chore(deps): bump the go_modules group across 1 directory with 5 updates

[dependabot]

Bumps the go_modules group with 5 updates in the / directory:

Package	From	To
github.com/cloudflare/circl	1.6.1	1.6.3
github.com/go-git/go-git/v5	5.16.4	5.16.5
github.com/gofiber/fiber/v2	2.52.9	2.52.12
github.com/quic-go/quic-go	0.54.1	0.57.0
github.com/quic-go/webtransport-go	0.9.0	0.10.0

Updates github.com/cloudflare/circl from 1.6.1 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in cloudflare/circl#582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in cloudflare/circl#583
• Release CIRCL v1.6.3 by @​armfazh in cloudflare/circl#584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

CIRCL v1.6.2

• New SLH-DSA, improvements in ML-DSA for arm64.
• Tested compilation on WASM.

What's Changed

• Optimize pairing product computation by moving exponentiations to G1. by @​dfaranha in cloudflare/circl#547
• sign: Adding SLH-DSA signature by @​armfazh in cloudflare/circl#512
• Update code generators to CIRCL v1.6.1. by @​armfazh in cloudflare/circl#548
• ML-DSA: Add preliminary Wycheproof test vectors by @​bwesterb in cloudflare/circl#552
• go fmt by @​bwesterb in cloudflare/circl#554
• gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @​armfazh in cloudflare/circl#555
• group: Removes use of elliptic Marshal and Unmarshal functions. by @​armfazh in cloudflare/circl#556
• Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @​bwesterb in cloudflare/circl#559
• Update to golangci-lint v2 by @​bwesterb in cloudflare/circl#560
• Preparation for ARM64 Implementation of poly operations for dilithium package. by @​elementrics in cloudflare/circl#562
• prepare power2Round for custom implementations in assembly by @​elementrics in cloudflare/circl#564
• ARM64 implementation for poly.PackLe16 by @​elementrics in cloudflare/circl#563
• add arm64 version of polyMulBy2toD by @​elementrics in cloudflare/circl#565
• add arm64 version of polySub by @​elementrics in cloudflare/circl#566
• group: add byteLen method for short groups and RandomScalar uses rand.Int by @​armfazh in cloudflare/circl#568
• add arm64 version of poly.Add/Sub by @​elementrics in cloudflare/circl#572
• group: Adding cryptobyte marshaling to scalars by @​armfazh in cloudflare/circl#569
• Bumping up to Go1.25 by @​armfazh in cloudflare/circl#574
• ci: Including WASM compilation. by @​armfazh in cloudflare/circl#577
• Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @​harshiniwho in cloudflare/circl#578
• Release v1.6.2 by @​armfazh in cloudflare/circl#579

New Contributors

• @​dfaranha made their first contribution in cloudflare/circl#547
• @​elementrics made their first contribution in cloudflare/circl#562
• @​harshiniwho made their first contribution in cloudflare/circl#578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

Commits

• 24ae53c Release CIRCL v1.6.3
• 581020b Rename method to oddMultiplesProjective.
• 12209a4 Removing unused cmov for jacobian points.
• fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
• 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
• 3416046 Check opts for nil value.
• a763d47 Release CIRCL v1.6.2
• 3c70bf9 Bump x/crypto x/sys dependencies.
• 3f0f15b Revert to using package-declared HPKE errors for shortkem instead of standard...
• 23491bd Adding generic Power2Round method.
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

Commits

• 48a1ae0 Merge pull request #1836 from go-git/check-v5
• 42bdf1f storage: filesystem, Verify idx matches pack file
• 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
• 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
• 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
• 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
• 390a569 Merge pull request #1746 from pjbgf/bump-go
• 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
• e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
• 1495930 plumbing: Remove use of non-constant format strings
• Additional commits viewable in compare view

Updates github.com/gofiber/fiber/v2 from 2.52.9 to 2.52.12

Release notes

Sourced from github.com/gofiber/fiber/v2's releases.

v2.52.12

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

v2.52.11

What's Changed

🧹 Updates

• Improve mount functionality by @​gaby in gofiber/fiber#3900

🐛 Bug Fixes

• Backport defensive copying fixes from #3828 and #3829 to v2 by @​sixcolors in gofiber/fiber#3888
• Fixes and improvements for limiter middleware by @​gaby in gofiber/fiber#3899

Full Changelog: gofiber/fiber@v2.52.10...v2.52.11

v2.52.10

🐛 Bug Fixes

• Handle invalid path in filesystem by @​rokostik in gofiber/fiber#3688
• Fix recover middleware panic output formatting by @​ReneWerner87 in gofiber/fiber#3818
• Fix enforcement of Immutable config for some edge cases by @​gaby in gofiber/fiber#3835

📚 Documentation

• Document RoutePatternMatch by @​ReneWerner87 in gofiber/fiber#3723

New Contributors

• @​rokostik made their first contribution in gofiber/fiber#3688

Full Changelog: gofiber/fiber@v2.52.9...v2.52.10

Commits

• 6cba195 Bump fiber package version to 2.52.12
• 5ebbee7 docs: update image paths to v2 in README files
• 5028167 Merge commit from fork
• 42380aa fix: adapt tests for v2 - use defer/recover pattern and correct Handler signa...
• 7cffe29 refactor: use helper function for param route generation in tests
• 5494de8 🐛 bug: add panic for routes with >30 parameters (GHSA-mrq8-rjmw-wpq3)
• 65b0f3d Bump version to 2.52.11
• 1b53334 Modernize error handling in UUID functions (#3941)
• eb874b6 Merge commit from fork
• 4ff945a 🩹 bug: Fix ErrorHandler invocation for mounted sub-apps (#3907)
• Additional commits viewable in compare view

Updates github.com/quic-go/quic-go from 0.54.1 to 0.57.0

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

 

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in quic-go/quic-go#5426
• qlogwriter: fix storing of event schemas by @​marten-seemann in quic-go/quic-go#5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @​marten-seemann in quic-go/quic-go#5431
• http3: read response after encountering error sending the request by @​marten-seemann in quic-go/quic-go#5432
• http3: make Transport.MaxResponseBytes an int by @​marten-seemann in quic-go/quic-go#5433
• http3: add a benchmark for header parsing by @​marten-seemann in quic-go/quic-go#5435
• update qpack to v0.6.0 by @​marten-seemann in quic-go/quic-go#5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @​marten-seemann in quic-go/quic-go#5439
• add documentation for Conn.NextConnection by @​marten-seemann in quic-go/quic-go#5442
• ackhandler: don’t generate an immediate ACK for the first packet by @​marten-seemann in quic-go/quic-go#5447
• don’t arm connection timer for connection ID retirement by @​marten-seemann in quic-go/quic-go#5449
• README: add nodepass to list of projects by @​yosebyte in quic-go/quic-go#5448
• qlogwriter: use synctest to make tests deterministic by @​marten-seemann in quic-go/quic-go#5454
• http3: limit size of decompressed headers by @​marten-seemann in quic-go/quic-go#5452

New Contributors

• @​yosebyte made their first contribution in quic-go/quic-go#5448

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

• replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)

... (truncated)

Commits

• 5b2d212 http3: limit size of decompressed headers (#5452)
• e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
• d43c589 README: add nodepass to list of projects (#5448)
• ca2835d don’t arm connection timer for connection ID retirement (#5449)
• e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
• d4d168f add documentation for Conn.NextConnection (#5442)
• 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
• b7886d5 update qpack to v0.6.0 (#5434)
• 2fc9705 http3: add a benchmark for header parsing (#5435)
• dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
• Additional commits viewable in compare view

Updates github.com/quic-go/webtransport-go from 0.9.0 to 0.10.0

Release notes

Sourced from github.com/quic-go/webtransport-go's releases.

v0.10.0

This release updates webtransport-go to use the new API introduced in quic-go v0.59.0 (#221): Instead of "hijacking" streams from the HTTP/3 layer, the underlying QUIC connection is now owned by WebTransport, and webtransport-go dispatches incoming streams to either the HTTP/3 layer or an existing or new WebTransport session.

New Features

• Implemented Application Protocol Negotiation: #190
• The QUIC Stream Resets with Partial Delivery is now used to enforce reliable delivery of the WebTransport stream header: #239

Breaking Changes

• Session.ConnectionState was renamed to SessionState: #189
• The StreamID method was removed from Stream, SendStream and ReceiveStream: #226
• The Server now embeds the http3.Server as a pointer (instead of by value): #215

Other Changes

• The Stream and the SendStream now expose a Context method: #176 (thanks to @​Sicilica)
• Delayed streams for already closed sessions are immediately reset: #235
• The Session context now uses the request or dial context, allowing the application to attach values to the context: #199
• When a WebTransport session is closed, streams are reset using the WT_SESSION_GONE error. Stream Read and Write now wait for the WT_CLOSE_SESSION capsule on the CONNECT stream to return a meaningful error: #213

Notable Fixes

• Closed sessions are now properly cleaned up: #198 (thanks to @​rolaechea), #230
• Session errors are now properly propagated to the stream Read and Write calls: #207
• The length limit for WT_CLOSE_SESSION capsules is now enforced: #202
• The dial timeout is now respected while waiting for the server's HTTP/3 settings: #216
• A 10ms deadline is applied before attempting the WT_CLOSE_SESSION capsule, preventing Session.Close from blocking any longer than 10ms: #224
• errors.Is error comparisons were fixed for StreamError and SessionError: #204, #205
• The underlying QUIC connection is now closed when establishing a WebTransport session fails: #236

Changelog

• ci: remove 386 (32 bit x86) by @​marten-seemann in quic-go/webtransport-go#180
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in quic-go/webtransport-go#178
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in quic-go/webtransport-go#177
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in quic-go/webtransport-go#179
• ci: use go mod tidy -diff to check for tidied go.mod by @​marten-seemann in quic-go/webtransport-go#181
• ci: fix setting of OS and Go envs for Codecov by @​marten-seemann in quic-go/webtransport-go#183
• ci: enable Codecov test analysis by @​marten-seemann in quic-go/webtransport-go#182
• update minimum Go version to 1.24, use 1.24 and 1.25 on CI by @​marten-seemann in quic-go/webtransport-go#184
• update quic-go to v0.56.0 by @​marten-seemann in quic-go/webtransport-go#185
• ci: remove unused code generation step from lint job by @​marten-seemann in quic-go/webtransport-go#186
• Bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in quic-go/webtransport-go#187
• README: remove unfunded status section by @​marten-seemann in quic-go/webtransport-go#188
• expose SendStream.Context and Stream.Context by @​Sicilica in quic-go/webtransport-go#176
• replace Session.ConnectionState with Session.SessionState by @​marten-seemann in quic-go/webtransport-go#189
• implement application protocol negotiation by @​marten-seemann in quic-go/webtransport-go#190
• ci: update Chrome to 142.0.7444.162 in interop test by @​marten-seemann in quic-go/webtransport-go#192
• remove header-based draft version negotiation by @​marten-seemann in quic-go/webtransport-go#191

... (truncated)

Commits

• 9d448b1 enable and use the QUIC Stream Resets with Partial Delivery extension (#239)
• 128538a update quic-go to v0.59.0 (#240)
• 5d8d3c4 immediately reject streams for closed sessions (#235)
• af56b7f close client’s QUIC connection on WebTransport session close or failure (#236)
• 093f58b move connection management to client and server (#231)
• 9154cfc ci: update golangci-lint to v2.7.2 (#234)
• acca676 add a security policy (#233)
• f2622e1 remove stray TODO from Session (#232)
• 58df38a simplify stream buffering logic in the session manager (#230)
• 3b5a3df README: add list of notable projects and a release policy (#225)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[netlify]

✅ Deploy Preview for localai ready!

Name	Link
🔨 Latest commit	a3bb2e6
🔍 Latest deploy log	https://app.netlify.com/projects/localai/deploys/69b4773efc17db00084d895d
😎 Deploy Preview	https://deploy-preview-8855--localai.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.