[chore] update go dependencies (#4304)

- github.com/KimMachineGun/automemlimit v0.7.2 => v0.7.3 - github.com/gin-contrib/cors v1.7.5 => v1.7.6 - github.com/minio/minio-go/v7 v7.0.92 => v7.0.94 - github.com/spf13/cast v1.8.0 => v1.9.2 - github.com/uptrace/bun{,/*} v1.2.11 => v1.2.14 - golang.org/x/image v0.27.0 => v0.28.0 - golang.org/x/net v0.40.0 => v0.41.0 - code.superseriousbusiness.org/go-swagger v0.31.0-gts-go1.23-fix => v0.32.3-gts-go1.23-fix Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4304 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com>
author: kim <grufwub@gmail.com> 2025-06-30 15:19:09 +0200
committer: kim <gruf@noreply.codeberg.org> 2025-06-30 15:19:09 +0200
commit: 8b0ea560279a5bf4479555d3924c763ddeecfcad (patch)
tree: 005e26d4a658e565594fb259cc17948659195822 /vendor/github.com/gin-contrib
parent: [chore] bumps ncruces/go-sqlite3 v0.26.1 => v0.26.3 (#4302) (diff)
download: gotosocial-8b0ea560279a5bf4479555d3924c763ddeecfcad.tar.xz
6 files changed, 258 insertions, 57 deletions
diff --git a/vendor/github.com/gin-contrib/cors/README.md b/vendor/github.com/gin-contrib/cors/README.md
index d43523295..a8747dd6a 100644
--- a/vendor/github.com/gin-contrib/cors/README.md
+++ b/vendor/github.com/gin-contrib/cors/README.md
@@ -1,47 +1,89 @@
-# CORS gin's middleware
+# gin-contrib/cors
 
 [![Run Tests](https://github.com/gin-contrib/cors/actions/workflows/go.yml/badge.svg)](https://github.com/gin-contrib/cors/actions/workflows/go.yml)
 [![codecov](https://codecov.io/gh/gin-contrib/cors/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/cors)
 [![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/cors)](https://goreportcard.com/report/github.com/gin-contrib/cors)
 [![GoDoc](https://godoc.org/github.com/gin-contrib/cors?status.svg)](https://godoc.org/github.com/gin-contrib/cors)
 
-Gin middleware/handler to enable CORS support.
+- [gin-contrib/cors](#gin-contribcors)
+  - [Overview](#overview)
+  - [Installation](#installation)
+  - [Quick Start](#quick-start)
+  - [Advanced Usage](#advanced-usage)
+    - [Custom Configuration](#custom-configuration)
+    - [DefaultConfig Reference](#defaultconfig-reference)
+    - [Default() Convenience](#default-convenience)
+  - [Configuration Reference](#configuration-reference)
+    - [Notes on Configuration](#notes-on-configuration)
+    - [Examples](#examples)
+      - [Advanced Options](#advanced-options)
+      - [Custom Origin Validation](#custom-origin-validation)
+      - [With Gin Context](#with-gin-context)
+  - [Helper Methods](#helper-methods)
+  - [Validation \& Error Handling](#validation--error-handling)
+  - [Important Notes](#important-notes)
 
-## Usage
+---
 
-### Start using it
+## Overview
 
-Download and install it:
+**CORS (Cross-Origin Resource Sharing)** middleware for [Gin](https://github.com/gin-gonic/gin).
+
+- Enables flexible CORS handling for your Gin-based APIs.
+- Highly configurable: origins, methods, headers, credentials, and more.
+
+---
+
+## Installation
 
 ```sh
 go get github.com/gin-contrib/cors
 ```
 
-Import it in your code:
+Import in your Go code:
 
 ```go
 import "github.com/gin-contrib/cors"
 ```
 
-### Canonical example
+---
+
+## Quick Start
+
+Allow all origins (default):
 
 ```go
-package main
+import (
+  "github.com/gin-contrib/cors"
+  "github.com/gin-gonic/gin"
+)
+
+func main() {
+  router := gin.Default()
+  router.Use(cors.Default()) // All origins allowed by default
+  router.Run()
+}
+```
+
+> ⚠️ **Warning:** Allowing all origins disables cookies for clients. For credentialed requests, **do not** allow all origins.
+
+---
+
+## Advanced Usage
 
+### Custom Configuration
+
+Configure allowed origins, methods, headers, and more:
+
+```go
 import (
   "time"
-
   "github.com/gin-contrib/cors"
   "github.com/gin-gonic/gin"
 )
 
 func main() {
   router := gin.Default()
-  // CORS for https://foo.com and https://github.com origins, allowing:
-  // - PUT and PATCH methods
-  // - Origin header
-  // - Credentials share
-  // - Preflight requests cached for 12 hours
   router.Use(cors.New(cors.Config{
     AllowOrigins:     []string{"https://foo.com"},
     AllowMethods:     []string{"PUT", "PATCH"},
@@ -57,15 +99,20 @@ func main() {
 }
 ```
 
-### Using DefaultConfig as start point
+---
+
+### DefaultConfig Reference
+
+Start with library defaults and customize as needed:
 
 ```go
+import (
+  "github.com/gin-contrib/cors"
+  "github.com/gin-gonic/gin"
+)
+
 func main() {
   router := gin.Default()
-  // - No origin allowed by default
-  // - GET,POST, PUT, HEAD methods
-  // - Credentials share disabled
-  // - Preflight requests cached for 12 hours
   config := cors.DefaultConfig()
   config.AllowOrigins = []string{"http://google.com"}
   // config.AllowOrigins = []string{"http://google.com", "http://facebook.com"}
@@ -76,20 +123,124 @@ func main() {
 }
 ```
 
-Note: while Default() allows all origins, DefaultConfig() does not and you will still have to use AllowAllOrigins.
+> **Note:** `Default()` allows all origins, but `DefaultConfig()` does **not**. To allow all origins, set `AllowAllOrigins = true`.
+
+---
+
+### Default() Convenience
 
-### Default() allows all origins
+Enable all origins with a single call:
 
 ```go
-func main() {
-  router := gin.Default()
-  // same as
-  // config := cors.DefaultConfig()
-  // config.AllowAllOrigins = true
-  // router.Use(cors.New(config))
-  router.Use(cors.Default())
-  router.Run()
+router.Use(cors.Default()) // Equivalent to AllowAllOrigins = true
+```
+
+---
+
+## Configuration Reference
+
+The middleware is controlled via the `cors.Config` struct. All fields are optional unless otherwise stated.
+
+| Field                         | Type                        | Default                                                   | Description                                                                                   |
+|-------------------------------|-----------------------------|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------|
+| `AllowAllOrigins`             | `bool`                      | `false`                                                   | If true, allows all origins. Credentials **cannot** be used.                                  |
+| `AllowOrigins`                | `[]string`                  | `[]`                                                      | List of allowed origins. Supports exact match, `*`, and wildcards.                            |
+| `AllowOriginFunc`             | `func(string) bool`         | `nil`                                                     | Custom function to validate origin. If set, `AllowOrigins` is ignored.                        |
+| `AllowOriginWithContextFunc`  | `func(*gin.Context,string)bool` | `nil`                                               | Like `AllowOriginFunc`, but with request context.                                             |
+| `AllowMethods`                | `[]string`                  | `[]string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}` | Allowed HTTP methods.                                   |
+| `AllowPrivateNetwork`         | `bool`                      | `false`                                                   | Adds [Private Network Access](https://wicg.github.io/private-network-access/) CORS header.    |
+| `AllowHeaders`                | `[]string`                  | `[]`                                                      | List of non-simple headers permitted in requests.                                             |
+| `AllowCredentials`            | `bool`                      | `false`                                                   | Allow cookies, HTTP auth, or client certs. Only if precise origins are used.                  |
+| `ExposeHeaders`               | `[]string`                  | `[]`                                                      | Headers exposed to the browser.                                                               |
+| `MaxAge`                      | `time.Duration`             | `12 * time.Hour`                                          | Cache time for preflight requests.                                                            |
+| `AllowWildcard`               | `bool`                      | `false`                                                   | Enables wildcards in origins (e.g. `https://*.example.com`).                                  |
+| `AllowBrowserExtensions`      | `bool`                      | `false`                                                   | Allow browser extension schemes as origins (e.g. `chrome-extension://`).                      |
+| `CustomSchemas`               | `[]string`                  | `nil`                                                     | Additional allowed URI schemes (e.g. `tauri://`).                                             |
+| `AllowWebSockets`             | `bool`                      | `false`                                                   | Allow `ws://` and `wss://` schemas.                                                           |
+| `AllowFiles`                  | `bool`                      | `false`                                                   | Allow `file://` origins (dangerous; use only if necessary).                                   |
+| `OptionsResponseStatusCode`   | `int`                       | `204`                                                     | Custom status code for `OPTIONS` responses.                                                   |
+
+---
+
+### Notes on Configuration
+
+- Only one of `AllowAllOrigins`, `AllowOrigins`, `AllowOriginFunc`, or `AllowOriginWithContextFunc` should be set.
+- If `AllowAllOrigins` is true, other origin settings are ignored and credentialed requests are not allowed.
+- If `AllowWildcard` is enabled, only one `*` is allowed per origin string.
+- Use `AllowBrowserExtensions`, `AllowWebSockets`, or `AllowFiles` to permit non-HTTP(s) protocols as origins.
+- Custom schemas allow, for example, usage in desktop apps via custom URI schemes (`tauri://`, etc.).
+- If both `AllowOriginFunc` and `AllowOriginWithContextFunc` are set, the context-specific function is preferred.
+
+---
+
+### Examples
+
+#### Advanced Options
+
+```go
+config := cors.Config{
+  AllowOrigins:           []string{"https://*.foo.com", "https://bar.com"},
+  AllowWildcard:          true,
+  AllowMethods:           []string{"GET", "POST"},
+  AllowHeaders:           []string{"Authorization", "Content-Type"},
+  AllowCredentials:       true,
+  AllowBrowserExtensions: true,
+  AllowWebSockets:        true,
+  AllowFiles:             false,
+  CustomSchemas:          []string{"tauri://"},
+  MaxAge:                 24 * time.Hour,
+  ExposeHeaders:          []string{"X-Custom-Header"},
+  AllowPrivateNetwork:    true,
+}
+```
+
+#### Custom Origin Validation
+
+```go
+config := cors.Config{
+  AllowOriginFunc: func(origin string) bool {
+    // Allow any github.com subdomain or a custom rule
+    return strings.HasSuffix(origin, "github.com")
+  },
 }
 ```
 
-Using all origins disables the ability for Gin to set cookies for clients. When dealing with credentials, don't allow all origins.
+#### With Gin Context
+
+```go
+config := cors.Config{
+  AllowOriginWithContextFunc: func(c *gin.Context, origin string) bool {
+    // Allow only if a certain header is present
+    return c.Request.Header.Get("X-Allow-CORS") == "yes"
+  },
+}
+```
+
+---
+
+## Helper Methods
+
+Dynamically add methods or headers to the config:
+
+```go
+config.AddAllowMethods("DELETE", "OPTIONS")
+config.AddAllowHeaders("X-My-Header")
+config.AddExposeHeaders("X-Other-Header")
+```
+
+---
+
+## Validation & Error Handling
+
+- Calling `Validate()` on a `Config` checks for misconfiguration (called internally).
+- If `AllowAllOrigins` is set, you cannot also set `AllowOrigins` or any `AllowOriginFunc`.
+- If neither `AllowAllOrigins`, `AllowOriginFunc`, nor `AllowOrigins` is set, an error is raised.
+- If an `AllowOrigin` contains a wildcard but `AllowWildcard` is not enabled, or more than one `*` is present, a panic is triggered.
+- Invalid origin schemas or unsupported wildcards are rejected.
+
+---
+
+## Important Notes
+
+- **Enabling all origins disables cookies:** When `AllowAllOrigins` is enabled, Gin cannot set cookies for clients. If you need credential sharing (cookies, authentication headers), **do not** allow all origins.
+- For detailed documentation and configuration options, see the [GoDoc](https://godoc.org/github.com/gin-contrib/cors).
diff --git a/vendor/github.com/gin-contrib/cors/config.go b/vendor/github.com/gin-contrib/cors/config.go
index a955c3171..76e15a880 100644
--- a/vendor/github.com/gin-contrib/cors/config.go
+++ b/vendor/github.com/gin-contrib/cors/config.go
@@ -87,7 +87,7 @@ func (cors *cors) applyCors(c *gin.Context) {
 		return
 	}
 
-	if c.Request.Method == "OPTIONS" {
+	if c.Request.Method == http.MethodOptions {
 		cors.handlePreflight(c)
 		defer c.AbortWithStatus(cors.optionsResponseStatusCode)
 	} else {
diff --git a/vendor/github.com/gin-contrib/sse/.golangci.yml b/vendor/github.com/gin-contrib/sse/.golangci.yml
index 4c44c5fae..47094ac61 100644
--- a/vendor/github.com/gin-contrib/sse/.golangci.yml
+++ b/vendor/github.com/gin-contrib/sse/.golangci.yml
@@ -1,3 +1,50 @@
+version: "2"
 linters:
-  disable:
+  default: none
+  enable:
+    - bodyclose
+    - dogsled
+    - dupl
     - errcheck
+    - exhaustive
+    - gochecknoinits
+    - goconst
+    - gocritic
+    - gocyclo
+    - goprintffuncname
+    - gosec
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - noctx
+    - nolintlint
+    - rowserrcheck
+    - staticcheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/github.com/gin-contrib/sse/sse-decoder.go b/vendor/github.com/gin-contrib/sse/sse-decoder.go
index fd49b9c37..da2c2d4b6 100644
--- a/vendor/github.com/gin-contrib/sse/sse-decoder.go
+++ b/vendor/github.com/gin-contrib/sse/sse-decoder.go
@@ -7,7 +7,6 @@ package sse
 import (
 	"bytes"
 	"io"
-	"io/ioutil"
 )
 
 type decoder struct {
@@ -22,7 +21,8 @@ func Decode(r io.Reader) ([]Event, error) {
 func (d *decoder) dispatchEvent(event Event, data string) {
 	dataLength := len(data)
 	if dataLength > 0 {
-		//If the data buffer's last character is a U+000A LINE FEED (LF) character, then remove the last character from the data buffer.
+		// If the data buffer's last character is a U+000A LINE FEED (LF) character,
+		// then remove the last character from the data buffer.
 		data = data[:dataLength-1]
 		dataLength--
 	}
@@ -37,13 +37,13 @@ func (d *decoder) dispatchEvent(event Event, data string) {
 }
 
 func (d *decoder) decode(r io.Reader) ([]Event, error) {
-	buf, err := ioutil.ReadAll(r)
+	buf, err := io.ReadAll(r)
 	if err != nil {
 		return nil, err
 	}
 
 	var currentEvent Event
-	var dataBuffer *bytes.Buffer = new(bytes.Buffer)
+	dataBuffer := new(bytes.Buffer)
 	// TODO (and unit tests)
 	// Lines must be separated by either a U+000D CARRIAGE RETURN U+000A LINE FEED (CRLF) character pair,
 	// a single U+000A LINE FEED (LF) character,
@@ -96,7 +96,8 @@ func (d *decoder) decode(r io.Reader) ([]Event, error) {
 			currentEvent.Id = string(value)
 		case "retry":
 			// If the field value consists of only characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9),
-			// then interpret the field value as an integer in base ten, and set the event stream's reconnection time to that integer.
+			// then interpret the field value as an integer in base ten, and set the event stream's
+			// reconnection time to that integer.
 			// Otherwise, ignore the field.
 			currentEvent.Id = string(value)
 		case "data":
@@ -105,7 +106,7 @@ func (d *decoder) decode(r io.Reader) ([]Event, error) {
 			// then append a single U+000A LINE FEED (LF) character to the data buffer.
 			dataBuffer.WriteString("\n")
 		default:
-			//Otherwise. The field is ignored.
+			// Otherwise. The field is ignored.
 			continue
 		}
 	}
diff --git a/vendor/github.com/gin-contrib/sse/sse-encoder.go b/vendor/github.com/gin-contrib/sse/sse-encoder.go
index 0d26c82f0..9ebb49f41 100644
--- a/vendor/github.com/gin-contrib/sse/sse-encoder.go
+++ b/vendor/github.com/gin-contrib/sse/sse-encoder.go
@@ -20,8 +20,10 @@ import (
 
 const ContentType = "text/event-stream;charset=utf-8"
 
-var contentType = []string{ContentType}
-var noCache = []string{"no-cache"}
+var (
+	contentType = []string{ContentType}
+	noCache     = []string{"no-cache"}
+)
 
 var fieldReplacer = strings.NewReplacer(
 	"\n", "\\n",
@@ -48,48 +50,48 @@ func Encode(writer io.Writer, event Event) error {
 
 func writeId(w stringWriter, id string) {
 	if len(id) > 0 {
-		w.WriteString("id:")
-		fieldReplacer.WriteString(w, id)
-		w.WriteString("\n")
+		_, _ = w.WriteString("id:")
+		_, _ = fieldReplacer.WriteString(w, id)
+		_, _ = w.WriteString("\n")
 	}
 }
 
 func writeEvent(w stringWriter, event string) {
 	if len(event) > 0 {
-		w.WriteString("event:")
-		fieldReplacer.WriteString(w, event)
-		w.WriteString("\n")
+		_, _ = w.WriteString("event:")
+		_, _ = fieldReplacer.WriteString(w, event)
+		_, _ = w.WriteString("\n")
 	}
 }
 
 func writeRetry(w stringWriter, retry uint) {
 	if retry > 0 {
-		w.WriteString("retry:")
-		w.WriteString(strconv.FormatUint(uint64(retry), 10))
-		w.WriteString("\n")
+		_, _ = w.WriteString("retry:")
+		_, _ = w.WriteString(strconv.FormatUint(uint64(retry), 10))
+		_, _ = w.WriteString("\n")
 	}
 }
 
 func writeData(w stringWriter, data interface{}) error {
-	w.WriteString("data:")
+	_, _ = w.WriteString("data:")
 
 	bData, ok := data.([]byte)
 	if ok {
-		dataReplacer.WriteString(w, string(bData))
-		w.WriteString("\n\n")
+		_, _ = dataReplacer.WriteString(w, string(bData))
+		_, _ = w.WriteString("\n\n")
 		return nil
 	}
 
-	switch kindOfData(data) {
+	switch kindOfData(data) { //nolint:exhaustive
 	case reflect.Struct, reflect.Slice, reflect.Map:
 		err := json.NewEncoder(w).Encode(data)
 		if err != nil {
 			return err
 		}
-		w.WriteString("\n")
+		_, _ = w.WriteString("\n")
 	default:
-		dataReplacer.WriteString(w, fmt.Sprint(data))
-		w.WriteString("\n\n")
+		_, _ = dataReplacer.WriteString(w, fmt.Sprint(data))
+		_, _ = w.WriteString("\n\n")
 	}
 	return nil
 }
diff --git a/vendor/github.com/gin-contrib/sse/writer.go b/vendor/github.com/gin-contrib/sse/writer.go
index 6f9806c55..724d9d07d 100644
--- a/vendor/github.com/gin-contrib/sse/writer.go
+++ b/vendor/github.com/gin-contrib/sse/writer.go
@@ -12,7 +12,7 @@ type stringWrapper struct {
 }
 
 func (w stringWrapper) WriteString(str string) (int, error) {
-	return w.Writer.Write([]byte(str))
+	return w.Write([]byte(str))
 }
 
 func checkWriter(writer io.Writer) stringWriter {
author	kim <grufwub@gmail.com>	2025-06-30 15:19:09 +0200
committer	kim <gruf@noreply.codeberg.org>	2025-06-30 15:19:09 +0200
commit	8b0ea560279a5bf4479555d3924c763ddeecfcad (patch)
tree	005e26d4a658e565594fb259cc17948659195822 /vendor/github.com/gin-contrib
parent	[chore] bumps ncruces/go-sqlite3 v0.26.1 => v0.26.3 (#4302) (diff)
download	gotosocial-8b0ea560279a5bf4479555d3924c763ddeecfcad.tar.xz