Bump the backend-updates group across 1 directory with 8 updates

[dependabot]

Bumps the backend-updates group with 8 updates in the / directory:

Package	From	To
github.com/evanw/esbuild	0.21.5	0.23.1
github.com/go-chi/httplog/v2	2.0.11	2.1.1
github.com/go-chi/httprate	0.9.0	0.14.1
golang.org/x/crypto	0.24.0	0.27.0
gorm.io/gorm	1.25.10	1.25.12
github.com/go-chi/chi/v5	5.0.14	5.1.0
github.com/go-webauthn/webauthn	0.10.2	0.11.2
golang.org/x/oauth2	0.21.0	0.23.0

Updates github.com/evanw/esbuild from 0.21.5 to 0.23.1

Release notes

Sourced from github.com/evanw/esbuild's releases.

v0.23.1

• Allow using the node: import prefix with es* targets (#3821)

  The node: prefix on imports is an alternate way to import built-in node modules. For example, import fs from "fs" can also be written import fs from "node:fs". This only works with certain newer versions of node, so esbuild removes it when you target older versions of node such as with --target=node14 so that your code still works. With the way esbuild's platform-specific feature compatibility table works, this was added by saying that only newer versions of node support this feature. However, that means that a target such as --target=node18,es2022 removes the node: prefix because none of the es* targets are known to support this feature. This release adds the support for the node: flag to esbuild's internal compatibility table for es* to allow you to use compound targets like this:

  // Original code
  import fs from 'node:fs'
  fs.open
  // Old output (with --bundle --format=esm --platform=node --target=node18,es2022)
  import fs from "fs";
  fs.open;
  // New output (with --bundle --format=esm --platform=node --target=node18,es2022)
  import fs from "node:fs";
  fs.open;

• Fix a panic when using the CLI with invalid build flags if --analyze is present (#3834)

  Previously esbuild's CLI could crash if it was invoked with flags that aren't valid for a "build" API call and the --analyze flag is present. This was caused by esbuild's internals attempting to add a Go plugin (which is how --analyze is implemented) to a null build object. The panic has been fixed in this release.

• Fix incorrect location of certain error messages (#3845)

  This release fixes a regression that caused certain errors relating to variable declarations to be reported at an incorrect location. The regression was introduced in version 0.18.7 of esbuild.

• Print comments before case clauses in switch statements (#3838)

  With this release, esbuild will attempt to print comments that come before case clauses in switch statements. This is similar to what esbuild already does for comments inside of certain types of expressions. Note that these types of comments are not printed if minification is enabled (specifically whitespace minification).

• Fix a memory leak with pluginData (#3825)

  With this release, the build context's internal pluginData cache will now be cleared when starting a new build. This should fix a leak of memory from plugins that return pluginData objects from onResolve and/or onLoad callbacks.

v0.23.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.22.0 or ~0.22.0. See npm's documentation about semver for more information.

• Revert the recent change to avoid bundling dependencies for node (#3819)

  This release reverts the recent change in version 0.22.0 that made --packages=external the default behavior with --platform=node. The default is now back to --packages=bundle.

  I've just been made aware that Amazon doesn't pin their dependencies in their "AWS CDK" product, which means that whenever esbuild publishes a new release, many people (potentially everyone?) using their SDK around the world instantly starts using it without Amazon checking that it works first. This change in version 0.22.0 happened to break their SDK. I'm amazed that things haven't broken before this point. This revert attempts to avoid these problems for Amazon's customers. Hopefully Amazon will pin their dependencies in the future.

  In addition, this is probably a sign that esbuild is used widely enough that it now needs to switch to a more complicated release model. I may have esbuild use a beta channel model for further development.

• Fix preserving collapsed JSX whitespace (#3818)

  When transformed, certain whitespace inside JSX elements is ignored completely if it collapses to an empty string. However, the whitespace should only be ignored if the JSX is being transformed, not if it's being preserved. This release fixes a bug where esbuild was previously incorrectly ignoring collapsed whitespace with --jsx=preserve. Here is an example:

... (truncated)

Changelog

Sourced from github.com/evanw/esbuild's changelog.

0.23.1

• Allow using the node: import prefix with es* targets (#3821)

  The node: prefix on imports is an alternate way to import built-in node modules. For example, import fs from "fs" can also be written import fs from "node:fs". This only works with certain newer versions of node, so esbuild removes it when you target older versions of node such as with --target=node14 so that your code still works. With the way esbuild's platform-specific feature compatibility table works, this was added by saying that only newer versions of node support this feature. However, that means that a target such as --target=node18,es2022 removes the node: prefix because none of the es* targets are known to support this feature. This release adds the support for the node: flag to esbuild's internal compatibility table for es* to allow you to use compound targets like this:

  // Original code
  import fs from 'node:fs'
  fs.open
  // Old output (with --bundle --format=esm --platform=node --target=node18,es2022)
  import fs from "fs";
  fs.open;
  // New output (with --bundle --format=esm --platform=node --target=node18,es2022)
  import fs from "node:fs";
  fs.open;

• Fix a panic when using the CLI with invalid build flags if --analyze is present (#3834)

  Previously esbuild's CLI could crash if it was invoked with flags that aren't valid for a "build" API call and the --analyze flag is present. This was caused by esbuild's internals attempting to add a Go plugin (which is how --analyze is implemented) to a null build object. The panic has been fixed in this release.

• Fix incorrect location of certain error messages (#3845)

  This release fixes a regression that caused certain errors relating to variable declarations to be reported at an incorrect location. The regression was introduced in version 0.18.7 of esbuild.

• Print comments before case clauses in switch statements (#3838)

  With this release, esbuild will attempt to print comments that come before case clauses in switch statements. This is similar to what esbuild already does for comments inside of certain types of expressions. Note that these types of comments are not printed if minification is enabled (specifically whitespace minification).

• Fix a memory leak with pluginData (#3825)

  With this release, the build context's internal pluginData cache will now be cleared when starting a new build. This should fix a leak of memory from plugins that return pluginData objects from onResolve and/or onLoad callbacks.

0.23.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.22.0 or ~0.22.0. See npm's documentation about semver for more information.

• Revert the recent change to avoid bundling dependencies for node (#3819)

  This release reverts the recent change in version 0.22.0 that made --packages=external the default behavior with --platform=node. The default is now back to --packages=bundle.

  I've just been made aware that Amazon doesn't pin their dependencies in their "AWS CDK" product, which means that whenever esbuild publishes a new release, many people (potentially everyone?) using their SDK around the world instantly starts using it without Amazon checking that it works first. This change in version 0.22.0 happened to break their SDK. I'm amazed that things haven't broken before this point. This revert attempts to avoid these problems for Amazon's customers. Hopefully Amazon will pin their dependencies in the future.

  In addition, this is probably a sign that esbuild is used widely enough that it now needs to switch to a more complicated release model. I may have esbuild use a beta channel model for further development.

• Fix preserving collapsed JSX whitespace (#3818)

... (truncated)

Commits

• 3327274 publish 0.23.1 to npm
• 38e22ed add a warning/debug log message for #3867
• a15bb51 fix #3825: memory leak of pluginData values
• f6e6481 fix #3838: print comments before case clauses
• 9c13ae1 fix #3853: update go 1.22.4 => 1.22.5
• 78f89e4 fix #3845: some incorrect error message locations
• 892d2a7 fix #3834: cli sometimes panics with --analyze
• 360d472 fix a typo in the release notes
• e3f4e2d fix #3821: allow node: prefix with es* targets
• 9d50680 publish 0.23.0 to npm
• Additional commits viewable in compare view

Updates github.com/go-chi/httplog/v2 from 2.0.11 to 2.1.1

Commits

• ba56122 Bugfix/log entry set fields (#38)
• e087811 go.mod back to 1.21 after PR
• 9b213a9 Tracing options (#47)
• See full diff in compare view

Updates github.com/go-chi/httprate from 0.9.0 to 0.14.1

Release notes

Sourced from github.com/go-chi/httprate's releases.

v0.14.0

What's Changed

• Implement rate-limiting from HTTP handler (e.g. by request payload) by @​VojtechVitek in go-chi/httprate#42
• Export http.RateLimiter type by @​VojtechVitek in go-chi/httprate#43
• Introduce RespondOnLimit() vs. OnLimit() methods by @​VojtechVitek in go-chi/httprate#44

Add support to rate-limit by custom key from HTTP handler (e.g. by request payload fields)

// Rate-limiter for login endpoint.
loginRateLimiter := httprate.NewRateLimiter(5, time.Minute)
r.Post("/login", func(w http.ResponseWriter, r *http.Request) {
var payload struct {
Username string json:"username"
Password string json:"password"
}
err := json.NewDecoder(r.Body).Decode(&payload)
if err != nil || payload.Username == "" || payload.Password == "" {
w.WriteHeader(400)
return
}
// Rate-limit login at 5 req/min.
if loginRateLimiter.RespondOnLimit(w, r, payload.Username) {
	return
}
w.Write([]byte("login at 5 req/min\n"))

})

Full Changelog: go-chi/httprate@v0.12.1...v0.14.0

v0.13.1

What's Changed

• Export http.RateLimiter type by @​VojtechVitek in go-chi/httprate#43 so users can pass *http.RateLimiter (or save in their server struct) and use the new .OnLimit() feature from go-chi/httprate#42.

Full Changelog: go-chi/httprate@v0.13.0...v0.13.1

v0.13.0

Full Changelog: go-chi/httprate@v0.13.0...v0.13.0

Add support to rate-limit by custom key from HTTP handler (e.g. by request payload fields)

// Rate-limiter for login endpoint.
loginRateLimiter := httprate.NewRateLimiter(5, time.Minute)
r.Post("/login", func(w http.ResponseWriter, r *http.Request) {
var payload struct {
</tr></table>

... (truncated)

Commits

• ae11543 Add httpate.Key(string) helper for static keys (#45)
• 5e681e3 Introduce RespondOnLimit() vs. OnLimit() (#44)
• c4c778c Export RateLimiter type (#43)
• 80029e2 Implement rate-limiting from HTTP handler (e.g. by request payload) (#42)
• 99b3b69 README: Fix typo
• 62dba55 Implement httprate.WithErrorHandler() (#41)
• 6aa26b0 Local counter: Don't re-allocate maps in Go 1.21+ (#40)
• 9e50ad6 Export in-memory counter for external use (#39)
• 05a79e9 Upgrade to actions/setup-go@v5, improve README (#38)
• 4afd620 Improve example, add go module (#37)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.24.0 to 0.27.0

Commits

• c9da6b9 all: fix printf(var) mistakes detected by latest printf checker
• b35ab4f go.mod: update golang.org/x dependencies
• bcb0f91 internal/poly1305: Port sum_amd64.s to Avo
• 7eace71 chacha20poly1305: Avo port of chacha20poly1305_amd64.s
• 620dfbc salsa20/salsa: Port salsa20_amd64.s to Avo
• 82942cf blake2b: port blake2b_amd64.s to Avo
• 0484c26 blake2b: port blake2bAVX2_amd64.s to Avo
• 38ed1bc blake2s: port blake2s_amd64.s to Avo
• 38a0b5d argon2: Avo port of blamka_amd64.s
• bf5f14f x509roots/fallback: update bundle
• Additional commits viewable in compare view

Updates gorm.io/gorm from 1.25.10 to 1.25.12

Commits

• 0daaf17 fix: AfterQuery using safer right trim while clearing from clause's join adde...
• 0dbfda5 fix memory leaks in PrepareStatementDB (#7142)
• 4a50b36 ci: Add PostgreSQL 14 and 15 to GitHub Actions matrix (#7081)
• 11c4331 feat: add MapColumns method (#6901)
• 8a0af58 fix map fields with clickhouse driver
• 4f62911 Allow to support other field types
• 109f239 add DB level propagation for the Unscoped flag (#7007)
• 79bf7f9 fix CI for sqlserver
• 3d09f79 only listen local port
• 73a988c fix(scan): update Scan function to reset structs to zero values for each scan...
• Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.0.14 to 5.1.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.1.0

What's Changed

• middleware: add Discard method to WrapResponseWriter by @​patrislav in go-chi/chi#926
  • Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at go-chi/chi#926, we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

• @​patrislav made their first contribution in go-chi/chi#926

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

Commits

• 67be7d9 middleware: add Discard method to WrapResponseWriter (#926)
• See full diff in compare view

Updates github.com/go-webauthn/webauthn from 0.10.2 to 0.11.2

Release notes

Sourced from github.com/go-webauthn/webauthn's releases.

v0.11.2

v0.11.2 (2024-08-25)

Bug Fixes

• protocol: out of date tpm manufacturers (#283) (13ad30e)

v0.11.1

v0.11.1 (2024-08-06)

Bug Fixes

• metadata: file closed too early (#273) (9ca2fae), closes #264
• metadata: functional opt sets wrong value (#272) (2b83ee0)

v0.11.0

v0.11.0 (2024-07-29)

Features

• allow empty modality values (#257) (a5c838a), closes #257
• metadata: rework as a provider (#239) (6713911), closes #239 #77 #154
• backup flag validation (#240) (2195f33), closes #240
• remove deprecated values (#233) (f63fbc1), closes #233 #221
• config: allow rpid to be defined at execution time (#234) (c673c3d), closes #165
• parse credential bytes (#258) (b382edc)
• support hints and attestation formats (#216) (824017d)
• top origin verification (#217) (0c97761), closes #205
• webauthn level 3 (#232) (482cf89)

BREAKING CHANGES

While I endeavor to avoid breaking changes some are necessary to support both better outcomes for implementers and fix issues which are not desirable. This release packs a quite a few, so it's important to take the time to read. While the details on adapting are not comprehensive, they should easy to understand and clarification will be added where it makes sense. Feel free to open a discussion if you're having issues migrating.

• MAJOR: A majority of the functionality that exists within the metadata package has been completely reworked. The rework has added a number of great validation options for implementers as well as allowing them to more easily manage metadata blobs and the refresh of these blobs in their own domain logic. This will require substantial work for anyone currently using it. I will aim to make a discussion explaining all of it in the coming days.
• The following fields and backwards compatible elements have been removed; Icon field from the CredentialEntity struct, WebAuthnIcon function from the User interface, RPIcon/RPOrigin/Timeout fields from the Config struct, Transports field from the CredentialCreationResponse (new field has existed in the AuthenticatorAttestationResponse struct for quite some time which matches the spec).
• The Backup Eligible and Backup State flags within the CredentialFlags struct (field of the Credential struct) are now strictly validated to be consistent with the spec. This breaks implementations which do not strictly adhere to the specification. Several major providers either have or are currently "upgrading" existing WebAuthn credential records to BE and BS passkeys.
• The default modality values are now empty by default. This allows additional browser flows to be accessible to implementers. This change will change default behavior. Previously the required resident key value was set to false, and the user verification option was set to 'preferred'. Implementers looking for consistent values should customize the Authenticator Selection Criteria during registration.

Commits

• 33464f5 release: v0.11.2 (#285)
• feff416 build(deps): bump github/codeql-action from 3.26.4 to 3.26.5 (#284)
• 13ad30e fix(protocol): out of date tpm manufacturers (#283)
• 133c7fe build(deps): bump github/codeql-action from 3.26.2 to 3.26.4 (#282)
• e906bfc build(deps): bump github/codeql-action from 3.26.1 to 3.26.2 (#279)
• e65b01b build(deps): update module github.com/go-webauthn/x to v0.1.14 (#278)
• f5c4584 build(deps): update dependency go to v1.23.0 (#276)
• 8a60f45 build(deps): bump github/codeql-action from 3.26.0 to 3.26.1 (#277)
• cf1758a build(deps): update module github.com/go-webauthn/x to v0.1.13 (#274)
• 9ca2fae fix(metadata): file closed too early (#273)
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.21.0 to 0.23.0

Commits

• 3e64809 x/oauth2: add Token.ExpiresIn
• 16a9973 jwt: rename example to avoid vet error
• b52af7d endpoints: add GitLab DeviceAuthURL
• 6d8340f LICENSE: update per Google Legal
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.