Skip to content

build(deps): bump the tools group in /tools with 5 updates#6566

Merged
evankanderson merged 2 commits into
mainfrom
dependabot/go_modules/tools/tools-dbe8943ea3
Jul 3, 2026
Merged

build(deps): bump the tools group in /tools with 5 updates#6566
evankanderson merged 2 commits into
mainfrom
dependabot/go_modules/tools/tools-dbe8943ea3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the tools group in /tools with 5 updates:

Package From To
github.com/bufbuild/buf 1.70.0 1.71.0
github.com/mikefarah/yq/v4 4.53.2 4.53.3
github.com/oapi-codegen/oapi-codegen/v2 2.7.0 2.7.1
github.com/openfga/cli 0.7.15 0.7.16
golang.org/x/tools 0.45.0 0.46.0

Updates github.com/bufbuild/buf from 1.70.0 to 1.71.0

Release notes

Sourced from github.com/bufbuild/buf's releases.

v1.71.0

  • Port new formatter and fix bugs for in-line block comment spacing.
  • Fix handling for an empty rpc input/output.
Changelog

Sourced from github.com/bufbuild/buf's changelog.

[v1.71.0] - 2026-06-16

  • Port new formatter and fix bugs for in-line block comment spacing.
  • Fix handling for an empty rpc input/output.
Commits

Updates github.com/mikefarah/yq/v4 from 4.53.2 to 4.53.3

Release notes

Sourced from github.com/mikefarah/yq/v4's releases.

v4.53.3

Changelog

Sourced from github.com/mikefarah/yq/v4's changelog.

4.53.3:

Commits

Updates github.com/oapi-codegen/oapi-codegen/v2 from 2.7.0 to 2.7.1

Release notes

Sourced from github.com/oapi-codegen/oapi-codegen/v2's releases.

Security fix for Go code injection

This is a security fix for a code injection vulnerability in v2.7.0, please see:

GHSA-rjwr-m7qx-3fjr

[!NOTE] A vulnerability like this requires that it is missed in code review and that you then call the malicious method.

Using an init() function could be enough to not require a direct call to the code, and instead rely on you importing the package, but either way, code review should be performed before any oapi-codegen generated code is executed.

We strongly recommend all users to be reviewing changes to their generated code before they execute anything within it, to protect against supply chain attacks or malicious injected code.

This is also why we recommend oapi-codegen generated code is committed to source control.

We're more strict about escaping strings passed into the OpenAPI specification, so that people can't inject Go code into generated code.

The problem was that it was possible to craft a description for server URL's which would emit arbitrary Go code, so if an attacker controlled your specification, they could inject Go code into your generated code which could do something malicious.

Commits

Updates github.com/openfga/cli from 0.7.15 to 0.7.16

Release notes

Sourced from github.com/openfga/cli's releases.

v0.7.16

Added

  • Add a size field to fga model get and size_kb to fga model validate output, reporting the protobuf-serialized size of an authorization model in KB. (#712)

Changed

  • replace go-multierror with stdlib, remove dep (#705) (2e9afa2)
  • Update bundled OpenFGA to v1.18.0

What's Changed

Full Changelog: openfga/cli@v0.7.15...v0.7.16

Changelog

Sourced from github.com/openfga/cli's changelog.

0.7.16 (2026-06-17)

Added

  • Add a size field to fga model get and size_kb to fga model validate output, reporting the protobuf-serialized size of an authorization model in KB. (#712)

Changed

  • replace go-multierror with stdlib, remove dep (#705) (2e9afa2)
  • Update bundled OpenFGA to v1.18.0
Commits
  • fe7f94d release: v0.7.16 (#710)
  • 6dff890 feat: report serialized model size in fga model get and validate (#712)
  • baaaff4 chore(deps): update bundled openfga to v1.18.0 (#709)
  • 2e9afa2 refactor: replace go-multierror with stdlib, remove dep (#705)
  • f0879ce chore(deps): bump github.com/openfga/go-sdk in the dependencies group (#706)
  • d1fd7d3 chore(deps): bump github.com/openfga/openfga in the dependencies group (#702)
  • 322eb81 chore(deps): bump actions/checkout in the dependencies group (#703)
  • 142ca19 chore: bump go toolchain for vulnerabilities (#701)
  • b93c55f chore: skip github release to push gpg signed tag (#699)
  • f3ae3b5 chore(deps): bump github.com/openfga/openfga in the dependencies group (#700)
  • Additional commits viewable in compare view

Updates golang.org/x/tools from 0.45.0 to 0.46.0

Commits
  • 3d6f8df go/packages: propagate PATH in TestConfigEnvDoesNotInheritProcessEnv
  • 47abf61 gopls: move internal/tool into gopls/internal/tool
  • 19cebc5 go/packages/gopackages: use standard flag package instead of internal/tool
  • e965c10 gopls/internal/test/marker: update hover test
  • 96efd3d gopls/internal/golang/stubmethods: support generic interfaces
  • 83be7b7 go.mod: update golang.org/x dependencies
  • bf05c11 internal/typesinternal: ForEachElement: test generic methods
  • 99df0ab go/callgraph/static: support generic methods
  • 6942095 go/ssa: fix instantiation of generic methods on non-generic receivers
  • 070e85d go/callgraph/rta: skip generic methods in fingerprinting
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the tools group in /tools with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/bufbuild/buf](https://github.com/bufbuild/buf) | `1.70.0` | `1.71.0` |
| [github.com/mikefarah/yq/v4](https://github.com/mikefarah/yq) | `4.53.2` | `4.53.3` |
| [github.com/oapi-codegen/oapi-codegen/v2](https://github.com/oapi-codegen/oapi-codegen) | `2.7.0` | `2.7.1` |
| [github.com/openfga/cli](https://github.com/openfga/cli) | `0.7.15` | `0.7.16` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.45.0` | `0.46.0` |


Updates `github.com/bufbuild/buf` from 1.70.0 to 1.71.0
- [Release notes](https://github.com/bufbuild/buf/releases)
- [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md)
- [Commits](bufbuild/buf@v1.70.0...v1.71.0)

Updates `github.com/mikefarah/yq/v4` from 4.53.2 to 4.53.3
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@v4.53.2...v4.53.3)

Updates `github.com/oapi-codegen/oapi-codegen/v2` from 2.7.0 to 2.7.1
- [Release notes](https://github.com/oapi-codegen/oapi-codegen/releases)
- [Commits](oapi-codegen/oapi-codegen@v2.7.0...v2.7.1)

Updates `github.com/openfga/cli` from 0.7.15 to 0.7.16
- [Release notes](https://github.com/openfga/cli/releases)
- [Changelog](https://github.com/openfga/cli/blob/main/CHANGELOG.md)
- [Commits](openfga/cli@v0.7.15...v0.7.16)

Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: github.com/bufbuild/buf
  dependency-version: 1.71.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: tools
- dependency-name: github.com/mikefarah/yq/v4
  dependency-version: 4.53.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tools
- dependency-name: github.com/oapi-codegen/oapi-codegen/v2
  dependency-version: 2.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tools
- dependency-name: github.com/openfga/cli
  dependency-version: 0.7.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tools
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: tools
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 06:16
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 1, 2026
@coveralls

coveralls commented Jul 1, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 60.724%. remained the same — dependabot/go_modules/tools/tools-dbe8943ea3 into main

@evankanderson evankanderson merged commit 5dfabf7 into main Jul 3, 2026
27 checks passed
@evankanderson evankanderson deleted the dependabot/go_modules/tools/tools-dbe8943ea3 branch July 3, 2026 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants