Skip to content

build(deps): bump github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.1#301

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/fxamacker/cbor/v2-2.9.1
Open

build(deps): bump github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.1#301
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/fxamacker/cbor/v2-2.9.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 30, 2026

Bumps github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.1.

Release notes

Sourced from github.com/fxamacker/cbor/v2's releases.

v2.9.1

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

  • [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #757)
  • [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #757)
  • [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

  • [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #753)
  • [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #753)
  • [Encoding] Reject encoding nil inside indefinite-length strings (PR #750)
  • [Diagnostic] Accept valid U+FFFD replacement character (PR #753)

What's Changed

CI / GitHub Actions and Docs

... (truncated)

Commits
  • 63d1c66 Merge pull request #758 from fxamacker/fxamacker/update-readme-for-release
  • e8b10c3 Merge pull request #757 from fxamacker/fxamacker/fix-keyasint
  • 4dd026b Update README status
  • 3076938 Update golangci-lint to v2.10.1
  • 6920cbe Migrate .golangci.yml to version 2
  • 05358b1 Fix several issues related to keyasint
  • 3851e1b Merge pull request #754 from fxamacker/fxamacker/refactor-parseMapToStruct-etc
  • 48a18bf Refactor field
  • 59d62f5 Merge pull request #753 from fxamacker/fxamacker/small-bugfixes
  • 46bc977 Merge pull request #752 from fxamacker/fxamacker/refactor-and-add-tests
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump github.com/fxamacker/cbor/v2 from 2.8.0 to 2.9.1
4b6326b 
Bumps [github.com/fxamacker/cbor/v2](https://github.com/fxamacker/cbor) from 2.8.0 to 2.9.1.
- [Release notes](https://github.com/fxamacker/cbor/releases)
- [Commits](fxamacker/cbor@v2.8.0...v2.9.1)

---
updated-dependencies:
- dependency-name: github.com/fxamacker/cbor/v2
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 30, 2026
@dependabot dependabot bot requested a review from gokarnm as a code owner March 30, 2026 18:10
@dependabot dependabot bot added the go Pull requests that update Go code label Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gokarnm gokarnm Awaiting requested review from gokarnm gokarnm is a code owner

@NiazFK NiazFK Awaiting requested review from NiazFK NiazFK is a code owner

@priteshbandi priteshbandi Awaiting requested review from priteshbandi priteshbandi is a code owner

@rgnote rgnote Awaiting requested review from rgnote rgnote is a code owner

@shizhMSFT shizhMSFT Awaiting requested review from shizhMSFT shizhMSFT is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

@vaninrao10 vaninrao10 Awaiting requested review from vaninrao10 vaninrao10 is a code owner

@yizha1 yizha1 Awaiting requested review from yizha1 yizha1 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants