deps(gomod): bump the patch-and-minor group with 8 updates

[dependabot]

Bumps the patch-and-minor group with 8 updates:

Package	From	To
github.com/go-chi/chi/v5	5.2.5	5.3.0
github.com/go-telegram/bot	1.20.0	1.21.0
modernc.org/sqlite	1.50.1	1.51.0
github.com/ncruces/go-sqlite3	0.34.2	0.34.3
github.com/ncruces/go-sqlite3-wasm/v2	2.4.35301	2.5.35301
github.com/rogpeppe/go-internal	1.14.1	1.15.0
github.com/tetratelabs/wazero	1.11.0	1.12.0
modernc.org/libc	1.72.3	1.72.5

Updates github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Updates github.com/go-telegram/bot from 1.20.0 to 1.21.0

Release notes

Sourced from github.com/go-telegram/bot's releases.

v1.21.0

Support Bot API 9.6 & 10.0, multipart fixes — closes #279 #280, fixes #273 #274 #271 #277 (#281)

Changelog

Sourced from github.com/go-telegram/bot's changelog.

v1.21.0 (2026-05-22)

• Support Bot API 9.6 & 10.0, multipart fixes — closes #279 #280, fixes #273 #274 #271 #277 (#281)

Commits

• 007aa4b changelog
• 7867c29 feat: Support Bot API 9.6 & 10.0, multipart fixes — closes #279 #280, fixes #...
• See full diff in compare view

Updates modernc.org/sqlite from 1.50.1 to 1.51.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-05-28 v1.52.0:

  • Add Backup.Remaining and Backup.PageCount, thin wrappers around the existing sqlite3_backup_remaining and sqlite3_backup_pagecount C symbols. Together they expose the per-Step progress counters that the underlying backup object already maintains, enabling progress reporting during online backups without dropping to modernc.org/sqlite/lib directly.
  • See [GitLab merge request #122](https://gitlab.com/cznic/sqlite/-/merge_requests/122), thanks Ian Chechin!

• 2026-05-28 v1.51.0:

  • Pool the []driver.Value slice passed to scalar/aggregate UDF callbacks and to vtab Filter/Insert/Update callbacks, eliminating the dominant per-row allocation on UDF-heavy queries. Benchmarks on a 1000-row, 3-arg noop scalar UDF show ~40% fewer bytes/op and ~15% fewer allocs/op.
  • Document the matching "arguments are not valid past return" contract on vtab.Cursor.Filter and vtab.Updater.Insert/Update, consistent with the existing rule for FunctionImpl.Scalar / AggregateFunction.Step / WindowInverse.
  • Resolves [GitLab issue #226](https://gitlab.com/cznic/sqlite/-/issues/226). See [GitLab merge request #114](https://gitlab.com/cznic/sqlite/-/merge_requests/114), thanks Ian Chechin!
  • Add FileControl.FileControlDataVersion, a wrapper around SQLITE_FCNTL_DATA_VERSION for observing pager-cache data-version changes, including those made on the same connection. Useful as a primitive for application-level cache invalidation.
  • Exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), consistent with the existing FileControlPersistWAL.
  • See [GitLab merge request #115](https://gitlab.com/cznic/sqlite/-/merge_requests/115), thanks Ian Chechin!
  • Fix a regression where in-memory connections (:memory:, file::memory:, shared-cache memory URIs) were discarded by database/sql after a context-cancelled query, taking the entire in-memory store with them. The fix for #198 had added an sqlite3_is_interrupted check to the connection validator that mistakenly applied to in-memory connections too, re-introducing the bug originally fixed by !74. File-backed connections keep the existing behaviour and are still discarded after an interrupt.
  • Resolves [GitLab issue #196](https://gitlab.com/cznic/sqlite/-/issues/196). See [GitLab merge request #116](https://gitlab.com/cznic/sqlite/-/merge_requests/116), thanks Ian Chechin!
  • Add an opt-in FunctionImpl.VolatileArgs flag that hands TEXT and BLOB arguments to scalar and aggregate UDF callbacks as zero-copy views (unsafe.String/unsafe.Slice) over SQLite's own value buffers, eliminating the per-argument libc.GoString/make([]byte) copy that the #226 slice-pooling left as the remaining per-row allocation. On the same 1000-row, 3-arg (INTEGER/TEXT/BLOB) noop scalar UDF this removes a further ~35% of allocs/op and ~11% of bytes/op on top of #226.
  • The views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. With VolatileArgs unset (the default) arguments keep the existing copied, caller-owned semantics, so the flag is fully backward compatible; it has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #120](https://gitlab.com/cznic/sqlite/-/merge_requests/120), thanks Ian Chechin!
  • Extend the opt-in VolatileArgs zero-copy TEXT/BLOB argument access from #120 to the virtual-table Cursor.Filter (xFilter) and Updater.Insert/Update (xUpdate) callbacks. A vtab.Module opts in by implementing the new optional vtab.VolatileArgsOpter interface (VolatileArgs() bool); the flag is read once at module registration and shared by every table created from it. On a vtab call carrying one TEXT and one BLOB argument this removes 2 allocs/op (one libc.GoString, one make([]byte)) on each of the Filter and Update paths.
  • The same safety contract as #120 applies: the views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. Modules that do not implement VolatileArgsOpter (the default for all existing modules) are byte-for-byte unchanged, and the flag has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #121](https://gitlab.com/cznic/sqlite/-/merge_requests/121), thanks Ian Chechin!

• 2026-05-10 v1.50.1:

  • Upgrade to SQLite 3.53.1.

• 2026-04-24 v1.50.0:

  • Upgrade to sqlite-vec v0.1.9.
  • Introduce ColumnInfo, enabling dynamic query builders and ORMs to retrieve underlying SQLite C-API metadata (OriginName, TableName, DatabaseName, and DeclType).
  • This feature is exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), avoiding custom statement handles and keeping the standard library workflow intact.
  • See [GitLab merge request #113](https://gitlab.com/cznic/sqlite/-/merge_requests/113), thanks Josh Bleecher Snyder!

• 2026-04-17 v1.49.0: Upgrade to SQLite 3.53.0.

  • Added -DSQLITE_ENABLE_DBPAGE_VTAB to the transpilation. See "The SQLITE_DBPAGE Virtual Table" for details.

• 2026-04-06 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!
  • Fix checkptr instrumentation failures during go test -race when registering and using virtual tables (vtab).
  • Allocate sqlite3_module instances using the C allocator (libc.Xcalloc) instead of the Go heap. This ensures transpiled C code can safely perform pointer operations on the struct without tripping Go's pointer checks.

... (truncated)

Commits

• a5f439b CHANGELOG.md: fix release tag
• 41e77be CHANGELOG.md: document #121
• 827df98 gofmt -l -s -w vtab/*.go
• 0d384cb Merge branch 'feat/vtab-volatile-args-opt-in' into 'master'
• 06e06d5 extend VolatileArgs opt-in to vtab Filter and Updater Insert/Update
• 2486abd HACKING.md, CLAUDE.md: this repo is not auto-tagged, tagging is manual
• d808a8f CHANGELOG.md: document #120
• fac1cab Merge branch 'feat/volatile-args-opt-in' into 'master'
• 569614c address review: empty-BLOB shape parity + re-entrancy note
• 905960c add FunctionImpl.VolatileArgs opt-in for zero-copy TEXT/BLOB args
• Additional commits viewable in compare view

Updates github.com/ncruces/go-sqlite3 from 0.34.2 to 0.34.3

Release notes

Sourced from github.com/ncruces/go-sqlite3's releases.

v0.34.3

What's Changed

Fix a code generation bug: ncruces/wasm2go#31

Improved support for Go 1.27: golang/go#67546

Full Changelog: ncruces/go-sqlite3@v0.34.2...v0.34.3

Artifact attestations

Commits

• b7dd234 Deps.
• c5396f1 Reflect.
• 89efb65 Driver scanning API (#377)
• a2be335 Typo.
• See full diff in compare view

Updates github.com/ncruces/go-sqlite3-wasm/v2 from 2.4.35301 to 2.5.35301

Commits

• 8e12e24 Regen
• fbc9cbe Add build_cli.sh to build a native sqlite3 CLI with same opts as Wasm (#5)
• See full diff in compare view

Updates github.com/rogpeppe/go-internal from 1.14.1 to 1.15.0

Release notes

Sourced from github.com/rogpeppe/go-internal's releases.

v1.15.0

What's Changed

• hash: do not salt with Go runtime version by @​rogpeppe in rogpeppe/go-internal#292
• testscript: reset verbose on new blocks by @​myitcv in rogpeppe/go-internal#293
• testscript: rewind last block if it was not in error by @​myitcv in rogpeppe/go-internal#294
• testscript: protect against no-op uses of cmp by @​mvdan in rogpeppe/go-internal#295
• goproxytest: add Setup by @​rogpeppe in rogpeppe/go-internal#303
• update Go, fix, add /@latest to goproxytest by @​mvdan in rogpeppe/go-internal#302
• internal/vcs: remove SYSTEMROOT workaround for Windows by @​mvdan in rogpeppe/go-internal#299
• goproxytest: add overlay capability by @​rogpeppe in rogpeppe/go-internal#304

Full Changelog: rogpeppe/go-internal@v1.14.1...v1.15.0

Commits

• 8b1dcd4 goproxytest: make .mod and .info files optional
• 02e5dd4 goproxytest: add overlay capability (#304)
• 3030644 internal/vcs: remove SYSTEMROOT workaround for Windows
• a4c00dc goproxytest: handle /@​latest endpoint
• 19311e8 all: go fix ./...
• 74d1312 test on Go 1.25 and 1.26
• aa1b1e2 goproxytest: add Setup (#303)
• 5223eff testscript: protect against no-op uses of cmp
• ee70938 testscript: rewind last block if it was not in error
• a4ecbfb testscript: add a non-failing block to the end of logging tests
• Additional commits viewable in compare view

Updates github.com/tetratelabs/wazero from 1.11.0 to 1.12.0

Release notes

Sourced from github.com/tetratelabs/wazero's releases.

v1.12.0

Hi wazero friends! The new release of wazero v1.12.0 has arrived.

This release advances us a few more steps towards Wasm 3.0! See wazero/wazero#2426 for where we currently stand.

Behavioral changes

• 929e4000 Extended Constant Expressions (#2468) @​mpoindexter
• bfb20e0b Exception handling (#2489) @​evacchi
• 2c14bbff Typed references (#2497) @​evacchi
• 8ee25086, a877b1b4 non-blocking IO on custom files (#2476, #2479) @​paralin

Bug fixes

• 2bbd517b Fix fd_prestat_get integer overflow on 32-bit platforms (#2491) @​hanxi
• 0bcb5f2a Ensure i32 operations are masked (#2488) @​evacchi
• dafe2caa Fix error when attempting to invoke a start function imported from a host module (#2475) @​mpoindexter
• f7cf1693 Fix error when importing functions which were re-exported (#2463) @​mpoindexter
• aa7ebad5 Don't use compiler when executable mmap is disabled (#2471) @​anuraaga

Commits

• 2ab480b Remove SQLite (#2502)
• 2c14bbf feat: typed function references spec (#2497)
• 475a1f8 fix: compilation cache should store catch clause table (EH) (#2498)
• a3374cf refactor: wasm.ValueType as type definition + widening (uint64) (#2495)
• 8755611 arm64: fix relocation bug when number of args > 8 (#2492)
• e6dd6c0 Update golang.org/x/sys (#2493)
• 2bbd517 Fix fd_prestat_get integer overflow on 32-bit platforms (#2491)
• bfb20e0 feat: exception handling spec (#2489)
• 5cb4bb3 Revert "Added f4 to community/users.md" (#2490)
• 1dc02f0 Added f4 to community/users.md (#2485)
• Additional commits viewable in compare view

Updates modernc.org/libc from 1.72.3 to 1.72.5

Commits

• 862b2a9 builder.json += freebsd/{386,arm}, updates sqlite!119
• 243b968 Merge branch 'freebsd' into 'master'
• a058ba0 libc_freebsd.go: make 32-bit FreeBSD arches (386, arm) compile
• 1ead916 modernc.org/libc: ppc64le auto generate
• 0c653b7 modernc.org/libc: s390x auto generate
• d5055d0 modernc.org/libc: e5-1650 auto generate
• f91c822 fix build
• cc37c0c modernc.org/libc: riscv64 auto generate
• 1f61b03 modernc.org/libc: pi32 auto generate
• 77946ef modernc.org/libc: pi64 auto generate
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions