '1e6')
+								// even when assigning to an existing integer variable.
+								if isInteger(tLimit) {
+									// When declaring a new var from an untyped limit,
+									// the limit's default type is what matters.
+									if init.Tok != token.ASSIGN {
+										tLimit = types.Default(tLimit)
+									}
+									if types.AssignableTo(tLimit, tVar) {
+										beforeLimit, afterLimit = "", ""
+									}
 								}
 							}
 						}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/reflect.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/reflect.go
index 1dca2be37..1e9a54bd5 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/reflect.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/reflect.go
@@ -47,6 +47,14 @@ func reflecttypefor(pass *analysis.Pass) (any, error) {
 		// Have: reflect.TypeOf(expr)
 
 		expr := call.Args[0]
+
+		// reflect.TypeFor cannot be instantiated with an untyped nil.
+		// We use type information rather than checking the identifier name
+		// to correctly handle edge cases where "nil" is shadowed (e.g. nil := "nil").
+		if info.Types[expr].IsNil() {
+			continue
+		}
+
 		if !typesinternal.NoEffects(info, expr) {
 			continue // don't eliminate operand: may have effects
 		}
@@ -54,24 +62,30 @@ func reflecttypefor(pass *analysis.Pass) (any, error) {
 		t := info.TypeOf(expr)
 		var edits []analysis.TextEdit
 
-		// Special case for TypeOf((*T)(nil)).Elem(),
-		// needed when T is an interface type.
+		// Special cases for TypeOf((*T)(nil)).Elem(), and
+		// TypeOf([]T(nil)).Elem(), needed when T is an interface type.
 		if curCall.ParentEdgeKind() == edge.SelectorExpr_X {
 			curSel := unparenEnclosing(curCall).Parent()
 			if curSel.ParentEdgeKind() == edge.CallExpr_Fun {
-				call2 := unparenEnclosing(curSel).Parent().Node().(*ast.CallExpr)
+				call2 := unparenEnclosing(curSel).Parent().Node().(*ast.CallExpr) // potentially .Elem()
 				obj := typeutil.Callee(info, call2)
 				if typesinternal.IsMethodNamed(obj, "reflect", "Type", "Elem") {
-					if ptr, ok := t.(*types.Pointer); ok {
+					// reflect.TypeOf(expr).Elem()
+					//                     -------
+					// reflect.TypeOf(expr)
+					removeElem := []analysis.TextEdit{{
+						Pos: call.End(),
+						End: call2.End(),
+					}}
+					switch typ := t.(type) {
+					case *types.Pointer:
 						// Have: TypeOf(expr).Elem() where expr : *T
-						t = ptr.Elem()
-						// reflect.TypeOf(expr).Elem()
-						//                     -------
-						// reflect.TypeOf(expr)
-						edits = []analysis.TextEdit{{
-							Pos: call.End(),
-							End: call2.End(),
-						}}
+						t = typ.Elem()
+						edits = removeElem
+					case *types.Slice:
+						// Have: TypeOf(expr).Elem() where expr : []T
+						t = typ.Elem()
+						edits = removeElem
 					}
 				}
 			}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/slicescontains.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/slicescontains.go
index 3b3268526..19e597831 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/slicescontains.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/slicescontains.go
@@ -231,7 +231,9 @@ func slicescontains(pass *analysis.Pass) (any, error) {
 		// that might affected by melting down the loop.
 		//
 		// TODO(adonovan): relax check by analyzing branch target.
+		numBodyStmts := 0
 		for curBodyStmt := range curBody.Children() {
+			numBodyStmts += 1
 			if curBodyStmt != curLastStmt {
 				for range curBodyStmt.Preorder((*ast.BranchStmt)(nil), (*ast.ReturnStmt)(nil)) {
 					return
@@ -292,7 +294,16 @@ func slicescontains(pass *analysis.Pass) (any, error) {
 		case *ast.BranchStmt:
 			if lastStmt.Tok == token.BREAK && lastStmt.Label == nil { // unlabeled break
 				// Have: for ... { if ... { stmts; break } }
-
+				if numBodyStmts == 1 {
+					// If the only stmt in the body is an unlabeled "break" that
+					// will get deleted in the fix, don't suggest a fix, as it
+					// produces confusing code:
+					//    if slices.Contains(slice, f) {}
+					// Explicitly discarding the result isn't much better:
+					//    _ = slices.Contains(slice, f) // just for effects
+					// See https://go.dev/issue/77677.
+					return
+				}
 				var prevStmt ast.Stmt // previous statement to range (if any)
 				if curPrev, ok := curRange.PrevSibling(); ok {
 					// If the RangeStmt's previous sibling is a Stmt,
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stditerators.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stditerators.go
index 1d1a9ca3b..86e1c8fd4 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stditerators.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stditerators.go
@@ -18,7 +18,6 @@ import (
 	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/goplsexport"
-	"golang.org/x/tools/internal/refactor"
 	"golang.org/x/tools/internal/stdlib"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 )
@@ -182,22 +181,9 @@ func stditerators(pass *analysis.Pass) (any, error) {
 			}
 
 			loop := curBody.Parent().Node()
-
-			// Choose a fresh name only if
-			// (a) the preferred name is already declared here, and
-			// (b) there are references to it from the loop body.
-			// TODO(adonovan): this pattern also appears in errorsastype,
-			// and is wanted elsewhere; factor.
-			name := row.elemname
-			if v := lookup(info, curBody, name); v != nil {
-				// is it free in body?
-				for curUse := range index.Uses(v) {
-					if curBody.Contains(curUse) {
-						name = refactor.FreshName(info.Scopes[loop], loop.Pos(), name)
-						break
-					}
-				}
-			}
+			// We generate a new name only if the preferred name is already declared here
+			// and is used within the loop body.
+			name := freshName(info, index, info.Scopes[loop], loop.Pos(), curBody, curBody, token.NoPos, row.elemname)
 			return name, nil
 		}
 
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringsbuilder.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringsbuilder.go
index a6c2c1f86..e89baa9b0 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringsbuilder.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringsbuilder.go
@@ -22,7 +22,6 @@ import (
 	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/refactor"
-	"golang.org/x/tools/internal/typesinternal"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 )
 
@@ -57,7 +56,7 @@ func stringsbuilder(pass *analysis.Pass) (any, error) {
 		assign := curAssign.Node().(*ast.AssignStmt)
 		if assign.Tok == token.ADD_ASSIGN && is[*ast.Ident](assign.Lhs[0]) {
 			if v, ok := pass.TypesInfo.Uses[assign.Lhs[0].(*ast.Ident)].(*types.Var); ok &&
-				!typesinternal.IsPackageLevel(v) && // TODO(adonovan): in go1.25, use v.Kind() == types.LocalVar &&
+				v.Kind() == types.LocalVar &&
 				types.Identical(v.Type(), builtinString.Type()) {
 				candidates[v] = true
 			}
@@ -254,8 +253,8 @@ nextcand:
 		//    var s string
 		//    for ... { s += expr }
 		//
-		// - The final use of s must be as an rvalue (e.g. use(s), not &s).
-		//   This will become s.String().
+		// - All uses of s after the last += must be rvalue uses (e.g. use(s), not &s).
+		//   Each of these will become s.String().
 		//
 		//   Perhaps surprisingly, it is fine for there to be an
 		//   intervening loop or lambda w.r.t. the declaration of s:
@@ -270,7 +269,7 @@ nextcand:
 		var (
 			numLoopAssigns int             // number of += assignments within a loop
 			loopAssign     *ast.AssignStmt // first += assignment within a loop
-			seenRvalueUse  bool            // => we've seen the sole final use of s as an rvalue
+			seenRvalueUse  bool            // => we've seen at least one rvalue use of s
 		)
 		for curUse := range index.Uses(v) {
 			// Strip enclosing parens around Ident.
@@ -280,11 +279,6 @@ nextcand:
 				ek = curUse.ParentEdgeKind()
 			}
 
-			// The rvalueUse must be the lexically last use.
-			if seenRvalueUse {
-				continue nextcand
-			}
-
 			// intervening reports whether cur has an ancestor of
 			// one of the given types that is within the scope of v.
 			intervening := func(types ...ast.Node) bool {
@@ -297,6 +291,11 @@ nextcand:
 			}
 
 			if ek == edge.AssignStmt_Lhs {
+				// After an rvalue use, no more assignments are allowed.
+				if seenRvalueUse {
+					continue nextcand
+				}
+
 				assign := curUse.Parent().Node().(*ast.AssignStmt)
 				if assign.Tok != token.ADD_ASSIGN {
 					continue nextcand
@@ -317,9 +316,9 @@ nextcand:
 				//  -------------    -
 				// s.WriteString(expr)
 				edits = append(edits, []analysis.TextEdit{
-					// replace += with .WriteString()
+					// replace " += " with ".WriteString("
 					{
-						Pos:     assign.TokPos,
+						Pos:     assign.Lhs[0].End(),
 						End:     assign.Rhs[0].Pos(),
 						NewText: []byte(".WriteString("),
 					},
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscut.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscut.go
index f963b547b..6192c56fa 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscut.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscut.go
@@ -22,7 +22,7 @@ import (
 	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/goplsexport"
-	"golang.org/x/tools/internal/refactor"
+	"golang.org/x/tools/internal/moreiters"
 	"golang.org/x/tools/internal/typesinternal"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 	"golang.org/x/tools/internal/versions"
@@ -124,6 +124,8 @@ func stringscut(pass *analysis.Pass) (any, error) {
 		bytesIndexByte   = index.Object("bytes", "IndexByte")
 	)
 
+	scopeFixCount := make(map[*types.Scope]int) // the number of times we have offered a fix within a given scope in the current pass
+
 	for _, obj := range []types.Object{
 		stringsIndex,
 		stringsIndexByte,
@@ -183,7 +185,7 @@ func stringscut(pass *analysis.Pass) (any, error) {
 			// len(substr)]), then we can replace the call to Index()
 			// with a call to Cut() and use the returned ok, before,
 			// and after variables accordingly.
-			negative, nonnegative, beforeSlice, afterSlice := checkIdxUses(pass.TypesInfo, index.Uses(iObj), s, substr)
+			negative, nonnegative, beforeSlice, afterSlice := checkIdxUses(pass.TypesInfo, index.Uses(iObj), s, substr, iObj)
 
 			// Either there are no uses of before, after, or ok, or some use
 			// of i does not match our criteria - don't suggest a fix.
@@ -194,14 +196,48 @@ func stringscut(pass *analysis.Pass) (any, error) {
 			// If the only uses are ok and !ok, don't suggest a Cut() fix - these should be using Contains()
 			isContains := (len(negative) > 0 || len(nonnegative) > 0) && len(beforeSlice) == 0 && len(afterSlice) == 0
 
+			enclosingBlock, ok := moreiters.First(curCall.Enclosing((*ast.BlockStmt)(nil)))
+			if !ok {
+				continue
+			}
 			scope := iObj.Parent()
-			var (
-				// TODO(adonovan): avoid FreshName when not needed; see errorsastype.
-				okVarName     = refactor.FreshName(scope, iIdent.Pos(), "ok")
-				beforeVarName = refactor.FreshName(scope, iIdent.Pos(), "before")
-				afterVarName  = refactor.FreshName(scope, iIdent.Pos(), "after")
-				foundVarName  = refactor.FreshName(scope, iIdent.Pos(), "found") // for Contains()
-			)
+			// Generate fresh names for ok, before, after, found, but only if
+			// they are defined by the end of the enclosing block and used
+			// within the enclosing block after the Index call. We need a Cursor
+			// for the end of the enclosing block, but we can't just find the
+			// Cursor at scope.End() because it corresponds to the entire
+			// enclosingBlock. Instead, get the last child of the enclosing
+			// block.
+			lastStmtCur, _ := enclosingBlock.LastChild()
+			lastStmt := lastStmtCur.Node()
+
+			fresh := func(preferred string) string {
+				return freshName(info, index, scope, lastStmt.End(), lastStmtCur, enclosingBlock, iIdent.Pos(), preferred)
+			}
+
+			var okVarName, beforeVarName, afterVarName, foundVarName string
+			if isContains {
+				foundVarName = fresh("found")
+			} else {
+				okVarName = fresh("ok")
+				beforeVarName = fresh("before")
+				afterVarName = fresh("after")
+			}
+
+			// If we are already suggesting a fix within the index's scope, we
+			// must get fresh names for before, after and ok.
+			// This is a specific symptom of the general problem that analyzers
+			// can generate conflicting fixes.
+			if scopeFixCount[scope] > 0 {
+				suffix := scopeFixCount[scope] - 1 // start at 0
+				if isContains {
+					foundVarName = fresh(fmt.Sprintf("%s%d", foundVarName, suffix))
+				} else {
+					okVarName = fresh(fmt.Sprintf("%s%d", okVarName, suffix))
+					beforeVarName = fresh(fmt.Sprintf("%s%d", beforeVarName, suffix))
+					afterVarName = fresh(fmt.Sprintf("%s%d", afterVarName, suffix))
+				}
+			}
 
 			// If there will be no uses of ok, before, or after, use the
 			// blank identifier instead.
@@ -313,6 +349,7 @@ func stringscut(pass *analysis.Pass) (any, error) {
 					}...)
 				}
 			}
+			scopeFixCount[scope]++
 			pass.Report(analysis.Diagnostic{
 				Pos: indexCall.Fun.Pos(),
 				End: indexCall.Fun.End(),
@@ -374,14 +411,31 @@ func indexArgValid(info *types.Info, index *typeindex.Index, expr ast.Expr, afte
 // 2. nonnegative - a condition equivalent to i >= 0
 // 3. beforeSlice - a slice of `s` that matches either s[:i], s[0:i]
 // 4. afterSlice - a slice of `s` that matches one of: s[i+len(substr):], s[len(substr) + i:], s[i + const], s[k + i] (where k = len(substr))
-func checkIdxUses(info *types.Info, uses iter.Seq[inspector.Cursor], s, substr ast.Expr) (negative, nonnegative, beforeSlice, afterSlice []ast.Expr) {
+//
+// Additionally, all beforeSlice and afterSlice uses must be dominated by a
+// nonnegative guard on i (i.e., inside the body of an if whose condition
+// checks i >= 0, or in the else of a negative check, or after an
+// early-return negative check). This ensures that the rewrite from
+// s[i+len(sep):] to "after" preserves semantics, since when i == -1,
+// s[i+len(sep):] may yield a valid substring (e.g. s[0:] for single-byte
+// separators), but "after" would be "".
+//
+// When len(substr)==1, it's safe to use s[i+1:] even when i < 0.
+// Otherwise, each replacement of s[i+1:] must be guarded by a check
+// that i is nonnegative.
+func checkIdxUses(info *types.Info, uses iter.Seq[inspector.Cursor], s, substr ast.Expr, iObj types.Object) (negative, nonnegative, beforeSlice, afterSlice []ast.Expr) {
+	requireGuard := true
+	if l := constSubstrLen(info, substr); l != -1 && l != 1 {
+		requireGuard = false
+	}
+
 	use := func(cur inspector.Cursor) bool {
 		ek := cur.ParentEdgeKind()
 		n := cur.Parent().Node()
 		switch ek {
 		case edge.BinaryExpr_X, edge.BinaryExpr_Y:
 			check := n.(*ast.BinaryExpr)
-			switch checkIdxComparison(info, check) {
+			switch checkIdxComparison(info, check, iObj) {
 			case -1:
 				negative = append(negative, check)
 				return true
@@ -397,10 +451,10 @@ func checkIdxUses(info *types.Info, uses iter.Seq[inspector.Cursor], s, substr a
 			if slice, ok := cur.Parent().Parent().Node().(*ast.SliceExpr); ok &&
 				sameObject(info, s, slice.X) &&
 				slice.Max == nil {
-				if isBeforeSlice(info, ek, slice) {
+				if isBeforeSlice(info, ek, slice) && (!requireGuard || isSliceIndexGuarded(info, cur, iObj)) {
 					beforeSlice = append(beforeSlice, slice)
 					return true
-				} else if isAfterSlice(info, ek, slice, substr) {
+				} else if isAfterSlice(info, ek, slice, substr) && (!requireGuard || isSliceIndexGuarded(info, cur, iObj)) {
 					afterSlice = append(afterSlice, slice)
 					return true
 				}
@@ -410,10 +464,10 @@ func checkIdxUses(info *types.Info, uses iter.Seq[inspector.Cursor], s, substr a
 			// Check that the thing being sliced is s and that the slice doesn't
 			// have a max index.
 			if sameObject(info, s, slice.X) && slice.Max == nil {
-				if isBeforeSlice(info, ek, slice) {
+				if isBeforeSlice(info, ek, slice) && (!requireGuard || isSliceIndexGuarded(info, cur, iObj)) {
 					beforeSlice = append(beforeSlice, slice)
 					return true
-				} else if isAfterSlice(info, ek, slice, substr) {
+				} else if isAfterSlice(info, ek, slice, substr) && (!requireGuard || isSliceIndexGuarded(info, cur, iObj)) {
 					afterSlice = append(afterSlice, slice)
 					return true
 				}
@@ -465,8 +519,15 @@ func hasModifyingUses(info *types.Info, uses iter.Seq[inspector.Cursor], afterPo
 // Since strings.Index returns exactly -1 if the substring is not found, we
 // don't need to handle expressions like i <= -3.
 // We return 0 if the expression does not match any of these options.
-// We assume that a check passed to checkIdxComparison has i as one of its operands.
-func checkIdxComparison(info *types.Info, check *ast.BinaryExpr) int {
+func checkIdxComparison(info *types.Info, check *ast.BinaryExpr, iObj types.Object) int {
+	isI := func(e ast.Expr) bool {
+		id, ok := e.(*ast.Ident)
+		return ok && info.Uses[id] == iObj
+	}
+	if !isI(check.X) && !isI(check.Y) {
+		return 0
+	}
+
 	// Ensure that the constant (if any) is on the right.
 	x, op, y := check.X, check.Op, check.Y
 	if info.Types[x].Value != nil {
@@ -515,43 +576,48 @@ func isBeforeSlice(info *types.Info, ek edge.Kind, slice *ast.SliceExpr) bool {
 	return ek == edge.SliceExpr_High && (slice.Low == nil || isZeroIntConst(info, slice.Low))
 }
 
-// isAfterSlice reports whether the SliceExpr is of the form s[i+len(substr):],
-// or s[i + k:] where k is a const is equal to len(substr).
-func isAfterSlice(info *types.Info, ek edge.Kind, slice *ast.SliceExpr, substr ast.Expr) bool {
-	lowExpr, ok := slice.Low.(*ast.BinaryExpr)
-	if !ok || slice.High != nil {
-		return false
-	}
-	// Returns true if the expression is a call to len(substr).
-	isLenCall := func(expr ast.Expr) bool {
-		call, ok := expr.(*ast.CallExpr)
-		if !ok || len(call.Args) != 1 {
-			return false
-		}
-		return sameObject(info, substr, call.Args[0]) && typeutil.Callee(info, call) == builtinLen
-	}
-
+// constSubstrLen returns the constant length of substr, or -1 if unknown.
+func constSubstrLen(info *types.Info, substr ast.Expr) int {
 	// Handle len([]byte(substr))
-	if is[*ast.CallExpr](substr) {
-		call := substr.(*ast.CallExpr)
+	if call, ok := substr.(*ast.CallExpr); ok {
 		tv := info.Types[call.Fun]
 		if tv.IsType() && types.Identical(tv.Type, byteSliceType) {
 			// Only one arg in []byte conversion.
 			substr = call.Args[0]
 		}
 	}
-	substrLen := -1
 	substrVal := info.Types[substr].Value
 	if substrVal != nil {
 		switch substrVal.Kind() {
 		case constant.String:
-			substrLen = len(constant.StringVal(substrVal))
+			return len(constant.StringVal(substrVal))
 		case constant.Int:
 			// constant.Value is a byte literal, e.g. bytes.IndexByte(_, 'a')
 			// or a numeric byte literal, e.g. bytes.IndexByte(_, 65)
-			substrLen = 1
+			// ([]byte(rune) is not legal.)
+			return 1
 		}
 	}
+	return -1
+}
+
+// isAfterSlice reports whether the SliceExpr is of the form s[i+len(substr):],
+// or s[i + k:] where k is a const is equal to len(substr).
+func isAfterSlice(info *types.Info, ek edge.Kind, slice *ast.SliceExpr, substr ast.Expr) bool {
+	lowExpr, ok := slice.Low.(*ast.BinaryExpr)
+	if !ok || slice.High != nil {
+		return false
+	}
+	// Returns true if the expression is a call to len(substr).
+	isLenCall := func(expr ast.Expr) bool {
+		call, ok := expr.(*ast.CallExpr)
+		if !ok || len(call.Args) != 1 {
+			return false
+		}
+		return sameObject(info, substr, call.Args[0]) && typeutil.Callee(info, call) == builtinLen
+	}
+
+	substrLen := constSubstrLen(info, substr)
 
 	switch ek {
 	case edge.BinaryExpr_X:
@@ -578,6 +644,75 @@ func isAfterSlice(info *types.Info, ek edge.Kind, slice *ast.SliceExpr, substr a
 	return false
 }
 
+// isSliceIndexGuarded reports whether a use of the index variable i (at the given cursor)
+// inside a slice expression is dominated by a nonnegative guard.
+// A use is considered guarded if any of the following are true:
+//   - It is inside the Body of an IfStmt whose condition is a nonnegative check on i.
+//   - It is inside the Else of an IfStmt whose condition is a negative check on i.
+//   - It is preceded (in the same block) by an IfStmt whose condition is a
+//     negative check on i with a terminating body (e.g., early return).
+//
+// Conversely, a use is immediately rejected if:
+//   - It is inside the Body of an IfStmt whose condition is a negative check on i.
+//   - It is inside the Else of an IfStmt whose condition is a nonnegative check on i.
+//
+// We have already checked (see [hasModifyingUses]) that there are no
+// intervening uses (incl. via aliases) of i that might alter its value.
+func isSliceIndexGuarded(info *types.Info, cur inspector.Cursor, iObj types.Object) bool {
+	for anc := range cur.Enclosing() {
+		switch anc.ParentEdgeKind() {
+		case edge.IfStmt_Body, edge.IfStmt_Else:
+			ifStmt := anc.Parent().Node().(*ast.IfStmt)
+			check := condChecksIdx(info, ifStmt.Cond, iObj)
+			if anc.ParentEdgeKind() == edge.IfStmt_Else {
+				check = -check
+			}
+			if check > 0 {
+				return true // inside nonnegative-guarded block (i >= 0 here)
+			}
+			if check < 0 {
+				return false // inside negative-guarded block (i < 0 here)
+			}
+		case edge.BlockStmt_List:
+			// Check preceding siblings for early-return negative checks.
+			for sib, ok := anc.PrevSibling(); ok; sib, ok = sib.PrevSibling() {
+				ifStmt, ok := sib.Node().(*ast.IfStmt)
+				if ok && condChecksIdx(info, ifStmt.Cond, iObj) < 0 && bodyTerminates(ifStmt.Body) {
+					return true // preceded by early-return negative check
+				}
+			}
+		case edge.FuncDecl_Body, edge.FuncLit_Body:
+			return false // stop at function boundary
+		}
+	}
+	return false
+}
+
+// condChecksIdx reports whether cond is a BinaryExpr that checks
+// the index variable iObj for negativity or non-negativity.
+// Returns -1 for negative (e.g. i < 0), +1 for nonnegative (e.g. i >= 0), 0 otherwise.
+func condChecksIdx(info *types.Info, cond ast.Expr, iObj types.Object) int {
+	binExpr, ok := cond.(*ast.BinaryExpr)
+	if !ok {
+		return 0
+	}
+	return checkIdxComparison(info, binExpr, iObj)
+}
+
+// bodyTerminates reports whether the given block statement unconditionally
+// terminates execution (via return, break, continue, or goto).
+func bodyTerminates(block *ast.BlockStmt) bool {
+	if len(block.List) == 0 {
+		return false
+	}
+	last := block.List[len(block.List)-1]
+	switch last.(type) {
+	case *ast.ReturnStmt, *ast.BranchStmt:
+		return true // return, break, continue, goto
+	}
+	return false
+}
+
 // sameObject reports whether we know that the expressions resolve to the same object.
 func sameObject(info *types.Info, expr1, expr2 ast.Expr) bool {
 	if ident1, ok := expr1.(*ast.Ident); ok {
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscutprefix.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscutprefix.go
index 7dc11308d..ae6345400 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscutprefix.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscutprefix.go
@@ -201,8 +201,7 @@ func stringscutprefix(pass *analysis.Pass) (any, error) {
 
 					if astutil.EqualSyntax(lhs, bin.X) && astutil.EqualSyntax(call.Args[0], bin.Y) ||
 						(astutil.EqualSyntax(lhs, bin.Y) && astutil.EqualSyntax(call.Args[0], bin.X)) {
-						// TODO(adonovan): avoid FreshName when not needed; see errorsastype.
-						okVarName := refactor.FreshName(info.Scopes[ifStmt], ifStmt.Pos(), "ok")
+						okVarName := freshName(info, index, info.Scopes[ifStmt], ifStmt.Pos(), curIfStmt, curIfStmt, token.NoPos, "ok")
 						// Have one of:
 						//   if rest := TrimPrefix(s, prefix); rest != s { (ditto Suffix)
 						//   if rest := TrimPrefix(s, prefix); s != rest { (ditto Suffix)
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/unsafefuncs.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/unsafefuncs.go
index 0b36908ec..191eba95c 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/unsafefuncs.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/unsafefuncs.go
@@ -56,11 +56,6 @@ func unsafefuncs(pass *analysis.Pass) (any, error) {
 		tUnsafePointer = types.Typ[types.UnsafePointer]
 	)
 
-	isInteger := func(t types.Type) bool {
-		basic, ok := t.Underlying().(*types.Basic)
-		return ok && basic.Info()&types.IsInteger != 0
-	}
-
 	// isConversion reports whether e is a conversion T(x).
 	// If so, it returns T and x.
 	isConversion := func(curExpr inspector.Cursor) (t types.Type, x inspector.Cursor) {
@@ -208,3 +203,8 @@ func deleteConv(cur inspector.Cursor) []analysis.TextEdit {
 		},
 	}
 }
+
+func isInteger(t types.Type) bool {
+	basic, ok := t.Underlying().(*types.Basic)
+	return ok && basic.Info()&types.IsInteger != 0
+}
diff --git a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/waitgroup.go b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/waitgroup.go
index abf5885ce..5e4258710 100644
--- a/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/waitgroup.go
+++ b/tools/vendor/golang.org/x/tools/go/analysis/passes/modernize/waitgroup.go
@@ -97,6 +97,9 @@ func waitgroup(pass *analysis.Pass) (any, error) {
 		if !ok || len(goStmt.Call.Args) != 0 {
 			continue // go argument is not func(){...}()
 		}
+		if lit.Type.Results != nil && len(lit.Type.Results.List) > 0 {
+			continue // function literal has return values; wg.Go requires func()
+		}
 		list := lit.Body.List
 		if len(list) == 0 {
 			continue
diff --git a/tools/vendor/golang.org/x/tools/go/packages/golist.go b/tools/vendor/golang.org/x/tools/go/packages/golist.go
index 680a70ca8..a6c17cf63 100644
--- a/tools/vendor/golang.org/x/tools/go/packages/golist.go
+++ b/tools/vendor/golang.org/x/tools/go/packages/golist.go
@@ -61,13 +61,42 @@ func (r *responseDeduper) addAll(dr *DriverResponse) {
 }
 
 func (r *responseDeduper) addPackage(p *Package) {
-	if r.seenPackages[p.ID] != nil {
+	if prev := r.seenPackages[p.ID]; prev != nil {
+		// Package already seen in a previous response. Merge the file lists,
+		// removing duplicates. This can happen when the same package appears
+		// in multiple driver responses that are being merged together.
+		prev.GoFiles = appendUniqueStrings(prev.GoFiles, p.GoFiles)
+		prev.CompiledGoFiles = appendUniqueStrings(prev.CompiledGoFiles, p.CompiledGoFiles)
+		prev.OtherFiles = appendUniqueStrings(prev.OtherFiles, p.OtherFiles)
+		prev.IgnoredFiles = appendUniqueStrings(prev.IgnoredFiles, p.IgnoredFiles)
+		prev.EmbedFiles = appendUniqueStrings(prev.EmbedFiles, p.EmbedFiles)
+		prev.EmbedPatterns = appendUniqueStrings(prev.EmbedPatterns, p.EmbedPatterns)
 		return
 	}
 	r.seenPackages[p.ID] = p
 	r.dr.Packages = append(r.dr.Packages, p)
 }
 
+// appendUniqueStrings appends elements from src to dst, skipping duplicates.
+func appendUniqueStrings(dst, src []string) []string {
+	if len(src) == 0 {
+		return dst
+	}
+
+	seen := make(map[string]bool, len(dst))
+	for _, s := range dst {
+		seen[s] = true
+	}
+
+	for _, s := range src {
+		if !seen[s] {
+			dst = append(dst, s)
+		}
+	}
+
+	return dst
+}
+
 func (r *responseDeduper) addRoot(id string) {
 	if r.seenRoots[id] {
 		return
@@ -832,6 +861,8 @@ func golistargs(cfg *Config, words []string, goVersion int) []string {
 		// go list doesn't let you pass -test and -find together,
 		// probably because you'd just get the TestMain.
 		fmt.Sprintf("-find=%t", !cfg.Tests && cfg.Mode&findFlags == 0 && !usesExportData(cfg)),
+		// VCS information is not needed when not printing Stale or StaleReason fields
+		"-buildvcs=false",
 	}
 
 	// golang/go#60456: with go1.21 and later, go list serves pgo variants, which
diff --git a/tools/vendor/golang.org/x/tools/go/packages/packages.go b/tools/vendor/golang.org/x/tools/go/packages/packages.go
index b249a5c7e..412ba06b5 100644
--- a/tools/vendor/golang.org/x/tools/go/packages/packages.go
+++ b/tools/vendor/golang.org/x/tools/go/packages/packages.go
@@ -403,6 +403,10 @@ func mergeResponses(responses ...*DriverResponse) *DriverResponse {
 	if len(responses) == 0 {
 		return nil
 	}
+	// No dedup needed
+	if len(responses) == 1 {
+		return responses[0]
+	}
 	response := newDeduper()
 	response.dr.NotHandled = false
 	response.dr.Compiler = responses[0].Compiler
diff --git a/tools/vendor/golang.org/x/tools/go/ssa/builder.go b/tools/vendor/golang.org/x/tools/go/ssa/builder.go
index a75257c8b..3336203b1 100644
--- a/tools/vendor/golang.org/x/tools/go/ssa/builder.go
+++ b/tools/vendor/golang.org/x/tools/go/ssa/builder.go
@@ -1467,13 +1467,14 @@ func (b *builder) switchStmt(fn *Function, s *ast.SwitchStmt, label *lblock) {
 		var nextCond *BasicBlock
 		for _, cond := range cc.List {
 			nextCond = fn.newBasicBlock("switch.next")
-			// TODO(adonovan): opt: when tag==vTrue, we'd
-			// get better code if we use b.cond(cond)
-			// instead of BinOp(EQL, tag, b.expr(cond))
-			// followed by If.  Don't forget conversions
-			// though.
-			cond := emitCompare(fn, token.EQL, tag, b.expr(fn, cond), cond.Pos())
-			emitIf(fn, cond, body, nextCond)
+			// For boolean switches, emit short-circuit control flow,
+			// just like an if/else-chain.
+			if tag == vTrue && !isNonTypeParamInterface(fn.info.Types[cond].Type) {
+				b.cond(fn, cond, body, nextCond)
+			} else {
+				c := emitCompare(fn, token.EQL, tag, b.expr(fn, cond), cond.Pos())
+				emitIf(fn, c, body, nextCond)
+			}
 			fn.currentBlock = nextCond
 		}
 		fn.currentBlock = body
diff --git a/tools/vendor/golang.org/x/tools/internal/astutil/comment.go b/tools/vendor/golang.org/x/tools/internal/astutil/comment.go
index 7e52aeaaa..5ed4765c7 100644
--- a/tools/vendor/golang.org/x/tools/internal/astutil/comment.go
+++ b/tools/vendor/golang.org/x/tools/internal/astutil/comment.go
@@ -31,7 +31,7 @@ func Deprecation(doc *ast.CommentGroup) string {
 
 // -- plundered from the future (CL 605517, issue #68021) --
 
-// TODO(adonovan): replace with ast.Directive after go1.25 (#68021).
+// TODO(adonovan): replace with ast.Directive in go1.26 (#68021).
 // Beware of our local mods to handle analysistest
 // "want" comments on the same line.
 
diff --git a/tools/vendor/golang.org/x/tools/internal/astutil/stringlit.go b/tools/vendor/golang.org/x/tools/internal/astutil/stringlit.go
index ce1e7de88..eb49d4512 100644
--- a/tools/vendor/golang.org/x/tools/internal/astutil/stringlit.go
+++ b/tools/vendor/golang.org/x/tools/internal/astutil/stringlit.go
@@ -40,20 +40,64 @@ func PosInStringLiteral(lit *ast.BasicLit, offset int) (token.Pos, error) {
 		return 0, fmt.Errorf("invalid offset")
 	}
 
+	pos, _ := walkStringLiteral(lit, lit.End(), offset)
+	return pos, nil
+}
+
+// OffsetInStringLiteral returns the byte offset within the logical (unquoted)
+// string corresponding to the specified source position.
+func OffsetInStringLiteral(lit *ast.BasicLit, pos token.Pos) (int, error) {
+	if !NodeContainsPos(lit, pos) {
+		return 0, fmt.Errorf("invalid position")
+	}
+
+	raw := lit.Value
+
+	value, err := strconv.Unquote(raw)
+	if err != nil {
+		return 0, err
+	}
+
+	_, offset := walkStringLiteral(lit, pos, len(value))
+	return offset, nil
+}
+
+// walkStringLiteral iterates through the raw string literal to map between
+// a file position and a logical byte offset. It stops when it reaches
+// either the targetPos or the targetOffset.
+//
+// TODO(hxjiang): consider making an iterator.
+func walkStringLiteral(lit *ast.BasicLit, targetPos token.Pos, targetOffset int) (token.Pos, int) {
+	raw := lit.Value
+	norm := int(lit.End()-lit.Pos()) > len(lit.Value)
+
 	// remove quotes
 	quote := raw[0] // '"' or '`'
 	raw = raw[1 : len(raw)-1]
 
 	var (
-		i   = 0                // byte index within logical value
-		pos = lit.ValuePos + 1 // position within literal
+		i   = 0             // byte index within logical value
+		pos = lit.Pos() + 1 // position within literal
 	)
-	for raw != "" && i < offset {
+
+	for raw != "" {
 		r, _, rest, _ := strconv.UnquoteChar(raw, quote) // can't fail
 		sz := len(raw) - len(rest)                       // length of literal char in raw bytes
-		pos += token.Pos(sz)
+
+		nextPos := pos + token.Pos(sz)
+		if norm && r == '\n' {
+			nextPos++
+		}
+		nextI := i + utf8.RuneLen(r) // length of logical char in "cooked" bytes
+
+		if nextPos > targetPos || nextI > targetOffset {
+			break
+		}
+
 		raw = raw[sz:]
-		i += utf8.RuneLen(r)
+		i = nextI
+		pos = nextPos
 	}
-	return pos, nil
+
+	return pos, i
 }
diff --git a/tools/vendor/golang.org/x/tools/internal/astutil/util.go b/tools/vendor/golang.org/x/tools/internal/astutil/util.go
index 6378b50c5..f211d2cc3 100644
--- a/tools/vendor/golang.org/x/tools/internal/astutil/util.go
+++ b/tools/vendor/golang.org/x/tools/internal/astutil/util.go
@@ -15,40 +15,6 @@ import (
 	"golang.org/x/tools/internal/moreiters"
 )
 
-// PreorderStack traverses the tree rooted at root,
-// calling f before visiting each node.
-//
-// Each call to f provides the current node and traversal stack,
-// consisting of the original value of stack appended with all nodes
-// from root to n, excluding n itself. (This design allows calls
-// to PreorderStack to be nested without double counting.)
-//
-// If f returns false, the traversal skips over that subtree. Unlike
-// [ast.Inspect], no second call to f is made after visiting node n.
-// In practice, the second call is nearly always used only to pop the
-// stack, and it is surprisingly tricky to do this correctly; see
-// https://go.dev/issue/73319.
-//
-// TODO(adonovan): replace with [ast.PreorderStack] when go1.25 is assured.
-func PreorderStack(root ast.Node, stack []ast.Node, f func(n ast.Node, stack []ast.Node) bool) {
-	before := len(stack)
-	ast.Inspect(root, func(n ast.Node) bool {
-		if n != nil {
-			if !f(n, stack) {
-				// Do not push, as there will be no corresponding pop.
-				return false
-			}
-			stack = append(stack, n) // push
-		} else {
-			stack = stack[:len(stack)-1] // pop
-		}
-		return true
-	})
-	if len(stack) != before {
-		panic("push/pop mismatch")
-	}
-}
-
 // NodeContains reports whether the Pos/End range of node n encloses
 // the given range.
 //
diff --git a/tools/vendor/golang.org/x/tools/internal/goplsexport/export.go b/tools/vendor/golang.org/x/tools/internal/goplsexport/export.go
index b0572f596..231e3f218 100644
--- a/tools/vendor/golang.org/x/tools/internal/goplsexport/export.go
+++ b/tools/vendor/golang.org/x/tools/internal/goplsexport/export.go
@@ -14,4 +14,5 @@ var (
 	PlusBuildModernizer    *analysis.Analyzer // = modernize.plusbuildAnalyzer
 	StringsCutModernizer   *analysis.Analyzer // = modernize.stringscutAnalyzer
 	UnsafeFuncsModernizer  *analysis.Analyzer // = modernize.unsafeFuncsAnalyzer
+	AtomicModernizer       *analysis.Analyzer // = modernize.atomicAnalyzer
 )
diff --git a/tools/vendor/golang.org/x/tools/internal/refactor/refactor.go b/tools/vendor/golang.org/x/tools/internal/refactor/refactor.go
index 8664377f8..1d6c05433 100644
--- a/tools/vendor/golang.org/x/tools/internal/refactor/refactor.go
+++ b/tools/vendor/golang.org/x/tools/internal/refactor/refactor.go
@@ -17,10 +17,9 @@ import (
 // FreshName returns the name of an identifier that is undefined
 // at the specified position, based on the preferred name.
 //
-// TODO(adonovan): refine this to choose a fresh name only when there
-// would be a conflict with the existing declaration: it's fine to
-// redeclare a name in a narrower scope so long as there are no free
-// references to the outer name from within the narrower scope.
+// export/use freshName in go/analysis/passes/modernize/modernize.go if you want
+// to generate a fresh name only when necessary (i.e., there is both an existing
+// declaration and some free reference to the name within a narrower scope)
 func FreshName(scope *types.Scope, pos token.Pos, preferred string) string {
 	newName := preferred
 	for i := 0; ; i++ {
diff --git a/tools/vendor/golang.org/x/tools/refactor/satisfy/find.go b/tools/vendor/golang.org/x/tools/refactor/satisfy/find.go
index bb3837553..3d21ce6d2 100644
--- a/tools/vendor/golang.org/x/tools/refactor/satisfy/find.go
+++ b/tools/vendor/golang.org/x/tools/refactor/satisfy/find.go
@@ -395,8 +395,11 @@ func (f *Finder) expr(e ast.Expr) types.Type {
 		f.expr(e.X)
 
 	case *ast.SelectorExpr:
-		if _, ok := f.info.Selections[e]; ok {
-			f.expr(e.X) // selection
+		if seln, ok := f.info.Selections[e]; ok {
+			// If e.X is a type (e.g., e is interface{ m() }.m), don't visit it.
+			if seln.Kind() != types.MethodExpr {
+				f.expr(e.X)
+			}
 		} else {
 			return f.info.Uses[e.Sel].Type() // qualified identifier
 		}
diff --git a/tools/vendor/modules.txt b/tools/vendor/modules.txt
index 879a72e0f..db6e4b574 100644
--- a/tools/vendor/modules.txt
+++ b/tools/vendor/modules.txt
@@ -154,8 +154,8 @@ github.com/cespare/xxhash/v2
 # github.com/charithe/durationcheck v0.0.11
 ## explicit; go 1.16
 github.com/charithe/durationcheck
-# github.com/charmbracelet/colorprofile v0.4.2
-## explicit; go 1.24.2
+# github.com/charmbracelet/colorprofile v0.4.3
+## explicit; go 1.25.0
 github.com/charmbracelet/colorprofile
 # github.com/charmbracelet/lipgloss v1.1.0
 ## explicit; go 1.18
@@ -215,8 +215,8 @@ github.com/dlclark/regexp2/syntax
 # github.com/ettle/strcase v0.2.0
 ## explicit; go 1.12
 github.com/ettle/strcase
-# github.com/fatih/color v1.18.0
-## explicit; go 1.17
+# github.com/fatih/color v1.19.0
+## explicit; go 1.25.0
 github.com/fatih/color
 # github.com/fatih/structtag v1.2.0
 ## explicit; go 1.12
@@ -317,7 +317,7 @@ github.com/golangci/go-printf-func-name/pkg/analyzer
 # github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d
 ## explicit; go 1.22.0
 github.com/golangci/gofmt/gofmt
-# github.com/golangci/golangci-lint/v2 v2.11.2
+# github.com/golangci/golangci-lint/v2 v2.11.4
 ## explicit; go 1.25.0
 github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 github.com/golangci/golangci-lint/v2/internal/cache
@@ -327,10 +327,9 @@ github.com/golangci/golangci-lint/v2/internal/go/cache
 github.com/golangci/golangci-lint/v2/internal/go/cacheprog
 github.com/golangci/golangci-lint/v2/internal/go/mmap
 github.com/golangci/golangci-lint/v2/internal/go/quoted
-github.com/golangci/golangci-lint/v2/internal/x/tools/analysisflags
-github.com/golangci/golangci-lint/v2/internal/x/tools/analysisinternal
 github.com/golangci/golangci-lint/v2/internal/x/tools/diff
 github.com/golangci/golangci-lint/v2/internal/x/tools/diff/lcs
+github.com/golangci/golangci-lint/v2/internal/x/tools/driverutil
 github.com/golangci/golangci-lint/v2/pkg/commands
 github.com/golangci/golangci-lint/v2/pkg/commands/internal
 github.com/golangci/golangci-lint/v2/pkg/commands/internal/migrate
@@ -771,8 +770,8 @@ github.com/rogpeppe/go-internal/robustio
 # github.com/ryancurrah/gomodguard v1.4.1
 ## explicit; go 1.23.0
 github.com/ryancurrah/gomodguard
-# github.com/ryanrolds/sqlclosecheck v0.5.1
-## explicit; go 1.20
+# github.com/ryanrolds/sqlclosecheck v0.6.0
+## explicit; go 1.25.0
 github.com/ryanrolds/sqlclosecheck/pkg/analyzer
 # github.com/sagikazarmark/locafero v0.12.0
 ## explicit; go 1.23.0
@@ -792,7 +791,7 @@ github.com/sashamelentyev/interfacebloat/pkg/analyzer
 ## explicit; go 1.23.0
 github.com/sashamelentyev/usestdlibvars/pkg/analyzer
 github.com/sashamelentyev/usestdlibvars/pkg/analyzer/internal/mapping
-# github.com/securego/gosec/v2 v2.24.7
+# github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08
 ## explicit; go 1.25.0
 github.com/securego/gosec/v2
 github.com/securego/gosec/v2/analyzers
@@ -807,7 +806,7 @@ github.com/sirupsen/logrus
 # github.com/sivchari/containedctx v1.0.3
 ## explicit; go 1.17
 github.com/sivchari/containedctx
-# github.com/sonatard/noctx v0.5.0
+# github.com/sonatard/noctx v0.5.1
 ## explicit; go 1.23.0
 github.com/sonatard/noctx
 # github.com/sourcegraph/go-diff v0.7.0
@@ -946,8 +945,8 @@ go.yaml.in/yaml/v3
 # golang.org/x/exp/typeparams v0.0.0-20260218203240-3dfff04db8fa
 ## explicit; go 1.25.0
 golang.org/x/exp/typeparams
-# golang.org/x/mod v0.33.0
-## explicit; go 1.24.0
+# golang.org/x/mod v0.34.0
+## explicit; go 1.25.0
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/modfile
 golang.org/x/mod/module
@@ -984,8 +983,8 @@ golang.org/x/text/runes
 golang.org/x/text/transform
 golang.org/x/text/unicode/norm
 golang.org/x/text/width
-# golang.org/x/tools v0.42.0
-## explicit; go 1.24.0
+# golang.org/x/tools v0.43.0
+## explicit; go 1.25.0
 golang.org/x/tools/go/analysis
 golang.org/x/tools/go/analysis/passes/appends
 golang.org/x/tools/go/analysis/passes/asmdecl
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/generic.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/generic.go
index e28d7c710..1408e1120 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/generic.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/generic.go
@@ -78,7 +78,7 @@ func (c *genericCurve) GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err
 func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	xP, yP := elliptic.Unmarshal(c.Curve, point)
 	if xP == nil {
-		panic("invalid point")
+		return nil, nil, errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
 	}
 
 	d, x, y, err := elliptic.GenerateKey(c.Curve, rand)
@@ -99,6 +99,9 @@ func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSe
 
 func (c *genericCurve) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
 	x, y := elliptic.Unmarshal(c.Curve, ephemeral)
+	if x == nil {
+		return nil, errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
+	}
 	zbBig, _ := c.Curve.ScalarMult(x, y, secret)
 	byteLen := (c.Curve.Params().BitSize + 7) >> 3
 	zb := make([]byte, byteLen)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index cc5140b70..b46a0afcb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.41.3"
+const goModuleVersion = "1.41.4"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
index c292c41b6..af105a52d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.7.7 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+
 # v1.7.6 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
index cdac6dbc0..21414d681 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
@@ -3,4 +3,4 @@
 package eventstream
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.7.6"
+const goModuleVersion = "1.7.7"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go
index 360344791..39efd848c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go
@@ -3,7 +3,7 @@ package query
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 
 	"github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
@@ -52,7 +52,7 @@ func (m *asGetRequest) HandleSerialize(
 		delim = "&"
 	}
 
-	b, err := ioutil.ReadAll(stream)
+	b, err := io.ReadAll(stream)
 	if err != nil {
 		return out, metadata, fmt.Errorf("unable to get request body %w", err)
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go
index c7ef0acc4..49cc31205 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go
@@ -300,6 +300,17 @@ func limitedRedirect(r *http.Request, via []*http.Request) error {
 	switch resp.StatusCode {
 	case 307, 308:
 		// Only allow 307 and 308 redirects as they preserve the method.
+
+		// If redirecting to a different host, remove X-Amz-Security-Token header
+		// to prevent credentials from being sent to a different host, similar to
+		// how Authorization header is handled by the HTTP client.
+		if len(via) > 0 {
+			lastRequest := via[len(via)-1]
+			if lastRequest.URL.Host != r.URL.Host {
+				r.Header.Del("X-Amz-Security-Token")
+			}
+		}
+
 		return nil
 	}
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
index bd9f7eb3c..0c2a7d9f0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
@@ -1,3 +1,8 @@
+# v1.32.12 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.32.11 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
index 511862f49..202b9574b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
@@ -3,4 +3,4 @@
 package config
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.32.11"
+const goModuleVersion = "1.32.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
index f56839a4b..a71c105d9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go
@@ -5,7 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 
@@ -69,7 +69,7 @@ func resolveCustomCABundle(ctx context.Context, cfg *aws.Config, cfgs configs) e
 			tr.TLSClientConfig.RootCAs = x509.NewCertPool()
 		}
 
-		b, err := ioutil.ReadAll(pemCerts)
+		b, err := io.ReadAll(pemCerts)
 		if err != nil {
 			appendErr = fmt.Errorf("failed to read custom CA bundle PEM file")
 		}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go
index de8398599..4f8c324e0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go
@@ -3,7 +3,6 @@ package config
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/url"
 	"os"
@@ -346,7 +345,7 @@ func resolveHTTPCredProvider(ctx context.Context, cfg *aws.Config, url, authToke
 				options.AuthorizationTokenProvider = endpointcreds.TokenProviderFunc(func() (string, error) {
 					var contents []byte
 					var err error
-					if contents, err = ioutil.ReadFile(authFilePath); err != nil {
+					if contents, err = os.ReadFile(authFilePath); err != nil {
 						return "", fmt.Errorf("failed to read authorization token from %v: %v", authFilePath, err)
 					}
 					return string(contents), nil
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go b/vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go
index 5a0fea222..44c616fd5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -502,7 +501,7 @@ func (c SharedConfig) getCustomCABundle(context.Context) (io.Reader, bool, error
 		return nil, false, nil
 	}
 
-	b, err := ioutil.ReadFile(c.CustomCABundle)
+	b, err := os.ReadFile(c.CustomCABundle)
 	if err != nil {
 		return nil, false, err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
index 28a661c68..a5705a194 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
@@ -1,3 +1,8 @@
+# v1.19.12 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.19.11 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
index 5f3728594..97ad19cb7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
@@ -3,4 +3,4 @@
 package credentials
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.19.11"
+const goModuleVersion = "1.19.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
index 46ae2f923..1fb6b2f0d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -145,7 +144,7 @@ func getTokenFieldRFC3339(v interface{}, value **rfc3339) error {
 }
 
 func loadCachedToken(filename string) (token, error) {
-	fileBytes, err := ioutil.ReadFile(filename)
+	fileBytes, err := os.ReadFile(filename)
 	if err != nil {
 		return token{}, fmt.Errorf("failed to read cached SSO token file, %w", err)
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
index 5f4286dda..e3d4a3cd4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
@@ -3,7 +3,7 @@ package stscreds
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -80,7 +80,7 @@ type IdentityTokenFile string
 
 // GetIdentityToken retrieves the JWT token from the file and returns the contents as a []byte
 func (j IdentityTokenFile) GetIdentityToken() ([]byte, error) {
-	b, err := ioutil.ReadFile(string(j))
+	b, err := os.ReadFile(string(j))
 	if err != nil {
 		return nil, fmt.Errorf("unable to read file at %s: %v", string(j), err)
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
index 4c3fb21d2..a2be438e9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
@@ -1,3 +1,8 @@
+# v1.18.20 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.18.19 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
index 01102aee3..1ce3f98b7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
@@ -3,4 +3,4 @@
 package imds
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.18.19"
+const goModuleVersion = "1.18.20"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go
index b25910afd..0585f144d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go
@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/url"
 	"path"
 	"time"
@@ -176,11 +176,11 @@ func (m *deserializeResponse) HandleDeserialize(
 
 	// read the full body so that any operation timeouts cleanup will not race
 	// the body being read.
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return out, metadata, fmt.Errorf("read response body failed, %w", err)
 	}
-	resp.Body = ioutil.NopCloser(bytes.NewReader(body))
+	resp.Body = io.NopCloser(bytes.NewReader(body))
 
 	// Anything that's not 200 |< 300 is error
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index 71066a9c6..46942eee7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.4.20 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.4.19 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index c42653ca4..2a210bd10 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.4.19"
+const goModuleVersion = "1.4.20"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index f1ea7ea00..2673108d3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v2.7.20 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.7.19 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index 628a5269b..d4052854e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.7.19"
+const goModuleVersion = "2.7.20"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
index 6983e0d02..fdf434a5e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.8.6 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+
 # v1.8.5 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
index be846f8f3..1dc2e12aa 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ini
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.8.5"
+const goModuleVersion = "1.8.6"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
index 87e6e587b..48f2bf86c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.4.21 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.4.20 (2026-03-05)
 
 * **Bug Fix**: Read the correct auth property for SigV4A signing names.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
index 87221df0a..7dd2a095b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
@@ -3,4 +3,4 @@
 package v4a
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.4.20"
+const goModuleVersion = "1.4.21"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/CHANGELOG.md
index a85f450ec..b9d519c19 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.53.6 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.5 (2026-03-09)
+
+* **Documentation**: Added support for CloudWatch Logs long-term API keys, currently available in Preview
+
 # v1.53.4 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/api_op_CreateServiceSpecificCredential.go b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/api_op_CreateServiceSpecificCredential.go
index cc007d878..19113286b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/api_op_CreateServiceSpecificCredential.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/api_op_CreateServiceSpecificCredential.go
@@ -18,8 +18,8 @@ import (
 // You can have a maximum of two sets of service-specific credentials for each
 // supported service per user.
 //
-// You can create service-specific credentials for Amazon Bedrock, CodeCommit and
-// Amazon Keyspaces (for Apache Cassandra).
+// You can create service-specific credentials for Amazon Bedrock, Amazon
+// CloudWatch Logs, CodeCommit and Amazon Keyspaces (for Apache Cassandra).
 //
 // You can reset the password to a new service-generated value by calling [ResetServiceSpecificCredential].
 //
@@ -66,8 +66,8 @@ type CreateServiceSpecificCredentialInput struct {
 	UserName *string
 
 	// The number of days until the service specific credential expires. This field is
-	// only valid for Bedrock API keys and must be a positive integer. When not
-	// specified, the credential will not expire.
+	// only valid for Bedrock and CloudWatch Logs API keys and must be a positive
+	// integer. When not specified, the credential will not expire.
 	CredentialAgeDays *int32
 
 	noSmithyDocumentSerde
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/go_module_metadata.go
index 0d63c2a99..8eb5086c0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/go_module_metadata.go
@@ -3,4 +3,4 @@
 package iam
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.53.4"
+const goModuleVersion = "1.53.6"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/types/types.go
index eded7a6a2..32d9d370b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/iam/types/types.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/iam/types/types.go
@@ -310,7 +310,9 @@ type DelegationRequest struct {
 
 	// The expiry time of this delegation request
 	//
-	// See the Understanding the Request Lifecycle for details on the life time of a delegation request at each state.
+	// See the [Understanding the Request Lifecycle] for details on the life time of a delegation request at each state.
+	//
+	// [Understanding the Request Lifecycle]: https://docs.aws.amazon.com/IAM/latest/UserGuide/temporary-delegation-building-integration.html#temporary-delegation-request-lifecycle
 	ExpirationTime *time.Time
 
 	// Notes added to this delegation request, if this request was updated via the [UpdateDelegationRequest]
@@ -364,7 +366,9 @@ type DelegationRequest struct {
 
 	// If the PermissionPolicy includes role creation permissions, this element will
 	// include the list of permissions boundary policies associated with the role
-	// creation. See Permissions boundaries for IAM entitiesfor more details about IAM permission boundaries.
+	// creation. See [Permissions boundaries for IAM entities]for more details about IAM permission boundaries.
+	//
+	// [Permissions boundaries for IAM entities]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
 	RolePermissionRestrictionArns []string
 
 	// The life-time of the requested session credential.
@@ -372,7 +376,9 @@ type DelegationRequest struct {
 
 	// The state of this delegation request.
 	//
-	// See the Understanding the Request Lifecycle for an explanation of how these states are transitioned.
+	// See the [Understanding the Request Lifecycle] for an explanation of how these states are transitioned.
+	//
+	// [Understanding the Request Lifecycle]: https://docs.aws.amazon.com/IAM/latest/UserGuide/temporary-delegation-building-integration.html#temporary-delegation-request-lifecycle
 	State StateType
 
 	// Last updated timestamp of the request.
@@ -1773,17 +1779,18 @@ type ServiceSpecificCredential struct {
 	UserName *string
 
 	// The date and time when the service specific credential expires. This field is
-	// only present for Bedrock API keys that were created with an expiration period.
+	// only present for Bedrock API keys and CloudWatch Logs API keys that were created
+	// with an expiration period.
 	ExpirationDate *time.Time
 
-	// For Bedrock API keys, this is the public portion of the credential that
-	// includes the IAM user name and a suffix containing version and creation
-	// information.
+	// For Bedrock API keys and CloudWatch Logs API keys, this is the public portion
+	// of the credential that includes the IAM user name and a suffix containing
+	// version and creation information.
 	ServiceCredentialAlias *string
 
-	// For Bedrock API keys, this is the secret portion of the credential that should
-	// be used to authenticate API calls. This value is returned only when the
-	// credential is created.
+	// For Bedrock API keys and CloudWatch Logs API keys, this is the secret portion
+	// of the credential that should be used to authenticate API calls. This value is
+	// returned only when the credential is created.
 	ServiceCredentialSecret *string
 
 	// The generated password for the service-specific credential.
@@ -1830,12 +1837,13 @@ type ServiceSpecificCredentialMetadata struct {
 	UserName *string
 
 	// The date and time when the service specific credential expires. This field is
-	// only present for Bedrock API keys that were created with an expiration period.
+	// only present for Bedrock API keys and CloudWatch Logs API keys that were created
+	// with an expiration period.
 	ExpirationDate *time.Time
 
-	// For Bedrock API keys, this is the public portion of the credential that
-	// includes the IAM user name and a suffix containing version and creation
-	// information.
+	// For Bedrock API keys and CloudWatch Logs API keys, this is the public portion
+	// of the credential that includes the IAM user name and a suffix containing
+	// version and creation information.
 	ServiceCredentialAlias *string
 
 	// The generated user name for the service-specific credential.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
index b594dddaa..497d37230 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.13.7 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+
 # v1.13.6 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
index 0ece341c6..5679a2b2b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
@@ -3,4 +3,4 @@
 package acceptencoding
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.13.6"
+const goModuleVersion = "1.13.7"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/CHANGELOG.md
index 768c3716b..7148221e4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/CHANGELOG.md
@@ -1,3 +1,8 @@
+# v1.9.12 (2026-03-13)
+
+* **Bug Fix**: Replace usages of the old ioutil/ package throughout the SDK.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.9.11 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/go_module_metadata.go
index 0f45aeabc..bdce1ef6a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/checksum/go_module_metadata.go
@@ -3,4 +3,4 @@
 package checksum
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.9.11"
+const goModuleVersion = "1.9.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index 6be7fa536..0a52b84b6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.13.20 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.13.19 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index 983aaa4b6..f65e864d0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.13.19"
+const goModuleVersion = "1.13.20"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/CHANGELOG.md
index da0728750..1e5b70f75 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.19.20 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.19.19 (2026-03-03)
 
 * **Bug Fix**: Modernize non codegen files with go fix
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/go_module_metadata.go
index 87ec0db1c..47ba8ecd7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/s3shared/go_module_metadata.go
@@ -3,4 +3,4 @@
 package s3shared
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.19.19"
+const goModuleVersion = "1.19.20"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/CHANGELOG.md
index e4e01adad..3c716086d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.40.14 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.40.13 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/go_module_metadata.go
index 28e91d2a1..b7b96a9f7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/pricing/go_module_metadata.go
@@ -3,4 +3,4 @@
 package pricing
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.40.13"
+const goModuleVersion = "1.40.14"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/signin/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/signin/CHANGELOG.md
index c0201eb36..6625fa25e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/signin/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/signin/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.0.8 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.0.7 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/signin/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/signin/go_module_metadata.go
index d1b4908f6..fe22d5a36 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/signin/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/signin/go_module_metadata.go
@@ -3,4 +3,4 @@
 package signin
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.0.7"
+const goModuleVersion = "1.0.8"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
index 08fefc644..6c9be3880 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.30.13 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.30.12 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
index ec1582e08..fde08b7d0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sso
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.30.12"
+const goModuleVersion = "1.30.13"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
index 35d0b7c8f..40da3df26 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.35.17 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.35.16 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
index 6d843cd7a..a8373e5b5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ssooidc
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.35.16"
+const goModuleVersion = "1.35.17"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index 6d21791e1..32f04b84c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.41.9 (2026-03-13)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.41.8 (2026-03-03)
 
 * **Dependency Update**: Bump minimum Go version to 1.24
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index 0779e5025..88f4eb9f1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.41.8"
+const goModuleVersion = "1.41.9"
diff --git a/vendor/github.com/charmbracelet/colorprofile/writer.go b/vendor/github.com/charmbracelet/colorprofile/writer.go
index 1a88e2b7b..c96e61a95 100644
--- a/vendor/github.com/charmbracelet/colorprofile/writer.go
+++ b/vendor/github.com/charmbracelet/colorprofile/writer.go
@@ -40,9 +40,11 @@ func (w *Writer) Write(p []byte) (int, error) {
 	case w.Profile == TrueColor:
 		return w.Forward.Write(p) //nolint:wrapcheck
 	case w.Profile <= NoTTY:
-		return io.WriteString(w.Forward, ansi.Strip(string(p))) //nolint:wrapcheck
+		_, err := io.WriteString(w.Forward, ansi.Strip(string(p)))
+		return len(p), err
 	case w.Profile == ASCII, w.Profile == ANSI, w.Profile == ANSI256:
-		return w.downsample(p)
+		_, err := w.downsample(p)
+		return len(p), err
 	default:
 		return 0, fmt.Errorf("invalid profile: %v", w.Profile)
 	}
diff --git a/vendor/github.com/coocood/freecache/.gitignore b/vendor/github.com/coocood/freecache/.gitignore
new file mode 100644
index 000000000..bc8a670e0
--- /dev/null
+++ b/vendor/github.com/coocood/freecache/.gitignore
@@ -0,0 +1 @@
+.idea/*
\ No newline at end of file
diff --git a/vendor/github.com/coocood/freecache/cache.go b/vendor/github.com/coocood/freecache/cache.go
index b58783930..dea114da8 100644
--- a/vendor/github.com/coocood/freecache/cache.go
+++ b/vendor/github.com/coocood/freecache/cache.go
@@ -86,6 +86,47 @@ func (cache *Cache) Get(key []byte) (value []byte, err error) {
 	return
 }
 
+// MultiGet returns values and errors for the given keys. The returned slices
+// have the same length as keys; values[i] and errs[i] correspond to keys[i].
+// A miss is represented by values[i] == nil and errs[i] == ErrNotFound.
+// MultiGet reduces lock contention by grouping keys by segment and acquiring
+// each segment lock at most once.
+// Note that MultiGet holds each segment lock longer than a single Get (for
+// the duration of all keys in that segment), which can increase Get tail
+// latency when MultiGet and Get run concurrently.
+func (cache *Cache) MultiGet(keys [][]byte) (values [][]byte, errs []error) {
+	n := len(keys)
+	if n == 0 {
+		return nil, nil
+	}
+	values = make([][]byte, n)
+	errs = make([]error, n)
+	type keyLoc struct {
+		idx     int
+		hashVal uint64
+	}
+	var groups [segmentCount][]keyLoc
+	for i, key := range keys {
+		hashVal := hashFunc(key)
+		segID := hashVal & segmentAndOpVal
+		groups[segID] = append(groups[segID], keyLoc{idx: i, hashVal: hashVal})
+	}
+	for segID := 0; segID < segmentCount; segID++ {
+		batch := groups[segID]
+		if len(batch) == 0 {
+			continue
+		}
+		cache.locks[segID].Lock()
+		for _, loc := range batch {
+			value, _, err := cache.segments[segID].get(keys[loc.idx], nil, loc.hashVal, false)
+			values[loc.idx] = value
+			errs[loc.idx] = err
+		}
+		cache.locks[segID].Unlock()
+	}
+	return values, errs
+}
+
 // GetFn is equivalent to Get or GetWithBuf, but it attempts to be zero-copy,
 // calling the provided function with slice view over the current underlying
 // value of the key in memory. The slice is constrained in length and capacity.
@@ -176,6 +217,18 @@ func (cache *Cache) Peek(key []byte) (value []byte, err error) {
 	return
 }
 
+// PeekWithExpiration returns the value and expiration time, without updating access time or counters.
+// Warning: No expiry check is performed so if an expired value is found, it will be
+// returned without error
+func (cache *Cache) PeekWithExpiration(key []byte) (value []byte, expireAt uint32, err error) {
+	hashVal := hashFunc(key)
+	segID := hashVal & segmentAndOpVal
+	cache.locks[segID].Lock()
+	value, expireAt, err = cache.segments[segID].get(key, nil, hashVal, true)
+	cache.locks[segID].Unlock()
+	return
+}
+
 // PeekFn is equivalent to Peek, but it attempts to be zero-copy, calling the
 // provided function with slice view over the current underlying value of the
 // key in memory. The slice is constrained in length and capacity.
diff --git a/vendor/github.com/klauspost/compress/.goreleaser.yml b/vendor/github.com/klauspost/compress/.goreleaser.yml
index 4528059ca..804a20181 100644
--- a/vendor/github.com/klauspost/compress/.goreleaser.yml
+++ b/vendor/github.com/klauspost/compress/.goreleaser.yml
@@ -31,6 +31,9 @@ builds:
       - mips64le
     goarm:
       - 7
+    ignore:
+      - goos: windows
+        goarch: arm
   -
     id: "s2d"
     binary: s2d
@@ -57,6 +60,9 @@ builds:
       - mips64le
     goarm:
       - 7
+    ignore:
+      - goos: windows
+        goarch: arm
   -
     id: "s2sx"
     binary: s2sx
@@ -84,6 +90,9 @@ builds:
       - mips64le
     goarm:
       - 7
+    ignore:
+      - goos: windows
+        goarch: arm
 
 archives:
   -
@@ -91,7 +100,7 @@ archives:
     name_template: "s2-{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
     format_overrides:
       - goos: windows
-        format: zip
+        formats: ['zip']
     files:
       - unpack/*
       - s2/LICENSE
diff --git a/vendor/github.com/klauspost/compress/README.md b/vendor/github.com/klauspost/compress/README.md
index 5125c1f26..e839fe9c6 100644
--- a/vendor/github.com/klauspost/compress/README.md
+++ b/vendor/github.com/klauspost/compress/README.md
@@ -26,6 +26,12 @@ This package will support the current Go version and 2 versions back.
 Use the links above for more information on each.
 
 # changelog
+
+* Feb 9th, 2026 [1.18.4](https://github.com/klauspost/compress/releases/tag/v1.18.4)
+	* gzhttp: Add zstandard to server handler wrapper https://github.com/klauspost/compress/pull/1121
+	* zstd: Add ResetWithOptions to encoder/decoder https://github.com/klauspost/compress/pull/1122
+	* gzhttp: preserve qvalue when extra parameters follow in Accept-Encoding by @analytically in https://github.com/klauspost/compress/pull/1116
+
 * Jan 16th, 2026 [1.18.3](https://github.com/klauspost/compress/releases/tag/v1.18.3)
 	* Downstream CVE-2025-61728. See [golang/go#77102](https://github.com/golang/go/issues/77102).
 
@@ -691,3 +697,4 @@ This code is licensed under the same conditions as the original Go code. See LIC
 
 
 
+
diff --git a/vendor/github.com/klauspost/compress/flate/huffman_code.go b/vendor/github.com/klauspost/compress/flate/huffman_code.go
index 5f901bd0f..4b312dea3 100644
--- a/vendor/github.com/klauspost/compress/flate/huffman_code.go
+++ b/vendor/github.com/klauspost/compress/flate/huffman_code.go
@@ -407,8 +407,8 @@ func histogramSplit(b []byte, h []uint16) {
 	for i, t := range x {
 		v0 := &h[t]
 		v1 := &h[y[i]]
-		v3 := &h[w[i]]
 		v2 := &h[z[i]]
+		v3 := &h[w[i]]
 		*v0++
 		*v1++
 		*v2++
diff --git a/vendor/github.com/klauspost/compress/flate/regmask_other.go b/vendor/github.com/klauspost/compress/flate/regmask_other.go
index 1b7a2cbd7..e62caf711 100644
--- a/vendor/github.com/klauspost/compress/flate/regmask_other.go
+++ b/vendor/github.com/klauspost/compress/flate/regmask_other.go
@@ -1,5 +1,4 @@
 //go:build !amd64
-// +build !amd64
 
 package flate
 
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go
index 99ddd4af9..2d6ef64be 100644
--- a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go
+++ b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go
@@ -1,5 +1,4 @@
 //go:build amd64 && !appengine && !noasm && gc
-// +build amd64,!appengine,!noasm,gc
 
 // This file contains the specialisation of Decoder.Decompress4X
 // and Decoder.Decompress1X that use an asm implementation of thir main loops.
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_generic.go b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go
index 908c17de6..610392322 100644
--- a/vendor/github.com/klauspost/compress/huff0/decompress_generic.go
+++ b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go
@@ -1,5 +1,4 @@
 //go:build !amd64 || appengine || !gc || noasm
-// +build !amd64 appengine !gc noasm
 
 // This file contains a generic implementation of Decoder.Decompress4X.
 package huff0
diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go
index e802579c4..b97f9056f 100644
--- a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go
+++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go
@@ -1,5 +1,4 @@
 //go:build amd64 && !appengine && !noasm && gc
-// +build amd64,!appengine,!noasm,gc
 
 package cpuinfo
 
diff --git a/vendor/github.com/klauspost/compress/zstd/blockenc.go b/vendor/github.com/klauspost/compress/zstd/blockenc.go
index fd35ea148..0e33aea44 100644
--- a/vendor/github.com/klauspost/compress/zstd/blockenc.go
+++ b/vendor/github.com/klauspost/compress/zstd/blockenc.go
@@ -78,6 +78,7 @@ func (b *blockEnc) initNewEncode() {
 	b.recentOffsets = [3]uint32{1, 4, 8}
 	b.litEnc.Reuse = huff0.ReusePolicyNone
 	b.coders.setPrev(nil, nil, nil)
+	b.dictLitEnc = nil
 }
 
 // reset will reset the block for a new encode, but in the same stream,
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_base.go b/vendor/github.com/klauspost/compress/zstd/enc_base.go
index c1192ec38..c4de134a7 100644
--- a/vendor/github.com/klauspost/compress/zstd/enc_base.go
+++ b/vendor/github.com/klauspost/compress/zstd/enc_base.go
@@ -21,7 +21,7 @@ type fastBase struct {
 	crc         *xxhash.Digest
 	tmp         [8]byte
 	blk         *blockEnc
-	lastDictID  uint32
+	lastDict    *dict
 	lowMem      bool
 }
 
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_best.go b/vendor/github.com/klauspost/compress/zstd/enc_best.go
index c1581cfcb..851799322 100644
--- a/vendor/github.com/klauspost/compress/zstd/enc_best.go
+++ b/vendor/github.com/klauspost/compress/zstd/enc_best.go
@@ -479,10 +479,13 @@ func (e *bestFastEncoder) Reset(d *dict, singleBlock bool) {
 	if d == nil {
 		return
 	}
+	dictChanged := d != e.lastDict
 	// Init or copy dict table
-	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+	if len(e.dictTable) != len(e.table) || dictChanged {
 		if len(e.dictTable) != len(e.table) {
 			e.dictTable = make([]prevEntry, len(e.table))
+		} else {
+			clear(e.dictTable)
 		}
 		end := int32(len(d.content)) - 8 + e.maxMatchOff
 		for i := e.maxMatchOff; i < end; i += 4 {
@@ -510,13 +513,14 @@ func (e *bestFastEncoder) Reset(d *dict, singleBlock bool) {
 				offset: i + 3,
 			}
 		}
-		e.lastDictID = d.id
 	}
 
-	// Init or copy dict table
-	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+	// Init or copy dict long table
+	if len(e.dictLongTable) != len(e.longTable) || dictChanged {
 		if len(e.dictLongTable) != len(e.longTable) {
 			e.dictLongTable = make([]prevEntry, len(e.longTable))
+		} else {
+			clear(e.dictLongTable)
 		}
 		if len(d.content) >= 8 {
 			cv := load6432(d.content, 0)
@@ -538,8 +542,8 @@ func (e *bestFastEncoder) Reset(d *dict, singleBlock bool) {
 				off++
 			}
 		}
-		e.lastDictID = d.id
 	}
+	e.lastDict = d
 	// Reset table to initial state
 	copy(e.longTable[:], e.dictLongTable)
 
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_better.go b/vendor/github.com/klauspost/compress/zstd/enc_better.go
index 85dcd28c3..3305f0924 100644
--- a/vendor/github.com/klauspost/compress/zstd/enc_better.go
+++ b/vendor/github.com/klauspost/compress/zstd/enc_better.go
@@ -1102,10 +1102,13 @@ func (e *betterFastEncoderDict) Reset(d *dict, singleBlock bool) {
 	if d == nil {
 		return
 	}
+	dictChanged := d != e.lastDict
 	// Init or copy dict table
-	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+	if len(e.dictTable) != len(e.table) || dictChanged {
 		if len(e.dictTable) != len(e.table) {
 			e.dictTable = make([]tableEntry, len(e.table))
+		} else {
+			clear(e.dictTable)
 		}
 		end := int32(len(d.content)) - 8 + e.maxMatchOff
 		for i := e.maxMatchOff; i < end; i += 4 {
@@ -1133,14 +1136,15 @@ func (e *betterFastEncoderDict) Reset(d *dict, singleBlock bool) {
 				offset: i + 3,
 			}
 		}
-		e.lastDictID = d.id
 		e.allDirty = true
 	}
 
-	// Init or copy dict table
-	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+	// Init or copy dict long table
+	if len(e.dictLongTable) != len(e.longTable) || dictChanged {
 		if len(e.dictLongTable) != len(e.longTable) {
 			e.dictLongTable = make([]prevEntry, len(e.longTable))
+		} else {
+			clear(e.dictLongTable)
 		}
 		if len(d.content) >= 8 {
 			cv := load6432(d.content, 0)
@@ -1162,9 +1166,9 @@ func (e *betterFastEncoderDict) Reset(d *dict, singleBlock bool) {
 				off++
 			}
 		}
-		e.lastDictID = d.id
 		e.allDirty = true
 	}
+	e.lastDict = d
 
 	// Reset table to initial state
 	{
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_dfast.go b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go
index cf8cad00d..2fb6da112 100644
--- a/vendor/github.com/klauspost/compress/zstd/enc_dfast.go
+++ b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go
@@ -1040,15 +1040,18 @@ func (e *doubleFastEncoder) Reset(d *dict, singleBlock bool) {
 // ResetDict will reset and set a dictionary if not nil
 func (e *doubleFastEncoderDict) Reset(d *dict, singleBlock bool) {
 	allDirty := e.allDirty
+	dictChanged := d != e.lastDict
 	e.fastEncoderDict.Reset(d, singleBlock)
 	if d == nil {
 		return
 	}
 
 	// Init or copy dict table
-	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+	if len(e.dictLongTable) != len(e.longTable) || dictChanged {
 		if len(e.dictLongTable) != len(e.longTable) {
 			e.dictLongTable = make([]tableEntry, len(e.longTable))
+		} else {
+			clear(e.dictLongTable)
 		}
 		if len(d.content) >= 8 {
 			cv := load6432(d.content, 0)
@@ -1065,7 +1068,6 @@ func (e *doubleFastEncoderDict) Reset(d *dict, singleBlock bool) {
 				}
 			}
 		}
-		e.lastDictID = d.id
 		allDirty = true
 	}
 	// Reset table to initial state
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_fast.go b/vendor/github.com/klauspost/compress/zstd/enc_fast.go
index 9180a3a58..5e104f1a4 100644
--- a/vendor/github.com/klauspost/compress/zstd/enc_fast.go
+++ b/vendor/github.com/klauspost/compress/zstd/enc_fast.go
@@ -805,9 +805,11 @@ func (e *fastEncoderDict) Reset(d *dict, singleBlock bool) {
 	}
 
 	// Init or copy dict table
-	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+	if len(e.dictTable) != len(e.table) || d != e.lastDict {
 		if len(e.dictTable) != len(e.table) {
 			e.dictTable = make([]tableEntry, len(e.table))
+		} else {
+			clear(e.dictTable)
 		}
 		if true {
 			end := e.maxMatchOff + int32(len(d.content)) - 8
@@ -827,7 +829,7 @@ func (e *fastEncoderDict) Reset(d *dict, singleBlock bool) {
 				}
 			}
 		}
-		e.lastDictID = d.id
+		e.lastDict = d
 		e.allDirty = true
 	}
 
diff --git a/vendor/github.com/klauspost/compress/zstd/encoder.go b/vendor/github.com/klauspost/compress/zstd/encoder.go
index 19e730acc..0f2a00a00 100644
--- a/vendor/github.com/klauspost/compress/zstd/encoder.go
+++ b/vendor/github.com/klauspost/compress/zstd/encoder.go
@@ -138,11 +138,18 @@ func (e *Encoder) Reset(w io.Writer) {
 func (e *Encoder) ResetWithOptions(w io.Writer, opts ...EOption) error {
 	e.o.resetOpt = true
 	defer func() { e.o.resetOpt = false }()
+	hadDict := e.o.dict != nil
 	for _, o := range opts {
 		if err := o(&e.o); err != nil {
 			return err
 		}
 	}
+	hasDict := e.o.dict != nil
+	if hadDict != hasDict {
+		// Dict presence changed — encoder type must be recreated.
+		e.state.encoder = nil
+		e.init = sync.Once{}
+	}
 	e.Reset(w)
 	return nil
 }
@@ -448,6 +455,12 @@ func (e *Encoder) Close() error {
 	if s.encoder == nil {
 		return nil
 	}
+	if s.w == nil {
+		if len(s.filling) == 0 && !s.headerWritten && !s.eofWritten && s.nInput == 0 {
+			return nil
+		}
+		return errors.New("zstd: encoder has no writer")
+	}
 	err := e.nextBlock(true)
 	if err != nil {
 		if errors.Is(s.err, ErrEncoderClosed) {
diff --git a/vendor/github.com/klauspost/compress/zstd/encoder_options.go b/vendor/github.com/klauspost/compress/zstd/encoder_options.go
index 8e0f5cac7..e217be0a1 100644
--- a/vendor/github.com/klauspost/compress/zstd/encoder_options.go
+++ b/vendor/github.com/klauspost/compress/zstd/encoder_options.go
@@ -42,6 +42,7 @@ func (o *encoderOptions) setDefault() {
 		level:         SpeedDefault,
 		allLitEntropy: false,
 		lowMem:        false,
+		fullZero:      true,
 	}
 }
 
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go
index d04a829b0..b8c8607b5 100644
--- a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go
@@ -1,5 +1,4 @@
 //go:build amd64 && !appengine && !noasm && gc
-// +build amd64,!appengine,!noasm,gc
 
 package zstd
 
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go
index 8adfebb02..2138f8091 100644
--- a/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go
@@ -1,5 +1,4 @@
 //go:build !amd64 || appengine || !gc || noasm
-// +build !amd64 appengine !gc noasm
 
 package zstd
 
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go
index 0be16cefc..9576426e6 100644
--- a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go
@@ -1,5 +1,4 @@
 //go:build (!amd64 && !arm64) || appengine || !gc || purego || noasm
-// +build !amd64,!arm64 appengine !gc purego noasm
 
 package xxhash
 
diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go
index f41932b7a..1ed18927f 100644
--- a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go
+++ b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go
@@ -1,5 +1,4 @@
 //go:build amd64 && !appengine && !noasm && gc
-// +build amd64,!appengine,!noasm,gc
 
 // Copyright 2019+ Klaus Post. All rights reserved.
 // License information can be found in the LICENSE file.
diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go
index bea1779e9..379746c96 100644
--- a/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go
+++ b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go
@@ -1,5 +1,4 @@
 //go:build !amd64 || appengine || !gc || noasm
-// +build !amd64 appengine !gc noasm
 
