Sync upstream amacneil/dbmate by Ragge-dev · Pull Request #28 · annotell/dbmate

Ragnar Englund (Ragge-dev) · 2026-04-07T11:33:36Z

Summary

Merges upstream amacneil/dbmate up to v2.32.0 (30 commits)
Preserves our fork's --set-role feature
Key upstream changes: ClickHouse HTTP/S scheme support, extra args for mysqldump/pgdump, SQLite URL path fix, dependency updates

Conflict resolution

All conflicts were version bumps — resolved by taking upstream's newer versions while keeping our --set-role code paths intact.

This fixes the issue of using a generated `schema.sql` with ClickHouse in Docker. The ClickHouse entrypoint runs every `.sql` file in `/docker-entrypoint-initdb.d` during server startup, but it executes them against the default database. It works if the schema dump was created from the default database, but it fails otherwise: ``` /entrypoint.sh: running /docker-entrypoint-initdb.d/schema.sql Received exception from server (version 25.3.6): Code: 60. DB::Exception: Received from 127.0.0.1:9000. DB::Exception: Table default.schema_migrations does not exist. Maybe you meant my_database_name.schema_migrations?. (UNKNOWN_TABLE) ``` This fix prefixes `migrations_table_name` with `db_name.` in the generated schema, making it consistent with the table creation statements and with other drivers.  --- > [!NOTE] > **Low Risk** > Low risk: changes are limited to ClickHouse schema dump SQL generation and corresponding test expectations, with no changes to migration execution or connection handling. > > **Overview** > Fixes ClickHouse `DumpSchema` output to be usable when executed against the default DB (e.g., Docker init scripts) by **fully qualifying the schema migrations insert** as `db_name.table`. > > Also standardizes database DDL generation by introducing `quotedDatabaseName()` and using it in `CreateDatabase`, `DropDatabase`, and schema dump output, and updates ClickHouse (cluster) tests to expect the qualified `INSERT` statement. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7748b83. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (<<)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP => HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=js-yaml&package-manager=npm_and_yarn&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details>  --- > [!NOTE] > **Low Risk** > Low risk dependency patch limited to the TypeScript workspace lockfile (dev tooling). Main impact is updated YAML parsing behavior in tooling, including a security fix for prototype pollution. > > **Overview** > Updates `typescript/package-lock.json` to bump the dev dependency `js-yaml` from `4.1.0` to `4.1.1` (including updated tarball/integrity metadata and added `license` field). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 53c200e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps alpine from 3.23.2 to 3.23.3. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=alpine&package-manager=docker&previous-version=3.23.2&new-version=3.23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Low risk dependency bump limited to the Docker release stage; main risk is unexpected package/runtime differences in the base image. > > **Overview** > Updates the Docker `release` stage base image from `alpine:3.23.2` to `alpine:3.23.3`, keeping the build and installed runtime packages unchanged. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 42785ab. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

lib/pq v1.11.1 broke connecting to Supavisor. Pin to lib/pq v1.10.9 until upstream fix is available. Closes amacneil#746 **Update:** lib/pq v1.11.2 released which fixes the connection issue, so rather than pinning to v1.10.9, we'll bump the depenency to v1.11.2, instead.  --- > [!NOTE] > **Low Risk** > Primarily a dependency patch bump plus test/infra tweaks; production logic is unchanged, with minimal risk beyond potential CI/environment differences in Postgres error messages. > > **Overview** > Updates the Postgres driver dependency by bumping `github.com/lib/pq` from `v1.11.1` to `v1.11.2` (with matching `go.sum` changes) to address Supavisor connection breakage. > > Adds `docker-compose.supavisor.yml` to spin up Supavisor + Postgres, auto-provision a dev tenant, and create a `dbmate_test` database; and relaxes several Postgres driver tests to use `require.ErrorContains` instead of exact error-string equality to reduce brittleness across environments/driver versions. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6bea788. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Create release v2.30.0 by bumping the version and updating Go and TypeScript dependencies. --- <p><a href="https://cursor.com/background-agent?bcId=bc-2cd27417-09d1-4fba-aa21-a007839a18ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> <a href="https://cursor.com/agents?id=bc-2cd27417-09d1-4fba-aa21-a007839a18ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a></p>  --- > [!NOTE] > **Low Risk** > Release/version bump with dependency-only updates; risk is limited to potential behavioral changes from updated Google Cloud/OpenTelemetry libraries. > > **Overview** > Bumps the `dbmate` version constant from `2.29.5` to `2.30.0` for the new release. > > Updates Go module dependencies, primarily in the Google Cloud stack (e.g., `cloud.google.com/go/bigquery`, `google.golang.org/api`, `github.com/googleapis/gax-go/v2`, `google.golang.org/genproto`) and related OpenTelemetry instrumentation versions, with corresponding `go.sum` changes. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2ce03d0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

…er flag + env var (amacneil#713) This PR addresses issue amacneil#489 by adding comprehensive support for ClickHouse HTTP/S protocols and allowing users to explicitly specify the driver via a CLI flag. Key Changes: 1. New Driver Schemes: - Added support for clickhouse+http:// and clickhouse+https:// schemes. - Added support for clickhouse+tcp:// alias. - When these schemes are detected, the driver automatically normalizes the URL for the underlying clickhouse-go driver and sets the appropriate default ports (8123 for HTTP, 8443 for HTTPS) if not specified. 2. Explicit Driver Selection (--driver flag): - Introduced a new global flag: --driver (env: DBMATE_DRIVER). - This allows users to force a specific driver, overriding the default behavior of inferring the driver from the database URL scheme. - Use Case: Enabling ClickHouse users to provide a standard http:// URL while explicitly telling dbmate to use the ClickHouse driver. ``` # Using new schemes (auto-detection) dbmate -u "clickhouse+http://localhost:8123/default" status # Using standard HTTP scheme with explicit driver flag dbmate --driver clickhouse -u "http://localhost:8123/default" status ``` Related Issue Fixes amacneil#489 Type of change [x] New feature (non-breaking change which adds functionality) [ ] Bug fix (non-breaking change which fixes an issue) Checklist [x] I have added tests to cover the new schemes, port defaults, and flag logic. [x] I have updated the README.md with documentation for the new feature. [x] Existing tests passed locally. [x] Refactored main.go logic into configureDB for better testability.  --- > [!NOTE] > **Medium Risk** > Changes driver selection logic in `dbmate.DB.Driver()` and expands ClickHouse connection URL handling, which could affect connectivity for existing CLI/library users if misconfigured; coverage is improved via new tests. > > **Overview** > Adds a new global `--driver` flag (and `DBMATE_DRIVER` env var) to force the database driver instead of inferring it from the URL scheme, refactoring CLI DB initialization into `configureDB` and plumbing the chosen driver through `dbmate.DB.Driver()`. > > Extends the ClickHouse driver to recognize `clickhouse+http://` and `clickhouse+https://` schemes (and to normalize `http`/`https` URLs for ClickHouse with appropriate default ports), updates documentation, and adds unit tests covering the new driver override and URL variants. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3cf3793. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

Bumps golang from 1.25.5 to 1.25.6. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.25.5&new-version=1.25.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Low risk: this is a patch-level Go toolchain update affecting build/runtime compatibility, with no functional code changes in the repo. > > **Overview** > Updates the Go toolchain patch version from `1.25.5` to `1.25.6` for local/dev and module builds. > > This bumps the `golang` base image tag in `Dockerfile` and the `toolchain` directive in `go.mod` to keep builds consistent. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3ee1bd3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jeff Zellner <jeff@foxglove.dev>

## Summary `DumpSchema` and `DatabaseExists` were passing a full connection string (including query parameters) where a bare file path is expected, causing `sqlite3` CLI calls and `os.Stat` checks to fail when the URL contained query parameters like `?mode=ro`. ## Changes - Introduce `normalizeSQLiteURL` to properly handle all URL forms (relative, absolute, 1–4 leading slashes, spaces, percent-encoding), replacing the previous regexp-based slash collapsing in `ConnectionString` - Add `filePathFromURL` to extract just the file path, and use it in `DumpSchema` and `DatabaseExists` instead of `ConnectionString` - Rebuild `ConnectionString` on top of the same normalizer ## Test improvements - Use `t.TempDir()` so tests don't write into the working directory - Pass `*Driver` into `prepTestSQLiteDB` for consistent test setup - Convert `ConnectionString` tests to table-driven with `t.Parallel()` and add corresponding `filePathFromURL` table-driven tests - Use `require.False`/`True`/`NoFileExists` for clearer assertions - Extend `DatabaseExists` test to cover the full create/drop cycle  --- > [!NOTE] > **Medium Risk** > Touches SQLite URL/DSN parsing used for opening and managing DB files; subtle path normalization changes could affect edge-case URLs across platforms. > > **Overview** > Fixes SQLite operations that require a filesystem path by introducing `filePathFromURL` and using it for `DumpSchema` (the `sqlite3` CLI call) and `DatabaseExists` (`os.Stat`), avoiding query/fragment connection params being treated as part of the filename. > > Refactors `ConnectionString` to be built from a normalized SQLite URL (`normalizeSQLiteURL`), improving handling of absolute vs relative paths, escaped characters, and extra leading slashes; updates/expands tests to cover path extraction vs DSN generation and makes SQLite tests use per-test temp DB files. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 15d3e41. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

Add shortened URL syntax examples for passwordless PostgreSQL Unix socket connections. ## Changes Corrects and improves the original PR (amacneil#459) examples: - **Fixed missing `@` in username URL**: `postgres://username/db` parses `username` as a hostname, not userinfo. The correct form is `postgres://username@/db` — the `@` is required to place `username` in the userinfo portion of the URL. - **Fixed misleading explanation**: The original PR claimed the username could be omitted "when the username and database name are identical." In reality, when the username is omitted, `lib/pq` (matching `libpq` behavior) defaults to the `PGUSER` environment variable if set, otherwise the OS username. The database name is irrelevant. - **Fixed typo**: "Additionaly" → "Additionally" (moot, sentence was rewritten) - **Removed extra blank line** ## Examples added ```sh # Passwordless (e.g. peer auth), explicit username (note the @ is required) DATABASE_URL="postgres://username@/database_name?socket=/var/run/postgresql" # Username omitted — defaults to PGUSER env var, or OS username DATABASE_URL="postgres:///database_name?socket=/var/run/postgresql" ```  --- > [!NOTE] > **Low Risk** > Documentation-only changes with no impact to runtime behavior. > > **Overview** > Updates `README.md` PostgreSQL connection documentation to include **passwordless unix-socket** `DATABASE_URL` examples, clarifying that the `@` is required when omitting the password (e.g., peer auth). > > Adds guidance that omitting the username falls back to `PGUSER` or the OS username (per `lib/pq`/`libpq` behavior), with an example URL showing the shortened form. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0696152. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

…macneil#752) ## Summary - The `versions: ["*rc*"]` glob pattern in the Docker ignore condition is invalid syntax, causing Dependabot to fail parsing the config entirely - Commented out the ignore block with a reference to the upstream feature request ## Context - Dependabot suggests RC versions of golang (e.g., `1.26rc2` in amacneil#733) even from stable tags - Docker ignore conditions use Bundler version syntax which does not support glob patterns - Upstream issue tracking pre-release ignore support: dependabot/dependabot-core#8677 ## Test plan - [ ] Verify Dependabot no longer reports a config parse error - [ ] Verify Dependabot resumes creating Docker update PRs  --- > [!NOTE] > **Low Risk** > Config-only change that removes a broken ignore rule; main impact is Dependabot may surface Go RC updates again until upstream support exists. > > **Overview** > Fixes Dependabot config parsing for Docker updates by commenting out an invalid `ignore` rule that tried to match Golang RC tags via `versions: ["*rc*"]`. > > Adds inline comments documenting the limitation (no glob patterns for Docker `versions`) and links to the upstream Dependabot issue for future re-enablement. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fcd6c96. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Bumps golang from 1.25.6 to 1.26.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.25.6&new-version=1.26.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>  --- > [!NOTE] > **Low Risk** > Primarily a toolchain/linter version bump; risk is limited to potential CI/build or lint behavior differences under Go 1.26. > > **Overview** > Updates the development Docker image from Go `1.25.6` to `1.26.0` and bumps `golangci-lint` from `v2.8.0` to `v2.9.0`. > > Aligns module tooling by changing `go.mod` `toolchain` from `go1.25.6` to `go1.26.0` (no dependency changes included in the diff). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 900ebfe. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Dossy Shiobara <dossy@panoptic.com>

@amacneil

feat: allow passing extra arguments to mysqldump/pgdump & fix broken tests (mysql & postgres) Allow passing extra arguments to the dump command as follows: `dbmate dump -- --flag1 --flag2` Everything after `--` will be passed to pgdump or mysqldump. We can further allow passing extra arguments for other subcommands. Fixes: amacneil#678 Fixes: amacneil#688 @amacneil  --- > [!NOTE] > **Medium Risk** > Changes the public `Driver` interface and how `dump` shells out to `mysqldump`/`pg_dump`, which could affect downstream driver implementations and schema dump behavior across databases. > > **Overview** > `dbmate dump` now supports pass-through flags (`dbmate dump -- --flag1 ...`) that are forwarded to `mysqldump`/`pg_dump`, wired from the CLI into a new `DB.Args` field and through the `Driver.DumpSchema(*sql.DB, ...string)` interface. > > MySQL and Postgres drivers were updated to append these extra args to the underlying dump command invocation (other drivers ignore them), README documentation was expanded accordingly, and new MySQL/Postgres tests validate that invalid extra args surface expected tool errors. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f5e2e52. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Release for v2.31.0, includes amacneil#753

Bumps [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519) from 1.1.0 to 1.1.1. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb"><code>d1c650a</code></a> extra: initialize receiver in MultiScalarMult</li> <li>See full diff in <a href="https://github.com/FiloSottile/edwards25519/compare/v1.1.0...v1.1.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=filippo.io/edwards25519&package-manager=go_modules&previous-version=1.1.0&new-version=1.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps golang from 1.26.0 to 1.26.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.26.0&new-version=1.26.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/v6...v7">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v8.0.0</h2> <h2>v8 - What's new</h2> <h3>Direct downloads</h3> <p>To support direct uploads in <code>actions/upload-artifact</code>, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the <code>Content-Type</code> header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new <code>skip-decompress</code> parameter to <code>false</code>.</p> <h3>Enforced checks (breaking)</h3> <p>A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the <code>digest-mismatch</code> parameter. To be secure by default, we are now defaulting the behavior to <code>error</code> which will fail the workflow run.</p> <h3>ESM</h3> <p>To support new versions of the @actions/* packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Don't attempt to un-zip non-zipped downloads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li> <li>Add a setting to specify what to do on hash mismatch and default it to <code>error</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a> from actions/danwkennedy/digest-mismatch-behavior</li> <li><a href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a> Add change docs</li> <li><a href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a> Fix linting issues</li> <li><a href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a> Add a setting to specify what to do on hash mismatch and default it to <code>error</code></li> <li><a href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a> from actions/danwkennedy/download-no-unzip</li> <li><a href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a> Add note about package bumps</li> <li><a href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a> Bump the version to <code>v8</code> and add release notes</li> <li><a href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a> Update test names to make it clearer what they do</li> <li><a href="https://github.com/actions/download-artifact/commit/96bf374a614d4360e225874c3efd6893a3f285e7"><code>96bf374</code></a> One more test fix</li> <li><a href="https://github.com/actions/download-artifact/commit/b8c4819ef592cbe04fd93534534b38f853864332"><code>b8c4819</code></a> Fix skip decompress test</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/v7...v8">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=7&new-version=8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/minimatch/commit/7bba97888a27a6162983056bcce2a6e28f668712"><code>7bba978</code></a> 3.1.5</li> <li><a href="https://github.com/isaacs/minimatch/commit/bd259425b2ca17b42897997f93e890314155522d"><code>bd25942</code></a> docs: add warning about ReDoS</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a9c27c75725474dbde57db2995b6281b267756d"><code>1a9c27c</code></a> fix partial matching of globstar patterns</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a2e084af579731af66c221214e3ca8222c9bf23"><code>1a2e084</code></a> 3.1.4</li> <li><a href="https://github.com/isaacs/minimatch/commit/ae24656237c3d58067442f790ce17eff84463a47"><code>ae24656</code></a> update lockfile</li> <li><a href="https://github.com/isaacs/minimatch/commit/b1003749228b2a79e1f237963a0d559ef7a0941e"><code>b100374</code></a> limit recursion for **, improve perf considerably</li> <li><a href="https://github.com/isaacs/minimatch/commit/26ffeaa091b9f660833e23f42e07165b33e85c13"><code>26ffeaa</code></a> lockfile update</li> <li><a href="https://github.com/isaacs/minimatch/commit/9eca892a4e5dbb20534f9f30483b85cdeee6c2eb"><code>9eca892</code></a> lock node version to 14</li> <li><a href="https://github.com/isaacs/minimatch/commit/00c323b188b704e5d4bc534ecec2268cfa70a32a"><code>00c323b</code></a> 3.1.3</li> <li><a href="https://github.com/isaacs/minimatch/commit/30486b2048929264f44d18822891cfffa02af78b"><code>30486b2</code></a> update CI matrix and actions</li> <li>Additional commits viewable in <a href="https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=minimatch&package-manager=npm_and_yarn&previous-version=3.1.2&new-version=3.1.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7"><code>3bf0909</code></a> 3.4.2</li> <li><a href="https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"><code>885ddcc</code></a> fix CWE-1321</li> <li><a href="https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3"><code>0bdba70</code></a> added flatted-view to the benchmark</li> <li><a href="https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20"><code>2a02dce</code></a> 3.4.1</li> <li><a href="https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416"><code>fba4e8f</code></a> Merge pull request <a href="https://redirect.github.com/WebReflection/flatted/issues/89">#89</a> from WebReflection/python-fix</li> <li><a href="https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7"><code>5fe8648</code></a> added "when in Rome" also a test for PHP</li> <li><a href="https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0"><code>53517ad</code></a> some minor improvement</li> <li><a href="https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f"><code>b3e2a0c</code></a> Fixing recursion issue in Python too</li> <li><a href="https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad"><code>c4b46db</code></a> Add SECURITY.md for security policy and reporting</li> <li><a href="https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988"><code>f86d071</code></a> Create dependabot.yml for version updates</li> <li>Additional commits viewable in <a href="https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=flatted&package-manager=npm_and_yarn&previous-version=3.3.3&new-version=3.4.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.79.3</h2> <h1>Security</h1> <ul> <li>server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like <code>grpc/authz</code>. Any request with a non-canonical path is now immediately rejected with an <code>Unimplemented</code> error. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8981">#8981</a>)</li> </ul> <h2>Release 1.79.2</h2> <h1>Bug Fixes</h1> <ul> <li>stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (<a href="https://redirect.github.com/grpc/grpc-go/pull/8874">grpc/grpc-go#8874</a>)</li> </ul> <h2>Release 1.79.1</h2> <h1>Bug Fixes</h1> <ul> <li>grpc: Remove the <code>-dev</code> suffix from the User-Agent header. (<a href="https://redirect.github.com/grpc/grpc-go/pull/8902">grpc/grpc-go#8902</a>)</li> </ul> <h2>Release 1.79.0</h2> <h1>API Changes</h1> <ul> <li>mem: Add experimental API <code>SetDefaultBufferPool</code> to change the default buffer pool. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8806">#8806</a>) <ul> <li>Special Thanks: <a href="https://github.com/vanja-p"><code>@vanja-p</code></a></li> </ul> </li> <li>experimental/stats: Update <code>MetricsRecorder</code> to require embedding the new <code>UnimplementedMetricsRecorder</code> (a no-op struct) in all implementations for forward compatibility. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li> </ul> <h1>Behavior Changes</h1> <ul> <li>balancer/weightedtarget: Remove handling of <code>Addresses</code> and only handle <code>Endpoints</code> in resolver updates. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8841">#8841</a>)</li> </ul> <h1>New Features</h1> <ul> <li>experimental/stats: Add support for asynchronous gauge metrics through the new <code>AsyncMetricReporter</code> and <code>RegisterAsyncReporter</code> APIs. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li> <li>pickfirst: Add support for weighted random shuffling of endpoints, as described in <a href="https://redirect.github.com/grpc/proposal/pull/535">gRFC A113</a>. <ul> <li>This is enabled by default, and can be turned off using the environment variable <code>GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING</code>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8864">#8864</a>)</li> </ul> </li> <li>xds: Implement <code>:authority</code> rewriting, as specified in <a href="https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md">gRFC A81</a>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8779">#8779</a>)</li> <li>balancer/randomsubsetting: Implement the <code>random_subsetting</code> LB policy, as specified in <a href="https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md">gRFC A68</a>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8650">#8650</a>) <ul> <li>Special Thanks: <a href="https://github.com/marek-szews"><code>@marek-szews</code></a></li> </ul> </li> </ul> <h1>Bug Fixes</h1> <ul> <li>credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8726">#8726</a>) <ul> <li>Special Thanks: <a href="https://github.com/Atul1710"><code>@Atul1710</code></a></li> </ul> </li> <li>xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in <code>CONNECTING</code> state. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8813">#8813</a>)</li> <li>health: Fix a bug where health checks failed for clients using legacy compression options (<code>WithDecompressor</code> or <code>RPCDecompressor</code>). (<a href="https://redirect.github.com/grpc/grpc-go/issues/8765">#8765</a>) <ul> <li>Special Thanks: <a href="https://github.com/sanki92"><code>@sanki92</code></a></li> </ul> </li> <li>transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8769">#8769</a>) <ul> <li>Special Thanks: <a href="https://github.com/joybestourous"><code>@joybestourous</code></a></li> </ul> </li> <li>server: Propagate status detail headers, if available, when terminating a stream during request header processing. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8754">#8754</a>) <ul> <li>Special Thanks: <a href="https://github.com/joybestourous"><code>@joybestourous</code></a></li> </ul> </li> </ul> <h1>Performance Improvements</h1> <ul> <li>credentials/alts: Optimize read buffer alignment to reduce copies. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8791">#8791</a>)</li> <li>mem: Optimize pooling and creation of <code>buffer</code> objects. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8784">#8784</a>)</li> <li>transport: Reduce slice re-allocations by reserving slice capacity. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8797">#8797</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc-go/commit/dda86dbd9cecb8b35b58c73d507d81d67761205f"><code>dda86db</code></a> Change version to 1.79.3 (<a href="https://redirect.github.com/grpc/grpc-go/issues/8983">#8983</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5"><code>72186f1</code></a> grpc: enforce strict path checking for incoming requests on the server (<a href="https://redirect.github.com/grpc/grpc-go/issues/8981">#8981</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/97ca3522b239edf6813e2b1106924e9d55e89d43"><code>97ca352</code></a> Changing version to 1.79.3-dev (<a href="https://redirect.github.com/grpc/grpc-go/issues/8954">#8954</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/8902ab6efea590f5b3861126559eaa26fa9783b2"><code>8902ab6</code></a> Change the version to release 1.79.2 (<a href="https://redirect.github.com/grpc/grpc-go/issues/8947">#8947</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/a9286705aa689bee321ec674323b6896284f3e02"><code>a928670</code></a> Cherry-pick <a href="https://redirect.github.com/grpc/grpc-go/issues/8874">#8874</a> to v1.79.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/8904">#8904</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/06df3638c0bcee88197b1033b3ba83e1eb8bc010"><code>06df363</code></a> Change version to 1.79.2-dev (<a href="https://redirect.github.com/grpc/grpc-go/issues/8903">#8903</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/782f2de44f597af18a120527e7682a6670d84289"><code>782f2de</code></a> Change version to 1.79.1 (<a href="https://redirect.github.com/grpc/grpc-go/issues/8902">#8902</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/850eccbb2257bd2de6ac28ee88a7172ab6175629"><code>850eccb</code></a> Change version to 1.79.1-dev (<a href="https://redirect.github.com/grpc/grpc-go/issues/8851">#8851</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/765ff056b6890f6c8341894df4e9668e9bfc18ef"><code>765ff05</code></a> Change version to 1.79.0 (<a href="https://redirect.github.com/grpc/grpc-go/issues/8850">#8850</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/68804be0e78ed0365bb5a576dedc12e2168ed63e"><code>68804be</code></a> Cherry pick <a href="https://redirect.github.com/grpc/grpc-go/issues/8864">#8864</a> to v1.79.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/8896">#8896</a>)</li> <li>Additional commits viewable in <a href="https://github.com/grpc/grpc-go/compare/v1.78.0...v1.79.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/grpc&package-manager=go_modules&previous-version=1.78.0&new-version=1.79.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amacneil/dbmate/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Release v2.32.0

Closes amacneil#773.

Merge upstream/main (up to v2.32.0) into our fork, preserving the --set-role feature. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Ilia Ablamonov (Flamefork) and others added 30 commits February 6, 2026 07:48

bump version to v2.31.0 (amacneil#754)

5dc429d

Release for v2.31.0, includes amacneil#753

Release v2.32.0 (amacneil#777)

c89e2fd

Release v2.32.0

Update Go dependencies. (amacneil#779)

2036c59

Closes amacneil#773.

Ragge-dev and others added 3 commits April 7, 2026 13:32

Sync upstream amacneil/dbmate

4c8f80d

Merge upstream/main (up to v2.32.0) into our fork, preserving the --set-role feature. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Delete docs/plans/2026-02-04-set-role-validation-design.md

018a72c

Delete docs/plans/2026-02-04-set-role-validation.md

67f380c

Fredrik Beiron (beironf) approved these changes Apr 7, 2026

View reviewed changes

Ragnar Englund (Ragge-dev) merged commit 7469e2e into main Apr 7, 2026
15 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync upstream amacneil/dbmate#28

Sync upstream amacneil/dbmate#28
Ragnar Englund (Ragge-dev) merged 33 commits intomainfrom
sync-upstream-dbmate

Ragnar Englund (Ragge-dev) commented Apr 7, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Conversation

Ragnar Englund (Ragge-dev) commented Apr 7, 2026

Summary

Conflict resolution

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants