chore(deps): bump the go_modules group across 5 directories with 1 update#2921
chore(deps): bump the go_modules group across 5 directories with 1 update#2921dependabot[bot] wants to merge 1 commit into
Conversation
…date Bumps the go_modules group with 1 update in the /packages/api directory: [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go). Bumps the go_modules group with 1 update in the /packages/auth directory: [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go). Bumps the go_modules group with 1 update in the /packages/dashboard-api directory: [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go). Bumps the go_modules group with 1 update in the /packages/orchestrator directory: [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go). Bumps the go_modules group with 1 update in the /packages/shared directory: [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go). Updates `github.com/quic-go/quic-go` from 0.59.0 to 0.59.1 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.59.0...v0.59.1) Updates `github.com/quic-go/quic-go` from 0.59.0 to 0.59.1 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.59.0...v0.59.1) Updates `github.com/quic-go/quic-go` from 0.59.0 to 0.59.1 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.59.0...v0.59.1) Updates `github.com/quic-go/quic-go` from 0.59.0 to 0.59.1 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.59.0...v0.59.1) Updates `github.com/quic-go/quic-go` from 0.59.0 to 0.59.1 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.59.0...v0.59.1) --- updated-dependencies: - dependency-name: github.com/quic-go/quic-go dependency-version: 0.59.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/quic-go/quic-go dependency-version: 0.59.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/quic-go/quic-go dependency-version: 0.59.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/quic-go/quic-go dependency-version: 0.59.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/quic-go/quic-go dependency-version: 0.59.1 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
requested review from
ValentaTomas,
ben-fornefeld,
dobrac and
jakubno
as code owners
dependabot
Bot
added
dependencies
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM, indirect patch bump of quic-go that adds HTTP/3 trailer validation.
Extended reasoning...
Overview
This is a Dependabot patch-version bump of github.com/quic-go/quic-go from v0.59.0 to v0.59.1 across 5 Go modules (api, auth, dashboard-api, orchestrator, shared). Only go.mod and go.sum files are touched. In every module quic-go is listed as // indirect, meaning it is a transitive dependency — none of the e2b code imports it directly.
Security risks
The upstream release notes describe this as a backport of a single PR (quic-go/quic-go#5642) that adds validation for HTTP/3 trailers. That is a defensive hardening change in a library this repo doesn't even use directly, so the risk profile is minimal. The module hash change in go.sum matches the version bump pattern (only the h1: hash for the new version changes; go.mod hash for the indirect tag stays the same as expected for a patch).
Level of scrutiny
Low. Patch-level transitive dependency bumps from Dependabot with no API surface changes are the canonical auto-merge case. There's no logic change in the repo's own code and no other dependencies shifted as a side effect.
Other factors
The PR is consistent across all 5 modules (same old/new version everywhere), the bug-hunting system found nothing, and there are no outstanding reviewer comments. Safe to shadow-approve.
Bumps the go_modules group with 1 update in the /packages/api directory: github.com/quic-go/quic-go.
Bumps the go_modules group with 1 update in the /packages/auth directory: github.com/quic-go/quic-go.
Bumps the go_modules group with 1 update in the /packages/dashboard-api directory: github.com/quic-go/quic-go.
Bumps the go_modules group with 1 update in the /packages/orchestrator directory: github.com/quic-go/quic-go.
Bumps the go_modules group with 1 update in the /packages/shared directory: github.com/quic-go/quic-go.
Updates
github.com/quic-go/quic-gofrom 0.59.0 to 0.59.1Release notes
Sourced from github.com/quic-go/quic-go's releases.
Commits
438abf0http3: implement trailer validation logic (#5642)Updates
github.com/quic-go/quic-gofrom 0.59.0 to 0.59.1Release notes
Sourced from github.com/quic-go/quic-go's releases.
Commits
438abf0http3: implement trailer validation logic (#5642)Updates
github.com/quic-go/quic-gofrom 0.59.0 to 0.59.1Release notes
Sourced from github.com/quic-go/quic-go's releases.
Commits
438abf0http3: implement trailer validation logic (#5642)Updates
github.com/quic-go/quic-gofrom 0.59.0 to 0.59.1Release notes
Sourced from github.com/quic-go/quic-go's releases.
Commits
438abf0http3: implement trailer validation logic (#5642)Updates
github.com/quic-go/quic-gofrom 0.59.0 to 0.59.1Release notes
Sourced from github.com/quic-go/quic-go's releases.
Commits
438abf0http3: implement trailer validation logic (#5642)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.