 // Copyright 2019+ Klaus Post. All rights reserved.
 // License information can be found in the LICENSE file.
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go
index 1f8c3cec2..18c3703dd 100644
--- a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go
@@ -1,5 +1,4 @@
 //go:build amd64 && !appengine && !noasm && gc
-// +build amd64,!appengine,!noasm,gc
 
 package zstd
 
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go
index 7cec2197c..516cd9b07 100644
--- a/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go
@@ -1,5 +1,4 @@
 //go:build !amd64 || appengine || !gc || noasm
-// +build !amd64 appengine !gc noasm
 
 package zstd
 
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/container.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/container.go
index 9d9d3f693..002a1caad 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/container.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/container.go
@@ -52,41 +52,59 @@ import (
 //
 // ## Import
 //
+// !/bin/bash
+//
+// ```sh
+// $ pulumi import docker:index/container:Container foo id
+// ```
+//
 // ### Example
 //
 // # Assuming you created a `container` as follows
 //
+// ```sh
 // #!/bin/bash
-//
 // docker run --name foo -p8080:80 -d nginx
-//
-// prints the container ID
-//
+// # prints the container ID
 // 9a550c0f0163d39d77222d3efd58701b625d47676c25c686c95b5b92d1cba6fd
+// ```
 //
 // you provide the definition for the resource as follows
 //
-// terraform
-//
-// resource "docker_container" "foo" {
-//
-//	name  = "foo"
-//
-//	image = "nginx"
+// ```go
+// package main
 //
-//	ports {
+// import (
 //
-//	  internal = "80"
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
-//	  external = "8080"
+// )
 //
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewContainer(ctx, "foo", &docker.ContainerArgs{
+//				Name:  pulumi.String("foo"),
+//				Image: pulumi.String("nginx"),
+//				Ports: docker.ContainerPortArray{
+//					&docker.ContainerPortArgs{
+//						Internal: pulumi.Int(80),
+//						External: pulumi.Int(8080),
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
 //	}
 //
-// }
+// ```
 //
 // then the import command is as follows
 //
-// #!/bin/bash
+// !/bin/bash
 //
 // ```sh
 // $ pulumi import docker:index/container:Container foo 9a550c0f0163d39d77222d3efd58701b625d47676c25c686c95b5b92d1cba6fd
@@ -171,8 +189,9 @@ type Container struct {
 	// The total memory limit (memory + swap) for the container in MBs. This setting may compute to `-1` after `pulumi up` if the target host doesn't support memory swap, when that is the case docker will use a soft limitation.
 	MemorySwap pulumi.IntPtrOutput `pulumi:"memorySwap"`
 	// Specification for mounts to be added to containers created as part of the service.
-	Mounts  ContainerMountArrayOutput `pulumi:"mounts"`
-	MustRun pulumi.BoolPtrOutput      `pulumi:"mustRun"`
+	Mounts ContainerMountArrayOutput `pulumi:"mounts"`
+	// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
+	MustRun pulumi.BoolPtrOutput `pulumi:"mustRun"`
 	// The name of the container.
 	Name pulumi.StringOutput `pulumi:"name"`
 	// The data of the networks the container is connected to.
@@ -347,8 +366,9 @@ type containerState struct {
 	// The total memory limit (memory + swap) for the container in MBs. This setting may compute to `-1` after `pulumi up` if the target host doesn't support memory swap, when that is the case docker will use a soft limitation.
 	MemorySwap *int `pulumi:"memorySwap"`
 	// Specification for mounts to be added to containers created as part of the service.
-	Mounts  []ContainerMount `pulumi:"mounts"`
-	MustRun *bool            `pulumi:"mustRun"`
+	Mounts []ContainerMount `pulumi:"mounts"`
+	// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
+	MustRun *bool `pulumi:"mustRun"`
 	// The name of the container.
 	Name *string `pulumi:"name"`
 	// The data of the networks the container is connected to.
@@ -491,7 +511,8 @@ type ContainerState struct {
 	// The total memory limit (memory + swap) for the container in MBs. This setting may compute to `-1` after `pulumi up` if the target host doesn't support memory swap, when that is the case docker will use a soft limitation.
 	MemorySwap pulumi.IntPtrInput
 	// Specification for mounts to be added to containers created as part of the service.
-	Mounts  ContainerMountArrayInput
+	Mounts ContainerMountArrayInput
+	// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
 	MustRun pulumi.BoolPtrInput
 	// The name of the container.
 	Name pulumi.StringPtrInput
@@ -633,8 +654,9 @@ type containerArgs struct {
 	// The total memory limit (memory + swap) for the container in MBs. This setting may compute to `-1` after `pulumi up` if the target host doesn't support memory swap, when that is the case docker will use a soft limitation.
 	MemorySwap *int `pulumi:"memorySwap"`
 	// Specification for mounts to be added to containers created as part of the service.
-	Mounts  []ContainerMount `pulumi:"mounts"`
-	MustRun *bool            `pulumi:"mustRun"`
+	Mounts []ContainerMount `pulumi:"mounts"`
+	// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
+	MustRun *bool `pulumi:"mustRun"`
 	// The name of the container.
 	Name *string `pulumi:"name"`
 	// Network mode of the container. Defaults to `bridge`. If your host OS is any other OS, you need to set this value explicitly, e.g. `nat` when your container will be running on an Windows host. See https://docs.docker.com/engine/network/ for more information.
@@ -770,7 +792,8 @@ type ContainerArgs struct {
 	// The total memory limit (memory + swap) for the container in MBs. This setting may compute to `-1` after `pulumi up` if the target host doesn't support memory swap, when that is the case docker will use a soft limitation.
 	MemorySwap pulumi.IntPtrInput
 	// Specification for mounts to be added to containers created as part of the service.
-	Mounts  ContainerMountArrayInput
+	Mounts ContainerMountArrayInput
+	// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
 	MustRun pulumi.BoolPtrInput
 	// The name of the container.
 	Name pulumi.StringPtrInput
@@ -1116,6 +1139,7 @@ func (o ContainerOutput) Mounts() ContainerMountArrayOutput {
 	return o.ApplyT(func(v *Container) ContainerMountArrayOutput { return v.Mounts }).(ContainerMountArrayOutput)
 }
 
+// If `true`, then the Docker container will be kept running. If `false`, then as long as the container exists, Terraform assumes it is successful. Defaults to `true`.
 func (o ContainerOutput) MustRun() pulumi.BoolPtrOutput {
 	return o.ApplyT(func(v *Container) pulumi.BoolPtrOutput { return v.MustRun }).(pulumi.BoolPtrOutput)
 }
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/getRemoteImage.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/getRemoteImage.go
index 8e3bfb348..7e0e69af2 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/getRemoteImage.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/getRemoteImage.go
@@ -11,7 +11,7 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-// `RemoteImage` provides details about a specific Docker Image which needs to be present on the Docker Host
+// `RemoteImage` provides details about a specific Docker Image which need to be present on the Docker Host
 //
 // ## Example Usage
 //
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/image.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/image.go
index a1b247b66..6c4a7cb22 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/image.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/image.go
@@ -64,7 +64,7 @@ import (
 //				},
 //				ImageName: pulumi.String("username/image:tag1"),
 //				SkipPush:  pulumi.Bool(true),
-//			})
+//			}, pulumi.Version("v4.4.0"))
 //			if err != nil {
 //				return err
 //			}
@@ -93,7 +93,7 @@ import (
 //					Dockerfile: pulumi.String("Dockerfile"),
 //				},
 //				ImageName: pulumi.String("docker.io/username/push-image:tag1"),
-//			})
+//			}, pulumi.Version("v4.4.0"))
 //			if err != nil {
 //				return err
 //			}
@@ -156,7 +156,7 @@ import (
 //						return &authToken.UserName, nil
 //					}).(pulumi.StringPtrOutput),
 //				},
-//			})
+//			}, pulumi.Version("v4.1.2"))
 //			if err != nil {
 //				return err
 //			}
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/internal/pulumiUtilities.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/internal/pulumiUtilities.go
index 447e4f4ba..e2e42d317 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/internal/pulumiUtilities.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/internal/pulumiUtilities.go
@@ -165,7 +165,7 @@ func callPlainInner(
 func PkgResourceDefaultOpts(opts []pulumi.ResourceOption) []pulumi.ResourceOption {
 	defaults := []pulumi.ResourceOption{}
 
-	version := semver.MustParse("4.11.0")
+	version := semver.MustParse("4.11.1")
 	if !version.Equals(semver.Version{}) {
 		defaults = append(defaults, pulumi.Version(version.String()))
 	}
@@ -176,7 +176,7 @@ func PkgResourceDefaultOpts(opts []pulumi.ResourceOption) []pulumi.ResourceOptio
 func PkgInvokeDefaultOpts(opts []pulumi.InvokeOption) []pulumi.InvokeOption {
 	defaults := []pulumi.InvokeOption{}
 
-	version := semver.MustParse("4.11.0")
+	version := semver.MustParse("4.11.1")
 	if !version.Equals(semver.Version{}) {
 		defaults = append(defaults, pulumi.Version(version.String()))
 	}
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/network.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/network.go
index 8977c7f1b..2eb4a58c0 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/network.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/network.go
@@ -42,31 +42,52 @@ import (
 //
 // ## Import
 //
+// !/bin/bash
+//
+// ```sh
+// $ pulumi import docker:index/network:Network foo id
+// ```
+//
 // ### Example
 //
 // # Assuming you created a `network` as follows
 //
+// ```sh
 // #!/bin/bash
-//
 // docker network create foo
-//
-// prints the long ID
-//
+// # prints the long ID
 // 87b57a9b91ecab2db2a6dbf38df74c67d7c7108cbe479d6576574ec2cd8c2d73
+// ```
 //
 // you provide the definition for the resource as follows
 //
-// terraform
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
-// resource "docker_network" "foo" {
+// )
 //
-//	name = "foo"
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewNetwork(ctx, "foo", &docker.NetworkArgs{
+//				Name: pulumi.String("foo"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
 //
-// }
+// ```
 //
 // then the import command is as follows
 //
-// #!/bin/bash
+// !/bin/bash
 //
 // ```sh
 // $ pulumi import docker:index/network:Network foo 87b57a9b91ecab2db2a6dbf38df74c67d7c7108cbe479d6576574ec2cd8c2d73
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/plugin.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/plugin.go
index 2a916acfb..af4954c45 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/plugin.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/plugin.go
@@ -16,10 +16,9 @@ import (
 //
 // ## Import
 //
-// #!/bin/bash
-//
 // ```sh
-// $ pulumi import docker:index/plugin:Plugin sample-volume-plugin "$(docker plugin inspect -f {{.ID}} tiborvass/sample-volume-plugin:latest)"
+// #!/bin/bash
+// terraform import docker_plugin.sample-volume-plugin "$(docker plugin inspect -f {{.ID}} tiborvass/sample-volume-plugin:latest)"
 // ```
 type Plugin struct {
 	pulumi.CustomResourceState
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumi-plugin.json b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumi-plugin.json
index 0129791c0..0b3caa47d 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumi-plugin.json
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumi-plugin.json
@@ -1,5 +1,5 @@
 {
   "resource": true,
   "name": "docker",
-  "version": "4.11.0"
+  "version": "4.11.1"
 }
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumiTypes.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumiTypes.go
index f37e31400..049723668 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumiTypes.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/pulumiTypes.go
@@ -4151,8 +4151,9 @@ func (o PluginGrantPermissionArrayOutput) Index(i pulumi.IntInput) PluginGrantPe
 
 type ProviderRegistryAuth struct {
 	// Address of the registry
-	Address      string `pulumi:"address"`
-	AuthDisabled *bool  `pulumi:"authDisabled"`
+	Address string `pulumi:"address"`
+	// Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
+	AuthDisabled *bool `pulumi:"authDisabled"`
 	// Path to docker json file for registry auth. Defaults to `~/.docker/config.json`. If `DOCKER_CONFIG` is set, the value of `DOCKER_CONFIG` is used as the path. `configFile` has predencen over all other options.
 	ConfigFile *string `pulumi:"configFile"`
 	// Plain content of the docker json file for registry auth. `configFileContent` has precedence over username/password.
@@ -4176,7 +4177,8 @@ type ProviderRegistryAuthInput interface {
 
 type ProviderRegistryAuthArgs struct {
 	// Address of the registry
-	Address      pulumi.StringInput  `pulumi:"address"`
+	Address pulumi.StringInput `pulumi:"address"`
+	// Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
 	AuthDisabled pulumi.BoolPtrInput `pulumi:"authDisabled"`
 	// Path to docker json file for registry auth. Defaults to `~/.docker/config.json`. If `DOCKER_CONFIG` is set, the value of `DOCKER_CONFIG` is used as the path. `configFile` has predencen over all other options.
 	ConfigFile pulumi.StringPtrInput `pulumi:"configFile"`
@@ -4244,6 +4246,7 @@ func (o ProviderRegistryAuthOutput) Address() pulumi.StringOutput {
 	return o.ApplyT(func(v ProviderRegistryAuth) string { return v.Address }).(pulumi.StringOutput)
 }
 
+// Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
 func (o ProviderRegistryAuthOutput) AuthDisabled() pulumi.BoolPtrOutput {
 	return o.ApplyT(func(v ProviderRegistryAuth) *bool { return v.AuthDisabled }).(pulumi.BoolPtrOutput)
 }
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/registryImage.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/registryImage.go
index 05be8086d..96ab77176 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/registryImage.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/registryImage.go
@@ -23,7 +23,6 @@ import (
 //
 // import (
 //
-//	"fmt"
 //	"os"
 //
 //	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
@@ -64,7 +63,8 @@ type RegistryImage struct {
 
 	// Authentication configuration for the Docker registry. It is only used for this resource.
 	AuthConfig RegistryImageAuthConfigPtrOutput `pulumi:"authConfig"`
-	Build      RegistryImageBuildPtrOutput      `pulumi:"build"`
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
+	Build RegistryImageBuildPtrOutput `pulumi:"build"`
 	// If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
 	InsecureSkipVerify pulumi.BoolPtrOutput `pulumi:"insecureSkipVerify"`
 	// If true, then the Docker image won't be deleted on destroy operation. If this is false, it will delete the image from the docker registry on destroy operation. Defaults to `false`
@@ -109,7 +109,8 @@ func GetRegistryImage(ctx *pulumi.Context,
 type registryImageState struct {
 	// Authentication configuration for the Docker registry. It is only used for this resource.
 	AuthConfig *RegistryImageAuthConfig `pulumi:"authConfig"`
-	Build      *RegistryImageBuild      `pulumi:"build"`
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
+	Build *RegistryImageBuild `pulumi:"build"`
 	// If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
 	InsecureSkipVerify *bool `pulumi:"insecureSkipVerify"`
 	// If true, then the Docker image won't be deleted on destroy operation. If this is false, it will delete the image from the docker registry on destroy operation. Defaults to `false`
@@ -125,7 +126,8 @@ type registryImageState struct {
 type RegistryImageState struct {
 	// Authentication configuration for the Docker registry. It is only used for this resource.
 	AuthConfig RegistryImageAuthConfigPtrInput
-	Build      RegistryImageBuildPtrInput
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
+	Build RegistryImageBuildPtrInput
 	// If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
 	InsecureSkipVerify pulumi.BoolPtrInput
 	// If true, then the Docker image won't be deleted on destroy operation. If this is false, it will delete the image from the docker registry on destroy operation. Defaults to `false`
@@ -145,7 +147,8 @@ func (RegistryImageState) ElementType() reflect.Type {
 type registryImageArgs struct {
 	// Authentication configuration for the Docker registry. It is only used for this resource.
 	AuthConfig *RegistryImageAuthConfig `pulumi:"authConfig"`
-	Build      *RegistryImageBuild      `pulumi:"build"`
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
+	Build *RegistryImageBuild `pulumi:"build"`
 	// If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
 	InsecureSkipVerify *bool `pulumi:"insecureSkipVerify"`
 	// If true, then the Docker image won't be deleted on destroy operation. If this is false, it will delete the image from the docker registry on destroy operation. Defaults to `false`
@@ -160,7 +163,8 @@ type registryImageArgs struct {
 type RegistryImageArgs struct {
 	// Authentication configuration for the Docker registry. It is only used for this resource.
 	AuthConfig RegistryImageAuthConfigPtrInput
-	Build      RegistryImageBuildPtrInput
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
+	Build RegistryImageBuildPtrInput
 	// If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
 	InsecureSkipVerify pulumi.BoolPtrInput
 	// If true, then the Docker image won't be deleted on destroy operation. If this is false, it will delete the image from the docker registry on destroy operation. Defaults to `false`
@@ -263,6 +267,7 @@ func (o RegistryImageOutput) AuthConfig() RegistryImageAuthConfigPtrOutput {
 	return o.ApplyT(func(v *RegistryImage) RegistryImageAuthConfigPtrOutput { return v.AuthConfig }).(RegistryImageAuthConfigPtrOutput)
 }
 
+// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 func (o RegistryImageOutput) Build() RegistryImageBuildPtrOutput {
 	return o.ApplyT(func(v *RegistryImage) RegistryImageBuildPtrOutput { return v.Build }).(RegistryImageBuildPtrOutput)
 }
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/remoteImage.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/remoteImage.go
index 1a70e6aab..5863c951e 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/remoteImage.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/remoteImage.go
@@ -12,9 +12,131 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
+// <!-- Bug: Type and Name are switched -->
+// Manages the lifecycle of a docker image in your docker host. It can be used to build a new docker image or to pull an existing one from a registry.
+//
+//	This resource will *not* pull new layers of the image automatically unless used in conjunction with RegistryImage data source to update the `pullTriggers` field.
+//
+// ## Example Usage
+//
+// ### Basic
+//
+// Finds and downloads the latest `ubuntu:precise` image but does not check
+// for further updates of the image
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewRemoteImage(ctx, "ubuntu", &docker.RemoteImageArgs{
+//				Name: pulumi.String("ubuntu:precise"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
+// ### Dynamic updates
+//
+// To be able to update an image dynamically when the `sha256` sum changes,
+// you need to use it in combination with `RegistryImage` as follows:
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			ubuntu, err := docker.LookupRegistryImage(ctx, &docker.LookupRegistryImageArgs{
+//				Name: "ubuntu:precise",
+//			}, nil)
+//			if err != nil {
+//				return err
+//			}
+//			_, err = docker.NewRemoteImage(ctx, "ubuntu", &docker.RemoteImageArgs{
+//				Name: pulumi.String(ubuntu.Name),
+//				PullTriggers: pulumi.StringArray{
+//					pulumi.String(ubuntu.Sha256Digest),
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
+// ### Build
+//
+// You can also use the resource to build an image. If you want to use a buildx builder with all of its features, please read the section below.
+//
+// > **Note**: The default timeout for the building is 20 minutes. If you need to increase this, you can use operation timeouts.
+//
+// In this case the image "zoo" and "zoo:develop" are built.
+// The `context` and `dockerfile` arguments are relative to the local Terraform process (`path.cwd`).
+// There is no need to copy the files to remote hosts before creating the resource.
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewRemoteImage(ctx, "zoo", &docker.RemoteImageArgs{
+//				Name: pulumi.String("zoo"),
+//				Build: &docker.RemoteImageBuildArgs{
+//					Context: pulumi.String("."),
+//					Tags: pulumi.StringArray{
+//						pulumi.String("zoo:develop"),
+//					},
+//					BuildArgs: pulumi.StringMap{
+//						"foo": pulumi.String("zoo"),
+//					},
+//					Label: pulumi.StringMap{
+//						"author": pulumi.String("zoo"),
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
+// You can use the `triggers` argument to specify when the image should be rebuild. This is for example helpful when you want to rebuild the docker image whenever the source code changes.
 type RemoteImage struct {
 	pulumi.CustomResourceState
 
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 	Build RemoteImageBuildPtrOutput `pulumi:"build"`
 	// If true, then the image is removed forcibly when the resource is destroyed.
 	ForceRemove pulumi.BoolPtrOutput `pulumi:"forceRemove"`
@@ -67,6 +189,7 @@ func GetRemoteImage(ctx *pulumi.Context,
 
 // Input properties used for looking up and filtering RemoteImage resources.
 type remoteImageState struct {
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 	Build *RemoteImageBuild `pulumi:"build"`
 	// If true, then the image is removed forcibly when the resource is destroyed.
 	ForceRemove *bool `pulumi:"forceRemove"`
@@ -87,6 +210,7 @@ type remoteImageState struct {
 }
 
 type RemoteImageState struct {
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 	Build RemoteImageBuildPtrInput
 	// If true, then the image is removed forcibly when the resource is destroyed.
 	ForceRemove pulumi.BoolPtrInput
@@ -111,6 +235,7 @@ func (RemoteImageState) ElementType() reflect.Type {
 }
 
 type remoteImageArgs struct {
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 	Build *RemoteImageBuild `pulumi:"build"`
 	// If true, then the image is removed forcibly when the resource is destroyed.
 	ForceRemove *bool `pulumi:"forceRemove"`
@@ -128,6 +253,7 @@ type remoteImageArgs struct {
 
 // The set of arguments for constructing a RemoteImage resource.
 type RemoteImageArgs struct {
+	// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 	Build RemoteImageBuildPtrInput
 	// If true, then the image is removed forcibly when the resource is destroyed.
 	ForceRemove pulumi.BoolPtrInput
@@ -230,6 +356,7 @@ func (o RemoteImageOutput) ToRemoteImageOutputWithContext(ctx context.Context) R
 	return o
 }
 
+// Configuration to build an image. Requires the `Use containerd for pulling and storing images` option to be disabled in the Docker Host(https://github.com/kreuzwerker/terraform-provider-docker/issues/534). Please see [docker build command reference](https://docs.docker.com/engine/reference/commandline/build/#options) too.
 func (o RemoteImageOutput) Build() RemoteImageBuildPtrOutput {
 	return o.ApplyT(func(v *RemoteImage) RemoteImageBuildPtrOutput { return v.Build }).(RemoteImageBuildPtrOutput)
 }
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/secret.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/secret.go
index c34353475..85848956f 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/secret.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/secret.go
@@ -12,11 +12,52 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
+// <!-- Bug: Type and Name are switched -->
+// Manages the secrets of a Docker service in a swarm.
+//
+// ## Example Usage
+//
+// ### Basic
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi-std/sdk/go/std"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			invokeBase64encode, err := std.Base64encode(ctx, map[string]interface{}{
+//				"input": "{\"foo\": \"s3cr3t\"}",
+//			}, nil)
+//			if err != nil {
+//				return err
+//			}
+//			_, err = docker.NewSecret(ctx, "foo", &docker.SecretArgs{
+//				Name: pulumi.String("foo"),
+//				Data: invokeBase64encode.Result,
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
 // ## Import
 //
+// ```sh
 // #!/bin/bash
 //
-// Docker secret cannot be imported as the secret data, once set, is never exposed again.
+// # Docker secret cannot be imported as the secret data, once set, is never exposed again.
+// ```
 type Secret struct {
 	pulumi.CustomResourceState
 
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/service.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/service.go
index bdcaaaecf..e70ae469a 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/service.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/service.go
@@ -12,55 +12,425 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-// ## Import
+// <!-- Bug: Type and Name are switched -->
+// This resource manages the lifecycle of a Docker service. By default, the creation, update and delete of services are detached.
 //
-// ### Example
+//	With the Converge Config the behavior of the `docker cli` is imitated to guarantee tha for example, all tasks of a service are running or successfully updated or to inform `terraform` that a service could no be updated and was successfully rolled back.
 //
-// # Assuming you created a `service` as follows
+// ## Example Usage
 //
-// #!/bin/bash
+// ### Basic
 //
-// docker service create --name foo -p 8080:80 nginx
+// # The following configuration starts a Docker Service with
 //
-// prints th ID
+// - the given image,
+// - 1 replica
+// - exposes the port `8080` in `vip` mode to the host machine
+// - moreover, uses the `container` runtime
 //
-// 4pcphbxkfn2rffhbhe6czytgi
+// ```go
+// package main
 //
-// you provide the definition for the resource as follows
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewService(ctx, "foo", &docker.ServiceArgs{
+//				Name: pulumi.String("foo-service"),
+//				TaskSpec: &docker.ServiceTaskSpecArgs{
+//					ContainerSpec: &docker.ServiceTaskSpecContainerSpecArgs{
+//						Image: pulumi.String("repo.mycompany.com:8080/foo-service:v1"),
+//					},
+//				},
+//				EndpointSpec: &docker.ServiceEndpointSpecArgs{
+//					Ports: docker.ServiceEndpointSpecPortArray{
+//						&docker.ServiceEndpointSpecPortArgs{
+//							TargetPort: pulumi.Int(8080),
+//						},
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
 //
-// terraform
+// ```
+//
+// The following command is the equivalent:
 //
-// resource "docker_service" "foo" {
+// ### Basic with Datasource
 //
-//	name = "foo"
+// Alternatively, if the image is already present on the Docker Host and not managed
+// by `terraform`, you can also use the `RemoteImage` datasource:
 //
-//	task_spec {
+// ```go
+// package main
 //
-//	  container_spec {
+// import (
 //
-//	    image = "nginx"
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
-//	  }
+// )
 //
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			foo, err := docker.LookupRemoteImage(ctx, &docker.LookupRemoteImageArgs{
+//				Name: "repo.mycompany.com:8080/foo-service:v1",
+//			}, nil)
+//			if err != nil {
+//				return err
+//			}
+//			_, err = docker.NewService(ctx, "foo", &docker.ServiceArgs{
+//				Name: pulumi.String("foo-service"),
+//				TaskSpec: &docker.ServiceTaskSpecArgs{
+//					ContainerSpec: &docker.ServiceTaskSpecContainerSpecArgs{
+//						Image: pulumi.String(foo.RepoDigest),
+//					},
+//				},
+//				EndpointSpec: &docker.ServiceEndpointSpecArgs{
+//					Ports: docker.ServiceEndpointSpecPortArray{
+//						&docker.ServiceEndpointSpecPortArgs{
+//							TargetPort: pulumi.Int(8080),
+//						},
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
 //	}
 //
-//	endpoint_spec {
+// ```
+//
+// ### Advanced
+//
+// The following configuration shows the full capabilities of a Docker Service,
+// with a `volume`, `config`, `secret` and `network`
 //
-//	  ports {
+// ```go
+// package main
 //
-//	    target_port    = "80"
+// import (
 //
-//	    published_port = "8080"
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
-//	  }
+// )
 //
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			testVolume, err := docker.NewVolume(ctx, "test_volume", &docker.VolumeArgs{
+//				Name: pulumi.String("tftest-volume"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			testVolume2, err := docker.NewVolume(ctx, "test_volume_2", &docker.VolumeArgs{
+//				Name: pulumi.String("tftest-volume2"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			serviceConfig, err := docker.NewServiceConfig(ctx, "service_config", &docker.ServiceConfigArgs{
+//				Name: pulumi.String("tftest-full-myconfig"),
+//				Data: pulumi.String("ewogICJwcmVmaXgiOiAiMTIzIgp9"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			serviceSecret, err := docker.NewSecret(ctx, "service_secret", &docker.SecretArgs{
+//				Name: pulumi.String("tftest-mysecret"),
+//				Data: pulumi.String("ewogICJrZXkiOiAiUVdFUlRZIgp9"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			testNetwork, err := docker.NewNetwork(ctx, "test_network", &docker.NetworkArgs{
+//				Name:   pulumi.String("tftest-network"),
+//				Driver: pulumi.String("overlay"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			_, err = docker.NewService(ctx, "foo", &docker.ServiceArgs{
+//				Name: pulumi.String("tftest-service-basic"),
+//				TaskSpec: &docker.ServiceTaskSpecArgs{
+//					ContainerSpec: &docker.ServiceTaskSpecContainerSpecArgs{
+//						Configs: docker.ServiceTaskSpecContainerSpecConfigArray{
+//							&docker.ServiceTaskSpecContainerSpecConfigArgs{
+//								ConfigId:   serviceConfig.ID(),
+//								ConfigName: serviceConfig.Name,
+//								FileName:   pulumi.String("/configs.json"),
+//							},
+//							&docker.ServiceTaskSpecContainerSpecConfigArgs{},
+//						},
+//						Secrets: docker.ServiceTaskSpecContainerSpecSecretArray{
+//							&docker.ServiceTaskSpecContainerSpecSecretArgs{
+//								SecretId:   serviceSecret.ID(),
+//								SecretName: serviceSecret.Name,
+//								FileName:   pulumi.String("/secrets.json"),
+//								FileUid:    pulumi.String("0"),
+//								FileGid:    pulumi.String("0"),
+//								FileMode:   pulumi.Int(777),
+//							},
+//							&docker.ServiceTaskSpecContainerSpecSecretArgs{},
+//						},
+//						Image: pulumi.String("repo.mycompany.com:8080/foo-service:v1"),
+//						Labels: docker.ServiceTaskSpecContainerSpecLabelArray{
+//							&docker.ServiceTaskSpecContainerSpecLabelArgs{
+//								Label: pulumi.String("foo.bar"),
+//								Value: pulumi.String("baz"),
+//							},
+//						},
+//						Commands: pulumi.StringArray{
+//							pulumi.String("ls"),
+//						},
+//						Args: pulumi.StringArray{
+//							pulumi.String("-las"),
+//						},
+//						Hostname: pulumi.String("my-fancy-service"),
+//						Env: pulumi.StringMap{
+//							"MYFOO": pulumi.String("BAR"),
+//						},
+//						Dir:  pulumi.String("/root"),
+//						User: pulumi.String("root"),
+//						Groups: pulumi.StringArray{
+//							pulumi.String("docker"),
+//							pulumi.String("foogroup"),
+//						},
+//						Privileges: &docker.ServiceTaskSpecContainerSpecPrivilegesArgs{
+//							SeLinuxContext: &docker.ServiceTaskSpecContainerSpecPrivilegesSeLinuxContextArgs{
+//								Disable: pulumi.Bool(true),
+//								User:    pulumi.String("user-label"),
+//								Role:    pulumi.String("role-label"),
+//								Type:    pulumi.String("type-label"),
+//								Level:   pulumi.String("level-label"),
+//							},
+//						},
+//						ReadOnly: pulumi.Bool(true),
+//						Mounts: docker.ServiceTaskSpecContainerSpecMountArray{
+//							&docker.ServiceTaskSpecContainerSpecMountArgs{
+//								Target:   pulumi.String("/mount/test"),
+//								Source:   testVolume.Name,
+//								Type:     pulumi.String("bind"),
+//								ReadOnly: pulumi.Bool(true),
+//								BindOptions: &docker.ServiceTaskSpecContainerSpecMountBindOptionsArgs{
+//									Propagation: pulumi.String("rprivate"),
+//								},
+//							},
+//							&docker.ServiceTaskSpecContainerSpecMountArgs{
+//								Target:   pulumi.String("/mount/test2"),
+//								Source:   testVolume2.Name,
+//								Type:     pulumi.String("volume"),
+//								ReadOnly: pulumi.Bool(true),
+//								VolumeOptions: &docker.ServiceTaskSpecContainerSpecMountVolumeOptionsArgs{
+//									NoCopy: pulumi.Bool(true),
+//									Labels: docker.ServiceTaskSpecContainerSpecMountVolumeOptionsLabelArray{
+//										&docker.ServiceTaskSpecContainerSpecMountVolumeOptionsLabelArgs{
+//											Label: pulumi.String("foo"),
+//											Value: pulumi.String("bar"),
+//										},
+//									},
+//									DriverName: pulumi.String("random-driver"),
+//									DriverOptions: pulumi.StringMap{
+//										"op1": pulumi.String("val1"),
+//									},
+//								},
+//							},
+//						},
+//						StopSignal:      pulumi.String("SIGTERM"),
+//						StopGracePeriod: pulumi.String("10s"),
+//						Healthcheck: &docker.ServiceTaskSpecContainerSpecHealthcheckArgs{
+//							Tests: pulumi.StringArray{
+//								pulumi.String("CMD"),
+//								pulumi.String("curl"),
+//								pulumi.String("-f"),
+//								pulumi.String("http://localhost:8080/health"),
+//							},
+//							Interval: pulumi.String("5s"),
+//							Timeout:  pulumi.String("2s"),
+//							Retries:  pulumi.Int(4),
+//						},
+//						Hosts: docker.ServiceTaskSpecContainerSpecHostArray{
+//							&docker.ServiceTaskSpecContainerSpecHostArgs{
+//								Host: pulumi.String("testhost"),
+//								Ip:   pulumi.String("10.0.1.0"),
+//							},
+//						},
+//						DnsConfig: &docker.ServiceTaskSpecContainerSpecDnsConfigArgs{
+//							Nameservers: pulumi.StringArray{
+//								pulumi.String("8.8.8.8"),
+//							},
+//							Searches: pulumi.StringArray{
+//								pulumi.String("example.org"),
+//							},
+//							Options: pulumi.StringArray{
+//								pulumi.String("timeout:3"),
+//							},
+//						},
+//					},
+//					Resources: &docker.ServiceTaskSpecResourcesArgs{
+//						Limits: &docker.ServiceTaskSpecResourcesLimitsArgs{
+//							NanoCpus:    pulumi.Int(1000000),
+//							MemoryBytes: pulumi.Int(536870912),
+//						},
+//						Reservation: &docker.ServiceTaskSpecResourcesReservationArgs{
+//							NanoCpus:    pulumi.Int(1000000),
+//							MemoryBytes: pulumi.Int(536870912),
+//							GenericResources: &docker.ServiceTaskSpecResourcesReservationGenericResourcesArgs{
+//								NamedResourcesSpecs: pulumi.StringArray{
+//									pulumi.String("GPU=UUID1"),
+//								},
+//								DiscreteResourcesSpecs: pulumi.StringArray{
+//									pulumi.String("SSD=3"),
+//								},
+//							},
+//						},
+//					},
+//					RestartPolicy: map[string]interface{}{
+//						"condition":   "on-failure",
+//						"delay":       "3s",
+//						"maxAttempts": 4,
+//						"window":      "10s",
+//					}[0],
+//					Placement: &docker.ServiceTaskSpecPlacementArgs{
+//						Constraints: pulumi.StringArray{
+//							pulumi.String("node.role==manager"),
+//						},
+//						Prefs: pulumi.StringArray{
+//							pulumi.String("spread=node.role.manager"),
+//						},
+//						MaxReplicas: pulumi.Int(1),
+//					},
+//					ForceUpdate: pulumi.Int(0),
+//					Runtime:     pulumi.String("container"),
+//					Networks: pulumi.StringArray{
+//						testNetwork.ID(),
+//					},
+//					LogDriver: &docker.ServiceTaskSpecLogDriverArgs{
+//						Name: pulumi.String("json-file"),
+//						Options: pulumi.StringMap{
+//							"max-size": pulumi.String("10m"),
+//							"max-file": pulumi.String("3"),
+//						},
+//					},
+//				},
+//				Mode: &docker.ServiceModeArgs{
+//					Replicated: &docker.ServiceModeReplicatedArgs{
+//						Replicas: pulumi.Int(2),
+//					},
+//				},
+//				UpdateConfig: &docker.ServiceUpdateConfigArgs{
+//					Parallelism:     pulumi.Int(2),
+//					Delay:           pulumi.String("10s"),
+//					FailureAction:   pulumi.String("pause"),
+//					Monitor:         pulumi.String("5s"),
+//					MaxFailureRatio: pulumi.String("0.1"),
+//					Order:           pulumi.String("start-first"),
+//				},
+//				RollbackConfig: &docker.ServiceRollbackConfigArgs{
+//					Parallelism:     pulumi.Int(2),
+//					Delay:           pulumi.String("5ms"),
+//					FailureAction:   pulumi.String("pause"),
+//					Monitor:         pulumi.String("10h"),
+//					MaxFailureRatio: pulumi.String("0.9"),
+//					Order:           pulumi.String("stop-first"),
+//				},
+//				EndpointSpec: &docker.ServiceEndpointSpecArgs{
+//					Ports: docker.ServiceEndpointSpecPortArray{
+//						&docker.ServiceEndpointSpecPortArgs{
+//							Name:          pulumi.String("random"),
+//							Protocol:      pulumi.String("tcp"),
+//							TargetPort:    pulumi.Int(8080),
+//							PublishedPort: pulumi.Int(8080),
+//							PublishMode:   pulumi.String("ingress"),
+//						},
+//						&docker.ServiceEndpointSpecPortArgs{},
+//					},
+//					Mode: pulumi.String("vip"),
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
 //	}
 //
-// }
+// ```
 //
-// then the import command is as follows
+// ## Import
+//
+// !/bin/bash
+//
+// ```sh
+// $ pulumi import docker:index/service:Service foo id
+// ```
+//
+// ### Example
 //
+// # Assuming you created a `service` as follows
+//
+// ```sh
 // #!/bin/bash
+// docker service create --name foo -p 8080:80 nginx
+// # prints th ID
+// 4pcphbxkfn2rffhbhe6czytgi
+// ```
+//
+// you provide the definition for the resource as follows
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewService(ctx, "foo", &docker.ServiceArgs{
+//				Name: pulumi.String("foo"),
+//				TaskSpec: &docker.ServiceTaskSpecArgs{
+//					ContainerSpec: &docker.ServiceTaskSpecContainerSpecArgs{
+//						Image: pulumi.String("nginx"),
+//					},
+//				},
+//				EndpointSpec: &docker.ServiceEndpointSpecArgs{
+//					Ports: docker.ServiceEndpointSpecPortArray{
+//						&docker.ServiceEndpointSpecPortArgs{
+//							TargetPort:    pulumi.Int(80),
+//							PublishedPort: pulumi.Int(8080),
+//						},
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
+// then the import command is as follows
+//
+// !/bin/bash
 //
 // ```sh
 // $ pulumi import docker:index/service:Service foo 4pcphbxkfn2rffhbhe6czytgi
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/serviceConfig.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/serviceConfig.go
index 5d33274a9..91059d26b 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/serviceConfig.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/serviceConfig.go
@@ -12,35 +12,57 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-// ## Import
+// <!-- Bug: Type and Name are switched -->
+// Manages the configs of a Docker service in a swarm.
 //
-// ### Example
+// ## Example Usage
 //
-// # Assuming you created a `config` as follows
+// ### Basic
 //
-// #!/bin/bash
+// ### Advanced
+// ### Dynamically set config with a template
+// In this example you can use the `${var.foo_port}` variable to dynamically
+// set the `${port}` variable in the `foo.configs.json.tpl` template and create
+// the data of the `fooConfig` with the help of the `base64encode` interpolation
+// function.
 //
-// printf '{"a":"b"}' | docker config create foo -
+// The file `foo.config.json.tpl` has the following content:
 //
-// prints the id
+// and the resource uses it as follows:
 //
-// 08c26c477474478d971139f750984775a7f019dbe8a2e7f09d66a187c009e66d
+// ### Update config with no downtime
+// To update a `config`, Terraform will destroy the existing resource and create a replacement.
+// To effectively use a `ServiceConfig` resource with a `Service` resource, it's recommended
 //
-// you provide the definition for the resource as follows
+//	to specify `createBeforeDestroy` in a `lifecycle` block. Provide a unique `name` attribute,
+//
+// for example with one of the interpolation functions `uuid` or `timestamp` as shown
+// in the example below. The reason is this [issue](https://github.com/moby/moby/issues/35803).
+//
+// ## Import
+//
+// !/bin/bash
 //
-// terraform
+// ```sh
+// $ pulumi import docker:index/serviceConfig:ServiceConfig foo id
+// ```
 //
-// resource "docker_config" "foo" {
+// ### Example
 //
-//	name = "foo"
+// # Assuming you created a `config` as follows
 //
-//	data = base64encode("{\"a\": \"b\"}")
+// ```sh
+// #!/bin/bash
+// printf '{"a":"b"}' | docker config create foo -
+// # prints the id
+// 08c26c477474478d971139f750984775a7f019dbe8a2e7f09d66a187c009e66d
+// ```
 //
-// }
+// you provide the definition for the resource as follows
 //
 // then the import command is as follows
 //
-// #!/bin/bash
+// !/bin/bash
 //
 // ```sh
 // $ pulumi import docker:index/serviceConfig:ServiceConfig foo 08c26c477474478d971139f750984775a7f019dbe8a2e7f09d66a187c009e66d
diff --git a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/volume.go b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/volume.go
index f4a51e59f..4ebb39dc1 100644
--- a/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/volume.go
+++ b/vendor/github.com/pulumi/pulumi-docker/sdk/v4/go/docker/volume.go
@@ -42,31 +42,52 @@ import (
 //
 // ## Import
 //
+// !/bin/bash
+//
+// ```sh
+// $ pulumi import docker:index/volume:Volume foo id
+// ```
+//
 // ### Example
 //
 // # Assuming you created a `volume` as follows
 //
+// ```sh
 // #!/bin/bash
-//
 // docker volume create
-//
-// prints the long ID
-//
+// # prints the long ID
 // 524b0457aa2a87dd2b75c74c3e4e53f406974249e63ab3ed9bf21e5644f9dc7d
+// ```
 //
 // you provide the definition for the resource as follows
 //
-// terraform
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-docker/sdk/v4/go/docker"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
-// resource "docker_volume" "foo" {
+// )
 //
-//	name = "524b0457aa2a87dd2b75c74c3e4e53f406974249e63ab3ed9bf21e5644f9dc7d"
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			_, err := docker.NewVolume(ctx, "foo", &docker.VolumeArgs{
+//				Name: pulumi.String("524b0457aa2a87dd2b75c74c3e4e53f406974249e63ab3ed9bf21e5644f9dc7d"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
 //
-// }
+// ```
 //
 // then the import command is as follows
 //
-// #!/bin/bash
+// !/bin/bash
 //
 // ```sh
 // $ pulumi import docker:index/volume:Volume foo 524b0457aa2a87dd2b75c74c3e4e53f406974249e63ab3ed9bf21e5644f9dc7d
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b3555eb07..434a2a699 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -86,7 +86,7 @@ github.com/Microsoft/go-winio/internal/fs
 github.com/Microsoft/go-winio/internal/socket
 github.com/Microsoft/go-winio/internal/stringbuffer
 github.com/Microsoft/go-winio/pkg/guid
-# github.com/ProtonMail/go-crypto v1.4.0
+# github.com/ProtonMail/go-crypto v1.4.1
 ## explicit; go 1.23.0
 github.com/ProtonMail/go-crypto/bitcurves
 github.com/ProtonMail/go-crypto/brainpool
@@ -128,7 +128,7 @@ github.com/aws/amazon-ec2-instance-selector/v3/pkg/instancetypes
 github.com/aws/amazon-ec2-instance-selector/v3/pkg/selector
 github.com/aws/amazon-ec2-instance-selector/v3/pkg/selector/outputs
 github.com/aws/amazon-ec2-instance-selector/v3/pkg/sorter
-# github.com/aws/aws-sdk-go-v2 v1.41.3
+# github.com/aws/aws-sdk-go-v2 v1.41.4
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/arn
@@ -156,14 +156,14 @@ github.com/aws/aws-sdk-go-v2/internal/shareddefaults
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6
+# github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/eventstreamapi
-# github.com/aws/aws-sdk-go-v2/config v1.32.11
+# github.com/aws/aws-sdk-go-v2/config v1.32.12
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/config
-# github.com/aws/aws-sdk-go-v2/credentials v1.19.11
+# github.com/aws/aws-sdk-go-v2/credentials v1.19.12
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/credentials
 github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
@@ -173,20 +173,20 @@ github.com/aws/aws-sdk-go-v2/credentials/logincreds
 github.com/aws/aws-sdk-go-v2/credentials/processcreds
 github.com/aws/aws-sdk-go-v2/credentials/ssocreds
 github.com/aws/aws-sdk-go-v2/credentials/stscreds
-# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.19
+# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.19
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.19
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/internal/ini v1.8.5
+# github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/internal/ini
-# github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.20
+# github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/internal/v4a
 github.com/aws/aws-sdk-go-v2/internal/v4a/internal/crypto
@@ -203,26 +203,26 @@ github.com/aws/aws-sdk-go-v2/service/ecs/document
 github.com/aws/aws-sdk-go-v2/service/ecs/internal/document
 github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ecs/types
-# github.com/aws/aws-sdk-go-v2/service/iam v1.53.4
+# github.com/aws/aws-sdk-go-v2/service/iam v1.53.6
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/iam
 github.com/aws/aws-sdk-go-v2/service/iam/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/iam/types
-# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.6
+# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
-# github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.11
+# github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/internal/checksum
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.19
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.19
+# github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared/arn
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared/config
-# github.com/aws/aws-sdk-go-v2/service/pricing v1.40.13
+# github.com/aws/aws-sdk-go-v2/service/pricing v1.40.14
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/pricing
 github.com/aws/aws-sdk-go-v2/service/pricing/internal/endpoints
@@ -234,22 +234,22 @@ github.com/aws/aws-sdk-go-v2/service/s3/internal/arn
 github.com/aws/aws-sdk-go-v2/service/s3/internal/customizations
 github.com/aws/aws-sdk-go-v2/service/s3/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/s3/types
-# github.com/aws/aws-sdk-go-v2/service/signin v1.0.7
+# github.com/aws/aws-sdk-go-v2/service/signin v1.0.8
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/signin
 github.com/aws/aws-sdk-go-v2/service/signin/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/signin/types
-# github.com/aws/aws-sdk-go-v2/service/sso v1.30.12
+# github.com/aws/aws-sdk-go-v2/service/sso v1.30.13
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/sso
 github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sso/types
-# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.16
+# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/ssooidc
 github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ssooidc/types
-# github.com/aws/aws-sdk-go-v2/service/sts v1.41.8
+# github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
 ## explicit; go 1.24
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
@@ -314,8 +314,8 @@ github.com/charmbracelet/bubbles/viewport
 # github.com/charmbracelet/bubbletea v1.3.10
 ## explicit; go 1.24.0
 github.com/charmbracelet/bubbletea
-# github.com/charmbracelet/colorprofile v0.4.2
-## explicit; go 1.24.2
+# github.com/charmbracelet/colorprofile v0.4.3
+## explicit; go 1.25.0
 github.com/charmbracelet/colorprofile
 # github.com/charmbracelet/lipgloss v1.1.0
 ## explicit; go 1.18
@@ -353,8 +353,8 @@ github.com/cloudflare/circl/math/mlsbset
 github.com/cloudflare/circl/sign
 github.com/cloudflare/circl/sign/ed25519
 github.com/cloudflare/circl/sign/ed448
-# github.com/coocood/freecache v1.2.5
-## explicit; go 1.13
+# github.com/coocood/freecache v1.2.7
+## explicit; go 1.21
 github.com/coocood/freecache
 # github.com/cyphar/filepath-securejoin v0.6.1
 ## explicit; go 1.18
@@ -532,8 +532,8 @@ github.com/json-iterator/go
 # github.com/kevinburke/ssh_config v1.6.0
 ## explicit; go 1.18
 github.com/kevinburke/ssh_config
-# github.com/klauspost/compress v1.18.4
-## explicit; go 1.23
+# github.com/klauspost/compress v1.18.5
+## explicit; go 1.24
 github.com/klauspost/compress
 github.com/klauspost/compress/flate
 github.com/klauspost/compress/fse
@@ -720,8 +720,8 @@ github.com/pulumi/pulumi-command/sdk/go/command/remote
 ## explicit; go 1.24.1
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild/internal
-# github.com/pulumi/pulumi-docker/sdk/v4 v4.11.0
-## explicit; go 1.24.0
+# github.com/pulumi/pulumi-docker/sdk/v4 v4.11.1
+## explicit; go 1.25.6
 github.com/pulumi/pulumi-docker/sdk/v4/go/docker
 github.com/pulumi/pulumi-docker/sdk/v4/go/docker/internal
 # github.com/pulumi/pulumi-gitlab/sdk/v8 v8.11.0
@@ -1278,7 +1278,7 @@ gopkg.in/warnings.v0
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# k8s.io/apimachinery v0.35.2
+# k8s.io/apimachinery v0.35.3
 ## explicit; go 1.25.0
 k8s.io/apimachinery/pkg/api/errors
 k8s.io/apimachinery/pkg/api/meta
@@ -1322,7 +1322,7 @@ k8s.io/apimachinery/pkg/util/yaml
 k8s.io/apimachinery/pkg/version
 k8s.io/apimachinery/pkg/watch
 k8s.io/apimachinery/third_party/forked/golang/reflect
-# k8s.io/client-go v0.35.2
+# k8s.io/client-go v0.35.3
 ## explicit; go 1.25.0
 k8s.io/client-go/dynamic
 k8s.io/client-go/features