fix: host metrics should be measured and stored correctly in case of HostAny() predicate#4067
Merged
Conversation
…HostAny() predicate Signed-off-by: Sandor Szuecs <sandor.szuecs@zalando.de>
….MeasureServe implementation Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Member
Author
|
👍 |
Contributor
|
Tests still fail in the pipeline |
Member
Author
not the GH Actions, so maybe a bug in CdP? |
Member
Author
|
I can reproduce it locally, so will fix it |
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Member
Author
|
👍 |
madumalt
approved these changes
Jun 16, 2026
This was referenced Jun 18, 2026
larry-dalmeida
added a commit
to larry-dalmeida/skipper
that referenced
this pull request
Jun 26, 2026
…nes to spec level, introduce Options struct
This commit addresses all open code review comments from PR #4033:
1. **Goroutines on spec level (szuecs)**: Move revalidationWorker and
lruBytesScraper from per-instance (cacheFilter) to per-spec (cacheSpec)
ownership. This prevents 20k+ goroutines for 10k routes and enables
proper cleanup on route reloads. Each filter instance enqueues revalidation
jobs with a doRevalFn closure that captures per-instance logic.
2. **Introduce cache.Options struct (szuecs)**: Replace 5 positional parameters
with a single Options struct containing MaxBytes, ListenAddr, NetOpts,
ValkeyRing, L1TTL, and optional Metrics. This enables future extension
without signature changes.
3. **Inject metrics (szuecs)**: Make metrics.Metrics injectable via Options
(defaults to metrics.Default if nil), removing hidden global dependency
and enabling test-scoped assertions without side effects.
4. **Verify remaining comments**:
- SetWithExpire error handling (net/valkey.go) already correct
- Docs terminology fixed: pod→process, Storage→Cache, dropped "cross-pod"
- Single shared valkeyRing already in place (refactoring merged)
Files modified:
- filters/cache/filter.go: Options struct, spec-level goroutines, doRevalFn closure
- filters/cache/filter_test.go: Updated all NewCacheFilter calls, added cleanup
- skipper.go: Updated instantiation to use cache.Options{}
- docs/reference/filters.md: Terminology and structure fixes
docs: document Valkey L2 storage, write-through L1, and cache metrics
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
fix: address code review findings — vary sentinel invalidation, stub accuracy, dead code
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: fix gofmt alignment of bgWg struct field comment
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: group cache config fields into dedicated //cache section in config.go
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
fix: add CacheL1TTL to defaultConfig and make Close() synchronous
config_test.go: defaultConfig() was missing CacheL1TTL, so the expected
config had 0s while ParseArgs produced the flag default of 1m0s.
filters/cache/filter.go: Close() only closed the revalJobs and
lruBytesDone channels without waiting for the background goroutines to
finish. Under -race this caused a panic (close of closed channel) when a
test's in-flight doRevalidate called f.fetch after the test's local
channels had been torn down. Adding bgWg tracks both goroutines and
Close() now blocks until both have exited.
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: use strings.SplitSeq in stripHopByHop and parseVaryNames
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: move --cache-l1-ttl config field and flag to Valkey section
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire --cache-l1-ttl flag through Options to ValkeyStorage
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix: update stale counter assertion after L1-first Get, add l1_hit to godoc
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: L1-first reads with l1_hit counter in ValkeyStorage.Get
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: write-through L1 warming on successful Valkey Set
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: add l1TTL field to ValkeyStorage (write-through prep)
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
Fix registration of cache filter
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: ratelimit registry creation to pass ring clients such that we can reuse the valkey ring client in the cache filter creation.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
cache: injectable metrics, trace spans, lru_bytes scraper
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
Promote log to warn
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
cache: promote storage Set/Delete error logs from Debug to Warn
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: tag cache_status, cache_key, cache_ttl_remaining_ms on trace span
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: reval_dropped and L1 fallback write verification
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: oversized LRU entry increments lru_oversized and is not stored
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: unsafe method + 4xx does not invalidate cached entry
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: must-revalidate forces coalesce when stale
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: log storage errors with per-site messages
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: add periodic lru_bytes gauge scrape every 10s
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix: address WP6 code review feedback
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: split valkey_fallback counter and add valkey_miss metric
Replace the single valkey_fallback counter with three distinct counters
for better observability:
- valkey_miss — clean cache miss (key absent in Valkey)
- valkey_get_fallback — Valkey error on Get; L1 consulted instead
- valkey_set_fallback — Valkey error on Set; L1 written instead
Inject metrics.Metrics into ValkeyStorage via NewValkeyStorage so
tests can assert counter values without relying on the global
metrics.Default singleton.
Introduce a valkeyClient interface (Get/SetWithExpire/Expire) so unit
tests can use an in-memory stub instead of a live Valkey/Docker
connection. Two new tests — RecordsValkeyMiss and
SplitFallbackCounters — exercise the counter logic with stubs.
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix(cache): add compile-time interface guards; assert valkey_get_fallback fires on fallback
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: add ValkeyStorage with L1 fallback for cache() filter
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire ValkeyStorage into NewCacheFilter (nil = in-memory only)
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire Valkey ring into cache() filter when swarm Valkey is configured
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
doc: redirect location query examples (#4077)
Feature: mtls filters (#4044)
feature: Add support to opt-out from zone aware routing via Ingress/RouteGroup (#4049)
Introduce the annotation `zalando.org/traffic-zone-aware: "false"` on
Ingress and RouteGroup resources. When set, the resource receives all
endpoints across all zones, bypassing zone filtering both at the
dataclient layer (endpoint fetch) and at the routesrv layer (per-zone
route serving).
Usage:
```
metadata:
annotations:
zalando.org/traffic-zone-aware: "false"
```
Tasks
1. Define `zalando.org/traffic-zone-aware` annotation constant in the
kubernetes package
2. Modify `GetEndpointSlicesByService` and `GetEndpointSlicesByTarget`
in `clusterstate.go` to accept ing and rg context param respectively and
skip zone filtering when value
ing.disableZoneAwareness/rg.disableZoneAwareness is true
3. Add zoneAwarenessAnnotationFilter() helper that returns an annotate()
filter when the zone-aware opt-out annotation is present
4. Modify Ingress v1 path rule conversion (`convertPathRuleV1`) and
default backend conversion (`convertDefaultBackendV1`) to read the
annotation, pass it to endpoint fetch and prepend the annotate() filter
when annotation is set
5. Modify RouteGroup backend application (`applyServiceBackend`) to read
the annotation, pass it to endpoint fetch and prepend the annotate()
filter when annotation is set
6. Add isZoneAwarenessDisabled() in routesrv/polling.go to detect the
opt-out by inspecting the route filter chain
7. Wire isZoneAwarenessDisabled() into getRouteForZone() to skip zone
filtering for opted-out routes
8. Update makeRoute test helper to inject the annotate() filter when the
opt-out flag is passed
9. Add integration test with two Ingresses in zone `eu-central-1a`: one
opted out (expects all endpoints across zones), one default (expects
only zone-local endpoints)
10. Add unit tests for `filterRoutesByZone` covering opt-out scenarios:
both routes opted out, opt-out mixed with normal route, and opt-out with
a below-threshold zone
Tested the changes:
The skipper-ingress with zone aware routing enabled was in Zone-A
1. Deployed ingress with 10 replicas, which means 10 endpoints are
available
```
zkubectl -n gmapp1 get pods -L topology.kubernetes.io/zone
NAME READY STATUS RESTARTS AGE ZONE
app1-v8-5c5965f6d4-7h6zr 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-7tnq4 1/1 Running 0 68s eu-central-1a
app1-v8-5c5965f6d4-98mz7 1/1 Running 0 68s eu-central-1c
app1-v8-5c5965f6d4-99n9p 1/1 Running 0 69s eu-central-1c
app1-v8-5c5965f6d4-bvdst 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-htn78 1/1 Running 0 68s eu-central-1b
app1-v8-5c5965f6d4-q75b9 1/1 Running 0 69s eu-central-1b
app1-v8-5c5965f6d4-wtgm5 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-xhv9q 1/1 Running 0 69s eu-central-1c
app1-v8-5c5965f6d4-zlz9x 1/1 Running 0 69s eu-central-1b
```
This meets the threshold to serve same zone endpoints, but since the
ingress has the opt-out annotation, the route contains all the endpoints
and not just zone filtered
```
kube_gmapp1__app1_v8_traffic_segment__gmapp1_pg9_test_zalan_do____app1_v8: Host(/^(gmapp1[.]pg9-test[.]zalan[.]do[.]?(:[0-9]+)?)$/) && TrafficSegment(0, 1)
-> disableAccessLog(2, 3, 404, 429)
-> fifo(2000, 20, "1s")
-> annotate("zalando.org/traffic-zone-aware", "false")
-> oauthTokeninfoValidate("{optOutAnnotations: [iam.zalando.org/public], optOutHosts: [\"^.*[.]ingress[.]cluster[.]local\"], unauthorizedResponse: \"Authentication required, see https://cloud.docs.zalando.net/howtos/authenticate-requests/#default-authentication\\n\"}")
-> stateBagToTag("auth-user", "client.uid")
-> <powerOfRandomNChoices, "http://[2a05:d024:90:1103:3e99::6]:8080", "http://[2a05:d024:90:1103:3e99::7]:8080", "http://[2a05:d024:90:1103:3e99::8]:8080", "http://[2a05:d024:90:1103:3e99::9]:8080", "http://[2a05:d024:90:1104:2396::a]:8080", "http://[2a05:d024:90:1104:2396::b]:8080", "http://[2a05:d024:90:1104:2396::c]:8080", "http://[2a05:d024:90:1105:4749::4]:8080", "http://[2a05:d024:90:1105:4749::6]:8080", "http://[2a05:d024:90:1105:4749::7]:8080">;
```
2. Deployed a routegroup with 15 replicas, which means 15 endpoints are
available
```
zkubectl -n gmapp2 get pods -L topology.kubernetes.io/zone
NAME READY STATUS RESTARTS AGE ZONE
app2-v2-c9694944-598mc 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-6bcpm 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-7jgpp 1/1 Running 0 7m7s eu-central-1b
app2-v2-c9694944-88xzb 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-8kl6q 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-8wc97 1/1 Running 0 7m7s eu-central-1c
app2-v2-c9694944-cv9g8 1/1 Running 0 7m7s eu-central-1c
app2-v2-c9694944-dkh2h 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-flnx9 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-klk6r 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-kwddv 1/1 Running 0 7m6s eu-central-1b
app2-v2-c9694944-pjbtz 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-q5xrh 1/1 Running 0 7m7s eu-central-1b
app2-v2-c9694944-rs8hk 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-t6crt 1/1 Running 0 7m6s eu-central-1b
```
This meets the threshold to serve same zone endpoints, but since the
routegroup has the opt-out annotation, the route contains all the
endpoints and not just zone filtered
```
kube_rg__gmapp2__app2_v2_traffic_segment__get__0_0: Path("/test") && Host(/^(app2[.]teapot[.]zalan[.]do[.]?(:[0-9]+)?)$/) && Method("GET") && TrafficSegment(0, 1)
-> disableAccessLog(2, 3, 404, 429)
-> fifo(2000, 20, "1s")
-> annotate("zalando.org/traffic-zone-aware", "false")
-> annotate("iam.zalando.org/public", "The application uses its own authentication logic, similar to using Partner IAM.")
-> status(200)
-> inlineContent("Hello from second backend!")
-> oauthTokeninfoValidate("{optOutAnnotations: [iam.zalando.org/public], optOutHosts: [\"^.*[.]ingress[.]cluster[.]local\"], unauthorizedResponse: \"Authentication required, see https://cloud.docs.zalando.net/howtos/authenticate-requests/#default-authentication\\n\"}")
-> stateBagToTag("auth-user", "client.uid")
-> <powerOfRandomNChoices, "http://[2a05:d024:90:1103:3e99::10]:8080", "http://[2a05:d024:90:1103:3e99::11]:8080", "http://[2a05:d024:90:1103:3e99::12]:8080", "http://[2a05:d024:90:1103:3e99::13]:8080", "http://[2a05:d024:90:1103:3e99::14]:8080", "http://[2a05:d024:90:1103:3e99::f]:8080", "http://[2a05:d024:90:1104:2396::10]:8080", "http://[2a05:d024:90:1104:2396::d]:8080", "http://[2a05:d024:90:1104:2396::e]:8080", "http://[2a05:d024:90:1104:2396::f]:8080", "http://[2a05:d024:90:1105:4749::8]:8080", "http://[2a05:d024:90:1105:4749::9]:8080", "http://[2a05:d024:90:1105:4749::a]:8080", "http://[2a05:d024:90:1105:4749::b]:8080", "http://[2a05:d024:90:1105:4749::c]:8080">;
```
ref: https://github.com/zalando/skipper/issues/3971
---------
Signed-off-by: greeshma1196 <greeshma.mathew@gmail.com>
fix: host metrics should be measured and stored correctly in case of HostAny() predicate (#4067)
fix: host metrics should be measured and stored correctly in case of
HostAny() predicate
Before this fix we measured a route like the following in the bucket
`"_unknownhost_"`:
```
r: HostAny("www.example.com") -> <shunt>
```
---------
Signed-off-by: Sandor Szuecs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
build(deps): bump oss-fuzz-base/base-builder-go from `972dea5` to `72f8378` in /.clusterfuzzlite (#4068)
Bumps oss-fuzz-base/base-builder-go from `972dea5` to `72f8378`.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#4057)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2
to 6.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Update changelog by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>Update changelog for v6.0.3 by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yaananth"><code>@yaananth</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<h2>v4.2.0</h2>
<ul>
<li>Add Ref and Commit outputs by <a
href="https://github.com/lucacome"><code>@lucacome</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
<li>Dependency updates by <a
href="https://github.com/dependabot"><code>@dependabot</code></a>- <a
href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>,
<a
href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li>
</ul>
<h2>v4.1.7</h2>
<ul>
<li>Bump the minor-npm-dependencies group across 1 directory with 4
updates by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li>
<li>Check out other refs/* by commit by <a
href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/df4cb1c069e1874edd31b4311f1884172cec0e10"><code>df4cb1c</code></a>
Update changelog for v6.0.3 (<a
href="https://redirect.github.com/actions/checkout/issues/2446">#2446</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1cce3390c2bfda521930d01229c073c7ff920824"><code>1cce339</code></a>
Fix checkout init for SHA-256 repositories (<a
href="https://redirect.github.com/actions/checkout/issues/2439">#2439</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/900f2210b1d28bbbd0bd22d17926b9e224e8f231"><code>900f221</code></a>
fix: expand merge commit SHA regex and add SHA-256 test cases (<a
href="https://redirect.github.com/actions/checkout/issues/2414">#2414</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0c366fd6a839edf440554fa01a7085ccba70ac98"><code>0c366fd</code></a>
Update changelog (<a
href="https://redirect.github.com/actions/checkout/issues/2357">#2357</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump the all-go-mod-patch-and-minor group with 7 updates (#4069)
Bumps the all-go-mod-patch-and-minor group with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/instana/go-sensor](https://github.com/instana/go-sensor) |
`1.73.1` | `1.73.2` |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) |
`9.20.0` | `9.20.1` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.52.0` |
`0.53.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.55.0` |
`0.56.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.20.0` |
`0.21.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.43.0` |
`0.44.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.37.0` |
`0.38.0` |
Updates `github.com/instana/go-sensor` from 1.73.1 to 1.73.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/instana/go-sensor/releases">github.com/instana/go-sensor's
releases</a>.</em></p>
<blockquote>
<h2>v1.73.2</h2>
<p>New release v1.73.2.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: prevent duplicate meter initialization in InitSensor by <a
href="https://github.com/Angith"><code>@Angith</code></a> in <a
href="https://redirect.github.com/instana/go-sensor/pull/1510">instana/go-sensor#1510</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/instana/go-sensor/commit/a6713a34fdcce14bed4716cd8884de630153b9f1"><code>a6713a3</code></a>
Updated version.go to 1.73.2</li>
<li><a
href="https://github.com/instana/go-sensor/commit/e4775871c9d5588e415518bbe81f0ea00c332bc9"><code>e477587</code></a>
fix: prevent duplicate meter initialization in InitSensor (<a
href="https://redirect.github.com/instana/go-sensor/issues/1510">#1510</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/b8f171d37b3e36f860a2e03aaba476e5bc23e304"><code>b8f171d</code></a>
Updated version.go to 0.48.7</li>
<li><a
href="https://github.com/instana/go-sensor/commit/e60c2a0886bfbf73e77bdef0fb783722bef3eb7b"><code>e60c2a0</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instaawsv2
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1506">#1506</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/871c797457c058626ddc539c184271e17f29ca60"><code>871c797</code></a>
Updated version.go to 1.55.1</li>
<li><a
href="https://github.com/instana/go-sensor/commit/95a6af6f9399d56e98c946e97ec4c0addbf16393"><code>95a6af6</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instasarama
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1504">#1504</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/465241d75a26707bc86c48317df28a8f3ab55970"><code>465241d</code></a>
Updated version.go to 1.55.0</li>
<li><a
href="https://github.com/instana/go-sensor/commit/bf6b4802ce0daa23c3a2d7791c7675188c6f374b"><code>bf6b480</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instasarama
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1503">#1503</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/a4d92189c8698b6edbb32a8775b434571b71b3d9"><code>a4d9218</code></a>
Updated version.go to 1.44.2</li>
<li><a
href="https://github.com/instana/go-sensor/commit/9e04aa63d123f0f47d46009391da3a14beaf8330"><code>9e04aa6</code></a>
chore(deps): bump github.com/quic-go/quic-go (<a
href="https://redirect.github.com/instana/go-sensor/issues/1507">#1507</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/instana/go-sensor/compare/v1.73.1...v1.73.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/redis/go-redis/v9` from 9.20.0 to 9.20.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/releases">github.com/redis/go-redis/v9's
releases</a>.</em></p>
<blockquote>
<h2>9.20.1</h2>
<p>This is a patch release containing bug fixes only. There are no new
features or breaking changes; upgrading from 9.20.0 is a drop-in
replacement.</p>
<h2>🚀 Highlights</h2>
<h3>RESP3 pub/sub message loss fixed</h3>
<p><code>PeekPushNotificationName</code> previously inspected only the
bytes already buffered by <code>bufio</code>, so when a push frame
header straddled a buffer fill boundary it could return a
<strong>truncated</strong> notification name (e.g.
<code>"messa"</code> instead of
<code>"message"</code>). The push processor then mis-routed
the frame and <code>ReadReply</code> silently dropped it, causing
intermittent RESP3 pub/sub message loss. The peek now grows its window
(36 bytes → up to 4 KiB) and reads more from the connection until the
header is complete, cleanly separating incomplete prefixes from corrupt
frames (including overflow-safe bulk-length handling). Fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>.</p>
<p>(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>RESP3 push peeking</strong>:
<code>PeekPushNotificationName</code> no longer returns a truncated
notification name when a push frame header spans a buffer boundary,
preventing silent RESP3 pub/sub message loss (fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>)
(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>FT.HYBRID</code> vector params</strong>: Vector data
is now always sent via <code>PARAMS</code> with auto-generated param
names (<code>__vector_param_N</code>, with collision avoidance) when
<code>VectorParamName</code> is omitted, since Redis no longer accepts
inline vector blobs; the <code>FTHybridOptions.Params</code> map is no
longer mutated, so the same options struct can be reused across calls
(<a
href="https://redirect.github.com/redis/go-redis/pull/3844">#3844</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>CLUSTER SHARDS</code> forward compatibility</strong>:
Unknown shard- and node-level attributes in the <code>CLUSTER
SHARDS</code> reply are now skipped via <code>DiscardNext()</code>
instead of erroring, so clients keep working when the server introduces
new fields (<a
href="https://redirect.github.com/redis/go-redis/pull/3843">#3843</a>)
by <a
href="https://github.com/madolson"><code>@madolson</code></a></li>
<li><strong>PubSub double reconnect</strong>:
<code>PubSub.releaseConn</code> no longer reconnects twice when a
connection is both unusable (or pending handoff) and reports a
bad-connection error, avoiding a wasted connection establish-then-close
cycle (<a
href="https://redirect.github.com/redis/go-redis/pull/3833">#3833</a>)
by <a href="https://github.com/cxljs"><code>@cxljs</code></a></li>
</ul>
<h2>👥 Contributors</h2>
<p>We'd like to thank all the contributors who worked on this
release!</p>
<p><a href="https://github.com/cxljs"><code>@cxljs</code></a>, <a
href="https://github.com/madolson"><code>@madolson</code></a>, <a
href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md">github.com/redis/go-redis/v9's
changelog</a>.</em></p>
<blockquote>
<h1>9.20.1 (2026-06-11)</h1>
<p>This is a patch release containing bug fixes only. There are no new
features or breaking changes; upgrading from 9.20.0 is a drop-in
replacement.</p>
<h2>🚀 Highlights</h2>
<h3>RESP3 pub/sub message loss fixed</h3>
<p><code>PeekPushNotificationName</code> previously inspected only the
bytes already buffered by <code>bufio</code>, so when a push frame
header straddled a buffer fill boundary it could return a
<strong>truncated</strong> notification name (e.g.
<code>"messa"</code> instead of
<code>"message"</code>). The push processor then mis-routed
the frame and <code>ReadReply</code> silently dropped it, causing
intermittent RESP3 pub/sub message loss. The peek now grows its window
(36 bytes → up to 4 KiB) and reads more from the connection until the
header is complete, cleanly separating incomplete prefixes from corrupt
frames (including overflow-safe bulk-length handling). Fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>.</p>
<p>(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>RESP3 push peeking</strong>:
<code>PeekPushNotificationName</code> no longer returns a truncated
notification name when a push frame header spans a buffer boundary,
preventing silent RESP3 pub/sub message loss (fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>)
(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>FT.HYBRID</code> vector params</strong>: Vector data
is now always sent via <code>PARAMS</code> with auto-generated param
names (<code>__vector_param_N</code>, with collision avoidance) when
<code>VectorParamName</code> is omitted, since Redis no longer accepts
inline vector blobs; the <code>FTHybridOptions.Params</code> map is no
longer mutated, so the same options struct can be reused across calls
(<a
href="https://redirect.github.com/redis/go-redis/pull/3844">#3844</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>CLUSTER SHARDS</code> forward compatibility</strong>:
Unknown shard- and node-level attributes in the <code>CLUSTER
SHARDS</code> reply are now skipped via <code>DiscardNext()</code>
instead of erroring, so clients keep working when the server introduces
new fields (<a
href="https://redirect.github.com/redis/go-redis/pull/3843">#3843</a>)
by <a
href="https://github.com/madolson"><code>@madolson</code></a></li>
<li><strong>PubSub double reconnect</strong>:
<code>PubSub.releaseConn</code> no longer reconnects twice when a
connection is both unusable (or pending handoff) and reports a
bad-connection error, avoiding a wasted connection establish-then-close
cycle (<a
href="https://redirect.github.com/redis/go-redis/pull/3833">#3833</a>)
by <a href="https://github.com/cxljs"><code>@cxljs</code></a></li>
</ul>
<h2>👥 Contributors</h2>
<p>We'd like to thank all the contributors who worked on this
release!</p>
<p><a href="https://github.com/cxljs"><code>@cxljs</code></a>, <a
href="https://github.com/madolson"><code>@madolson</code></a>, <a
href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/redis/go-redis/commit/a13416bf1c0556075b843dd0a9cb6db3b3cf2789"><code>a13416b</code></a>
chore(release): 9.20.1 (<a
href="https://redirect.github.com/redis/go-redis/issues/3847">#3847</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/10dc44f424d58b9c2b4df29e529ca92a2f8fa986"><code>10dc44f</code></a>
fix(push): fix peeking when push name is truncated (<a
href="https://redirect.github.com/redis/go-redis/issues/3842">#3842</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/e1a2d68b27e70ca8f3ff5eec61d0dd2b74554670"><code>e1a2d68</code></a>
fix(ft.hybrid): Always generate vector param names if they are not
provided b...</li>
<li><a
href="https://github.com/redis/go-redis/commit/a4b234f4a4f2551d1179181bbc136db132bf5912"><code>a4b234f</code></a>
chore(deps): bump codecov/codecov-action from 6 to 7 (<a
href="https://redirect.github.com/redis/go-redis/issues/3845">#3845</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/974e717dbf3008497e54aec34636e34452e6872b"><code>974e717</code></a>
fix(command): ignore unknown fields in CLUSTER SHARDS response (<a
href="https://redirect.github.com/redis/go-redis/issues/3843">#3843</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/65d6abde0d812234d26763930b5e84ff05963c96"><code>65d6abd</code></a>
fix(pubsub): prevent double reconnect in releaseConn (<a
href="https://redirect.github.com/redis/go-redis/issues/3833">#3833</a>)</li>
<li>See full diff in <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/45460e079737ecb64f30d79d3d6fc2914494fa66"><code>45460e0</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/d37c95e27de65576f42440cdfbc261d810506841"><code>d37c95e</code></a>
pkcs12: limit PBKDF iteration count to prevent CPU exhaustion</li>
<li><a
href="https://github.com/golang/crypto/commit/e2ffffe738fb46531cd8924bab497bdc77d9ecc8"><code>e2ffffe</code></a>
ssh: reject incomplete gssapi-with-mic configurations</li>
<li><a
href="https://github.com/golang/crypto/commit/60e158ad30c226555794539d96f0f104f43395f7"><code>60e158a</code></a>
ssh/test: isolate CLI tests from user SSH config and agent</li>
<li><a
href="https://github.com/golang/crypto/commit/1b77d23dc8afb26a494e331a3c637b6de88398d2"><code>1b77d23</code></a>
ssh/knownhosts: reject lines with multiple or unknown markers</li>
<li><a
href="https://github.com/golang/crypto/commit/3872a2bc69f464352dea49c2856955ef7c5d5851"><code>3872a2b</code></a>
ssh/knownhosts: verify declared key type matches decoded key</li>
<li><a
href="https://github.com/golang/crypto/commit/9f72eccdf6fa09a7c68448a7fdc333dd2deb7d9d"><code>9f72ecc</code></a>
ssh/knownhosts: treat only ASCII space and tab as whitespace</li>
<li><a
href="https://github.com/golang/crypto/commit/8f405a4109d7ce87a44f89185bdc385914ce5c13"><code>8f405a4</code></a>
ssh: validate ECDSA curve matches expected algorithm</li>
<li><a
href="https://github.com/golang/crypto/commit/bb41b3dbe630c21c78e3aeb0ebdd8d06a3a34fcf"><code>bb41b3d</code></a>
ssh: improve DH GEX group selection using PreferredBits</li>
<li><a
href="https://github.com/golang/crypto/commit/e04e7219970912a40f80c4b13029416fdf960eeb"><code>e04e721</code></a>
ssh/agent: validate ed25519 private key length in Add</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.52.0...v0.53.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/net` from 0.55.0 to 0.56.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/9e7fdbfadb32b0cc7524100014c5cf9b6adc7729"><code>9e7fdbf</code></a>
internal/http3: fix wrong argument being given when validating header
value</li>
<li><a
href="https://github.com/golang/net/commit/b686e5f3573e5f55120d664fc283ed7e80c1af3c"><code>b686e5f</code></a>
internal/http3: add gzip support to transport</li>
<li><a
href="https://github.com/golang/net/commit/8a348850ed6818306667722af2b42a6fc63473e0"><code>8a34885</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/72eaf98743302f6e0ad10883163dfc46dc8e8183"><code>72eaf98</code></a>
dns/dnsmessage: correctly validate SVCB record parameter order</li>
<li><a
href="https://github.com/golang/net/commit/82e7868a02167540748b74780b0bf825985256f7"><code>82e7868</code></a>
dns/dnsmessage: avoid panic when parsing SVCB record with truncated
data</li>
<li><a
href="https://github.com/golang/net/commit/b64f1fa4c615965246e5b9e5c9d614916fa8967d"><code>b64f1fa</code></a>
internal/http3: add server support for "Trailer:" magic
prefix</li>
<li><a
href="https://github.com/golang/net/commit/2707ee21efea70599446dd35979b1d1aedf44ada"><code>2707ee2</code></a>
internal/http3: implement HTTP/3 clientConn methods</li>
<li><a
href="https://github.com/golang/net/commit/31358cc259a764905194e3d6c597375b0ff366c1"><code>31358cc</code></a>
internal/http3: snapshot response headers at WriteHeader time</li>
<li><a
href="https://github.com/golang/net/commit/8ecbaa95fea823c19fa74c5c3b53e0bccd473828"><code>8ecbaa9</code></a>
html: don't adjust xml:base</li>
<li><a
href="https://github.com/golang/net/commit/8ae811abe5c2daa55c68d51a101af1c5751a4d55"><code>8ae811a</code></a>
html: properly handle end script tag in fragment mode</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.55.0...v0.56.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sync/commit/5071ed6a9f1617117556b66384f765c934de3698"><code>5071ed6</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.20.0...v0.21.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/term` from 0.43.0 to 0.44.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/3b43943a9e7de876a5d5e1f5e7da7cdeae0f542a"><code>3b43943</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.43.0...v0.44.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/text` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/text/commit/f4bb6328041b090f85b93014bd369edfcd24bdef"><code>f4bb632</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump alpine from `5b10f43` to `a2d49ea` in /packaging (#4064)
Bumps alpine from `5b10f43` to `a2d49ea`.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: apply workaround for readTimeout (#4061)
feature: Use go-brrr as brotli backend (#4066)
test: fix flaky tests in proxylistener (#4055)
test: fix flaky tests in proxylistener
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
migrate: docker image location on GHCR only (#4054)
doc: delete reference to registry.opensource.zalan.do/teapot/skipper
Please everyone migrate to ghcr.io/zalando/skipper
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: routing is not a security feature (#4052)
doc: routing is not a security feature
---------
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
fix: unbounded read of consuming the http.Body in the validation webhook (#4053)
fix: unbounded read of consuming the http.Body in the validation webhook
Reported by @alcls01111
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: templating security (#4050)
doc: templating security
Thanks @alcls01111 for reporting this.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: setDynamicBackendUrlFromHeader SSRF risk (#4051)
doc: setDynamicBackendUrlFromHeader SSRF risk
It was forgotten to document the risk and we got a second researcher
telling about this filter risk.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
go: update to 1.26.4 (#4046)
remove not needed replace directive
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Fix oidcClaimsQuery example (#4048)
feature: proxy mTLS support (#4037)
feature: proxy mTLS support implementation based on net.Client and net.CertReloader
Added test cases by ai and validated the code that it is testing as
expected.
---------
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
build(deps): bump oss-fuzz-base/base-builder-go from `3c453ef` to `972dea5` in /.clusterfuzzlite (#4040)
Bumps oss-fuzz-base/base-builder-go from `3c453ef` to `972dea5`.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: eliminate race in TestCacheFilter_ColdMissCoalescing (#4034)
## Problem
`TestCacheFilter_ColdMissCoalescing` was intermittently failing under
`-race` with:
```
--- FAIL: TestCacheFilter_ColdMissCoalescing (0.00s)
filter_test.go:401: expected 1 upstream fetch, got 2
```
The test asserts that 50 concurrent cold-miss requests coalesce into
exactly one upstream fetch via `singleflight.DoChan`.
The previous synchronization used a `sync.WaitGroup` (`wgIn`) where each
goroutine called `wgIn.Done()` **before** calling `f.Request()`. The
fetch stub blocked on `wgIn.Wait()`, intending to hold the singleflight
open until all goroutines had joined it.
This had a
[TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to-time-of-use)
gap: a goroutine could call `wgIn.Done()`, get preempted, and resume
while the fetch stub had already unblocked from `wgIn.Wait()` but had
not yet called `storage.Set()`. At that point the goroutine would call
`storage.Get()` → `nil` and enter `DoChan()`. If the leader's `fetchFn`
had returned in the interim, `DoChan()` would start a new singleflight
round and fire a second upstream fetch. Under the race detector's
overhead this window was wide enough to trigger reliably.
## Fix
Replaced `wgIn` with a `missCounting` storage wrapper that embeds a
`sync.WaitGroup`. Each goroutine calls `wg.Done()` inside
`storage.Get()` at the exact moment it observes a cache miss - the last
possible point before `coalesce()` → `DoChan()`. The fetch stub calls
`wg.Wait()`, which durably blocks `fetchFn` until all N goroutines have
confirmed a miss and are either inside `DoChan`'s waitlist or in the
scheduler-opaque gap immediately before it. Only then does `fetchFn`
call `storage.Set()` and return, closing the singleflight round.
The main goroutine's spin loop was replaced with a `fetchStarted`
channel closed by the fetch stub on entry, eliminating all busy-waits.
### Before
<img width="6795" height="4395" alt="Goroutine Missed
Window-2026-05-26-141411"
src="https://github.com/user-attachments/assets/0fb1da49-0707-49b3-a49e-c83fc5e42299"
/>
### After
<img width="5770" height="2840" alt="Goroutine Missed
Window-2026-05-26-141426"
src="https://github.com/user-attachments/assets/73b8ffe0-6563-4841-a18d-f2c46f46fe0f"
/>
No production code was changed.
---------
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
build(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0 (#4038)
Bumps
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action)
from 4.0.0 to 4.1.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.0</h2>
<ul>
<li>Add <code>reset</code> input to uninstall current emulators by <a
href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/21">docker/setup-qemu-action#21</a></li>
<li>Bump <code>@docker/actions-toolkit</code> from 0.77.0 to 0.91.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/250">docker/setup-qemu-action#250</a>
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/247">docker/setup-qemu-action#247</a></li>
<li>Bump brace-expansion from 1.1.12 to 1.1.15 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/265">docker/setup-qemu-action#265</a></li>
<li>Bump fast-xml-builder from 1.0.0 to 1.2.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/286">docker/setup-qemu-action#286</a></li>
<li>Bump fast-xml-parser from 5.4.2 to 5.8.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/255">docker/setup-qemu-action#255</a></li>
<li>Bump flatted from 3.3.3 to 3.4.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/257">docker/setup-qemu-action#257</a></li>
<li>Bump glob from 10.3.15 to 10.5.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/254">docker/setup-qemu-action#254</a></li>
<li>Bump handlebars from 4.7.8 to 4.7.9 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/262">docker/setup-qemu-action#262</a></li>
<li>Bump lodash from 4.17.23 to 4.18.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/273">docker/setup-qemu-action#273</a></li>
<li>Bump postcss from 8.5.6 to 8.5.10 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/285">docker/setup-qemu-action#285</a></li>
<li>Bump tar from 6.2.1 to 7.5.15 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/287">docker/setup-qemu-action#287</a></li>
<li>Bump tmp from 0.2.5 to 0.2.6 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/291">docker/setup-qemu-action#291</a></li>
<li>Bump undici from 6.23.0 to 6.26.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/251">docker/setup-qemu-action#251</a></li>
<li>Bump vite from 7.3.1 to 7.3.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/271">docker/setup-qemu-action#271</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0">https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/06116385d9baf250c9f4dcb4858b16962ea869c3"><code>0611638</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/21">#21</a>
from crazy-max/uninst</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce59c818a5ff16552ddf7407ee7cb00bea682925"><code>ce59c81</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/2ddad4401e17fa807e8a3c4bd289ccdd993f0868"><code>2ddad44</code></a>
uninstall current emulators</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/8c37cd6f3456e1f3f3026250eac496709e9e7e10"><code>8c37cd6</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/250">#250</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/d1a0ff34af591b8e290e46f3fa114ef5bb81cd1c"><code>d1a0ff3</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/0a8f3dc12541cc2c3b19c182a1a2c90a2c8b8d93"><code>0a8f3dc</code></a>
build(deps): bump <code>@docker/actions-toolkit</code> from 0.79.0 to
0.91.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/9430f61a7691bd1bfdc4d6ba70e558659d36fa7a"><code>9430f61</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/291">#291</a>
from docker/dependabot/npm_and_yarn/tmp-0.2.6</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/978bd7796cb6698377e7af6726b726e5ced642d0"><code>978bd77</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/3479febc62cc0fbcb98c7c7fc0dac778c0d79d6a"><code>3479feb</code></a>
build(deps): bump tmp from 0.2.5 to 0.2.6</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b113c264143c28c2974bed61af25be32d32f4782"><code>b113c26</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/255">#255</a>
from docker/dependabot/npm_and_yarn/fast-xml-parser-5...</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/ce360397dd3f832beb865e1373c09c0e9f86d70a...06116385d9baf250c9f4dcb4858b16962ea869c3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: wait for cipher refresher goroutine to exit on Close (#4036)
# Related Issue
Fixes a goroutine leak found while working on #4034.
## Problem
`Registry.Close()` called `v.Close()` on each encrypter but returned
immediately, leaving the `runCipherRefresher` goroutine running until it
observed the closed channel on its next select iteration. Under `noleak`
this caused a test failure in the `secrets` package.
## Fix
Initialize `closedHook` inside `runCipherRefresher` (only when a
goroutine is actually started) and drain it in `Registry.Close()` so
shutdown blocks until the goroutine has exited. The `nil` guard on the
drain ensures encrypters created without a refresh interval (no
goroutine started) are unaffected.
No behavior change in production - `Close()` is only called at shutdown.
---------
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
introduce timeout for decicion log task (#4035)
## Problem
When asyncDecisionLogging is enabled and a new policy bundle is
deployed, eopa_dl.Reconfigure() calls Stop() on the running Benthos
stream followed by Start() on a new one. If `runDecisionLogger` is
inside stream.Consume() on the old stream at that moment, the Benthos
producer closure tries to write the decision event to an internal
channel whose reader (inproc input) has been destroyed by Stop().
Because `doLogDecision` was called with context.Background() (without
deadline) the blocked send never returns. `runDecisionLogger` is
permanently stuck on that one call and stops draining `decisionLogChan`.
With the goroutine stuck, once the channel fills to capacity
(buffer_size_limit_events), every subsequent `logDecision` call hits the
non-blocking default branch and drops the event, logging "Decision log
dropped: async buffer full." The warning continues indefinitely with no
self-recovery. The only fix prior to this change was a pod restart.
## Fix
Set timeout for the context passed for decision logging. The value for
the timeout is decided using the configured timeout for the eopa_dl
output type
---------
Signed-off-by: nuwandi-wickramasinghe_zse <nuwandi.wickramasinghe@zalando.de>
Co-authored-by: nuwandi-wickramasinghe_zse <nuwandi.wickramasinghe@zalando.de>
build(deps): bump the all-go-mod-patch-and-minor group with 13 updates (#4039)
Bumps the all-go-mod-patch-and-minor group with 13 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) |
`9.19.0` | `9.20.0` |
|
[go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib)
| `0.68.0` | `0.69.0` |
|
[go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib)
| `0.68.0` | `0.69.0` |
|
[go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/bridge/opentracing](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
Updates `github.com/redis/go-redis/v9` from 9.19.0 to 9.20.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/releases">github.com/redis/go-redis/v9's
releases</a>.</em></p>
<blockquote>
<h2>9.20.0</h2>
<h2>🚀 Highlights</h2>
<h3>Redis 8.8 Support</h3>
<p>This release adds support for <strong>Redis 8.8</strong>. The
README's supported-versions list now includes Redis 8.8 alongside
8.0/8.2/8.4, and CI exercises the <code>8.8</code> client-libs-test
image across the full suite (Makefile, build workflow, doctests,
run-tests action, and docker-compose).</p>
<p>Coverage for the new commands that ship in the 8.x line, rounded out
in this release:</p>
<ul>
<li><strong><code>AR*</code> array data type</strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3813">#3813</a>) —
new array data structure, exposed via the <code>ArrayCmdable</code>
interface (see the experimental-features highlight below).</li>
<li><strong><code>INCREX</code></strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3816">#3816</a>) —
atomic increment with expiration in a single round-trip.</li>
<li><strong><code>XNACK</code></strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3790">#3790</a>) —
explicit negative-acknowledge of pending stream entries.</li>
<li><strong><code>XAUTOCLAIM</code> PEL deletes</…
larry-dalmeida
added a commit
to larry-dalmeida/skipper
that referenced
this pull request
Jun 26, 2026
…c level, introduce Options struct
This commit addresses all open code review comments from PR #4033:
1. **Goroutines on spec level (szuecs)**: Move revalidationWorker and
lruBytesScraper from per-instance (cacheFilter) to per-spec (cacheSpec)
ownership. This prevents 20k+ goroutines for 10k routes and enables
proper cleanup on route reloads. Each filter instance enqueues revalidation
jobs with a doRevalFn closure that captures per-instance logic.
2. **Introduce cache.Options struct (szuecs)**: Replace 5 positional parameters
with a single Options struct containing MaxBytes, ListenAddr, NetOpts,
ValkeyRing, L1TTL, and optional Metrics. This enables future extension
without signature changes.
3. **Inject metrics (szuecs)**: Make metrics.Metrics injectable via Options
(defaults to metrics.Default if nil), removing hidden global dependency
and enabling test-scoped assertions without side effects.
4. **Verify remaining comments**:
- SetWithExpire error handling (net/valkey.go) already correct
- Docs terminology fixed: pod→process, Storage→Cache, dropped "cross-pod"
- Single shared valkeyRing already in place (refactoring merged)
Files modified:
- filters/cache/filter.go: Options struct, spec-level goroutines, doRevalFn closure
- filters/cache/filter_test.go: Updated all NewCacheFilter calls, added cleanup
- skipper.go: Updated instantiation to use cache.Options{}
- docs/reference/filters.md: Terminology and structure fixes
docs: document Valkey L2 storage, write-through L1, and cache metrics
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
fix: address code review findings — vary sentinel invalidation, stub accuracy, dead code
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: fix gofmt alignment of bgWg struct field comment
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: group cache config fields into dedicated //cache section in config.go
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
fix: add CacheL1TTL to defaultConfig and make Close() synchronous
config_test.go: defaultConfig() was missing CacheL1TTL, so the expected
config had 0s while ParseArgs produced the flag default of 1m0s.
filters/cache/filter.go: Close() only closed the revalJobs and
lruBytesDone channels without waiting for the background goroutines to
finish. Under -race this caused a panic (close of closed channel) when a
test's in-flight doRevalidate called f.fetch after the test's local
channels had been torn down. Adding bgWg tracks both goroutines and
Close() now blocks until both have exited.
Signed-off-by: larry-dalmeida <hello@larrydalmeida.com>
style: use strings.SplitSeq in stripHopByHop and parseVaryNames
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: move --cache-l1-ttl config field and flag to Valkey section
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire --cache-l1-ttl flag through Options to ValkeyStorage
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix: update stale counter assertion after L1-first Get, add l1_hit to godoc
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: L1-first reads with l1_hit counter in ValkeyStorage.Get
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: write-through L1 warming on successful Valkey Set
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: add l1TTL field to ValkeyStorage (write-through prep)
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
Fix registration of cache filter
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
refactor: ratelimit registry creation to pass ring clients such that we can reuse the valkey ring client in the cache filter creation.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
cache: injectable metrics, trace spans, lru_bytes scraper
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
Promote log to warn
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
cache: promote storage Set/Delete error logs from Debug to Warn
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: tag cache_status, cache_key, cache_ttl_remaining_ms on trace span
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: reval_dropped and L1 fallback write verification
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: oversized LRU entry increments lru_oversized and is not stored
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: unsafe method + 4xx does not invalidate cached entry
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
test: must-revalidate forces coalesce when stale
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: log storage errors with per-site messages
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: add periodic lru_bytes gauge scrape every 10s
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix: address WP6 code review feedback
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: split valkey_fallback counter and add valkey_miss metric
Replace the single valkey_fallback counter with three distinct counters
for better observability:
- valkey_miss — clean cache miss (key absent in Valkey)
- valkey_get_fallback — Valkey error on Get; L1 consulted instead
- valkey_set_fallback — Valkey error on Set; L1 written instead
Inject metrics.Metrics into ValkeyStorage via NewValkeyStorage so
tests can assert counter values without relying on the global
metrics.Default singleton.
Introduce a valkeyClient interface (Get/SetWithExpire/Expire) so unit
tests can use an in-memory stub instead of a live Valkey/Docker
connection. Two new tests — RecordsValkeyMiss and
SplitFallbackCounters — exercise the counter logic with stubs.
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
fix(cache): add compile-time interface guards; assert valkey_get_fallback fires on fallback
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: add ValkeyStorage with L1 fallback for cache() filter
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire ValkeyStorage into NewCacheFilter (nil = in-memory only)
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
feat: wire Valkey ring into cache() filter when swarm Valkey is configured
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
doc: redirect location query examples (#4077)
Feature: mtls filters (#4044)
feature: Add support to opt-out from zone aware routing via Ingress/RouteGroup (#4049)
Introduce the annotation `zalando.org/traffic-zone-aware: "false"` on
Ingress and RouteGroup resources. When set, the resource receives all
endpoints across all zones, bypassing zone filtering both at the
dataclient layer (endpoint fetch) and at the routesrv layer (per-zone
route serving).
Usage:
```
metadata:
annotations:
zalando.org/traffic-zone-aware: "false"
```
Tasks
1. Define `zalando.org/traffic-zone-aware` annotation constant in the
kubernetes package
2. Modify `GetEndpointSlicesByService` and `GetEndpointSlicesByTarget`
in `clusterstate.go` to accept ing and rg context param respectively and
skip zone filtering when value
ing.disableZoneAwareness/rg.disableZoneAwareness is true
3. Add zoneAwarenessAnnotationFilter() helper that returns an annotate()
filter when the zone-aware opt-out annotation is present
4. Modify Ingress v1 path rule conversion (`convertPathRuleV1`) and
default backend conversion (`convertDefaultBackendV1`) to read the
annotation, pass it to endpoint fetch and prepend the annotate() filter
when annotation is set
5. Modify RouteGroup backend application (`applyServiceBackend`) to read
the annotation, pass it to endpoint fetch and prepend the annotate()
filter when annotation is set
6. Add isZoneAwarenessDisabled() in routesrv/polling.go to detect the
opt-out by inspecting the route filter chain
7. Wire isZoneAwarenessDisabled() into getRouteForZone() to skip zone
filtering for opted-out routes
8. Update makeRoute test helper to inject the annotate() filter when the
opt-out flag is passed
9. Add integration test with two Ingresses in zone `eu-central-1a`: one
opted out (expects all endpoints across zones), one default (expects
only zone-local endpoints)
10. Add unit tests for `filterRoutesByZone` covering opt-out scenarios:
both routes opted out, opt-out mixed with normal route, and opt-out with
a below-threshold zone
Tested the changes:
The skipper-ingress with zone aware routing enabled was in Zone-A
1. Deployed ingress with 10 replicas, which means 10 endpoints are
available
```
zkubectl -n gmapp1 get pods -L topology.kubernetes.io/zone
NAME READY STATUS RESTARTS AGE ZONE
app1-v8-5c5965f6d4-7h6zr 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-7tnq4 1/1 Running 0 68s eu-central-1a
app1-v8-5c5965f6d4-98mz7 1/1 Running 0 68s eu-central-1c
app1-v8-5c5965f6d4-99n9p 1/1 Running 0 69s eu-central-1c
app1-v8-5c5965f6d4-bvdst 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-htn78 1/1 Running 0 68s eu-central-1b
app1-v8-5c5965f6d4-q75b9 1/1 Running 0 69s eu-central-1b
app1-v8-5c5965f6d4-wtgm5 1/1 Running 0 69s eu-central-1a
app1-v8-5c5965f6d4-xhv9q 1/1 Running 0 69s eu-central-1c
app1-v8-5c5965f6d4-zlz9x 1/1 Running 0 69s eu-central-1b
```
This meets the threshold to serve same zone endpoints, but since the
ingress has the opt-out annotation, the route contains all the endpoints
and not just zone filtered
```
kube_gmapp1__app1_v8_traffic_segment__gmapp1_pg9_test_zalan_do____app1_v8: Host(/^(gmapp1[.]pg9-test[.]zalan[.]do[.]?(:[0-9]+)?)$/) && TrafficSegment(0, 1)
-> disableAccessLog(2, 3, 404, 429)
-> fifo(2000, 20, "1s")
-> annotate("zalando.org/traffic-zone-aware", "false")
-> oauthTokeninfoValidate("{optOutAnnotations: [iam.zalando.org/public], optOutHosts: [\"^.*[.]ingress[.]cluster[.]local\"], unauthorizedResponse: \"Authentication required, see https://cloud.docs.zalando.net/howtos/authenticate-requests/#default-authentication\\n\"}")
-> stateBagToTag("auth-user", "client.uid")
-> <powerOfRandomNChoices, "http://[2a05:d024:90:1103:3e99::6]:8080", "http://[2a05:d024:90:1103:3e99::7]:8080", "http://[2a05:d024:90:1103:3e99::8]:8080", "http://[2a05:d024:90:1103:3e99::9]:8080", "http://[2a05:d024:90:1104:2396::a]:8080", "http://[2a05:d024:90:1104:2396::b]:8080", "http://[2a05:d024:90:1104:2396::c]:8080", "http://[2a05:d024:90:1105:4749::4]:8080", "http://[2a05:d024:90:1105:4749::6]:8080", "http://[2a05:d024:90:1105:4749::7]:8080">;
```
2. Deployed a routegroup with 15 replicas, which means 15 endpoints are
available
```
zkubectl -n gmapp2 get pods -L topology.kubernetes.io/zone
NAME READY STATUS RESTARTS AGE ZONE
app2-v2-c9694944-598mc 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-6bcpm 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-7jgpp 1/1 Running 0 7m7s eu-central-1b
app2-v2-c9694944-88xzb 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-8kl6q 1/1 Running 0 7m6s eu-central-1c
app2-v2-c9694944-8wc97 1/1 Running 0 7m7s eu-central-1c
app2-v2-c9694944-cv9g8 1/1 Running 0 7m7s eu-central-1c
app2-v2-c9694944-dkh2h 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-flnx9 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-klk6r 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-kwddv 1/1 Running 0 7m6s eu-central-1b
app2-v2-c9694944-pjbtz 1/1 Running 0 7m6s eu-central-1a
app2-v2-c9694944-q5xrh 1/1 Running 0 7m7s eu-central-1b
app2-v2-c9694944-rs8hk 1/1 Running 0 7m7s eu-central-1a
app2-v2-c9694944-t6crt 1/1 Running 0 7m6s eu-central-1b
```
This meets the threshold to serve same zone endpoints, but since the
routegroup has the opt-out annotation, the route contains all the
endpoints and not just zone filtered
```
kube_rg__gmapp2__app2_v2_traffic_segment__get__0_0: Path("/test") && Host(/^(app2[.]teapot[.]zalan[.]do[.]?(:[0-9]+)?)$/) && Method("GET") && TrafficSegment(0, 1)
-> disableAccessLog(2, 3, 404, 429)
-> fifo(2000, 20, "1s")
-> annotate("zalando.org/traffic-zone-aware", "false")
-> annotate("iam.zalando.org/public", "The application uses its own authentication logic, similar to using Partner IAM.")
-> status(200)
-> inlineContent("Hello from second backend!")
-> oauthTokeninfoValidate("{optOutAnnotations: [iam.zalando.org/public], optOutHosts: [\"^.*[.]ingress[.]cluster[.]local\"], unauthorizedResponse: \"Authentication required, see https://cloud.docs.zalando.net/howtos/authenticate-requests/#default-authentication\\n\"}")
-> stateBagToTag("auth-user", "client.uid")
-> <powerOfRandomNChoices, "http://[2a05:d024:90:1103:3e99::10]:8080", "http://[2a05:d024:90:1103:3e99::11]:8080", "http://[2a05:d024:90:1103:3e99::12]:8080", "http://[2a05:d024:90:1103:3e99::13]:8080", "http://[2a05:d024:90:1103:3e99::14]:8080", "http://[2a05:d024:90:1103:3e99::f]:8080", "http://[2a05:d024:90:1104:2396::10]:8080", "http://[2a05:d024:90:1104:2396::d]:8080", "http://[2a05:d024:90:1104:2396::e]:8080", "http://[2a05:d024:90:1104:2396::f]:8080", "http://[2a05:d024:90:1105:4749::8]:8080", "http://[2a05:d024:90:1105:4749::9]:8080", "http://[2a05:d024:90:1105:4749::a]:8080", "http://[2a05:d024:90:1105:4749::b]:8080", "http://[2a05:d024:90:1105:4749::c]:8080">;
```
ref: https://github.com/zalando/skipper/issues/3971
---------
Signed-off-by: greeshma1196 <greeshma.mathew@gmail.com>
fix: host metrics should be measured and stored correctly in case of HostAny() predicate (#4067)
fix: host metrics should be measured and stored correctly in case of
HostAny() predicate
Before this fix we measured a route like the following in the bucket
`"_unknownhost_"`:
```
r: HostAny("www.example.com") -> <shunt>
```
---------
Signed-off-by: Sandor Szuecs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
build(deps): bump oss-fuzz-base/base-builder-go from `972dea5` to `72f8378` in /.clusterfuzzlite (#4068)
Bumps oss-fuzz-base/base-builder-go from `972dea5` to `72f8378`.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#4057)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2
to 6.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Update changelog by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>Update changelog for v6.0.3 by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yaananth"><code>@yaananth</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<h2>v4.2.0</h2>
<ul>
<li>Add Ref and Commit outputs by <a
href="https://github.com/lucacome"><code>@lucacome</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
<li>Dependency updates by <a
href="https://github.com/dependabot"><code>@dependabot</code></a>- <a
href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>,
<a
href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li>
</ul>
<h2>v4.1.7</h2>
<ul>
<li>Bump the minor-npm-dependencies group across 1 directory with 4
updates by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li>
<li>Check out other refs/* by commit by <a
href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/df4cb1c069e1874edd31b4311f1884172cec0e10"><code>df4cb1c</code></a>
Update changelog for v6.0.3 (<a
href="https://redirect.github.com/actions/checkout/issues/2446">#2446</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1cce3390c2bfda521930d01229c073c7ff920824"><code>1cce339</code></a>
Fix checkout init for SHA-256 repositories (<a
href="https://redirect.github.com/actions/checkout/issues/2439">#2439</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/900f2210b1d28bbbd0bd22d17926b9e224e8f231"><code>900f221</code></a>
fix: expand merge commit SHA regex and add SHA-256 test cases (<a
href="https://redirect.github.com/actions/checkout/issues/2414">#2414</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0c366fd6a839edf440554fa01a7085ccba70ac98"><code>0c366fd</code></a>
Update changelog (<a
href="https://redirect.github.com/actions/checkout/issues/2357">#2357</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump the all-go-mod-patch-and-minor group with 7 updates (#4069)
Bumps the all-go-mod-patch-and-minor group with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/instana/go-sensor](https://github.com/instana/go-sensor) |
`1.73.1` | `1.73.2` |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) |
`9.20.0` | `9.20.1` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.52.0` |
`0.53.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.55.0` |
`0.56.0` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.20.0` |
`0.21.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.43.0` |
`0.44.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.37.0` |
`0.38.0` |
Updates `github.com/instana/go-sensor` from 1.73.1 to 1.73.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/instana/go-sensor/releases">github.com/instana/go-sensor's
releases</a>.</em></p>
<blockquote>
<h2>v1.73.2</h2>
<p>New release v1.73.2.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: prevent duplicate meter initialization in InitSensor by <a
href="https://github.com/Angith"><code>@Angith</code></a> in <a
href="https://redirect.github.com/instana/go-sensor/pull/1510">instana/go-sensor#1510</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/instana/go-sensor/commit/a6713a34fdcce14bed4716cd8884de630153b9f1"><code>a6713a3</code></a>
Updated version.go to 1.73.2</li>
<li><a
href="https://github.com/instana/go-sensor/commit/e4775871c9d5588e415518bbe81f0ea00c332bc9"><code>e477587</code></a>
fix: prevent duplicate meter initialization in InitSensor (<a
href="https://redirect.github.com/instana/go-sensor/issues/1510">#1510</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/b8f171d37b3e36f860a2e03aaba476e5bc23e304"><code>b8f171d</code></a>
Updated version.go to 0.48.7</li>
<li><a
href="https://github.com/instana/go-sensor/commit/e60c2a0886bfbf73e77bdef0fb783722bef3eb7b"><code>e60c2a0</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instaawsv2
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1506">#1506</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/871c797457c058626ddc539c184271e17f29ca60"><code>871c797</code></a>
Updated version.go to 1.55.1</li>
<li><a
href="https://github.com/instana/go-sensor/commit/95a6af6f9399d56e98c946e97ec4c0addbf16393"><code>95a6af6</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instasarama
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1504">#1504</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/465241d75a26707bc86c48317df28a8f3ab55970"><code>465241d</code></a>
Updated version.go to 1.55.0</li>
<li><a
href="https://github.com/instana/go-sensor/commit/bf6b4802ce0daa23c3a2d7791c7675188c6f374b"><code>bf6b480</code></a>
feat(currency): updated go.mod, go.sum files, README.md for instasarama
(<a
href="https://redirect.github.com/instana/go-sensor/issues/1503">#1503</a>)</li>
<li><a
href="https://github.com/instana/go-sensor/commit/a4d92189c8698b6edbb32a8775b434571b71b3d9"><code>a4d9218</code></a>
Updated version.go to 1.44.2</li>
<li><a
href="https://github.com/instana/go-sensor/commit/9e04aa63d123f0f47d46009391da3a14beaf8330"><code>9e04aa6</code></a>
chore(deps): bump github.com/quic-go/quic-go (<a
href="https://redirect.github.com/instana/go-sensor/issues/1507">#1507</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/instana/go-sensor/compare/v1.73.1...v1.73.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `github.com/redis/go-redis/v9` from 9.20.0 to 9.20.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/releases">github.com/redis/go-redis/v9's
releases</a>.</em></p>
<blockquote>
<h2>9.20.1</h2>
<p>This is a patch release containing bug fixes only. There are no new
features or breaking changes; upgrading from 9.20.0 is a drop-in
replacement.</p>
<h2>🚀 Highlights</h2>
<h3>RESP3 pub/sub message loss fixed</h3>
<p><code>PeekPushNotificationName</code> previously inspected only the
bytes already buffered by <code>bufio</code>, so when a push frame
header straddled a buffer fill boundary it could return a
<strong>truncated</strong> notification name (e.g.
<code>"messa"</code> instead of
<code>"message"</code>). The push processor then mis-routed
the frame and <code>ReadReply</code> silently dropped it, causing
intermittent RESP3 pub/sub message loss. The peek now grows its window
(36 bytes → up to 4 KiB) and reads more from the connection until the
header is complete, cleanly separating incomplete prefixes from corrupt
frames (including overflow-safe bulk-length handling). Fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>.</p>
<p>(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>RESP3 push peeking</strong>:
<code>PeekPushNotificationName</code> no longer returns a truncated
notification name when a push frame header spans a buffer boundary,
preventing silent RESP3 pub/sub message loss (fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>)
(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>FT.HYBRID</code> vector params</strong>: Vector data
is now always sent via <code>PARAMS</code> with auto-generated param
names (<code>__vector_param_N</code>, with collision avoidance) when
<code>VectorParamName</code> is omitted, since Redis no longer accepts
inline vector blobs; the <code>FTHybridOptions.Params</code> map is no
longer mutated, so the same options struct can be reused across calls
(<a
href="https://redirect.github.com/redis/go-redis/pull/3844">#3844</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>CLUSTER SHARDS</code> forward compatibility</strong>:
Unknown shard- and node-level attributes in the <code>CLUSTER
SHARDS</code> reply are now skipped via <code>DiscardNext()</code>
instead of erroring, so clients keep working when the server introduces
new fields (<a
href="https://redirect.github.com/redis/go-redis/pull/3843">#3843</a>)
by <a
href="https://github.com/madolson"><code>@madolson</code></a></li>
<li><strong>PubSub double reconnect</strong>:
<code>PubSub.releaseConn</code> no longer reconnects twice when a
connection is both unusable (or pending handoff) and reports a
bad-connection error, avoiding a wasted connection establish-then-close
cycle (<a
href="https://redirect.github.com/redis/go-redis/pull/3833">#3833</a>)
by <a href="https://github.com/cxljs"><code>@cxljs</code></a></li>
</ul>
<h2>👥 Contributors</h2>
<p>We'd like to thank all the contributors who worked on this
release!</p>
<p><a href="https://github.com/cxljs"><code>@cxljs</code></a>, <a
href="https://github.com/madolson"><code>@madolson</code></a>, <a
href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md">github.com/redis/go-redis/v9's
changelog</a>.</em></p>
<blockquote>
<h1>9.20.1 (2026-06-11)</h1>
<p>This is a patch release containing bug fixes only. There are no new
features or breaking changes; upgrading from 9.20.0 is a drop-in
replacement.</p>
<h2>🚀 Highlights</h2>
<h3>RESP3 pub/sub message loss fixed</h3>
<p><code>PeekPushNotificationName</code> previously inspected only the
bytes already buffered by <code>bufio</code>, so when a push frame
header straddled a buffer fill boundary it could return a
<strong>truncated</strong> notification name (e.g.
<code>"messa"</code> instead of
<code>"message"</code>). The push processor then mis-routed
the frame and <code>ReadReply</code> silently dropped it, causing
intermittent RESP3 pub/sub message loss. The peek now grows its window
(36 bytes → up to 4 KiB) and reads more from the connection until the
header is complete, cleanly separating incomplete prefixes from corrupt
frames (including overflow-safe bulk-length handling). Fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>.</p>
<p>(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>RESP3 push peeking</strong>:
<code>PeekPushNotificationName</code> no longer returns a truncated
notification name when a push frame header spans a buffer boundary,
preventing silent RESP3 pub/sub message loss (fixes <a
href="https://redirect.github.com/redis/go-redis/issues/3839">#3839</a>)
(<a
href="https://redirect.github.com/redis/go-redis/pull/3842">#3842</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>FT.HYBRID</code> vector params</strong>: Vector data
is now always sent via <code>PARAMS</code> with auto-generated param
names (<code>__vector_param_N</code>, with collision avoidance) when
<code>VectorParamName</code> is omitted, since Redis no longer accepts
inline vector blobs; the <code>FTHybridOptions.Params</code> map is no
longer mutated, so the same options struct can be reused across calls
(<a
href="https://redirect.github.com/redis/go-redis/pull/3844">#3844</a>)
by <a href="https://github.com/ndyakov"><code>@ndyakov</code></a></li>
<li><strong><code>CLUSTER SHARDS</code> forward compatibility</strong>:
Unknown shard- and node-level attributes in the <code>CLUSTER
SHARDS</code> reply are now skipped via <code>DiscardNext()</code>
instead of erroring, so clients keep working when the server introduces
new fields (<a
href="https://redirect.github.com/redis/go-redis/pull/3843">#3843</a>)
by <a
href="https://github.com/madolson"><code>@madolson</code></a></li>
<li><strong>PubSub double reconnect</strong>:
<code>PubSub.releaseConn</code> no longer reconnects twice when a
connection is both unusable (or pending handoff) and reports a
bad-connection error, avoiding a wasted connection establish-then-close
cycle (<a
href="https://redirect.github.com/redis/go-redis/pull/3833">#3833</a>)
by <a href="https://github.com/cxljs"><code>@cxljs</code></a></li>
</ul>
<h2>👥 Contributors</h2>
<p>We'd like to thank all the contributors who worked on this
release!</p>
<p><a href="https://github.com/cxljs"><code>@cxljs</code></a>, <a
href="https://github.com/madolson"><code>@madolson</code></a>, <a
href="https://github.com/ndyakov"><code>@ndyakov</code></a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/redis/go-redis/commit/a13416bf1c0556075b843dd0a9cb6db3b3cf2789"><code>a13416b</code></a>
chore(release): 9.20.1 (<a
href="https://redirect.github.com/redis/go-redis/issues/3847">#3847</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/10dc44f424d58b9c2b4df29e529ca92a2f8fa986"><code>10dc44f</code></a>
fix(push): fix peeking when push name is truncated (<a
href="https://redirect.github.com/redis/go-redis/issues/3842">#3842</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/e1a2d68b27e70ca8f3ff5eec61d0dd2b74554670"><code>e1a2d68</code></a>
fix(ft.hybrid): Always generate vector param names if they are not
provided b...</li>
<li><a
href="https://github.com/redis/go-redis/commit/a4b234f4a4f2551d1179181bbc136db132bf5912"><code>a4b234f</code></a>
chore(deps): bump codecov/codecov-action from 6 to 7 (<a
href="https://redirect.github.com/redis/go-redis/issues/3845">#3845</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/974e717dbf3008497e54aec34636e34452e6872b"><code>974e717</code></a>
fix(command): ignore unknown fields in CLUSTER SHARDS response (<a
href="https://redirect.github.com/redis/go-redis/issues/3843">#3843</a>)</li>
<li><a
href="https://github.com/redis/go-redis/commit/65d6abde0d812234d26763930b5e84ff05963c96"><code>65d6abd</code></a>
fix(pubsub): prevent double reconnect in releaseConn (<a
href="https://redirect.github.com/redis/go-redis/issues/3833">#3833</a>)</li>
<li>See full diff in <a
href="https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/45460e079737ecb64f30d79d3d6fc2914494fa66"><code>45460e0</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/d37c95e27de65576f42440cdfbc261d810506841"><code>d37c95e</code></a>
pkcs12: limit PBKDF iteration count to prevent CPU exhaustion</li>
<li><a
href="https://github.com/golang/crypto/commit/e2ffffe738fb46531cd8924bab497bdc77d9ecc8"><code>e2ffffe</code></a>
ssh: reject incomplete gssapi-with-mic configurations</li>
<li><a
href="https://github.com/golang/crypto/commit/60e158ad30c226555794539d96f0f104f43395f7"><code>60e158a</code></a>
ssh/test: isolate CLI tests from user SSH config and agent</li>
<li><a
href="https://github.com/golang/crypto/commit/1b77d23dc8afb26a494e331a3c637b6de88398d2"><code>1b77d23</code></a>
ssh/knownhosts: reject lines with multiple or unknown markers</li>
<li><a
href="https://github.com/golang/crypto/commit/3872a2bc69f464352dea49c2856955ef7c5d5851"><code>3872a2b</code></a>
ssh/knownhosts: verify declared key type matches decoded key</li>
<li><a
href="https://github.com/golang/crypto/commit/9f72eccdf6fa09a7c68448a7fdc333dd2deb7d9d"><code>9f72ecc</code></a>
ssh/knownhosts: treat only ASCII space and tab as whitespace</li>
<li><a
href="https://github.com/golang/crypto/commit/8f405a4109d7ce87a44f89185bdc385914ce5c13"><code>8f405a4</code></a>
ssh: validate ECDSA curve matches expected algorithm</li>
<li><a
href="https://github.com/golang/crypto/commit/bb41b3dbe630c21c78e3aeb0ebdd8d06a3a34fcf"><code>bb41b3d</code></a>
ssh: improve DH GEX group selection using PreferredBits</li>
<li><a
href="https://github.com/golang/crypto/commit/e04e7219970912a40f80c4b13029416fdf960eeb"><code>e04e721</code></a>
ssh/agent: validate ed25519 private key length in Add</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.52.0...v0.53.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/net` from 0.55.0 to 0.56.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/9e7fdbfadb32b0cc7524100014c5cf9b6adc7729"><code>9e7fdbf</code></a>
internal/http3: fix wrong argument being given when validating header
value</li>
<li><a
href="https://github.com/golang/net/commit/b686e5f3573e5f55120d664fc283ed7e80c1af3c"><code>b686e5f</code></a>
internal/http3: add gzip support to transport</li>
<li><a
href="https://github.com/golang/net/commit/8a348850ed6818306667722af2b42a6fc63473e0"><code>8a34885</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/72eaf98743302f6e0ad10883163dfc46dc8e8183"><code>72eaf98</code></a>
dns/dnsmessage: correctly validate SVCB record parameter order</li>
<li><a
href="https://github.com/golang/net/commit/82e7868a02167540748b74780b0bf825985256f7"><code>82e7868</code></a>
dns/dnsmessage: avoid panic when parsing SVCB record with truncated
data</li>
<li><a
href="https://github.com/golang/net/commit/b64f1fa4c615965246e5b9e5c9d614916fa8967d"><code>b64f1fa</code></a>
internal/http3: add server support for "Trailer:" magic
prefix</li>
<li><a
href="https://github.com/golang/net/commit/2707ee21efea70599446dd35979b1d1aedf44ada"><code>2707ee2</code></a>
internal/http3: implement HTTP/3 clientConn methods</li>
<li><a
href="https://github.com/golang/net/commit/31358cc259a764905194e3d6c597375b0ff366c1"><code>31358cc</code></a>
internal/http3: snapshot response headers at WriteHeader time</li>
<li><a
href="https://github.com/golang/net/commit/8ecbaa95fea823c19fa74c5c3b53e0bccd473828"><code>8ecbaa9</code></a>
html: don't adjust xml:base</li>
<li><a
href="https://github.com/golang/net/commit/8ae811abe5c2daa55c68d51a101af1c5751a4d55"><code>8ae811a</code></a>
html: properly handle end script tag in fragment mode</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.55.0...v0.56.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/sync/commit/5071ed6a9f1617117556b66384f765c934de3698"><code>5071ed6</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.20.0...v0.21.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/term` from 0.43.0 to 0.44.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/3b43943a9e7de876a5d5e1f5e7da7cdeae0f542a"><code>3b43943</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.43.0...v0.44.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/text` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/text/commit/f4bb6328041b090f85b93014bd369edfcd24bdef"><code>f4bb632</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/text/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump alpine from `5b10f43` to `a2d49ea` in /packaging (#4064)
Bumps alpine from `5b10f43` to `a2d49ea`.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: apply workaround for readTimeout (#4061)
feature: Use go-brrr as brotli backend (#4066)
test: fix flaky tests in proxylistener (#4055)
test: fix flaky tests in proxylistener
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
migrate: docker image location on GHCR only (#4054)
doc: delete reference to registry.opensource.zalan.do/teapot/skipper
Please everyone migrate to ghcr.io/zalando/skipper
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: routing is not a security feature (#4052)
doc: routing is not a security feature
---------
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
fix: unbounded read of consuming the http.Body in the validation webhook (#4053)
fix: unbounded read of consuming the http.Body in the validation webhook
Reported by @alcls01111
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: templating security (#4050)
doc: templating security
Thanks @alcls01111 for reporting this.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
doc: setDynamicBackendUrlFromHeader SSRF risk (#4051)
doc: setDynamicBackendUrlFromHeader SSRF risk
It was forgotten to document the risk and we got a second researcher
telling about this filter risk.
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
go: update to 1.26.4 (#4046)
remove not needed replace directive
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Fix oidcClaimsQuery example (#4048)
feature: proxy mTLS support (#4037)
feature: proxy mTLS support implementation based on net.Client and net.CertReloader
Added test cases by ai and validated the code that it is testing as
expected.
---------
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
build(deps): bump oss-fuzz-base/base-builder-go from `3c453ef` to `972dea5` in /.clusterfuzzlite (#4040)
Bumps oss-fuzz-base/base-builder-go from `3c453ef` to `972dea5`.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: eliminate race in TestCacheFilter_ColdMissCoalescing (#4034)
## Problem
`TestCacheFilter_ColdMissCoalescing` was intermittently failing under
`-race` with:
```
--- FAIL: TestCacheFilter_ColdMissCoalescing (0.00s)
filter_test.go:401: expected 1 upstream fetch, got 2
```
The test asserts that 50 concurrent cold-miss requests coalesce into
exactly one upstream fetch via `singleflight.DoChan`.
The previous synchronization used a `sync.WaitGroup` (`wgIn`) where each
goroutine called `wgIn.Done()` **before** calling `f.Request()`. The
fetch stub blocked on `wgIn.Wait()`, intending to hold the singleflight
open until all goroutines had joined it.
This had a
[TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to-time-of-use)
gap: a goroutine could call `wgIn.Done()`, get preempted, and resume
while the fetch stub had already unblocked from `wgIn.Wait()` but had
not yet called `storage.Set()`. At that point the goroutine would call
`storage.Get()` → `nil` and enter `DoChan()`. If the leader's `fetchFn`
had returned in the interim, `DoChan()` would start a new singleflight
round and fire a second upstream fetch. Under the race detector's
overhead this window was wide enough to trigger reliably.
## Fix
Replaced `wgIn` with a `missCounting` storage wrapper that embeds a
`sync.WaitGroup`. Each goroutine calls `wg.Done()` inside
`storage.Get()` at the exact moment it observes a cache miss - the last
possible point before `coalesce()` → `DoChan()`. The fetch stub calls
`wg.Wait()`, which durably blocks `fetchFn` until all N goroutines have
confirmed a miss and are either inside `DoChan`'s waitlist or in the
scheduler-opaque gap immediately before it. Only then does `fetchFn`
call `storage.Set()` and return, closing the singleflight round.
The main goroutine's spin loop was replaced with a `fetchStarted`
channel closed by the fetch stub on entry, eliminating all busy-waits.
### Before
<img width="6795" height="4395" alt="Goroutine Missed
Window-2026-05-26-141411"
src="https://github.com/user-attachments/assets/0fb1da49-0707-49b3-a49e-c83fc5e42299"
/>
### After
<img width="5770" height="2840" alt="Goroutine Missed
Window-2026-05-26-141426"
src="https://github.com/user-attachments/assets/73b8ffe0-6563-4841-a18d-f2c46f46fe0f"
/>
No production code was changed.
---------
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
build(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0 (#4038)
Bumps
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action)
from 4.0.0 to 4.1.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.0</h2>
<ul>
<li>Add <code>reset</code> input to uninstall current emulators by <a
href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/21">docker/setup-qemu-action#21</a></li>
<li>Bump <code>@docker/actions-toolkit</code> from 0.77.0 to 0.91.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/250">docker/setup-qemu-action#250</a>
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/247">docker/setup-qemu-action#247</a></li>
<li>Bump brace-expansion from 1.1.12 to 1.1.15 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/265">docker/setup-qemu-action#265</a></li>
<li>Bump fast-xml-builder from 1.0.0 to 1.2.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/286">docker/setup-qemu-action#286</a></li>
<li>Bump fast-xml-parser from 5.4.2 to 5.8.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/255">docker/setup-qemu-action#255</a></li>
<li>Bump flatted from 3.3.3 to 3.4.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/257">docker/setup-qemu-action#257</a></li>
<li>Bump glob from 10.3.15 to 10.5.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/254">docker/setup-qemu-action#254</a></li>
<li>Bump handlebars from 4.7.8 to 4.7.9 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/262">docker/setup-qemu-action#262</a></li>
<li>Bump lodash from 4.17.23 to 4.18.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/273">docker/setup-qemu-action#273</a></li>
<li>Bump postcss from 8.5.6 to 8.5.10 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/285">docker/setup-qemu-action#285</a></li>
<li>Bump tar from 6.2.1 to 7.5.15 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/287">docker/setup-qemu-action#287</a></li>
<li>Bump tmp from 0.2.5 to 0.2.6 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/291">docker/setup-qemu-action#291</a></li>
<li>Bump undici from 6.23.0 to 6.26.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/251">docker/setup-qemu-action#251</a></li>
<li>Bump vite from 7.3.1 to 7.3.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/271">docker/setup-qemu-action#271</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0">https://github.com/docker/setup-qemu-action/compare/v4.0.0...v4.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/06116385d9baf250c9f4dcb4858b16962ea869c3"><code>0611638</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/21">#21</a>
from crazy-max/uninst</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce59c818a5ff16552ddf7407ee7cb00bea682925"><code>ce59c81</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/2ddad4401e17fa807e8a3c4bd289ccdd993f0868"><code>2ddad44</code></a>
uninstall current emulators</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/8c37cd6f3456e1f3f3026250eac496709e9e7e10"><code>8c37cd6</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/250">#250</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/d1a0ff34af591b8e290e46f3fa114ef5bb81cd1c"><code>d1a0ff3</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/0a8f3dc12541cc2c3b19c182a1a2c90a2c8b8d93"><code>0a8f3dc</code></a>
build(deps): bump <code>@docker/actions-toolkit</code> from 0.79.0 to
0.91.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/9430f61a7691bd1bfdc4d6ba70e558659d36fa7a"><code>9430f61</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/291">#291</a>
from docker/dependabot/npm_and_yarn/tmp-0.2.6</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/978bd7796cb6698377e7af6726b726e5ced642d0"><code>978bd77</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/3479febc62cc0fbcb98c7c7fc0dac778c0d79d6a"><code>3479feb</code></a>
build(deps): bump tmp from 0.2.5 to 0.2.6</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b113c264143c28c2974bed61af25be32d32f4782"><code>b113c26</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/255">#255</a>
from docker/dependabot/npm_and_yarn/fast-xml-parser-5...</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/ce360397dd3f832beb865e1373c09c0e9f86d70a...06116385d9baf250c9f4dcb4858b16962ea869c3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: wait for cipher refresher goroutine to exit on Close (#4036)
# Related Issue
Fixes a goroutine leak found while working on #4034.
## Problem
`Registry.Close()` called `v.Close()` on each encrypter but returned
immediately, leaving the `runCipherRefresher` goroutine running until it
observed the closed channel on its next select iteration. Under `noleak`
this caused a test failure in the `secrets` package.
## Fix
Initialize `closedHook` inside `runCipherRefresher` (only when a
goroutine is actually started) and drain it in `Registry.Close()` so
shutdown blocks until the goroutine has exited. The `nil` guard on the
drain ensures encrypters created without a refresh interval (no
goroutine started) are unaffected.
No behavior change in production - `Close()` is only called at shutdown.
---------
Signed-off-by: Larry D Almeida <hello@larrydalmeida.com>
introduce timeout for decicion log task (#4035)
## Problem
When asyncDecisionLogging is enabled and a new policy bundle is
deployed, eopa_dl.Reconfigure() calls Stop() on the running Benthos
stream followed by Start() on a new one. If `runDecisionLogger` is
inside stream.Consume() on the old stream at that moment, the Benthos
producer closure tries to write the decision event to an internal
channel whose reader (inproc input) has been destroyed by Stop().
Because `doLogDecision` was called with context.Background() (without
deadline) the blocked send never returns. `runDecisionLogger` is
permanently stuck on that one call and stops draining `decisionLogChan`.
With the goroutine stuck, once the channel fills to capacity
(buffer_size_limit_events), every subsequent `logDecision` call hits the
non-blocking default branch and drops the event, logging "Decision log
dropped: async buffer full." The warning continues indefinitely with no
self-recovery. The only fix prior to this change was a pod restart.
## Fix
Set timeout for the context passed for decision logging. The value for
the timeout is decided using the configured timeout for the eopa_dl
output type
---------
Signed-off-by: nuwandi-wickramasinghe_zse <nuwandi.wickramasinghe@zalando.de>
Co-authored-by: nuwandi-wickramasinghe_zse <nuwandi.wickramasinghe@zalando.de>
build(deps): bump the all-go-mod-patch-and-minor group with 13 updates (#4039)
Bumps the all-go-mod-patch-and-minor group with 13 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) |
`9.19.0` | `9.20.0` |
|
[go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib)
| `0.68.0` | `0.69.0` |
|
[go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib)
| `0.68.0` | `0.69.0` |
|
[go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/bridge/opentracing](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
|
[go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go)
| `1.43.0` | `1.44.0` |
Updates `github.com/redis/go-redis/v9` from 9.19.0 to 9.20.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/redis/go-redis/releases">github.com/redis/go-redis/v9's
releases</a>.</em></p>
<blockquote>
<h2>9.20.0</h2>
<h2>🚀 Highlights</h2>
<h3>Redis 8.8 Support</h3>
<p>This release adds support for <strong>Redis 8.8</strong>. The
README's supported-versions list now includes Redis 8.8 alongside
8.0/8.2/8.4, and CI exercises the <code>8.8</code> client-libs-test
image across the full suite (Makefile, build workflow, doctests,
run-tests action, and docker-compose).</p>
<p>Coverage for the new commands that ship in the 8.x line, rounded out
in this release:</p>
<ul>
<li><strong><code>AR*</code> array data type</strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3813">#3813</a>) —
new array data structure, exposed via the <code>ArrayCmdable</code>
interface (see the experimental-features highlight below).</li>
<li><strong><code>INCREX</code></strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3816">#3816</a>) —
atomic increment with expiration in a single round-trip.</li>
<li><strong><code>XNACK</code></strong> (<a
href="https://redirect.github.com/redis/go-redis/pull/3790">#3790</a>) —
explicit negative-acknowledge of pending stream entries.</li>
<li><strong><code>XAUTOCLAIM</code> PEL deletes</strong> (<…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix: host metrics should be measured and stored correctly in case of HostAny() predicate
Before this fix we measured a route like the following in the bucket
"_unknownhost_":