chore(deps): bump the dependencies group with 3 updates

[dependabot]

Bumps the dependencies group with 3 updates: github.com/openfga/go-sdk, github.com/openfga/openfga and google.golang.org/protobuf.

Updates github.com/openfga/go-sdk from 0.7.1 to 0.7.2

Release notes

Sourced from github.com/openfga/go-sdk's releases.

v0.7.2

0.7.2

0.7.2 (2025-09-15)

• feat: add contextual tuples support in Expand requests (openfga/sdk-generator#547) - thanks @​SoulPancake
• feat: Support passing name filter to ListStores (#186, #213) - thanks @​Oscmage!
• fix: 5xx errors were not being properly retried (#204) - thanks @​maxlegault for reporting

What's Changed

• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in openfga/go-sdk#194
• chore(deps): bump codecov/codecov-action from 5.4.0 to 5.4.2 in the dependencies group by @​dependabot[bot] in openfga/go-sdk#197
• chore(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /example/opentelemetry by @​dependabot[bot] in openfga/go-sdk#196
• Update SECURITY-INSIGHTS by @​aaguiarz in openfga/go-sdk#207
• chore(ci): restrict main workflow permissions to only read contents, except for release by @​aaguiarz in openfga/go-sdk#208
• chore(ci): restrict semgrep workflow permissions to only read contents by @​aaguiarz in openfga/go-sdk#209
• chore(ci): restrict main workflow permissions to only read contents, except for release by @​aaguiarz in openfga/go-sdk#210
• chore(deps): bump the dependencies group across 1 directory with 2 updates by @​dependabot[bot] in openfga/go-sdk#202
• chore(deps): bump the dependencies group across 1 directory with 3 updates by @​dependabot[bot] in openfga/go-sdk#205
• chore(ci): add action to update OpenSSF scorecard periodically and on merge to main by @​aaguiarz in openfga/go-sdk#211
• chore(ci): remove semgrep workflow by @​rhamzeh in openfga/go-sdk#212
• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in openfga/go-sdk#215
• chore(deps): bump the dependencies group with 3 updates by @​dependabot[bot] in openfga/go-sdk#214
• ci: update dependabot config by @​evansims in openfga/go-sdk#216
• chore(deps): bump the dependencies group across 1 directory with 2 updates by @​dependabot[bot] in openfga/go-sdk#221
• chore(deps): bump the dependencies group across 1 directory with 3 updates by @​dependabot[bot] in openfga/go-sdk#224
• Support passing name filter to ListStores by @​Oscmage in openfga/go-sdk#213
• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in openfga/go-sdk#228
• chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 in the dependencies group by @​dependabot[bot] in openfga/go-sdk#227
• chore: sync generator changes by @​rhamzeh in openfga/go-sdk#226
• feat: add contextual tuple in exp by @​SoulPancake in openfga/go-sdk#203
• feat: add claude code PR review to repo by @​Tennyx in openfga/go-sdk#225
• chore(docs): add scorecard, deepwiki and socket.dev badges by @​aaguiarz in openfga/go-sdk#238
• chore: update SECURITY-INSIGHTS by @​aaguiarz in openfga/go-sdk#237
• chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 in the dependencies group by @​dependabot[bot] in openfga/go-sdk#232
• fix(retry): ensure 5xx internal errors are retried by @​rhamzeh in openfga/go-sdk#241
• release: v0.7.2 by @​rhamzeh in openfga/go-sdk#231

New Contributors

• @​aaguiarz made their first contribution in openfga/go-sdk#207
• @​Oscmage made their first contribution in openfga/go-sdk#213
• @​SoulPancake made their first contribution in openfga/go-sdk#203
• @​Tennyx made their first contribution in openfga/go-sdk#225

Full Changelog: openfga/go-sdk@v0.7.1...v0.7.2

Changelog

Sourced from github.com/openfga/go-sdk's changelog.

0.7.2

0.7.2 (2025-09-15)

• feat: add contextual tuples support in Expand requests - thanks @​SoulPancake
• feat: Support passing name filter to ListStores (#213) - thanks @​Oscmage
• fix: 5xx errors were not being properly retried

Commits

• 8242aee release: v0.7.2 (#231)
• 4367c98 fix(retry): ensure 5xx internal errors are retried (#241)
• d2ed21c chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 in the dependencies...
• b1c120f chore: update SECURITY-INSIGHTS (#237)
• 57e37cc chore(docs): add scorecard, deepwiki and socket.dev badges (#238)
• 4bda12b feat: add claude code PR review to repo (#225)
• 2e3106c feat: add contextual tuple in exp (#203)
• 87cab93 chore: sync generator changes (#226)
• 0d19cb4 chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 in the dependencies...
• 3593ed9 chore(deps): bump the dependencies group with 2 updates (#228)
• Additional commits viewable in compare view

Updates github.com/openfga/openfga from 1.10.1 to 1.10.2

Release notes

Sourced from github.com/openfga/openfga's releases.

v1.10.2

Changed

• Bumped the version of openfga/language/pkg to a version of the weighted graph that includes recursive relation detection. openfga/openfga#2716
• Log the reason on server failure start openfga/openfga#2703

Fixed

• Fixed a bug where experimental ReverseExpand constructed the underlying check relation incorrectly for intersection and exclusion in ListObjects. openfga/openfga#2721

New Contributors

• @​mblottiere made their first contribution in openfga/openfga#2703

Full Changelog: openfga/openfga@v1.10.1...v1.10.2

Changelog

Sourced from github.com/openfga/openfga's changelog.

[1.10.2] - 2025-09-29

Changed

• Bumped the version of openfga/language/pkg to a version of the weighted graph that includes recursive relation detection. #2716
• Log the reason on server failure start #2703
• Remove zap type conversion on request logger #2717

Fixed

• Fixed a bug where experimental ReverseExpand constructed the underlying check relation incorrectly for intersection and exclusion in ListObjects. #2721

Commits

• 2a454e3 release: update changelog for release v1.10.2 (#2724)
• 7b52513 fix: list objects call check with incorrect relation (#2721)
• 56ffe6d chore: improve server logs (#2703)
• af8ae65 chore: planner adjustments (#2701)
• c16d971 docs: improve readme structure (#2719)
• 7053c81 chore: update language dependency (#2716)
• 0c1d215 chore(docs): Update DeepWiki badge in README (#2710)
• 56f217f chore: move benchmark tests to their own folder (#2709)
• 236abe5 chore: use response headers in create tag workflow (#2638)
• See full diff in compare view

Updates google.golang.org/protobuf from 1.36.9 to 1.36.10

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[fossabot]

You have no credits left. Reach out to autoupdates@​fossa.com and we'll top you up.

Credits are consumed when dependency updates are reviewed or proposed.

Re-run with @​fossabot analyze.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	google.golang.org/​protobuf@​v1.36.9 ⏵ v1.36.10	+1
	github.com/​openfga/​openfga@​v1.10.1 ⏵ v1.10.2	+1
	github.com/​openfga/​go-sdk@​v0.7.1 ⏵ v0.7.2	+1
	github.com/​openfga/​language/​pkg/​go@​v0.2.0-beta.2.0.20250812011519-a7cd7602df5d ⏵ v0.2.0-beta.2.0.20250919191407-efa08b02a76a	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		github.com/openfga/openfga@v1.10.2 has a License Policy Violation. License: CC-BY-4.0 (NOTICE) License: CC-BY-SA-4.0 (NOTICE) License: GPL-2.0-only (NOTICE) License: GPL-2.0-or-later (NOTICE) License: MPL-2.0 (NOTICE) License: MPL-2.0 (NOTICE) License: CC-BY-SA-4.0 (NOTICE) License: MPL-2.0 (NOTICE) From: go.mod → golang/github.com/openfga/openfga@v1.10.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/openfga/openfga@v1.10.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Oct 08 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}