Bump the gomod-backward-compatible group across 1 directory with 4 updates

[dependabot]

Bumps the gomod-backward-compatible group with 2 updates in the /db directory: github.com/meilisearch/meilisearch-go and github.com/pocketbase/pocketbase.

Updates github.com/meilisearch/meilisearch-go from 0.29.0 to 0.34.2

Release notes

Sourced from github.com/meilisearch/meilisearch-go's releases.

v0.34.2 🐹

🚀 Enhancements

• feat: add index compact (#726) @​ElyarSadig

Thanks again to @​ElyarSadig and @​ja7ad! 🎉

v0.34.1 🐹

🐛 Bug Fixes

• update: fix update typo tolerance (#723) @​ElyarSadig

⚙️ Maintenance/misc

• Update dependabot and release template configuration (#720)
• chore(deps): bump actions/setup-go from 5 to 6 (#721) @dependabot[bot]

Thanks again to @​ElyarSadig, @​dependabot[bot], @​ja7ad, and dependabot[bot]! 🎉

v0.34.0 🐹

• Update version for the next release (v0.34.0) (#718) @​ja7ad

⚠️ Breaking changes

• feat: add renaming indexes & add queryVector field to searchResponse (#717) @​ElyarSadig

🚀 Enhancements

• Add enhanced DecodeInto for hit and hits (#713) @​ja7ad
• Improved examples logics for decode hits (#714) @​ja7ad

⚙️ Maintenance/misc

• Add examples to readme (#715) @​ja7ad

Thanks again to @​ElyarSadig and @​ja7ad! 🎉

v0.33.3 🐹

🚀 Enhancements

• feat: add sharding (#705) @​ElyarSadig

⚙️ Maintenance/misc

• chore: add explicit nil to add documents primarykey in docs (#706) @​ElyarSadig
• feat: add runnable examples for search and chat streaming (#703) @​RISHABH4SAHNI

Thanks again to @​ElyarSadig, @​RISHABH4SAHNI, @​ja7ad, @​r-sahni and dependabot[bot]! 🎉

v0.33.2 🐹

... (truncated)

Commits

• 67c644a Bump version from 0.34.1 to 0.34.2
• 0e78749 chore: add index compact to code-samples
• 4ab50e2 test: add test for index compact
• 2cdaea0 feat: add index compact
• 9a4db78 chore: bump version to 0.34.1
• 7521f85 test: improve typo tolerance test
• 873bb99 update: remove omitempty from typo tolerance
• dbe0e53 chore(deps): bump actions/setup-go from 5 to 6
• dc9c6a4 Update .github/release-draft-template.yml
• 919a827 Update .github/dependabot.yml
• Additional commits viewable in compare view

Updates github.com/pocketbase/pocketbase from 0.30.0 to 0.34.0

Release notes

Sourced from github.com/pocketbase/pocketbase's releases.

v0.34.0 Release

To update the prebuilt executable you can run ./pocketbase update.

• Added @request.body.someField:changed modifier. It could be used when you want to ensure that a body field either wasn't submitted or was submitted with the same value. Or in other words, if you want to disallow a field change the below 2 expressions would be equivalent:

  // (old)
  (@request.body.someField:isset = false || @request.body.someField = someField)
  // (new)
  @​request.body.someField:changed = false

• Added MailerRecordEvent.Meta["info"] property for the OnMailerRecordAuthAlertSend hook.

• Updated the backup restore popup with a short info about the performed restore steps.

• Updated Go deps.

v0.33.0 Release

To update the prebuilt executable you can run ./pocketbase update.

• Added extra id characters validation in addition to the user specified regex pattern (#7312). The following special characters are always forbidden: ./\|"'``<>:?*%$\n\r\t\0 . Common reserved Windows file names such as aux, prn, con, nul, com1-9, lpt1-9 are also not allowed. The list is not exhaustive but it should help minimizing eventual filesystem compatibility issues in case of wildcards or other loose regex patterns.

• Added {ALERT_INFO} placeholder to the auth alert mail template (#7314). ⚠️ mails.SendRecordAuthAlert(app, authRecord, info) also now accepts a 3rd info string argument.

• Updated Go deps.

v0.32.0 Release

To update the prebuilt executable you can run ./pocketbase update.

• ⚠️ Added extra List/Search API rules checks for the client-side filter/sort relations.

  This is continuation of the effort to eliminate the risk of information disclosure (and eventually the side-channel attacks that may originate from that).

  So far this was accepted tradeoff between performance, usability and correctness since the solutions at the time weren't really practical (especially with the back-relations as mentioned in ["Security and performance" section in #4417](Notes about the upcoming back relation support pocketbase/pocketbase#4417)), but with v0.23+ changes we can implement the extra checks without littering the code too much, with very little impact on the performance and at the same time ensuring better out of the box security (especially for the cases where users operate with sensitive fields like "code", "token", "secret", etc.).

  Similar to the previous release, probably for most users with already configured API rules this change won't be breaking, but if you have an intermediate/junction collection that is "locked" (superusers-only) we no longer will allow the client-side relation filter to pass through it and you'll have to set its List/Search API rule to enable the current user to search in it.

  For example, if you have a client-side filter that targets rel1.rel2.token, the client must have not only List/Search API rule access to the main collection BUT also to the collections referenced by "rel1" and "rel2" relation fields.

  Note that this change is only for the client-side filter/sort and doesn't affect the execution of superuser requests, API rules and expand - they continue to work the same as it is.

  An optional environment variable to toggle this behavior was considered but for now I think having 2 ways of resolving client-side filters would introduce maintenance burden and can even cause confusion (this change should actually make things more intuitive and clear because we can simply say something like "you can search by a collection X field only if you have List/Search API rule access to it" no matter whether the targeted collection is the request's main collection, the first or last relation from the filter chain, etc.).

  If you stumble on an error or extreme query performance degradation as a result of the extra checks, please open a Q&A discussion with the failing request and export of your collections configuration as JSON (Settings > Export collections) and I'll try to investigate it.

... (truncated)

Changelog

Sourced from github.com/pocketbase/pocketbase's changelog.

v0.34.0

• Added @request.body.someField:changed modifier. It could be used when you want to ensure that a body field either wasn't submitted or was submitted with the same value. Or in other words, if you want to disallow a field change the below 2 expressions would be equivalent:

  // (old)
  (@request.body.someField:isset = false || @request.body.someField = someField)
  // (new)
  @​request.body.someField:changed = false

• Added MailerRecordEvent.Meta["info"] property for the OnMailerRecordAuthAlertSend hook.

• Updated the backup restore popup with a short info about the performed restore steps.

• Updated Go deps.

v0.33.0

• Added extra id characters validation in addition to the user specified regex pattern (#7312). The following special characters are always forbidden: ./\|"'``<>:?*%$\n\r\t\0 . Common reserved Windows file names such as aux, prn, con, nul, com1-9, lpt1-9 are also not allowed. The list is not exhaustive but it should help minimizing eventual filesystem compatibility issues in case of wildcards or other loose regex patterns.

• Added {ALERT_INFO} placeholder to the auth alert mail template (#7314). ⚠️ mails.SendRecordAuthAlert(app, authRecord, info) also now accepts a 3rd info string argument.

• Updated Go deps.

v0.32.0

• ⚠️ Added extra List/Search API rules checks for the client-side filter/sort relations.

  This is continuation of the effort to eliminate the risk of information disclosure (and eventually the side-channel attacks that may originate from that).

  So far this was accepted tradeoff between performance, usability and correctness since the solutions at the time weren't really practical (especially with the back-relations as mentioned in ["Security and performance" section in #4417](Notes about the upcoming back relation support pocketbase/pocketbase#4417)), but with v0.23+ changes we can implement the extra checks without littering the code too much, with very little impact on the performance and at the same time ensuring better out of the box security (especially for the cases where users operate with sensitive fields like "code", "token", "secret", etc.).

  Similar to the previous release, probably for most users with already configured API rules this change won't be breaking, but if you have an intermediate/junction collection that is "locked" (superusers-only) we no longer will allow the client-side relation filter to pass through it and you'll have to set its List/Search API rule to enable the current user to search in it.

  For example, if you have a client-side filter that targets rel1.rel2.token, the client must have not only List/Search API rule access to the main collection BUT also to the collections referenced by "rel1" and "rel2" relation fields.

  Note that this change is only for the client-side filter/sort and doesn't affect the execution of superuser requests, API rules and expand - they continue to work the same as it is.

  An optional environment variable to toggle this behavior was considered but for now I think having 2 ways of resolving client-side filters would introduce maintenance burden and can even cause confusion (this change should actually make things more intuitive and clear because we can simply say something like "you can search by a collection X field only if you have List/Search API rule access to it" no matter whether the targeted collection is the request's main collection, the first or last relation from the filter chain, etc.).

  If you stumble on an error or extreme query performance degradation as a result of the extra checks, please open a Q&A discussion with the failing request and export of your collections configuration as JSON (Settings > Export collections) and I'll try to investigate it.

... (truncated)

Commits

• 90d896e updated changelog
• c13d83a updated jsvm types
• 9b73295 added dumy request info to directly return an error on invalid API rule
• 3c6ce2d updated go deps
• 63b8953 use TEST_IP for the test auth alert email
• 779059e added short info about the backup restore steps
• 9abdadf updated modernc.org/sqlite
• 6500b8c renamed outdated rate limit struct name and added reminder to reavulate the a...
• 91f1ca2 #7333 updated CHANGELOG with typo fixed for geoDistance url
• 6e739fd added :changed request body modifier
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.44.0 to 0.47.0

Commits

• 9a29643 go.mod: update golang.org/x dependencies
• 07cefd8 context: deprecate
• 5ac9dac publicsuffix: don't treat ip addresses as domain names
• d1f64cc quic: use testing/synctest
• fff0469 http2: document that RFC 7540 prioritization does not work with small payloads
• f35e3a4 http2: fix weight overflow in RFC 7540 write scheduler
• 89adc90 http2: fix typo referring to RFC 9218 as RFC 9128 instead
• 8d76a2c quic: don't defer MAX_STREAMS frames indefinitely
• 027f8b7 quic: fix expected ACK Delay in client's ACK after HANDSHAKE_DONE
• dec9fe7 dns/dnsmessage: update SVCB packing to prohibit name compression
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.17.0 to 0.18.0

Commits

• 1966f53 errgroup: fix some typos in comment
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions