fix(deps): update go dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gofiber/fiber/v2	v2.52.11 → v2.52.12
github.com/securego/gosec/v2	v2.23.0 → v2.24.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.52.12

Compare Source

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

securego/gosec (github.com/securego/gosec/v2)

v2.24.7

Compare Source

Changelog

• bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#​1573)
• e1502ad Add a workflow for action integration test (#​1571)
• f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#​1569)
• ade1d0e chore: migrate gosec container image references to GHCR (#​1567)

v2.24.6

Compare Source

Changelog

• 88835e8 Update gorelease to use the latest cosign bundle argument (#​1565)

v2.24.5

Compare Source

v2.24.4

Compare Source

v2.24.3

Compare Source

v2.24.2

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

Changelog

• 271492b fix: G704 false positive on const URL (#​1551)
• 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#​1550)
• f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#​1547)
• 5b580c7 Fix G602 regression coverage for issue #​1545 and stabilize G117 TOML test dependency (#​1546)
• eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#​1543)
• a6381c1 test: add missing rules to formatter report tests (#​1540)
• fea9725 chore(deps): update all dependencies (#​1541)
• f3e2fac Regenrate the TLS config rule (#​1539)
• 200461f Improve documentation (#​1538)
• 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#​1537)
• ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#​1536)
• c13a486 Add G707 taint analyzer for SMTP command/header injection (#​1535)
• f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#​1534)
• b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#​1532)
• 1735e5a fix(G602): avoid false positives for range-over-array indexing (#​1531)
• caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#​1530)
• bd11fbe fix: taint analysis false positives with G703,G705 (#​1522)
• e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#​1529)
• b940702 Fix the G117 rule to take the JSON serialization into account (#​1528)
• 4f84627 (docs) fix justification format (#​1524)
• 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#​1521)
• 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#​1520)
• 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#​1519)
• 14fdd9c Fix G115 false positives and negatives (Issue #​1501) (#​1518)
• cec54ec chore(deps): update all dependencies (#​1517)
• 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#​1516)
• a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#​1515)
• 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#​1513)
• 4f1f362 Add more unit tests to improve coverage (#​1512)
• 9344582 Improve test coverage in various areas (#​1511)
• 8d1b2c6 Imprve the test coverage (#​1510)
• 993c1c4 Fix incorrect detection of fixed iv in G407 (#​1509)
• 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#​1508)
• 514225c Fix the sonar report to follow the latest schema (#​1507)
• 000384e fix: broken taint analysis causing false positives (#​1506)
• 616192c fix: panic on float constants in overflow analyzer (#​1505)
• 79956a3 fix: panic when scanning multi-module repos from root (#​1504)
• 5736e8b fix: G602 false positive for array element access (#​1499)
• 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#​1496)

---

Configuration

📅 Schedule: Branch creation - "before 6am on monday" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated

Details:

Package	Change
github.com/anthropics/anthropic-sdk-go	v1.22.0 -> v1.26.0
github.com/openai/openai-go/v3	v3.18.0 -> v3.23.0
golang.org/x/mod	v0.32.0 -> v0.33.0
golang.org/x/net	v0.49.0 -> v0.51.0
golang.org/x/tools	v0.41.0 -> v0.42.0
google.golang.org/genai	v1.45.0 -> v1.47.0

[github-actions]

PR Label Validation Failed

❌ Missing required area label
Please add a label starting with area/ (e.g., area/handlers, area/models, area/services)

Current labels:

• type/dependencies

Requirements:

• ✅ Must have at least one type/* label
• ✅ Must have at least one area/* label
• ❌ Must NOT have special labels (needs-review, needs-testing, blocked, wip, invalid, wontfix, duplicate)

[github-actions]

📊 Code Coverage Report

Total Coverage: 72.0%

Coverage by Package

github.com/ullbergm/echo-server/handlers/builder.go:8:	BuilderHandler			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:27:	EchoHandler			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:62:	EchoHandlerHead			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:78:	buildEchoResponse		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:94:	buildRequestInfo		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:122:	buildHeadersMap			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:130:	buildServerInfo			83.3%
github.com/ullbergm/echo-server/handlers/echo.go:147:	getHostAddress			75.0%
github.com/ullbergm/echo-server/handlers/echo.go:163:	getEnvironmentVariables		94.1%
github.com/ullbergm/echo-server/handlers/echo.go:199:	getKubernetesInfo		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:245:	getRemoteAddress		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:261:	getCustomStatusCode		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:276:	parseCookies			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:293:	setResponseCookies		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:309:	parseSetCookieHeader		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:380:	parseExpires			100.0%
github.com/ullbergm/echo-server/handlers/echo.go:404:	getCompressionInfo		100.0%
github.com/ullbergm/echo-server/handlers/echo.go:438:	getRequestTLSInfo		33.3%
github.com/ullbergm/echo-server/handlers/echo.go:465:	getServerTLSInfo		100.0%
github.com/ullbergm/echo-server/handlers/metrics.go:17:	Gather				100.0%
github.com/ullbergm/echo-server/handlers/metrics.go:36:	MetricsHandler			100.0%
github.com/ullbergm/echo-server/main.go:32:		main				0.0%
github.com/ullbergm/echo-server/main.go:217:		formatValue			0.0%
github.com/ullbergm/echo-server/main.go:235:		startDualStackServers		0.0%
github.com/ullbergm/echo-server/main.go:309:		storeCertificateInfo		0.0%
github.com/ullbergm/echo-server/services/body.go:37:	NewBodyService			100.0%
github.com/ullbergm/echo-server/services/body.go:53:	ParseBody			91.7%
github.com/ullbergm/echo-server/services/body.go:108:	isBinaryData			100.0%
github.com/ullbergm/echo-server/services/body.go:132:	parseJSON			100.0%
github.com/ullbergm/echo-server/services/body.go:144:	parseXML			100.0%
github.com/ullbergm/echo-server/services/body.go:151:	parseFormURLEncoded		100.0%
github.com/ullbergm/echo-server/services/body.go:170:	parseMultipartForm		100.0%
github.com/ullbergm/echo-server/services/jwt.go:18:	NewJWTService			100.0%
github.com/ullbergm/echo-server/services/jwt.go:35:	ExtractAndDecodeJWTs		100.0%
github.com/ullbergm/echo-server/services/jwt.go:66:	decodeJWT			100.0%
github.com/ullbergm/echo-server/services/jwt.go:99:	decodeBase64URL			100.0%
github.com/ullbergm/echo-server/services/jwt.go:124:	truncateToken			100.0%
github.com/ullbergm/echo-server/services/metrics.go:18:	NewMetricsService		100.0%
github.com/ullbergm/echo-server/services/metrics.go:39:	MetricsMiddleware		90.9%
github.com/ullbergm/echo-server/services/tls.go:24:	NewTLSService			100.0%
github.com/ullbergm/echo-server/services/tls.go:29:	GetOrGenerateCertificate	87.5%
github.com/ullbergm/echo-server/services/tls.go:65:	generateSelfSignedCertificate	75.0%
github.com/ullbergm/echo-server/services/tls.go:135:	logCertificateInfo		100.0%
github.com/ullbergm/echo-server/services/tls.go:158:	ParseCertificate		100.0%
total:							(statements)			72.0%

📁 Download full coverage report