Bump the go_modules group across 10 directories with 5 updates

[dependabot]

Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-1/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/bazel-sample-2/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/go-mod-without-version/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/make-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/ninja-sample/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/single-go-mod-in-root/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/integration-tests/two-go-mods-nested-one-in-root/src directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /go/ql/test/experimental/CWE-1004 directory: github.com/gin-gonic/gin.
Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: github.com/go-jose/go-jose/v3 and github.com/golang-jwt/jwt/v5.

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates github.com/gin-gonic/gin from 1.7.1 to 1.9.1

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.9.1

Changelog

BUG FIXES

• fix Request.Context() checks #3512

SECURITY

• fix lack of escaping of filename in Content-Disposition #3556

ENHANCEMENTS

• refactor: use bytes.ReplaceAll directly #3455
• convert strings and slices using the officially recommended way #3344
• improve render code coverage #3525

DOCS

• docs: changed documentation link for trusted proxies #3575
• chore: improve linting, testing, and GitHub Actions setup #3583

v1.9.0

Changelog

BREAK CHANGES

• Stop useless panicking in context and render #2150

BUG FIXES

• fix(router): tree bug where loop index is not decremented. #3460
• fix(context): panic on NegotiateFormat - index out of range #3397
• Add escape logic for header #3500 and #3503

SECURITY

• Fix the GO-2022-0969 and GO-2022-0288 vulnerabilities #3333
• fix(security): vulnerability GO-2023-1571 #3505

ENHANCEMENTS

• feat: add sonic json support #3184
• chore(file): Creates a directory named path #3316
• fix: modify interface check way #3327
• remove deprecated of package io/ioutil #3395
• refactor: avoid calling strings.ToLower twice #3343
• console logger HTTP status code bug fixed #3453
• chore(yaml): upgrade dependency to v3 version #3456
• chore(router): match method added to routergroup for multiple HTTP methods supporting #3464

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.9.1

BUG FIXES

• fix Request.Context() checks #3512

SECURITY

• fix lack of escaping of filename in Content-Disposition #3556

ENHANCEMENTS

• refactor: use bytes.ReplaceAll directly #3455
• convert strings and slices using the officially recommended way #3344
• improve render code coverage #3525

DOCS

• docs: changed documentation link for trusted proxies #3575
• chore: improve linting, testing, and GitHub Actions setup #3583

Gin v1.9.0

BREAK CHANGES

• Stop useless panicking in context and render #2150

BUG FIXES

• fix(router): tree bug where loop index is not decremented. #3460
• fix(context): panic on NegotiateFormat - index out of range #3397
• Add escape logic for header #3500 and #3503

SECURITY

• Fix the GO-2022-0969 and GO-2022-0288 vulnerabilities #3333
• fix(security): vulnerability GO-2023-1571 #3505

ENHANCEMENTS

• feat: add sonic json support #3184
• chore(file): Creates a directory named path #3316
• fix: modify interface check way #3327
• remove deprecated of package io/ioutil #3395
• refactor: avoid calling strings.ToLower twice #3343
• console logger HTTP status code bug fixed #3453
• chore(yaml): upgrade dependency to v3 version #3456
• chore(router): match method added to routergroup for multiple HTTP methods supporting #3464
• chore(http): add support for go1.20 http.rwUnwrapper to gin.responseWriter #3489

... (truncated)

Commits

• 4ea0e64 Ready release gin 1.9.1 (by: thinkerou) (#3630)
• bb1fc2e fix Request.Context() checks (#3512)
• 2d4bbec fix lack of escaping of filename in Content-Disposition (#3556)
• 9f5ecd4 chore(deps): bump actions/setup-go from 3 to 4 (#3543)
• 20cd6bc chore(deps): bump github.com/go-playground/validator/v10 (#3610)
• 6bdc725 Fix typos in ISSUE_TEMPLATE.md (#3616)
• 1ab2689 chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#3599)
• 6a0556e improve render code coverage (#3525)
• eac2daa chore: update dependencies for various packages and libraries (#3585)
• 757a638 chore: improve linting, testing, and GitHub Actions setup (#3583)
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.4

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

Version 3.0.3

Fixed

• Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

• DecryptMulti: handle decompression error (#19)

Changed

• jwe/CompactSerialize: improve performance (#67)
• Increase the default number of PBKDF2 iterations to 600k (#48)
• Return the proper algorithm for ECDSA keys (#45)
• Update golang.org/x/crypto to v0.19 (#94)

Added

• Add Thumbprint support for opaque signers (#38)

Version 3.0.1

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

Commits

• 5253038 Backport fix 167 to v3 (#174)
• 047dc99 CI: Update github actions and go version (#173)
• 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
• 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
• add6a28 v3: backport decompression limit fix (#107)
• 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
• 863f73b v3.0.2: Update changelog (#95)
• bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
• 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
• aa386df jwe/CompactSerialize: improve performance. (#67)
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in golang-jwt/jwt#382
• build: add go1.22 to ci workflows by @​mfridman in golang-jwt/jwt#383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in golang-jwt/jwt#387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in golang-jwt/jwt#389
• chore: bump ci tests to include go1.23 by @​mfridman in golang-jwt/jwt#405
• Fix jwt -show by @​AlexanderYastrebov in golang-jwt/jwt#406
• docs: typo by @​kvii in golang-jwt/jwt#407
• Update SECURITY.md by @​oxisto in golang-jwt/jwt#416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in golang-jwt/jwt#425

New Contributors

• @​Ashikpaul made their first contribution in golang-jwt/jwt#382
• @​kvii made their first contribution in golang-jwt/jwt#407
• @​mattt made their first contribution in golang-jwt/jwt#425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

v5.2.1

What's Changed

• chore: remove unnecessary conversions from tests by @​estensen in golang-jwt/jwt#370
• Trivial: Typo fix for ECDSA error message by @​tjs-cinemo in golang-jwt/jwt#373
• Fix incorrect error return by @​ss49919201 in golang-jwt/jwt#371

New Contributors

• @​tjs-cinemo made their first contribution in golang-jwt/jwt#373
• @​ss49919201 made their first contribution in golang-jwt/jwt#371

Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1

v5.2.0

What's Changed

• Exported NewValidator by @​oxisto in golang-jwt/jwt#349
• Improve ErrInvalidKeyType error messages by @​Laurin-Notemann in golang-jwt/jwt#361
• Update MIGRATION_GUIDE.md by @​jbarham in golang-jwt/jwt#363

New Contributors

• @​Laurin-Notemann made their first contribution in golang-jwt/jwt#361
• @​jbarham made their first contribution in golang-jwt/jwt#363

Full Changelog: golang-jwt/jwt@v5.1.0...v5.2.0

v5.1.0

What's Changed

• Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError by @​oxisto in golang-jwt/jwt#316
• Fix typos in comments and test names by @​alexandear in golang-jwt/jwt#317
• Format: add whitespaces, remove empty lines by @​alexandear in golang-jwt/jwt#319
• Refactor example: use io.ReadAll instead of io.Copy by @​alexandear in golang-jwt/jwt#320

... (truncated)

Commits

• 0951d18 Merge commit from fork
• c035977 Update Parse example to use WithValidMethods (#425)
• bc8bdca Update SECURITY.md (#416)
• 5ec246c docs: typo (#407)
• 0123f1a Fix jwt -show (#406)
• f961c72 chore: bump ci tests to include go1.23 (#405)
• 62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
• 1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
• c8043ea build: add go1.22 to ci workflows (#383)
• 7c3f6dc Update README.md (#382)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.12.0 to 0.19.0

Commits

• 405cb3b go.mod: update golang.org/x dependencies
• 913d3ae x509roots/fallback: update bundle
• dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
• 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
• 055043d go.mod: update golang.org/x dependencies
• 08396bb internal/poly1305: drop Go 1.12 compatibility
• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.