chore(deps): bump the security-updates group across 1 directory with 20 updates

[dependabot]

Bumps the security-updates group with 16 updates in the / directory:

Package	From	To
github.com/BurntSushi/toml	1.5.0	1.6.0
github.com/gin-gonic/gin	1.11.0	1.12.0
github.com/go-sql-driver/mysql	1.9.2	1.10.0
github.com/redis/go-redis/v9	9.19.0	9.20.0
go.etcd.io/etcd/api/v3	3.5.21	3.6.12
go.etcd.io/etcd/client/v3	3.5.21	3.6.12
go.etcd.io/etcd/server/v3	3.5.21	3.6.12
go.opentelemetry.io/contrib/propagators/autoprop	0.63.0	0.69.0
go.opentelemetry.io/contrib/samplers/jaegerremote	0.37.0	0.37.1
go.opentelemetry.io/otel/bridge/opentracing	1.36.0	1.44.0
go.opentelemetry.io/otel/exporters/jaeger	1.16.0	1.17.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.38.0	1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	1.38.0	1.44.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	1.36.0	1.44.0
go.uber.org/zap	1.27.0	1.28.0
k8s.io/client-go	0.34.1	0.36.1

Updates github.com/BurntSushi/toml from 1.5.0 to 1.6.0

Release notes

Sourced from github.com/BurntSushi/toml's releases.

v1.6.0

TOML 1.1 is now enabled by default. The TOML changelog has an overview of changes: https://github.com/toml-lang/toml/blob/main/CHANGELOG.md

Also two small fixes:

• Encode large floats as exponent syntax so that round-tripping things like 5e+22 is correct.

• Using duplicate array keys would not give an error:

  arr = [1]
  arr = [2]
  

  This will now correctly give a "Key 'arr' has already been defined" error.

Commits

• 5253492 Enable TOML 1.1 by default (#457)
• e954445 Reject duplicate arrays (#455)
• 6b16cbd Update toml-test test cases from upstream (#456)
• 011fa2b Ensure constant format strings in wf calls
• 4b439bf Remove itemNil
• a473c12 Add test for out of range float64
• b535ff8 Add some boring tests for lex.go
• 6011ef0 Remove unreachable condition in lexTableNameStart
• c8ca9e6 Remove unreachable condition
• 1121f81 Make tomlv read from stdin
• Additional commits viewable in compare view

Updates github.com/gin-gonic/gin from 1.11.0 to 1.12.0

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.12.0

Changelog

Features

• 192ac89eefc1c30f7c97ae48a9ffb1c6f1c8c8bc: feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203) (@​takanuva15)
• 53410d2e07054369e0960fbe2eed97e1b9966f12: feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502) (@​raju-mechatronics)
• acc55e049e33b401e810dbd8c0d6dcb6b3ba2b05: feat(context): add Protocol Buffers support to content negotiation (#4423) (@​1911860538)
• 38e765119241d990705169bedb5002a29ae0cbd1: feat(context): implemented Delete method (@​Spyder01)
• 771dcc6476d7bc6abb9ec0235ecefa4d38fe6fb0: feat(gin): add option to use escaped path (#4420) (@​ldesauw)
• 4dec17afdff48e8018c83618fbbe69fceeb2b41d: feat(logger): color latency (#4146) (@​wsyqn6)
• d7776de7d444935ea4385999711bd6331a98fecb: feat(render): add bson protocol (#4145) (@​laurentcau)

Bug fixes

• b917b14ff9d189f16a7492be79d123a47806ee19: fix(binding): empty value error (#2169) (@​guonaihong)
• c3d1092b3b48addf6f9cd00fe274ec3bd14650eb: fix(binding): improve empty slice/array handling in form binding (#4380) (@​1911860538)
• 9914178584e42458ff7d23891463a880f58c9d86: fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472) (@​Nurysso)
• 2a794cd0b0faa7d829291375b27a3467ea972b0d: fix(debug): version mismatch (#4403) (@​zeek0x)
• c3d5a28ed6d3849da820195b6774d212bcc038a9: fix(gin): close os.File in RunFd to prevent resource leak (#4422) (@​1911860538)
• 5fad976b372e381312f8de69f0969f1284d229d3: fix(gin): literal colon routes not working with engine.Handler() (#4415) (@​pawannn)
• 63dd3e60cab89c27fb66bce1423bd268d52abad1: fix(recover): suppress http.ErrAbortHandler in recover (#4336) (@​MondayCha)
• 5c00df8afadd06cc5be530dde00fe6d9fa4a2e4a: fix(render): write content length in Data.Render (#4206) (@​dengaleev)
• 234a6d4c00cb77af9852aca0b8289745d5529b4b: fix(response): refine hijack behavior for response lifecycle (#4373) (@​appleboy)
• 472d086af2acd924cb4b9d7be0525f7d790f69bc: fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535) (@​veeceey)
• 8e07d37c63e5536eb25f4af4c91eabeee4011fba: fix: Correct typos, improve documentation clarity, and remove dead code (#4511) (@​mahanadh)

Enhancements

• ba093d19477b896ac89a7fc3246af23d290b8e26: chore(binding): upgrade bson dependency to mongo-driver v2 (#4549) (@​BobDu)
• b2b489dbf4826c2c630717a77fd5e42774625410: chore(context): always trust xff headers from unix socket (#3359) (@​WeidiDeng)
• ecb3f7b5e2f3915bf1db240ed5eee572f8dbea36: chore(deps): upgrade golang.org/x/crypto to v0.45.0 (#4449) (@​appleboy)
• af6e8b70b8261bb0c99ad094fe552ab92991620a: chore(deps): upgrade quic-go to v0.57.1 (@​appleboy)
• db309081bc5c137b2aa15701ef53f7f19788da25: chore(logger): allow skipping query string output (#4547) (@​USA-RedDragon)
• 26c3a628655cad2388380cb8102d6ce7d4875f3b: chore(response): prevent Flush() panic when http.Flusher (#4479) (@​Twacqwq)
• 5dd833f1f26de0eb30eae47b17e05ced2482dc41: chore: bump minimum Go version to 1.24 and update workflows (#4388) (@​appleboy)

Refactor

• 39858a0859c914bd26948fa950477e11bd8d3823: refactor(binding): use maps.Copy for cleaner map handling (#4352) (@​russcoss)
• c0048f645ee945c4db30593afdea10123e2c30a6: refactor(context): omit the return value names (#4395) (@​wanghaolong613)
• 915e4c90d28ec4cffc6eb146e208ab5a65eac772: refactor(context): replace hardcoded localhost IPs with constants (#4481) (@​pauloappbr)
• 414de60574449457f3192a7a1d5528940db2836d: refactor(context): using maps.Clone (#4333) (@​cuiweixie)
• 59e9d4a794f12c4f9a6c7bed441b9644e5f6d99b: refactor(ginS): use sync.OnceValue to simplify engine function (#4314) (@​1911860538)
• 3ab698dc5110af1977d57226e4995c57dd34c233: refactor(recovery): smart error comparison (#4142) (@​zeek0x)
• d1a15347b1e45a8ee816193d3578a93bfd73b70f: refactor(utils): move util functions to utils.go (#4467) (@​zeek0x)
• e3118cc378d263454098924ebbde7e8d1dd2e904: refactor: for loop can be modernized using range over int (#4392) (@​wanghaolong613)
• 488f8c3ffa579a8d19beb2bae95ff8ef36b3d53f: refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529) (@​veeceey)
• 9968c4bf9d5a99edc3eee2c068a4c9160ece8915: refactor: use b.Loop() to simplify the code and improve performance (#4389) (@​reddaisyy)
• a85ef5ce4d0cda8834c59c855068ed48b51192d1: refactor: use b.Loop() to simplify the code and improve performance (#4432) (@​efcking)

