chore(deps): bump the minor-and-patch group across 1 directory with 9 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates in the / directory:

Package	From	To
github.com/goccy/go-json	0.10.5	0.10.6
github.com/itchyny/gojq	0.12.18	0.12.19
github.com/jlaffaye/ftp	0.2.0	0.2.1
github.com/mattn/go-isatty	0.0.20	0.0.22
github.com/modelcontextprotocol/go-sdk	1.3.1	1.6.1
github.com/xuri/excelize/v2	2.10.0	2.10.1
golang.org/x/crypto	0.48.0	0.52.0

Updates github.com/goccy/go-json from 0.10.5 to 0.10.6

Release notes

Sourced from github.com/goccy/go-json's releases.

0.10.6

What's Changed

• fix: panic on embedded struct with recursive by @​NgoKimPhu in goccy/go-json#483

New Contributors

• @​NgoKimPhu made their first contribution in goccy/go-json#483

Full Changelog: goccy/go-json@v0.10.5...v0.10.6

Commits

• e4877d5 fix: panic on embedded struct with recursive (#483)
• See full diff in compare view

Updates github.com/itchyny/gojq from 0.12.18 to 0.12.19

Release notes

Sourced from github.com/itchyny/gojq's releases.

Release v0.12.19

• fix gsub and sub when the replacement emits multiple values
• fix fmax, fmin, modf functions against NaN and infinities
• fix join/1 to use add/0 implementation and handle null separator
• fix del and delpaths on null to emit null
• fix arithmetic operations on the minimum integer
• fix significand function against subnormal numbers
• fix handling of -- in cli flag parsing for jq compatibility
• fix flatten/1 to emit error when the depth is NaN
• fix array slice update to validate index types
• fix string repetition boundary check to match jq behavior
• implement splits/2 using match/2 for better jq compatibility
• implement to_entries and from_entries in jq for simplicity
• improve performance of regexp functions by caching compiled regexps

Changelog

Sourced from github.com/itchyny/gojq's changelog.

v0.12.19 (2026-04-01)

• fix gsub and sub when the replacement emits multiple values
• fix fmax, fmin, modf functions against NaN and infinities
• fix join/1 to use add/0 implementation and handle null separator
• fix del and delpaths on null to emit null
• fix arithmetic operations on the minimum integer
• fix significand function against subnormal numbers
• fix handling of -- in cli flag parsing for jq compatibility
• fix flatten/1 to emit error when the depth is NaN
• fix array slice update to validate index types
• fix string repetition boundary check to match jq behavior
• implement splits/2 using match/2 for better jq compatibility
• implement to_entries and from_entries in jq for simplicity
• improve performance of regexp functions by caching compiled regexps

Commits

• b7ebffb bump up version to 0.12.19
• b02c97b update CHANGELOG.md for v0.12.19
• d7ca9b5 implement to_entries and from_entries in jq for simplicity
• bac8b0b update dependencies
• 183cbec bump up Docker actions
• 40707cf fix repeated argument type any
• b5ece86 fix handling of -- in cli flag parsing for jq compatibility
• cca2307 re-generate the parser.go file
• ca5066d fix gsub and sub when the replacement emits multiple values
• 0878958 improve performance of regexp functions by caching compiled regexps (fix #230)
• Additional commits viewable in compare view

Updates github.com/jlaffaye/ftp from 0.2.0 to 0.2.1

Release notes

Sourced from github.com/jlaffaye/ftp's releases.

v0.2.1

What's Changed

• Fix PASV address like lftp does by @​tgulacsi in jlaffaye/ftp#349
• New date formats for non standard dates returned by LIST by @​esperlu in jlaffaye/ftp#354

• Fix panic when EPSV line was malformed (jlaffaye/ftp#451)

Full Changelog: jlaffaye/ftp@v0.2.0...v0.2.1

Commits

• 0e45063 Fix panic for malformed EPSV response
• e8f8204 Update to Go version 1.26
• 4fbcfbd Replace go-multierror by errors.Join
• e4cd862 Bump actions/checkout from 4.2.2 to 6.0.3 (#458)
• cbfcccb Bump golangci/golangci-lint-action from 8.0.0 to 9.2.1 (#456)
• 6602e98 Bump golangci/golangci-lint-action from 6.1.1 to 8.0.0 (#439)
• a711163 chore: update Go version for unit tests
• 7367ab9 Bump jandelgado/gcov2lcov-action from 1.1.1 to 1.2.0 (#442)
• 7c20eb5 Bump actions/setup-go from 5.4.0 to 6.0.0 (#447)
• 3d06854 Bump actions/cache from 4.2.3 to 4.3.0 (#449)
• Additional commits viewable in compare view

Updates github.com/mattn/go-isatty from 0.0.20 to 0.0.22

Commits

• 9a68506 Fix isCygwinPipeName to accept Windows 7 trailing suffix (#90)
• 4237fb1 Update Go test matrix to current versions (1.24-1.26)
• 433c12b Update GitHub Actions to latest versions
• 1cf5589 Add wasip1 and wasip2 to build constraints in isatty_others.go
• 1237245 Update dependencies: go 1.15 -> 1.21, golang.org/x/sys v0.6.0 -> v0.28.0
• ac9c88d Fix typo in comment: undocomented -> undocumented
• 8b7124e Add availability check for NtQueryObject in init
• 08d0313 Fix isCygwinPipeName to reject names with extra trailing tokens
• See full diff in compare view

Updates github.com/modelcontextprotocol/go-sdk from 1.3.1 to 1.6.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.1

This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.

Behavior Changes

Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it. This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests. See #957.

What's Changed

• mcp: add MCPGPDEBUG for opt-in Content-Type check by @​guglielmo-san in modelcontextprotocol/go-sdk#972

Full Changelog: modelcontextprotocol/go-sdk@v1.6.0...v1.6.1

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

• extauth: add ClientCredentialsHandler for OAuth client credentials grant by @​ravyg in modelcontextprotocol/go-sdk#895

2026-06-30 Release related PRs

• feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

  New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

• feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

  By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

• mcp: remove default cross origin protection by @​maciej-kisiel in modelcontextprotocol/go-sdk#906

... (truncated)

Commits

• d454bba mcp: add MCPGPDEBUG for opt-in Content-Type check (#972)
• f5f2015 MCPGODEBUG update for 1.6.0 (#893)
• e01639a feat: HTTP Header Standardization for method and name (#907)
• 93a41b2 internal/jsonrpc2: remove unused code (#910)
• 446beae mcp: Upgrade jsonschema-go (#912)
• 2e21834 extauth: add ClientCredentialsHandler for OAuth client credentials grant (#895)
• 2643b22 feat: add automatic application_type inference (#904)
• db50910 mcp: do not re-prompt OAuth after cancelled Authorize (#885)
• 5f2cd8f mcp: preserve transport errors in Write error chain (#888)
• 0edc597 Update README.md (#896)
• Additional commits viewable in compare view

Updates github.com/xuri/excelize/v2 from 2.10.0 to 2.10.1

Release notes

Sourced from github.com/xuri/excelize/v2's releases.

v2.10.1

We are pleased to announce the release of version 2.10.1. Featured are a handful of new areas of functionality and numerous bug fixes.

A summary of changes is available in the Release Notes. A full list of changes is available in the changelog.

Release Notes

The most notable changes in this release are:

Breaking Change

Removed three exported error variables: ErrStreamSetColStyle, ErrStreamSetColWidth, and ErrStreamSetPanes.

Notable Features

• Added the ChartDataPoint data type
• Added the DataPoint field to ChartSeries
• Added the DropLines and HighLowLines fields to ChartAxis
• Added the Name field to GraphicOptions
• Added two constants: MaxGraphicAltTextLength and MaxGraphicNameLength
• Added 7 exported error variables: ErrFillType, ErrFillGradientColor, ErrFillGradientShading, ErrFillPatternColor, ErrFillPattern, ErrMaxGraphicAltTextLength and ErrMaxGraphicNameLength
• Added the exported function GetHyperLinkCells to retrieve hyperlink cells, related issue #1607
• Added the exported function GetSheetProtection to retrieve sheet protection settings
• The AddComment function now returns an error when adding a comment to a cell that already has one
• Added support for inserting ICO images, related issue #2234
• The CalcCellValue function now supports two formula functions: SORTBY and UNIQUE
• The AddChart and AddChartSheet functions now support setting data point colors for doughnut, pie, and 3D pie charts, related issue #1904
• The AddChart function now supports configuring font families for East Asian and complex-script fonts
• The AddChart function now supports drop lines and high-low lines for area and line charts
• The GetPictures function can now return partial formatting properties, related issue #2157
• Added the SetColVisible function to the streaming writer to set column visibility, related issue #2075
• Added the SetColOutlineLevel function to the streaming writer to group columns, related issue #2212
• The AddShape and AddSlicer functions now support one-cell anchor positioning for shapes and slicers
• The GetSlicers function now supports retrieving slicers with one-cell anchor positioning
• The SetConditionalFormat, GetConditionalFormats, and UnsetConditionalFormat functions now support the 3 triangles, 3 stars, and 5 boxes icon set conditional formats, related issue #2038
• The UnsetConditionalFormat function now supports deleting a conditional format rule or data validation for a specific cell within a cell range
• The AddPicture and AddPictureFromBytes functions now support setting the picture name
• The AddChart and AddShape functions now support setting names and alternative text for charts and shapes
• The AddSlicer function now supports setting alternative text for slicers
• Added validation for graphic names and alternative text length; returns an error when the length exceeds the limit
• Added UTF-16-aware length checking and truncation

Improve the Compatibility

• Removed empty rows on save, reducing the generated workbook file size

Bug Fixes

• Fixed a v2.10.0 regression where the GetCellValue and GetRows functions returned shared string indexes for empty strings, resolve issue #2240
• Fixed GetPivotTables panicking when retrieving pivot tables in some cases

... (truncated)

Commits

• 5ad5ab3 Update GitHub Actions workflow configuration, test on Go 1.26.x (#2262)
• 52dd99a This closes #2259, add value check for prevent using invalid fill type when c...
• 4917cff This closes #2254, fixx duplicate style creation when using default font or f...
• 38eb7c1 Trim single quotes from sheet names to fix calculation engine resolve referen...
• 2dcfb60 This closes #2240, fix GetCellValue returning shared string index for empty s...
• f5f68f8 Ref #1607, introduce new functions GetHyperLinkCells and GetSheetProtection
• 6ad51b2 Support set drop lines and high-low lines for area and line charts (#2250)
• 37b730a Apply font family settings for east asian and complex script fonts (#2249)
• 7b57409 Support delete conditional format rule or data validation by specific cell fr...
• 8b325dc Fix DeleteDataValidation with unordered sqref ranges (#2248)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.48.0 to 0.52.0

Commits

• a1c0d99 go.mod: update golang.org/x dependencies
• 3c7c869 ssh: fix deadlock on unexpected channel responses
• 533fb3f ssh: fix source-address critical option bypass
• abbc44d ssh: fix incorrect operator order
• e052873 ssh: fix infinite loop on large channel writes due to integer overflow
• b61cf85 ssh: enforce user presence verification for security keys
• 9c2cd33 ssh: enforce strict limits on DSA key parameters
• 8907318 ssh: reject RSA keys with excessively large moduli
• ffd87b4 ssh: fix panic when authority callbacks are nil
• 4e7a738 ssh: fix deadlock on unexpected global responses
• Additional commits viewable in compare view

Updates golang.org/x/sys from 0.41.0 to 0.45.0

Commits

• 397d5f8 unix: update to Linux kernel 7.0
• 0a387f7 cpu: detect zbc extension on riscv64
• 758f71c cpu: add LLACQ_SCREL, SCQ, DBAR_HINTS detection for loong64
• 99666ae unix: merge Linux readv/writev implementation with Darwin/OpenBSD
• e4444cb windows: add NtSetEaFile, NtQueryEaFile and NtQueryInformationFile
• 04396e8 unix: add Readv, Writev, Preadv, Pwritev for OpenBSD
• fb1facd windows: avoid uint16 overflow in NewNTUnicodeString
• 94ad893 windows: add GetIfTable2Ex, GetIpInterface{Entry,Table}, GetUnicastIpAddressT...
• 54fe89f cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows
• df7d5d7 unix: automatically remove container created by mkall.sh
• Additional commits viewable in compare view

Updates golang.org/x/text from 0.34.0 to 0.37.0

Commits

• 3ef517e go.mod: update golang.org/x dependencies
• 8577a70 go.mod: update golang.org/x dependencies
• 7ca2c6d go.mod: update golang.org/x dependencies
• 73d1ba9 all: upgrade go directive to at least 1.25.0 [generated]
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions