chore(deps): bump the go-dependencies group with 2 updates

[dependabot]

Bumps the go-dependencies group with 2 updates: github.com/getkin/kin-openapi and modernc.org/sqlite.

Updates github.com/getkin/kin-openapi from 0.135.0 to 0.139.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.139.0

What's Changed

• feat(openapi3): batch-convert long-tail RequiredFieldError sites by @​reuvenharrison in getkin/kin-openapi#1170
• feat(openapi3): typed validation error clusters (combined: #1171-#1179) by @​reuvenharrison in getkin/kin-openapi#1180
• openapi3gen: skip component export for anonymous types by @​0-don in getkin/kin-openapi#1163
• feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by @​reuvenharrison in getkin/kin-openapi#1181
• openapi3: typed context errors for Validate() wrapper chain by @​reuvenharrison in getkin/kin-openapi#1183
• openapi3: track Origin on the document root (T) by @​reuvenharrison in getkin/kin-openapi#1184
• openapi3: tests flakiness corrected by @​fenollp in getkin/kin-openapi#1159
• openapi3: aggregate independent validation errors via EnableMultiError by @​reuvenharrison in getkin/kin-openapi#1185
• openapi3: fix validation of duplicated path templates by @​reuvenharrison in getkin/kin-openapi#1189
• openapi3: type the remaining bare-error validation sites by @​reuvenharrison in getkin/kin-openapi#1187

Full Changelog: getkin/kin-openapi@v0.138.0...v0.139.0

v0.138.0

What's Changed

• openapi3gen: clear nullable on exported component bodies by @​0-don in getkin/kin-openapi#1164
• openapi3: add test for issue #927 (nullable not respected on $ref schemas) by @​fenollp in getkin/kin-openapi#1165
• test: move public-API tests to external _test packages by @​fenollp in getkin/kin-openapi#1168
• feat(openapi3): add per-type validation errors with cluster wrappers by @​reuvenharrison in getkin/kin-openapi#1166
• feat(openapi3conv): canonicalization pass for 3.0 -> 3.x by @​reuvenharrison in getkin/kin-openapi#1162
• openapi3conv: test Upgrade on many documents by @​fenollp in getkin/kin-openapi#1169

Full Changelog: getkin/kin-openapi@v0.137.0...v0.138.0

v0.137.0

What's Changed

• revert to go 1.25 and revert cc4f8d99 by @​fenollp in getkin/kin-openapi#1161

Full Changelog: getkin/kin-openapi@v0.136.0...v0.137.0

v0.136.0

What's Changed

• openapi3: stop injecting contentless default in NewResponses() by @​0-don in getkin/kin-openapi#1148
• openapi3: standardize Origin json tag to "-" across all types by @​reuvenharrison in getkin/kin-openapi#1149
• Update usage message in cmd/validate by @​fenollp in getkin/kin-openapi#1150
• openapi3: fix determinism when handling discriminator mappings by @​fenollp in getkin/kin-openapi#1151
• feat: bump Go to 1.26 by @​fenollp in getkin/kin-openapi#1152
• openapi3: use componentNames for deterministic visitings by @​fenollp in getkin/kin-openapi#1153
• feat: add OpenAPI 3.1 support by @​reuvenharrison in getkin/kin-openapi#1125
• openapi3: add JoinFunc for custom $ref path resolution by @​reuvenharrison in getkin/kin-openapi#1154
• Add many many tests from ApisGuruOpenapiDirectory by @​fenollp in getkin/kin-openapi#1155
• openapi3: remove map-iteration order leaks causing flaky tests by @​cloudnativeninja in getkin/kin-openapi#1158
• openapi2conv: nil-guard components lookup in FromV3SchemaRef by @​SAY-5 in getkin/kin-openapi#1156
• Address various lint errors by @​fenollp in getkin/kin-openapi#1157

... (truncated)

Commits

• 8381bfc openapi3: type the remaining bare-error validation sites (#1187)
• d29b5c0 openapi3: fix validation of duplicated path templates (#1189)
• e56c2c7 openapi3: aggregate independent validation errors via EnableMultiError (#1185)
• 7ea1ac8 openapi3: tests flakiness corrected (#1159)
• dc70f84 openapi3: track Origin on the document root (T) (#1184)
• 69492df openapi3: typed context errors for Validate() wrapper chain (#1183)
• 0a89925 un-patch YAML serialization of dates (see issue #697)
• 55a4c72 openapi3: re-enable tests disabled due to YAML dates in map keys
• c61836c ci: fixup lint after modifications to marsh.go
• 7633481 feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTim...
• Additional commits viewable in compare view

Updates modernc.org/sqlite from 1.50.1 to 1.51.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-05-28 v1.52.0:

  • Add Backup.Remaining and Backup.PageCount, thin wrappers around the existing sqlite3_backup_remaining and sqlite3_backup_pagecount C symbols. Together they expose the per-Step progress counters that the underlying backup object already maintains, enabling progress reporting during online backups without dropping to modernc.org/sqlite/lib directly.
  • See [GitLab merge request #122](https://gitlab.com/cznic/sqlite/-/merge_requests/122), thanks Ian Chechin!
  • Drop the redundant second copy in (*conn).columnText, the path that backs every Rows.Scan into a Go string for a TEXT column. The value's bytes are still copied once out of SQLite-owned memory into a fresh Go buffer; that buffer is then reinterpreted as the result string with unsafe.String rather than copied a second time by the implicit string([]byte) conversion. This removes one allocation per TEXT value per row and roughly halves the bytes allocated on that path; on the new BenchmarkColumnTextScan cases it is ~13–20% faster for payloads of 256 B and larger, with no measurable change for very short strings. Purely internal: no API or behavioral change, and the returned string never aliases SQLite's buffer.
  • See [GitLab merge request #123](https://gitlab.com/cznic/sqlite/-/merge_requests/123), thanks Ian Chechin!

• 2026-05-28 v1.51.0:

  • Pool the []driver.Value slice passed to scalar/aggregate UDF callbacks and to vtab Filter/Insert/Update callbacks, eliminating the dominant per-row allocation on UDF-heavy queries. Benchmarks on a 1000-row, 3-arg noop scalar UDF show ~40% fewer bytes/op and ~15% fewer allocs/op.
  • Document the matching "arguments are not valid past return" contract on vtab.Cursor.Filter and vtab.Updater.Insert/Update, consistent with the existing rule for FunctionImpl.Scalar / AggregateFunction.Step / WindowInverse.
  • Resolves [GitLab issue #226](https://gitlab.com/cznic/sqlite/-/issues/226). See [GitLab merge request #114](https://gitlab.com/cznic/sqlite/-/merge_requests/114), thanks Ian Chechin!
  • Add FileControl.FileControlDataVersion, a wrapper around SQLITE_FCNTL_DATA_VERSION for observing pager-cache data-version changes, including those made on the same connection. Useful as a primitive for application-level cache invalidation.
  • Exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), consistent with the existing FileControlPersistWAL.
  • See [GitLab merge request #115](https://gitlab.com/cznic/sqlite/-/merge_requests/115), thanks Ian Chechin!
  • Fix a regression where in-memory connections (:memory:, file::memory:, shared-cache memory URIs) were discarded by database/sql after a context-cancelled query, taking the entire in-memory store with them. The fix for #198 had added an sqlite3_is_interrupted check to the connection validator that mistakenly applied to in-memory connections too, re-introducing the bug originally fixed by !74. File-backed connections keep the existing behaviour and are still discarded after an interrupt.
  • Resolves [GitLab issue #196](https://gitlab.com/cznic/sqlite/-/issues/196). See [GitLab merge request #116](https://gitlab.com/cznic/sqlite/-/merge_requests/116), thanks Ian Chechin!
  • Add an opt-in FunctionImpl.VolatileArgs flag that hands TEXT and BLOB arguments to scalar and aggregate UDF callbacks as zero-copy views (unsafe.String/unsafe.Slice) over SQLite's own value buffers, eliminating the per-argument libc.GoString/make([]byte) copy that the #226 slice-pooling left as the remaining per-row allocation. On the same 1000-row, 3-arg (INTEGER/TEXT/BLOB) noop scalar UDF this removes a further ~35% of allocs/op and ~11% of bytes/op on top of #226.
  • The views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. With VolatileArgs unset (the default) arguments keep the existing copied, caller-owned semantics, so the flag is fully backward compatible; it has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #120](https://gitlab.com/cznic/sqlite/-/merge_requests/120), thanks Ian Chechin!
  • Extend the opt-in VolatileArgs zero-copy TEXT/BLOB argument access from #120 to the virtual-table Cursor.Filter (xFilter) and Updater.Insert/Update (xUpdate) callbacks. A vtab.Module opts in by implementing the new optional vtab.VolatileArgsOpter interface (VolatileArgs() bool); the flag is read once at module registration and shared by every table created from it. On a vtab call carrying one TEXT and one BLOB argument this removes 2 allocs/op (one libc.GoString, one make([]byte)) on each of the Filter and Update paths.
  • The same safety contract as #120 applies: the views are valid only for the duration of the callback and must not be retained past return or across rows; a callback that needs to keep a value must copy it. Modules that do not implement VolatileArgsOpter (the default for all existing modules) are byte-for-byte unchanged, and the flag has no effect on integer, float, time, or NULL arguments.
  • See [GitLab merge request #121](https://gitlab.com/cznic/sqlite/-/merge_requests/121), thanks Ian Chechin!

• 2026-05-10 v1.50.1:

  • Upgrade to SQLite 3.53.1.

• 2026-04-24 v1.50.0:

  • Upgrade to sqlite-vec v0.1.9.
  • Introduce ColumnInfo, enabling dynamic query builders and ORMs to retrieve underlying SQLite C-API metadata (OriginName, TableName, DatabaseName, and DeclType).
  • This feature is exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), avoiding custom statement handles and keeping the standard library workflow intact.
  • See [GitLab merge request #113](https://gitlab.com/cznic/sqlite/-/merge_requests/113), thanks Josh Bleecher Snyder!

• 2026-04-17 v1.49.0: Upgrade to SQLite 3.53.0.

  • Added -DSQLITE_ENABLE_DBPAGE_VTAB to the transpilation. See "The SQLITE_DBPAGE Virtual Table" for details.

• 2026-04-06 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!

... (truncated)

Commits

• a5f439b CHANGELOG.md: fix release tag
• 41e77be CHANGELOG.md: document #121
• 827df98 gofmt -l -s -w vtab/*.go
• 0d384cb Merge branch 'feat/vtab-volatile-args-opt-in' into 'master'
• 06e06d5 extend VolatileArgs opt-in to vtab Filter and Updater Insert/Update
• 2486abd HACKING.md, CLAUDE.md: this repo is not auto-tagged, tagging is manual
• d808a8f CHANGELOG.md: document #120
• fac1cab Merge branch 'feat/volatile-args-opt-in' into 'master'
• 569614c address review: empty-BLOB shape parity + re-entrancy note
• 905960c add FunctionImpl.VolatileArgs opt-in for zero-copy TEXT/BLOB args
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[claude]

Claude finished @koinsaari's task in 1m 15s —— View job

---

PR Review

• Read REVIEW.md for review instructions
• Read CLAUDE.md for project context
• Analyze PR changes
• Post review findings
• Set commit status (requires additional permissions — gh api not approved)

---

No blocking issues. This is a routine dependency bump touching only go.mod and go.sum.

modernc.org/sqlite 1.50.1 → 1.51.0

• Performance: []driver.Value slices used in UDF/vtab callbacks are now pooled (~40% fewer bytes/op, ~15% fewer allocs/op on UDF-heavy queries).
• Bug fix: in-memory connections (:memory:, file::memory:) were incorrectly discarded by database/sql after a context-cancelled query, taking the entire in-memory store with them. This regression from the fix for issue #198 is resolved in v1.51.0.
• New opt-in FunctionImpl.VolatileArgs flag for zero-copy TEXT/BLOB argument access in UDF callbacks — no API change for existing callers.

github.com/getkin/kin-openapi 0.135.0 → 0.139.0

• Moves from the direct require block to // indirect, consistent with it being a transitive dependency of oapi-codegen rather than directly imported by this module.
• Adds typed/aggregated validation errors, OpenAPI 3.1 support, and fixes determinism in discriminator mapping and path template validation.
• Pulls in new transitive deps: github.com/santhosh-tekuri/jsonschema/v6 v6.0.2, updated github.com/oasdiff/yaml (0.0.9 → 0.1.0) and github.com/oasdiff/yaml3 (0.0.9 → 0.0.13), and github.com/dlclark/regexp2 v1.11.0. All are legitimate upstream dependencies of kin-openapi's new JSON Schema and YAML features.

No source code changes. No logic, auth, or SQL query concerns to evaluate.

[koinsaari]

LGTM

[claude]

Claude finished @koinsaari's task in 59s —— View job

---

PR Review

• Read REVIEW.md for review instructions
• Read CLAUDE.md for project context
• Analyze PR changes
• Post review findings
• Set commit status (requires additional permissions — gh api not approved)

---

No blocking issues. This is a routine dependency bump touching only go.mod and go.sum — no source code changes.

modernc.org/sqlite 1.50.1 → 1.51.0

• Performance: []driver.Value slices in UDF/vtab callbacks are now pooled (~40% fewer bytes/op, ~15% fewer allocs/op on UDF-heavy queries).
• Bug fix: in-memory connections (:memory:, file::memory:) were incorrectly discarded by database/sql after a context-cancelled query. This regression (from the fix for issue #198) is resolved.
• New opt-in FunctionImpl.VolatileArgs flag for zero-copy TEXT/BLOB argument access — fully backward compatible, no change for existing callers.

github.com/getkin/kin-openapi 0.135.0 → 0.139.0

• Moves from the direct require block to // indirect, correctly reflecting that it is a transitive dependency of oapi-codegen rather than directly imported.
• New transitive deps pulled in: github.com/santhosh-tekuri/jsonschema/v6 v6.0.2, github.com/dlclark/regexp2 v1.11.0, updated oasdiff/yaml (0.0.9 → 0.1.0) and oasdiff/yaml3 (0.0.9 → 0.0.13). All are legitimate upstream dependencies of kin-openapi's new JSON Schema / YAML features.

REVIEW.md checklist:

• No JWT keyfuncs modified — not applicable
• No SQL queries modified — not applicable
• No new API routes — not applicable
• No internal/auth → internal/clients/jellyfin import cycle risk — no source changes