fix(deps): update go modules (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/adobe/ims-go	v0.19.2 → v0.24.0
github.com/go-viper/mapstructure/v2	v2.4.0 → v2.5.0
github.com/knadh/koanf/providers/file	v1.2.0 → v1.2.1
github.com/knadh/koanf/v2	v2.3.0 → v2.3.4
github.com/twmb/franz-go	v1.20.6 → v1.21.0
github.com/twmb/franz-go/pkg/kadm	v1.17.1 → v1.18.0
github.com/twmb/franz-go/pkg/kmsg	v1.12.0 → v1.13.1
go.uber.org/zap	v1.27.1 → v1.28.0
golang.org/x/sync	v0.19.0 → v0.20.0

---

Release Notes

adobe/ims-go (github.com/adobe/ims-go)

v0.24.0

Compare Source

v0.23.0

Compare Source

v0.22.0

Compare Source

v0.21.0

Compare Source

v0.20.0

Compare Source

go-viper/mapstructure (github.com/go-viper/mapstructure/v2)

v2.5.0

Compare Source

What's Changed

• Print qualified type name when ErrorUnused=true causes errors for unused keys in embedded fields by @​jmacd in #​113
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in #​126
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.10 by @​dependabot[bot] in #​131
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​129
• feat: support for automatically initializing squashed pointer structs by @​tuunit in #​71
• build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in #​134
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in #​142
• Fix slice deep map (owned) by @​jphastings in #​144
• chore: fix lint violations by @​sagikazarmark in #​157
• chore: switch to devenv by @​sagikazarmark in #​158
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in #​151
• build(deps): bump github/codeql-action from 3.29.10 to 4.31.2 by @​dependabot[bot] in #​153
• build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​154
• build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @​dependabot[bot] in #​160
• build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​159
• build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @​dependabot[bot] in #​162
• build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​161
• build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in #​163
• feature: Add map field name to convert structs dynamically instead of individually with a tag. by @​thespags in #​149
• feat(decoder): support multiple tag names in order by @​DarkiT in #​59
• feat: optional root object name by @​andreev-fn in #​137
• Add unmarshaler interface by @​sagikazarmark in #​166

New Contributors

• @​jmacd made their first contribution in #​113
• @​tuunit made their first contribution in #​71
• @​jphastings made their first contribution in #​144
• @​thespags made their first contribution in #​149
• @​DarkiT made their first contribution in #​59
• @​andreev-fn made their first contribution in #​137

Full Changelog: go-viper/mapstructure@v2.4.0...v2.5.0

knadh/koanf (github.com/knadh/koanf/providers/file)

v1.2.1

Compare Source

changelog for v1.2.0 -> v1.2.1

• 29cce50 Merge pull request #​101 from e-nikolov/fix-pflag-map-types
• 0202243 posflag: add support for pflag map types

twmb/franz-go (github.com/twmb/franz-go)

v1.21.0

Compare Source

===

This is a relatively "major" minor release. It adds support for Kafka 4.2,
adds full support for KIP-932 share groups, adds
KIP-881 rack-aware partition assignment, adds a handful of other
features / options, and fixes several niche bugs.

The companion kfake package has also been significantly extended; it now
supports everything except delegation tokens, streams APIs, and broker
internal APIs. kfake can be used as a dumb localhost broker; it has an option
to persist to disk to tolerate restarts (and it even handles quick restarts
without interrupting any client state). See the run_tests.sh script and the
main.go file in pkg/kfake if you want to see about bootstrapping this yourself.
I may create some tiny 'dumbkafka' binary that supports running on localhost
with a few options. Regardless, kfake is quite neat.

The kadm package has been extended with new share APIs. See the
incoming kadm tag for full details.

As a meta note, this was a significant time investment (>4w most evenings and
weekends for KIP-932 alone). I hope future releases require less work; 932 is
the last major feature this library has been missing for a while, and of
upcoming KIPs, only transactional support for 932 looks to maybe be some
effort. That said, if you get a lot of value from this and have a spare
quarter, please consider sponsoring.

API additions

Share groups (KIP-932)

franz-go now fully supports KIP-932 share groups for consuming.
Share groups are the "queue-like" alternative to consumer groups: many
consumers can share a single partition, records are individually
acknowledged, and unacknowledged records are automatically redelivered.

The new share group API mirrors the existing consumer group shape; see
full documentation on pkg.go.dev:

type AckStatus int8

const (
    AckAccept  AckStatus = 1
    AckRelease AckStatus = 2
    AckReject  AckStatus = 3
    AckRenew   AckStatus = 4
)

type ShareAckResult struct { Topic string; Partition int32; Err error }
type ShareAckResults []ShareAckResult

func (ShareAckResults) Ok() bool
func (ShareAckResults) Error() error

func ShareGroup(group string) GroupOpt
func ShareMaxRecords(n int32) GroupOpt
func ShareMaxRecordsStrict() GroupOpt
func ShareAckCallback(fn func(*Client, ShareAckResults)) GroupOpt

func (*Client) MarkAcks(status AckStatus, rs ...*Record)
func (*Client) FlushAcks(ctx context.Context) error

func (*Record) Ack(status AckStatus)
func (*Record) DeliveryCount() int32
func (*Record) AcquisitionDeadline() time.Time

Two new RecordFormatter verbs were added alongside this:

• %D - share group delivery count
• %A - share group acquisition deadline (timestamp; supports the same
  strftime/Go formatting as %d)

Rack-aware partition assignment (KIP-881)

Both the range and sticky balancers now understand consumer racks. If you
set kgo.Rack, the leader will preferentially assign you partitions whose
leader is in the same rack, preserving the existing priority of balance
over locality over stickiness. I was originally not planning to support this
in franz-go since the next generation rebalancer was releasing at a similar
time, but I suspect it's worth it to keep the client-driven rebalancing for
a while.

Custom balancers that use the consumer protocol can use the new
(*ConsumerBalancer).PartitionRacks() method to access the computed
partition-rack map.

Other new kgo APIs

func AllowIdempotentProduceCancellation() ProducerOpt
func ProducerBatchMaxBytesFn(fn func(string) int32) ProducerOpt
func AlwaysRetryEOF() Opt

type HookPollStart interface {
    OnPollStart(ctx context.Context)
}

• AllowIdempotentProduceCancellation permits cancellation of in-flight
  idempotent records, at the cost of breaking idempotency's duplicate
  guarantee. When a record is in-flight, the client cannot tell "never
  written" from "written but reply lost". Cancelling leaves the client's
  sequence window inconsistent with the broker: the next produce either
  silently gap-accepts (broker wrote the cancelled records) or hits
  OUT_OF_ORDER_SEQUENCE and forces a producer ID reload (broker did
  not). Any application-level retry of a cancelled record that the
  broker actually stored will duplicate on the broker - idempotent
  dedupe cannot help because the window has reset. By default the
  client refuses to cancel in this state and waits for the record's
  outcome. Use this when time-bounded delivery matters more than
  duplicate-avoidance. Incompatible with a transactional id.
• ProducerBatchMaxBytesFn takes a topic name and returns the max batch
  size for that topic, following the RetryTimeout / RetryTimeoutFn
  pattern. Useful when you produce to multiple topics with different
  broker-side max.message.bytes.
• AlwaysRetryEOF keeps retrying EOF errors indefinitely for users whose
  infrastructure considers EOF always transient. This option is actually
  generally recommended for all users, BUT you really have to ensure your
  SASL and TLS is setup correctly when using this option. Invalid SASL or
  TLS is only visible as an EOF error, so the client by default uses
  heuristics to hard fail requests without retrying if the first write triggers
  an EOF. This has bit some users over time due to an EOF ALSO being seen
  during restarts; this new option allows you to say "trust me, I know
  my configuration is correct: keep retrying".
• HookPollStart fires at the start of each PollFetches /
  PollRecords call. Thanks @​rarguellof91!

Misc additions

• kadm gained a RequireStable option for offset fetching.
• kfake.VirtualNetwork plus a new kgo xsync package enable full
  testing/synctest support against an in-process kfake cluster. See
  examples/testing_with_kfake_and_synctest. Thanks
  @​cupcicm!

Behavior changes

• ApiVersions is now sent on every new broker connection, not just
  the first one per broker. The broker uses the ApiVersions request's
  ClientSoftwareName / ClientSoftwareVersion fields to scope KIP-714
  metric subscriptions; caching and skipping ApiVersions meant later
  connections (fetch, group, etc.) registered as software=unknown, and
  one kgo.Client appeared as two software entities to the broker.
  Versions are still cached for request-version selection, so this is
  only a one-extra-request-per-connection cost.

• Group consumer OffsetFetch now hardcodes RequireStable=true. The
  prior behavior could return stale committed offsets during a
  rebalance, and in the worst case, result in duplicate messages.
  You no longer need to use the RequireStableFetchOffsets option.

• ErrRecordTimeout now wraps the last retry error seen while waiting
  on metadata in waitUnknownTopic. errors.Is continues to work for
  ErrRecordTimeout; you can now also errors.Is the underlying cause
  (e.g. SASL auth errors that previously disappeared).

• BlockRebalanceOnPoll no longer gates the assign-side callback if the
  user did not register OnPartitionsAssigned. Assign only adds
  partitions, so a user's in-flight commit cannot reference anything
  they don't still own; the gate only existed to serialize user
  callbacks with poll.

• MessageTooLarge errors now include the uncompressed and compressed
  message sizes. Thanks @​anubhav21sharma!

Bug fixes

• Fixed a KIP-951 bug where ensureBrokers could destroy unrelated
  broker objects when the broker set changed. This would manifest to you
  as "the broker chosen for the request is dead" (or does not exist).

• listOffsets had two related bugs: a nil cursor panic in the drain
  path, and a race where a metadata signal could be lost. These were
  possible to encounter on extremely fast setups (the bugs were years
  old, and I only encountered via localhost kfake testing).

• The KIP-848 heartbeat path had several bugs that were shaken out by
  long spin loops against the new kfake share/848 support (that said,
  I am still not opting into KIP-848 by default, and will only allow
  an option-based opt-in once KIP-1251 is released in Kafka 4.3).

• fetchOffsets now validates OffsetFetch responses against what was
  requested (brokers have been seen to omit partitions) and correctly
  handles the group-level error code.

• Fixed a TOCTOU race between producerID and createReq that could
  construct a produce request with a stale producer ID.

• failDial now actually clears the stale coordinator / controller
  cache, so a single bad dial does not poison subsequent discovery.

• Various smaller fixes: retrying when broker.go wrote 0 bytes (treat
  as "didn't try"), transient dial errors now retry for the full
  configured retry budget rather than the hard-coded ~1.5s cap (which
  previously caused failures across 5-30s rolling restarts).

Improvements

• batchPromises is now backpressured: the ring is a dynamically-sized
  circular buffer that can block pushes at max(maxBufferedRecords, 8192). Previously it could grow unboundedly and OOM the client when
  records failed faster than finishPromises could process them.

• Two rounds of allocation reductions in hot paths: the produce blocking
  path no longer forces its closure onto the heap, recBuf's linger
  timer is reused, brokerCxn's 4-byte read buffer is reused,
  headerless records no longer allocate an empty header slice, and some
  deprecated APIs were swapped out.

• InitProducerID failures caused by transient broker errors (dial
  refused, EOF across a broker restart, etc.) no longer surface as a
  fatal "unrecoverable producer ID" error. The client now marks the
  producer ID for reload on these errors so the next produce or begin
  re-runs InitProducerID against the (probably now-available) broker.

Relevant commits

• 8854973c improvement kgo: recover producer ID from transient broker errors in maybeRecoverProducerID
• c9a91d11 feature kgo: add xsync package + kfake: add VirtualNetwork for synctest (thanks @​manuc-conf!)
• a5a7c6f2 kgo: send ApiVersions on every new broker connection
• 14346ddc feature kgo: add rack-aware partition assignment (KIP-881)
• 40bf3e52 feature kgo: add HookPollStart hook (thanks @​rarguellof91!)
• 68c85147 behavior change kgo: skip BlockRebalanceOnPoll gate on assign with no OnPartitionsAssigned
• 6d9a0188 feature kgo: add %D (delivery count) and %A (acquisition deadline) to RecordFormatter
• 0f0bca22 feature kgo: add support for share groups (KIP-932)
• 8762d567 kgo: retry if we failed at 0 bytes written
• 3e2f61a8 kgo: retry transient dial errors for the configured retry budget
• 857ed6dc behavior change kgo: wrap last retry error into ErrRecordTimeout
• d922b883 kgo: fix failDial to actually clear stale coordinator/controller cache
• af5abf66 bugfix kgo: fix KIP-951 ensureBrokers destroying unrelated broker objects
• 6c7aab54 bugfix kgo: fix listOrEpoch drain and nil cursor panic in listOffsets
• 416e8269 kgo: do not cancel prior in-flight offset commits
• 2f666797 kgo: simplify STALE_MEMBER_EPOCH retry in offset commit
• 9dde6ad8 behavior change kgo: hardcode RequireStable for group consumer OffsetFetch
• 8a9400df bugfix kgo: fix listOrEpoch race where metadata signal is lost
• 0338467d feature kgo: add AllowIdempotentProduceCancellation option
• bc46151a feature kgo: add ProducerBatchMaxBytesFn for per-topic batch size limits
• de2dff52 bugfix kgo: handle group-level error code in fetchOffsets
• 45ec9cfb bugfix kgo: fix TOCTOU race between producerID and createReq
• 63cf8fa6 kgo: add backpressure to batchPromises ring buffer
• 9f15841b feature kgo: add AlwaysRetryEOF option
• 1de163c3 include uncompressed/compressed message size in MessageTooLarge error (thanks @​anubhav21sharma!)

v1.20.7

Compare Source

===

This patch release fixes numerous niche bugs - some user reported, some found
while investigating other things - contains a few behavior improvements,
extensive kfake additions, and many test additions / improvements.

There have been extensive additions to kfake over the course of the past
month; kfake now supports transactions, the next generation consumer group
protocol, and more Kafka APIs. franz-go integration tests now run and pass
against kfake in CI.

Testing has further been extensively improved: integration tests now run
against the latest patch version of Kafka for all major Kafka versions going
back to 0.11.0. The existing test suite has been extended to run while opting
into the next generation consumer group. An integration test against Kerberos
has been added. For ~roughly the past year (maybe half year), all bugs found
have had regression tests added in kfake. This release massively extends the
kfake test suite -- both with behavior tests that were ported via Claude
directly to franz-go (with license attribution!) and with behavior tests that
Claude generated specifically for kfake.

The "next generation" (KIP-848) consumer group code in franz-go itself has some
improvements. These improvements were found after adding 848 code to kfake,
which allowed for much faster integration test looping. This looping was still
very slow for what it's worth; towards the end, integration tests would pass
~40+ times with race mode over the course of two hours before failing once.
Claude was instrumental with adding appropriate log lines and tracing logs for
diagnosing extremely niche failures; things also got slower when a few specific
log lines that would've helped weren't added the first time...

Anyway,

Bug fixes

• Returns from PollRecords / PollFetches that contained ONLY an error (context
  cancellation or something) previously did not block rebalances, even if you
  opted into BlockRebalanceOnPoll.

• If, while idempotently producing, the client encountered TIMED_OUT while
  producing (retryable), the client considered this a "we definitively did not
  produce" state, and allowed you to cancel the records. Well, maybe the records
  actually did get produced broker side eventually, and now you re-produce new
  records - the NEW records could be "deduplicated" due to how idempotency works.
  This one is a bit niche, if you're interested, you should read #​1217 and the
  two PRs that address it.

• My original implementation of how Kerberos handled authentication was
  correct... for the time. I missed how it should have been touched up years
  ago and now 4.0 hard deprecates the old auth flow. So, that's been found,
  reported, and now fixed.

• If a partition returned a retryable error in a metadata request (odd behavior
  already) the first time the client is discovering the partition (i.e. on
  startup), the client would not retry loading the partition right away (it
  would, but much later on standard metadata refresh).

• There was a very subtle, basically un-encounterable data race while
  consuming. That was fixed in 5caaa1e0. It's so niche it's not worth
  writing more about here.

• RequestCachedMetadata, broken for a few releases, has been fixed. I plan to
  switch kadm back to using it in the next kadm release.

• There was a data race on client shutdown while leaving the group if you canceled
  the client context.

Improvements

• ConnIdleTimeout is now obeyed more exactly, allowing you to more reliably reason
  about the maximum idle time. Thanks @​carsonip!

• At the end of a group transact session, I force a heartbeat to kinda "force
  detect" the group is still alive (with some timing bounds). If the heartbeat
  detected any error - including REBALANCE_IN_PROGRESS - the session would
  abort no matter what. This has been changed to actually allow a commit (if
  that's what you're doing) in certain scenarios (notably: the client detects
  KIP-447 support on the broker and you are using RequireStable).

• SetOffsets now does not let you set offsets for partitions that are not being
  consumed. Previously, you could, but it'd just create entries in a map that were
  never used. Those entries are no longer created.

• ProduceSync now automatically un-lingers any partition that is produced to,
  causing more immediate flushes. This should resolve lag that was introduced
  from v1.20.0 where linger was set to 10ms by default. There are many usages of
  franz-go I've seen in the wild where ProduceSync is used in random places to
  produce one message before going back to other things.

• 764eb29d improvement kgo: unlinger partitions in ProduceSync to avoid linger delay
• d996bf71 bugfix kgo: fix data race during client shutdown with canceled context
• 85b2c855 behavior change kgo: fix applySetOffsets to skip partitions not being consumed
• 05de202b improvement kgo: allow commit despite rebalance with KIP-447 and RequireStable
• e8a00cd6 improvement kgo: do not reuse idle connection after connIdleTimeout (thanks @​carsonip!)
• 787ab9fe bugfix kgo: fix and enhance RequestCachedMetadata
• 5caaa1e0 bugfix kgo: fix data race in allowUsable reading c.source after Swap
• 40c144d3 bugfix kgo: check loadErr for new partitions on first metadata load
• e430ea93 bugfix kgo: send SaslHandshake for GSSAPI mechanism
• 702c4f75 bugfix kgo: error returns from polling should block rebalance
• 32e1580a 0c086b05 bugfix kgo: poison batches to prevent future cancelation on two errors

uber-go/zap (go.uber.org/zap)

v1.28.0

Compare Source

Enhancements:

• #​1534: Add zapcore.CheckPreWriteHook and CheckedEntry.Before method for transforming entries before they are written to any Cores.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated

Details:

Package	Change
github.com/golang-jwt/jwt/v5	v5.3.0 -> v5.3.1
github.com/klauspost/compress	v1.18.3 -> v1.18.5
github.com/pierrec/lz4/v4	v4.1.25 -> v4.1.26
golang.org/x/crypto	v0.47.0 -> v0.50.0
golang.org/x/net	v0.49.0 -> v0.52.0
golang.org/x/sys	v0.40.0 -> v0.43.0