build(deps): bump the production-dependencies group across 1 directory with 6 updates #361

dependabot · 2026-02-09T13:20:40Z

Bumps the production-dependencies group with 5 updates in the / directory:

Package	From	To
cuelang.org/go	`0.15.3`	`0.15.4`
github.com/golang-jwt/jwt/v5	`5.3.0`	`5.3.1`
github.com/klauspost/compress	`1.18.3`	`1.18.4`
go.opentelemetry.io/otel	`1.39.0`	`1.40.0`
golang.org/x/oauth2	`0.34.0`	`0.35.0`

Updates cuelang.org/go from 0.15.3 to 0.15.4

Updates github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.3.1

What's Changed

🔐 Features

Add spellcheck Github action to catch common spelling mistakes by @equalsgibson in golang-jwt/jwt#458

Add WithNotBeforeRequired parser option and add test coverage by @equalsgibson in golang-jwt/jwt#456

Update godoc example func to properly refer to NewWithClaims() by @equalsgibson in golang-jwt/jwt#459

Update github workflows by @mfridman in golang-jwt/jwt#462

Additional test for CustomClaims that validates unmarshalling behaviour by @equalsgibson in golang-jwt/jwt#457

Fix early file close in jwt cli by @mfridman in golang-jwt/jwt#472

Add TPM signature reference by @salrashid123 in golang-jwt/jwt#473

Remove misleading ParserOptions documentation in golang-jwt/jwt#484

Save signature to Token struct after successful signing by @EgorSheff in golang-jwt/jwt#417

Set token.Signature in ParseUnverified by @slickwilli in golang-jwt/jwt#414

👒 Dependencies

Bump crate-ci/typos from 1.34.0 to 1.35.3 by @dependabot[bot] in golang-jwt/jwt#461

Bump crate-ci/typos from 1.35.4 to 1.36.2 by @dependabot[bot] in golang-jwt/jwt#470

Bump github/codeql-action from 3 to 4 by @dependabot[bot] in golang-jwt/jwt#478

Bump crate-ci/typos from 1.36.2 to 1.39.0 by @dependabot[bot] in golang-jwt/jwt#480

Bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in golang-jwt/jwt#481

Bump actions/setup-go from 5 to 6 by @dependabot[bot] in golang-jwt/jwt#469

Bump crate-ci/typos from 1.39.0 to 1.40.0 by @dependabot[bot] in golang-jwt/jwt#488

Bump actions/checkout from 5 to 6 by @dependabot[bot] in golang-jwt/jwt#487

Bump crate-ci/typos from 1.40.0 to 1.41.0 by @dependabot[bot] in golang-jwt/jwt#490

Bump crate-ci/typos from 1.41.0 to 1.42.1 by @dependabot[bot] in golang-jwt/jwt#492

New Contributors

@equalsgibson made their first contribution in golang-jwt/jwt#458

@salrashid123 made their first contribution in golang-jwt/jwt#473

@EgorSheff made their first contribution in golang-jwt/jwt#417

@slickwilli made their first contribution in golang-jwt/jwt#414

Full Changelog: golang-jwt/jwt@v5.3.0...v5.3.1

Commits

7ceae61 Add release.yml for changelog configuration
dce8e4d Set token.Signature in ParseUnverified (#414)
8889e20 Save signature to Token struct after successful signing (#417)
d237f82 ci: update github-actions schedule interval to monthly
d8dce95 Bump crate-ci/typos from 1.41.0 to 1.42.1 (#492)
e931803 Bump crate-ci/typos from 1.40.0 to 1.41.0 (#490)
e6a0afa Bump actions/checkout from 5 to 6 (#487)
9f85c9e Bump crate-ci/typos from 1.39.0 to 1.40.0 (#488)
60a8669 Bump actions/setup-go from 5 to 6 (#469)
76f5828 Remove misleading ParserOptions documentation (#484)
Additional commits viewable in compare view

Updates github.com/klauspost/compress from 1.18.3 to 1.18.4

Release notes

Sourced from github.com/klauspost/compress's releases.

v1.18.4

What's Changed

gzhttp: Add zstandard to server handler wrapper by @klauspost in klauspost/compress#1121

zstd: Add ResetWithOptions to encoder/decoder by @klauspost in klauspost/compress#1122

gzhttp: preserve qvalue when extra parameters follow in Accept-Encoding by @analytically in klauspost/compress#1116

New Contributors

@analytically made their first contribution in klauspost/compress#1116

@ethaizone made their first contribution in klauspost/compress#1124

@zwass made their first contribution in klauspost/compress#1125

Full Changelog: klauspost/compress@v1.18.2...v1.18.4

Commits

c03560f zstd: Add ResetWithOptions to encoder/decoder (#1122)
0874ab8 build(deps): bump the github-actions group with 3 updates (#1126)
4a36836 doc: Clarify documentation in readme (#1125)
4309644 zstd: document concurrency option handling in encoder (#1124)
c262ec6 Update README.md
861ca97 Downstream CVE-2025-61728 (#1123)
03de960 gzhttp: Add zstandard to server handler wrapper (#1121)
bb1ab3b build(deps): bump the github-actions group with 2 updates (#1120)
986a51e fix(gzhttp): preserve qvalue when extra parameters follow in Accept-Encoding ...
fbe3b12 build(deps): bump the github-actions group with 3 updates (#1118)
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel from 1.39.0 to 1.40.0

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)

Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)

Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)

Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)

Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)

Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)

Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)

Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)

Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)

The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)

Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)

Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)

Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

Deprecated

Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#7670)

Commits

a3a5317 Release v1.40.0 (#7859)
77785da chore(deps): update github/codeql-action action to v4.32.1 (#7858)
56fa1c2 chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 (#7857)
298cbed Upgrade semconv use to v1.39.0 (#7854)
3264bf1 refactor: modernize code (#7850)
fd5d030 chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
8d3b4cb chore(deps): update actions/cache action to v5.0.3 (#7847)
91f7cad chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (#7845)
fdad1eb chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
c46d3ba chore(deps): update golang.org/x/telemetry digest to fcf36f6 (#7843)
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/trace from 1.39.0 to 1.40.0

Changelog

Sourced from go.opentelemetry.io/otel/trace's changelog.

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)

Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)

Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)

Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)

Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)

Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)

Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)

Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)

Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)

The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)

Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)

Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)

Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

Deprecated

Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#7670)

Commits

a3a5317 Release v1.40.0 (#7859)
77785da chore(deps): update github/codeql-action action to v4.32.1 (#7858)
56fa1c2 chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 (#7857)
298cbed Upgrade semconv use to v1.39.0 (#7854)
3264bf1 refactor: modernize code (#7850)
fd5d030 chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
8d3b4cb chore(deps): update actions/cache action to v5.0.3 (#7847)
91f7cad chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (#7845)
fdad1eb chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
c46d3ba chore(deps): update golang.org/x/telemetry digest to fcf36f6 (#7843)
Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.34.0 to 0.35.0

Commits

89ff2e1 google: add safer credentials JSON loading options.
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…y with 6 updates Bumps the production-dependencies group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | cuelang.org/go | `0.15.3` | `0.15.4` | | [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | `5.3.0` | `5.3.1` | | [github.com/klauspost/compress](https://github.com/klauspost/compress) | `1.18.3` | `1.18.4` | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.39.0` | `1.40.0` | | [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.34.0` | `0.35.0` | Updates `cuelang.org/go` from 0.15.3 to 0.15.4 Updates `github.com/golang-jwt/jwt/v5` from 5.3.0 to 5.3.1 - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Commits](golang-jwt/jwt@v5.3.0...v5.3.1) Updates `github.com/klauspost/compress` from 1.18.3 to 1.18.4 - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](klauspost/compress@v1.18.3...v1.18.4) Updates `go.opentelemetry.io/otel` from 1.39.0 to 1.40.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.40.0) Updates `go.opentelemetry.io/otel/trace` from 1.39.0 to 1.40.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.40.0) Updates `golang.org/x/oauth2` from 0.34.0 to 0.35.0 - [Commits](golang/oauth2@v0.34.0...v0.35.0) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-version: 0.15.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: github.com/golang-jwt/jwt/v5 dependency-version: 5.3.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: github.com/klauspost/compress dependency-version: 1.18.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: go.opentelemetry.io/otel dependency-version: 1.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: production-dependencies - dependency-name: go.opentelemetry.io/otel/trace dependency-version: 1.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: production-dependencies - dependency-name: golang.org/x/oauth2 dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: production-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Feb 9, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the production-dependencies group across 1 directory with 6 updates #361

build(deps): bump the production-dependencies group across 1 directory with 6 updates #361

Uh oh!

dependabot bot commented on behalf of github Feb 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

build(deps): bump the production-dependencies group across 1 directory with 6 updates #361

Are you sure you want to change the base?

build(deps): bump the production-dependencies group across 1 directory with 6 updates #361

Uh oh!

Conversation

dependabot bot commented on behalf of github Feb 9, 2026

v5.3.1

What's Changed

🔐 Features

👒 Dependencies

New Contributors

v1.18.4

What's Changed

New Contributors

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

Changed

Fixed

Deprecated

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

Changed

Fixed

Deprecated

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants