fix(deps): bump the external group across 1 directory with 5 updates

[dependabot]

Bumps the external group with 4 updates in the /examples directory: connectrpc.com/connect, github.com/spf13/cobra, github.com/stretchr/testify and google.golang.org/grpc.

Updates connectrpc.com/connect from 1.18.1 to 1.19.1

Release notes

Sourced from connectrpc.com/connect's releases.

v1.19.1

What's Changed

Bugfixes

• Fix bounds check on envelope for 32-bit archs by @​emcfarlane in #887
• Fix CallInfo header/trailer propagation on error responses by @​emcfarlane in #892

Full Changelog: connectrpc/connect-go@v1.19.0...v1.19.1

v1.19.0

This release introduces the highly requested "simple" flag for code generation, making Connect significantly more ergonomic for everyday RPC development.

The new simple flag in protoc-gen-connect-go generates cleaner, more intuitive client and handler interfaces that eliminate request/response wrappers for most use cases. This addresses community feedback about verbosity and provides a more straightforward API. When enabled, metadata (headers/trailers) can be passed through context instead of explicit wrapper objects, optimizing for the common case where developers don't need direct access to HTTP headers.

What's Changed

Enhancements

• Add simple flag for more ergonomic generated code by @​bufdev and @​smaye81 in connectrpc/connect-go#851
• Update Go to v1.24 and document http.Protocol use removing the dependency on golang.org/x/net/http2 by @​maxbrunet in connectrpc/connect-go#873, connectrpc/connect-go#877
• Add support for Edition 2024 by @​emcfarlane in connectrpc/connect-go#878

Bugfixes

• Include valid spec and headers when calling recover handler for streaming RPCs by @​jhump in connectrpc/connect-go#817

Other changes

• Go version support updated to latest two instead of three by @​jhump in connectrpc/connect-go#837
• CI testing improvements by @​pkwarren and @​jhump in connectrpc/connect-go#838, connectrpc/connect-go#839
• Code quality improvements by @​mattrobenolt and @​bufdev in connectrpc/connect-go#841, connectrpc/connect-go#867
• Documentation improvements by @​adlion and @​stefanvanburen in connectrpc/connect-go#821, connectrpc/connect-go#880

New Contributors

• @​adlion made their first contribution in connectrpc/connect-go#821
• @​maxbrunet made their first contribution in connectrpc/connect-go#873
• @​stefanvanburen made their first contribution in connectrpc/connect-go#880

Full Changelog: connectrpc/connect-go@v1.18.1...v1.19.0

Commits

• ad95987 Prepare for v1.19.1 (#895)
• a19db8a Fix CallInfo header/trailer propagation on error responses (#892)
• af35892 Fix bounds check on envelope for 32-bit archs (#887)
• ab1cd05 Fix README.md (#890)
• 79c4205 Update README.md to use validate-go and codify example in internal/example (#...
• 5efe980 Back to development (#884)
• 0f2c5b2 Prepare for v1.19.0 (#883)
• a9ad76e Update README to show simple flag usage (#864)
• cf078a1 Remove golang.org/x/net/http2 dependency from tests (#877)
• 5cb2412 Fix several GoDoc comments (#880)
• Additional commits viewable in compare view

Updates github.com/spf13/cobra from 1.9.1 to 1.10.1

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.1

🐛 Fix

• chore: upgrade pflags v1.0.9 by @​jpmcb in spf13/cobra#2305

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

What's Changed

🚨 Attention!

• Bump pflag to 1.0.8 by @​tomasaschan in spf13/cobra#2303

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

• If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`
• or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: spf13/cobra#2303

✨ Features

• Flow context to command in SetHelpFunc by @​Frassle in spf13/cobra#2241
• The default ShellCompDirective can be customized for a command and its subcommands by @​albers in spf13/cobra#2238

🐛 Fix

• Upgrade golangci-lint to v2, address findings by @​scop in spf13/cobra#2279

🪠 Testing

• Test with Go 1.24 by @​harryzcy in spf13/cobra#2236
• chore: Rm GitHub Action PR size labeler by @​jpmcb in spf13/cobra#2256

📝 Docs

• Remove traling curlybrace by @​yedayak in spf13/cobra#2237
• Update command.go by @​styee in spf13/cobra#2248
• feat: Add security policy by @​jpmcb in spf13/cobra#2253
• Update Readme (Warp) by @​ericdachen in spf13/cobra#2267
• Add Periscope to the list of projects using Cobra by @​anishathalye in spf13/cobra#2299

New Contributors

• @​harryzcy made their first contribution in spf13/cobra#2236
• @​yedayak made their first contribution in spf13/cobra#2237
• @​Frassle made their first contribution in spf13/cobra#2241

... (truncated)

Commits

• 7da941c chore: Bump pflag to v1.0.9 (#2305)
• 51d6751 Bump pflag to 1.0.8 (#2303)
• 3f3b818 Update README.md with new logo
• dcaf42e Add Periscope to the list of projects using Cobra (#2299)
• 6dec1ae The default ShellCompDirective can be customized for a command and its subcom...
• c8289c1 chore(golangci-lint): add some exclusion presets
• 4af7b64 refactor: apply golangci-lint autofixes, work around false positives
• 75790e4 chore(golangci-lint): upgrade to v2
• db3ddb5 Adding sponsorship to README.md
• 67171d6 putting sponsorship below header
• Additional commits viewable in compare view

Updates github.com/stretchr/testify from 1.10.0 to 1.11.1

Release notes

Sourced from github.com/stretchr/testify's releases.

v1.11.1

This release fixes #1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

• Backport #1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @​brackendawson in stretchr/testify#1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

• Call stack perf change for CallerInfo by @​mikeauclair in stretchr/testify#1614
• Lazily render mock diff output on successful match by @​mikeauclair in stretchr/testify#1615
• assert: check early in Eventually, EventuallyWithT, and Never by @​cszczepaniak in stretchr/testify#1427
• assert: add IsNotType by @​bartventer in stretchr/testify#1730
• assert.JSONEq: shortcut if same strings by @​dolmen in stretchr/testify#1754
• assert.YAMLEq: shortcut if same strings by @​dolmen in stretchr/testify#1755
• assert: faster and simpler isEmpty using reflect.Value.IsZero by @​dolmen in stretchr/testify#1761
• suite: faster methods filtering (internal refactor) by @​dolmen in stretchr/testify#1758

Fixes

• assert.ErrorAs: log target type by @​craig65535 in stretchr/testify#1345
• Fix failure message formatting for Positive and Negative asserts in stretchr/testify#1062
• Improve ErrorIs message when error is nil but an error was expected by @​tsioftas in stretchr/testify#1681
• fix Subset/NotSubset when calling with mixed input types by @​siliconbrain in stretchr/testify#1729
• Improve ErrorAs failure message when error is nil by @​ccoVeille in stretchr/testify#1734
• mock.AssertNumberOfCalls: improve error msg by @​3scalation in stretchr/testify#1743

Documentation, Build & CI

• docs: Fix typo in README by @​alexandear in stretchr/testify#1688
• Replace deprecated io/ioutil with io and os by @​alexandear in stretchr/testify#1684
• Document consequences of calling t.FailNow() by @​greg0ire in stretchr/testify#1710
• chore: update docs for Unset #1621 by @​techfg in stretchr/testify#1709
• README: apply gofmt to examples by @​alexandear in stretchr/testify#1687
• refactor: use %q and %T to simplify fmt.Sprintf by @​alexandear in stretchr/testify#1674
• Propose Christophe Colombier (ccoVeille) as approver by @​brackendawson in stretchr/testify#1716
• Update documentation for the Error function in assert or require package by @​architagr in stretchr/testify#1675
• assert: remove deprecated build constraints by @​alexandear in stretchr/testify#1671
• assert: apply gofumpt to internal test suite by @​ccoVeille in stretchr/testify#1739
• CI: fix shebang in .ci.*.sh scripts by @​dolmen in stretchr/testify#1746
• assert,require: enable parallel testing on (almost) all top tests by @​dolmen in stretchr/testify#1747
• suite.Passed: add one more status test report by @​Ararsa-Derese in stretchr/testify#1706
• Add Helper() method in internal mocks and assert.CollectT by @​dolmen in stretchr/testify#1423
• assert.Same/NotSame: improve usage of Sprintf by @​ccoVeille in stretchr/testify#1742
• mock: enable parallel testing on internal testsuite by @​dolmen in stretchr/testify#1756
• suite: cleanup use of 'testing' internals at runtime by @​dolmen in stretchr/testify#1751
• assert: check test failure message for Empty and NotEmpty by @​ccoVeille in stretchr/testify#1745

... (truncated)

Commits

• 2a57335 Merge pull request #1788 from brackendawson/1785-backport-1.11
• af8c912 Backport #1786 to release/1.11
• b7801fb Merge pull request #1778 from stretchr/dependabot/github_actions/actions/chec...
• 69831f3 build(deps): bump actions/checkout from 4 to 5
• a53be35 Improve captureTestingT helper
• aafb604 mock: improve formatting of error message
• 7218e03 improve error msg
• 929a212 Merge pull request #1758 from stretchr/dolmen/suite-faster-method-filtering
• bc7459e suite: faster filtering of methods (-testify.m)
• 7d37b5c suite: refactor methodFilter
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.73.0 to 1.77.0

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.77.0

API Changes

• mem: Replace the Reader interface with a struct for better performance and maintainability. (#8669)

Behavior Changes

• balancer/pickfirst: Remove support for the old pick_first LB policy via the environment variable GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false. The new pick_first has been the default since v1.71.0. (#8672)

Bug Fixes

• xdsclient: Fix a race condition in the ADS stream implementation that could result in resource-not-found errors, causing the gRPC client channel to move to TransientFailure. (#8605)
• client: Ignore HTTP status header for gRPC streams. (#8548)
• client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. (#8534)
  • Special Thanks: @​jgold2-stripe
• client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
  • Setting environment variable GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false disables this change; please file a bug if any problems are encountered as we will remove this option soon. (#8613)
• balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. (#8611)
• server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. (#8573)
  • Special Thanks: @​hugehoo
• balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to pick_first but don't set endpoints. (#8610)
• mem: Clear large buffers before re-using. (#8670)

Performance Improvements

• transport: Reduce heap allocations to reduce time spent in garbage collection. (#8624, #8630, #8639, #8668)
• transport: Avoid copies when reading and writing Data frames. (#8657, #8667)
• mem: Avoid clearing newly allocated buffers. (#8670)

New Features

• outlierdetection: Add metrics specified in gRFC A91. (#8644)
  • Special Thanks: @​davinci26, @​PardhuKonakanchi
• stats/opentelemetry: Add support for optional label grpc.lb.backend_service in per-call metrics (#8637)
• xds: Add support for JWT Call Credentials as specified in gRFC A97. Set environment variable GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true to enable this feature. (#8536)
  • Special Thanks: @​dimpavloff
• experimental/stats: Add support for up/down counters. (#8581)

Release 1.76.0

Dependencies

• Minimum supported Go version is now 1.24 (#8509)
  • Special Thanks: @​kevinGC

Bug Fixes

• client: Return status INTERNAL when a server sends zero response messages for a unary or client-streaming RPC. (#8523)
• client: Fail RPCs with status INTERNAL instead of UNKNOWN upon receiving http headers with status 1xx and END_STREAM flag set. (#8518)
  • Special Thanks: @​vinothkumarr227
• pick_first: Fix race condition that could cause pick_first to get stuck in IDLE state on backend address change. (#8615)

... (truncated)

Commits

• 805b1f8 Change version to 1.77.0 (#8677)
• ea7b66e Cherrypick #8702 to v1.77.x (#8709)
• cadae08 Cherry-pick #8536 to v1.77.x (#8691)
• 4288cfc Cherrypick #8657 and #8667 to v1.77.x (#8690)
• f959da6 transport: Reduce heap allocations (#8668)
• 0d49384 deps: update all dependencies (#8673)
• e3e142d pickfirst: Remove old pickfirst (#8672)
• 254ab10 documentation: fix typos in benchmark and auth docs (#8674)
• 2d56bda mem: Remove Reader interface and export the concrete struct (#8669)
• 8ab0c82 mem: Avoid clearing new buffers and clear buffers from simpleBufferPools (#8670)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.6 to 1.36.10

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

X-Test Results

opentdfplatform9WZA44.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformLI3UVG.dockerbuild
✅ js-v0.4.34
cukes-report
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 6 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

examples/go.mod

Name	Version	Vulnerability	Severity
golang.org/x/crypto	0.43.0	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	moderate
		golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	moderate

License Issues

examples/go.mod

Package	Version	License	Issue Type
golang.org/x/crypto	0.43.0	Null	Unknown License
golang.org/x/net	0.46.1-0.20251013234738-63d1a5100f82	Null	Unknown License
golang.org/x/oauth2	0.32.0	Null	Unknown License
golang.org/x/sys	0.37.0	Null	Unknown License
golang.org/x/text	0.30.0	Null	Unknown License
google.golang.org/protobuf	1.36.10	Null	Unknown License

Denied Licenses: GPL-2.0, AGPL-1.0, AGPL-1.0-or-later, AGPL-1.0-only, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, CNRI-Python-GPL-Compatible, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-GCC-exception, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-GCC-exception, GPL-3.0-with-autoconf-exception, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, NGPL

Excluded from license check: pkg:githubactions/SonarSource/sonarqube-scan-action

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/golang.org/x/crypto	0.43.0	Unknown	Unknown
gomod/connectrpc.com/connect	1.19.1	🟢 6.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 2 badge detected: InProgress Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/spf13/cobra	1.10.1	🟢 6.9	Details Check Score Reason Maintained 🟢 5 2 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 21/25 approved changesets -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/spf13/pflag	1.0.9	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 21 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/stretchr/testify	1.11.1	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/golang.org/x/net	0.46.1-0.20251013234738-63d1a5100f82	Unknown	Unknown
gomod/golang.org/x/oauth2	0.32.0	Unknown	Unknown
gomod/golang.org/x/sys	0.37.0	Unknown	Unknown
gomod/golang.org/x/text	0.30.0	Unknown	Unknown
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20251022142026-3a174f9686a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20251022142026-3a174f9686a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/grpc	1.77.0	🟢 8.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/protobuf	1.36.10	Unknown	Unknown

Scanned Files

• examples/go.mod

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 6 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

examples/go.mod

Name	Version	Vulnerability	Severity
golang.org/x/crypto	0.43.0	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	moderate
		golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	moderate

License Issues

examples/go.mod

Package	Version	License	Issue Type
golang.org/x/crypto	0.43.0	Null	Unknown License
golang.org/x/net	0.46.1-0.20251013234738-63d1a5100f82	Null	Unknown License
golang.org/x/oauth2	0.32.0	Null	Unknown License
golang.org/x/sys	0.37.0	Null	Unknown License
golang.org/x/text	0.30.0	Null	Unknown License
google.golang.org/protobuf	1.36.10	Null	Unknown License

Denied Licenses: GPL-2.0, AGPL-1.0, AGPL-1.0-or-later, AGPL-1.0-only, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, CNRI-Python-GPL-Compatible, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-GCC-exception, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-GCC-exception, GPL-3.0-with-autoconf-exception, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, NGPL

Excluded from license check: pkg:githubactions/SonarSource/sonarqube-scan-action

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/golang.org/x/crypto	0.43.0	Unknown	Unknown
gomod/connectrpc.com/connect	1.19.1	🟢 6.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 2 badge detected: InProgress Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/spf13/cobra	1.10.1	🟢 6.9	Details Check Score Reason Maintained 🟢 5 2 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 21/25 approved changesets -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/spf13/pflag	1.0.9	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 21 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/stretchr/testify	1.11.1	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/golang.org/x/net	0.46.1-0.20251013234738-63d1a5100f82	Unknown	Unknown
gomod/golang.org/x/oauth2	0.32.0	Unknown	Unknown
gomod/golang.org/x/sys	0.37.0	Unknown	Unknown
gomod/golang.org/x/text	0.30.0	Unknown	Unknown
gomod/google.golang.org/genproto/googleapis/api	0.0.0-20251022142026-3a174f9686a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/genproto/googleapis/rpc	0.0.0-20251022142026-3a174f9686a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/grpc	1.77.0	🟢 8.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/google.golang.org/protobuf	1.36.10	Unknown	Unknown

Scanned Files

• examples/go.mod

[github-actions]

X-Test Results

opentdfplatformN6AJYP.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformNEE8BJ.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformUWDBU3.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformK0M6S6.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatform0560OO.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformIN4LET.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
cukes-report
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatform2F8A6O.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformXSLV0Y.dockerbuild
✅ js-v0.4.34
cukes-report
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformPVO7BU.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformWJQOSL.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
cukes-report
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[github-actions]

X-Test Results

opentdfplatformMZ2OG4.dockerbuild
✅ java-v0.4.34
cukes-report
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[jakedoublev]

@dependabot recreate

[github-actions]

X-Test Results

opentdfplatformJSO91X.dockerbuild
✅ js-v0.4.34
cukes-report
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917

[jakedoublev]

@dependabot rebase

[jakedoublev]

@dependabot rebase

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	200.52428ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	112.89155ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	392.864698ms
Throughput	254.54 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	43.014964986s
Average Latency	428.248176ms
Throughput	116.24 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	29.614541707s
Average Latency	295.099208ms
Throughput	168.84 requests/second

[github-actions]

X-Test Results

opentdfplatform2H1F0J.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2917
✅ java-pull-2917
✅ go-pull-2917