fix(deps): update backend dependencies

[renovate-sh-app]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
github.com/apache/arrow-go/v18	v18.5.2 → v18.6.0			indirect	minor
github.com/bradleyfalzon/ghinstallation/v2	v2.18.0 → v2.19.0			require	minor
github.com/clipperhouse/displaywidth	v0.10.0 → v0.11.0			indirect	minor
github.com/clipperhouse/uax29/v2	v2.6.0 → v2.7.0			indirect	minor
github.com/emicklei/go-restful/v3	v3.11.0 → v3.13.0			indirect	minor
github.com/fatih/color	v1.18.0 → v1.19.0			indirect	minor
github.com/go-openapi/jsonpointer	v0.22.5 → v0.23.1			indirect	minor
github.com/go-openapi/jsonreference	v0.21.5 → v0.21.6			indirect	patch
github.com/go-openapi/swag	v0.23.0 → v0.26.1			indirect	minor
github.com/go-openapi/swag/jsonname	v0.25.5 → v0.26.1			indirect	minor
github.com/goccy/go-json	v0.10.5 → v0.10.6			indirect	patch
github.com/google/gnostic-models	v0.7.0 → v0.7.1			indirect	patch
github.com/grafana/grafana-plugin-sdk-go	v0.291.1 → v0.292.1			require	minor
github.com/grafana/otel-profiling-go	v0.5.1 → v0.6.0			indirect	minor
github.com/grafana/pyroscope-go/godeltaprof	v0.1.9 → v0.1.11			indirect	patch
github.com/grafana/schemads	v0.0.8 → v0.2.3			require	minor
github.com/grpc-ecosystem/grpc-gateway/v2	v2.28.0 → v2.29.0			indirect	minor
github.com/hashicorp/go-plugin	v1.7.0 → v1.8.0			indirect	minor
github.com/huandu/go-sqlbuilder	v1.39.1 → v1.42.1			indirect	minor
github.com/huandu/xstrings	v1.4.0 → v1.5.0			indirect	minor
github.com/jaegertracing/jaeger-idl	v0.6.0 → v0.9.0			indirect	minor
github.com/klauspost/compress	v1.18.4 → v1.18.6			indirect	patch
github.com/magefile/mage	v1.16.1 → v1.17.2			indirect	minor
github.com/mailru/easyjson	v0.7.7 → v0.9.2			indirect	minor
github.com/mattn/go-colorable	v0.1.14 → v0.1.15			indirect	patch
github.com/mattn/go-isatty	v0.0.20 → v0.0.22			indirect	patch
github.com/mattn/go-runewidth	v0.0.19 → v0.0.24			indirect	patch
github.com/oklog/run	v1.1.0 → v1.2.0			indirect	minor
github.com/olekukonko/ll	v0.1.6 → v0.1.8			indirect	patch
github.com/pierrec/lz4/v4	v4.1.25 → v4.1.27			indirect	patch
github.com/prometheus/common	v0.67.5 → v0.69.0			indirect	minor
github.com/prometheus/procfs	v0.16.1 → v0.20.1			indirect	minor
github.com/shurcooL/graphql	3cf50f8 → 7ee5256			indirect	digest
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.67.0 → v0.69.0			indirect	minor
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace	v0.67.0 → v0.69.0			indirect	minor
go.opentelemetry.io/contrib/propagators/jaeger	v1.42.0 → v1.44.0			indirect	minor
go.opentelemetry.io/contrib/samplers/jaegerremote	v0.36.0 → v0.37.1			indirect	minor
go.opentelemetry.io/otel	v1.43.0 → v1.44.0			indirect	minor
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.42.0 → v1.44.0			indirect	minor
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.42.0 → v1.44.0			indirect	minor
go.opentelemetry.io/otel/metric	v1.43.0 → v1.44.0			indirect	minor
go.opentelemetry.io/otel/sdk	v1.43.0 → v1.44.0			indirect	minor
go.opentelemetry.io/otel/trace	v1.43.0 → v1.44.0			indirect	minor
go.opentelemetry.io/proto/otlp	v1.9.0 → v1.10.0			indirect	minor
go.yaml.in/yaml/v2	v2.4.3 → v2.4.4			indirect	patch
golang.org/x/exp	716be56 → c48552f			indirect	digest
golang.org/x/mod	v0.34.0 → v0.37.0			indirect	minor
golang.org/x/net	v0.53.0 → v0.55.0			indirect	minor
golang.org/x/sync	v0.20.0 → v0.21.0			indirect	minor
golang.org/x/sys	v0.43.0 → v0.44.0			indirect	minor
golang.org/x/text	v0.36.0 → v0.38.0			indirect	minor
golang.org/x/tools	v0.43.0 → v0.46.0			indirect	minor	v0.47.0
google.golang.org/genproto/googleapis/api	4cfbd41 → b703f56			indirect	digest
google.golang.org/genproto/googleapis/rpc	a57be14 → b703f56			indirect	digest
google.golang.org/grpc	v1.79.3 → v1.81.1			indirect	minor
pgregory.net/rapid	v1.2.0 → v1.3.0			require	minor

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-42506 / GO-2026-5025

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

• https://go.dev/issue/79571
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
• https://go.dev/cl/781700

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVE-2026-39821 / GO-2026-5026

More information

Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

Unknown

References

• https://go.dev/cl/767220
• https://go.dev/issue/78760
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-42502 / GO-2026-5027

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

• https://go.dev/issue/79572
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
• https://go.dev/cl/781701

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-25680 / GO-2026-5028

More information

Details

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

Unknown

References

• https://go.dev/cl/781702
• https://go.dev/issue/79573
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

CVE-2026-25681 / GO-2026-5029

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

• https://go.dev/issue/79574
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
• https://go.dev/cl/781703

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-27136 / GO-2026-5030

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

• https://go.dev/issue/79575
• https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
• https://go.dev/cl/781685

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

CVE-2026-39824 / GO-2026-5024

More information

Details

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Severity

Unknown

References

• https://go.dev/issue/78916
• https://go.dev/cl/770080
• https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

apache/arrow-go (github.com/apache/arrow-go/v18)

v18.6.0: Apache Arrow Go 18.6.0

Compare Source

What's Changed

• chore(dev/post-website): improve email generation by @​zeroshade in #​685
• chore(fixup): silly mistake by @​zeroshade in #​686
• chore(dev/release): use release/KEYS instead of dev/KEYS by @​zeroshade in #​683
• chore: Bump github.com/pterm/pterm from 0.12.82 to 0.12.83 by @​dependabot[bot] in #​681
• chore: Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​678
• chore: Bump github.com/substrait-io/substrait-go/v7 from 7.4.0 to 7.5.0 by @​dependabot[bot] in #​682
• chore: Bump actions/upload-artifact from 6.0.0 to 7.0.0 by @​dependabot[bot] in #​680
• chore: Bump actions/download-artifact from 7.0.0 to 8.0.0 by @​dependabot[bot] in #​679
• fix(arrow/flight/session): fix flaky race condition test by @​zeroshade in #​687
• feat(parquet/file): pre-allocate BinaryBuilder data buffer using column chunk metadata to eliminate resize overhead by @​junyan-ling in #​689
• fix(arrow-go/flightsql): route QueryContext through active transaction by @​wjywbs in #​692
• fix(parquet/file): use adaptive batch sizing to avoid panic by @​zeroshade in #​690
• fix: add nullability to struct type String() by @​Willem-J-an in #​700
• chore: Bump github.com/substrait-io/substrait-go/v7 from 7.5.0 to 7.5.1 by @​dependabot[bot] in #​698
• chore: Bump github.com/pierrec/lz4/v4 from 4.1.25 to 4.1.26 by @​dependabot[bot] in #​696
• chore: Bump docker/login-action from 3 to 4 by @​dependabot[bot] in #​695
• perf(arrow/compute): improve take kernel perf by @​zeroshade in #​702
• perf(arrow/array): pre-alloc bulk appends by @​zeroshade in #​699
• chore: Bump google.golang.org/grpc from 1.79.1 to 1.79.2 by @​dependabot[bot] in #​697
• perf(parquet): dictionary impl cleanup by @​zeroshade in #​701
• fix(parquet/pqarrow): fix Decimal256 sign extension by @​dimakuz in #​711
• perf(parquet): remove string concatenation in hot debug assert by @​starpact in #​708
• fix(avro): correctly set nullability for ListType by @​Willem-J-an in #​709
• perf(parquet/file): avoid double bool bitmap conversion by @​zeroshade in #​707
• fix(compute): fix data race and memory leak in concurrent is_in kernel by @​laskoviymishka in #​712
• perf(parquet/compress): set zstd pool encoder concurrency to 1 by @​dimakuz in #​717
• chore: Bump google.golang.org/grpc from 1.79.2 to 1.79.3 by @​dependabot[bot] in #​724
• perf(parquet): optimize stats and bloom filters for bool columns by @​zeroshade in #​715
• chore: Bump actions/download-artifact from 8.0.0 to 8.0.1 by @​dependabot[bot] in #​718
• fix(parquet): strip repetition_type from root SchemaElement during serialization by @​hcrosse in #​723
• chore: Update CI with Go 1.25/1.26 by @​zeroshade in #​725
• chore: Bump modernc.org/sqlite from 1.46.1 to 1.46.2 by @​dependabot[bot] in #​720
• chore: Bump golang.org/x/sync from 0.19.0 to 0.20.0 by @​dependabot[bot] in #​694
• chore: Bump golang.org/x/tools from 0.42.0 to 0.43.0 by @​dependabot[bot] in #​719
• Test and fix for bug in selectMapimpl by @​wwarner-inf in #​726
• chore: pin docker/login-action for ASF allowlist by @​lidavidm in #​729
• fix(parquet/pqarrow): return an error on pqarrow write calls if the writer is already closed by @​alexandre-normand in #​728
• ci: fix mingw GO_VERSION by @​zeroshade in #​733
• ci: fix tinygo build with maphash by @​zeroshade in #​734
• perf(parquet/internal/encoding): vectorize amd64 bool unpack by @​zeroshade in #​735
• perf(parquet): eliminate per-value allocation in delta bit-pack decoder by @​zeroshade in #​730
• fix(parquet): eagerly release adaptive bloom filter candidate buffers + skip flaky flight tests in CI by @​zeroshade in #​743
• perf(parquet): vectorize ARM64 NEON bool unpacking for ~4x throughput by @​zeroshade in #​731
• chore: Bump github.com/goccy/go-json from 0.10.5 to 0.10.6 by @​dependabot[bot] in #​741
• chore: Bump modernc.org/sqlite from 1.47.0 to 1.48.0 by @​dependabot[bot] in #​740
• chore: Bump github.com/substrait-io/substrait-go/v7 from 7.5.1 to 7.6.0 by @​dependabot[bot] in #​739
• chore: Bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @​dependabot[bot] in #​738
• chore: Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in #​737
• fix: eliminate per-element heap allocs in is_in kernel for binary types by @​zeroshade in #​745
• chore: Bump docker/login-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​750
• chore: Bump google.golang.org/grpc from 1.79.3 to 1.80.0 by @​dependabot[bot] in #​751
• chore: Bump modernc.org/sqlite from 1.48.0 to 1.48.1 by @​dependabot[bot] in #​752
• chore: Bump github.com/andybalholm/brotli from 1.2.0 to 1.2.1 by @​dependabot[bot] in #​753
• chore: Bump github.com/substrait-io/substrait-go from v7.6.0 to v8.0.0 by @​benbellick in #​754
• chore(deps): replace golang/snappy with klauspost/compress/snappy by @​thaJeztah in #​762
• chore: remove mentions of compatibility with go toolchain < go1.18 by @​thaJeztah in #​760
• fix(arrow/cdata, arrow/flight): fix handling of colons in values and fix potential panics by @​thaJeztah in #​761
• test(parquet/file): add regression test for mixed-size ByteArray WriteBatch by @​kli19 in #​757
• chore: remove tools.go files in favor of go.mod "tool" directive by @​thaJeztah in #​759
• refactor(parquet/cmd): replace uses of github.com/docopt/docopt-go by @​thaJeztah in #​764
• feat(arrow/compute): sort support by @​hamilton-earthscope in #​749
• chore: Bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​765
• chore: Bump actions/upload-artifact from 7.0.0 to 7.0.1 by @​dependabot[bot] in #​766
• chore: Bump golang.org/x/sys from 0.42.0 to 0.43.0 by @​dependabot[bot] in #​767
• chore: Bump modernc.org/sqlite from 1.48.1 to 1.48.2 by @​dependabot[bot] in #​768
• chore: Bump github.com/substrait-io/substrait-go/v8 from 8.0.0 to 8.0.1 by @​dependabot[bot] in #​769
• chore: replace golang.org/x/xerrors for stdlib errors by @​thaJeztah in #​763
• fix(arrow): formatting lint issue by @​zeroshade in #​770
• feat(arrow/array): add Validate/ValidateFull to binary and string arrays by @​zeroshade in #​747
• UnsafeAppendBoolToBitmap for dictionary and REE builders by @​serramatutu in #​758
• perf: optimize ARM64 NEON min/max assembly by @​zeroshade in #​748
• fix(parquet/pqarrow): normalize the element name in the stored ARROW:schema by @​zeroshade in #​746
• chore: Bump github.com/substrait-io/substrait-go/v8 from 8.0.1 to 8.1.0 by @​dependabot[bot] in #​776
• chore: Bump modernc.org/sqlite from 1.48.2 to 1.49.1 by @​dependabot[bot] in #​775
• fix(parquet): clarify docstring on Close method of FileWriter, proper err output by @​zeroshade in #​774
• feat(arrow/array): Add new arreflect package by @​zeroshade in #​771
• chore(arrow): bump to v18.6.0 by @​zeroshade in #​778

New Contributors

• @​junyan-ling made their first contribution in #​689
• @​wjywbs made their first contribution in #​692
• @​dimakuz made their first contribution in #​711
• @​starpact made their first contribution in #​708
• @​laskoviymishka made their first contribution in #​712
• @​hcrosse made their first contribution in #​723
• @​wwarner-inf made their first contribution in #​726
• @​alexandre-normand made their first contribution in #​728
• @​benbellick made their first contribution in #​754
• @​thaJeztah made their first contribution in #​762
• @​kli19 made their first contribution in #​757
• @​serramatutu made their first contribution in #​758

Full Changelog: apache/arrow-go@v18.5.2...v18.6.0

bradleyfalzon/ghinstallation (github.com/bradleyfalzon/ghinstallation/v2)

v2.19.0

Compare Source

What's Changed

• Update go-github to v85 by @​asvoboda in #​188
• Update go-github to v88 by @​asvoboda in #​192
• Bump the actions group across 1 directory with 2 updates by @​dependabot[bot] in #​190

Full Changelog: bradleyfalzon/ghinstallation@v2.18.0...v2.19.0

clipperhouse/displaywidth (github.com/clipperhouse/displaywidth)

v0.11.0

Compare Source

clipperhouse/uax29 (github.com/clipperhouse/uax29/v2)

v2.7.0

Compare Source

emicklei/go-restful (github.com/emicklei/go-restful/v3)

v3.13.0

Compare Source

• optimize performance of path matching in CurlyRouter ( thanks @​wenhuang, Wen Huang)

v3.12.2

Compare Source

• allow empty payloads in post,put,patch, issue #​580 ( thanks @​liggitt, Jordan Liggitt)

v3.12.1

Compare Source

• fix misroute when dealing multiple webservice with regex (#​549) (thanks Haitao Chen)

v3.12.0

Compare Source

• add Flush method #​529 (#​538)
• fix: Improper handling of empty POST requests (#​543)

v3.11.3

Compare Source

• better not have 2 tags on one commit

v3.11.2

Compare Source

• fix by restoring custom JSON handler functions (Mike Beaumont #​540)

v3.11.1

Compare Source

• fix by restoring custom JSON handler functions (Mike Beaumont #​540)

fatih/color (github.com/fatih/color)

v1.19.0

Compare Source

What's Changed

• Bump golang.org/x/sys from 0.25.0 to 0.28.0 by @​dependabot[bot] in #​246
• Fix for issue #​230 set/unsetwriter symmetric wrt color support detection by @​ataypamart in #​243
• chore: go mod cleanup by @​sashamelentyev in #​244
• Bump golang.org/x/sys from 0.28.0 to 0.30.0 by @​dependabot[bot] in #​249
• Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by @​dependabot[bot] in #​248
• Update CI and go deps by @​fatih in #​254
• Bump golang.org/x/sys from 0.31.0 to 0.37.0 by @​dependabot[bot] in #​268
• fix: include escape codes in byte counts from Fprint, Fprintf by @​qualidafial in #​282
• Bump golang.org/x/sys from 0.37.0 to 0.40.0 by @​dependabot[bot] in #​277
• fix: add nil check for os.Stdout to prevent panic on Windows services by @​majiayu000 in #​275
• Bump dominikh/staticcheck-action from 1.3.1 to 1.4.0 by @​dependabot[bot] in #​259
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​273
• Optimize Color.Equals performance (O(n²) → O(n)) by @​UnSubble in #​269
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in #​266

New Contributors

• @​ataypamart made their first contribution in #​243
• @​sashamelentyev made their first contribution in #​244
• @​qualidafial made their first contribution in #​282
• @​majiayu000 made their first contribution in #​275
• @​UnSubble made their first contribution in #​269

Full Changelog: fatih/color@v1.18.0...v1.19.0

go-openapi/jsonpointer (github.com/go-openapi/jsonpointer)

v0.23.1

Compare Source

0.23.1 - 2026-04-18

Full Changelog: go-openapi/jsonpointer@v0.23.0...v0.23.1

5 commits in this release.

---

Fixed bugs

• fix(offset): in Offset method, fixed index of value of array element. by @​fredbi in #​128 ...

Documentation

• doc: project status update by @​fredbi in #​127 ...
• docs: point to organization-wide documentations, added missing godocs by @​fredbi in #​126 ...
• doc: updated contributors file by @​bot-go-openapi[bot] i

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.26.1 -> 1.26.3