Build process updates

• 61b67de522a189b568aced4c5c16917c558e3387: ci(bot): increase frequency and group updates for dependencies (#4367) (@​appleboy)
• fb27ef26c2fdfe25344b4c039d8a53551f9e912c: ci(lint): refactor test assertions and linter configuration (#4436) (@​appleboy)
• 93ff771e6dbf10e432864b30f3719ac5c84a4d4a: ci(sec): improve type safety and server organization in HTTP middleware (#4437) (@​appleboy)
• e88fc8927a52b74f55bec0351604a56ac0aa1c51: ci(sec): schedule Trivy security scans to run daily at midnight UTC (#4439) (@​appleboy)
• 5e5ff3ace496a31b138b0820136a146bfb5de0ef: ci: replace vulnerability scanning workflow with Trivy integration (#4421) (@​appleboy)
• 00900fb3e1ea9dde33985a0e4f6afec793d5e786: ci: update CI workflows and standardize Trivy config quotes (#4531) (@​appleboy)
• ae3f524974fc4f55d18c9e7fae4614503c015226: ci: update Go version support to 1.25+ across CI and docs (#4550) (@​appleboy)

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.12.0

Features

• feat(render): add bson protocol (#4145)
• feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502)
• feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203)
• feat(gin): add option to use escaped path (#4420)
• feat(context): add Protocol Buffers support to content negotiation (#4423)
• feat(context): implemented Delete method (#38e7651)
• feat(logger): color latency (#4146)

Enhancements

• perf(tree): reduce allocations in findCaseInsensitivePath (#4417)
• perf(recovery): optimize line reading in stack function (#4466)
• perf(path): replace regex with custom functions in redirectTrailingSlash (#4414)
• perf(tree): optimize path parsing using strings.Count (#4246)
• chore(logger): allow skipping query string output (#4547)
• chore(context): always trust xff headers from unix socket (#3359)
• chore(response): prevent Flush() panic when the underlying ResponseWriter does not implement http.Flusher (#4479)
• refactor(recovery): smart error comparison (#4142)
• refactor(context): replace hardcoded localhost IPs with constants (#4481)
• refactor(utils): move util functions to utils.go (#4467)
• refactor(binding): use maps.Copy for cleaner map handling (#4352)
• refactor(context): using maps.Clone (#4333)
• refactor(ginS): use sync.OnceValue to simplify engine function (#4314)
• refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529)
• refactor: for loop can be modernized using range over int (#4392)

Bug Fixes

• fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
• fix(render): write content length in Data.Render (#4206)
• fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472)
• fix(binding): empty value error (#2169)
• fix(recover): suppress http.ErrAbortHandler in recover (#4336)
• fix(gin): literal colon routes not working with engine.Handler() (#4415)
• fix(gin): close os.File in RunFd to prevent resource leak (#4422)
• fix(response): refine hijack behavior for response lifecycle (#4373)
• fix(binding): improve empty slice/array handling in form binding (#4380)
• fix(debug): version mismatch (#4403)
• fix: correct typos, improve documentation clarity, and remove dead code (#4511)

Build process updates / CI

• ci: update Go version support to 1.25+ across CI and docs (#4550)
• chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)

Commits

• 73726dc docs: update documentation to reflect Go version changes (#4552)
• e292e5c docs: document and finalize Gin v1.12.0 release (#4551)
• ae3f524 ci: update Go version support to 1.25+ across CI and docs (#4550)
• 38534e2 chore(deps): bump golang.org/x/net from 0.50.0 to 0.51.0 (#4548)
• 472d086 fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
• fb25834 test(context): use http.StatusContinue constant instead of magic number 100 (...
• 6f1d5fe test(render): add comprehensive error handling tests (#4541)
• 5c00df8 fix(render): write content length in Data.Render (#4206)
• db30908 chore(logger): allow skipping query string output (#4547)
• ba093d1 chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)
• Additional commits viewable in compare view

Updates github.com/go-sql-driver/mysql from 1.9.2 to 1.10.0

Release notes

Sourced from github.com/go-sql-driver/mysql's releases.

v1.10.0

What's Changed

• add Go 1.24 to the test matrix by @​shogo82148 in go-sql-driver/mysql#1681
• modernize for Go 1.22 by @​methane in go-sql-driver/mysql#1695
• test stability improvement. by @​methane in go-sql-driver/mysql#1698
• simplify collation tests by @​methane in go-sql-driver/mysql#1700
• fix bigint unsigned null column scan to err type int64 by @​elonnzhang in go-sql-driver/mysql#1612
• Transaction Commit/Rollback returns conn's cached error, if present by @​brad-defined in go-sql-driver/mysql#1691
• add BenchmarkReceive10kRowsCompress by @​methane in go-sql-driver/mysql#1704
• optimize readPacket by @​methane in go-sql-driver/mysql#1705
• MariaDB Metadata skipping and DEPRECATE_EOF by @​rusher in go-sql-driver/mysql#1708
• Optimization: statements reuse previous column name by @​methane in go-sql-driver/mysql#1711
• update outdated MySQL internals documentation links by @​demouth in go-sql-driver/mysql#1714
• fix PING on compressed connections by @​methane in go-sql-driver/mysql#1721
• add DeepWiki badge by @​methane in go-sql-driver/mysql#1722
• Update edwards25519 dependency to v1.1.1 by @​williamhaw in go-sql-driver/mysql#1749
• Configure Dependabot for Go modules by @​methane in go-sql-driver/mysql#1755
• Bump dominikh/staticcheck-action from 1.3.1 to 1.4.1 by @​dependabot[bot] in go-sql-driver/mysql#1759
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in go-sql-driver/mysql#1760
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1757
• fix staticcheck error by @​methane in go-sql-driver/mysql#1761
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in go-sql-driver/mysql#1758
• Fix getSystemVar buffer reuse by @​morgo in go-sql-driver/mysql#1754
• Consolidate Dependabot update noise by grouping weekly dependency PRs by @​Copilot in go-sql-driver/mysql#1762
• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 by @​dependabot[bot] in go-sql-driver/mysql#1756
• CI: Update GitHub Actions Go matrix to 1.24–1.26 by @​Copilot in go-sql-driver/mysql#1763
• Enhance interpolateParams to correctly handle placeholders by @​rusher in go-sql-driver/mysql#1732
• modernize by @​methane in go-sql-driver/mysql#1764
• release v1.10.0 by @​methane in go-sql-driver/mysql#1765

New Contributors

• @​elonnzhang made their first contribution in go-sql-driver/mysql#1612
• @​brad-defined made their first contribution in go-sql-driver/mysql#1691
• @​rusher made their first contribution in go-sql-driver/mysql#1708
• @​demouth made their first contribution in go-sql-driver/mysql#1714
• @​williamhaw made their first contribution in go-sql-driver/mysql#1749
• @​dependabot[bot] made their first contribution in go-sql-driver/mysql#1759
• @​morgo made their first contribution in go-sql-driver/mysql#1754
• @​Copilot made their first contribution in go-sql-driver/mysql#1762

Full Changelog: go-sql-driver/mysql@v1.9.2...v1.10.0

v1.9.3

What's Changed

• [1.9] test stability improvement. by @​methane in go-sql-driver/mysql#1699
• [1.9] Transaction Commit/Rollback returns conn's cached error by @​methane in go-sql-driver/mysql#1702
• backport benchmark_test by @​methane in go-sql-driver/mysql#1706
• [1.9] optimize readPacket (#1705) by @​methane in go-sql-driver/mysql#1707
• [1.9] fix PING on compressed connections by @​methane in go-sql-driver/mysql#1723
• release v1.9.3 by @​methane in go-sql-driver/mysql#1725

... (truncated)

Changelog

Sourced from github.com/go-sql-driver/mysql's changelog.

v1.10.0 (2026-04-28)

• Fix getSystemVar("max_allowed_packet") potentially returned wrong value. (#1754) This affects only when maxAllowedPacket=0 is set.

• Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0. (#1756) While older versions have reported CVEs, they do not affect go-mysql.

• Update Go versions to 1.24-1.26. (#1763)

• Enhance interpolateParams to correctly handle placeholders. (#1732) The question mark (?) within strings and comments will no longer be treated as a placeholder.

v1.9.3 (2025-06-13)

• tx.Commit() and tx.Rollback() returned ErrInvalidConn always. Now they return cached real error if present. (#1690)

• Optimize reading small result sets to fix a performance regression introduced by compression protocol support. ([#1707](https://github.com/go-sql-driver/mysql/issues/1707))

• Fix db.Ping() on compressed connection. (#1723)

Commits

• a065b60 release v1.10.0 (#1765)
• 09e4187 modernize (#1764)
• 6c44a9a Enhance interpolateParams to correctly handle placeholders (#1732)
• 688ce56 Update supported Go version to 1.24–1.26 (#1763)
• 118d07f Bump filippo.io/edwards25519 from 1.1.1 to 1.2.0 (#1756)
• d6b2d3e Consolidate Dependabot update noise by grouping weekly dependency PRs (#1762)
• 037dfd8 Fix getSystemVar buffer reuse (#1754)
• 900f330 Bump actions/checkout from 4 to 6 (#1758)
• ab9e380 fix staticcheck error (#1761)
• f298c66 Bump actions/setup-go from 5 to 6 (#1757)
• Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.19.0 to 9.20.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.20.0

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

• AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
• INCREX (#3816) — atomic increment with expiration in a single round-trip.
• XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
• XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
• TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
• Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
• JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

• RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
• INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
• XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
• TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
• XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
• JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
• Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
• FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
• Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

• TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
• Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov
• ClusterClient Watch retry: User errors returned from a Watch callback are no longer subjected to cluster-retry classification; transient cluster errors still retry, but a callback returning e.g. net.ErrClosed short-circuits immediately (#3821) by @​obiyang

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.20.0 (2026-05-28)

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8-rc1 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

• AR* array data type (#3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
• INCREX (#3816) — atomic increment with expiration in a single round-trip.
• XNACK (#3790) — explicit negative-acknowledge of pending stream entries.
• XAUTOCLAIM PEL deletes (#3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
• TS.RANGE multiple aggregators (#3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
• Z(UNION|INTER|DIFF) COUNT aggregator (#3802) — COUNT reducer for sorted-set set operations.
• JSON.SET FPHA (#3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future release and new code should not set it. RawResult() / RawVal() continue to work for callers that prefer the raw RESP payload.

(#3741) by @​ndyakov

Experimental Array Data Structure Commands

Adds an experimental ArrayCmdable interface with the AR* command family (ARSet, ARGet, ARGetRange, ARMSet, ARMGet, ARDel, ARDelRange, ARScan, ARSeek, ARNext, ARLastItems, ARGrep, ARGrepWithValues, ARInfo/ARInfoFull, and typed reducers AROpSum/AROpMin/AROpMax/AROpAnd/AROpOr/AROpXor/AROpMatch/AROpUsed) for working with Redis 8.8's new array data type. API is experimental and may change in a future release.

(#3813) by @​cxljs

✨ New Features

• RESP3 search parser: First-class RESP3 parsing for FT.SEARCH/FT.AGGREGATE/FT.INFO/FT.SPELLCHECK/FT.SYNDUMP responses with backwards compatibility for RESP2 (#3741) by @​ndyakov
• INCREX: New INCREX command support — atomic increment with expiration (#3816) by @​ndyakov
• XNACK: Client support for the XNACK stream command for explicitly negative-acknowledging pending entries (#3790) by @​elena-kolevska
• TS range multiple aggregators: TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE now accept multiple aggregators in a single call (#3791) by @​elena-kolevska
• XAutoClaim deleted IDs: XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the PEL (#3798) by @​Khukharr
• JSON.SET FPHA: JSON.SET accepts a new FPHA argument that specifies the floating-point type for homogeneous floating-point arrays (#3797) by @​ndyakov
• Sorted-set union/intersection COUNT: ZUNION/ZINTER/ZDIFF aggregator now supports COUNT (#3802) by @​ofekshenawa
• FT.HYBRID vector validation: Validates hybrid-search vector input types and adds proper typed vector parameters (#3756) by @​DengY11
• Cluster pool wait stats: ClusterClient.PoolStats() now accumulates WaitCount and WaitDurationNs across all node pools (previously always zero) (#3809) by @​LINKIWI

🐛 Bug Fixes

• TLS-only Cluster PubSub: CLUSTER SLOTS port-0 entries now fall back to the origin endpoint's port, fixing dial tcp <ip>:0: connection refused on TLS-only clusters started with --port 0 --tls-port <port> (fixes #3726) (#3828) by @​ndyakov
• Sharded PubSub reconnect routing: PubSub.conn() now passes both regular (c.channels) and sharded (c.schannels) channels into the per-PubSub newConn closure. Previously, ClusterClient.SSubscribe-only PubSubs reconnected to a random node (because the routing closure saw an empty channel list), the SSUBSCRIBE was sent to the wrong shard, and the resulting MOVED reply was silently dropped (#3829) by @​ndyakov

... (truncated)

Commits

• 7d05dd3 chore(release): v9.20.0 (#3832)
• 9756882 fix(test): make waitForSentinelClusterStable robust to disconnected r… (#3830)
• 875ce21 fix(sentinel): do not close sentinel when replica list is empty (#3795)
• 8a027f2 chore(ci): add govulncheck workflow (#3779)
• d8407df fix(pubsub): include shard channels in newConn routing list (#3829)
• 6af9bdc fix(cluster): fall back to origin port when CLUSTER SLOTS reports port 0 (#3828)
• fa5aa8c chore(doc): Update README and CI image. (#3822)
• fdcc6f9 refactor(keyPos): Enhance key position retrieval with CommandInfo caching (#3...
• 68a8bc1 fix(sentinel): close non-winning sentinel clients in MasterAddr concurrent pr...
• 00bf6d3 fix: avoid retrying ClusterClient Watch callback errors (#3821)
• Additional commits viewable in compare view

Updates go.etcd.io/etcd/api/v3 from 3.5.21 to 3.6.12

Release notes

Sourced from go.etcd.io/etcd/api/v3's releases.

v3.6.12

Please check out CHANGELOG for a full list of changes. And make sure to read upgrade guide before upgrading etcd (there may be breaking changes).

For installation guides, please check out operating etcd. Latest support status for common architectures and operating systems can be found at supported platforms.

Linux

ETCD_VER=v3.6.12
choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1 --no-same-owner
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version
/tmp/etcd-download-test/etcdutl version
start a local etcd server
/tmp/etcd-download-test/etcd
write,read to etcd
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 put foo bar
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 get foo

macOS (Darwin)

ETCD_VER=v3.6.12
choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-darwin-amd64.zip -o /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
unzip /tmp/etcd-${ETCD_VER}-darwin-amd64.zip -d /tmp && rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
mv /tmp/etcd-${ETCD_VER}-darwin-amd64/* /tmp/etcd-download-test && rm -rf mv /tmp/etcd-${ETCD_VER}-darwin-amd64
</tr></table>

... (truncated)

Commits

• 90b034a version: bump up to 3.6.12
• 8b95963 Merge pull request #21811 from Deln0r/release-3.6-backport-21666
• 576a6a0 server: allow non-admin maintenance status
• 2286051 Merge pull request #21794 from vivekpatani/cherry-pick-21788-release-3.6
• e1468c8 client/pkg/fileutil: use os.Getuid() to skip TestIsDirWriteable as root
• aaf38f8 Merge pull request #21768 from silentred/release-3.6-etcdutl-invalid-datadir
• 449e34b etcdutl: validate data file path and return consistent errors instead of pani...
• 00e1b15 Merge pull request #21736 from silentred/release-3.6-bugfix-memberupdate-learner
• 49cd4a4 bugfix: MemberUpdate implicitly and unexpectedly promotes a learner
• 9bbe31b Merge pull request #21727 from silentred/release-3.6-bump-go-1.25.10
• Additional commits viewable in compare view

Updates go.etcd.io/etcd/client/v3 from 3.5.21 to 3.6.12

Release notes

Sourced from

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the Go module manifest to version 1.26.0 toolchain and bumps a comprehensive set of direct and indirect dependencies. Core dependencies like etcd, OpenTelemetry, and gRPC are upgraded, while transitive dependencies across validation, encoding, infrastructure, and API layers are refreshed with newer versions.

Changes

Dependency Versions

Layer / File(s)	Summary
Direct dependencies upgrade go.mod	Go toolchain updated to go 1.26.0; direct dependencies bumped: Gin, MySQL driver, Redis, etcd to v3.6.12, OpenTelemetry/OTLP/Jaeger exporters to v1.44.0 / v1.17.0 line, zap, and grpc with gRPC replace override preserved.
Indirect dependencies refresh go.mod	Indirect dependencies across multiple layers updated: validation (go-playground/validator/v10), encoding (goccy/go-json, goccy/go-yaml), JWT library switched from v4 to v5, tracing helpers (jaeger-idl, clockwork), QUIC (quic-go), OpenTelemetry contrib propagators/instrumentation, etcd client/pkg/raft/bbolt, protobuf/genproto, Google APIs, and golang.org/x/* libraries refreshed; etcd client v2 and other obsolete modules removed.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 Dependencies dancing, versions bright,
From v3.5 to v3.6 in the night,
Go 1.26 leads the way,
Fresh libraries brighten the day! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the primary change: a dependency update for the security-updates group. It clearly conveys the main action (bumping dependencies) and scope (security-updates group, 1 directory).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/main/security-updates-34829a80e9

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 38: The go.mod pins grpc to a vulnerable version via the replace
directive "replace google.golang.org/grpc => google.golang.org/grpc v1.63.2"
which overrides the required "google.golang.org/grpc v1.81.1"; remove or update
that replace to a safe release (at minimum v1.79.3, ideally v1.81.1) so the
resolved module is not v1.63.2, then run go mod tidy to refresh go.sum and
verify builds/tests; look for and update the exact "replace
google.golang.org/grpc => google.golang.org/grpc v1.63.2" line and ensure the
require entry "google.golang.org/grpc v1.81.1" is preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2b826bec-6410-4e08-9d97-2bd15baa0293

📥 Commits

Reviewing files that changed from the base of the PR and between afed49a and 29ee846.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod: require/replace for google.golang.org/grpc =="
# Print relevant sections around the reported lines and any grpc-related directives
if [ -f go.mod ]; then
  echo "--- Top (lines 1-120) ---"
  sed -n '1,120p' go.mod | nl -ba | sed -n '1,120p'
  echo "--- Middle (lines 120-220) ---"
  sed -n '120,220p' go.mod | nl -ba | sed -n '1,120p'
  echo "--- Exact matches for grpc ---"
  rg -n "google\.golang\.org/grpc" go.mod || true
else
  echo "go.mod not found at repo root"
fi

Repository: kubeservice-stack/common

Length of output: 212

---

🌐 Web query:

GHSA auth bypass google.golang.org/grpc v1.63.2

💡 Result:

The security vulnerability you are inquiring about is identified as CVE-2026-33186 (also tracked as GHSA-p77j-4mvh-x3m3) [1][2]. It is an authorization bypass vulnerability in the gRPC-Go library (google.golang.org/grpc) that allows an attacker to potentially circumvent path-based authorization policies [3][4][5]. The issue arises because, in versions prior to 1.79.3, the gRPC-Go server was overly permissive when processing the HTTP/2:path pseudo-header [3][6]. According to RFC 7540, this header must begin with a leading slash (e.g., /Service/Method) [6]. However, previous versions of the library accepted requests where this leading slash was omitted (e.g., Service/Method) [3][7]. While the server correctly routed these malformed requests to the appropriate handler, the raw, non-canonical path string was passed to authorization interceptors (such as the official grpc/authz package) [3][8][1]. Consequently, if a server's security policy relied on "deny" rules based on canonical paths (starting with /) but contained a fallback "allow" rule, the policy would fail to match the incoming non-canonical path, resulting in an authorization bypass [3][4][5]. This vulnerability is patched in google.golang.org/grpc version 1.79.3 [3][1][5]. The fix ensures that any request with a:path header lacking a leading slash is immediately rejected with a codes.Unimplemented error, preventing the request from reaching authorization interceptors [3][4][1]. Note: The version 1.63.2 referenced in your query is an affected version, as it is earlier than 1.79.3 [1][2]. Users are strongly advised to upgrade to 1.79.3 or newer [3][1][5]. If an immediate upgrade is not possible, mitigations include implementing a validating interceptor to reject malformed paths, ensuring infrastructure-level normalization of HTTP/2 headers, or hardening authorization policies to default-deny [4][8][5].

Citations:

• 1: GHSA-p77j-4mvh-x3m3
• 2: https://pkg.go.dev/vuln/GO-2026-4762
• 3: https://osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3
• 4: https://osv.dev/vulnerability/CVE-2026-33186
• 5: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172
• 6: https://www.systemshardening.com/articles/kubernetes/grpc-go-path-auth-bypass/
• 7: https://advisories.gitlab.com/golang/google.golang.org/grpc/CVE-2026-33186/
• 8: https://guide.sonatype.com/vulnerability/CVE-2026-33186

---

🌐 Web query:

google.golang.org/grpc 1.63.2 security advisory

💡 Result:

There is no security advisory specifically targeting version 1.63.2 of the google.golang.org/grpc library [1][2]. Version 1.63.2 was released in April 2024 to address minor bug fixes, such as correcting user agent strings and un-deprecating certain API methods [2]. The security-related information you may have encountered is likely conflated with a more recent vulnerability, CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), which affects gRPC-Go versions prior to 1.79.3 [3][4][5]. This vulnerability involves an authorization bypass caused by improper input validation of the HTTP/2:path pseudo-header [3][5]. It specifically impacts servers that use path-based authorization interceptors and have specific "deny" rules for canonical paths [4][5][6]. Users of earlier versions, including 1.63.2, are advised to upgrade to version 1.79.3 or newer to mitigate this issue [3][4][5].

Citations:

• 1: https://pkg.go.dev/google.golang.org/grpc@v1.63.2
• 2: build(deps): Bump google.golang.org/grpc from 1.63.0 to 1.63.2 terraform-linters/tflint#2023
• 3: GHSA-p77j-4mvh-x3m3
• 4: https://osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3
• 5: https://osv.dev/vulnerability/CVE-2026-33186
• 6: https://advisories.gitlab.com/golang/google.golang.org/grpc/CVE-2026-33186/

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod: exact grpc require/replace directives =="

# Show all grpc-related directives with line numbers using awk (no nl dependency)
awk '{ if ($0 ~ /google\.golang\.org\/grpc/) print NR ":" $0 }' go.mod || true

echo
echo "== go.mod: context around reported lines (38 and 170) =="

for ln in 38 170; do
  start=$((ln-5))
  end=$((ln+5))
  echo "--- around line $ln ($start-$end) ---"
  sed -n "${start},${end}p" go.mod | nl -ba
done

Repository: kubeservice-stack/common

Length of output: 476

---

Critical security fix: grpc is still pinned to vulnerable v1.63.2 via replace

go.mod requires google.golang.org/grpc v1.81.1 (line 38), but replace google.golang.org/grpc => google.golang.org/grpc v1.63.2 (line 170) overrides it—so the resolved dependency remains v1.63.2. That version is affected by GHSA-p77j-4mvh-x3m3 / CVE-2026-33186 (patched in grpc v1.79.3).

Suggested fix

-replace google.golang.org/grpc => google.golang.org/grpc v1.63.2
+replace google.golang.org/grpc => google.golang.org/grpc v1.81.1

🧰 Tools

🪛 OSV Scanner (2.3.8)

[CRITICAL] 38-38: google.golang.org/grpc 1.63.2: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)

---

[CRITICAL] 38-38: google.golang.org/grpc 1.63.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 38, The go.mod pins grpc to a vulnerable version via the
replace directive "replace google.golang.org/grpc => google.golang.org/grpc
v1.63.2" which overrides the required "google.golang.org/grpc v1.81.1"; remove
or update that replace to a safe release (at minimum v1.79.3, ideally v1.81.1)
so the resolved module is not v1.63.2, then run go mod tidy to refresh go.sum
and verify builds/tests; look for and update the exact "replace
google.golang.org/grpc => google.golang.org/grpc v1.63.2" line and ensure the
require entry "google.golang.org/grpc v1.81.1" is preserved.

Source: Linters/SAST tools