fix: patch Snyk vulnerabilities and upgrade dependencies

.snyk

@@ -1,19 +1,19 @@
 version: v1.5.0
 ignore:
   # --- License issues (MPL-2.0 from HashiCorp transitive deps) ---
-  snyk:lic:golang:github.com/hashicorp/go-multierror:MPL-2.0:
+  snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0:
     - '*':
         reason: Generated code dependency from entgo.io/contrib entgql templates; cannot remove without forking
         created: 2026-03-20T00:00:00.000Z
-  snyk:lic:golang:github.com/hashicorp/errwrap:MPL-2.0:
+  snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0:
     - '*':
         reason: Transitive dependency of go-multierror; cannot remove without forking
         created: 2026-03-20T00:00:00.000Z
-  snyk:lic:golang:github.com/hashicorp/hcl/v2:MPL-2.0:
+  snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0:
     - '*':
         reason: Transitive dependency of ariga.io/atlas used by ent; cannot remove
         created: 2026-03-20T00:00:00.000Z
-  snyk:lic:golang:github.com/hashicorp/golang-lru/v2:MPL-2.0:
+  snyk:lic:golang:github.com:hashicorp:golang-lru:v2:MPL-2.0:
     - '*':
         reason: Transitive dependency of entgo.io/contrib and github.com/99designs/gqlgen; cannot remove without forking
         created: 2026-03-25T00:00:00.000Z
@@ -88,7 +88,7 @@ ignore:
         created: 2026-04-09T00:00:00.000Z
   # --- OpenTelemetry CVE-2026-39882: Memory Allocation with Excessive Size (CWE-789) ---
   # Affects otel/exporters/otlp/otlpmetric/otlpmetrichttp and otlptrace/otlptracehttp.
-  SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197:
+  SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197:
     - '*':
         reason: >-
           CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High).
@@ -97,7 +97,7 @@ ignore:
           imported by this project. Not compiled into any binary.
         expires: 2026-10-09T00:00:00.000Z
         created: 2026-04-09T00:00:00.000Z
-  SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954195:
+  SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954196:
     - '*':
         reason: >-
           CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High).
@@ -116,57 +116,53 @@ ignore:
           Not compiled into any binary. (Separate CVE from existing ignore -15182758.)
         expires: 2026-10-09T00:00:00.000Z
         created: 2026-04-09T00:00:00.000Z
-  # --- go-jose vulnerabilities (fixed via go.mod pin; ignores retained as safety net) ---
-  # go mod tidy drops the pin because grpc only requires v4.1.3.
+  # --- go-jose vulnerabilities (transitive ghost dep via grpc; not in go.mod) ---
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSE-15875219:
     - '*':
         reason: >-
           Improper Verification of Cryptographic Signature (CVSS 8.0).
-          Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
-          go mod tidy reverts this pin because upstream deps (grpc) only require
-          v4.1.3, and lazy module loading does not track the override in go.mod.
+          Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-07T00:00:00.000Z
         created: 2026-04-07T00:00:00.000Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-15875221:
     - '*':
         reason: >-
           CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
-          Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
-          go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+          Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-09T00:00:00.000Z
         created: 2026-04-09T00:00:00.000Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSECIPHER-15875222:
     - '*':
         reason: >-
           CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
-          Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
-          go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+          Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-09T00:00:00.000Z
         created: 2026-04-09T00:00:00.000Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4CIPHER-15875234:
     - '*':
         reason: >-
           CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7).
-          Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net —
-          go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3.
+          Transitive dependency of google.golang.org/grpc (requires v4.1.3);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-09T00:00:00.000Z
         created: 2026-04-09T00:00:00.000Z
-  # --- golang.org/x/crypto vulnerabilities (fixed via go.mod pin; ignore retained as safety net) ---
+  # --- golang.org/x/crypto vulnerabilities (transitive ghost dep; not in go.mod) ---
   SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056:
     - '*':
         reason: >-
           CVE-2025-22869 Allocation of Resources Without Limits (CWE-770, CVSS 6.9).
-          Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety
-          net — go mod tidy reverts this pin because upstream deps (hashicorp/hcl v2.24.0)
-          only require v0.38.0, and lazy module loading does not track the override in go.mod.
+          Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-07T00:00:00.000Z
         created: 2026-04-07T00:00:00.000Z
   SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891:
     - '*':
         reason: >-
           CVE-2025-47913 Improper Handling of Unexpected Data Type (CWE-241, CVSS 7.1).
-          Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety
-          net — go mod tidy reverts this pin because upstream deps constrain resolution to
-          v0.38.0, and lazy module loading does not track the override in go.mod.
+          Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0);
+          not listed in go.mod and not compiled into any binary.
         expires: 2026-10-07T00:00:00.000Z
         created: 2026-04-07T00:00:00.000Z

_examples/go.mod

@@ -1,6 +1,6 @@
 module _examples
 
-go 1.26.1
+go 1.26.2
 
 require (
 	entgo.io/contrib v0.7.0
@@ -43,7 +43,7 @@ require (
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

_examples/go.sum

@@ -105,8 +105,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
 golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
 google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

go.mod

@@ -1,6 +1,6 @@
 module github.com/flume/enthistory
 
-go 1.26.1
+go 1.26.2
 
 require (
 	entgo.io/contrib v0.7.0
@@ -24,7 +24,6 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
@@ -41,10 +40,9 @@ require (
 	github.com/zclconf/go-cty v1.18.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.2.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -26,8 +26,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
-github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-openapi/inflect v0.21.5 h1:M2RCq6PPS3YbIaL7CXosGL3BbzAcmfBAT0nC3YfesZA=
 github.com/go-openapi/inflect v0.21.5/go.mod h1:GypUyi6bU880NYurWaEH2CmH84zFDNd+EhhmzroHmB4=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
@@ -88,8 +86,6 @@ github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCT
 github.com/zclconf/go-cty-yaml v1.2.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
@@ -104,8 +100,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
 golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
 google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

go.work

@@ -1,4 +1,4 @@
-go 1.26.1
+go 1.26.2
 
 use (
 	.