chore(deps): bump the dependencies group with 5 updates

[dependabot]

Bumps the dependencies group with 5 updates:

Package	From	To
github.com/muesli/mango-cobra	1.2.0	1.3.0
github.com/openfga/openfga	1.9.5	1.10.0
github.com/spf13/pflag	1.0.9	1.0.10
github.com/spf13/viper	1.20.1	1.21.0
google.golang.org/protobuf	1.36.8	1.36.9

Updates github.com/muesli/mango-cobra from 1.2.0 to 1.3.0

Release notes

Sourced from github.com/muesli/mango-cobra's releases.

v1.3.0

What's Changed

• Bump github.com/muesli/mango from 0.1.0 to 0.2.0 by @​dependabot[bot] in muesli/mango-cobra#7
• Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @​dependabot[bot] in muesli/mango-cobra#8
• feat: add support for examples by @​jon4hz in muesli/mango-cobra#9
• Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @​dependabot[bot] in muesli/mango-cobra#10
• Bump actions/setup-go from 3 to 4 by @​dependabot[bot] in muesli/mango-cobra#12
• chore: update golangci-lint configs & workflows by @​muesli in muesli/mango-cobra#15
• docs: update README badges by @​muesli in muesli/mango-cobra#16
• chore(deps): bump actions/checkout from 3 to 5 by @​dependabot[bot] in muesli/mango-cobra#19
• chore(deps): bump actions/setup-go from 4 to 6 by @​dependabot[bot] in muesli/mango-cobra#17
• chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.10.1 by @​dependabot[bot] in muesli/mango-cobra#18

New Contributors

• @​jon4hz made their first contribution in muesli/mango-cobra#9

Full Changelog: muesli/mango-cobra@v1.2.0...v1.3.0

Commits

• 6e85b2c chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.10.1
• cf79b82 chore(deps): bump actions/setup-go from 4 to 6
• 5d84810 chore(deps): bump actions/checkout from 3 to 5
• 86d6d88 docs: update README badges
• 4542804 chore: update golangci-lint configs & workflows
• 6d28709 Bump actions/setup-go from 3 to 4
• dccb79f Bump github.com/spf13/cobra from 1.6.0 to 1.6.1
• 40f26de feat: add support for examples
• 3a9d400 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0
• a24f8f0 Bump github.com/muesli/mango from 0.1.0 to 0.2.0
• See full diff in compare view

Updates github.com/openfga/openfga from 1.9.5 to 1.10.0

Release notes

Sourced from github.com/openfga/openfga's releases.

v1.10.0

OpenFGA v1.10.0 Release Notes - 2025-09-11

New Features

• Allow Ignoring Duplicate Writes in Write API openfga/roadmap#79

Added

• Make number of querying goroutines in experimental reverse_expand configurable via resolveNodeBreadthLimit. #2652
• Add microsecond latency numbers and datastore query count in shadow check resolver. #2658 ( reverted )
• Add NewWithDB support for sqlite storage. #2679
• Add planner for selecting check resolution strategies based on runtime statistics, behind the enable-check-optimization flag. #2624
• Add server.WithShadowCheckCacheEnabled to enable creation of a separate cache for shadow check resolver. #2683
• Run weight 2 optimization for cases where there are more than 1 directly assignable userset. #2684

Changed

• Make experimental reverse_expand behave the same as old reverse_expand in case of timeouts. #2649

• Breaking: Changes to storage interface

  NOTE The following breaking changes are related to the storage interface. If you are not implementing a storage adapter, then these changes should not impact your usage of OpenFGA.

  • Changed the RelationshipTupleWriter datastore interface to accept variadic write options (opts ...TupleWriteOption) to customize behavior on duplicate inserts and missing deletes. #2663 Implementers must update the Write method signature to include opts ...TupleWriteOption. Defaults preserve prior behavior (error on duplicates and on missing deletes). Example: Write(ctx, store, deletes, writes, storage.WithOnDuplicateInsert(storage.OnDuplicateInsertIgnore))

Fixed

• Fixed bug in how experimental ReverseExpand support for ttus with multiple parents in the intersection and exclusion for list objects. #2691
• Improve performance by allowing weight 2 optimization if the directly assignable userset types are of different types. #2645
• Update ListObjects' check resolver to use correct environment variable. #2653
• !!REQUIRES MIGRATION!! Collation specification for queries dependent on sort order. #2661
  • PostgreSQL is non-disruptive.
  • MySQL requires a shared lock on the tuple table during the transaction.

Shout outs

• @​le-yams made their contribution in openfga/openfga#2593 which gave inspiration and a push to implement Duplicate Writes openfga/roadmap#79 PR openfga/openfga#2663

New Contributors

• @​vikrantgupta25 made their first contribution in openfga/openfga#2679

Full Changelog: openfga/openfga@v1.9.5...v1.10.0

• perf: weight 2 allows more than multiple usersets with different types by @​adriantam in openfga/openfga#2645
• fix: Allow experimental reverse_expand to return partial results on timeout by @​justincoh in openfga/openfga#2649
• chore(deps): bump the dependencies group across 1 directory with 4 updates by @​dependabot[bot] in openfga/openfga#2646
• chore(deps): bump grpc-ecosystem/grpc-health-probe from v0.4.39 to v0.4.40 in the dependencies group by @​dependabot[bot] in openfga/openfga#2640
• chore: refactor userset by @​elbuo8 in openfga/openfga#2642
• feat: update experimental ListObjects max querying goroutines by @​justincoh in openfga/openfga#2652
• fix: use the correct configuration variable for list objects check resolver by @​justincoh in openfga/openfga#2653
• chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @​dependabot[bot] in openfga/openfga#2654
• chore: Benchmarks for ListObjects by @​justincoh in openfga/openfga#2584

... (truncated)

Changelog

Sourced from github.com/openfga/openfga's changelog.

[1.10.0] - 2025-09-11

Added

• Make number of querying goroutines in experimental reverse_expand configurable via resolveNodeBreadthLimit. #2652
• Add microsecond latency numbers and datastore query count in shadow check resolver. #2658
• Add NewWithDB support for sqlite storage. #2679
• Add planner for selecting check resolution strategies based on runtime statistics, behind the enable-check-optimization flag. #2624
• Add server.WithShadowCheckCacheEnabled to enable creation of a separate cache for shadow check resolver. #2683
• Run weight 2 optimization for cases where there are more than 1 directly assignable userset. #2684

Changed

• Make experimental reverse_expand behave the same as old reverse_expand in case of timeouts. #2649

• Breaking: Changes to storage interface

  [!NOTE] The following breaking changes are related to the storage interface. If you are not implementing a storage adapter, then these changes should not impact your usage of OpenFGA.

  • Changed the RelationshipTupleWriter datastore interface to accept variadic write options (opts ...TupleWriteOption) to customize behavior on duplicate inserts and missing deletes. #2663 Implementers must update the Write method signature to include opts ...TupleWriteOption. Defaults preserve prior behavior (error on duplicates and on missing deletes). Example: Write(ctx, store, deletes, writes, storage.WithOnDuplicateInsert(storage.OnDuplicateInsertIgnore))

Fixed

• Fixed bug in how experimental ReverseExpand support for ttus with multiple parents in the intersection and exclusion for list objects. #2691
• Improve performance by allowing weight 2 optimization if the directly assignable userset types are of different types. #2645
• Update ListObjects' check resolver to use correct environment variable. #2653
• !!REQUIRES MIGRATION!! Collation specification for queries dependent on sort order. #2661
  • PostgreSQL is non-disruptive.
  • MySQL requires a shared lock on the tuple table during the transaction.

Commits

• 3a701df release: update changelog for release v1.10.0 (#2699)
• db2fbf2 fix: flaky TestConstructUserset unit test (#2700)
• 92a663b fix collation to always use byte-wise ordering (#2661)
• f7c5f2a chore(deps): bump the dependencies group with 5 updates (#2689)
• 2618482 chore(deps): bump the dependencies group across 1 directory with 24 updates (...
• d197290 Add support for TTUs with multiple parents in LO intersection and exclusion (...
• baa37b9 chore: planner and shadow resolver fixes (#2695)
• 1fca3c7 chore: batch statements for write (#2692)
• c617a33 fix: in-memory condition context not checked correctly for write (#2694)
• 496522e feat: hook up on_duplicate write to API (#2681)
• Additional commits viewable in compare view

Updates github.com/spf13/pflag from 1.0.9 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

What's Changed

• fix deprecation comment for (FlagSet.)ParseErrorsWhitelist by @​thaJeztah in spf13/pflag#447
• remove uses of errors.Is, which requires go1.13, move go1.16/go1.21 tests to separate file by @​thaJeztah in spf13/pflag#448

New Contributors

• @​thaJeztah made their first contribution in spf13/pflag#447

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

Commits

• 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
• 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
• 7e4dfb1 Test on Go 1.12
• 18a9d17 move Func, BoolFunc, tests as they require go1.21
• c5b9e98 remove uses of errors.Is, which requires go1.13
• 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
• See full diff in compare view

Updates github.com/spf13/viper from 1.20.1 to 1.21.0

Release notes

Sourced from github.com/spf13/viper's releases.

v1.21.0

What's Changed

Enhancements 🚀

• Add support for flags pflag.BoolSlice, pflag.UintSlice and pflag.Float64Slice by @​nmvalera in spf13/viper#2015
• feat: use maintained yaml library by @​sagikazarmark in spf13/viper#2040

Bug Fixes 🐛

• fix(config): get config type from v.configType or config file ext by @​GuillaumeBAECHLER in spf13/viper#2003
• fix: config type check when loading any config by @​sagikazarmark in spf13/viper#2007

Dependency Updates ⬆️

• Update dependencies by @​sagikazarmark in spf13/viper#1993
• build(deps): bump github.com/spf13/cast from 1.7.1 to 1.8.0 by @​dependabot[bot] in spf13/viper#2017
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 by @​dependabot[bot] in spf13/viper#2013
• build(deps): bump github.com/sagikazarmark/locafero from 0.8.0 to 0.9.0 by @​dependabot[bot] in spf13/viper#2008
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /remote by @​dependabot[bot] in spf13/viper#2016
• build(deps): bump github.com/spf13/cast from 1.8.0 to 1.9.2 by @​dependabot[bot] in spf13/viper#2020
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @​dependabot[bot] in spf13/viper#2028
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @​dependabot[bot] in spf13/viper#2035
• build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 by @​dependabot[bot] in spf13/viper#2036
• build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0 by @​dependabot[bot] in spf13/viper#2012
• build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @​dependabot[bot] in spf13/viper#2052
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 in /remote by @​dependabot[bot] in spf13/viper#2048
• build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 by @​dependabot[bot] in spf13/viper#2056
• chore: update dependencies by @​sagikazarmark in spf13/viper#2057

Other Changes

• Update update guide with mapstructure package replacement. by @​aldas in spf13/viper#2004
• refactor: use the built-in max/min to simplify the code by @​yingshanghuangqiao in spf13/viper#2029

New Contributors

• @​GuillaumeBAECHLER made their first contribution in spf13/viper#2003
• @​aldas made their first contribution in spf13/viper#2004
• @​nmvalera made their first contribution in spf13/viper#2015
• @​yingshanghuangqiao made their first contribution in spf13/viper#2029
• @​ccoVeille made their first contribution in spf13/viper#2046
• @​spacez320 made their first contribution in spf13/viper#2050

Full Changelog: spf13/viper@v1.20.0...v1.21.0

Commits

• 394040c ci: build on go 1.25
• 812f548 chore: update dependencies
• d5271ef ci: update stale workflow
• dff303b feat: add a stale issue scheduled action
• 1287976 build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
• 38932cd build(deps): bump github.com/go-viper/mapstructure/v2 in /remote
• 6d014be build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1
• b74c7ee build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0
• acd05e1 fix: linting issues
• ae5a8e2 ci: upgrade golangci-lint
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.8 to 1.36.9

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	google.golang.org/​protobuf@​v1.36.8 ⏵ v1.36.9	+1
	github.com/​openfga/​openfga@​v1.9.5 ⏵ v1.10.0	+1
	github.com/​spf13/​pflag@​v1.0.9 ⏵ v1.0.10	+1
	github.com/​openfga/​api/​proto@​v0.0.0-20250806222926-60b2b183a749 ⏵ v0.0.0-20250909172242-b4b2a12f5c67	+1
	github.com/​spf13/​viper@​v1.20.1 ⏵ v1.21.0
	github.com/​muesli/​mango-cobra@​v1.2.0 ⏵ v1.3.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		github.com/openfga/openfga@v1.10.0 has a License Policy Violation. License: CC-BY-SA-4.0 (NOTICE) License: MPL-2.0 (NOTICE) License: MPL-2.0 (NOTICE) License: CC-BY-4.0 (NOTICE) License: CC-BY-SA-4.0 (NOTICE) License: GPL-2.0-only (NOTICE) License: GPL-2.0-or-later (NOTICE) License: MPL-2.0 (NOTICE) From: go.mod → golang/github.com/openfga/openfga@v1.10.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/openfga/openfga@v1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report