chore(deps): bump the gomod-minor-patch group with 6 updates

[dependabot]

Bumps the gomod-minor-patch group with 6 updates:

Package	From	To
charm.land/bubbletea/v2	2.0.6	2.0.7
github.com/betterleaks/betterleaks	1.1.2	1.4.0
github.com/entireio/auth-go	0.3.4	0.4.0
github.com/go-git/x/plugin/objectsigner/auto	0.0.0-20260330134459-33df49246da9	0.1.0
github.com/posthog/posthog-go	1.12.1	1.14.0
golang.org/x/mod	0.35.0	0.36.0

Updates charm.land/bubbletea/v2 from 2.0.6 to 2.0.7

Release notes

Sourced from charm.land/bubbletea/v2's releases.

v2.0.7

A few lil’ stability patches

Hi! This is a patch release with a few solid improvements around stability and correctness.

• @​lrstanley, one of our faves, fixed a race condition around mice in the Cursed Renderer
• @​lawrence3699 fixed a panic that could happen when input's not available
• We fixed a correctness issue with regard to mouse releases when Kitty Keyboard was active (thanks, @​mitchellh)

Thanks for using Bubble Tea, and if you see anything awry please do let us know!

—Charm 👋

Changelog

Fixed

• c60f0c53042238305ec13b486326588f12aea0ec: fix: prevent data race with cursedRenderer.onMouse (#1691) (@​lrstanley)
• 074596e14e2f5ca5e3986ee72e7c08f1569c4178: fix: skip input reader restore when input is disabled (#1680) (@​lawrence3699)
• 878d7df2f2b02f3ca8db177fa8553834bc35ea7c: fix(deps): bump ultraviolet for kitty keyboard fix (@​meowgorithm)

---

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

Commits

• a23da80 v2.0.7
• 670963e chore(task): add release and fetch-tags tasks
• 29c4c32 fix(examples/deps): go mod tidy
• 878d7df chore(deps): bump ultraviolet for kitty keyboard fix
• c60f0c5 fix: prevent data race with cursedRenderer.onMouse (#1691)
• 640d879 docs(readme): update footer image
• 0fbefd2 chore: remove CODEOWNERS
• 074596e fix: skip input reader restore when input is disabled (#1680)
• See full diff in compare view

Updates github.com/betterleaks/betterleaks from 1.1.2 to 1.4.0

Release notes

Sourced from github.com/betterleaks/betterleaks's releases.

v1.4.0

What's New

GitLab Source

You can now scan GitLab groups and projects. The GitLab command has a very similar shape to the GitHub command.

Usage:
  betterleaks gitlab <target-url> [flags]
Examples:
Scan a project's git history
betterleaks gitlab https://gitlab.com/group/project
Scan a merge request
betterleaks gitlab https://gitlab.com/group/project/-/merge_requests/42
Scan all projects under a group (recursing into subgroups by default)
betterleaks gitlab https://gitlab.com/mygroup
Scan projects plus issues and MRs
betterleaks gitlab --include=issues,mrs https://gitlab.com/group/project
Scan a self-hosted instance
betterleaks gitlab --base-url=https://gitlab.example.com/ https://gitlab.example.com/group/project

Pretty Printing

Betterleaks got a glowup 💄 Check it

┌─aws-amazon-bedrock-api-key-short-lived──○
│
│ 402 │ regex = '''bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t'''
│     │            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
│
│ attributes:
│   path .......... config/betterleaks.toml
│   resource ...... fs.content
└○

Misc Bug fixes and chores

Changelog

... (truncated)

Commits

• 0f4629c GitLab source + GitLab cmd (#158)
• ac2c13b update example w/ new bindings
• c1fc2e0 cleanup cel env (#156)
• 93d973a Add Betterleaks Playground reference to README
• e61f630 expose attributes in validate cel envs (#154)
• e2905e7 Feat/more cloud rules + small update to pretty print (#153)
• a992d9e Borrowing SECURITY.md from kingfisher, thanks mick :)
• bdc0178 Update CONTRIBUTING.md
• a73f199 clean up docs
• c28da61 looking good (#147)
• Additional commits viewable in compare view

Updates github.com/entireio/auth-go from 0.3.4 to 0.4.0

Changelog

Sourced from github.com/entireio/auth-go's changelog.

v0.4.0 — 2026-05-28

Added

• New refresh package: an RFC 6749 §6 refresh_token grant client (peer of sts/deviceflow) that re-mints the login JWT from a stored refresh token. Exposes refresh.ErrInvalidGrant for rotation-race handling.
• tokenmanager.Token now transparently re-mints an expired/near-expiry login JWT from the stored refresh token before resolving the request, re-prompting login only when the refresh token itself is revoked or expired. New exported tokenmanager.Manager.Refresh lets callers warm the session proactively.
• Cross-process single-flight for refresh: an in-process mutex plus an injectable tokenmanager.ProcessLock (default: an advisory file lock over golang.org/x/sys), with rotation-race tolerance (on invalid_grant, the store is re-read and the refresh retried once against a concurrently-rotated successor before concluding re-login).
• New tokenmanager.Config fields RefreshPath (token endpoint for the refresh grant) and LockDir (advisory-lock directory; defaults under os.UserCacheDir()).
• New sentinels tokenmanager.ErrReauthRequired (refresh exhausted — distinct from ErrNotLoggedIn) and tokenmanager.ErrNoRefreshPath.

Changed

• golang.org/x/sys is now a direct dependency (advisory file lock).
• client_id validation (ValidateClientID / ValidateClientIDConsistency) moved into internal/oauthhttp and shared by sts and refresh; no behavioural change to sts.
• Clamp a server-provided expires_in before converting to a time.Duration (centralised in internal/oauthhttp.ExpiresInDuration), applied across sts, deviceflow, and refresh. Guards against an int64 nanosecond overflow that an absurd value would otherwise wrap into a past expiry.
• tokenmanager.SaveCoreToken and tokenmanager.DeleteCoreToken now acquire the refresh lock (refreshMu in-process, the cross-process file lock) before mutating the store, serialising them against in-flight refreshes. Prevents a refresh whose grant is mid-flight from persisting over a concurrent logout (session resurrection) or overwriting a concurrent re-login. Both methods can now block up to ~30s under contention and may return a wrapped lock-acquire error.

Commits

• a0b110c Merge pull request #11 from entireio/alex/v0.4.0-changelog
• 6d9f767 Finalise v0.4.0 CHANGELOG
• a853917 Merge pull request #10 from entireio/alex/cor-314-auth-go-refresh-tier-persis...
• 251d8ee Coordinate SaveCoreToken/DeleteCoreToken with the refresh lock
• 975ca74 Centralize expires_in overflow clamp across sts/deviceflow/refresh
• 666ff5f Guard against empty AccessToken in ensureFreshLogin
• 1e6666a Clamp server expires_in to avoid time.Duration overflow
• 241ab27 Close refresh/proclock doc + test gaps from PR review
• b4f3eee Refine doRefresh logout semantics; close test + doc gaps from PR review
• 27169af Note JWT-exp refresh trigger in Refresh godoc
• Additional commits viewable in compare view

Updates github.com/go-git/x/plugin/objectsigner/auto from 0.0.0-20260330134459-33df49246da9 to 0.1.0

Release notes

Sourced from github.com/go-git/x/plugin/objectsigner/auto's releases.

plugin/objectsigner/gpg/v0.1.0

What's Changed

• build: Add .gitattributes by @​pjbgf in go-git/x#4

New Contributors

• @​pjbgf made their first contribution in go-git/x#4

Full Changelog: https://github.com/go-git/x/commits/plugin/objectsigner/gpg/v0.1.0

plugin/objectsigner/ssh/v0.1.0

What's Changed

• build: Add .gitattributes by @​pjbgf in go-git/x#4

New Contributors

• @​pjbgf made their first contribution in go-git/x#4

Full Changelog: https://github.com/go-git/x/commits/plugin/objectsigner/ssh/v0.1.0

plugin/objectsigner/auto/v0.1.0

What's Changed

• objectsigner: Add auto ObjectSigner plugin by @​pjbgf in go-git/x#5

Full Changelog: go-git/x@plugin/objectsigner/gpg/v0.1.0...plugin/objectsigner/auto/v0.1.0

Commits

• See full diff in compare view

Updates github.com/posthog/posthog-go from 1.12.1 to 1.14.0

Release notes

Sourced from github.com/posthog/posthog-go's releases.

1.14.0

Unreleased

1.13.2

Unreleased

1.13.1

Unreleased

1.13.0

Unreleased

1.12.6

Unreleased

1.12.5

Unreleased

1.12.4 - 2026-04-30

• Full Changelog

1.12.3 - 2026-04-21

• Full Changelog

1.12.2 - 2026-04-20

• Full Changelog

Changelog

Sourced from github.com/posthog/posthog-go's changelog.

1.14.0

Minor Changes

• 554c99a: Add a configurable $is_server event property (default true) so PostHog can identify server-side events. Set IsServer: false when using posthog-go as a client/CLI so the device OS is attributed normally.

1.13.2

Patch Changes

• df2ae97: Capture with SendFeatureFlags(true) now prefers local evaluation when flag definitions are loaded, falling back to a remote /flags request only for flags that can't be computed locally. OnlyEvaluateLocally remains strictly local with no remote fallback.

  Captured events now exclude flags that evaluate to false from $active_feature_flags (they are still attached as $feature/<key>=false), matching the other PostHog SDKs.

1.13.1

Patch Changes

• 541b82f: Include group context in the $feature_flag_called LRU dedupe key so group-scoped flags fire a separate event for each group a user is evaluated under, instead of being dedup-ed against the first group context the same (distinct_id, flag, device_id) was seen under.

1.13.0

Minor Changes

• dec8ade: Add opt-in panic capture for request context middleware.
• dec8ade: Add server-side request context helpers for net/http capture and exception events, plus EvaluateFlagsWithContext for using request-scoped distinct IDs during flag evaluation. Request-context flag evaluation does not generate personless IDs.

1.12.6

Patch Changes

• 9289d53: Reject semver values with leading zeros in local flag evaluation. Per semver 2.0.0 §2, numeric identifiers must not include leading zeros — values like 1.07.3 are not valid semver and should not match targeting conditions. Both override values and flag values are now validated; invalid inputs surface an InconclusiveMatchError so the condition does not match.

1.12.5

Patch Changes

• 6d243a6: Return ErrSDKDisabled from no-op clients when the project API key is missing, return ErrNoPersonalAPIKey before making requests for Personal API key dependent methods when no Personal API key is configured, and return ErrNoDistinctID from EvaluateFlags when distinct_id is missing.

New Features

• EvaluateFlags: New method on Client that returns a FeatureFlagEvaluations snapshot for a user using a single /flags request. The snapshot powers any number of IsEnabled / GetFlag / GetFlagPayload checks, fires deduped $feature_flag_called events with full v4 metadata (id, version, reason, request_id), and can be attached to a Capture event via the new Capture.Flags field to populate $feature/<key> and $active_feature_flags without another network call.
• Capture.Flags: New optional field on Capture that accepts a *FeatureFlagEvaluations snapshot. Takes precedence over SendFeatureFlags, avoids a hidden /flags request per event, and lets caller-supplied Properties override the auto-generated $feature/<key> values on conflict.

Internal

• Refactored the $feature_flag_called dedup logic into a shared helper so the existing single-flag path and the new snapshot path use identical semantics against the same per-distinct_id LRU cache.
• $feature_flag_called events from the snapshot path combine response-level errors (errors_while_computing_flags, quota_limited) with per-flag errors (flag_missing) comma-joined in $feature_flag_error, matching the granularity of the legacy single-flag path.

1.12.4 - 2026-04-30

... (truncated)

Commits

• 1f1f2fa chore: release v1.14.0 [version bump] [skip ci]
• 554c99a feat: emit $is_server property on captured events (#215)
• 429fce9 chore: release v1.13.2 [version bump] [skip ci]
• df2ae97 fix(flags): prefer local evaluation for SendFeatureFlags capture enrichment (...
• b9d10cf chore: Bump flags-project-board workflow pin to latest (#212)
• 97d126d chore: configure dependency minimum release age / cooldown (#211)
• f68c74f chore: release v1.13.1 [version bump] [skip ci]
• 541b82f fix: include group context in $feature_flag_called dedupe key (#206)
• 4650ca2 chore: use shared semantic PR title workflow (#210)
• ba838c8 chore: validate PR titles with conventional commits (#209)
• Additional commits viewable in compare view

Updates golang.org/x/mod from 0.35.0 to 0.36.0

Commits

• 643da9b go.mod: update golang.org/x dependencies
• ccc3cdf zip: include 'but content has correct sum' note in TestVCS
• ab30318 zip: update zip hashes for new flate compression
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Patel230]

Removing Dependabot from this repository.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml