Skip to content

Deps: bump the go-dev-dependencies group with 2 updates#326

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dev-dependencies-9e7b901e0d
Open

Deps: bump the go-dev-dependencies group with 2 updates#326
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dev-dependencies-9e7b901e0d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-dev-dependencies group with 2 updates: github.com/opensearch-project/opensearch-go/v4 and github.com/mattn/go-sqlite3.

Updates github.com/opensearch-project/opensearch-go/v4 from 4.6.0 to 4.7.0

Release notes

Sourced from github.com/opensearch-project/opensearch-go/v4's releases.

v4.7.0

opensearch-go v4.7.0

CRITICAL UPGRADE RELEASE NOTE - The next major release (v5) has substantially expanded error handling capabilities compared to v4.

v4.7.0 is the last v4 release before v5. The v4 -> v5 upgrade changes runtime error-handling behavior and is NOT a drop-in replacement across major versions. If you use this client, read this now - even if you are only upgrading to v4.7.0.

Today, v4 only returns transport-level errors; partial failures (e.g. failed bulk items, failed shards, unconfirmed replica writes) are reported inside the response body, not as Go error values. In v5, those partial failures are returned as errors by default. Code that compiles and passes against v4 can behave differently against v5 without any code change.

Upgrading between v4 releases (any <v4.7.0 to any v4.X.X) does not change the default error-handling semantics. The change lands in v5, which is expected shortly after this release.

This is why v4.7.0 exists: it lets you adopt the v5 error behavior on v4 today - via one environment variable, no code change - so you can validate your error handling before v5 ships and upgrade with no surprises. See Error handling below.

This release covers development from December 2025 through July 2026 (v4.6.0 -> v4.7.0). Three themes dominate the release: a reworked error-handling model that surfaces partial failures as typed Go errors, a rewritten transport layer, and a client-side routing layer that replaces plain round-robin node selection. It also ships a preview of the v5 API surface.

Several of these features are disabled by default in v4 and enabled by default in v5. Each can be turned on in v4 through an environment variable, so users can evaluate the v5 behavior against their own clusters with no code changes before upgrading.

Full Changelog: opensearch-project/opensearch-go@v4.6.0...v4.7.0


1. Error handling

Background

OpenSearch returns HTTP 200 for many operations that only partially succeed: bulk requests where some items fail, searches where some shards error, and writes where a replica fails to confirm. A 2xx status code does not mean the whole operation succeeded.

Before v4.7.0, only transport errors were returned as errors and any partial or shard-level failure required inspecting response fields by hand after every call. v4.7.0 adds a model that turns partial failures into typed Go errors:

Error type Returned by
*PartialBulkError Bulk
*PartialSearchError Search, MSearch, SearchTemplate, Scroll.Get
*ShardFailureError Index, Document.Create, Document.Delete, Update
*MultiSearchItemError MSearch, MSearchTemplate (per sub-response)

Which categories are returned as errors is controlled by a per-category mask on Config.Errors. When a category is masked, the operation returns its response with a nil error even though the response body records failures, and the caller is responsible for inspecting it. When a category is not masked (the default coming in v5), the same partial failure is returned as one of the typed errors above, and the response is still fully populated alongside the error.

v4 -> v5 Migration Path

The default mask in v4 is to mask all errors to preserve the existing v4 behavior of only returning transport errors. The v4.7.0 release exists to catch this change in behavior between v4 and v5 of the library in a forward-compatible way.

Surface Config.Errors == nil means Effect
v4 errmask.All every category masked: partial failures are not returned as errors (preserves pre-4.7 behavior)
v5+ errmask.Empty no category masked: every partial failure is returned as an error

In other words: a v4 program that never sets Config.Errors sees the same silent behavior it always has. The identical program compiled against v5 will begin receiving partial failures as error values. This release lets you adopt the v5 behavior on v4 ahead of time so the upgrade holds no surprises.

Transitioning to v5 error handling

... (truncated)

Changelog

Sourced from github.com/opensearch-project/opensearch-go/v4's changelog.

[4.7.0]

Added

  • Add Close() to opensearch.Client and opensearchapi.Client to release background goroutines (node discovery, health/stats pollers, DNS refresh) and idle connections; opensearchutil.NewBulkIndexer now closes the client it implicitly creates. Backport of #926 without the default-client cache (#928, #893)
  • Add cmd/osgen code generator for typed path builders and API consumer files from the OpenAPI spec
  • v5preview/opensearchapi: NewClient and NewDefaultClient now inject opensearchtransport.NewDefaultRouter when config.Client.Router is nil, opting every v5preview client into intelligent request routing by default. The OPENSEARCH_GO_ROUTER env var preserves its v4 semantics end-to-end: =true/=1 enables auto-discovery (via DiscoverNodesOnStart); =false/=0 suppresses both Router injection and auto-discovery; unset injects the Router without auto-discovery. v4's opensearchapi.NewClient is unchanged. (#816)
  • Add envvars.Falsy(name) helper that distinguishes "explicitly opted out" from "unset" (Truthy collapses both into false). Used by v5preview's router injection rule.
  • Add v5preview/opensearchapi/ package: regenerated v5-track API surface produced by cmd/osgen from the OpenAPI spec. Fully typed Req/Resp/Params structs, sub-clients matching OpenSearch namespaces (client.Cat, client.Cluster, client.Indices, etc.), and a plugins/ subtree for ML/k-NN/security/ISM/etc. Coexists with opensearchapi/ during the v4 -> v5 transition; see v5preview/opensearchapi/README.md for usage and UPGRADING.md for migration guidance (#650)
  • Add primary_terms_map and split_shards_metadata fields to ClusterState index metadata for OpenSearch >=3.6.0 compatibility
  • Add generic opensearch.Do[T]() function for compile-time pointer enforcement on response types, preventing a class of bugs where non-pointer values are silently passed to Client.Do() and fail at runtime during JSON unmarshaling. Includes opensearch.NoBody marker type for calls that expect no response body, unifying all internal dispatch through a single generic path (#809)
  • Add dynamic read cost scoring: primary shard cost scales with write-pool utilization via connScoreFunc, preferring primaries at idle and shedding reads to replicas under write load
  • Add OPENSEARCH_GO_SHARD_COST environment variable and WithShardCosts() router option with r:base/r:amplify/r:exponent curve keys and static cost overrides
  • Add ShardCostConfig field to Config struct for programmatic shard cost override passthrough
  • Add OPENSEARCH_GO_ROUTER environment variable to enable the DefaultRouter without code changes; set to true to opt in (off by default in v4, on by default in v5, removed in v6) (#815)
  • Add client-side metrics guide covering Metrics API, ConnectionMetric, PolicySnapshot, and RouterSnapshot (#812)
  • Add InsecureSkipVerify config option to disable TLS certificate verification without constructing a custom http.Transport, preserving DefaultTransport connection pooling, HTTP/2, and timeout defaults (#786)
  • Add (*opensearchtransport.Client).Stream(*http.Request) (*http.Response, error) and a (*opensearch.Client).Stream passthrough for raw byte forwarding (proxy and streaming use cases). Stream returns the unbuffered response body from RoundTrip; the caller owns reading and closing res.Body. Pairs with opensearch.Do[T] for typed, decoded results (the SDK owns the body). Stream is exposed only on the concrete *Client in v4; v5 will add it to opensearchtransport.Interface and remove the deprecated Perform (#786)
  • Add per-attempt RequestTimeout to bound individual HTTP round-trips, preventing indefinite hangs on stalled connections (#786)
  • Add opensearchutil/shardhash package with exported Hash and ForRouting functions for computing OpenSearch shard routing
  • Enhanced cluster readiness checking for improved test reliability: testutil.NewClient() now includes readiness validation (health + cluster state + nodes info)
  • Add Status field (json.RawMessage) to TasksGetResp, TasksListTask, and TaskCancelInfo for polymorphic task status data; add typed status structs matching the OpenSearch API specification: BulkByScrollTaskStatus, ReplicationTaskStatus, ResyncTaskStatus, PersistentTaskStatus; add Parse* helpers and BulkByScrollTaskStatusOrException for sliced task status (#788)
  • Test parallelization support via TEST_PARALLEL environment variable (default: CPU cores - 1, minimum 1)
  • Add cmd/osgen/emit.TestPerOpErrorTypeName_CatalogConsistency to pin the catalog <-> switch coupling between emit.PerOpErrorTypeName and errwrap.OperationWrappers. Asserts three directions: every group naming a per-op aggregator type has 2+ wrappers in the catalog, every catalog entry with 2+ wrappers names a per-op aggregator type, and every group named by the switch is present in the catalog. Does not pin the runtime emittableWrappers/resolveErrorWrappers paths; today those sets coincide for the only 2+-wrapper groups (msearch / msearch_template) (#857)
  • opensearchapi/testutil package with test suite, client helpers, and JSON comparison utilities
  • Add typed path builders in internal/path/ generated from the OpenAPI spec via cmd/osgen for compile-time URL construction safety (#617, #650)
    • sync.Pool-backed []byte buffers eliminate per-request allocation churn; buffers over 4 KiB are discarded to bound pool growth
  • opensearchtransport/testutil package with PollUntil helper for eventual consistency testing (ISM policies, index readiness, cluster state changes)
  • Configuration option IncludeDedicatedClusterManagers for controlling cluster manager node routing (#765)
  • Policy-based routing system for improved request routing and service availability (#771)
    • Policy interface for composable routing strategies with lifecycle management
    • Router interface with Route() method for request-based connection selection
    • NewPolicy() implementing chain-of-responsibility pattern for composable routing strategies
    • NewIfEnabledPolicy() for conditional routing with runtime evaluation
    • NewMuxPolicy() for trie-based HTTP pattern matching with zero-allocation route lookup
    • NewRolePolicy() for role-based node selection
    • NewRoundRobinRouter() with coordinating node preference and round-robin fallback
    • NewMuxRouter() providing role-based request routing with graceful fallback
      • Automatic routing of bulk, streaming bulk, and reindex operations to ingest nodes
      • Automatic routing of search operations (search, msearch, count, by-query operations, scroll, PIT, validate, rank eval) to search/data nodes
      • Automatic routing of document retrieval operations (get, mget, source, explain, termvectors, mtermvectors) to search/data nodes for read locality
      • Automatic routing of template operations (search template, msearch template) and search shards to search/data nodes
      • Automatic routing of field capabilities to search/data nodes
      • Automatic routing of shard maintenance operations (refresh, flush, synced flush, forcemerge, cache clear, segments) to data nodes
      • Automatic routing of single-document writes (index, create, update, delete) to data nodes
      • Automatic routing of shard diagnostics (recovery, shard stores, stats) and rethrottle operations to data nodes
    • NewDefaultRouter() extending role-based routing with per-index node affinity (recommended for most users)
  • Add consistent hash routing with per-index node affinity for cache locality and AZ-aware load distribution (#786)
    • Rendezvous hashing selects a stable subset of nodes per index, preserving OS page cache and query cache locality
    • RTT-bucketed scoring naturally prefers AZ-local nodes and overflows to remote AZs under load

... (truncated)

Commits
  • f818ecb chore: update go.mod and go.sum dependencies (#960)
  • 81027f8 fix(opensearchtransport): gate single-node pool on reachability so seed fallb...
  • 6c064a4 fix(opensearchtransport): don't let unverified discovered nodes mask seed fal...
  • 6a3f31b chore(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 (#937)
  • f28c9db chore(deps): bump stefanzweifel/git-auto-commit-action (#944)
  • b204729 chore(deps): bump VachaShah/backport from 1.1.4 to 2.2.0 (#943)
  • d64cdb1 chore(deps): bump golangci/golangci-lint-action from 9.2.1 to 9.3.0 (#936)
  • db27130 chore(deps): bump lycheeverse/lychee-action from 2.7.0 to 2.9.0 (#939)
  • 8f39786 chore(deps): bump golang.org/x/sync from 0.21.0 to 0.22.0 (#941)
  • d272ddc chore(deps): bump golang.org/x/mod from 0.37.0 to 0.38.0 (#948)
  • Additional commits viewable in compare view

Updates github.com/mattn/go-sqlite3 from 1.14.47 to 1.14.48

Release notes

Sourced from github.com/mattn/go-sqlite3's releases.

1.14.48

What's Changed

... (truncated)

Commits
  • 0cfec60 Merge pull request #1427 from mattn/sqlite-amalgamation-3053003
  • 603b1ba Upgrade SQLite to version 3053003
  • 3be2bdb Merge pull request #1426 from mattn/fix-load-extension-errmsg-leak
  • 7a3f560 Merge pull request #1425 from mattn/fix-trampoline-abi
  • a5fd1f6 Merge pull request #1424 from mattn/fix-preupdate-null-deref
  • 66371d2 Merge pull request #1423 from mattn/fix-open-error-leak
  • b55096d Merge pull request #1418 from mattn/add-coderabbit-config
  • fa5cf80 Merge pull request #1422 from mattn/fix-bind-unsupported-type
  • 08a4ce4 Add regression tests for bind error paths
  • ca77cf4 Merge pull request #1421 from mattn/fix-callback-named-types
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-dev-dependencies group with 2 updates: [github.com/opensearch-project/opensearch-go/v4](https://github.com/opensearch-project/opensearch-go) and [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3).


Updates `github.com/opensearch-project/opensearch-go/v4` from 4.6.0 to 4.7.0
- [Release notes](https://github.com/opensearch-project/opensearch-go/releases)
- [Changelog](https://github.com/opensearch-project/opensearch-go/blob/v4.7.0/CHANGELOG.md)
- [Commits](opensearch-project/opensearch-go@v4.6.0...v4.7.0)

Updates `github.com/mattn/go-sqlite3` from 1.14.47 to 1.14.48
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](mattn/go-sqlite3@v1.14.47...v1.14.48)

---
updated-dependencies:
- dependency-name: github.com/opensearch-project/opensearch-go/v4
  dependency-version: 4.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dev-dependencies
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.48
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: go-dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 15, 2026
@dependabot dependabot Bot requested review from a team as code owners July 15, 2026 08:07
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 15, 2026
@github-actions

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 9223726.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

go.mod

PackageVersionLicenseIssue Type
github.com/mattn/go-sqlite31.14.48NullUnknown License
Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, bzip2-1.0.6, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-3.0, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

PackageVersionScoreDetails
gomod/github.com/mattn/go-sqlite3 1.14.48 UnknownUnknown
gomod/github.com/opensearch-project/opensearch-go/v4 4.7.0 🟢 7.1
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Fuzzing🟢 10project is fuzzed
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • go.mod

@github-actions

Copy link
Copy Markdown

Conventional Commits Report

Type Number
Dependencies 1

🚀 Conventional commits found.

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.03%. Comparing base (26a48f5) to head (9223726).

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #326       +/-   ##
===========================================
+ Coverage   57.75%   92.03%   +34.28%     
===========================================
  Files          59        3       -56     
  Lines        3082      226     -2856     
===========================================
- Hits         1780      208     -1572     
+ Misses       1165       12     -1153     
+ Partials      137        6      -131     
Flag Coverage Δ
opensearch-tests ?
postgres-tests 92.03% <ø> (ø)
unit-tests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants