build(deps): bump the go-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the go-dependencies group with 7 updates in the / directory:

Package	From	To
github.com/99designs/gqlgen	0.17.90	0.17.91
github.com/aws/aws-sdk-go-v2/config	1.32.23	1.32.25
github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue	1.20.45	1.20.48
github.com/redis/go-redis/v9	9.20.0	9.20.1
github.com/sigstore/cosign/v3	3.0.6	3.1.1
modernc.org/sqlite	1.51.0	1.52.0
sigs.k8s.io/controller-runtime	0.24.0	0.24.1

Updates github.com/99designs/gqlgen from 0.17.90 to 0.17.91

Release notes

Sourced from github.com/99designs/gqlgen's releases.

v0.17.91

What's Changed

• Stop dispatch handler when request context is canceled by @​vvakame in 99designs/gqlgen#4150
• Add PayloadReadLimit to WebSocket transport by @​jayaraman-venkatesan in 99designs/gqlgen#4148
• refactor(codegen): split root and per-schema templates, drop layout guards by @​toga4 in 99designs/gqlgen#4149
• Show deprecated input values in GraphiQL by @​DiscretePython in 99designs/gqlgen#4159
• Issue 4167 document middlewares by @​elwinar in 99designs/gqlgen#4169
• Fix potential panic in batch directive cast by @​jeolted in 99designs/gqlgen#4178
• Add error unwrapping to WebsocketError by @​jrh3k5 in 99designs/gqlgen#4177
• Deprecate github.com/gorilla/websocket by @​UnAfraid in 99designs/gqlgen#4183
• Remove usage of github.com/PuerkitoBio/goquery by @​jeolted in 99designs/gqlgen#4184
• allow custom websocket close code and reason by @​NateScarlet in 99designs/gqlgen#4170
• Fix batch resolvers reusing a single _federationRequires for all parents (#4192) by @​atzedus in 99designs/gqlgen#4193
• Add global batch resolver config under resolver.batch (issue #4044) by @​atzedus in 99designs/gqlgen#4195
• fix: CoerceList drops elements from typed slices past the first by @​c-tonneslan in 99designs/gqlgen#4194
• Add SSE min event interval by @​cyphercodes in 99designs/gqlgen#4196
• chore: remove deprecated GraphQL handler implementation from handler.… by @​atzedus in 99designs/gqlgen#4204
• graphql: add runtime non-null field support via MarkNonNull by @​lbarthon in 99designs/gqlgen#4138
• Update gqlparser to v2.5.34 by @​StevenACoffman in 99designs/gqlgen#4210
• chore(deps-dev): bump typescript from 6.0.2 to 6.0.3 in /integration by @​dependabot[bot] in 99designs/gqlgen#4156
• chore(deps-dev): bump @​apollo/client from 4.1.7 to 4.1.9 in /integration by @​dependabot[bot] in 99designs/gqlgen#4155
• chore(deps): bump golang.org/x/tools from 0.42.0 to 0.44.0 by @​dependabot[bot] in 99designs/gqlgen#4152
• chore(deps-dev): bump vitest from 4.1.4 to 4.1.5 in /integration by @​dependabot[bot] in 99designs/gqlgen#4154
• chore(deps): bump devops-actions/actionlint from 0.1.11 to 0.1.12 by @​dependabot[bot] in 99designs/gqlgen#4166
• chore(deps): bump dawidd6/action-download-artifact from 20 to 21 by @​dependabot[bot] in 99designs/gqlgen#4165
• chore(deps): bump robherley/go-test-action from 1.0.0 to 1.0.1 by @​dependabot[bot] in 99designs/gqlgen#4164
• chore(deps-dev): bump @​graphql-codegen/schema-ast from 5.0.2 to 6.0.0 in /integration by @​dependabot[bot] in 99designs/gqlgen#4163
• chore(deps): bump test-summary/action from 2.4 to 2.6 by @​dependabot[bot] in 99designs/gqlgen#4175
• chore(deps-dev): bump vitest from 4.1.5 to 4.1.6 in /integration by @​dependabot[bot] in 99designs/gqlgen#4180
• chore(deps): bump github.com/urfave/cli/v3 from 3.8.0 to 3.9.0 by @​dependabot[bot] in 99designs/gqlgen#4181
• chore(deps): bump mikepenz/action-junit-report from 6.4.0 to 6.4.1 by @​dependabot[bot] in 99designs/gqlgen#4182
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 in /_examples by @​dependabot[bot] in 99designs/gqlgen#4172
• chore(deps-dev): bump graphql from 16.13.2 to 16.14.0 in /integration by @​dependabot[bot] in 99designs/gqlgen#4171
• chore(deps-dev): bump @​graphql-codegen/introspection from 5.0.2 to 6.0.0 in /integration by @​dependabot[bot] in 99designs/gqlgen#4160
• chore(deps-dev): bump vitest from 4.1.6 to 4.1.7 in /integration by @​dependabot[bot] in 99designs/gqlgen#4188
• chore(deps): bump robherley/go-test-action from 1.0.1 to 1.1.0 by @​dependabot[bot] in 99designs/gqlgen#4189
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @​dependabot[bot] in 99designs/gqlgen#4174
• chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @​dependabot[bot] in 99designs/gqlgen#4190
• chore(deps-dev): bump @​apollo/client from 4.1.9 to 4.2.0 in /integration by @​dependabot[bot] in 99designs/gqlgen#4187
• chore(deps): bump golang.org/x/net from 0.53.0 to 0.55.0 by @​dependabot[bot] in 99designs/gqlgen#4186
• chore(deps): bump golang.org/x/tools from 0.44.0 to 0.45.0 by @​dependabot[bot] in 99designs/gqlgen#4173
• chore(deps-dev): bump @​graphql-codegen/cli from 6.3.1 to 7.0.0 in /integration by @​dependabot[bot] in 99designs/gqlgen#4162
• chore(deps-dev): bump vitest from 4.1.7 to 4.1.8 in /integration by @​dependabot[bot] in 99designs/gqlgen#4200
• chore(deps-dev): bump @​graphql-codegen/introspection from 6.0.0 to 6.0.1 in /integration by @​dependabot[bot] in 99designs/gqlgen#4202
• chore(deps-dev): bump graphql from 16.14.0 to 16.14.1 in /integration by @​dependabot[bot] in 99designs/gqlgen#4198
• chore(deps-dev): bump @​graphql-codegen/cli from 7.0.0 to 7.1.2 in /integration by @​dependabot[bot] in 99designs/gqlgen#4201
• chore(deps-dev): bump @​apollo/client from 4.2.0 to 4.2.2 in /integration by @​dependabot[bot] in 99designs/gqlgen#4206
• chore(deps-dev): bump @​graphql-codegen/client-preset from 5.3.0 to 6.0.1 in /integration by @​dependabot[bot] in 99designs/gqlgen#4208
• chore(deps-dev): bump shell-quote from 1.8.3 to 1.8.4 in /integration in the npm_and_yarn group across 1 directory by @​dependabot[bot] in 99designs/gqlgen#4209

... (truncated)

Commits

• 822e228 release v0.17.91
• 837d8a7 Update gqlparser to v2.5.34 (#4210)
• 7ab1571 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#4207)
• 9de7aa7 chore(deps-dev): bump shell-quote (#4209)
• bcddd87 chore(deps-dev): bump @​graphql-codegen/client-preset in /integration (#4208)
• f06fcae chore(deps-dev): bump @​apollo/client from 4.2.0 to 4.2.2 in /integration (#4206)
• 9f8f94f graphql: add runtime non-null field support via MarkNonNull (#4138)
• c1fa635 chore: remove deprecated GraphQL handler implementation from handler.go, tran...
• e9f372e chore(deps-dev): bump @​graphql-codegen/cli in /integration (#4201)
• 8888c7c chore(deps-dev): bump graphql from 16.14.0 to 16.14.1 in /integration (#4198)
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.23 to 1.32.25

Commits

• 0016334 Release 2026-06-10
• 396a182 Regenerated Clients
• 3eb8533 Update API model
• 7bbea79 Release 2026-06-09
• 1fefa6c Regenerated Clients
• a2cf49f Update endpoints model
• d87be68 Update API model
• 9a3190f Release 2026-06-08
• b20dd5b Regenerated Clients
• 75a45ea Update API model
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue from 1.20.45 to 1.20.48

Commits

• 7bbea79 Release 2026-06-09
• 1fefa6c Regenerated Clients
• a2cf49f Update endpoints model
• d87be68 Update API model
• 9a3190f Release 2026-06-08
• b20dd5b Regenerated Clients
• 75a45ea Update API model
• e736f55 Add preview of changes for standard retry mode behind flag (#3400)
• ba08dc9 Release 2026-06-05.2
• 9a67e21 Revert schema serde (#3442)
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/dynamodb from 1.57.9 to 1.59.0

Commits

• 1d44177 Release 2024-08-15
• bab4916 Regenerated Clients
• 2d4ecf5 Update endpoints model
• df4f4e1 Update API model
• 51ca5b5 bump smithy-go and go version (#2750)
• 39ddd61 Release 2024-08-14
• ffaf282 Regenerated Clients
• 6beafa8 Update API model
• 57f6f2d Release 2024-08-13
• cdeb8a6 Regenerated Clients
• Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.20.0 to 9.20.1

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @​ndyakov

🐛 Bug Fixes

• RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @​ndyakov
• FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @​ndyakov
• CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @​madolson
• PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @​cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​cxljs, @​madolson, @​ndyakov

---

Full Changelog: redis/go-redis@v9.20.0...v9.20.1

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.20.1 (2026-06-11)

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @​ndyakov

🐛 Bug Fixes

• RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @​ndyakov
• FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @​ndyakov
• CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @​madolson
• PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @​cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​cxljs, @​madolson, @​ndyakov

---

Full Changelog: redis/go-redis@v9.20.0...v9.20.1

Commits

• a13416b chore(release): 9.20.1 (#3847)
• 10dc44f fix(push): fix peeking when push name is truncated (#3842)
• e1a2d68 fix(ft.hybrid): Always generate vector param names if they are not provided b...
• a4b234f chore(deps): bump codecov/codecov-action from 6 to 7 (#3845)
• 974e717 fix(command): ignore unknown fields in CLUSTER SHARDS response (#3843)
• 65d6abd fix(pubsub): prevent double reconnect in releaseConn (#3833)
• See full diff in compare view

Updates github.com/sigstore/cosign/v3 from 3.0.6 to 3.1.1

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.1.1

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

• Initialize PKCS11 slots Before Getting Token Info in sigstore/cosign#4803
• Sign exclusively via sigstore-go in sigstore/cosign#4618
• bundle create: Prevent IgnoreTlog when bundle contains SET in sigstore/cosign#4829
• Require bundle output or registry upload in sigstore/cosign#4785
• fix(load): pass NameOptions to name.ParseReference in sigstore/cosign#4786
• fix: honor --digestAlg when hashing a blob in verify-blob-attestation in sigstore/cosign#4813
• Deprecate Flags for v4: Certificates in sigstore/cosign#4822
• Deprecate flags signing config in sigstore/cosign#4844
• Deprecate flags bundle in sigstore/cosign#4838
• Fix typo in map of verify command fields unsupported for new bundle format in sigstore/cosign#4853
• Add bundle upgrade command in sigstore/cosign#4820
• Deprecate Flags for v4 in sigstore/cosign#4854
• fix: close file descriptor leaked in WriteSignedImageIndexImages loop in sigstore/cosign#4869
• fix: use Header.Set to prevent duplicate Authorization on retry in sigstore/cosign#4870
• feat(cli): add Rekor v2 flag to cosign signing-config create in sigstore/cosign#4868
• Fix crash verifying timestamps when no timestamp was verified in sigstore/cosign#4881
• Deprecate Flags for v4: OCI Referrers in sigstore/cosign#4804
• Use the configured Target Repository more consistently in sigstore/cosign#4836
• fix: check HTTP status code in LoadFileOrURL in sigstore/cosign#4877
• Fix unsafe type assertion in Rego policy evaluation by in sigstore/cosign#4882
• Fix Ed25519ph check to respect custom signing configs in sign-blob in sigstore/cosign#4880
• Enable initialize command output in conformance in sigstore/cosign#4892
• verify: return TUF errors for new bundle trusted roots in sigstore/cosign#4878
• Deprecate subcommands in sigstore/cosign#4894
• Remove docstring references to deprecated flags in sigstore/cosign#4910
• fix(verify): Attach detached certificates to static signatures via wrapped verifier in sigstore/cosign#4737
• fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in sigstore/cosign#4917
• Update sigstore-go to v1.2.0 in sigstore/cosign#4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

Commits

• 7914231 Fix build for Go version 1.26.3 (#4933)
• d8e992a chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 (#4929)
• 305817b chore(deps): bump google.golang.org/api from 0.280.0 to 0.283.0 (#4925)
• 09564f9 chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4926)
• 702cbe0 chore(deps): bump golang in the all group across 1 directory
• f3885a6 chore(deps): bump github.com/go-openapi/swag/conv in the gomod group
• 76a5eec chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.6.0 to 2.7.0
• df2a334 chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0
• 2620da6 chore(deps): bump github.com/open-policy-agent/opa from 1.16.2 to 1.17.1
• 282ff33 chore(deps): bump the actions group across 1 directory with 4 updates
• Additional commits viewable in compare view

Updates github.com/vektah/gqlparser/v2 from 2.5.33 to 2.5.34

Release notes

Sourced from github.com/vektah/gqlparser/v2's releases.

v2.5.34

What's Changed

• fix fragment definition directive variable handling by @​jbellenger in vektah/gqlparser#426
• Remove github.com/andreyvit/diff dependency by @​jeolted in vektah/gqlparser#430
• fix: reject duplicate enum values and repeated non-repeatable directives by @​advoretsky in vektah/gqlparser#436
• build(deps): bump @​babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4 in /validator/imported by @​dependabot[bot] in vektah/gqlparser#428
• build(deps): bump @​babel/preset-env from 7.29.2 to 7.29.3 in /validator/imported in the actions-deps group by @​dependabot[bot] in vektah/gqlparser#427
• build(deps): bump @​babel/preset-env from 7.29.3 to 7.29.5 in /validator/imported in the actions-deps group by @​dependabot[bot] in vektah/gqlparser#429
• build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 in the actions-deps group by @​dependabot[bot] in vektah/gqlparser#433
• build(deps): bump the actions-deps group across 1 directory with 7 updates by @​dependabot[bot] in vektah/gqlparser#434

New Contributors

• @​jbellenger made their first contribution in vektah/gqlparser#426
• @​jeolted made their first contribution in vektah/gqlparser#430
• @​advoretsky made their first contribution in vektah/gqlparser#436

Full Changelog: vektah/gqlparser@v2.5.33...v2.5.34

Commits

• 807d627 fix: reject duplicate enum values and repeated non-repeatable directives (#436)
• 06ffafa Remove github.com/andreyvit/diff dependency (#430)
• 40b51d7 build(deps): bump the actions-deps group across 1 directory with 7 updates (#...
• 34d0454 build(deps): bump golangci/golangci-lint-action (#433)
• 49ea804 build(deps): bump @​babel/preset-env (#429)
• 9e555b8 build(deps): bump @​babel/preset-env (#427)
• e723cfd build(deps): bump @​babel/plugin-transform-modules-systemjs (#428)
• 84821cc Fix fragment definition directive variable usage (#426)
• See full diff in compare view

Updates golang.org/x/crypto from 0.52.0 to 0.53.0

Commits

• 45460e0 go.mod: update golang.org/x dependencies
• d37c95e pkcs12: limit PBKDF iteration count to prevent CPU exhaustion
• e2ffffe ssh: reject incomplete gssapi-with-mic configurations
• 60e158a ssh/test: isolate CLI tests from user SSH config and agent
• 1b77d23 ssh/knownhosts: reject lines with multiple or unknown markers
• 3872a2b ssh/knownhosts: verify declared key type matches decoded key
• 9f72ecc ssh/knownhosts: treat only ASCII space and tab as whitespace
• 8f405a4 ssh: validate ECDSA curve matches expected algorithm
• bb41b3d ssh: improve DH GEX group selection using PreferredBits
• e04e721 ssh/agent: validate ed25519 private key length in Add
• Additional commits viewable in compare view

Updates modernc.org/sqlite from 1.51.0 to 1.52.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-06-14 v1.53.0:

  • Add experimental netbsd/amd64 support, resolving the long-standing build break in [GitLab issue #246](https://gitlab.com/cznic/sqlite/-/issues/246). This target is intentionally not yet listed among the supported platforms in the package documentation: the port had been broken for years and is only now revived, and there is as yet no real-world experience running it under production workloads. Green CI is not the same as battle-tested — so while the full test suite (including the pcache and vec packages and the -race concurrency test) passes on NetBSD 10.1 / Go 1.26.3, and the entire upstream toolchain (libc, cc, ccgo, libz, libtcl8.6, libsqlite3, libsqlite_vec) is green on the NetBSD CI builder, the target is offered for evaluation only. If you run NetBSD, please exercise it with your own workloads and report back via #246; the intent is to promote it to a fully supported platform after a period of broader real-world testing (on the order of a month) elapses without surprises.
  • Implementation notes: the previously shipped lib/sqlite_netbsd_amd64.go was a stale old-generator transpile that no longer compiled (the mu.enter/mu.leave break in #246); it is replaced by a fresh new-generator transpile consistent with every other platform, and modernc.org/sqlite/vec (sqlite-vec) is vendored and auto-registers on netbsd. Correct operation requires the matching pinned modernc.org/libc, which carries two NetBSD-specific fixes found during this work: the mmap(2) PAD-argument ABI (without it, concurrent WAL access faults with SIGBUS in the WAL-index shared memory) and a working abort(3) (the prior stub left SQLite's crash-recovery writecrash test unable to terminate by signal). As usual, downstream modules must pin the exact modernc.org/libc version this module's go.mod pins.
  • See [GitLab merge request #82](https://gitlab.com/cznic/sqlite/-/merge_requests/82), thanks Leonardo Taccari (@​iamleot) and Thomas Klausner (@wiz)!
  • Add a Go-facing wrapper for SQLITE_CONFIG_PCACHE2. PageCache is the factory and Cache the per-database instance, both idiomatic Go interfaces; Page exposes the raw Buf and Extra pointers that SQLite reads through the C pcache contract. RegisterPageCache and MustRegisterPageCache install the module process-globally before the first sql.Open; subsequent Open calls are gated through a one-shot Xsqlite3_config(SQLITE_CONFIG_PCACHE2) so a too-late Register returns ErrPageCacheTooLate rather than silently falling through to the built-in pcache1. The binding owns the sqlite3_pcache_page stub and re-consults the implementation on every Fetch, reusing the stub only when the returned Page value is unchanged, which keeps a bounded/evicting purgeable cache safe by construction.
  • See [GitLab merge request #126](https://gitlab.com/cznic/sqlite/-/merge_requests/126), thanks Ian Chechin!
  • Add modernc.org/sqlite/pcache, the reference page-cache implementation that accompanies the #126 SQLITE_CONFIG_PCACHE2 wrapper. pcache.New returns a *Pool satisfying the PageCache interface; register it once with sqlite.MustRegisterPageCache(pcache.New()) and every connection opened afterwards draws its pages from it. Each Pool.Create mints a fresh per-database Cache: a bounded, LRU-evicting page store that honours the PRAGMA cache_size soft cap and releases the least-recently-unpinned page when it must make room. Page memory — the Buf and Extra buffers SQLite reads through — is allocated with libc.Xmalloc/libc.Xcalloc and therefore lives off the Go heap, which keeps SQLite's interior pointer arithmetic on the page extras from tripping the race detector's checkptr enforcement. Pool.Stats reports aggregate lifetime counters (hits, misses, allocs, evictions, rekeys, truncates, caches) across every cache a Pool has created, so hit/miss/eviction behaviour is observable without instrumenting individual caches. Cross-connection page sharing is out of scope for now; each Create returns an independent per-database cache.
  • Validated end-to-end against the #126 stress workload (cache_size=16, 4000 BLOB rows with DELETE and incremental_vacuum, integrity_check clean under -race) and benchmarked for the memory-utilization goal tracked in [GitLab issue #204](https://gitlab.com/cznic/sqlite/-/issues/204).
  • See [GitLab merge request #127](https://gitlab.com/cznic/sqlite/-/merge_requests/127), thanks Ian Chechin!
  • Tighten the modernc.org/sqlite/pcache reference implementation per cznic's !127 review follow-ups. Adds Stats.EasyRefusals, a per-Pool counter for the cases where FetchCreateEasy returns nil at cap; SQLite reacts to a refusal by spilling dirty pages and retrying with FetchCreateForce, so the new field is a direct proxy for the I/O pressure the strict Easy contract imposes vs pcache1's recycle-without-spill behavior. BenchmarkPoolEvictionChurn was reworked to drive a rotating-residue DELETE (k % 3 = i % 3) and re-insert a matching batch each cycle so the spill pressure recurs and easy-refusals/op scales with b.N instead of capping at the seed's one-time first-cycle cost; both existing benchmarks now report easy-refusals/op alongside the page-allocs/evictions metrics. Stats.Evictions documentation was tightened to match the actual behavior (counts LRU eviction, Unpin(discard=true), Shrink releases, and Unpin(discard=false) trimming back to target after a FetchCreateForce overcommit; bulk frees from Truncate, Rekey collisions, and Destroy are not counted). The TestPoolRoundTripIntegrity comment claiming the workload exercises xRekey ~15 times has been corrected; the SQL surface does not reliably emit xRekey here, and that codepath is covered by the unit tests instead.
  • See [GitLab merge request #130](https://gitlab.com/cznic/sqlite/-/merge_requests/130), thanks Ian Chechin!
  • Make modernc.org/sqlite/pcache -race-clean under SQLite's cache=shared mode. The pool already runs correctly under shared-cache because every callback into a given Cache is serialised internally by SQLite's sqlite3BtreeEnter on the BtShared mutex; verified empirically with a lock-free in-flight probe (max-in-flight = 1 on the canonical two-connection workload, 4 on a positive control with goroutines hitting the cache directly). However the Go race detector does not recognise SQLite's libc mutex as a happens-before edge and reports false-positive races on Fetch vs Unpin reads/writes of the per-cache state, which surfaces as DATA RACE failures for any user who registers the pool and runs their suite under -race. A sync.Mutex on the cache type is now taken on every public method (SetSize, PageCount, Fetch, Unpin, Rekey, Truncate, Destroy, Shrink), always. On the common non-shared-cache path the lock is uncontended (one atomic CAS per Lock/Unlock pair, negligible next to the SQLite work it bookends); on the shared-cache path it just rubber-stamps the order SQLite's BtShared mutex already established. A new e2e_test.go TestSharedCacheTwoConns_Integrity drives two sql.Conn against the same cache=shared URI with concurrent writers and asserts PRAGMA integrity_check = ok under -race; passes cleanly with the lock, would surface the false-positive without it. Design notes live in pcache/sharing.go.
  • See [GitLab merge request #131](https://gitlab.com/cznic/sqlite/-/merge_requests/131), thanks Ian Chechin!
  • Add a Go wrapper for sqlite3_db_status, the per-connection runtime counters (cache hit/miss/write/spill rates, schema and prepared-statement memory, lookaside usage, deferred foreign keys). DBStatus is an interface implemented by the driver connection and reached through the database/sql escape hatch (*sql.Conn).Raw(), mirroring the existing FileControl surface; DBStatusOp is a distinct typed enum of the SQLITE_DBSTATUS_* verbs so a counter from a different op family will not compile in its place. Status(op, reset) returns the (current, high) pair and optionally resets the counter. This also lets modernc.org/sqlite/pcache measure real I/O instead of the EasyRefusals proxy: the new BenchmarkPoolSpillIO reads the pager-level SQLITE_DBSTATUS_CACHE_SPILL/_CACHE_WRITE counters, which the pager maintains identically for pcache1 and the pool, making the pcache1-vs-pool comparison cznic raised on the !127 review a genuine apples-to-apples measurement. On the rotating-residue eviction-churn workload at cache_size=16 the pool spills ~3.5x more than pcache1 (cache-spill/op 31.96 vs 8.96) for ~3% more page writes (cache-write/op 450 vs 436) at identical hit/miss, quantifying the I/O cost of the strict Easy contract that EasyRefusals only proxied.
  • See [GitLab merge request #132](https://gitlab.com/cznic/sqlite/-/merge_requests/132), thanks Ian Chechin!
  • Add an opt-in _dqs DSN query parameter that disables SQLite's double-quoted string literal compatibility quirk on a per-connection basis. When _dqs=0 (or any strconv.ParseBool false value) is supplied, the driver calls sqlite3_db_config with SQLITE_DBCONFIG_DQS_DDL and SQLITE_DBCONFIG_DQS_DML set to off before any statement is prepared, so a double-quoted identifier that fails to resolve raises a parse error instead of silently falling back to a string literal. Absence of the parameter, or _dqs=1, leaves SQLite's default behavior unchanged; existing DSNs continue to work byte-for-byte. Resolves [GitLab issue #61](https://gitlab.com/cznic/sqlite/-/issues/61).
  • See [GitLab merge request #128](https://gitlab.com/cznic/sqlite/-/merge_requests/128), thanks Ian Chechin!
  • Add an opt-in _error_rc DSN query parameter for clearer error reporting on open-time failures. When _error_rc=1 (or any strconv.ParseBool true value) is supplied, error strings synthesised from a (rc, db) pair only append sqlite3_errmsg(db) when sqlite3_extended_errcode(db) is consistent with the operation rc (full match first, primary code &0xff as fallback). On mismatch the canonical sqlite3_errstr(rc) is used alone, so an open-time SQLITE_CANTOPEN no longer carries the temporary handle's stale "out of memory" errmsg. Absence of the parameter, or _error_rc=0, preserves the legacy "errstr: errmsg" form byte-for-byte; existing callers that parse error strings are unaffected. The driver's *Error.Code() returns the same SQLite result code in both modes. Parsed before sqlite3_open_v2 so open-time errors are covered. Resolves [GitLab issue #230](https://gitlab.com/cznic/sqlite/-/issues/230).
  • See [GitLab merge request #129](https://gitlab.com/cznic/sqlite/-/merge_requests/129), thanks Ian Chechin!

• 2026-06-06 v1.52.0:

  • Upgrade to SQLite 3.53.2.
  • Add Backup.Remaining and Backup.PageCount, thin wrappers around the existing sqlite3_backup_remaining and sqlite3_backup_pagecount C symbols. Together they expose the per-Step progress counters that the underlying backup object already maintains, enabling progress reporting during online backups without dropping to modernc.org/sqlite/lib directly.
  • See [GitLab merge request #122](https://gitlab.com/cznic/sqlite/-/merge_requests/122), thanks Ian Chechin!
  • Drop the redundant second copy in (*conn).columnText, the path that backs every Rows.Scan into a Go string for a TEXT column. The value's bytes are still copied once out of SQLite-owned memory into a fresh Go buffer; that buffer is then reinterpreted as the result string with unsafe.String rather than copied a second time by the implicit string([]byte) conversion. This removes one allocation per TEXT value per row and roughly halves the bytes allocated on that path; on the new BenchmarkColumnTextScan cases it is ~13–20% faster for payloads of 256 B and larger, with no measurable change for very short strings. Purely internal: no API or behavioral change, and the returned string never aliases SQLite's buffer.
  • See [GitLab merge request #123](https://gitlab.com/cznic/sqlite/-/merge_requests/123), thanks Ian Chechin!
  • Cache each result column's declared type once per result set in newRows instead of recomputing it on every row. The TEXT branch of Rows.Next calls ColumnTypeDatabaseTypeName for every TEXT column on every row (independent of any DSN flag), which previously did a libc.GoString + strings.ToUpper each time; that lookup is now a single index into a cached, pre-uppercased []string, and ColumnTypeScanType reads the same cache and drops its per-call strings.ToLower. The declared type is fixed for the lifetime of a prepared statement, so the C round-trip is paid once per column rather than once per column per row, removing exactly 1 alloc + 8 B per TEXT column per row from the Next hot path. The new BenchmarkTextToTimeScan cases show ~7% faster on a 1000-row DATETIME SELECT under _texttotime=1. Purely internal: ColumnTypeDatabaseTypeName and ColumnTypeScanType return identical values, no API or behavioral change.
  • See [GitLab merge request #124](https://gitlab.com/cznic/sqlite/-/merge_requests/124), thanks Ian Chechin!
  • Cache, per result column, the parseTimeFormats index that first parsed a TEXT-stored DATE/DATETIME/TIMESTAMP value, and try that format first on later rows instead of re-walking the list from the top. (*conn).parseTime previously ran time.Parse down the format list on every such row; for the canonical SQLite TEXT datetime format every row paid two failed time.Parse attempts — each allocating a *time.ParseError — before the match. On a 1000-row DATETIME TEXT SELECT this cuts ~50% of allocs/op and ~57% of B/op and is ~37% faster. The fall-through chain is preserved exactly: the seven formats are mutually exclusive, so the cached hint can never select a different match than the in-order scan, and the parsed driver.Value is identical to before. Purely internal: no API or behavioral change.
  • See [GitLab merge request #125](https://gitlab.com/cznic/sqlite/-/merge_requests/125), thanks Ian Chechin!

• 2026-05-28 v1.51.0:

  • Pool the []driver.Value slice passed to scalar/aggregate UDF callbacks and to vtab Filter/Insert/Update callbacks, eliminating the dominant per-row allocation on UDF-heavy queries. Benchmarks on a 1000-row, 3-arg noop scalar UDF show ~40% fewer bytes/op and ~15% fewer allocs/op.
  • Document the matching "arguments are not valid past return" contract on vtab.Cursor.Filter and vtab.Updater.Insert/Update, consistent with the existing rule for FunctionImpl.Scalar / AggregateFunction.Step / WindowInverse.
  • Resolves [GitLab issue #226](https://gitlab.com/cznic/sqlite/-/issues/226). See [GitLab merge request ...

    Description has been truncated