Bump github.com/openfga/openfga from 1.11.5 to 1.13.1

[dependabot]

Bumps github.com/openfga/openfga from 1.11.5 to 1.13.1.

Release notes

Sourced from github.com/openfga/openfga's releases.

v1.13.1

What's Changed

Security

• Fixed a security vulnerability (CVE-2026-33729) where Check requests with conditions and caching enabled could return incorrect cached results.

Full Changelog: openfga/openfga@v1.13.0...v1.13.1

v1.13.0

What's Changed

• AuthZen v1.0 Implementation by @​aaguiarz in openfga/openfga#2875
• docs: fix typos in RELEASES.md and Makefile by @​kanywst in openfga/openfga#2980
• fix: capture panics in pipeline's base resolver, and return as errors. by @​senojj in openfga/openfga#2994
• observability: aggregate message statistics for each list-objects sender into a single span by @​senojj in openfga/openfga#2993
• docs: fix typos in comments by @​archy-rock3t-cloud in openfga/openfga#2972
• refactor: Separate caches for v1 and v2 Check by @​saad-h1 in openfga/openfga#2968
• release: update changelog for release v1.13.0 by @​poovamraj in openfga/openfga#2997

New Contributors

• @​kanywst made their first contribution in openfga/openfga#2980

Full Changelog: openfga/openfga@v1.12.1...v1.13.0

v1.12.1

Changed

• The ListObjects "pipeline" algorithm ditches its custom Pipe implementation and replaces it with Go native channels. #2977
• Refactor tuple validation and manipulation functions for optimal performance. #2984
• Update grpc-go version to v1.79.3 and grpc-health-probe to v0.4.47. #2988

Fixed

• Fixed OTEL_EXPORTER_OTLP_ENDPOINT not accepting URIs with schemes (e.g. http://host:4317). The scheme is now stripped before passing to the gRPC exporter, and an https:// scheme enables TLS regardless of the trace.otlp.tls.enabled flag. #2981

Full Changelog: openfga/openfga@v1.12.0...v1.12.1

v1.12.0

Added

• Add configuration for maximum size of received gRPC message bytes. #2952

Changed

• HTTP gateway's internal gRPC client now uses dynamic TLS credentials that automatically update on certificate rotation via certwatcher, preventing connection failures when certificates are rotated (e.g., by cert-manager). #2951
• Tuple validation will now fail when any unicode control characters, or null bytes are present within a tuple string. #2963

Fixed

• Fixed swapped format arguments in DecodeParameterType error message that reported required and found generic type counts in the wrong order. #2961
• Fixed a few bugs. Two potential index out of bounds scenarios, and one cache of an invalid result. #2942
• Fixed a race condition in check reducers causing non-deterministic nested handler execution due to canceled parent context. #2947
• Fixed an issue where cache_item_count was incrementing on overwrites, causing the metric to steadily drift upward. #2950
• Set pipeline_list_objects enabled by default in experimentals so that setting new experimental values does not disable it. This is required so that a user may pass in a custom featureflag client where pipeline_list_objects can be disabled on a per store basis. To disable the ListObjects pipeline algorithm entirely, set listObjects-pipeline-enabled to false. #2957

... (truncated)

Changelog

Sourced from github.com/openfga/openfga's changelog.

[1.13.1] - 2026-03-24

Security

• Fixed a security vulnerability (CVE-2026-33729) where Check requests with conditions and caching enabled could return incorrect cached results.

[1.13.0] - 2026-03-23

Added

• Add AuthZen 1.0 experimental support. #2875

Fixed

• Prevent recoverable panics in list objects from terminating the process. Return an error instead. #2994

[1.12.1] - 2026-03-19

Changed

• The ListObjects "pipeline" algorithm ditches its custom Pipe implementation and replaces it with Go native channels. #2977
• Refactor tuple validation and manipulation functions for optimal performance. #2984
• Update grpc-go version to v1.79.3 and grpc-health-probe to v0.4.47. #2988

Fixed

• Fixed OTEL_EXPORTER_OTLP_ENDPOINT not accepting URIs with schemes (e.g. http://host:4317). The scheme is now stripped before passing to the gRPC exporter, and an https:// scheme enables TLS regardless of the trace.otlp.tls.enabled flag. #2981

[1.12.0] - 2026-03-13

Added

• Add AuthZen 1.0 experimental support. #2875
• Add configuration for maximum size of received gRPC message bytes. #2952

Changed

• HTTP gateway's internal gRPC client now uses dynamic TLS credentials that automatically update on certificate rotation via certwatcher, preventing connection failures when certificates are rotated (e.g., by cert-manager). #2951
• Tuple validation will now fail when any unicode control characters, or null bytes are present within a tuple string. #2963

Fixed

• Fixed swapped format arguments in DecodeParameterType error message that reported required and found generic type counts in the wrong order. #2961
• Fixed a few bugs. Two potential index out of bounds scenarios, and one cache of an invalid result. #2942
• Fixed a race condition in check reducers causing non-deterministic nested handler execution due to canceled parent context. #2947
• Fixed an issue where cache_item_count was incrementing on overwrites, causing the metric to steadily drift upward. #2950
• Set pipeline_list_objects enabled by default in experimentals so that setting new experimental values does not disable it. This is required so that a user may pass in a custom featureflag client where pipeline_list_objects can be disabled on a per store basis. To disable the ListObjects pipeline algorithm entirely, set listObjects-pipeline-enabled to false. #2957

Security

• Update toolchain go version to 1.26.1 to be latest. #2975
• Update toolchain go version to 1.25.8 to address std lib vulnerabilities GO-2026-4603 and GO-2026-4601. #2971

[1.11.6] - 2026-02-23

Added

• Set ListObjects pipeline as the default enabled algorithm, can be disabled by setting the listObjects-pipeline-enabled to false. #2921

Changed

• Migrate grpc.DialContext to grpc.NewClient for grpc-gateway client #2714

Security

• Bump grpc-health-probe to v0.4.45 to address nvd.nist.gov/vuln/detail/CVE-2025-68121 affecting grpc_health_probe.

Commits

• cbb16ab release: update changelog for release v1.13.1 (#3002)
• 049b50c Merge commit from fork
• db79b31 release: update changelog for release v1.13.0 (#2997)
• 052a6e7 refactor: Separate caches for v1 and v2 Check (#2968)
• d91d9c8 docs: fix typos in comments (#2972)
• 172ff59 observability: aggregate message statistics for each list-objects sender into...
• e538a88 fix: capture panics in pipeline's base resolver, and return as errors. (#2994)
• 4600682 docs: fix typos in RELEASES.md and Makefile (#2980)
• ff2040a AuthZen v1.0 Implementation (#2875)
• 8f0feee release: update changelog for release v1.12.1 (#2992)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #588.