From 4fb83354ca37c53e33b58dc5aa318a996cf8bd61 Mon Sep 17 00:00:00 2001
From: Till <2353100+S7evinK@users.noreply.github.com>
Date: Thu, 16 Jan 2025 13:22:53 +0100
Subject: [PATCH 01/10] Update DCO in the GH PR template and the docs (#3496)

---
 .github/PULL_REQUEST_TEMPLATE.md |  2 +-
 docs/development/CONTRIBUTING.md | 52 +++++++++++++++++++++++---------
 2 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index bbbdd82a..96a36171 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,6 +3,6 @@
 <!-- Please read https://matrix-org.github.io/dendrite/development/contributing before submitting your pull request -->
 
 * [ ] I have added Go unit tests or [Complement integration tests](https://github.com/matrix-org/complement) for this PR _or_ I have justified why this PR doesn't need tests
-* [ ] Pull request includes a [sign off below using a legally identifiable name](https://matrix-org.github.io/dendrite/development/contributing#sign-off) _or_ I have already signed off privately
+* [ ] Pull request includes a [sign off below](https://element-hq.github.io/dendrite/development/contributing#sign-off) _or_ I have already signed off privately
 
 Signed-off-by: `Your Name <your@email.example.org>`
diff --git a/docs/development/CONTRIBUTING.md b/docs/development/CONTRIBUTING.md
index 0d6f533c..d12e151d 100644
--- a/docs/development/CONTRIBUTING.md
+++ b/docs/development/CONTRIBUTING.md
@@ -34,27 +34,49 @@ The following items are unlikely to be accepted into a main Dendrite release for
 
 ## Sign off
 
-We require that everyone who contributes to the project signs off their contributions
-in accordance with the [Developer Certificate of Origin](https://github.com/matrix-org/matrix-spec/blob/main/CONTRIBUTING.rst#sign-off).
-In effect, this means adding a statement to your pull requests or commit messages
-along the lines of:
+We ask that everybody who contributes to this project signs off their contributions, as explained below.
+
+We follow a simple 'inbound=outbound' model for contributions: the act of submitting an 'inbound' contribution means that the contributor agrees to license their contribution under the same terms as the project's overall 'outbound' license - in our case, this is Apache Software License v2 (see [LICENSE](../..//LICENSE)).
+
+In order to have a concrete record that your contribution is intentional and you agree to license it under the same terms as the project's license, we've adopted the same lightweight approach used by the [Linux Kernel](https://www.kernel.org/doc/html/latest/process/submitting-patches.html), [Docker](https://github.com/docker/docker/blob/master/CONTRIBUTING.md), and many other projects: the [Developer Certificate of Origin](https://developercertificate.org/) (DCO). This is a simple declaration that you wrote the contribution or otherwise have the right to contribute it to Matrix:
 
 ```
-Signed-off-by: Full Name <email address>
+Developer Certificate of Origin
+Version 1.1
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+Developer's Certificate of Origin 1.1
+By making a contribution to this project, I certify that:
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
 ```
 
-Unfortunately we can't accept contributions without a sign-off.
+If you agree to this for your contribution, then all that's needed is to include the line in your commit or pull request comment:
 
-Please note that we can only accept contributions under a legally identifiable name,
-such as your name as it appears on government-issued documentation or common-law names
-(claimed by legitimate usage or repute). We cannot accept sign-offs from a pseudonym or
-alias and cannot accept anonymous contributions.
+```
+Signed-off-by: Your Name <your@email.example.org>
+```
 
-If you would prefer to sign off privately instead (so as to not reveal your full
-name on a public pull request), you can do so by emailing a sign-off declaration
-and a link to your pull request directly to the [Matrix.org Foundation](https://matrix.org/foundation/)
-at `dco@matrix.org`. Once a private sign-off has been made, you will not be required
-to do so for future contributions.
+Git allows you to add this signoff automatically when using the `-s` flag to `git commit`, which uses the name and email set in your `user.name` and `user.email` git configs.
 
 ## Getting up and running
 

From e9cc37ac52ff1611ddf055a95e65869806041038 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Thu, 16 Jan 2025 11:35:50 -0700
Subject: [PATCH 02/10] Merge commit from fork

* Support configuring allow/deny networks

* Make the DNS cache aware of the allow/deny networks

* Allow all networks in CI

* Update GMSL

* Add missed file

---------

Co-authored-by: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
---
 cmd/dendrite/main.go                 |  2 ++
 cmd/generate-config/main.go          |  4 ++++
 contrib/dendrite-demo-i2p/main.go    |  2 ++
 contrib/dendrite-demo-tor/main.go    |  2 ++
 dendrite-sample.yaml                 | 18 ++++++++++++++++++
 go.mod                               |  2 +-
 go.sum                               |  4 ++--
 setup/base/base.go                   |  1 +
 setup/config/config_federationapi.go | 18 ++++++++++++++++++
 9 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/cmd/dendrite/main.go b/cmd/dendrite/main.go
index da43432f..5badbda2 100644
--- a/cmd/dendrite/main.go
+++ b/cmd/dendrite/main.go
@@ -94,6 +94,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",
diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go
index c6399ec5..63e1dde7 100644
--- a/cmd/generate-config/main.go
+++ b/cmd/generate-config/main.go
@@ -71,6 +71,10 @@ func main() {
 			cfg.ClientAPI.RateLimiting.Enabled = false
 			cfg.FederationAPI.DisableTLSValidation = false
 			cfg.FederationAPI.DisableHTTPKeepalives = true
+			// Allow allow networks when running in CI, as otherwise connections
+			// to other servers might be blocked when running Complement/Sytest.
+			cfg.FederationAPI.DenyNetworkCIDRs = []string{}
+			cfg.FederationAPI.AllowNetworkCIDRs = []string{}
 			// don't hit matrix.org when running tests!!!
 			cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{}
 			cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media"))
diff --git a/contrib/dendrite-demo-i2p/main.go b/contrib/dendrite-demo-i2p/main.go
index 27f69acb..139edacc 100644
--- a/contrib/dendrite-demo-i2p/main.go
+++ b/contrib/dendrite-demo-i2p/main.go
@@ -70,6 +70,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",
diff --git a/contrib/dendrite-demo-tor/main.go b/contrib/dendrite-demo-tor/main.go
index 132b557f..ab32e1db 100644
--- a/contrib/dendrite-demo-tor/main.go
+++ b/contrib/dendrite-demo-tor/main.go
@@ -65,6 +65,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",
diff --git a/dendrite-sample.yaml b/dendrite-sample.yaml
index 0ee381f0..2afdc33f 100644
--- a/dendrite-sample.yaml
+++ b/dendrite-sample.yaml
@@ -254,6 +254,24 @@ federation_api:
   # last resort.
   prefer_direct_fetch: false
 
+  # deny_networks and allow_networks are the CIDR ranges used to prevent requests
+  # from accessing private IPs. If your system has specific IPs it should never
+  # contact, add them here with CIDR notation.
+  #
+  # The deny list is checked before the allow list.
+  deny_networks:
+    - "127.0.0.1/8"
+    - "10.0.0.0/8"
+    - "172.16.0.0/12"
+    - "192.168.0.0/16"
+    - "100.64.0.0/10"
+    - "169.254.0.0/16"
+    - "::1/128"
+    - "fe80::/64"
+    - "fc00::/7"
+  allow_networks:
+    - "0.0.0.0/0" # "Everything". The deny list will help limit this.
+
 # Configuration for the Media API.
 media_api:
   # Storage path for uploaded media. May be relative or absolute.
diff --git a/go.mod b/go.mod
index 04453125..36463adb 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/matrix-org/dugong v0.0.0-20210921133753-66e6b1c67e2e
 	github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91
 	github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530
-	github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8
+	github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d
 	github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7
 	github.com/matrix-org/util v0.0.0-20221111132719-399730281e66
 	github.com/mattn/go-sqlite3 v1.14.24
diff --git a/go.sum b/go.sum
index ff0bbeb3..5d2612d3 100644
--- a/go.sum
+++ b/go.sum
@@ -232,8 +232,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 h1:s7fexw
 github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 h1:nC998SaawQwbZ16/V70Pil3pY3rSQwTaeLOpHWp7ZTo=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d h1:c3Dkci0GDH/6cGGt8zGIiJMP+UOdtX0DPY6dxiJvtZM=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 h1:6t8kJr8i1/1I5nNttw6nn1ryQJgzVlBmSGgPiiaTdw4=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7/go.mod h1:ReWMS/LoVnOiRAdq9sNUC2NZnd1mZkMNB52QhpTRWjg=
 github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y=
diff --git a/setup/base/base.go b/setup/base/base.go
index 359a6816..ffc2be37 100644
--- a/setup/base/base.go
+++ b/setup/base/base.go
@@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc
 		fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
 		fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
 		fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
+		fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs),
 	}
 	if cfg.Global.DNSCache.Enabled {
 		opts = append(opts, fclient.WithDNSCache(dnsCache))
diff --git a/setup/config/config_federationapi.go b/setup/config/config_federationapi.go
index 073c46e0..ed417a74 100644
--- a/setup/config/config_federationapi.go
+++ b/setup/config/config_federationapi.go
@@ -46,6 +46,10 @@ type FederationAPI struct {
 
 	// Should we prefer direct key fetches over perspective ones?
 	PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
+
+	// Deny/Allow lists used for restricting request scopes.
+	DenyNetworkCIDRs  []string `yaml:"deny_networks"`
+	AllowNetworkCIDRs []string `yaml:"allow_networks"`
 }
 
 func (c *FederationAPI) Defaults(opts DefaultOpts) {
@@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
 	c.P2PFederationRetriesUntilAssumedOffline = 1
 	c.DisableTLSValidation = false
 	c.DisableHTTPKeepalives = false
+	c.DenyNetworkCIDRs = []string{
+		"127.0.0.1/8",
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"100.64.0.0/10",
+		"169.254.0.0/16",
+		"::1/128",
+		"fe80::/64",
+		"fc00::/7",
+	}
+	c.AllowNetworkCIDRs = []string{
+		"0.0.0.0/0",
+	}
 	if opts.Generate {
 		c.KeyPerspectives = KeyPerspectives{
 			{

From 40bef6a423d91fff69afb1cfb926d0b1612f38ec Mon Sep 17 00:00:00 2001
From: Till <2353100+S7evinK@users.noreply.github.com>
Date: Thu, 16 Jan 2025 19:42:51 +0100
Subject: [PATCH 03/10] Version v0.14.1 (#3501)

---
 CHANGES.md               | 18 ++++++++++++++++++
 helm/dendrite/Chart.yaml |  4 ++--
 helm/dendrite/README.md  |  2 +-
 internal/version.go      |  2 +-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 7d69459e..b5947c44 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,23 @@
 # Changelog
 
+## Dendrite 0.14.1 (2025-01-16)
+
+### ⚠ Important
+
+This is a security release, [gomatrixserverlib](https://github.com/matrix-org/gomatrixserverlib) was vulnerable to 
+server-side request forgery, serving content from a private network it can access, under certain conditions. 
+
+Upgrading to this version is **highly** recommended.
+
+### Security
+
+- Support for blocking access to certain networks, fixing [CVE-2024-52594](https://www.cve.org/CVERecord?id=CVE-2024-52594) and 
+  [GHSA-4ff6-858j-r822](https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822)
+
+### Fixes
+
+- Speed-up loading server ACLs on startup, this is mostly noticeable on larger instances with many rooms.
+
 ## Dendrite 0.14.0 (2024-12-18)
 
 This is the first release after forking matrix-org/dendrite, this repository is now licensed under AGPLv3.0.
diff --git a/helm/dendrite/Chart.yaml b/helm/dendrite/Chart.yaml
index 9d932462..b9ea7bf3 100644
--- a/helm/dendrite/Chart.yaml
+++ b/helm/dendrite/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: dendrite
-version: "0.15.0"
-appVersion: "0.14.0"
+version: "0.15.1"
+appVersion: "0.14.1"
 description: Dendrite Matrix Homeserver
 type: application
 icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
diff --git a/helm/dendrite/README.md b/helm/dendrite/README.md
index fd90869b..5cafac9d 100644
--- a/helm/dendrite/README.md
+++ b/helm/dendrite/README.md
@@ -1,7 +1,7 @@
 
 # dendrite
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+![Version: 0.15.1](https://img.shields.io/badge/Version-0.15.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.1](https://img.shields.io/badge/AppVersion-0.14.1-informational?style=flat-square)
 Dendrite Matrix Homeserver
 
 Status: **NOT PRODUCTION READY**
diff --git a/internal/version.go b/internal/version.go
index d262146b..5df808d7 100644
--- a/internal/version.go
+++ b/internal/version.go
@@ -18,7 +18,7 @@ var build string
 const (
 	VersionMajor = 0
 	VersionMinor = 14
-	VersionPatch = 0
+	VersionPatch = 1
 	VersionTag   = "" // example: "rc1"
 
 	gitRevLen = 7 // 7 matches the displayed characters on github.com

From 7f4ba1f6ebeffc709e5be97930122711cb8c9d63 Mon Sep 17 00:00:00 2001
From: Till <2353100+S7evinK@users.noreply.github.com>
Date: Thu, 16 Jan 2025 22:43:50 +0100
Subject: [PATCH 04/10] MSC3967: Do not require UIA when first uploading cross
 signing keys (#3471)

Playing around with Copilot, tests are generated.

Requires https://github.com/matrix-org/gomatrixserverlib/pull/444
---
 clientapi/routing/key_crosssigning.go      | 100 +++++--
 clientapi/routing/key_crosssigning_test.go | 316 +++++++++++++++++++++
 clientapi/routing/routing.go               |   2 +-
 3 files changed, 393 insertions(+), 25 deletions(-)
 create mode 100644 clientapi/routing/key_crosssigning_test.go

diff --git a/clientapi/routing/key_crosssigning.go b/clientapi/routing/key_crosssigning.go
index e6f093b5..26e0014b 100644
--- a/clientapi/routing/key_crosssigning.go
+++ b/clientapi/routing/key_crosssigning.go
@@ -7,7 +7,12 @@
 package routing
 
 import (
+	"context"
 	"net/http"
+	"time"
+
+	"github.com/matrix-org/gomatrixserverlib/fclient"
+	"github.com/sirupsen/logrus"
 
 	"github.com/element-hq/dendrite/clientapi/auth"
 	"github.com/element-hq/dendrite/clientapi/auth/authtypes"
@@ -23,10 +28,15 @@ type crossSigningRequest struct {
 	Auth newPasswordAuth `json:"auth"`
 }
 
+type UploadKeysAPI interface {
+	QueryKeys(ctx context.Context, req *api.QueryKeysRequest, res *api.QueryKeysResponse)
+	api.UploadDeviceKeysAPI
+}
+
 func UploadCrossSigningDeviceKeys(
-	req *http.Request, userInteractiveAuth *auth.UserInteractive,
-	keyserverAPI api.ClientKeyAPI, device *api.Device,
-	accountAPI api.ClientUserAPI, cfg *config.ClientAPI,
+	req *http.Request,
+	keyserverAPI UploadKeysAPI, device *api.Device,
+	accountAPI auth.GetAccountByPassword, cfg *config.ClientAPI,
 ) util.JSONResponse {
 	uploadReq := &crossSigningRequest{}
 	uploadRes := &api.PerformUploadDeviceKeysResponse{}
@@ -35,32 +45,59 @@ func UploadCrossSigningDeviceKeys(
 	if resErr != nil {
 		return *resErr
 	}
-	sessionID := uploadReq.Auth.Session
-	if sessionID == "" {
-		sessionID = util.RandomString(sessionIDLength)
-	}
-	if uploadReq.Auth.Type != authtypes.LoginTypePassword {
+
+	// Query existing keys to determine if UIA is required
+	keyResp := api.QueryKeysResponse{}
+	keyserverAPI.QueryKeys(req.Context(), &api.QueryKeysRequest{
+		UserID:        device.UserID,
+		UserToDevices: map[string][]string{device.UserID: {device.ID}},
+		Timeout:       time.Second * 10,
+	}, &keyResp)
+
+	if keyResp.Error != nil {
+		logrus.WithError(keyResp.Error).Error("Failed to query keys")
 		return util.JSONResponse{
-			Code: http.StatusUnauthorized,
-			JSON: newUserInteractiveResponse(
-				sessionID,
-				[]authtypes.Flow{
-					{
-						Stages: []authtypes.LoginType{authtypes.LoginTypePassword},
-					},
-				},
-				nil,
-			),
+			Code: http.StatusBadRequest,
+			JSON: spec.Unknown(keyResp.Error.Error()),
 		}
 	}
-	typePassword := auth.LoginTypePassword{
-		GetAccountByPassword: accountAPI.QueryAccountByPassword,
-		Config:               cfg,
+
+	existingMasterKey, hasMasterKey := keyResp.MasterKeys[device.UserID]
+	requireUIA := false
+	if hasMasterKey {
+		// If we have a master key, check if any of the existing keys differ. If they do,
+		// we need to re-authenticate the user.
+		requireUIA = keysDiffer(existingMasterKey, keyResp, uploadReq, device.UserID)
 	}
-	if _, authErr := typePassword.Login(req.Context(), &uploadReq.Auth.PasswordRequest); authErr != nil {
-		return *authErr
+
+	if requireUIA {
+		sessionID := uploadReq.Auth.Session
+		if sessionID == "" {
+			sessionID = util.RandomString(sessionIDLength)
+		}
+		if uploadReq.Auth.Type != authtypes.LoginTypePassword {
+			return util.JSONResponse{
+				Code: http.StatusUnauthorized,
+				JSON: newUserInteractiveResponse(
+					sessionID,
+					[]authtypes.Flow{
+						{
+							Stages: []authtypes.LoginType{authtypes.LoginTypePassword},
+						},
+					},
+					nil,
+				),
+			}
+		}
+		typePassword := auth.LoginTypePassword{
+			GetAccountByPassword: accountAPI,
+			Config:               cfg,
+		}
+		if _, authErr := typePassword.Login(req.Context(), &uploadReq.Auth.PasswordRequest); authErr != nil {
+			return *authErr
+		}
+		sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypePassword)
 	}
-	sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypePassword)
 
 	uploadReq.UserID = device.UserID
 	keyserverAPI.PerformUploadDeviceKeys(req.Context(), &uploadReq.PerformUploadDeviceKeysRequest, uploadRes)
@@ -96,6 +133,21 @@ func UploadCrossSigningDeviceKeys(
 	}
 }
 
+func keysDiffer(existingMasterKey fclient.CrossSigningKey, keyResp api.QueryKeysResponse, uploadReq *crossSigningRequest, userID string) bool {
+	masterKeyEqual := existingMasterKey.Equal(&uploadReq.MasterKey)
+	if !masterKeyEqual {
+		return true
+	}
+	existingSelfSigningKey := keyResp.SelfSigningKeys[userID]
+	selfSigningEqual := existingSelfSigningKey.Equal(&uploadReq.SelfSigningKey)
+	if !selfSigningEqual {
+		return true
+	}
+	existingUserSigningKey := keyResp.UserSigningKeys[userID]
+	userSigningEqual := existingUserSigningKey.Equal(&uploadReq.UserSigningKey)
+	return !userSigningEqual
+}
+
 func UploadCrossSigningDeviceSignatures(req *http.Request, keyserverAPI api.ClientKeyAPI, device *api.Device) util.JSONResponse {
 	uploadReq := &api.PerformUploadDeviceSignaturesRequest{}
 	uploadRes := &api.PerformUploadDeviceSignaturesResponse{}
diff --git a/clientapi/routing/key_crosssigning_test.go b/clientapi/routing/key_crosssigning_test.go
new file mode 100644
index 00000000..0ebb91e0
--- /dev/null
+++ b/clientapi/routing/key_crosssigning_test.go
@@ -0,0 +1,316 @@
+package routing
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/element-hq/dendrite/setup/config"
+	"github.com/element-hq/dendrite/test"
+	"github.com/element-hq/dendrite/test/testrig"
+	"github.com/element-hq/dendrite/userapi/api"
+	"github.com/matrix-org/gomatrixserverlib"
+	"github.com/matrix-org/gomatrixserverlib/fclient"
+	"github.com/matrix-org/gomatrixserverlib/spec"
+)
+
+type mockKeyAPI struct {
+	t             *testing.T
+	userResponses map[string]api.QueryKeysResponse
+}
+
+func (m mockKeyAPI) QueryKeys(ctx context.Context, req *api.QueryKeysRequest, res *api.QueryKeysResponse) {
+	res.MasterKeys = m.userResponses[req.UserID].MasterKeys
+	res.SelfSigningKeys = m.userResponses[req.UserID].SelfSigningKeys
+	res.UserSigningKeys = m.userResponses[req.UserID].UserSigningKeys
+	if m.t != nil {
+		m.t.Logf("QueryKeys: %+v => %+v", req, res)
+	}
+}
+
+func (m mockKeyAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.PerformUploadDeviceKeysRequest, res *api.PerformUploadDeviceKeysResponse) {
+	// Just a dummy upload which always succeeds
+}
+
+func getAccountByPassword(ctx context.Context, req *api.QueryAccountByPasswordRequest, res *api.QueryAccountByPasswordResponse) error {
+	res.Exists = true
+	res.Account = &api.Account{UserID: fmt.Sprintf("@%s:%s", req.Localpart, req.ServerName)}
+	return nil
+}
+
+// Tests that if there is no existing master key for the user, the request is allowed
+func Test_UploadCrossSigningDeviceKeys_ValidRequest(t *testing.T) {
+	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{
+		"master_key": {"user_id": "@user:example.com", "usage": ["master"], "keys": {"ed25519:1": "key1"}},
+		"self_signing_key": {"user_id": "@user:example.com", "usage": ["self_signing"], "keys": {"ed25519:2": "key2"}},
+		"user_signing_key": {"user_id": "@user:example.com", "usage": ["user_signing"], "keys": {"ed25519:3": "key3"}}
+	}`))
+	req.Header.Set("Content-Type", "application/json")
+
+	keyserverAPI := &mockKeyAPI{
+		userResponses: map[string]api.QueryKeysResponse{
+			"@user:example.com": {},
+		},
+	}
+	device := &api.Device{UserID: "@user:example.com", ID: "device"}
+	cfg := &config.ClientAPI{}
+
+	res := UploadCrossSigningDeviceKeys(req, keyserverAPI, device, getAccountByPassword, cfg)
+	if res.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, res.Code)
+	}
+}
+
+// Require UIA if there is an existing master key and there is no auth provided.
+func Test_UploadCrossSigningDeviceKeys_Unauthorised(t *testing.T) {
+	userID := "@user:example.com"
+
+	// Note that there is no auth field.
+	request := fclient.CrossSigningKeys{
+		MasterKey: fclient.CrossSigningKey{
+			Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key1")},
+			Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+			UserID: userID,
+		},
+		SelfSigningKey: fclient.CrossSigningKey{
+			Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key2")},
+			Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeSelfSigning},
+			UserID: userID,
+		},
+		UserSigningKey: fclient.CrossSigningKey{
+			Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key3")},
+			Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeUserSigning},
+			UserID: userID,
+		},
+	}
+
+	b := bytes.Buffer{}
+	m := json.NewEncoder(&b)
+	err := m.Encode(request)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/", &b)
+	req.Header.Set("Content-Type", "application/json")
+
+	keyserverAPI := &mockKeyAPI{
+		t: t,
+		userResponses: map[string]api.QueryKeysResponse{
+			"@user:example.com": {
+				MasterKeys: map[string]fclient.CrossSigningKey{
+					"@user:example.com": {UserID: "@user:example.com", Usage: []fclient.CrossSigningKeyPurpose{"master"}, Keys: map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key1")}},
+				},
+				SelfSigningKeys: nil,
+				UserSigningKeys: nil,
+			},
+		},
+	}
+	device := &api.Device{UserID: "@user:example.com", ID: "device"}
+	cfg := &config.ClientAPI{}
+
+	res := UploadCrossSigningDeviceKeys(req, keyserverAPI, device, getAccountByPassword, cfg)
+	if res.Code != http.StatusUnauthorized {
+		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, res.Code)
+	}
+}
+
+// Invalid JSON is rejected
+func Test_UploadCrossSigningDeviceKeys_InvalidJSON(t *testing.T) {
+	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{
+		"auth": {"type": "m.login.password", "session": "session", "user": "user", "password": "password"},
+		"master_key": {"user_id": "@user:example.com", "usage": ["master"], "keys": {"ed25519:1": "key1"}},
+		"self_signing_key": {"user_id": "@user:example.com", "usage": ["self_signing"], "keys": {"ed25519:2": "key2"}},
+		"user_signing_key": {"user_id": "@user:example.com", "usage": ["user_signing"], "keys": {"ed25519:3": "key3"}
+	}`)) // Missing closing brace
+	req.Header.Set("Content-Type", "application/json")
+
+	keyserverAPI := &mockKeyAPI{}
+	device := &api.Device{UserID: "@user:example.com", ID: "device"}
+	cfg := &config.ClientAPI{}
+
+	res := UploadCrossSigningDeviceKeys(req, keyserverAPI, device, getAccountByPassword, cfg)
+	if res.Code != http.StatusBadRequest {
+		t.Fatalf("expected status %d, got %d", http.StatusBadRequest, res.Code)
+	}
+}
+
+// Require UIA if an existing master key is present and the keys differ.
+func Test_UploadCrossSigningDeviceKeys_ExistingKeysMismatch(t *testing.T) {
+	// Again, no auth provided
+	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{
+		"master_key": {"user_id": "@user:example.com", "usage": ["master"], "keys": {"ed25519:1": "key1"}},
+		"self_signing_key": {"user_id": "@user:example.com", "usage": ["self_signing"], "keys": {"ed25519:2": "key2"}},
+		"user_signing_key": {"user_id": "@user:example.com", "usage": ["user_signing"], "keys": {"ed25519:3": "key3"}}
+	}`))
+	req.Header.Set("Content-Type", "application/json")
+
+	keyserverAPI := &mockKeyAPI{
+		userResponses: map[string]api.QueryKeysResponse{
+			"@user:example.com": {
+				MasterKeys: map[string]fclient.CrossSigningKey{
+					"@user:example.com": {UserID: "@user:example.com", Usage: []fclient.CrossSigningKeyPurpose{"master"}, Keys: map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("different_key")}},
+				},
+			},
+		},
+	}
+	device := &api.Device{UserID: "@user:example.com", ID: "device"}
+
+	cfg, _, _ := testrig.CreateConfig(t, test.DBTypeSQLite)
+	cfg.Global.ServerName = "example.com"
+
+	res := UploadCrossSigningDeviceKeys(req, keyserverAPI, device, getAccountByPassword, &cfg.ClientAPI)
+	if res.Code != http.StatusUnauthorized {
+		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, res.Code)
+	}
+}
+
+func Test_KeysDiffer_MasterKeyMismatch(t *testing.T) {
+	existingMasterKey := fclient.CrossSigningKey{
+		UserID: "@user:example.com",
+		Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+		Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("existing_key")},
+	}
+	keyResp := api.QueryKeysResponse{}
+	uploadReq := &crossSigningRequest{
+		PerformUploadDeviceKeysRequest: api.PerformUploadDeviceKeysRequest{
+			CrossSigningKeys: fclient.CrossSigningKeys{
+				MasterKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("new_key")},
+				},
+			},
+		},
+	}
+	userID := "@user:example.com"
+
+	result := keysDiffer(existingMasterKey, keyResp, uploadReq, userID)
+	if !result {
+		t.Fatalf("expected keys to differ, but they did not")
+	}
+}
+
+func Test_KeysDiffer_SelfSigningKeyMismatch(t *testing.T) {
+	existingMasterKey := fclient.CrossSigningKey{
+		UserID: "@user:example.com",
+		Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+		Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key")},
+	}
+	keyResp := api.QueryKeysResponse{
+		SelfSigningKeys: map[string]fclient.CrossSigningKey{
+			"@user:example.com": {
+				UserID: "@user:example.com",
+				Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeSelfSigning},
+				Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:2": spec.Base64Bytes("existing_key")},
+			},
+		},
+	}
+	uploadReq := &crossSigningRequest{
+		PerformUploadDeviceKeysRequest: api.PerformUploadDeviceKeysRequest{
+			CrossSigningKeys: fclient.CrossSigningKeys{
+				SelfSigningKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeSelfSigning},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:2": spec.Base64Bytes("new_key")},
+				},
+			},
+		},
+	}
+	userID := "@user:example.com"
+
+	result := keysDiffer(existingMasterKey, keyResp, uploadReq, userID)
+	if !result {
+		t.Fatalf("expected keys to differ, but they did not")
+	}
+}
+
+func Test_KeysDiffer_UserSigningKeyMismatch(t *testing.T) {
+	existingMasterKey := fclient.CrossSigningKey{
+		UserID: "@user:example.com",
+		Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+		Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key")},
+	}
+	keyResp := api.QueryKeysResponse{
+		UserSigningKeys: map[string]fclient.CrossSigningKey{
+			"@user:example.com": {
+				UserID: "@user:example.com",
+				Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeUserSigning},
+				Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:3": spec.Base64Bytes("existing_key")},
+			},
+		},
+	}
+	uploadReq := &crossSigningRequest{
+		PerformUploadDeviceKeysRequest: api.PerformUploadDeviceKeysRequest{
+			CrossSigningKeys: fclient.CrossSigningKeys{
+				UserSigningKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeUserSigning},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:3": spec.Base64Bytes("new_key")},
+				},
+			},
+		},
+	}
+	userID := "@user:example.com"
+
+	result := keysDiffer(existingMasterKey, keyResp, uploadReq, userID)
+	if !result {
+		t.Fatalf("expected keys to differ, but they did not")
+	}
+}
+
+func Test_KeysDiffer_AllKeysMatch(t *testing.T) {
+	existingMasterKey := fclient.CrossSigningKey{
+		UserID: "@user:example.com",
+		Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+		Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key")},
+	}
+	keyResp := api.QueryKeysResponse{
+		SelfSigningKeys: map[string]fclient.CrossSigningKey{
+			"@user:example.com": {
+				UserID: "@user:example.com",
+				Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeSelfSigning},
+				Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:2": spec.Base64Bytes("key")},
+			},
+		},
+		UserSigningKeys: map[string]fclient.CrossSigningKey{
+			"@user:example.com": {
+				UserID: "@user:example.com",
+				Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeUserSigning},
+				Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:3": spec.Base64Bytes("key")},
+			},
+		},
+	}
+	uploadReq := &crossSigningRequest{
+		PerformUploadDeviceKeysRequest: api.PerformUploadDeviceKeysRequest{
+			CrossSigningKeys: fclient.CrossSigningKeys{
+				MasterKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeMaster},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:1": spec.Base64Bytes("key")},
+				},
+				SelfSigningKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeSelfSigning},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:2": spec.Base64Bytes("key")},
+				},
+				UserSigningKey: fclient.CrossSigningKey{
+					UserID: "@user:example.com",
+					Usage:  []fclient.CrossSigningKeyPurpose{fclient.CrossSigningKeyPurposeUserSigning},
+					Keys:   map[gomatrixserverlib.KeyID]spec.Base64Bytes{"ed25519:3": spec.Base64Bytes("key")},
+				},
+			},
+		},
+	}
+	userID := "@user:example.com"
+
+	result := keysDiffer(existingMasterKey, keyResp, uploadReq, userID)
+	if result {
+		t.Fatalf("expected keys to match, but they did not")
+	}
+}
diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
index d72638ee..f0aa087d 100644
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@@ -1441,7 +1441,7 @@ func Setup(
 	// Cross-signing device keys
 
 	postDeviceSigningKeys := httputil.MakeAuthAPI("post_device_signing_keys", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
-		return UploadCrossSigningDeviceKeys(req, userInteractiveAuth, userAPI, device, userAPI, cfg)
+		return UploadCrossSigningDeviceKeys(req, userAPI, device, userAPI.QueryAccountByPassword, cfg)
 	})
 
 	postDeviceSigningSignatures := httputil.MakeAuthAPI("post_device_signing_signatures", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {

From 829ecafdc4414b1b26c3aeb66968324f6399f0d6 Mon Sep 17 00:00:00 2001
From: Till <2353100+S7evinK@users.noreply.github.com>
Date: Thu, 16 Jan 2025 22:47:04 +0100
Subject: [PATCH 05/10] Add support for MSC4163 (#3470)

Ignore typing and receipt events from ACL'd servers as per MSC4163
---
 internal/transactionrequest.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/internal/transactionrequest.go b/internal/transactionrequest.go
index 474195f6..bd6e70ce 100644
--- a/internal/transactionrequest.go
+++ b/internal/transactionrequest.go
@@ -216,13 +216,17 @@ func (t *TxnReq) processEDUs(ctx context.Context) {
 				util.GetLogger(ctx).WithError(err).Debug("Failed to unmarshal typing event")
 				continue
 			}
-			if _, serverName, err := gomatrixserverlib.SplitID('@', typingPayload.UserID); err != nil {
+			_, serverName, err := gomatrixserverlib.SplitID('@', typingPayload.UserID)
+			if err != nil {
 				continue
 			} else if serverName == t.ourServerName {
 				continue
 			} else if serverName != t.Origin {
 				continue
 			}
+			if api.IsServerBannedFromRoom(ctx, t.rsAPI, typingPayload.RoomID, serverName) {
+				continue
+			}
 			if err := t.producer.SendTyping(ctx, typingPayload.UserID, typingPayload.RoomID, typingPayload.Typing, 30*1000); err != nil {
 				util.GetLogger(ctx).WithError(err).Error("Failed to send typing event to JetStream")
 			}
@@ -278,6 +282,9 @@ func (t *TxnReq) processEDUs(ctx context.Context) {
 						util.GetLogger(ctx).Debugf("Dropping receipt event where sender domain (%q) doesn't match origin (%q)", domain, t.Origin)
 						continue
 					}
+					if api.IsServerBannedFromRoom(ctx, t.rsAPI, roomID, domain) {
+						continue
+					}
 					if err := t.processReceiptEvent(ctx, userID, roomID, "m.read", mread.Data.TS, mread.EventIDs); err != nil {
 						util.GetLogger(ctx).WithError(err).WithFields(logrus.Fields{
 							"sender":  t.Origin,

From 2ab4219ffc7d352a3ab763a261368e0cfde3673a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 22:59:19 +0100
Subject: [PATCH 06/10] Bump github.com/nats-io/nats.go from 1.37.0 to 1.38.0
 (#3481)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [github.com/nats-io/nats.go](https://github.com/nats-io/nats.go)
from 1.37.0 to 1.38.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nats-io/nats.go/releases">github.com/nats-io/nats.go's
releases</a>.</em></p>
<blockquote>
<h2>v1.38.0</h2>
<h2>Changelog</h2>
<h3>Added</h3>
<ul>
<li>Core NATS:
<ul>
<li>Added <code>UserInfoHandler</code> for dynamically setting
user/password (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1713">#1713</a>)</li>
<li>Added <code>PermissionErrOnSubscribe</code> option, causing
<code>SubscribeSync</code> to return
<code>nats.ErrPermissionViolation</code> on <code>NextMsg()</code> if
there was a permission error (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1728">#1728</a>)</li>
<li>Added <code>Msgs()</code> method on <code>Subscription</code>,
returning an iterator (<code>iter.Seq2[*nats.Msg, error]</code>) for the
subscription. This method is only available for go version &gt;=1.23 (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1728">#1728</a>)</li>
</ul>
</li>
<li>KeyValue:</li>
<li>Added <code>WatchFiltered</code> method to watch for updates with
multiple filters (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1739">#1739</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Core NATS:
<ul>
<li>Fixed closing connections on max subscriptions exceeded (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1709">#1709</a>)</li>
<li>Removed redundant nil checks. Thanks <a
href="https://github.com/ramonberrutti"><code>@​ramonberrutti</code></a>
for the contribution (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1751">#1751</a>)</li>
<li>Add missing nats prefix to error (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1753">#1753</a>)</li>
</ul>
</li>
<li>JetStream:
<ul>
<li>Fixed <code>PublishAsync</code> not closing done and stall channels
after failed retries (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1719">#1719</a>)</li>
<li>Set valid fetch sequence in ordered consumer's <code>Fetch()</code>
and <code>Next()</code> after timeout (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1705">#1705</a>)</li>
<li>Do not overwrite ordered consumer deliver policy if start time is
set (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1742">#1742</a>)</li>
<li>Fixed race condition in <code>MessageBatch</code> (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1743">#1743</a>)</li>
</ul>
</li>
<li>Legacy JetStream:
<ul>
<li>Fixed race condition in <code>MessageBatch</code> (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1743">#1743</a>)</li>
</ul>
</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Legacy Jetstream:
<ul>
<li>Added client retry for jetstream async publish old API. Thanks <a
href="https://github.com/pranavmehta94"><code>@​pranavmehta94</code></a>
for the contribution (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1695">#1695</a>)</li>
</ul>
</li>
</ul>
<h3>Improved</h3>
<ul>
<li>Moved CI to github actions (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1623">#1623</a>,
<a
href="https://redirect.github.com/nats-io/nats.go/issues/1716">#1716</a>)</li>
<li>Use errors.New instead of fmt.Errorf to improve efficiency. Thanks
<a href="https://github.com/canack"><code>@​canack</code></a> for the
contribution (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1707">#1707</a>)</li>
<li>Fixed invalid schemas in Service API documentation (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1720">#1720</a>)</li>
<li>Added mention of TTL reset in <code>kv.Update</code> method. Thanks
<a
href="https://github.com/fmontorsi-equinix"><code>@​fmontorsi-equinix</code></a>
for the contribution (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1727">#1727</a>)</li>
<li>Updated installation commands in <code>README.md</code> (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1745">#1745</a>)</li>
<li>Bump <code>nkeys</code> to v0.4.9 (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1750">#1750</a>)</li>
</ul>
<h3>Complete Changes</h3>
<p><a
href="https://github.com/nats-io/nats.go/compare/v1.37.0...v1.38.0">https://github.com/nats-io/nats.go/compare/v1.37.0...v1.38.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nats-io/nats.go/commit/48391f1b8b390ed4569b5c40f59fcde3e4cf1dc7"><code>48391f1</code></a>
Release v1.38.0 (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1754">#1754</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/6f4e85afdbd6043b2c239512be0d1353d5d9dd54"><code>6f4e85a</code></a>
[FIXED] Add missing nats prefix to error (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1753">#1753</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/074c819479bb5fa69def43ebd821f3945ad02758"><code>074c819</code></a>
[FIXED] twice respMap nil check (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1751">#1751</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/d6eaa84a039e2ff58f1fb278e533b8511d8fa571"><code>d6eaa84</code></a>
[ADDED] Creating iterators for sync subscriptions (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1728">#1728</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/6bc41598ccf73167d509b8568151ef79128a9283"><code>6bc4159</code></a>
[FIXED] Race in MessageBatch (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1743">#1743</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/d05f24af9e77a67d583ee8d25e303355b1caf510"><code>d05f24a</code></a>
Bump nkeys to 0.4.7 (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1750">#1750</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/01fafde03391884a3f425dcf0a8c9cf29189f92e"><code>01fafde</code></a>
[IMPROVED] Update installation commands (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1745">#1745</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/f563c66855dbcc150ae832ca3f4590ce81f09fda"><code>f563c66</code></a>
[FIXED] Do not overwrite ordered consumer deliver policy if start time
is set...</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/e963b776f24fb0166e440842c90b9586b6aba9df"><code>e963b77</code></a>
[ADDED] WatchFiltered method on KV (<a
href="https://redirect.github.com/nats-io/nats.go/issues/1739">#1739</a>)</li>
<li><a
href="https://github.com/nats-io/nats.go/commit/4530ef6abf748afd3b6993a21f8d9ac7f82715c9"><code>4530ef6</code></a>
[FIXED] Invalid fetch sequence in ordered consumer Fetch and Next after
timeo...</li>
<li>Additional commits viewable in <a
href="https://github.com/nats-io/nats.go/compare/v1.37.0...v1.38.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/nats-io/nats.go&package-manager=go_modules&previous-version=1.37.0&new-version=1.38.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 36463adb..598c5cc3 100644
--- a/go.mod
+++ b/go.mod
@@ -30,7 +30,7 @@ require (
 	github.com/matrix-org/util v0.0.0-20221111132719-399730281e66
 	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/nats-io/nats-server/v2 v2.10.23
-	github.com/nats-io/nats.go v1.37.0
+	github.com/nats-io/nats.go v1.38.0
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
@@ -116,7 +116,7 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/nats-io/jwt/v2 v2.5.8 // indirect
-	github.com/nats-io/nkeys v0.4.8 // indirect
+	github.com/nats-io/nkeys v0.4.9 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
diff --git a/go.sum b/go.sum
index 5d2612d3..472ab9eb 100644
--- a/go.sum
+++ b/go.sum
@@ -270,10 +270,10 @@ github.com/nats-io/jwt/v2 v2.5.8 h1:uvdSzwWiEGWGXf+0Q+70qv6AQdvcvxrv9hPM0RiPamE=
 github.com/nats-io/jwt/v2 v2.5.8/go.mod h1:ZdWS1nZa6WMZfFwwgpEaqBV8EPGVgOTDHN/wTbz0Y5A=
 github.com/nats-io/nats-server/v2 v2.10.23 h1:jvfb9cEi5h8UG6HkZgJGdn9f1UPaX3Dohk0PohEekJI=
 github.com/nats-io/nats-server/v2 v2.10.23/go.mod h1:hMFnpDT2XUXsvHglABlFl/uroQCCOcW6X/0esW6GpBk=
-github.com/nats-io/nats.go v1.37.0 h1:07rauXbVnnJvv1gfIyghFEo6lUcYRY0WXc3x7x0vUxE=
-github.com/nats-io/nats.go v1.37.0/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
-github.com/nats-io/nkeys v0.4.8 h1:+wee30071y3vCZAYRsnrmIPaOe47A/SkK/UBDPdIV70=
-github.com/nats-io/nkeys v0.4.8/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
+github.com/nats-io/nats.go v1.38.0 h1:A7P+g7Wjp4/NWqDOOP/K6hfhr54DvdDQUznt5JFg9XA=
+github.com/nats-io/nats.go v1.38.0/go.mod h1:IGUM++TwokGnXPs82/wCuiHS02/aKrdYUQkU8If6yjw=
+github.com/nats-io/nkeys v0.4.9 h1:qe9Faq2Gxwi6RZnZMXfmGMZkg3afLLOtrU+gDZJ35b0=
+github.com/nats-io/nkeys v0.4.9/go.mod h1:jcMqs+FLG+W5YO36OX6wFIFcmpdAns+w1Wm6D3I/evE=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=

From 24bd07a1d73d41865815a9b85b8df05c87f0de4a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 23:01:10 +0100
Subject: [PATCH 07/10] Bump azure/setup-helm from 3 to 4 (#3477)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3 to
4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/azure/setup-helm/releases">azure/setup-helm's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<ul>
<li><a
href="https://redirect.github.com/azure/setup-helm/issues/121">#121</a>
update to node20 as node16 is deprecated</li>
</ul>
<h2>v3.5 release</h2>
<p>Bump <code>@​actions/core</code> version to remove output
warning.</p>
<h2>v3.4 release</h2>
<p>Improves the querying method to find the latest Helm release. Takes
advantage of new GitHub api changes.</p>
<h2>v3.3 release</h2>
<p>Add token input. Needed for fetching latest</p>
<h2>v3.1 release</h2>
<p>Swap to GraphQL GitHub API</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md">azure/setup-helm's
changelog</a>.</em></p>
<blockquote>
<h1>Change Log</h1>
<h2>[4.2.0] - 2024-04-15</h2>
<ul>
<li><a
href="https://redirect.github.com/azure/setup-helm/issues/124">#124</a>
Fix OS detection and download OS-native archive extension</li>
</ul>
<h2>[4.1.0] - 2024-03-01</h2>
<ul>
<li><a
href="https://redirect.github.com/azure/setup-helm/issues/130">#130</a>
switches to use Helm published file to read latest version instead of
using GitHub releases</li>
</ul>
<h2>[4.0.0] - 2024-02-12</h2>
<ul>
<li><a
href="https://redirect.github.com/azure/setup-helm/issues/121">#121</a>
update to node20 as node16 is deprecated</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Azure/setup-helm/commit/fe7b79cd5ee1e45176fcad797de68ecaf3ca4814"><code>fe7b79c</code></a>
build</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/df50d879fa2c7ad2245510549f2c2eb28d0da618"><code>df50d87</code></a>
Release v4.2.0 (<a
href="https://redirect.github.com/azure/setup-helm/issues/134">#134</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/08d7123a4aed1b6bb351100915be82d2d4438990"><code>08d7123</code></a>
Bump undici from 5.28.2 to 5.28.4 (<a
href="https://redirect.github.com/azure/setup-helm/issues/133">#133</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/0a0c55a4c3e75926d1b0632f44263361a0673245"><code>0a0c55a</code></a>
Fix os detection and archive extension (<a
href="https://redirect.github.com/azure/setup-helm/issues/124">#124</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/d00ce1cb5e61ec3f80ff549e66de9f32345ceef2"><code>d00ce1c</code></a>
update to release workflow major version tag (<a
href="https://redirect.github.com/azure/setup-helm/issues/132">#132</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/4c255dde26f39995a013e04d230147b2a28f62fd"><code>4c255dd</code></a>
publish version 4.1.0 (<a
href="https://redirect.github.com/azure/setup-helm/issues/131">#131</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/ec8dd7c2099c43573cdfe425d7703507bee2b2db"><code>ec8dd7c</code></a>
switching to fetching latest version from the dedicated file (<a
href="https://redirect.github.com/azure/setup-helm/issues/130">#130</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/efbd96d464a46ba08e9937f0a0c7954d10c3b517"><code>efbd96d</code></a>
Fix action version in README.md (<a
href="https://redirect.github.com/azure/setup-helm/issues/129">#129</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/859dc38e9afea5ba802fecdc635016c32c092199"><code>859dc38</code></a>
v4 readme update (<a
href="https://redirect.github.com/azure/setup-helm/issues/127">#127</a>)</li>
<li><a
href="https://github.com/Azure/setup-helm/commit/0788eb3317a269f12de6efd230b2c89eda56ee18"><code>0788eb3</code></a>
v4 release and required workflow updates (<a
href="https://redirect.github.com/azure/setup-helm/issues/125">#125</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/azure/setup-helm/compare/v3...v4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=azure/setup-helm&package-manager=github_actions&previous-version=3&new-version=4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/helm.yml | 2 +-
 .github/workflows/k8s.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
index 10eb7c02..d1964069 100644
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -27,7 +27,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.10.0
 
diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml
index fd97bf7e..41c671e1 100644
--- a/.github/workflows/k8s.yml
+++ b/.github/workflows/k8s.yml
@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: azure/setup-helm@v3
+      - uses: azure/setup-helm@v4
         with:
           version: v3.10.0
       - uses: actions/setup-python@v5

From 39bcd5f69d2c2ee67d96c755e2ee964d69796dee Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 23:01:37 +0100
Subject: [PATCH 08/10] Bump github/codeql-action from 2 to 3 (#3473)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v2.28.0</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<p><strong>This is the last planned release of the <code>v2</code>. To
continue getting updates for the CodeQL Action, please switch to
<code>v3</code>.</strong></p>
<h2>2.28.0 - 20 Dec 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.15.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2655">#2655</a></li>
<li>Don't fail in the unusual case that a file is on the search path. <a
href="https://redirect.github.com/github/codeql-action/pull/2660">#2660</a>.</li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v2.28.0/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v2.27.9</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>2.27.9 - 12 Dec 2024</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v2.27.9/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v2.27.7</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>2.27.7 - 10 Dec 2024</h2>
<ul>
<li>We are rolling out a change in December 2024 that will extract the
CodeQL bundle directly to the toolcache to improve performance. <a
href="https://redirect.github.com/github/codeql-action/pull/2631">#2631</a></li>
<li>Update default CodeQL bundle version to 2.20.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2636">#2636</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v2.27.7/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v2.27.6</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h2>3.28.0 - 20 Dec 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.15.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2655">#2655</a></li>
<li>Don't fail in the unusual case that a file is on the search path. <a
href="https://redirect.github.com/github/codeql-action/pull/2660">#2660</a>.</li>
</ul>
<h2>3.27.9 - 12 Dec 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.8 - 12 Dec 2024</h2>
<ul>
<li>Fixed an issue where streaming the download and extraction of the
CodeQL bundle did not respect proxy settings. <a
href="https://redirect.github.com/github/codeql-action/pull/2624">#2624</a></li>
</ul>
<h2>3.27.7 - 10 Dec 2024</h2>
<ul>
<li>We are rolling out a change in December 2024 that will extract the
CodeQL bundle directly to the toolcache to improve performance. <a
href="https://redirect.github.com/github/codeql-action/pull/2631">#2631</a></li>
<li>Update default CodeQL bundle version to 2.20.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2636">#2636</a></li>
</ul>
<h2>3.27.6 - 03 Dec 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2626">#2626</a></li>
</ul>
<h2>3.27.5 - 19 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.4 - 14 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.3 - 12 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.2 - 12 Nov 2024</h2>
<ul>
<li>Fixed an issue where setting up the CodeQL tools would sometimes
fail with the message &quot;Invalid value 'undefined' for header
'authorization'&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/2590">#2590</a></li>
</ul>
<h2>3.27.1 - 08 Nov 2024</h2>
<ul>
<li>The CodeQL Action now downloads bundles compressed using Zstandard
on GitHub Enterprise Server when using Linux or macOS runners. This
speeds up the installation of the CodeQL tools. This feature is already
available to GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2573">#2573</a></li>
<li>Update default CodeQL bundle version to 2.19.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2576">#2576</a></li>
</ul>
<h2>3.27.0 - 22 Oct 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.14.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2549">#2549</a></li>
<li>Fix an issue where the <code>upload-sarif</code> Action would fail
with &quot;upload-sarif post-action step failed: Input required and not
supplied: token&quot; when called in a composite Action that had a
different set of inputs to the ones expected by the
<code>upload-sarif</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2557">#2557</a></li>
<li>Update default CodeQL bundle version to 2.19.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2552">#2552</a></li>
</ul>
<h2>3.26.13 - 14 Oct 2024</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/48fe0d8fb168b9da4713543aa069aed7084890d3"><code>48fe0d8</code></a>
Update changelog and version after v3.27.9</li>
<li><a
href="https://github.com/github/codeql-action/commit/df409f7d9260372bd5f19e5b04e83cb3c43714ae"><code>df409f7</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2649">#2649</a>
from github/update-v3.27.9-7972a42f3</li>
<li><a
href="https://github.com/github/codeql-action/commit/feca44ddf6862ba0707723d320d5c42780fe6499"><code>feca44d</code></a>
Update changelog for v3.27.9</li>
<li><a
href="https://github.com/github/codeql-action/commit/7972a42f3de41c0960aeae9d0efc1705c9d5da62"><code>7972a42</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2648">#2648</a>
from github/aeisenberg/add-environment</li>
<li><a
href="https://github.com/github/codeql-action/commit/44bf16d3a1ed508cdc836322a8e39526f7c301b8"><code>44bf16d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2646">#2646</a>
from github/mergeback/v3.27.8-to-main-8a93837a</li>
<li><a
href="https://github.com/github/codeql-action/commit/f124ad0e7ef6ecb9840fcd1b908d1630211d37c3"><code>f124ad0</code></a>
Adds an environment for creating releases</li>
<li><a
href="https://github.com/github/codeql-action/commit/92753708cf0395732c3e3ea1666edb55192158c5"><code>9275370</code></a>
Update checked-in dependencies</li>
<li><a
href="https://github.com/github/codeql-action/commit/a059a7a0ee19212a3820398327f1ba34fd73676f"><code>a059a7a</code></a>
Update changelog and version after v3.27.8</li>
<li><a
href="https://github.com/github/codeql-action/commit/8a93837afdf1873301a68d777844b43e98cd4313"><code>8a93837</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2645">#2645</a>
from github/update-v3.27.8-9cfbef4bd</li>
<li>See full diff in <a
href="https://github.com/github/codeql-action/compare/v2...v3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index d3969475..fdf77640 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -98,7 +98,7 @@ jobs:
           output: "trivy-results.sarif"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: "trivy-results.sarif"
 

From 315269d8f9f9774b59d7fd1cbf258730bf84bfdf Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 23:21:53 +0100
Subject: [PATCH 09/10] Bump golang.org/x/net from 0.32.0 to 0.33.0 (#3499)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.32.0 to
0.33.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/dfc720dfe0cfc125116068c20efcdcb5e4eab464"><code>dfc720d</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb"><code>8e66b04</code></a>
html: use strings.EqualFold instead of lowering ourselves</li>
<li><a
href="https://github.com/golang/net/commit/b935f7b5d723c82894e1a1fd936a94dd2d1eae46"><code>b935f7b</code></a>
html: avoid endless loop on error token</li>
<li><a
href="https://github.com/golang/net/commit/9af49ef148d7d8b3e4cbbd9cc0cd37f2a520a4a3"><code>9af49ef</code></a>
route: remove unused sizeof* consts</li>
<li><a
href="https://github.com/golang/net/commit/6705db9a4df8f2cf16aed83e773e7a0213788b7a"><code>6705db9</code></a>
quic: clean up crypto streams when dropping packet protection keys</li>
<li><a
href="https://github.com/golang/net/commit/4ef7588d2b3f83775099797baac43c34e2e23200"><code>4ef7588</code></a>
quic: handle ACK frame in packet which drops number space</li>
<li><a
href="https://github.com/golang/net/commit/552d8ac903a11a9fde71a88732f5b58b6b394178"><code>552d8ac</code></a>
Revert &quot;route: change from syscall to x/sys/unix&quot;</li>
<li><a
href="https://github.com/golang/net/commit/13a7c0108bd38aad013797cdb95e6bfca0bbcec6"><code>13a7c01</code></a>
Revert &quot;route: remove unused sizeof* consts on freebsd&quot;</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.32.0...v0.33.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.32.0&new-version=0.33.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/dendrite/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[skip ci]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 598c5cc3..cd7be5f7 100644
--- a/go.mod
+++ b/go.mod
@@ -142,7 +142,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
diff --git a/go.sum b/go.sum
index 472ab9eb..e2b0ce7c 100644
--- a/go.sum
+++ b/go.sum
@@ -418,8 +418,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From a41f9cc154f476f3236a8cc2355e3e392f59901f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 23:22:19 +0100
Subject: [PATCH 10/10] Bump modernc.org/sqlite from 1.34.2 to 1.34.5 (#3500)

Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.34.2
to 1.34.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://gitlab.com/cznic/sqlite/commit/15818ab7fe22935c740f0bf5069901a1314799d0"><code>15818ab</code></a>
move the vendor tool into a separate module, updates gc#3</li>
<li><a
href="https://gitlab.com/cznic/sqlite/commit/d3e8a664e8b51225de529ad17338007b5f16c5df"><code>d3e8a66</code></a>
retract v1.34.3</li>
<li><a
href="https://gitlab.com/cznic/sqlite/commit/1fcc86e9d6e8d65d4928c1575b3d4cbdcb0fc70c"><code>1fcc86e</code></a>
fix accidentaly broken openbsd/amd64 build</li>
<li><a
href="https://gitlab.com/cznic/sqlite/commit/7f15e6eb45fa87fd65c5817b56d449a3b80a1d24"><code>7f15e6e</code></a>
linux/arm64: patch libc bug at runtime, updates <a
href="https://gitlab.com/cznic/sqlite/issues/199">#199</a></li>
<li>See full diff in <a
href="https://gitlab.com/cznic/sqlite/compare/v1.34.2...v1.34.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=modernc.org/sqlite&package-manager=go_modules&previous-version=1.34.2&new-version=1.34.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 6 +-----
 go.sum | 8 ++------
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index cd7be5f7..1e1511d7 100644
--- a/go.mod
+++ b/go.mod
@@ -55,7 +55,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.4.0
 	maunium.net/go/mautrix v0.15.1
-	modernc.org/sqlite v1.34.2
+	modernc.org/sqlite v1.34.5
 )
 
 require (
@@ -101,7 +101,6 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
 	github.com/h2non/filetype v1.1.3 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hjson/hjson-go/v4 v4.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juju/errors v1.0.0 // indirect
@@ -151,12 +150,9 @@ require (
 	gopkg.in/macaroon.v2 v2.1.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	maunium.net/go/maulogger/v2 v2.4.1 // indirect
-	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
 	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
-	modernc.org/strutil v1.2.0 // indirect
-	modernc.org/token v1.1.0 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )
 
diff --git a/go.sum b/go.sum
index e2b0ce7c..dedb8053 100644
--- a/go.sum
+++ b/go.sum
@@ -197,8 +197,6 @@ github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
 github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
-github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
-github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hjson/hjson-go/v4 v4.4.0 h1:D/NPvqOCH6/eisTb5/ztuIS8GUvmpHaLOcNk1Bjr298=
 github.com/hjson/hjson-go/v4 v4.4.0/go.mod h1:KaYt3bTw3zhBjYqnXkYywcYctk0A2nxeEFTse3rH13E=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -515,8 +513,6 @@ modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
 modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
 modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
 modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 h1:5D53IMaUuA5InSeMu9eJtlQXS2NxAhyWQvkKEgXZhHI=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
 modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
 modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
@@ -527,8 +523,8 @@ modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
 modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
 modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
-modernc.org/sqlite v1.34.2 h1:J9n76TPsfYYkFkZ9Uy1QphILYifiVEwwOT7yP5b++2Y=
-modernc.org/sqlite v1.34.2/go.mod h1:dnR723UrTtjKpoHCAMN0Q/gZ9MT4r+iRvIBb9umWFkU=
+modernc.org/sqlite v1.34.5 h1:Bb6SR13/fjp15jt70CL4f18JIN7p7dnMExd+UFnF15g=
+modernc.org/sqlite v1.34.5/go.mod h1:YLuNmX9NKs8wRNK2ko1LW1NGYcc9FkBO69JOt1AR9JE=
 modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=