build(deps): Bump github.com/open-policy-agent/opa from 1.4.2 to 1.17.1 in /authbridge/authlib

[dependabot]

Bumps github.com/open-policy-agent/opa from 1.4.2 to 1.17.1.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

• https://pkg.go.dev/vuln/GO-2026-5039
• https://pkg.go.dev/vuln/GO-2026-5037

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

• build: bump go 1.26.3 -> 1.26.4 (authored by @​srenatus)

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

• https://pkg.go.dev/vuln/GO-2026-5039
• https://pkg.go.dev/vuln/GO-2026-5037

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

• build: bump go 1.26.3 -> 1.26.4 (authored by @​srenatus)

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

... (truncated)

Commits

• 187c696 Release v1.17.1
• a0c116e build: bump go 1.26.3 -> 1.26.4
• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

Release Notes

• Chores
  • Upgraded the Go toolchain and refreshed direct and indirect dependencies to the latest stable versions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7005134c-de7b-4e87-9c25-2e1a3a79c720

📥 Commits

Reviewing files that changed from the base of the PR and between 0680516 and 2825f16.

⛔ Files ignored due to path filters (1)

• authbridge/authlib/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• authbridge/authlib/go.mod

---

📝 Walkthrough

Walkthrough

This PR updates authbridge/authlib/go.mod to target Go 1.25.0 and refreshes the module dependency graph. Direct dependencies including OPA, gRPC, protobuf, and YAML parsing are bumped, and the indirect dependency block is extensively updated across ecosystem libraries (Prometheus, OpenTelemetry, protobuf, golang.org/x packages). Notable changes include a wasmtime-go major version transition and removal of an OpenTelemetry HTTP instrumentation module.

Changes

Go Module Dependency Refresh

Layer / File(s)	Summary
Go module and dependency version updates authbridge/authlib/go.mod	Go toolchain updated to 1.25.0; direct dependencies (OPA, golang.org/x/sys, google.golang.org/genproto, gRPC, yaml.v3) refreshed; large indirect dependency block updated across JSON handling, Prometheus client stack, OpenTelemetry SDK, multiple golang.org/x/* packages, container/XDS/protobuf ecosystem; wasmtime-go/v3 replaced with v44; otelhttp instrumentation removed.

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly Related PRs

• kagenti/kagenti-extensions#427: Both PRs modify authbridge/authlib/go.mod's dependency declarations—this PR refreshes versions of the OPA module and related transitive dependencies initially added in that PR.
• kagenti/kagenti-extensions#465: Both PRs update authbridge/authlib/go.mod to target Go 1.25.0 and refresh overlapping dependency versions including gRPC and genproto.

Suggested Reviewers

• huang195

🐰 A version bump, oh what a sight,
Dependencies dancing in morning light,
From 1.24 to twenty-five we go,
New wasmtime versions steal the show,
While otelhttp takes its graceful bow. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: bumping the OPA dependency from v1.4.2 to v1.17.1, which is the main focus of this dependency update PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/authbridge/authlib/github.com/open-policy-agent/opa-1.17.1

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}