Bump github.com/twmb/franz-go from 1.21.3 to 1.21.4 in the go-dependencies group

[dependabot]

Bumps the go-dependencies group with 1 update: github.com/twmb/franz-go.

Updates github.com/twmb/franz-go from 1.21.3 to 1.21.4

Changelog

Sourced from github.com/twmb/franz-go's changelog.

v1.21.4

This release is a "large" (many commits) release that has many small or hard to encounter bugs fixed. I pointed Claude's Fable at this repo and ran some audit rounds while available and thankfully got through the highest value audit rounds before Fable was removed.

For once, I will not be describing every bug fixed nor calling out every relevant commit. Instead, if you are curious, look at #1348. Some worthwhile description is below.

Three important bug fixes to call out:

• In transactional exactly-once consuming, a SetOffsets seek (which happens during GroupTransactSession.End after an aborted transaction) could be undone by a concurrent offset load (via a background list or epoch load) that completed slightly later. This could happen when the client discovers a partition leader moved while you are aborting, which could result in missed records.

• Consuming with read_committed against a broker that returns a partition's aborted-transaction list out of offset order could surface aborted, rolled-back records as if they were committed. Apache Kafka always returns them in order so this was never observed there, but Redpanda does not (when an aborted transaction is still in memory and an earlier one is already on disk). The list is now sorted client-side, matching the Java client, librdkafka, and Sarama.

• GroupTransactSession.End no longer reports a successful commit when the broker answers EndTxn with UNKNOWN_SERVER_ERROR (seen from Redpanda in some older versions). Previously the consumer's offsets were advanced past a transaction that may have aborted; now the commit is reported as failing and the session rewinds for reprocessing.

Beyond those, by area:

• Many transaction-path fixes for coordinator churn and KIP-890 part 2 that would have resulted in not-working (hard client fail) or hung transactions: InitProducerID retries CONCURRENT_TRANSACTIONS when taking over a crashed producer's transaction, retriable producer-id load failures are no longer treated as fatal, KIP-890p2 is opted into only when the negotiated versions actually support it (fixing spurious INVALID_TXN_STATE on 4.0+ clusters running older semantics), a transaction whose every produce failed now aborts instead of hanging until the transaction timeout, and a failed AddPartitionsToTxn no longer drops partitions added by an earlier request.

• GzipCompression().WithLevel(...) was completely broken and would panic.

... (truncated)

Commits

• 2af41df Merge pull request #1351 from twmb/cl
• 2c15b0f cl: note incoming 1.21.4
• 5b5fa28 Merge pull request #1348 from twmb/audit-fixes
• cf46127 fix lints
• 16ee386 kfake: prove pending offset reloads survive a retaining session stop
• f447b25 kgo: apply PR review feedback on the audit fixes
• b694643 kgo: document churn-recovery fix constraints at their code seams
• a1a62ce kgo: anchor intentional-behavior rationales in-code (NOT_BUGS durables)
• 544189e kgo: floor a non-positive KIP-714 telemetry push interval
• a740bc8 kgo: set is_monotonic on KIP-714 sum/total counter metrics
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions