fix(go.mod/go.sum): update minor dependencies (golang)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/cert-manager/cert-manager	v1.19.3 → v1.20.2			require	minor
github.com/onsi/ginkgo/v2	v2.27.5 → v2.31.0			require	minor
github.com/onsi/gomega	v1.39.0 → v1.42.0			require	minor
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring	v0.88.0 → v0.92.0			require	minor
github.com/redis/go-redis/v9	v9.17.3 → v9.20.1			require	minor
go (source)	1.25.6 → 1.26.4			golang	minor
golang.org/x/mod	v0.32.0 → v0.37.0			require	minor
k8s.io/api	v0.35.0 → v0.36.2			require	minor
k8s.io/apiextensions-apiserver	v0.35.0 → v0.36.2			require	minor
k8s.io/apimachinery	v0.35.0 → v0.36.2			require	minor
k8s.io/client-go	v0.35.0 → v0.36.2			require	minor
k8s.io/code-generator	v0.35.0 → v0.36.2			require	minor
k8s.io/kube-aggregator	v0.35.0 → v0.36.2			require	minor
sigs.k8s.io/controller-runtime	v0.23.0 → v0.24.1			require	minor
sigs.k8s.io/controller-runtime/tools/setup-envtest	v0.0.0-20260125161707-82cc073adb06 → v0.24.1			require	minor
sigs.k8s.io/controller-tools	v0.20.0 → v0.21.0			require	minor

---

Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.20.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#​8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8704, @​erikgb)
• Bump go to 1.26.2 (#​8703, @​erikgb)

v1.20.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

• Fixed duplicate parentRef bug when both issuer config and annotations are present. (#​8658, @​hjoshi123)
• Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#​8655, @​erikgb)
• Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#​8657, @​erikgb)

v1.20.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind

Feature

• Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#​8370, @​jcpunk)
• Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#​8256, @​tareksha)
• Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#​8186, @​mathieu-clnk)
• Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#​8355, @​dancmeyers)
• Added parentRef override annotations on the Certificate resource. (#​8518, @​hjoshi123)
• Added support for azure private zones for dns01 issuer. (#​8494, @​hjoshi123)
• Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#​7642, @​robertlestak)
• Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#​7728, @​jcpunk)
• For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#​8301, @​k0da)
• Improve error message when CA issuers are misconfigured to use a clashing secret name (#​8374, @​majiayu000)
• Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#​8244, @​lunarwhite)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8195, @​StingRayZA)
• Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#​8228, @​terinjokes)
• Added experimental XListenerSets feature gate (#​8394, @​hjoshi123)

Documentation

• Add GWAPI documentation to NOTES.TXT in helm chart (#​8353, @​jaxels10)

Bug or Regression

• Adds logs for cases when acme server returns us a fatal error in the order controller (#​8199, @​Peac36)
• Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8160, @​inteon)
• Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#​8232, @​eleanor-merry)
• Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. (#​8456, @​tkna)
• Fix unregulated retries with the DigitalOcean DNS-01 solver
  Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#​8221, @​wallrj-cyberark)
• Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8403, @​calm329)
• Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8424, @​SlashNephy)
• Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. (#​8443, @​alviss7)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8173, @​erikgb)
• Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8469, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8290, @​octo-sts[bot])
• When Prometheus monitoring is enabled, the metrics label is now set to the intended value of cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#​8162, @​LiquidPL)

Other (Cleanup or Flake)

• Promoted the OtherNames feature to Beta and enabled it by default (#​8288, @​wallrj-cyberark)
• Promoting XListenerSets feature gate to ListenerSets (#​8501, @​hjoshi123)
• Rebranding of the Venafi Issuer to CyberArk (#​8215, @​iossifbenbassat123)
• Switched to SSA for challenge finalizer updates (#​8519, @​inteon)
• The default container user (UID) is now 65532 (previously 1000) and the default container group (GID) is now 65532 (previously 0) (#​8408, @​wallrj-cyberark)
• The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to GA and can no longer be disabled. (#​8287, @​wallrj-cyberark)
• Update cert-manager's ACME client, forked from golang/x/crypto (#​8268, @​SgtCoDFish)
• Use the latest version of Kyverno (1.16.2) in the best-practice installation tests (#​8389, @​wallrj-cyberark)
• We stopped testing with Coutour due to it not supporting the new XListenerSet resource, and moved to kgateway. (#​8426, @​hjoshi123)

v1.19.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This is a simple patch release to fix some reported vulnerabilities. All users are recommended to upgrade.

Changes by Kind

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8706, @​erikgb)
• Bump go to 1.25.8 to address several reported vulnerabilities (#​8628, @​SgtCoDFish)
• Bump go to 1.25.9 (#​8705, @​erikgb)

v1.19.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.19.4 is a simple patch release to fix some reported vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should upgrade.

Changes by Kind

Bug or Regression

• Bump go to address CVE-2025-68121 (#​8526, @​SgtCoDFish)
• Bump otel SDK to address GO-2026-4394 (#​8531, @​SgtCoDFish)

onsi/ginkgo (github.com/onsi/ginkgo/v2)

v2.31.0

Compare Source

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

v2.30.0

Compare Source

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

• Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

v2.29.0

Compare Source

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

v2.28.3

Compare Source

2.28.3

Maintenance

Bump all dependencies

v2.28.2

Compare Source

2.28.2

• Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
• Implement shell completion [94151c8]
• Add asan CLI option mirroring msan implementation [4d21dbb]
• Bump uri from 1.0.3 to 1.0.4 in /docs (#​1630) [c102161]
• fix aspect ratio [9619647]
• update logos [5779304]

v2.28.1

Compare Source

2.28.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

v2.28.0

Compare Source

2.28.0

Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:

It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
})

can be filtered in or out with an invocation like:

ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"

Huge thanks to @​Icarus9913 for working on this!

onsi/gomega (github.com/onsi/gomega)

v1.42.0

Compare Source

1.42.0

Add a set of Claude skill as a marketplace plugin

v1.41.0

Compare Source

v1.40.0

Compare Source

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

v1.39.1

Compare Source

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

prometheus-operator/prometheus-operator (github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring)

v0.92.0: 0.92.0 / 2026-06-18

Compare Source

[!NOTE]
The PrometheusTopologySharding and PrometheusShardRetentionPolicy feature gates have been promoted to Beta in this release and are now enabled by default. See the sharding documentation for details.

• [CHANGE] Add URL validation for the tokenUrl field in OAuth2 configuration across all CRDs. #​8579
• [CHANGE] Add URL validation for the url field in RemoteReadSpec in Prometheus CRD. #​8596
• [FEATURE] Migrate retention options from CLI flags to the config file for Prometheus CRD (Prometheus >= v3 uses the config file; older versions continue to use CLI flags). #​8547
• [FEATURE] Add staleSeriesCompactionThreshold field to TSDBSpec in Prometheus and PrometheusAgent CRDs. #​8563
• [FEATURE] Add labelNameUnderscoreSanitization and labelNamePreserveMultipleUnderscores fields to OTLPConfig in Prometheus and PrometheusAgent CRDs. #​8562
• [FEATURE] Add payload field to Webhook receiver in AlertmanagerConfig CRD. #​8507
• [ENHANCEMENT] Use pod topology labels for zone sharding on Kubernetes >= 1.35 when the PrometheusTopologySharding feature gate is enabled (removes the need for attachMetadata.node=true). #​8564
• [ENHANCEMENT] Add validation for the Slack update_message field in Alertmanager configuration Secret. #​8556
• [BUGFIX] Validate target labels in Probe static configuration to prevent invalid Prometheus scrape configs. #​7901
• [BUGFIX] Fix goroutine leak and data race in pollBasedListerWatcher. #​8593
• [BUGFIX] Validate ProxyConfig in OAuth2 configuration. #​8610
• [BUGFIX] Fix SMTP smarthost format error handling in Alertmanager configuration. #​8586
• [BUGFIX] Fix missing return in admission webhook after marshal failure. #​8582
• [BUGFIX] Fix FindOwner to return nil on meta.Accessor error. #​8585
• [BUGFIX] Fix dropped gzip Close errors in GzipConfig and GunzipConfig. #​8573
• [BUGFIX] Fix panic on malformed key=value flag input (e.g. --labels "key"). #​8560

v0.91.0: 0.91.0 / 2026-05-05

Compare Source

• [CHANGE] Enforce mutual exclusion of basicAuth, authorization and oauth2 in ScrapeConfig CRD. #​8480
• [CHANGE] Add minimum length validations to string fields in ScrapeConfig CRD. #​8479
• [CHANGE] Add validations for VictorOps receiver in AlertmanagerConfig CRD. #​8220
• [CHANGE] Add validations for OpsGenie receiver in AlertmanagerConfig CRD. #​8267
• [CHANGE] Add validations for Email receiver in AlertmanagerConfig CRD. #​8270
• [FEATURE] Implement shard retention based on Prometheus data retention (it requires the PrometheusShardRetentionPolicy feature gate). #​8478
• [FEATURE] Configure node selector when sharding mode is Topology for Prometheus and PrometheusAgent custom resources (it requires the PrometheusTopologySharding feature gate). #​8486
• [FEATURE] Configure external label with topology information when sharding mode is Topology for Prometheus and PrometheusAgent custom resources (it requires the PrometheusTopologySharding feature gate). #​8519
• [FEATURE] Distribute scrape targets within topology zones when sharding mode is Topology for Prometheus and PrometheusAgent custom resources (it requires the PrometheusTopologySharding feature gate). #​8538
• [FEATURE] Add --promql-options CLI argument to the admission-webhook binary. #​8531
• [FEATURE] Validate PrometheusRule resources selected by Prometheus resources based on the PromQL enabled features. #​8545
• [FEATURE] Add workload identity authentication method for AzureSD in ScrapeConfig CRD. #​8489
• [ENHANCEMENT] Support strategic merge patch of container probes when workloads are configured with HTTPS. #​8427
• [ENHANCEMENT] Support auth_secret_file field for Email receiver in Alertmanager configuration Secret. #​8394
• [ENHANCEMENT] Support smtp_auth_secret_file field in Alertmanager configuration Secret. #​8396
• [ENHANCEMENT] Add externalId field to SigV4 configuration in Alertmanager, Prometheus, PrometheusAgent and ThanosRuler CRDs. #​8494
• [ENHANCEMENT] Add cipherSuites support for Thanos Sidecars and Rulers. #​8524
• [ENHANCEMENT] Add curves support for Thanos Sidecars and Rulers. #​8542
• [ENHANCEMENT] Speed up configuration reloads by watching the config file's parent directory. #​7366
• [ENHANCEMENT] Support Mattermost global webhook URL support in Alertmanager configuration Secret. #​8501
• [ENHANCEMENT] Add Mattermost global webhook URL support in Alertmanager CRD. #​8503 #​8534
• [ENHANCEMENT] Support payload field for Webhook receiver in Alertmanager configuration Secret. #​8505
• [ENHANCEMENT] Support attachment fields for Mattermost receiver in Alertmanager configuration Secret. #​8508
• [ENHANCEMENT] Support update_message field for Slack receiver in Alertmanager configuration Secret. #​8502
• [ENHANCEMENT] Add threading configuration for email receiver in AlertmanagerConfig CRD. #​8400
• [ENHANCEMENT] Add healthFilter field for ConsulSD in ScrapeConfig CRD. #​8529
• [BUGFIX] Ensure that inactive shards don't scrape any targets when the sharding retention policy is Retain. #​8513
• [BUGFIX] Fix Telegram bot token validation in Alertmanager configuration Secret. #​8465

v0.90.1: 0.90.1 / 2026-03-25

Compare Source

• [BUGFIX] Fix Probe ignoring HTTP client settings in scrape configuration. #​8461

v0.90.0: 0.90.0 / 2026-03-19

Compare Source

• [CHANGE/BUGFIX] Validate that the remote-write URL scheme is either http or https. #​8455
• [FEATURE] Add --repair-policy-for-statefulsets CLI argument to the operator. It defines how the operator manages StatefulSet's pods stuck at an incorrect revision. Users running Kubernetes v1.35+ are encouraged to enable this feature (see troubleshooting guide). #​8443
• [FEATURE] Add schedulerName support to the Prometheus, PrometheusAgent, Alertmanager and ThanosRuler CRDs. #​8451
• [ENHANCEMENT] Add --web.tls-curves CLI argument to the operator and admission-webhook binaries. #​8385
• [ENHANCEMENT] Support minimum TLS version for Thanos gRPC servers. #​8438
• [ENHANCEMENT] Add version label to ThanosRuler pods. #​8441
• [ENHANCEMENT] Add messageText support for Slack receiver in AlertmanagerConfig CRD. #​8374
• [ENHANCEMENT] Add messageText support for Slack receiver in Alertmanager secret config. #​8375
• [ENHANCEMENT] Add forceImplicitTLS support for SMTP email config in Alertmanager secret config. #​8384 #​8404
• [ENHANCEMENT] Add forceImplicitTLS support for SMTP email config in AlertmanagerConfig CRD. #​8386
• [ENHANCEMENT] Add forceImplicitTLS support for SMTP global config in Alertmanager secret config. #​8405
• [ENHANCEMENT] Add forceImplicitTLS support for SMTP global config in Alertmanager CRD. #​8406
• [ENHANCEMENT] Add support for global Telegram bot token in Alertmanager CRD. #​8372
• [ENHANCEMENT] Add chatIDFile support for Telegram receiver in Alertmanager secret config. #​8376
• [ENHANCEMENT] Add wechatAPISecretFile support in Alertmanager global config. #​8377
• [ENHANCEMENT] Add authSecretFile support for email config in Alertmanager secret config. #​8396
• [ENHANCEMENT] Add nested field support for PagerDuty description in Alertmanager secret config. #​8402
• [ENHANCEMENT] Add email threading support in Alertmanager secret config. #​8388
• [ENHANCEMENT] Add field and label selectors for ConfigMap watches. #​8368
• [ENHANCEMENT] Improve ScrapeConfig API consistency and validation. #​8422
• [BUGFIX] Fix ThanosRuler config resource status not being updated on initial StatefulSet creation. #​8358
• [BUGFIX] Preserve LastTransitionTime in Prometheus status conditions. #​8346
• [BUGFIX] Make Mattermost text field optional in AlertmanagerConfig CRD. #​8363
• [BUGFIX] Remove nil error wrapping in v1alpha1 duplicate receiver validation. #​8379
• [BUGFIX] Aggregate Available condition across Prometheus shards. #​8434
• [BUGFIX] Reconcile resources with inconsistent status. #​8397
• [BUGFIX] Fix namespace lister/watcher compatibility with Kubernetes v1.35 client-go. #​8431
• [BUGFIX] Fix missing OAuth2 field in IonosSDConfig generation. #​8433
• [BUGFIX] Fix missing fields in AzureSDConfig. #​8444
• [BUGFIX] Validate Microsoft Teams V2 URL in AlertmanagerConfig CRD. #​8227
• [BUGFIX] Fix labelmap relabel action rejecting valid replacement values with template variables for Prometheus 2.x. #​8337

v0.89.0: 0.89.0 / 2026-02-05

Compare Source

• [ENHANCEMENT] Add hostNetwork field to the Alertmanager CRD. #​8281
• [ENHANCEMENT] Add the crds and full-crds commands to the operator's binary. #​8251
• [ENHANCEMENT] Report deprecated field usage in the Reconciled condition type. #​8236
• [ENHANCEMENT] Avoid unnecessary reconciliation upon creation of the ThanosRuler StatefulSet. #​8347
• [ENHANCEMENT] Add bodySizeLimit to the ScrapeConfig CRD. #​8348
• [ENHANCEMENT] Support http_headers field in the Alertmanager Secret. #​8357
• [ENHANCEMENT] Add the -kubelet-http-metrics flag to enable/disable the HTTP metrics port in the Kubelet endpoint (default=enabled). #​8350
• [ENHANCEMENT] Include operator.prometheus.io/version annotation in the full version of CRDs. #​8279
• [BUGFIX] Validate VictorOps global configuration in the Alertmanager CRD. #​8020
• [BUGFIX] Validate Jira global configuration in the Alertmanager CRD. #​8265
• [BUGFIX] Validate VictorOps receiver's URL in the AlertmanagerConfig CRD. #​8258
• [BUGFIX] Validate Webex receiver's URL in the AlertmanagerConfig CRD. #​8255
• [BUGFIX] Validate Jira receiver's URL configuration in the AlertmanagerConfig CRD. #​8230
• [BUGFIX] Validate OpsGenie receiver configuration in the AlertmanagerConfig CRD. #​8267
• [BUGFIX] Validate WeChat receiver configuration in the AlertmanagerConfig CRD. #​8271
• [BUGFIX] Validate SNS receiver configuration in the AlertmanagerConfig CRD. #​8217
• [BUGFIX] Validate Webex global configuration in the Alertmanager CRD. #​7979
• [BUGFIX] Validate Telegram global configuration in the Alertmanager CRD. #​8268
• [BUGFIX] Restore statefulset's labels if the creation fails with AlreadyExists. #​8343
• [BUGFIX] Fix potential panic due to informer cache races. #​8310
• [BUGFIX] Support probers defined with IPv6 addresses in the Probe CRD. #​8354
• [BUGFIX] Prevent group and repeat intervals with zero duration from breaking Alertmanager. #​8126
• [BUGFIX] Propagate all supported RocketChat attributes for AlertmanagerConfig CRD. #​8016
• [BUGFIX] Add URL validation for WeChat receiver. #​8256
• [BUGFIX] Add URL validation for SNS receiver. #​8259
• [BUGFIX] Fix GCE service discovery for the ScrapeConfig CRD. #​8284
• [BUGFIX] Avoid stale conditions in Alertmanager, ThanosRuler, Prometheus and PrometheusAgent resources. #​8304
• [BUGFIX] Fix race condition when updating rule ConfigMaps. #​8290
• [BUGFIX] Fix race condition when patching finalizers. #​8323
• [BUGFIX] Reconcile ScrapeConfig resources when namespace selection changes. #​8334

v0.88.1: 0.88.1 / 2026-01-27

Compare Source

• [BUGFIX] Validate webhookURL secret for MSTeams receiver in AlertmanagerConfig CRD. #​8294
• [BUGFIX] Revert maximum version check for EC2/Lightsail SD in ScrapeConfig CRD. #​8308
• [BUGFIX] Relax URL validation in Slack receiver in AlertmanagerConfig CRD to support Go templates. #​8299 #​8331
• [BUGFIX] Relax URL validation in PagerDuty in AlertmanagerConfig CRD to support Go templates. #​8319
• [BUGFIX] Relax URL validation in WebhookConfig in AlertmanagerConfig CRD to support Go templates. #​8307 #​8317
• [BUGFIX] Relax URL validation in RocketChat receiver in AlertmanagerConfig CRD to support Go templates. #​8318
• [BUGFIX] Relax URL validation in Pushover receiver in AlertmanagerConfig CRD to support Go templates. #​8307 #​8316

redis/go-redis (github.com/redis/go-redis/v9)

v9.20.1: 9.20.1

Compare Source

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #​3839.

(#​3842) by @​ndyakov

🐛 Bug Fixes

• RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #​3839) (#​3842) by @​ndyakov
• FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#​3844) by @​ndyakov
• CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#​3843) by @​madolson
• PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#​3833) by @​cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​cxljs, @​madolson, @​ndyakov

---

Full Changelog: redis/go-redis@v9.20.0...v9.20.1

v9.20.0: 9.20.0

Compare Source

🚀 Highlights

Redis 8.8 Support

This release adds support for Redis 8.8. The README's supported-versions list now includes Redis 8.8 alongside 8.0/8.2/8.4, and CI exercises the 8.8 client-libs-test image across the full suite (Makefile, build workflow, doctests, run-tests action, and docker-compose).

Coverage for the new commands that ship in the 8.x line, rounded out in this release:

• AR* array data type (#​3813) — new array data structure, exposed via the ArrayCmdable interface (see the experimental-features highlight below).
• INCREX (#​3816) — atomic increment with expiration in a single round-trip.
• XNACK (#​3790) — explicit negative-acknowledge of pending stream entries.
• XAUTOCLAIM PEL deletes (#​3798) — XAUTOCLAIM/XAUTOCLAIMJUSTID now return the list of deleted message IDs from the pending entries list.
• TS.RANGE multiple aggregators (#​3791) — TS.RANGE/TS.REVRANGE/TS.MRANGE/TS.MREVRANGE accept multiple aggregators in a single call.
• Z(UNION|INTER|DIFF) COUNT aggregator (#​3802) — COUNT reducer for sorted-set set operations.
• JSON.SET FPHA (#​3797) — new FPHA argument that specifies the floating-point type for homogeneous FP arrays.

CI image bump (#​3814) by @​ofekshenawa. Command coverage contributions by @​cxljs, @​elena-kolevska, @​Khukharr, @​ndyakov, and @​ofekshenawa.

Stable RESP3 for RediSearch (UnstableResp3 deprecated)

FT.SEARCH, FT.AGGREGATE, FT.INFO, FT.SPELLCHECK, and FT.SYNDUMP now parse RESP3 (map) responses into the same typed result objects as RESP2 — Val() and Result() work uniformly on both protocols, no flag required. Previously, RESP3 search responses required UnstableResp3: true and were returned as opaque maps accessible only via RawResult() / RawVal().

As a result, the UnstableResp3 option is now a no-op across every options struct (Options, ClusterOptions, UniversalOptions, FailoverOptions, RingOptions) and has been marked // Deprecated:. The field is retained for backwards compatibility — existing code that sets UnstableResp3: true will continue to compile and behave identically — but it will be removed in a future

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 30 additional dependencies were updated

Details:

Package	Change
github.com/fatih/color	v1.18.0 -> v1.19.0
github.com/fsnotify/fsnotify	v1.9.0 -> v1.10.0
github.com/fxamacker/cbor/v2	v2.9.0 -> v2.9.2
github.com/go-openapi/jsonpointer	v0.22.1 -> v0.23.1
github.com/go-openapi/jsonreference	v0.21.2 -> v0.21.5
github.com/go-openapi/swag	v0.23.1 -> v0.26.0
github.com/google/gnostic-models	v0.7.0 -> v0.7.1
github.com/google/pprof	v0.0.0-20250820193118-f64d9cf942d6 -> v0.0.0-20260402051712-545e8a4df936
github.com/mailru/easyjson	v0.9.0 -> v0.9.1
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/moby/spdystream	v0.5.0 -> v0.5.1
github.com/prometheus/common	v0.66.1 -> v0.67.5
github.com/prometheus/procfs	v0.17.0 -> v0.20.1
go.uber.org/zap	v1.27.0 -> v1.27.1
go.yaml.in/yaml/v2	v2.4.3 -> v2.4.4
golang.org/x/crypto	v0.46.0 -> v0.53.0
golang.org/x/net	v0.48.0 -> v0.56.0
golang.org/x/oauth2	v0.31.0 -> v0.36.0
golang.org/x/sync	v0.19.0 -> v0.21.0
golang.org/x/sys	v0.39.0 -> v0.46.0
golang.org/x/term	v0.38.0 -> v0.44.0
golang.org/x/text	v0.32.0 -> v0.38.0
golang.org/x/time	v0.13.0 -> v0.15.0
golang.org/x/tools	v0.40.0 -> v0.45.0
google.golang.org/protobuf	v1.36.9 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260603220949-865597e52e25
k8s.io/utils	v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260507154919-ff6756f316d2
sigs.k8s.io/gateway-api	v1.4.0 -> v1.5.0
sigs.k8s.io/structured-merge-diff/v6	v6.3.1 -> v6.4.0