chore(deps): update all non-major dependencies

[renovate-rancher]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cenkalti/backoff/v5	v5.0.2 → v5.0.3
github.com/prometheus/common	v0.67.5 → v0.69.0

---

Release Notes

cenkalti/backoff (github.com/cenkalti/backoff/v5)

v5.0.3

Compare Source

prometheus/common (github.com/prometheus/common)

v0.69.0

Compare Source

Security / behavior changes

• config: credentials are no longer forwarded across cross-host redirects. When FollowRedirects is enabled, the HTTP client now strips Authorization, Cookie, Proxy-Authorization and other sensitive headers, and skips basic-auth, bearer-token and OAuth2 credentials, when a redirect points to a different host. This aligns with Go's net/http behavior. Callers that relied on credentials being sent to a redirect target on another host will need to target that host directly. #​901 #​920 #​921
• config: LoadHTTPConfigFile now resolves relative file paths (e.g. *_file credentials, http_headers files) against the config file's own directory instead of its parent directory. Configs that worked around the old behavior by prefixing paths with the config's directory name must drop that prefix. #​925

Bugfixes

• expfmt: fix nil pointer panic when parsing empty braces {}. #​922
• model: fix Time.UnmarshalJSON for larger negative numbers. #​918

Performance

• model: reduce allocations in Time.UnmarshalJSON. #​918

Internal

• Synchronize common files from prometheus/prometheus. #​917
• Modernize Go. #​919

Full Changelog: prometheus/common@v0.68.1...v0.69.0

v0.68.1

Compare Source

Security / behavior changes

• config: credentials are no longer forwarded across cross-host redirects. When FollowRedirects is enabled, the HTTP client now strips Authorization, Cookie, Proxy-Authorization and other sensitive headers, and skips basic-auth, bearer-token and OAuth2 credentials, when a redirect points to a different host. This aligns with Go's net/http behavior. Callers that relied on credentials being sent to a redirect target on another host will need to target that host directly. #​901 #​920 #​921
• config: LoadHTTPConfigFile now resolves relative file paths (e.g. *_file credentials, http_headers files) against the config file's own directory instead of its parent directory. Configs that worked around the old behavior by prefixing paths with the config's directory name must drop that prefix. #​925

Bugfixes

• expfmt: fix nil pointer panic when parsing empty braces {}. #​922
• model: fix Time.UnmarshalJSON for larger negative numbers. #​918

Performance

• model: reduce allocations in Time.UnmarshalJSON. #​918

Internal

• Synchronize common files from prometheus/prometheus. #​917
• Modernize Go. #​919

Full Changelog: prometheus/common@v0.68.1...v0.69.0

v0.68.0

Compare Source

What's Changed

• Synchronize common files from prometheus/prometheus by @​prombot in #​873
• Synchronize common files from prometheus/prometheus by @​prombot in #​874
• build(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @​dependabot[bot] in #​879
• build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by @​dependabot[bot] in #​878
• Synchronize common files from prometheus/prometheus by @​prombot in #​875
• Synchronize common files from prometheus/prometheus by @​prombot in #​880
• Remove logic adding unit to metrics name by @​vesari in #​877
• Synchronize common files from prometheus/prometheus by @​prombot in #​881
• Update for Go 1.26 by @​SuperQ in #​883
• build(deps): bump golang.org/x/net from 0.49.0 to 0.51.0 by @​dependabot[bot] in #​882
• version: Add a slog helper by @​SuperQ in #​886
• Remove Arthur from maintainers list by @​ArthurSens in #​885
• Synchronize common files from prometheus/prometheus by @​prombot in #​895
• Synchronize common files from prometheus/prometheus by @​prombot in #​896
• config: change NewOAuth2RoundTripper to accept variadic HTTPClientOption by @​alliasgher in #​898
• config: guard against nil oauth2 credential in RoundTrip by @​alliasgher in #​897
• build(deps): bump golang.org/x/net from 0.51.0 to 0.52.0 by @​dependabot[bot] in #​890
• build(deps): bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 by @​dependabot[bot] in #​891
• build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.36.0 by @​dependabot[bot] in #​892
• Move interface assertions to a test file by @​msiegen in #​839
• fix(http_config): fix client cert rotation when no CA is configured by @​machine424 in #​908
• Remove CircleCI by @​ArthurSens in #​910
• Fix: apply DialContextFunc to OAuth2 token-fetch transport by @​yuri-tceretian in #​911

New Contributors

• @​alliasgher made their first contribution in #​898
• @​msiegen made their first contribution in #​839
• @​machine424 made their first contribution in #​908
• @​yuri-tceretian made their first contribution in #​911

Full Changelog: prometheus/common@v0.67.5...v0.68.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[renovate-rancher]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/sys	v0.39.0 -> v0.45.0