chore(deps/message-bus): bump the message-bus-deps group across 1 directory with 4 updates

[dependabot]

Bumps the message-bus-deps group with 4 updates in the /backend/message-bus directory: gorm.io/gorm, github.com/getkin/kin-openapi, github.com/labstack/echo/v4 and gopkg.in/ini.v1.

Updates gorm.io/gorm from 1.25.7 to 1.31.1

Release notes

Sourced from gorm.io/gorm's releases.

Release v1.31.1

Changes

• Add Namer-based column lookup to Schema.LookUpField @​cmmoran (#7619)
• fix: Allow escaped double quotes in struct tag parser @​kankankanp (#7631)
• Fix slog logger caller frame detection to output correct source file @​ifooth (#7610)
• chore(docs): edited the badge test @​Olexandr88 (#7635)
• Fix AutoMigrate default value comparison for string fields (issue #7590) @​nowindexman (#7591)
• fix(UnixSecondSerializer.Value): Avoid panic when handling unsigned integer values @​dushaoshuai (#7608)
• chore: fix some comments @​wyrapeseed (#7615)
• Rename IsValidDBNameChar to IsInvalidDBNameChar @​mengxunQAQ (#7582)

Release v1.31.0

Changes

• Add association operation support to generics Set API and enable conditional bulk association updates @​jinzhu (#7581)

Release v1.30.5

Changes

• No changes

Release v1.30.4

Changes

• Add Set-based Create and Update support to Generics API @​jinzhu (#7578)
• fix: build failure on Go versions below 1.21 @​iTanken (#7572)
• fix slogLogger to support ParameterizedQueries Config @​EricWvi (#7574)

Release v1.30.3

Changes

• No changes

Release v1.30.2

Changes

• avoid copying structures with embedded mutexs @​drakkan (#7571)
• Add DefaultContextTimeout option @​jinzhu (#7567)
• Update the docker compose file @​moseszane168 (#7524)
• fix: returning all columns with "on conflict do update" @​phongphan (#7534)
• feat(slog-integration) @​rezamokaram (#7537)
• fix data race in some case go-gorm/gorm@725aa5b
• performance improvement

Release v1.30.1

Changes

• optimize: field.ReflectValueOf @​liov (#7530)
• optimize: performance optimization @​liov (#7526)

... (truncated)

Commits

• eabca1f Allow Select/Omit for Generics Create, close #7638, #7633
• a57abbe Add Namer-based column lookup to Schema.LookUpField (#7619)
• 5eaf05a fix: Allow escaped double quotes in struct tag parser (#7631)
• 2c3d109 Fix slog logger caller frame detection to output correct source file (#7610)
• 4808ff5 Update README.md (#7635)
• 141388f Fix AutoMigrate default value comparison for string fields (issue #7590) (#7591)
• d9372f5 fix(UnixSecondSerializer.Value): Avoid panic when handling unsigned integer v...
• d8cdb39 chore: fix some comment (#7615)
• b881483 Rename IsValidDBNameChar to IsInvalidDBNameChar (#7582)
• b289563 Remove unnecessary OpCreateValue mode
• Additional commits viewable in compare view

Updates github.com/getkin/kin-openapi from 0.138.0 to 0.140.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.140.0

What's Changed

• openapi3: document that a custom ReadFromURIFunc bypasses IsExternalRefsAllowed by @​reuvenharrison in getkin/kin-openapi#1191
• openapi3: remove deepcopy dependency by @​alexandear in getkin/kin-openapi#1193
• openapi3: remove decimal128 dependency by @​alexandear in getkin/kin-openapi#1194
• refactor: apply modernize fixes by @​alexandear in getkin/kin-openapi#1195
• openapi2,openapi3: replace marshmallow with encoding/json by @​alexandear in getkin/kin-openapi#1196
• docs: update GoDoc links to Go Reference by @​alexandear in getkin/kin-openapi#1197
• chore: bump jsonpointer to v0.22.5 by @​alexandear in getkin/kin-openapi#1198

Full Changelog: getkin/kin-openapi@v0.139.0...v0.140.0

v0.139.0

What's Changed

• feat(openapi3): batch-convert long-tail RequiredFieldError sites by @​reuvenharrison in getkin/kin-openapi#1170
• feat(openapi3): typed validation error clusters (combined: #1171-#1179) by @​reuvenharrison in getkin/kin-openapi#1180
• openapi3gen: skip component export for anonymous types by @​0-don in getkin/kin-openapi#1163
• feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by @​reuvenharrison in getkin/kin-openapi#1181
• openapi3: typed context errors for Validate() wrapper chain by @​reuvenharrison in getkin/kin-openapi#1183
• openapi3: track Origin on the document root (T) by @​reuvenharrison in getkin/kin-openapi#1184
• openapi3: tests flakiness corrected by @​fenollp in getkin/kin-openapi#1159
• openapi3: aggregate independent validation errors via EnableMultiError by @​reuvenharrison in getkin/kin-openapi#1185
• openapi3: fix validation of duplicated path templates by @​reuvenharrison in getkin/kin-openapi#1189
• openapi3: type the remaining bare-error validation sites by @​reuvenharrison in getkin/kin-openapi#1187

Full Changelog: getkin/kin-openapi@v0.138.0...v0.139.0

Commits

• 5124898 chore: bump jsonpointer to v0.22.5 (#1198)
• 5ece4a3 docs: update GoDoc links to Go Reference (#1197)
• b8600c5 openapi2,openapi3: remove marshmallow dependency (#1196)
• 3a5ddcd refactor: apply modernize fixes (#1195)
• 742704d openapi3: remove decimal128 dependency (#1194)
• 368327b openapi3: remove deepcopy dependency (#1193)
• 4dc207c openapi3: document that a custom ReadFromURIFunc bypasses IsExternalRefsAllow...
• 8381bfc openapi3: type the remaining bare-error validation sites (#1187)
• d29b5c0 openapi3: fix validation of duplicated path templates (#1189)
• e56c2c7 openapi3: aggregate independent validation errors via EnableMultiError (#1185)
• Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits

• ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
• 2714c07 Changelog for v4.15.4 - security fix
• 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
• d16a4ec backport PR 3016 from v4
• 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
• 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
• 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
• 11a3cc4 Update dependencies and add ignore for linting
• 26bd016 Update CI action versions
• aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
• Additional commits viewable in compare view

Updates gopkg.in/ini.v1 from 1.67.2 to 1.67.3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions