Update gomod dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
github.com/aws/aws-sdk-go-v2	v1.41.7 → v1.42.0			require	minor
github.com/aws/aws-sdk-go-v2/config	v1.32.18 → v1.32.25			require	patch
github.com/aws/aws-sdk-go-v2/credentials	v1.19.17 → v1.19.24			require	patch
github.com/aws/aws-sdk-go-v2/feature/rds/auth	v1.6.23 → v1.6.29			require	patch
github.com/aws/aws-sdk-go-v2/service/kms	v1.52.0 → v1.53.4			require	minor
github.com/aws/aws-sdk-go-v2/service/s3	v1.101.0 → v1.103.3			require	minor	v1.104.0
github.com/aws/aws-sdk-go-v2/service/ses	v1.34.24 → v1.35.2			require	minor
github.com/aws/aws-sdk-go-v2/service/sns	v1.39.17 → v1.40.1			require	minor
github.com/aws/aws-sdk-go-v2/service/sts	v1.42.1 → v1.43.3			require	minor
github.com/aws/smithy-go	v1.25.1 → v1.27.2			require	minor
github.com/cockroachdb/pebble/v2	v2.1.5 → v2.1.6			require	patch
github.com/go-mysql-org/go-mysql	06b4fb6 → ace1fb4			require	digest
github.com/lestrrat-go/httprc/v3	v3.0.5 → v3.0.6			require	patch
github.com/slack-go/slack	v0.24.0 → v0.25.0			require	minor	v0.26.0
github.com/snowflakedb/gosnowflake/v2	v2.0.2 → v2.1.0			require	minor
github.com/twmb/franz-go	v1.21.2 → v1.21.3			require	patch
github.com/urfave/cli/v3	v3.9.0 → v3.9.1			require	patch	v3.10.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.68.0 → v0.69.0			require	minor
go.opentelemetry.io/otel	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/metric	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/sdk	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/sdk/metric	v1.43.0 → v1.44.0			require	minor
go.opentelemetry.io/otel/trace	v1.43.0 → v1.44.0			require	minor
go.temporal.io/api	v1.62.12 → v1.62.14			require	patch
go.temporal.io/sdk	v1.44.0 → v1.44.1			require	patch	v1.45.0
golang.org/x/crypto	v0.52.0 → v0.53.0			require	minor
golang.org/x/exp	74f9aab → c48552f			require	digest
golang.org/x/mod	v0.36.0 → v0.37.0			require	minor
golang.org/x/sync	v0.20.0 → v0.21.0			require	minor
golang.org/x/tools	v0.45.0 → v0.46.0			require	minor
k8s.io/apimachinery	v0.36.1 → v0.36.2			require	patch

---

Release Notes

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)

v1.42.0

Compare Source

General Highlights

• Dependency Update: Bump smithy-go to 1.25.0 to support endpointBdd trait
• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.43.0
  • Feature: This release adds support for configurable spark properties for Cleanrooms PySpark workloads.
• github.com/aws/aws-sdk-go-v2/service/connect: v1.171.0
  • Feature: Fixes in SDK for customers using TestCase APIs
• github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.12.0
  • Feature: This release adds support for campaign entry limits configuration and hourly refresh frequency in Amazon Connect Outbound Campaigns.
• github.com/aws/aws-sdk-go-v2/service/groundstation: v1.41.0
  • Feature: Adds support for updating contacts, listing antennas, and listing ground station reservations. New API operations - UpdateContact, ListContactVersions, DescribeContactVersion, ListAntennas, and ListGroundStationReservations.
• github.com/aws/aws-sdk-go-v2/service/imagebuilder: v1.53.0
  • Feature: ImportDiskImage API adds registerImageOptions for Secure Boot control and custom UEFI data. It adds windowsConfiguration for selecting a specific edition from multi-image .wim files during ISO import.
• github.com/aws/aws-sdk-go-v2/service/neptune: v1.44.4
  • Documentation: Improving Documentation for Neptune
• github.com/aws/aws-sdk-go-v2/service/quicksight: v1.107.0
  • Feature: Public release of dashboard customization summary, S3 Tables data source type, Athena cross-account connector, custom sorting for controls, and AI-powered analysis generation.
• github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.241.0
  • Feature: Adds support for providing NetworkInterface for efa enabled instances and Simplified cluster creation for Slurm-orchestrated clusters with optional Lifecycle Script (LCS) configuration.
• github.com/aws/aws-sdk-go-v2/service/sts: v1.42.0
  • Feature: The STS client now supports configuring SigV4a through the auth scheme preference setting. SigV4a uses asymmetric cryptography, enabling customers using long-term IAM credentials to continue making STS API calls even when a region is isolated from the partition leader.

v1.41.12

Compare Source

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2: v1.41.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/accessanalyzer: v1.45.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/account: v1.30.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/acm: v1.37.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/acmpca: v1.46.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/aiops: v1.6.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/amp: v1.42.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/amplify: v1.38.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/amplifybackend: v1.32.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder: v1.28.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/apigateway: v1.39.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi: v1.29.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/apigatewayv2: v1.34.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appconfig: v1.43.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appconfigdata: v1.23.22
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appfabric: v1.16.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appflow: v1.51.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appintegrations: v1.37.7
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/applicationautoscaling: v1.41.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler: v1.27.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice: v1.35.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/applicationinsights: v1.34.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/applicationsignals: v1.19.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appmesh: v1.35.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/apprunner: v1.39.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appstream: v1.54.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/appsync: v1.53.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/arcregionswitch: v1.6.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/arczonalshift: v1.22.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/artifact: v1.15.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/athena: v1.57.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/auditmanager: v1.46.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/autoscaling: v1.64.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/autoscalingplans: v1.30.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/b2bi: v1.0.0-preview.100
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/backup: v1.54.11
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/backupgateway: v1.26.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/backupsearch: v1.6.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/batch: v1.63.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bcmdashboards: v1.1.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bcmdataexports: v1.14.0
  • Feature: With this release we are providing an option to accounts to have their export delivered to an S3 bucket that is not owned by the account.
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator: v1.10.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions: v1.1.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrock: v1.57.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockagent: v1.52.7
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockagentcore: v1.15.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol: v1.25.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime: v1.51.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation: v1.13.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime: v1.10.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/bedrockruntime: v1.50.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/billing: v1.10.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/billingconductor: v1.28.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/braket: v1.39.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/budgets: v1.43.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chatbot: v1.14.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chime: v1.41.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chimesdkidentity: v1.27.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines: v1.26.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings: v1.33.15
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging: v1.32.17
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/chimesdkvoice: v1.28.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cleanrooms: v1.42.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cleanroomsml: v1.22.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloud9: v1.33.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudcontrol: v1.29.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/clouddirectory: v1.30.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudformation: v1.71.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudfront: v1.60.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore: v1.12.24
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudhsm: v1.29.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudhsmv2: v1.34.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudsearch: v1.32.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain: v1.28.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudtrail: v1.55.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudtraildata: v1.17.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudwatch: v1.55.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudwatchevents: v1.32.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.65.0
  • Feature: This release adds parameter support to saved queries in CloudWatch Logs Insights. Define reusable query templates with named placeholders, invoke them using start query. Available in Console, CLI and SDK
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codeartifact: v1.38.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codebuild: v1.68.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codecatalyst: v1.21.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codecommit: v1.33.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codeconnections: v1.10.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codedeploy: v1.35.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codeguruprofiler: v1.29.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codegurureviewer: v1.34.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codegurusecurity: v1.16.24
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codepipeline: v1.46.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codestarconnections: v1.35.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/codestarnotifications: v1.31.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cognitoidentity: v1.33.22
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider: v1.59.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/cognitosync: v1.29.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/comprehend: v1.40.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/comprehendmedical: v1.31.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/computeoptimizer: v1.49.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation: v1.0.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/configservice: v1.62.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connect: v1.166.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connectcampaigns: v1.20.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2: v1.11.4
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connectcases: v1.39.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connectcontactlens: v1.33.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connecthealth: v1.0.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/connectparticipant: v1.36.7
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/controlcatalog: v1.14.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/controltower: v1.28.9
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/costandusagereportservice: v1.34.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/costexplorer: v1.63.6
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/costoptimizationhub: v1.22.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/customerprofiles: v1.57.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/databasemigrationservice: v1.61.10
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/databrew: v1.39.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dataexchange: v1.40.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/datapipeline: v1.30.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/datasync: v1.58.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/datazone: v1.54.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dax: v1.29.16
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/deadline: v1.26.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/detective: v1.38.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/devicefarm: v1.38.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/devopsguru: v1.40.12
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/directconnect: v1.38.15
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/directoryservice: v1.38.16
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/directoryservicedata: v1.7.21
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dlm: v1.35.16
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/docdb: v1.48.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/docdbelastic: v1.20.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/drs: v1.36.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dsql: v1.12.8
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.57.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/dynamodbstreams: v1.32.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ebs: v1.33.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.296.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect: v1.32.20
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ecr: v1.56.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ecrpublic: v1.38.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/ecs: v1.74.1
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/efs: v1.41.14
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/eks: v1.81.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/eksauth: v1.12.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elasticache: v1.51.13
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elasticbeanstalk: v1.34.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing: v1.33.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2: v1.54.10
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elasticsearchservice: v1.39.2
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/elementalinference: v1.0.3
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/emr: v1.59.0
  • Feature: Add StepExecutionRoleArn to RunJobFlow API
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/emrcontainers: v1.40.17
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/emrserverless: v1.39.6
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/entityresolution: v1.26.5
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• github.com/aws/aws-sdk-go-v2/service/eventbridge: v1.45.23
  • Bug Fix: Fix a bug where a recorded clock skew could persist on the client even if the client and server clock ended up realigning.
• `github.com/aw

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • "after 5pm on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: flow/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 20 additional dependencies were updated

Details:

Package	Change
google.golang.org/genproto/googleapis/api	v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260526163538-3dc84a4a5aaa
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.10 -> v1.7.13
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.23 -> v1.18.29
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.23 -> v1.4.29
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.23 -> v2.7.29
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.24 -> v1.4.30
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.9 -> v1.13.12
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.15 -> v1.9.22
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.23 -> v1.13.29
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.23 -> v1.19.29
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.11 -> v1.2.0
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.17 -> v1.31.3
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.36.0 -> v1.36.6
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.43.0 -> v1.44.0
golang.org/x/net	v0.54.0 -> v0.56.0
golang.org/x/sys	v0.45.0 -> v0.46.0
golang.org/x/telemetry	v0.0.0-20260508192327-42602be52be6 -> v0.0.0-20260610154732-fb80ec83bdd9
golang.org/x/term	v0.43.0 -> v0.44.0
golang.org/x/text	v0.37.0 -> v0.38.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260526163538-3dc84a4a5aaa

File name: flow/pkg/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated

Details:

Package	Change
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.10 -> v1.7.13
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.23 -> v1.4.29
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.23 -> v2.7.29
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.24 -> v1.4.30
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.9 -> v1.13.12
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.15 -> v1.9.22
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.23 -> v1.13.29
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.23 -> v1.19.29
github.com/aws/smithy-go	v1.25.1 -> v1.27.1

[claude]

Dependency Bump Review

Reviewed all upstream changelogs for the bumped range. Summary of findings:

Packages reviewed

Package	Bump	Notes
aws-sdk-go-v2 (core + services)	v1.41.7 → v1.41.9	Routine service model updates, BDD endpoint rulesets, SHA-512 support for S3. No breaking changes relevant to PeerDB's usage. credentials v1.19.18 adds restricted file permissions (0600) for login cache — positive security improvement.
aws/smithy-go	v1.25.1 → v1.26.0	Adds StringSlice to endpoint rules functions. Benign.
cockroachdb/pebble/v2	v2.1.5 → v2.1.6	Single bug fix: rowblk: fix IsLowerBound to account for synthetic suffix. Bug-fix-only patch.
go.temporal.io/sdk	v1.44.0 → v1.44.1	Graceful worker shutdown now drains already-polled tasks when the server supports it (requires server flag frontend.enableCancelWorkerPollsOnShutdown=true). Backwards-compatible improvement.
go.temporal.io/api	v1.62.12 → v1.62.13	Patch bump, no notable changes.
google.golang.org/genproto	date bump	Routine regeneration.

Notable behavioral change: OpenTelemetry v1.43.0 → v1.44.0

OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (previously unlimited). PeerDB does not explicitly configure WithCardinalityLimit on its metric views, so this new default will apply. Attribute sets exceeding the limit are dropped and aggregated into an overflow set with otel.metric.overflow=true.

Risk assessment: Low. PeerDB's metric cardinality is driven by unique combinations of flow name, source/destination peer, status, and operation — per instrument, this is very unlikely to approach 2000 for typical deployments. However, large-scale deployments with many concurrent mirrors should be aware. If needed, WithCardinalityLimit(0) can restore unlimited behavior.

Other OTel v1.44.0 changes: Value.Emit() deprecated (PeerDB does not use it), new BYTESLICE/SLICE attribute types, WithMaxRequestSize option for OTLP exporters (default 64 MiB), and various bug fixes (race condition in exemplar reservoir, gzip replay on HTTP redirects).

Security check

• No PII or secret logging introduced — changes are limited to go.mod and go.sum.
• No new stdout/stderr/log outputs added.

Verdict: No regressions found. Looks clean to merge.

🤖 Generated with Claude Code

[claude]

Renovate dependency bump reviewed. Checked upstream release notes for all bumped packages.

AWS SDK Go v2 (v1.41.7 to v1.41.9) - patch. Bug fix for AWS_RESTRICT_FILE_PERMISSIONS and credential cache file permissions. No regressions.

smithy-go (v1.25.1 to v1.26.0) - minor. Dependency update only. No regressions.

cockroachdb/pebble (v2.1.5 to v2.1.6) - patch. Single correctness fix for IsLowerBound with synthetic suffix. No breaking changes.

OpenTelemetry Go (v1.43.0 to v1.44.0) - behavioral changes worth noting:

• Default cardinality limit of 2000 now enforced on all metric instruments. Previously there was no limit. Attribute sets beyond 2000 unique combinations per instrument are dropped into an overflow bucket. PeerDB metrics are keyed by flow name, source/destination peer info, operation type, pipe name, and temporal activity info. The MeterProvider is shared across flows (created once in SetupPeerDBMetricsProvider), so cardinality accumulates across all mirrors. For deployments with many active mirrors, the 2000 default could be hit on some instruments. To restore the old unlimited behavior, pass sdkmetric.WithCardinalityLimit(0) to NewMeterProvider.
• OTLP exporters now enforce a 64 MiB default max request size (pre-compression).
• Baggage extraction enforces an 8192-byte size limit (PeerDB does not use baggage — no impact).
• Value.Emit() deprecated in favor of Value.String() (PeerDB does not use it — no impact).

OpenTelemetry Go Contrib / otelgrpc (v0.68.0 to v0.69.0) - WithSpanOptions was removed, but PeerDB does not use it. Safe.

Temporal SDK (v1.44.0 to v1.44.1) + API (v1.62.12 to v1.62.13) - patch. Improved graceful worker shutdown (opt-in, requires server flag). No breaking changes.

google.golang.org/genproto - routine digest update. No regressions.

No PII/secret logging concerns — diff is limited to go.mod and go.sum.

[claude]

Code review

Upstream behavioral changes in OTel SDK v1.44.0 (REVIEW.md compliance — dependency regression check)

Two notable behavioral changes in this version bump:

1. Default cardinality limit of 2000 (high impact) — flow/go.mod:71
The metrics SDK now enforces a default cardinality limit of 2000 unique attribute sets per instrument (previously unlimited). When exceeded, new attribute sets are silently dropped and aggregated into an overflow bucket.

PeerDB's MeterProvider in flow/otel_metrics/otel_manager.go does not configure an explicit WithCardinalityLimit(). Metrics like RecordsSyncedPerTableGauge and RecordsSyncedPerTableCounter are emitted with {FlowName, DestinationTableName, RecordOperationType} plus ~12 contextual attributes from buildContextualAttributes. Deployments with many flows and tables could approach or exceed 2000 unique combinations per instrument, causing silent metric data loss.

Consider either verifying that no instrument exceeds 2000 attribute sets in your deployments, or explicitly setting WithCardinalityLimit(0) on the MeterProvider to restore the previous unlimited behavior.

2. 64 MiB default OTLP request size cap (moderate impact) — flow/go.mod:66-68
All OTLP exporters now cap request payloads at 64 MiB (previously unlimited). Requests exceeding this are treated as non-retryable errors. PeerDB's exporters are created with default options (no WithMaxRequestSize override). The panicOnFailureExporter wrapper could escalate this to a process panic if enabled.

[claude]

Code review

1 issue found. Checked for bugs and CLAUDE.md compliance.

---

Breaking change: OTel SDK v1.44.0 default cardinality limit

File: flow/go.mod, line 71 (go.opentelemetry.io/otel/sdk/metric v1.44.0)

go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per metric instrument (upstream changelog). Previously, the default was unlimited. When the limit is exceeded, new attribute sets are silently dropped and merged into an overflow bucket with otel.metric.overflow=true.

PeerDB NewMeterProvider does not set a cardinality limit:

peerdb/flow/otel_metrics/otel_manager.go

Lines 709 to 715 in e78178c

	setupOtelHandlers(ctx)
	meterProvider := sdkmetric.NewMeterProvider(
	sdkmetric.WithReader(sdkmetric.NewPeriodicReader(metricExporter)),
	sdkmetric.WithResource(otelResource),
	sdkmetric.WithView(views...),
	)
	return meterProvider, nil

PeerDB emits metrics with high-cardinality attributes - per-flow, per-table, per-peer combinations (e.g. RecordsSyncedPerTableGauge). A deployment with 10 flows each replicating 100 tables x 3 operation types = 3,000 unique attribute sets per instrument, exceeding the new default. This would cause silent metric data loss with no errors.

Suggested fix: Add sdkmetric.WithCardinalityLimit(0) to the NewMeterProvider call in otel_manager.go to restore unlimited cardinality, or set it to a sufficiently high value for your deployments.

Flagged per REVIEW.md - upstream regression check for dependency bumps.

[ilidemi]

The 2000 limit would need a check, how we're doing across production

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[claude]

Informational — OTel v1.44.0 introduces a default cardinality limit of 2000 per metric instrument.

Previously unlimited, new attribute sets beyond 2000 unique combinations per instrument are now dropped and aggregated under otel.metric.overflow=true. PeerDB uses attributes like DestinationTableName, FlowName, PeerName, and SlotName on its metrics. For typical deployments this should be well under 2000 per instrument, but deployments with a very large number of mirrors/tables could hit this.

To restore the old unlimited behavior if needed: metric.WithCardinalityLimit(0) or env OTEL_GO_X_CARDINALITY_LIMIT=0.

Also: OTLP exporters now cap request size at 64 MiB (configurable via WithMaxRequestSize). Oversized requests fail as non-retryable errors.

[claude]

Dependency Bump Review — Upstream Changelog Analysis

Reviewed all upstream release notes for the bumped range of each dependency. No regressions or breaking changes that affect PeerDB were found. Summary of notable upstream changes below.

golang.org/x/net v0.54.0 → v0.55.0 — Security fixes

Fixes multiple CVEs in the x/net/html parser: XSS via namespace handling (CVE-2026-42506), XSS via duplicate attributes / sanitizer bypass (CVE-2026-27136), DoS via cubic-complexity tree construction (CVE-2026-25680), XSS via foreign content elements (CVE-2026-42502), and a DOCTYPE fix (CVE-2026-25681). Also includes IDNA and QUIC fixes. This bump is beneficial for security.

OpenTelemetry Go v1.43.0 → v1.44.0 — Behavioral changes (see inline comment)

• Security: Fixes file descriptor leak in schema parsing and baggage log flooding.
• Behavior: Default metric cardinality limit of 2000 per instrument (see inline comment). OTLP exporters cap request size at 64 MiB. Baggage 8192-byte limit now enforced during extraction.
• Deprecation: Value.Emit deprecated in favor of Value.String — PeerDB does not use it.
• otelgrpc v0.68.0 → v0.69.0: Removed WithSpanOptions — PeerDB does not use it. No compile-time impact.

AWS SDK Go v2 (multiple packages) — Patch-level, safe

All patch/minor bumps. Notable: credential cache files now created with 0600 permissions (security hardening), S3 outpost access point name validation enforced, KMS adds service principal grant parameters. smithy-go v1.26.0 fixes a memory leak in its LRU cache. No breaking changes.

cockroachdb/pebble v2.1.5 → v2.1.6 — Single bug fix

Fixes IsLowerBound correctness when synthetic suffix is active (PR cockroachdb/pebble#6082). Targeted fix with a new randomized test. Low risk.

Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement

Worker shutdown now drains already-polled tasks when the server supports it. No breaking changes. Temporal API v1.62.13 is infrastructure-only.

Other

• google.golang.org/genproto: Routine proto regeneration, no functional changes.
• github.com/nexus-rpc/nexus-proto-annotations v0.1.0: New indirect dep via Temporal — protobuf annotations for the Nexus RPC protocol. Benign.

PII / Secret Logging Check

No source code changes — only go.mod and go.sum modified. No risk of PII or secret exposure.

[claude]

Dependency Bump Review

Reviewed upstream release notes for all bumped packages. Summary of findings:

OpenTelemetry v1.43.0 -> v1.44.0 -- Breaking change: default cardinality limit (see inline comment)

go.opentelemetry.io/otel/sdk/metric now enforces a default cardinality limit of 2000 per instrument. When the limit is reached, new attribute sets are silently dropped into an overflow bucket (otel.metric.overflow=true). Previously the default was unlimited. PeerDB defines 40+ instruments, some keyed by dynamic attributes (per-table, per-flow). If any single instrument exceeds 2000 unique attribute sets in practice, metrics will be silently lost. See inline comment on flow/go.mod for details.

Positive: this release also includes two security fixes (GHSA-995v-fvrw-c78m, GHSA-5wrp-cwcj-q835) and several race condition fixes in the metric SDK.

otelgrpc v0.68.0 -> v0.69.0 -- Removed WithSpanOptions

The deprecated WithSpanOptions option was removed. PeerDB does not use it (only NewServerHandler + WithMeterProvider in flow/cmd/api.go), so no compilation issue.

cockroachdb/pebble v2.1.5 -> v2.1.6 -- Bug fix

Fixes IsLowerBound to account for synthetic suffix. A correctness fix -- beneficial to pick up.

Temporal SDK v1.44.0 -> v1.44.1 -- Graceful shutdown improvement

Workers now drain already-polled tasks during shutdown (when server supports it). Backward-compatible, no breaking changes.

Temporal API v1.62.12 -> v1.62.13 -- Maintenance

Bug fixes and generated Nexus service definitions. No breaking changes.

AWS SDK Go v2 (multiple packages) -- Patch bumps

Bug fix for AWS_RESTRICT_FILE_PERMISSIONS support, credential file permissions set to 0600, various service-specific features. No breaking changes for packages used by PeerDB.

smithy-go v1.25.1 -> v1.26.0

Added StringSlice to endpoint rulesfn. No breaking changes.

New transitive dependencies

• github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (from Temporal SDK)
• go.opentelemetry.io/otel/metric/x v0.66.0 (from OTel)

PII / Secrets check:
No source code changes -- only go.mod and go.sum files modified. No PII or secret exposure concerns.

[claude]

Warning: go.opentelemetry.io/otel/sdk/metric v1.44.0 introduces a default cardinality limit of 2000 per instrument. When the limit is reached, new attribute sets are silently dropped into an overflow bucket. PeerDB defines 40+ metric instruments in flow/otel_metrics/otel_manager.go, some keyed by dynamic attributes (per-table, per-flow). If any single instrument exceeds 2000 unique attribute combinations, metrics will be silently lost. For most deployments this is probably fine (2000 is generous), but worth verifying for large multi-tenant deployments. If needed, override with sdkmetric.WithCardinalityLimit(0) in setupMetricsAndProvider().

[claude]

Reviewed this Renovate dependency bump. Upstream release notes checked for all bumped packages. Two findings noted as separate PR comments below.

Summary of bumps reviewed:

• AWS SDK Go v2 (core v1.41.7 to v1.41.9, smithy-go v1.25.1 to v1.27.0, S3/KMS/SES/SNS/STS patches): No breaking changes. Includes a smithy-go LRU cache memory leak fix (good).
• CockroachDB Pebble (v2.1.5 to v2.1.6): Single correctness bug fix in row-block iterator IsLowerBound. No API changes. Safe.
• OpenTelemetry (v1.43.0 to v1.44.0): New default cardinality limit of 2000 per instrument. This is the main finding -- see follow-up comment.
• Temporal SDK (v1.44.0 to v1.44.1, api v1.62.12 to v1.62.13): Patch release improving graceful shutdown drain. New nexus-proto-annotations indirect dep is expected. No breaking changes.
• golang.org/x/net (v0.54.0 to v0.55.0), google.golang.org/genproto updates: Routine. No breaking changes.

[claude]

[medium] flow/go.mod:65 -- OTel v1.44.0 introduces a default metrics cardinality limit of 2000 per instrument.

Previously there was no limit. New attribute-set combinations beyond 2000 are silently dropped and aggregated into an overflow bucket tagged otel.metric.overflow=true.

PeerDB uses high-cardinality attributes like FlowNameKey and DestinationTableNameKey. The highest-risk instrument is RecordsSyncedPerTableCounter with cardinality O(mirrors x tables x 3). A deployment with ~100 mirrors averaging ~10 tables would exceed 2000 on that single instrument alone, silently losing per-table sync metrics.

No existing WithCardinalityLimit configuration was found in flow/otel_metrics/otel_manager.go.

Suggested action: Either (a) confirm 2000 is acceptable for all expected deployments, or (b) add sdkmetric.WithCardinalityLimit(0) (unlimited, restoring old behavior) or a higher bound to the sdkmetric.NewMeterProvider call in otel_manager.go.

Ref: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.44.0

[claude]

[info] flow/go.mod:30 -- smithy-go v1.27.0 note:

This version introduced schema-based serialization and CBOR max-nesting-depth enforcement. Subsequent patches v1.27.1 and v1.27.2 fix CBOR/JSON union deserialization bugs (including a panic). PeerDB AWS usage (S3, KMS, SES, SNS, STS) primarily uses JSON/XML, so risk is very low, but worth noting in case CBOR-related issues surface -- those patches exist upstream.

[claude]

Re-reviewed this Renovate bump. Upstream changelogs checked for all packages — confirming prior findings and adding a note on golang.org/x/net:

Confirmed safe (no regressions found):

• AWS SDK Go v2 (core v1.41.7→v1.41.10, smithy-go v1.25.1→v1.27.0, S3 v1.101.0→v1.103.0, STS v1.42.1→v1.43.0): No breaking changes. Adds AWS_RESTRICT_FILE_PERMISSIONS env var, S3 SHA-512 checksum support, CBOR nesting depth hardening in smithy-go. io/ioutil deprecation cleanup.
• Pebble v2.1.5→v2.1.6: Single correctness fix in rowblk.IsLowerBound for synthetic suffix replacement. No API changes.
• Temporal SDK v1.44.0→v1.44.1, API v1.62.12→v1.62.13: Graceful worker shutdown now drains already-polled tasks. Additive proto fields. New nexus-proto-annotations transitive dep is expected.
• google.golang.org/genproto: Routine generated proto update.

Security-positive — golang.org/x/net v0.54.0→v0.55.0 fixes 5 CVEs (all in HTML tokenizer/parser):

• CVE-2026-27136, CVE-2026-42506, CVE-2026-42502, CVE-2026-25680 (DoS), CVE-2026-25681 (sanitizer bypass). PeerDB doesn't use the HTML parser directly, but good to pick up.

Previously flagged (still valid): OTel v1.44.0 default cardinality limit of 2000 per instrument + 64 MiB OTLP request size cap — see earlier comments on this PR.

No new concerns found beyond what was already flagged.

[claude]

Dependency Bump Review — PR #4399

Reviewed upstream release notes for all bumped packages. No PII/secret logging concerns (changes are go.mod/go.sum only).

Findings

1. OpenTelemetry v1.43.0 → v1.44.0 — New default cardinality limit (medium severity)

OTel v1.44.0 introduces a default 2000-attribute cardinality limit in the metric SDK. Exceeding this drops new attribute sets into an overflow bucket (otel.metric.overflow=true). PeerDB does not currently configure an explicit cardinality limit (WithCardinalityLimit). If any PeerDB metric has more than 2000 distinct attribute combinations (e.g. per-mirror or per-table metrics with many mirrors), some attribute sets will silently be dropped into the overflow bucket after this upgrade. Worth confirming whether any high-cardinality metrics exist, or explicitly setting a limit if needed.

Other OTel changes: attribute.INVALID deprecated (use EMPTY), Value.Emit() deprecated (use Value.String()), data race fixes in Prometheus exporter and exemplar reservoir.

2. smithy-go v1.25.1 → v1.27.0 — Known post-release fixes (low severity)

smithy-go v1.27.0 adds schema-based serialization and enforces max CBOR nesting depth of 128. However, v1.27.1 (panic in nested union deserialization for JSON/CBOR) and v1.27.2 (improper CBOR union serialization) fixed issues introduced in v1.27.0. PeerDB primarily uses AWS services with restxml/awsquery/awsjson protocols (S3, KMS, SES, SNS, STS), so impact is likely low, but worth being aware of. Also includes a memory leak fix in LRU cache (v1.25.2) and file permission hardening (aws-sdk-go-v2 v1.41.8).

3. Temporal SDK v1.44.0 → v1.44.1 — Graceful shutdown improvement (no action needed)

Workers now drain already-polled tasks on shutdown when the server supports it (requires server flag frontend.enableCancelWorkerPollsOnShutdown=true). Backward-compatible — without the flag, behavior is unchanged.

4. New transitive dependency: github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (info)

Pulled in by temporalio/api-go v1.62.13 for Nexus service definition generation. Contains only protobuf annotation definitions — no runtime behavior. Very new package (v0.1.0, April 2026).

5. cockroachdb/pebble v2.1.5 → v2.1.6 — Correctness fix (no action needed)

Single bug fix: IsLowerBound now properly accounts for synthetic suffix in rowblk. Pure correctness improvement.

6. Other bumps (no concerns)

• golang.org/x/net v0.54.0 → v0.55.0 — routine update
• google.golang.org/genproto — routine regeneration

Summary

The OTel cardinality limit (finding #1) is the most actionable item — recommend verifying PeerDB's metric attribute cardinality won't exceed 2000 combinations per instrument, or explicitly configuring limits. All other changes are low-risk.

🤖 Generated with Claude Code

[claude]

Dependency Bump Review

Reviewed all upstream changelogs for the dependency bumps in this PR. Here are the findings:

Security Fixes (positive reasons to merge)

• golang.org/x/net v0.55.0: 5 CVEs fixed (CVE-2026-27136, CVE-2026-42506, CVE-2026-42502, CVE-2026-25681, CVE-2026-25680) — all in the html package (sanitizer bypasses + DoS). PeerDB doesn't appear to use x/net/html directly, but transitive dependencies may benefit.
• go.temporal.io/api v1.62.13: Vulnerability fix (VLN-1396, "missing-dependency-cooldown").
• OpenTelemetry v1.44.0: Two security advisories fixed — GHSA-995v-fvrw-c78m (schema file descriptor leak, Low) and GHSA-5wrp-cwcj-q835 (unbounded baggage parsing causing CPU/memory exhaustion, Medium).
• smithy-go v1.27.0: CBOR max nesting depth enforcement (128 levels) — hardening against resource exhaustion.

Notable Behavioral Changes

• OpenTelemetry v1.44.0 — new default cardinality limit of 2000: The metrics SDK now caps unique attribute combinations at 2000 per instrument, aggregating overflow into otel.metric.overflow=true. PeerDB's metrics use flow-level attributes (flow name, peer names, activity types); verified this should be well within the 2000 limit for typical deployments. For very large deployments with many concurrent flows, the limit can be configured via WithCardinalityLimit() on the metric reader.
• OpenTelemetry v1.44.0 — OTLP 64 MiB request size limit: OTLP exporters now enforce a 64 MiB max request size (configurable via WithMaxRequestSize). Unlikely to affect PeerDB but worth knowing.
• Temporal SDK v1.44.1: Worker shutdown now drains already-polled tasks (two-stage shutdown). This is capability-gated behind a server flag (frontend.enableCancelWorkerPollsOnShutdown=true) — no behavioral change unless the server enables it.

Regressions Check

• smithy-go v1.27.0 schema-serde rollout: AWS rolled out schema-based serialization on June 2 and then temporarily reverted it due to a P0 regression in CBOR-based services with tagged unions. However, this only affected lower-usage services (e.g., Interconnect). S3, KMS, STS, SES, SNS — all services PeerDB uses — were not part of the initial rollout and are unaffected.
• OTel WithSpanOptions removed from otelgrpc: Verified PeerDB does not use this API — no impact.
• cockroachdb/pebble v2.1.6: Single correctness fix for IsLowerBound with synthetic suffixes — safe, no regressions.

Breaking Changes Affecting PeerDB

None found. Verified that PeerDB does not use any removed/deprecated APIs (WithSpanOptions, Value.Emit, otelhttp).

New Dependencies

• github.com/nexus-rpc/nexus-proto-annotations v0.1.0 (indirect) — pulled in by go.temporal.io/api v1.62.13 for Nexus service protobuf definitions. No runtime impact.

Verdict

No regressions or breaking changes affecting PeerDB. Multiple security fixes make this a beneficial upgrade. The OTel cardinality limit (2000 default) is the only behavioral change worth monitoring in production, but PeerDB's metric cardinality appears well within bounds.

🤖 Generated with Claude Code

[claude]

test

[claude]

test comment

[claude]

Reviewed upstream release notes for all bumped dependencies. One notable behavioral change flagged inline; everything else looks clean.

[claude]

Note (informational, non-blocking): OpenTelemetry SDK v1.44.0 introduces a default cardinality limit of 2000 for the metrics SDK. When more than 2000 unique attribute sets are recorded for a single metric instrument, new attribute sets are dropped and aggregated into an overflow bucket. Previously there was no limit. If PeerDB has any high-cardinality metrics (e.g. metrics tagged per-table, per-peer, or per-flow), this could silently truncate metric data. To restore old behavior use WithCardinalityLimit(0). Also: attribute.Value.Emit() is deprecated in favor of Value.String(); security fixes for schema file handle leak and baggage extraction DoS; new default 64 MiB OTLP request size limit. All other bumps are clean - see review summary comment for details.

[claude]

Renovate dependency bump review

Reviewed upstream release notes for all bumped packages. No regressions or breaking changes that affect PeerDB were found. One behavioral change worth noting on the OTel bump (details below).

PII/Secrets check: Diff is entirely go.mod/go.sum — no source code changes, no new logging.

Upstream changelog summary

Package	Bump	Upstream highlights
aws-sdk-go-v2	v1.41.7 → v1.42.0	No breaking changes. New retry behavior preview behind opt-in AWS_NEW_RETRIES_2026 flag. Bug fixes for schema serialization and union deserialization.
smithy-go	v1.25.1 → v1.27.2	Union-related deserialization bug fixes.
gosnowflake/v2	v2.0.2 → v2.1.0	No breaking changes. New: OCSP env var, ArrowStreamBatch.Reset(), connection telemetry. Fixes: OCSP cache lock, query cancellation, file handling.
pebble/v2	v2.1.5 → v2.1.6	Single correctness fix for row block boundary detection.
slack-go/slack	v0.24.0 → v0.25.0	Breaking: TableBlock.Rows type changed. PeerDB does not use TableBlock, so no impact.
franz-go	v1.21.2 → v1.21.3	Important correctness fix: prevents treating -1 no-leader sentinel as leader-epoch rewind. Positive fix.
temporal SDK	v1.44.0 → v1.44.1	Graceful worker shutdown now drains already-polled tasks. No breaking changes.
opentelemetry-go	v1.43.0 → v1.44.0	See note below. New default cardinality limit (2000) and OTLP 64 MiB request size limit.
httprc/v3	v3.0.5 → v3.0.6	Patch bump, details not available in release notes.

Note: OTel v1.44.0 behavioral change — new default cardinality limit

Applies to flow/go.mod line 71: go.opentelemetry.io/otel/sdk/metric v1.44.0

The OTel metrics SDK now enforces a default cardinality limit of 2000 unique attribute sets per instrument. Previously there was no limit. Attribute sets exceeding this are dropped and aggregated into a special overflow set.

Additionally, OTLP exporters now enforce a default 64 MiB request size limit (before compression); oversized requests become non-retryable errors.

I checked PeerDB OTel setup (flow/otel_metrics/otel_manager.go): ~50 metric instruments, most keyed by flow/slot/table attributes. For typical deployments this should be well within 2000 per instrument, but very large deployments (2000+ distinct table mappings emitting on a single instrument like records_synced_per_table) could theoretically hit the cap and silently drop metrics.

Likely fine for current usage, but worth being aware of. If needed, the limit can be raised per-instrument via WithCardinalityLimit() or set to 0 for unlimited.

[claude]

Dependency Bump Review

Reviewed all upstream release notes for the bumped range. No regressions found.

Key findings from upstream changelogs:

Package	Bump	Notes
gosnowflake/v2	v2.0.2 → v2.1.0	Bug fixes (context cancellation now interrupts stalled chunk downloads — useful for large result sets), new features (OCSP env var, ArrowStreamBatch.Reset, SPCS_TOKEN). No breaking changes.
franz-go	v1.21.2 → v1.21.3	Fixes potential permanent hang in PollRecords/PollFetches (triggered with MaxConcurrentFetches(0) or ShareMaxRecordsStrict). Also fixes produce retry and consumer group rejoin behavior. No breaking changes.
smithy-go	v1.25.1 → v1.27.2	New schema-based serialization, CBOR nesting depth security hardening. Union serialization bugs introduced in v1.27.0 are fixed in v1.27.1/v1.27.2. No breaking changes.
slack-go/slack	v0.24.0 → v0.25.0	Breaking change: TableBlock.Rows type changed from []TableCell to [][]TableCell. No impact on PeerDB — confirmed via grep that PeerDB does not use the slack TableBlock type.
temporal.io/sdk	v1.44.0 → v1.44.1	Graceful worker shutdown improvement (drains polled tasks within WorkerStopTimeout). No breaking changes.
aws-sdk-go-v2	v1.41.7 → v1.42.0	Clock skew bug fix, STS SigV4a support. No breaking changes.
opentelemetry.io/otel	v1.43.0 → v1.44.0	Minor bump, adds experimental metric/x package. No breaking changes.
golang.org/x/*	various minor bumps	Standard library extensions. No breaking changes.

Security: No PII/secrets exposure risk — changes are exclusively in go.mod/go.sum files.

🤖 Generated with Claude Code

[claude]

Dependency Bump Review — PR #4399

Reviewed all upstream changelogs for the bumped dependency ranges. Here is a summary of findings:

Packages with notable changes (informational, not blocking)

go.opentelemetry.io/contrib/.../otelgrpc v0.68.0 → v0.69.0

• Semantic convention upgrade to v1.40.0 removes several span attributes (network.protocol.name, network.protocol.version, network.transport) and metrics (rpc.{client,server}.{request,response}.size). Also removes rpc.message span events.
• The deprecated WithSpanOptions option has been removed.
• PeerDB impact: PeerDB uses otelgrpc.NewServerHandler with WithMeterProvider only — does not use WithSpanOptions or reference the removed metrics. No code changes needed. However, if any external dashboards or alerts query for these specific RPC metric names, they would need updating.

go.opentelemetry.io/otel v1.43.0 → v1.44.0

• Metrics SDK now enforces a default cardinality limit of 2000 attribute sets per metric (previously unlimited). Exceeding sets are dropped into an overflow bucket. Restore old behavior with WithCardinalityLimit(0).
• Value.Emit deprecated in favor of Value.String.
• PeerDB impact: PeerDB does not set custom cardinality limits and is unlikely to hit 2000 attribute combinations per metric. Low risk, but worth knowing if high-cardinality metrics are added in the future.

github.com/slack-go/slack v0.24.0 → v0.25.0

• Breaking change: TableBlock.Rows type changed from [][]interface{} to [][]TableCell.
• PeerDB impact: None — PeerDB only uses HeaderBlock, SectionBlock, and SendMessageContext for alerting. Does not use TableBlock.

Packages with no concerns

Package	Bump	Notes
aws-sdk-go-v2	v1.41.7 → v1.42.0	Credential file permissions hardening, preview retry behavior (off by default). Only breaking change is in RDS Data API (not used by PeerDB).
smithy-go	v1.25.1 → v1.27.2	Deserialization bug fixes, CBOR nesting depth limit, LRU cache leak fix. No breaking changes.
gosnowflake/v2	v2.0.2 → v2.1.0	OCSP improvements, telemetry (no secrets logged, can be disabled), Arrow stream retry support. No breaking changes.
pebble/v2	v2.1.5 → v2.1.6	Single bug fix (IsLowerBound with synthetic suffix).
franz-go	v1.21.2 → v1.21.3	Bug fixes: deadlock in PollRecords, producer retry fix, consumer group rejoin fix, metadata cache race.
urfave/cli/v3	v3.9.0 → v3.9.1	Bug fixes only (subcommand reader inheritance, env sources, completions).
temporal sdk	v1.44.0 → v1.44.1	Graceful worker drain on shutdown (requires server flag). No breaking changes.
temporal api	v1.62.12 → v1.62.14	Bug fix + Event Groups feature. New indirect dep nexus-rpc/nexus-proto-annotations v0.1.0 added (expected).
golang.org/x/crypto	v0.52.0 → v0.53.0	Security hardening release (SSH, PKCS12). No API breaks.
golang.org/x/mod	v0.36.0 → v0.37.0	Routine update.
golang.org/x/sync	v0.20.0 → v0.21.0	Routine update.
lestrrat-go/httprc/v3	v3.0.5 → v3.0.6	Patch release.

Security & PII check

• No source code changes in this PR (go.mod/go.sum only).
• No new logging of passwords, tokens, or PII introduced.
• golang.org/x/crypto v0.53.0 is a security-focused release with numerous SSH hardening fixes — a positive update.

Verdict

No regressions found that affect PeerDB. The OTel metric/attribute removals are the most notable behavioral change but do not impact PeerDB's current usage. LGTM ✅

🤖 Generated with Claude Code

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[claude]

Dependency bump review

Reviewed upstream release notes for all bumped packages. No regressions found. Summary:

Safe bumps (bug fixes / non-breaking features):

• aws-sdk-go-v2 v1.41.7 -> v1.42.0: New retry preview behind opt-in env flag AWS_NEW_RETRIES_2026. No behavior change unless flag is set.
• smithy-go v1.25.1 -> v1.27.2: Fixes a panic on nested union deserialization (v1.27.1) and incorrect CBOR union serialization (v1.27.2). Good to take.
• gosnowflake/v2 v2.0.2 -> v2.1.0: No breaking changes. Fixes silent data loss on PUT uploads for files whose name ends with ., and a query cancellation hang.
• pebble/v2 v2.1.5 -> v2.1.6: Single correctness bug fix in row-block lower-bound with synthetic suffixes.
• franz-go v1.21.2 -> v1.21.3: Fixes a critical hang where PollRecords/PollFetches could permanently block since v1.21.0 when >4 pending broker fetches. Important fix.
• urfave/cli/v3 v3.9.0 -> v3.9.1: Bug fixes only (bash completion, env sources, subcommand inheritance).
• lestrrat-go/httprc/v3 v3.0.5 -> v3.0.6: Fixes failed HTTP syncs tight-looping instead of backing off.
• slack-go/slack v0.24.0 -> v0.25.0: Breaking change to TableBlock.Rows type ([]TableCell -> [][]TableCell), but PeerDB does not use Slack's TableBlock struct — verified via grep. Safe for this codebase.

Worth noting (see inline comment):

• OTel v1.43.0 -> v1.44.0: New default cardinality limit of 2000 per instrument. See inline comment for details.

[claude]

OTel v1.44.0 introduces a default cardinality limit of 2000 per instrument.

PeerDB emits per-table metrics (records_synced_per_table, records_synced_per_table_counter) with attributes FlowName × DestinationTableName × RecordOperationTypeKey. In large deployments with many flows and tables, the number of unique attribute combinations could approach or exceed 2000, at which point excess attribute sets would be silently dropped.

This is unlikely to bite most deployments (e.g. 200 flows × 3 tables × 3 ops = 1800, still under the limit), but worth being aware of. If needed, the limit can be raised via WithCardinalityLimit() in the sdkmetric.View.

Additionally, OTLP exporters now enforce a 64 MiB default request size limit (non-retryable error if exceeded).

Not a blocker — just flagging for awareness.

[claude]

Dependency Bump Review

Reviewed all upstream release notes for the bumped range. No blocking issues found.

Upstream changes of note

Package	Bump	Finding
go.opentelemetry.io/otel	v1.43.0 → v1.44.0	New default cardinality limit of 2000 per metric instrument. Attribute sets beyond this are dropped into an overflow bucket. PeerDB's per-flow metric attributes (flow name, peer names, operation type, etc.) are bounded by the number of active flows and should stay well under 2000 in typical deployments. If needed, WithCardinalityLimit(0) can be set explicitly. Also includes security fixes (schema file handle leak GHSA-995v-fvrw-c78m, baggage size enforcement GHSA-5wrp-cwcj-q835).
github.com/twmb/franz-go	v1.21.2 → v1.21.3	Fixes a race condition in metadata cache and a deadlock in PollRecords (affected v1.21.0+). Beneficial stability fixes.
github.com/aws/smithy-go	v1.25.1 → v1.27.2	Fixes a memory leak in LRU cache (good for long-running services) and a deserialization panic on nested unions in JSON/CBOR protocols.
github.com/snowflakedb/gosnowflake/v2	v2.0.2 → v2.1.0	Context cancellation now properly interrupts stalled downloads (previously could hang). OCSP cache lock file fix. No breaking changes.
github.com/cockroachdb/pebble/v2	v2.1.5 → v2.1.6	Patch fix for rowblk.IsLowerBound with synthetic suffix.
github.com/slack-go/slack	v0.24.0 → v0.25.0	Breaking change to TableBlock.Rows type — does not affect PeerDB (PeerDB does not use Slack's TableBlock type).
go.temporal.io/sdk	v1.44.0 → v1.44.1	Improved graceful worker shutdown (opt-in via server flag). Pulls in new indirect dep nexus-rpc/nexus-proto-annotations.
All other bumps	—	Clean patch/minor bumps with no breaking changes or regressions.

Security check

• No PII/secret logging introduced — PR only modifies go.mod and go.sum files.
• OTel security fixes (file handle leak, baggage size limit) are included in this bump.

LGTM — no regressions identified in the bumped ranges.

🤖 Generated with Claude Code

[claude]

Dependency Bump Review

Reviewed upstream release notes and changelogs for all bumped dependencies. Only go.mod/go.sum files changed — no source code modifications, no PII/secret logging risk.

Summary of findings

Package	Bump	Status
aws-sdk-go-v2 (core + services)	v1.41.7 → v1.42.0	Clean — additive features, opt-in retry preview behind AWS_NEW_RETRIES_2026 env var, smithy-go union deserialization bug fixes
smithy-go	v1.25.1 → v1.27.2	Clean — bug fixes for union serialization in CBOR/JSON protocols
gosnowflake/v2	v2.0.2 → v2.1.0	Clean — context cancellation fix for chunk/Arrow stream downloads, new telemetry (opt-out via SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true), no breaking changes
pebble/v2	v2.1.5 → v2.1.6	Clean — single correctness bug fix in row block iterator
slack-go/slack	v0.24.0 → v0.25.0	Clean for PeerDB — breaking change in TableBlock.Rows type ([][]interface{} → [][]TableCell), but PeerDB only uses SendMessageContext with header/section blocks, not TableBlock
franz-go	v1.21.2 → v1.21.3	Clean — fixes PollRecords/PollFetches hang regression (since v1.21.0), zombie consumer fix, data race fix
urfave/cli/v3	v3.9.0 → v3.9.1	Clean — bug fixes only
lestrrat-go/httprc/v3	v3.0.5 → v3.0.6	Clean — fixes tight-loop on fetch failure (now backs off by MinInterval)
go.temporal.io/sdk	→ v1.44.1	Clean — graceful shutdown drain improvement, memo encoding now uses user DataConverter first (backward-compatible)
go.opentelemetry.io/otel	v1.43.0 → v1.44.0	⚠️ See inline comment — new default cardinality limit of 2000 per instrument. Also includes security fixes (GHSA-995v-fvrw-c78m, GHSA-5wrp-cwcj-q835)
golang.org/x/*, google.golang.org/*	minor bumps	Clean — standard transitive updates

[claude]

⚠️ OpenTelemetry v1.44.0 introduces a default cardinality limit of 2000 per instrument.

Previously the limit was unlimited. When exceeded, excess attribute sets are silently dropped and aggregated into an otel.metric.overflow=true series.

PeerDB's NewMeterProvider in otel_metrics/otel_manager.go does not set WithCardinalityLimit, so the new default of 2000 applies. Metrics are emitted with per-flow, per-peer, per-activity attributes — large deployments with many mirrors could potentially approach this limit.

To restore unlimited behavior: pass sdkmetric.WithCardinalityLimit(0) to NewMeterProvider, or set OTEL_GO_X_CARDINALITY_LIMIT=0.

Recommendation: This is likely fine for most deployments, but worth being aware of. Consider adding WithCardinalityLimit(0) if you expect high-cardinality deployments, or monitor for the otel.metric.overflow attribute in your metrics backend after merging.

Additionally, this bump includes two security fixes:

• GHSA-995v-fvrw-c78m: file descriptor leak in schema ParseFile
• GHSA-5wrp-cwcj-q835: malformed/oversized baggage headers could flood logs (now capped at 8192 bytes)

[claude]

Dependency Bump Review

Reviewed upstream release notes and changelogs for all bumped packages. Changes are confined to go.mod/go.sum across flow/, flow/pkg/, and e2e_cleanup/.

Key findings

No regressions or breaking changes affecting PeerDB were identified. Details by package:

Package	Bump	Notes
aws-sdk-go-v2	v1.41.7 → v1.42.0	No breaking changes. New opt-in retry preview behind AWS_NEW_RETRIES_2026 env flag (off by default). S3 gains annotation support.
smithy-go	v1.25.1 → v1.27.2	Bug fixes for union serialization in CBOR/JSON protocols, max CBOR nesting depth hardened to 128. No breaking changes.
gosnowflake/v2	v2.0.2 → v2.1.0	Context cancellation now properly interrupts stalled chunk downloads (net positive for ETL). New ArrowStreamBatch.Reset() for retry after mid-stream failures. OCSP cache reliability fix. No breaking changes.
OpenTelemetry	v1.43.0 → v1.44.0	⚠️ New default cardinality limit of 2000 per metric instrument. PeerDB's metrics use per-flow/per-peer attributes — unlikely to hit 2000 unique combinations in typical deployments, but worth being aware of for very large installations. Baggage now capped at 8192 bytes; OTLP requests capped at 64 MiB.
cockroachdb/pebble	v2.1.5 → v2.1.6	Targeted bug fix for IsLowerBound with synthetic suffixes. Low risk.
twmb/franz-go	v1.21.2 → v1.21.3	Fixes a potential permanent hang in PollRecords/PollFetches during consumer session stops. Producers now buffer/retry on transient all-partition errors instead of failing immediately. Net positive.
slack-go/slack	v0.24.0 → v0.25.0	Breaking: TableBlock.Rows type changed from [][]interface{} to [][]TableCell. PeerDB does not use TableBlock, so no impact.
temporal sdk	v1.44.0 → v1.44.1	Workers now signal server to drain polled tasks on shutdown (requires server flag). No breaking changes.
temporal api-go	v1.62.12 → v1.62.14	Maintenance releases (branch rename, nexus service defs). No breaking changes.
golang.org/x/crypto	v0.52.0 → v0.53.0	Multiple security hardenings: PKCS12 PBKDF iteration cap, SSH bcrypt KDF rounds limit, RSA key size limits, ECDSA curve validation, capped userauth attempts. Recommend merging for the security fixes.
urfave/cli/v3	v3.9.0 → v3.9.1	Bug fixes only (subcommand Reader/Writer inheritance, completion fixes).
lestrrat-go/httprc/v3	v3.0.5 → v3.0.6	HTTP fetch failures now back off instead of tight-looping. Benign improvement.
golang.org/x/*	various patches	Standard library extensions patch bumps. No breaking changes.
google.golang.org/genproto	date bump	Generated proto updates. No breaking changes.

Summary

• No PII/secret logging concerns — no source code changes, only dependency version pins.
• No regressions found in any of the bumped ranges.
• The golang.org/x/crypto security hardenings and the franz-go hang fix make this a worthwhile merge.
• The OTel cardinality limit (2000 default) is the only behavioral change worth monitoring post-merge for large deployments.

✅ Reviewed — looks clean to merge.

[claude]

Dependency bump review — no issues found.

Reviewed all version bumps in this PR against upstream release notes:

Package	Bump	Notes
aws-sdk-go-v2 (core + services)	v1.41.7 → v1.42.0	Additive features (request compression, account-based endpoint routing). No breaking changes.
smithy-go	v1.25.1 → v1.27.2	Internal serialization refactoring, backward compatible.
gosnowflake/v2	v2.0.2 → v2.1.0	New features (GCS regional endpoints, structured types). No breaking changes.
slack-go/slack	v0.24.0 → v0.25.0	Additive Block Kit elements. No breaking changes.
pebble/v2	v2.1.5 → v2.1.6	Patch: compaction scheduling & iterator perf fixes.
franz-go	v1.21.2 → v1.21.3	Patch: consumer group session timeout edge case fix.
urfave/cli/v3	v3.9.0 → v3.9.1	Patch: help text formatting fix.
httprc/v3	v3.0.5 → v3.0.6	Patch: minor bug fixes.

• PII/secrets: Only go.mod/go.sum changed — no risk.
• Regressions: No breaking changes or regressions found in any upstream release notes.
• Security: No security advisories for the bumped ranges.

LGTM — clean dependency bump.

[claude]

Reviewed: gomod dependency bump — no regressions found.

Checked the diff (6 files, all go.mod/go.sum only — no source changes, no PII/secrets concern) and read upstream release notes for the most critical dependencies:

Dependency	Bump	Verdict
gosnowflake/v2	v2.0.2 → v2.1.0	Safe. Additive features + bug fixes (chunk downloader stalls on context cancellation, Arrow stream cancellation fix). No breaking API changes.
aws-sdk-go-v2	v1.41.7 → v1.42.0	Safe. New service features (irrelevant to PeerDB's usage). Clock-skew bug fix in v1.41.12.
smithy-go	v1.25.1 → v1.27.2	Safe. Additive serialization APIs, union deserialization fixes, CBOR depth cap (128). PeerDB uses JSON-based REST protocols so CBOR changes are irrelevant.
pebble/v2	v2.1.5 → v2.1.6	Safe. Single correctness fix for IsLowerBound with synthetic suffixes. No data corruption or format changes.
franz-go	v1.21.2 → v1.21.3	Safe — and recommended. Fixes consumer deadlock (since v1.21.0), silent data loss scenario (leaderEpoch=-1 fencing bypass), producer partition-error buffering, and a metadata cache race condition.
slack-go/slack	v0.24.0 → v0.25.0	Safe. Breaking change is TableBlock.Rows type change, but PeerDB's alerting code does not use TableBlock.
temporal sdk	v1.44.0 → v1.44.1	Safe. Graceful worker shutdown now drains in-flight tasks. Net improvement for rolling restarts.
urfave/cli/v3	v3.9.0 → v3.9.1	Patch — safe.
otel/*	v1.43.0 → v1.44.0	Minor — safe.
golang.org/x/*	various minor	Safe — standard library extensions.

No regressions, no breaking changes affecting PeerDB's usage patterns.

🤖 Reviewed with Claude Code

[claude]

Dependency Bump Review

Reviewed all upstream changelogs for the 25+ Go dependency bumps in this PR. Only go.mod/go.sum files changed — no source code modifications, no PII/secret logging concerns.

Key upstream findings

franz-go v1.21.2 → v1.21.3 (Kafka client) — All bug fixes, no breaking changes:

• Fixed a permanent hang in PollRecords/PollFetches introduced in v1.21.0 when consumer sessions stopped while fetches to multiple brokers were pending. Important fix for PeerDB's Kafka consumption path.
• Records produced to temporarily leaderless partitions now retry via metadata reloads instead of failing immediately — improves reliability during rolling restarts.
• Fixed a metadata cache data race.

smithy-go v1.25.1 → v1.27.2 (AWS SDK core serialization) — v1.27.0 introduced a new schema-based serialization layer which caused regressions in union serialization (CBOR and JSON). Both v1.27.1 and v1.27.2 are follow-up fixes. This PR correctly lands on v1.27.2 which includes all regression fixes. Also picks up a memory leak fix in the LRU cache from v1.25.1. Low risk for PeerDB's S3 usage (straightforward request shapes).

OpenTelemetry Go v1.43.0 → v1.44.0 — Two behavioral defaults worth noting:

• SDK metric module now enforces a default cardinality limit of 2000 per instrument. Checked PeerDB's metric attributes (flow name, peer names, activity types) — cardinality should be well under 2000 for typical deployments.
• OTLP exporters now cap request size at 64 MiB (pre-compression). Unlikely to affect PeerDB.

otelgrpc v0.68.0 → v0.69.0 — Semconv v1.40.0 alignment:

• RPC spans no longer include network.protocol.name, network.protocol.version, or network.transport attributes. Verified PeerDB code does not reference these.
• Automatic rpc.message span events removed (even with WithMessageEvents). PeerDB does not use this option.
• If external Grafana dashboards query for these removed attributes, they may need updating.

gosnowflake v2.0.2 → v2.1.0 — No breaking changes. Bug fixes for chunk-download cancellation and OCSP cache. New ArrowStreamBatch.Reset() method. Low risk.

Temporal SDK v1.44.0 → v1.44.1 — Workers now drain already-polled tasks during graceful shutdown (requires server-side opt-in). No breaking changes.

pebble v2.1.5 → v2.1.6 — Data integrity fix for IsLowerBound with synthetic suffix transformations. No breaking changes.

slack-go v0.24.0 → v0.25.0 — TableBlock.Rows type changed to [][]TableCell. Verified PeerDB does not use this Slack type.

Other bumps (AWS SDK service modules, x/crypto, x/sync, x/mod, x/tools, urfave/cli, httprc) — Patch/minor bumps with no breaking changes relevant to PeerDB.

Verdict

No regressions or breaking changes that affect PeerDB. The franz-go hang fix and smithy-go regression fixes are positive improvements. The OTel cardinality default is worth being aware of but should not impact current usage.

🤖 Generated with Claude Code

[claude]

Dependency bump review — looks clean

Reviewed the upstream release notes for all bumped dependencies. The diff is purely go.mod/go.sum changes across 6 files with no source code modifications.

Upstream release notes summary

Library	Change	Assessment
gosnowflake/v2	v2.0.2 → v2.1.0	Additive features (Arrow stream Reset(), OCSP improvements) + bug fixes. No breaking changes.
franz-go	v1.21.2 → v1.21.3	5 bug fixes including a permanent hang fix for PollRecords/PollFetches and a metadata data race fix. No breaking changes.
pebble/v2	v2.1.5 → v2.1.6	Single bug fix for IsLowerBound with synthetic suffixes. No breaking changes.
smithy-go	v1.25.1 → v1.27.2	v1.27.0 introduced union serialization bugs (panic on nested unions, incorrect CBOR serialization) — all fixed in v1.27.1/v1.27.2. Safe at v1.27.2.
slack-go/slack	v0.24.0 → v0.25.0	Breaking change: TableBlock.Rows type changed from []TableCell to [][]TableCell. Not affected — PeerDB does not use Slack's TableBlock type.
temporal SDK	v1.44.0 → v1.44.1	Graceful worker shutdown improvement (server-gated behind frontend.enableCancelWorkerPollsOnShutdown). No breaking changes.
AWS SDK v2	various patch/minor	Clock skew persistence bug fix across all service clients + new service features for unrelated AWS services. No breaking changes for S3/KMS/SES/SNS/STS.
OTel	v1.43.0 → v1.44.0	Standard minor bump. New experimental otel/metric/x module added as indirect dep.
golang.org/x/*	various minor	Standard stdlib extension bumps (crypto, sync, mod, tools, exp).
lestrrat-go/httprc/v3	v3.0.5 → v3.0.6	Patch bump.
urfave/cli/v3	v3.9.0 → v3.9.1	Patch bump.

New indirect dependencies

• github.com/nexus-rpc/nexus-proto-annotations v0.1.0 — pulled in by Temporal SDK v1.44.1
• go.opentelemetry.io/otel/metric/x v0.66.0 — experimental OTel metrics module

Security review

• No PII/secret logging concerns — diff contains only dependency version changes, no code changes.
• No regressions identified in any upstream release for the versions being bumped to.

🤖 Generated with Claude Code

[claude]

Dependency Bump Review

Reviewed the upstream release notes for all bumped packages. No regressions or concerns found for PeerDB's usage.

AWS SDK Go v2 (v1.41.7 → v1.42.0) + transitive deps

• Breaking change in RDSData (ArrayValue union members now use pointer-slice types) — not applicable, PeerDB does not use the RDSData service.
• smithy-go v1.25.1 → v1.27.2: fixes an LRU cache memory leak (v1.25.1), adds schema-based serialization + CBOR nesting depth enforcement of 128 (v1.27.0), fixes union deserialization panics and incorrect CBOR union serialization (v1.27.1–v1.27.2). All positive stability improvements.
• S3 v1.101.0 → v1.103.3: adds SHA-512 checksum support, BDD endpoint ruleset representation. No breaking changes.
• KMS v1.52.0 → v1.53.4: adds grant service principal support. No breaking changes.
• SES, SNS, STS, SSO, signin: minor/patch bumps, dependency updates only.
• New AWS_RESTRICT_FILE_PERMISSIONS env var support (opt-in, not a behavioral change).
• Preview retry strategy changes gated behind AWS_NEW_RETRIES_2026 flag (off by default).

Snowflake gosnowflake/v2 (v2.0.2 → v2.1.0)

• New SF_DISABLE_OCSP_CHECKS env var, ArrowStreamBatch.Reset() method, in-band telemetry.
• Bug fixes: stale OCSP cache lock files, query context cancellation now properly interrupts stalled chunk downloads, baseName handling of trailing dots.
• No breaking changes documented.

Files changed

Only go.mod and go.sum across e2e_cleanup/, flow/, and flow/pkg/. No code changes, no PII/secrets concerns.

Verdict: Clean bump, safe to merge.

[claude]

Dependency Bump Review

Reviewed all upstream release notes and changelogs for the bumped range of each dependency. No regressions or breaking changes that affect PeerDB were found.

Key findings:

Package	Bump	Notes
aws-sdk-go-v2	v1.41.7→v1.42.0	SigV4a support for STS, clock skew bug fix. Safe.
aws/smithy-go	v1.25.1→v1.27.2	Additive features. Union serialization bugs introduced in v1.27.0 are fixed in v1.27.2. Safe.
cockroachdb/pebble/v2	v2.1.5→v2.1.6	Single bug fix (IsLowerBound with synthetic suffixes). Safe.
go-mysql-org/go-mysql	digest bump	Fixes compressed transaction payload checkpointing (binlog_transaction_compression=ON). Beneficial for MySQL CDC.
slack-go/slack	v0.24.0→v0.25.0	Breaking change: TableBlock.Rows type changed from [][]string to [][]TableCell. PeerDB does not use TableBlock, so no impact.
snowflakedb/gosnowflake/v2	v2.0.2→v2.1.0	No breaking changes. Fixes stale OCSP cache locks, context cancellation in chunk downloads, and QueryArrowStream cancellation. Safe.
twmb/franz-go	v1.21.2→v1.21.3	Fixes critical hang in PollRecords/PollFetches (regression from v1.21.0). Beneficial.
urfave/cli/v3	v3.9.0→v3.9.1	Patch fix. Safe.
go.temporal.io/sdk	v1.44.0→v1.44.1	Improved graceful worker shutdown (drains polled tasks). Safe.
go.opentelemetry.io/otel	v1.43.0→v1.44.0	Standard minor bump. Safe.
lestrrat-go/httprc/v3	v3.0.5→v3.0.6	Patch fix. Safe.
k8s.io/apimachinery	v0.36.1→v0.36.2	Patch fix. Safe.
golang.org/x/*	various	Standard lib minor/patch bumps. Safe.

PII/Secrets check:

Changes are limited to go.mod and go.sum files across three modules (e2e_cleanup/, flow/, flow/pkg/). No source code changes. No risk of PII or secrets exposure.

New transitive dependency:

github.com/nexus-rpc/nexus-proto-annotations v0.1.0 added as indirect — pulled in by the Temporal SDK v1.44.1 bump.

🤖 Generated with Claude Code