chore(deps): bump the dependencies group with 15 updates

[dependabot]

Bumps the dependencies group with 15 updates:

Package	From	To
github.com/Scalingo/go-scalingo/v9	9.1.0	9.2.0
github.com/Scalingo/go-utils/logger	1.11.0	1.12.0
github.com/go-git/go-git/v5	5.16.5	5.17.0
golang.org/x/crypto	0.47.0	0.48.0
golang.org/x/term	0.39.0	0.40.0
golang.org/x/text	0.33.0	0.34.0
github.com/ProtonMail/go-crypto	1.3.0	1.4.0
github.com/clipperhouse/displaywidth	0.8.0	0.11.0
github.com/clipperhouse/uax29/v2	2.4.0	2.7.0
github.com/go-git/go-billy/v5	5.7.0	5.8.0
github.com/kevinburke/ssh_config	1.4.0	1.6.0
github.com/mattn/go-runewidth	0.0.19	0.0.20
github.com/olekukonko/ll	0.1.4-0.20260115111900-9e59c2286df0	0.1.7
golang.org/x/net	0.49.0	0.51.0
golang.org/x/sys	0.40.0	0.41.0

Updates github.com/Scalingo/go-scalingo/v9 from 9.1.0 to 9.2.0

Release notes

Sourced from github.com/Scalingo/go-scalingo/v9's releases.

v9.2.0

What's Changed

• feat(http-client): add extra headers targeting specific APIs by @​aurelien-reeves-scalingo in Scalingo/go-scalingo#473 and Scalingo/go-scalingo#475

Full Changelog: Scalingo/go-scalingo@v9.1.0...v9.2.0

Changelog

Sourced from github.com/Scalingo/go-scalingo/v9's changelog.

9.2.0

• feat(http-client): add extra headers targeting specific APIs

Commits

• c38c2d0 Merge pull request #474 from Scalingo/release/9.2.0
• 30f642f Merge branch 'master' into release/9.2.0
• 7444993 [STORY-3234] fix(http-client): Make extra-headers targetting specific APIs (#...
• 9ed508d Merge pull request #476 from Scalingo/docs/readme/link_major_version
• 484f7fb docs(readme): reminder to update public doc page
• 509b18f Update README.md
• 5781227 Bump v9.2.0
• 0b823b5 [STORY-3234] feat(http-client): Add possibility to add extra headers to HTTP ...
• f653521 Merge pull request #472 from Scalingo/dependabot/go_modules/dependencies-c144...
• 6baf4f9 chore(deps): bump golang.org/x/text in the dependencies group
• See full diff in compare view

Updates github.com/Scalingo/go-utils/logger from 1.11.0 to 1.12.0

Commits

• 2def015 Merge pull request #1459 from Scalingo/release/logger/1.12.0
• 5e9bf41 [logger] Bump v1.12.0
• ab67728 Merge pull request #1458 from Scalingo/build/errors_v3
• 3e63f5f Merge pull request #1457 from Scalingo/feat/1456/logger_ObjectId_Hex
• 1fe63b9 build(deps): update github.com/Scalingo/go-utils/errors from v2 to v3
• 686b1d2 feat(logger): automatically call Hex on ObjectId values
• 403e83d Merge pull request #1454 from Scalingo/dependabot/go_modules/postgresql/depen...
• 3958a7d Merge pull request #1442 from Scalingo/dependabot/go_modules/gomock_generator...
• dfdf3e1 Merge pull request #1455 from Scalingo/dependabot/go_modules/otel/dependencie...
• 3ef810e Merge pull request #1452 from Scalingo/dependabot/go_modules/nsqconsumer/depe...
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in go-git/go-git#1853
• git: Add strict checks for supported extensions by @​pjbgf in go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits

• bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
• 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
• 5d20a62 storage: filesystem, Fix permissions for loose and packed objs
• 8ed442c backport, git: Improve Status() speed with new index.ModTime check (#1862)
• c7b5960 build: Align test workflow with main
• 8e71edf git: Add strict checks for supported extensions
• 438a37f git: worktree, optimize infiles function for very large repos (#1853)
• 67c7006 Merge pull request #1839 from go-git/renovate/releases/v5.x-go-github.com-go-...
• 4ca3f02 build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY]
• See full diff in compare view

Updates golang.org/x/crypto from 0.47.0 to 0.48.0

Commits

• e08b067 go.mod: update golang.org/x dependencies
• 7d0074c scrypt: fix panic on parameters <= 0
• See full diff in compare view

Updates golang.org/x/term from 0.39.0 to 0.40.0

Commits

• 3aff304 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/text from 0.33.0 to 0.34.0

Commits

• 817fba9 go.mod: update golang.org/x dependencies
• 3264de9 all: clean up old Go hacks
• 74af298 all: fix tags in remaining Unicode tables
• 117e03b all: delete old Unicode tables
• 9463ea4 all: update to Unicode 17
• 7278b25 internal/export/idna: update for post-Unicode 10 idna changes
• f964ad8 internal/export/idna: delete old code
• 678d34e unicode/norm: preserve QC Maybe bit in packed forminfo
• See full diff in compare view

Updates github.com/ProtonMail/go-crypto from 1.3.0 to 1.4.0

Release notes

Sourced from github.com/ProtonMail/go-crypto's releases.

Release v1.4.0

What's Changed

• Ignore leading and trailing whitespaces in the armor body in ProtonMail/go-crypto#288
• Update key_generation.go, rename variables to avoid shadowing in ProtonMail/go-crypto#290
• Add InsecureGenerateNonCriticalKeyFlags option to generate non-critical key flags signature subpackets in ProtonMail/go-crypto#291
• Add InsecureGenerateNonCriticalSignatureCreationTime option to generate non-critical signature creation time subpackets in ProtonMail/go-crypto#292
• Bump dependencies and min go version to 1.23 in ProtonMail/go-crypto#294
• ECDHv4: Error on low-order x25519 public key curve points in ProtonMail/go-crypto#299
• Cleartext: Only allow valid hashes in header in ProtonMail/go-crypto#298

Full Changelog: ProtonMail/go-crypto@v1.3.0...v1.4.0

Release v1.4.0-proton

This release is v1.4.0 with support for the following non-standardized features:

• Presistent symmetric keys experimental + latest draft draft-ietf-openpgp-persistent-symmetric-keys-00
• Automatic forwarding draft-wussler-openpgp-forwarding-00
• Post-quantum algorithms draft-ietf-openpgp-pqc (Updated to draft-ietf-openpgp-pqc-09)

Commits

• a8cc4f0 Merge pull request #298 from ProtonMail/feat/cleartext-hash-header
• 57f891b Merge branch 'main' into feat/cleartext-hash-header
• da5c190 Merge pull request #299 from ProtonMail/fix/ecdh-low-order-curve-points
• 3cc59b0 Merge branch 'main' into feat/cleartext-hash-header
• b11bd23 fix(ecdh): Do not allow low order public key points
• b6bdd12 Merge pull request #294 from ProtonMail/chore/bump-go-and-circl
• b1ff3d5 Bump crypto dependencies and min go version to 1.23
• cfb2af9 fix(cleartext): Check hashes in headers
• de87788 Add InsecureGenerateNonCriticalSignatureCreationTime option to generate non-c...
• 0906643 Add InsecureGenerateNonCriticalKeyFlags option to generate non-critical key f...
• Additional commits viewable in compare view

Updates github.com/clipperhouse/displaywidth from 0.8.0 to 0.11.0

Changelog

Sourced from github.com/clipperhouse/displaywidth's changelog.

[0.11.0]

Compare

Added

• New ControlSequences8Bit option to treat 8-bit ECMA-48 (C1) escape sequences as zero-width. (#22)

Changed

• Upgraded uax29 dependency to v2.7.0 for 8-bit escape sequence support in the grapheme iterator.
• Truncation now validates that preserved trailing escape sequences are zero-width, preventing edge cases where non-zero-width sequences could leak into output.

Note

• ControlSequences8Bit is deliberately ignored by TruncateString and TruncateBytes, because C1 byte values (0x80–0x9F) overlap with UTF-8 multi-byte encoding.

[0.10.0]

Compare

Added

• New ControlSequences option to treat ECMA-48/ANSI escape sequences as zero-width. (#20)
• TruncateString and TruncateBytes now preserve trailing ANSI escape sequences (such as SGR resets) when ControlSequences is true, preventing color bleed in terminal output.

Changed

• Removed stringish dependency; generic type constraints are now inline ~string | []byte.
• Upgraded uax29 dependency to v2.6.0 for ANSI escape sequence support in the grapheme iterator.

[0.9.0]

Compare

Changed

• Unicode 17 support: East Asian Width and emoji data updated to Unicode 17.0.0. (#18)
• Upgraded uax29 dependency to v2.5.0 (Unicode 17 grapheme segmentation).

Commits

• b6da6e7 improve fuzz
• 09f66ac Update CHANGELOG.md
• 4b8f6a9 Update AGENTS.md
• 77f9fe2 Adopt 8-bit ANSI option (#22)
• 4af33d5 Update uax29
• 154f35a Subsequent escapes included in Truncate (#21)
• a8c4d02 Update CHANGELOG.md
• 3f6299a reduce stringish dependency
• 21f4a99 update actions
• 41280f9 Option to treat control sequences as 0 width (#20)
• Additional commits viewable in compare view

Updates github.com/clipperhouse/uax29/v2 from 2.4.0 to 2.7.0

Release notes

Sourced from github.com/clipperhouse/uax29/v2's releases.

v2.5.0

What's Changed

• Unicode 17 by @​aymanbagabas in clipperhouse/uax29#44
• Fast paths for ASCII by @​clipperhouse in clipperhouse/uax29#42

Breaking change

The returned iterator type from FromString() and FromBytes() is now a pointer. This will not present a problem if you are just using it in the typical way, which is assigning to a local variable and iterating.

If you are embedding this iterator into another object, and therefore declaring its type, this change might break your compilation. You’ll need to change to a pointer type. Apologies if so — this seems like a small enough change that a v3 would be a bit much.

New Contributors

• @​aymanbagabas made their first contribution in clipperhouse/uax29#44

Full Changelog: clipperhouse/uax29@v2.4.0...v2.5.0

Commits

• b03477d Update iterator.go
• 9378e43 Implement 8-bit ANSI (#49)
• 5f88a8a Remove last of stringish
• 96f513b Simpler SB11 logic, remove one use of stringish
• 3ca6c4b test fewer version
• fce861b update actions
• c935fe1 Implement UTF-8 C1 control sequences (#48)
• a58d485 Update README.md
• 18e08f6 Reduce stringish dependency
• 4a5d8ea ANSI escape sequences as grapheme clusters (#47)
• Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v5 from 5.7.0 to 5.8.0

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.8.0

What's Changed

• build: Update module golang.org/x/net to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-billy#183
• v5: Ensure Chmod behaviour across BoundOS and ChrootOS by @​pjbgf in go-git/go-billy#187

Full Changelog: go-git/go-billy@v5.7.0...v5.8.0

Commits

• 8662784 Merge pull request #187 from pjbgf/windows-rename
• f387d62 build: Update test workflow to rely on oldstable/stable
• 915dae9 polyfill: Add support for Chmod
• f3d5600 osfs: Create dir for BoundOS Tempfiles
• 247a741 Merge pull request #183 from go-git/renovate/releases/v5.x-go-golang.org-x-ne...
• 1c0c9d5 build: Update module golang.org/x/net to v0.45.0 [SECURITY]
• See full diff in compare view

Updates github.com/kevinburke/ssh_config from 1.4.0 to 1.6.0

Changelog

Sourced from github.com/kevinburke/ssh_config's changelog.

Changes

Version 1.7 (unreleased)

Update default values to match current openssh-portable (previously based on OpenSSH 7.4p1 from 2016).

Breaking changes:

• Remove Cipher default (SSH protocol 1 only, deprecated in openssh-portable)
• Remove ChallengeResponseAuthentication default (alias for KbdInteractiveAuthentication)
• Remove CompressionLevel default (unsupported in openssh-portable)
• Remove Protocol default (silently ignored in openssh-portable)
• Remove RhostsRSAAuthentication default (SSH protocol 1 only, unsupported)
• Remove RSAAuthentication default (SSH protocol 1 only, unsupported)
• Remove UsePrivilegedPort default (deprecated in openssh-portable)
• Remove IdentityFile default of ~/.ssh/identity (SSH protocol 1 only)
• Change CheckHostIP default from "yes" to "no"
• Change UpdateHostKeys default from "no" to "yes"
• Change Ciphers default to remove CBC ciphers
• Change KexAlgorithms default to add post-quantum algorithms and remove SHA1 variants
• Change HostKeyAlgorithms default to add sk-, webauthn-, rsa-sha2-* and remove ssh-rsa
• Change HostbasedKeyTypes default (same as HostKeyAlgorithms)
• Change PubkeyAcceptedKeyTypes default (same as HostKeyAlgorithms)
• Change ForwardX11Timeout default from "20m" to "1200" (same duration, now in seconds)
• Rename defaultProtocol2Identities to defaultIdentityFiles
• Remove ~/.ssh/id_dsa from default identity files
• Remove ForwardAgent from strict yes/no validation (now also accepts a socket path)
• Remove CompressionLevel from uint validation

Other changes:

• Add ControlPersist default ("no")
• Add RequestTTY default ("auto")
• Add SessionType default ("default")
• Add CASignatureAlgorithms default
• Add HostbasedAcceptedAlgorithms default (new name for HostbasedKeyTypes)
• Add PubkeyAcceptedAlgorithms default (new name for PubkeyAcceptedKeyTypes)
• Add ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ed25519_sk to default identity files

Version 1.6 (released February 16, 2026)

• Support ~ as the user's home directory in Include directives, matching the behavior described in ssh_config(5). Thanks to Neil Williams for the report (#31).

• Strip surrounding double quotes from parsed values. OpenSSH allows values like IdentityFile "/path/to/file", but Get/GetAll previously returned the quotes as literal characters. Quotes are now stripped from the returned value while preserving the original text for faithful roundtripping via String() and

... (truncated)

Commits

• ac007ea CHANGELOG.md: add v1.6.0 changes, backfill v1.5.0 section
• 6f3abd7 config: support ~ as user's home directory in Include
• cc9f700 config: simplify composite literal in newConfig
• 538d5a7 config: default to a space before '#' in EOL comments
• 04e0fd6 config: strip surrounding double quotes from parsed values
• 568811a ci: disable setup-go cache, update checkout to v6
• e0b4ce9 1.5.0
• f2e12b8 CHANGELOG.md: improve fidelity and dates
• f1fac02 all: implement Match support
• 482de70 SECURITY.md: add
• Additional commits viewable in compare view

Updates github.com/mattn/go-runewidth from 0.0.19 to 0.0.20

Commits

• e24866b Merge pull request #88 from knowledgejunkie/unicode-17.0.0
• 54b775a Support Unicode 17.0.0
• See full diff in compare view

Updates github.com/olekukonko/ll from 0.1.4-0.20260115111900-9e59c2286df0 to 0.1.7

Commits

• See full diff in compare view

Updates golang.org/x/net from 0.49.0 to 0.51.0

Commits

• 60b3f6f internal/http3: prevent Server handler from writing longer body than declared
• b0ca456 internal/http3: fix Write in Server Handler returning the wrong value
• 1558ba7 publicsuffix: update to 2026-02-06
• 4e1c745 internal/http3: make Server response include headers that can be inferred
• 19f580f http2: fix nil panic in typeFrameParser for unassigned frame types
• 818aad7 internal/http3: add server to client trailer header support
• c1bbe1a internal/http3: add client to server trailer header support
• 29181b8 all: remove go1.25 and older build constraints
• 8109305 all: upgrade go directive to at least 1.25.0 [generated]
• 0b37bdf quic: don't run TestStreamsCreateConcurrency in synctest bubble
• Additional commits viewable in compare view

Updates golang.org/x/sys from 0.40.0 to 0.41.0

Commits

• fc646e4 cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows
• f11c7bb windows: add IsProcessorFeaturePresent and processor feature consts
• d25a7aa unix: add IoctlSetString on all platforms
• 6fb913b unix: return early on error in Recvmsg
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions