chore(deps): bump the go-deps group across 1 directory with 5 updates

[dependabot]

Bumps the go-deps group with 5 updates in the / directory:

Package	From	To
github.com/anthropics/anthropic-sdk-go	1.36.0	1.38.0
github.com/getkin/kin-openapi	0.135.0	0.136.0
github.com/jackc/pgx/v5	5.9.1	5.9.2
github.com/rabbitmq/amqp091-go	1.10.0	1.11.0
modernc.org/sqlite	1.48.2	1.50.0

Updates github.com/anthropics/anthropic-sdk-go from 1.36.0 to 1.38.0

Release notes

Sourced from github.com/anthropics/anthropic-sdk-go's releases.

v1.38.0

1.38.0 (2026-04-23)

Full Changelog: v1.37.0...v1.38.0

Features

• add Type() method to API errors for error kind identification (#676) (0db1712)
• api: CMA Memory public beta (180e00c)
• structured outputs via Schema any with auto-parse (#759) (46073d8)

Bug Fixes

• api: fix errors in api spec (e47c178)
• api: restore missing features (0fc6fac)

Chores

• internal: more robust bootstrap script (5bde204)
• tests: bump steady to v0.22.1 (4578c15)

v1.37.0

1.37.0 (2026-04-16)

Full Changelog: v1.36.0...v1.37.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (6e758a9)

Changelog

Sourced from github.com/anthropics/anthropic-sdk-go's changelog.

1.38.0 (2026-04-23)

Full Changelog: v1.37.0...v1.38.0

Features

• add Type() method to API errors for error kind identification (#676) (0db1712)
• api: CMA Memory public beta (180e00c)
• structured outputs via Schema any with auto-parse (#759) (46073d8)

Bug Fixes

• api: fix errors in api spec (e47c178)
• api: restore missing features (0fc6fac)

Chores

• internal: more robust bootstrap script (5bde204)
• tests: bump steady to v0.22.1 (4578c15)

1.37.0 (2026-04-16)

Full Changelog: v1.36.0...v1.37.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (6e758a9)

Commits

• 468905d release: 1.38.0
• 2c6421c fix(api): fix errors in api spec
• 8dd22d4 fix(api): restore missing features
• 6b0457f feat(api): CMA Memory public beta
• b6c5ffb codegen metadata
• eb42d96 chore(internal): more robust bootstrap script
• eefb943 feat: structured outputs via Schema any with auto-parse (#759)
• f5879a2 chore(tests): bump steady to v0.22.1
• 4bef67d feat: add Type() method to API errors for error kind identification (#676)
• 0d114df codegen metadata
• Additional commits viewable in compare view

Updates github.com/getkin/kin-openapi from 0.135.0 to 0.136.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.136.0

What's Changed

• openapi3: stop injecting contentless default in NewResponses() by @​0-don in getkin/kin-openapi#1148
• openapi3: standardize Origin json tag to "-" across all types by @​reuvenharrison in getkin/kin-openapi#1149
• Update usage message in cmd/validate by @​fenollp in getkin/kin-openapi#1150
• openapi3: fix determinism when handling discriminator mappings by @​fenollp in getkin/kin-openapi#1151
• feat: bump Go to 1.26 by @​fenollp in getkin/kin-openapi#1152
• openapi3: use componentNames for deterministic visitings by @​fenollp in getkin/kin-openapi#1153
• feat: add OpenAPI 3.1 support by @​reuvenharrison in getkin/kin-openapi#1125
• openapi3: add JoinFunc for custom $ref path resolution by @​reuvenharrison in getkin/kin-openapi#1154
• Add many many tests from ApisGuruOpenapiDirectory by @​fenollp in getkin/kin-openapi#1155
• openapi3: remove map-iteration order leaks causing flaky tests by @​cloudnativeninja in getkin/kin-openapi#1158
• openapi2conv: nil-guard components lookup in FromV3SchemaRef by @​SAY-5 in getkin/kin-openapi#1156
• Address various lint errors by @​fenollp in getkin/kin-openapi#1157

New Contributors

• @​0-don made their first contribution in getkin/kin-openapi#1148
• @​cloudnativeninja made their first contribution in getkin/kin-openapi#1158
• @​SAY-5 made their first contribution in getkin/kin-openapi#1156

Full Changelog: getkin/kin-openapi@v0.135.0...v0.136.0

Commits

• ff4bce7 fix and upgrade goimports-reviser
• 028df2a refacto(tests): use t.Context instead of context.Background
• cc4f8d9 refacto: replace openapi3.*Ptr(..) funcs with new(..)
• df95b87 address various lint errors
• 3556929 openapi2conv: nil-guard components lookup in FromV3SchemaRef (#1156)
• 5a0a337 openapi3: remove map-iteration order leaks causing flaky tests (#1158)
• 3489553 openapi3: skip v3.1 load/validation flaky tests
• 3aa08cd openapi3: record v3.1 load/validation test failures
• 3179775 openapi3: enable testing for 3.1 documents
• 77e911a openapi3: record failures after rebasing on top of #1125
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Commits

• 0aeabbc Release v5.9.2
• 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
• a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
• e34e452 doc: Add godoc links
• 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
• 96b4dbd Remove unstable test
• acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
• 2f81f1f Update max_protocol_version and min_protocol_version defaults
• See full diff in compare view

Updates github.com/rabbitmq/amqp091-go from 1.10.0 to 1.11.0

Release notes

Sourced from github.com/rabbitmq/amqp091-go's releases.

v1.11.0

What's Changed

• add methods Temporary and Recoverable to amqp.Error by @​peczenyj in rabbitmq/amqp091-go#265
• Small fixes and refactors by @​peczenyj in rabbitmq/amqp091-go#266
• chore: doc typo by @​AndrewWinterman in rabbitmq/amqp091-go#269
• Add test that demonstrates the issue by @​lukebakken in rabbitmq/amqp091-go#274
• Fixing simple errors by @​korolev-d-l in rabbitmq/amqp091-go#280
• Expose delivery not initialised error by @​Zerpet in rabbitmq/amqp091-go#293
• fix: unify receiver methods to avoid conflicts between value and pointer types by @​Raisul191491 in rabbitmq/amqp091-go#292
• Add warning about concurrency with Channels by @​Zerpet in rabbitmq/amqp091-go#294
• Return existing error instead of creating new for the same purpose by @​pingvincible in rabbitmq/amqp091-go#295
• Investigate GH-296 by @​lukebakken in rabbitmq/amqp091-go#297
• Fix linter error after migrating config to v2 by @​Zerpet in rabbitmq/amqp091-go#306
• feat: add MIME types constants for content types by @​YlanzinhoY in rabbitmq/amqp091-go#308
• Fix parseHeaderFrame to consume entire frame payload by @​lukebakken in rabbitmq/amqp091-go#314
• fix: typos in comments and tests by @​alexandear in rabbitmq/amqp091-go#312
• docs: update link to RabbitMQ tutorials by @​alexandear in rabbitmq/amqp091-go#313
• fix: modernize lint issues by @​alexandear in rabbitmq/amqp091-go#315
• Use RabbitMQ 4 in Makefile by @​Zerpet in rabbitmq/amqp091-go#319
• Add support for unsigned type values by @​Zerpet in rabbitmq/amqp091-go#317
• Fix incomplete routing diagram in QueueBind doc comment by @​Copilot in rabbitmq/amqp091-go#320
• refactor: simplify with atomic types by @​alexandear in rabbitmq/amqp091-go#318
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in rabbitmq/amqp091-go#321
• Bump the github-actions group with 4 updates by @​dependabot[bot] in rabbitmq/amqp091-go#326
• Eliminate race condition in Connection.Close() and related methods by @​Zerpet in rabbitmq/amqp091-go#328
• fix: respect context cancellation on publishing with context operations by @​NawafSwe in rabbitmq/amqp091-go#330

New Contributors

• @​peczenyj made their first contribution in rabbitmq/amqp091-go#265
• @​AndrewWinterman made their first contribution in rabbitmq/amqp091-go#269
• @​korolev-d-l made their first contribution in rabbitmq/amqp091-go#280
• @​Raisul191491 made their first contribution in rabbitmq/amqp091-go#292
• @​pingvincible made their first contribution in rabbitmq/amqp091-go#295
• @​YlanzinhoY made their first contribution in rabbitmq/amqp091-go#308
• @​alexandear made their first contribution in rabbitmq/amqp091-go#312
• @​Copilot made their first contribution in rabbitmq/amqp091-go#320
• @​NawafSwe made their first contribution in rabbitmq/amqp091-go#330

Full Changelog: rabbitmq/amqp091-go@v1.10.0...v1.11.0

Changelog

Sourced from github.com/rabbitmq/amqp091-go's changelog.

v1.11.0 (2026-04-21)

Full Changelog

Implemented enhancements:

• add better debug information on DialConfig #245

Fixed bugs:

• Channel error when acking via go-routines #296

Closed issues:

• PR #318 exposes a pre-existing race in Connection.Close(). #327
• Entire header frame isn't always read #309
• Incomplete support of 0-9-1 field type values #302
• Redelivered Flag Not Exposed #301
• consume input basicConsumeOk but response queueBindOk #291
• Channel is closed after Channel.ExchangeDeclarePassive fails #290
• Incomplete example in (*Channel).QueueBind documentation #279
• QueueDeclarePassive does not report queue type mismatch #273
• Release 1.10.0 #261
• Update minimum Go version to 1.18 #146

Merged pull requests:

• fix: respect context cancellation on publishing with context operations #330 (NawafSwe)
• Eliminate race condition in Connection.Close() and related methods #328 (Zerpet)
• Bump the github-actions group with 4 updates #326 (dependabot[bot])
• Bump github/codeql-action from 3 to 4 #321 (dependabot[bot])
• Fix incomplete routing diagram in QueueBind doc comment #320 (Copilot)
• Use RabbitMQ 4 in Makefile #319 (Zerpet)
• refactor: simplify with atomic types #318 (alexandear)
• Add support for unsigned type values #317 (Zerpet)
• fix: modernize lint issues #315 (alexandear)
• Fix parseHeaderFrame to consume entire frame payload #314 (lukebakken)
• docs: update link to RabbitMQ tutorials #313 (alexandear)
• fix: typos in comments and tests #312 (alexandear)
• feat: add MIME types constants for content types #308 (YlanzinhoY)
• Fix linter error after migrating config to v2 #306 (Zerpet)
• Investigate GH-296 #297 (lukebakken)
• Return existing error instead of creating new for the same purpose #295 (pingvincible)
• Add warning about concurrency with Channels #294 (Zerpet)
• Expose delivery not initialised error #293 (Zerpet)
• fix: unify receiver methods to avoid conflicts between value and pointer types #292 (Raisul191491)
• Fixing simple errors #280 (korolev-d-l)
• Add test that demonstrates the issue #274 (lukebakken)
• chore: doc typo #269 (AndrewWinterman)
• Small fixes and refactors #266 (peczenyj)

... (truncated)

Commits

• 5fdceeb Version 1.11.0
• a426238 Merge pull request #330 from NawafSwe/chore-329/publish-with-context-fix
• 6d3ec4f chore: follow gate-keeper approach for context management in publish
• 301e296 chore: respect context cancellation in PublishWithDeferredConfirmWithContext ...
• dbf5f69 chore: respect context cancellation in PublishWithContext function
• 9665ac6 Merge pull request #328 from rabbitmq/fix-race-condition
• 86058c1 go fmt
• e6b63d7 Add a concurrent connection closure test #328
• b5b3c52 Connection: briefly explain the purpose of each sync.Once
• 5f7f528 fix: eliminate race condition in Connection.Close() and related methods
• Additional commits viewable in compare view

Updates modernc.org/sqlite from 1.48.2 to 1.50.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-04-24 v1.50.0:

  • Upgrade to sqlite-vec v0.1.9.
  • Introduce ColumnInfo, enabling dynamic query builders and ORMs to retrieve underlying SQLite C-API metadata (OriginName, TableName, DatabaseName, and DeclType).
  • This feature is exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), avoiding custom statement handles and keeping the standard library workflow intact.
  • See [GitLab merge request #113](https://gitlab.com/cznic/sqlite/-/merge_requests/113), thanks Josh Bleecher Snyder!

• 2026-04-17 v1.49.0: Upgrade to SQLite 3.53.0.

  • Added -DSQLITE_ENABLE_DBPAGE_VTAB to the transpilation. See "The SQLITE_DBPAGE Virtual Table" for details.

• 2026-04-06 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!
  • Fix checkptr instrumentation failures during go test -race when registering and using virtual tables (vtab).
  • Allocate sqlite3_module instances using the C allocator (libc.Xcalloc) instead of the Go heap. This ensures transpiled C code can safely perform pointer operations on the struct without tripping Go's pointer checks.
  • See [GitLab merge request #103](https://gitlab.com/cznic/sqlite/-/merge_requests/103), thanks Josh Bleecher Snyder!
  • Fix data race on mutex.id in the mutexTry non-recursive path.
  • Ensure consistent atomic writes (atomic.StoreInt32) to prevent data races with atomic loads in mutexHeld and mutexNotheld during concurrent execution.
  • See [GitLab merge request #104](https://gitlab.com/cznic/sqlite/-/merge_requests/104), thanks Josh Bleecher Snyder!
  • Fix resource leak in (*Backup).Commit where the destination connection was not closed on error.
  • Ensure dstConn is properly closed when sqlite3_backup_finish fails, preventing file descriptor, TLS, and memory leaks.
  • See [GitLab merge request #105](https://gitlab.com/cznic/sqlite/-/merge_requests/105), thanks Josh Bleecher Snyder!
  • Fix Exec to fully drain rows when encountering SQLITE_ROW, preventing silent data loss in DML statements.
  • Previously, Exec aborted after the first row, meaning INSERT, UPDATE, or DELETE statements with a RETURNING clause would fail to process subsequent rows. The execution path now correctly loops until SQLITE_DONE and properly respects context cancellations during the drain loop, fully aligning with native C sqlite3_exec semantics.
  • See [GitLab merge request #106](https://gitlab.com/cznic/sqlite/-/merge_requests/106), thanks Josh Bleecher Snyder!
  • Fix "Shadowed err value (stmt.go)".
  • See [GitLab issue #249](https://gitlab.com/cznic/sqlite/-/work_items/249), thanks Emrecan BATI!
  • Fix silent omission of virtual table savepoint callbacks by correctly setting the sqlite3_module version.
  • See [GitLab merge request #107](https://gitlab.com/cznic/sqlite/-/merge_requests/107), thanks Josh Bleecher Snyder!
  • Fix vfsRead to properly handle partial and fragmented reads from io.Reader.
  • Replace f.Read with io.ReadFull to ensure the buffer is fully populated, preventing premature SQLITE_IOERR_SHORT_READ errors on valid mid-stream partial reads. Unread tail bytes at EOF are now efficiently zero-filled using the built-in clear function.
  • See [GitLab merge request #108](https://gitlab.com/cznic/sqlite/-/merge_requests/108), thanks Josh Bleecher Snyder!
  • Refactor internal error formatting to safely handle uninitialized or closed database pointers.
  • Prevent a misleading "out of memory" error message when an operation fails and the underlying SQLite database handle is NULL (db == 0).
  • See [GitLab merge request #109](https://gitlab.com/cznic/sqlite/-/merge_requests/109), thanks Josh Bleecher Snyder!
  • Fix error handling in database backup and restore initialization (sqlite3_backup_init).
  • Ensure error codes and messages are accurately read from the destination database handle rather than hardcoding the source or remote handle. This prevents swallowed errors or mismatched "not an error" messages when a backup or restore operation fails to start.
  • See [GitLab merge request #111](https://gitlab.com/cznic/sqlite/-/merge_requests/111), thanks Josh Bleecher Snyder!

... (truncated)

Commits

• e220cc9 CHANGELOG.md: add !113
• a58d5e5 Merge branch 'columns' into 'master'
• 119d8b1 add ColumnInfo, for inspecting query columns
• c353a4f upgrade to sqlite-vec v0.1.9
• fe575e4 doc.go: update SQLite version
• 3ccb9ca upgrade to SQLite 3.53.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions