chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0. - [Commits](https://github.com/golang/crypto/compare/v0.43.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
2025-12-21 21:33:22 +01:00 · 2025-11-20 03:01:34 +00:00
parent cfc7fdb6b8
commit 837abbe578
21 changed files with 352 additions and 6180 deletions
--- a/go.mod
+++ b/go.mod
@@ -140,13 +140,13 @@ require (
 	go.podman.io/storage v1.60.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
--- a/go.sum
+++ b/go.sum
@@ -399,8 +399,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -421,8 +421,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -430,8 +430,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190225065934-cc5685c2db12/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -457,8 +457,8 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -466,8 +466,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/vendor/golang.org/x/crypto/sha3/doc.go
+++ b/vendor/golang.org/x/crypto/sha3/doc.go
@@ -1,66 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package sha3 implements the SHA-3 fixed-output-length hash functions and
 // the SHAKE variable-output-length hash functions defined by FIPS-202.
 //
 // All types in this package also implement [encoding.BinaryMarshaler],
 // [encoding.BinaryAppender] and [encoding.BinaryUnmarshaler] to marshal and
 // unmarshal the internal state of the hash.
 //
 // Both types of hash function use the "sponge" construction and the Keccak
 // permutation. For a detailed specification see http://keccak.noekeon.org/
 //
 // # Guidance
 //
 // If you aren't sure what function you need, use SHAKE256 with at least 64
 // bytes of output. The SHAKE instances are faster than the SHA3 instances;
 // the latter have to allocate memory to conform to the hash.Hash interface.
 //
 // If you need a secret-key MAC (message authentication code), prepend the
 // secret key to the input, hash with SHAKE256 and read at least 32 bytes of
 // output.
 //
 // # Security strengths
 //
 // The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
 // strength against preimage attacks of x bits. Since they only produce "x"
 // bits of output, their collision-resistance is only "x/2" bits.
 //
 // The SHAKE-256 and -128 functions have a generic security strength of 256 and
 // 128 bits against all attacks, provided that at least 2x bits of their output
 // is used.  Requesting more than 64 or 32 bytes of output, respectively, does
 // not increase the collision-resistance of the SHAKE functions.
 //
 // # The sponge construction
 //
 // A sponge builds a pseudo-random function from a public pseudo-random
 // permutation, by applying the permutation to a state of "rate + capacity"
 // bytes, but hiding "capacity" of the bytes.
 //
 // A sponge starts out with a zero state. To hash an input using a sponge, up
 // to "rate" bytes of the input are XORed into the sponge's state. The sponge
 // is then "full" and the permutation is applied to "empty" it. This process is
 // repeated until all the input has been "absorbed". The input is then padded.
 // The digest is "squeezed" from the sponge in the same way, except that output
 // is copied out instead of input being XORed in.
 //
 // A sponge is parameterized by its generic security strength, which is equal
 // to half its capacity; capacity + rate is equal to the permutation's width.
 // Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
 // that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
 //
 // # Recommendations
 //
 // The SHAKE functions are recommended for most new uses. They can produce
 // output of arbitrary length. SHAKE256, with an output length of at least
 // 64 bytes, provides 256-bit security against all attacks.  The Keccak team
 // recommends it for most applications upgrading from SHA2-512. (NIST chose a
 // much stronger, but much slower, sponge instance for SHA3-512.)
 //
 // The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
 // They produce output of the same length, with the same security strengths
 // against all attacks. This means, in particular, that SHA3-256 only has
 // 128-bit collision resistance, because its output length is 32 bytes.
 package sha3
--- a/vendor/golang.org/x/crypto/sha3/hashes.go
+++ b/vendor/golang.org/x/crypto/sha3/hashes.go
@@ -2,127 +2,94 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package sha3 implements the SHA-3 hash algorithms and the SHAKE extendable
 // output functions defined in FIPS 202.
 //
 // Most of this package is a wrapper around the crypto/sha3 package in the
 // standard library. The only exception is the legacy Keccak hash functions.
 package sha3
 // This file provides functions for creating instances of the SHA-3
 // and SHAKE hash functions, as well as utility functions for hashing
 // bytes.
 import (
-	"crypto"
+	"crypto/sha3"
 	"hash"
 )
 // New224 creates a new SHA3-224 hash.
 // Its generic security strength is 224 bits against preimage attacks,
 // and 112 bits against collision attacks.
 //
 // It is a wrapper for the [sha3.New224] function in the standard library.
 //
 //go:fix inline
 func New224() hash.Hash {
-	return new224()
+	return sha3.New224()
 }
 // New256 creates a new SHA3-256 hash.
 // Its generic security strength is 256 bits against preimage attacks,
 // and 128 bits against collision attacks.
 //
 // It is a wrapper for the [sha3.New256] function in the standard library.
 //
 //go:fix inline
 func New256() hash.Hash {
-	return new256()
+	return sha3.New256()
 }
 // New384 creates a new SHA3-384 hash.
 // Its generic security strength is 384 bits against preimage attacks,
 // and 192 bits against collision attacks.
 //
 // It is a wrapper for the [sha3.New384] function in the standard library.
 //
 //go:fix inline
 func New384() hash.Hash {
-	return new384()
+	return sha3.New384()
 }
 // New512 creates a new SHA3-512 hash.
 // Its generic security strength is 512 bits against preimage attacks,
 // and 256 bits against collision attacks.
 //
 // It is a wrapper for the [sha3.New512] function in the standard library.
 //
 //go:fix inline
 func New512() hash.Hash {
-	return new512()
+	return sha3.New512()
 }
 func init() {
 	crypto.RegisterHash(crypto.SHA3_224, New224)
 	crypto.RegisterHash(crypto.SHA3_256, New256)
 	crypto.RegisterHash(crypto.SHA3_384, New384)
 	crypto.RegisterHash(crypto.SHA3_512, New512)
 }
 const (
 	dsbyteSHA3   = 0b00000110
 	dsbyteKeccak = 0b00000001
 	dsbyteShake  = 0b00011111
 	dsbyteCShake = 0b00000100
 	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
 	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
 	rateK256  = (1600 - 256) / 8
 	rateK448  = (1600 - 448) / 8
 	rateK512  = (1600 - 512) / 8
 	rateK768  = (1600 - 768) / 8
 	rateK1024 = (1600 - 1024) / 8
 )
 func new224Generic() *state {
 	return &state{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3}
 }
 func new256Generic() *state {
 	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3}
 }
 func new384Generic() *state {
 	return &state{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3}
 }
 func new512Generic() *state {
 	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3}
 }
 // NewLegacyKeccak256 creates a new Keccak-256 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New256 instead.
 func NewLegacyKeccak256() hash.Hash {
 	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
 }
 // NewLegacyKeccak512 creates a new Keccak-512 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New512 instead.
 func NewLegacyKeccak512() hash.Hash {
 	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
 }
 // Sum224 returns the SHA3-224 digest of the data.
-func Sum224(data []byte) (digest [28]byte) {
+//
-	h := New224()
+// It is a wrapper for the [sha3.Sum224] function in the standard library.
-	h.Write(data)
+//
-	h.Sum(digest[:0])
+//go:fix inline
-	return
+func Sum224(data []byte) [28]byte {
 	return sha3.Sum224(data)
 }
 // Sum256 returns the SHA3-256 digest of the data.
-func Sum256(data []byte) (digest [32]byte) {
+//
-	h := New256()
+// It is a wrapper for the [sha3.Sum256] function in the standard library.
-	h.Write(data)
+//
-	h.Sum(digest[:0])
+//go:fix inline
-	return
+func Sum256(data []byte) [32]byte {
 	return sha3.Sum256(data)
 }
 // Sum384 returns the SHA3-384 digest of the data.
-func Sum384(data []byte) (digest [48]byte) {
+//
-	h := New384()
+// It is a wrapper for the [sha3.Sum384] function in the standard library.
-	h.Write(data)
+//
-	h.Sum(digest[:0])
+//go:fix inline
-	return
+func Sum384(data []byte) [48]byte {
 	return sha3.Sum384(data)
 }
 // Sum512 returns the SHA3-512 digest of the data.
-func Sum512(data []byte) (digest [64]byte) {
+//
-	h := New512()
+// It is a wrapper for the [sha3.Sum512] function in the standard library.
-	h.Write(data)
+//
-	h.Sum(digest[:0])
+//go:fix inline
-	return
+func Sum512(data []byte) [64]byte {
 	return sha3.Sum512(data)
 }
--- a/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
+++ b/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
@@ -1,23 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !gc || purego || !s390x
 package sha3
 func new224() *state {
 	return new224Generic()
 }
 func new256() *state {
 	return new256Generic()
 }
 func new384() *state {
 	return new384Generic()
 }
 func new512() *state {
 	return new512Generic()
 }
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
+++ b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
@@ -1,13 +0,0 @@
 // Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build amd64 && !purego && gc
 package sha3
 // This function is implemented in keccakf_amd64.s.
 //go:noescape
 func keccakF1600(a *[25]uint64)
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
+++ b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
--- a/vendor/golang.org/x/crypto/sha3/legacy_hash.go
+++ b/vendor/golang.org/x/crypto/sha3/legacy_hash.go
@@ -4,15 +4,46 @@
 package sha3
 // This implementation is only used for NewLegacyKeccak256 and
 // NewLegacyKeccak512, which are not implemented by crypto/sha3.
 // All other functions in this package are wrappers around crypto/sha3.
 import (
 	"crypto/subtle"
 	"encoding/binary"
 	"errors"
 	"hash"
 	"unsafe"
 	"golang.org/x/sys/cpu"
 )
 const (
 	dsbyteKeccak = 0b00000001
 	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
 	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
 	rateK256  = (1600 - 256) / 8
 	rateK512  = (1600 - 512) / 8
 	rateK1024 = (1600 - 1024) / 8
 )
 // NewLegacyKeccak256 creates a new Keccak-256 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New256 instead.
 func NewLegacyKeccak256() hash.Hash {
 	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
 }
 // NewLegacyKeccak512 creates a new Keccak-512 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New512 instead.
 func NewLegacyKeccak512() hash.Hash {
 	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
 }
 // spongeDirection indicates the direction bytes are flowing through the sponge.
 type spongeDirection int
@@ -173,12 +204,9 @@ func (d *state) Sum(in []byte) []byte {
 }
 const (
 	magicSHA3   = "sha\x08"
 	magicShake  = "sha\x09"
 	magicCShake = "sha\x0a"
 	magicKeccak = "sha\x0b"
 	// magic || rate || main state || n || sponge direction
-	marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1
+	marshaledSize = len(magicKeccak) + 1 + 200 + 1 + 1
 )
 func (d *state) MarshalBinary() ([]byte, error) {
@@ -187,12 +215,6 @@ func (d *state) MarshalBinary() ([]byte, error) {
 func (d *state) AppendBinary(b []byte) ([]byte, error) {
 	switch d.dsbyte {
 	case dsbyteSHA3:
 		b = append(b, magicSHA3...)
 	case dsbyteShake:
 		b = append(b, magicShake...)
 	case dsbyteCShake:
 		b = append(b, magicCShake...)
 	case dsbyteKeccak:
 		b = append(b, magicKeccak...)
 	default:
@@ -210,12 +232,9 @@ func (d *state) UnmarshalBinary(b []byte) error {
 		return errors.New("sha3: invalid hash state")
 	}
-	magic := string(b[:len(magicSHA3)])
+	magic := string(b[:len(magicKeccak)])
-	b = b[len(magicSHA3):]
+	b = b[len(magicKeccak):]
 	switch {
 	case magic == magicSHA3 && d.dsbyte == dsbyteSHA3:
 	case magic == magicShake && d.dsbyte == dsbyteShake:
 	case magic == magicCShake && d.dsbyte == dsbyteCShake:
 	case magic == magicKeccak && d.dsbyte == dsbyteKeccak:
 	default:
 		return errors.New("sha3: invalid hash state identifier")
--- a/vendor/golang.org/x/crypto/sha3/legacy_keccakf.go
+++ b/vendor/golang.org/x/crypto/sha3/legacy_keccakf.go
@@ -2,10 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !amd64 || purego || !gc
 package sha3
 // This implementation is only used for NewLegacyKeccak256 and
 // NewLegacyKeccak512, which are not implemented by crypto/sha3.
 // All other functions in this package are wrappers around crypto/sha3.
 import "math/bits"
 // rc stores the round constants for use in the ι step.
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
+++ b/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
@@ -1,303 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build gc && !purego
 package sha3
 // This file contains code for using the 'compute intermediate
 // message digest' (KIMD) and 'compute last message digest' (KLMD)
 // instructions to compute SHA-3 and SHAKE hashes on IBM Z.
 import (
 	"hash"
 	"golang.org/x/sys/cpu"
 )
 // codes represent 7-bit KIMD/KLMD function codes as defined in
 // the Principles of Operation.
 type code uint64
 const (
 	// function codes for KIMD/KLMD
 	sha3_224  code = 32
 	sha3_256       = 33
 	sha3_384       = 34
 	sha3_512       = 35
 	shake_128      = 36
 	shake_256      = 37
 	nopad          = 0x100
 )
 // kimd is a wrapper for the 'compute intermediate message digest' instruction.
 // src must be a multiple of the rate for the given function code.
 //
 //go:noescape
 func kimd(function code, chain *[200]byte, src []byte)
 // klmd is a wrapper for the 'compute last message digest' instruction.
 // src padding is handled by the instruction.
 //
 //go:noescape
 func klmd(function code, chain *[200]byte, dst, src []byte)
 type asmState struct {
 	a         [200]byte       // 1600 bit state
 	buf       []byte          // care must be taken to ensure cap(buf) is a multiple of rate
 	rate      int             // equivalent to block size
 	storage   [3072]byte      // underlying storage for buf
 	outputLen int             // output length for full security
 	function  code            // KIMD/KLMD function code
 	state     spongeDirection // whether the sponge is absorbing or squeezing
 }
 func newAsmState(function code) *asmState {
 	var s asmState
 	s.function = function
 	switch function {
 	case sha3_224:
 		s.rate = 144
 		s.outputLen = 28
 	case sha3_256:
 		s.rate = 136
 		s.outputLen = 32
 	case sha3_384:
 		s.rate = 104
 		s.outputLen = 48
 	case sha3_512:
 		s.rate = 72
 		s.outputLen = 64
 	case shake_128:
 		s.rate = 168
 		s.outputLen = 32
 	case shake_256:
 		s.rate = 136
 		s.outputLen = 64
 	default:
 		panic("sha3: unrecognized function code")
 	}
 	// limit s.buf size to a multiple of s.rate
 	s.resetBuf()
 	return &s
 }
 func (s *asmState) clone() *asmState {
 	c := *s
 	c.buf = c.storage[:len(s.buf):cap(s.buf)]
 	return &c
 }
 // copyIntoBuf copies b into buf. It will panic if there is not enough space to
 // store all of b.
 func (s *asmState) copyIntoBuf(b []byte) {
 	bufLen := len(s.buf)
 	s.buf = s.buf[:len(s.buf)+len(b)]
 	copy(s.buf[bufLen:], b)
 }
 // resetBuf points buf at storage, sets the length to 0 and sets cap to be a
 // multiple of the rate.
 func (s *asmState) resetBuf() {
 	max := (cap(s.storage) / s.rate) * s.rate
 	s.buf = s.storage[:0:max]
 }
 // Write (via the embedded io.Writer interface) adds more data to the running hash.
 // It never returns an error.
 func (s *asmState) Write(b []byte) (int, error) {
 	if s.state != spongeAbsorbing {
 		panic("sha3: Write after Read")
 	}
 	length := len(b)
 	for len(b) > 0 {
 		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
 			// Hash the data directly and push any remaining bytes
 			// into the buffer.
 			remainder := len(b) % s.rate
 			kimd(s.function, &s.a, b[:len(b)-remainder])
 			if remainder != 0 {
 				s.copyIntoBuf(b[len(b)-remainder:])
 			}
 			return length, nil
 		}
 		if len(s.buf) == cap(s.buf) {
 			// flush the buffer
 			kimd(s.function, &s.a, s.buf)
 			s.buf = s.buf[:0]
 		}
 		// copy as much as we can into the buffer
 		n := len(b)
 		if len(b) > cap(s.buf)-len(s.buf) {
 			n = cap(s.buf) - len(s.buf)
 		}
 		s.copyIntoBuf(b[:n])
 		b = b[n:]
 	}
 	return length, nil
 }
 // Read squeezes an arbitrary number of bytes from the sponge.
 func (s *asmState) Read(out []byte) (n int, err error) {
 	// The 'compute last message digest' instruction only stores the digest
 	// at the first operand (dst) for SHAKE functions.
 	if s.function != shake_128 && s.function != shake_256 {
 		panic("sha3: can only call Read for SHAKE functions")
 	}
 	n = len(out)
 	// need to pad if we were absorbing
 	if s.state == spongeAbsorbing {
 		s.state = spongeSqueezing
 		// write hash directly into out if possible
 		if len(out)%s.rate == 0 {
 			klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
 			s.buf = s.buf[:0]
 			return
 		}
 		// write hash into buffer
 		max := cap(s.buf)
 		if max > len(out) {
 			max = (len(out)/s.rate)*s.rate + s.rate
 		}
 		klmd(s.function, &s.a, s.buf[:max], s.buf)
 		s.buf = s.buf[:max]
 	}
 	for len(out) > 0 {
 		// flush the buffer
 		if len(s.buf) != 0 {
 			c := copy(out, s.buf)
 			out = out[c:]
 			s.buf = s.buf[c:]
 			continue
 		}
 		// write hash directly into out if possible
 		if len(out)%s.rate == 0 {
 			klmd(s.function|nopad, &s.a, out, nil)
 			return
 		}
 		// write hash into buffer
 		s.resetBuf()
 		if cap(s.buf) > len(out) {
 			s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
 		}
 		klmd(s.function|nopad, &s.a, s.buf, nil)
 	}
 	return
 }
 // Sum appends the current hash to b and returns the resulting slice.
 // It does not change the underlying hash state.
 func (s *asmState) Sum(b []byte) []byte {
 	if s.state != spongeAbsorbing {
 		panic("sha3: Sum after Read")
 	}
 	// Copy the state to preserve the original.
 	a := s.a
 	// Hash the buffer. Note that we don't clear it because we
 	// aren't updating the state.
 	switch s.function {
 	case sha3_224, sha3_256, sha3_384, sha3_512:
 		klmd(s.function, &a, nil, s.buf)
 		return append(b, a[:s.outputLen]...)
 	case shake_128, shake_256:
 		d := make([]byte, s.outputLen, 64)
 		klmd(s.function, &a, d, s.buf)
 		return append(b, d[:s.outputLen]...)
 	default:
 		panic("sha3: unknown function")
 	}
 }
 // Reset resets the Hash to its initial state.
 func (s *asmState) Reset() {
 	for i := range s.a {
 		s.a[i] = 0
 	}
 	s.resetBuf()
 	s.state = spongeAbsorbing
 }
 // Size returns the number of bytes Sum will return.
 func (s *asmState) Size() int {
 	return s.outputLen
 }
 // BlockSize returns the hash's underlying block size.
 // The Write method must be able to accept any amount
 // of data, but it may operate more efficiently if all writes
 // are a multiple of the block size.
 func (s *asmState) BlockSize() int {
 	return s.rate
 }
 // Clone returns a copy of the ShakeHash in its current state.
 func (s *asmState) Clone() ShakeHash {
 	return s.clone()
 }
 // new224 returns an assembly implementation of SHA3-224 if available,
 // otherwise it returns a generic implementation.
 func new224() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_224)
 	}
 	return new224Generic()
 }
 // new256 returns an assembly implementation of SHA3-256 if available,
 // otherwise it returns a generic implementation.
 func new256() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_256)
 	}
 	return new256Generic()
 }
 // new384 returns an assembly implementation of SHA3-384 if available,
 // otherwise it returns a generic implementation.
 func new384() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_384)
 	}
 	return new384Generic()
 }
 // new512 returns an assembly implementation of SHA3-512 if available,
 // otherwise it returns a generic implementation.
 func new512() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_512)
 	}
 	return new512Generic()
 }
 // newShake128 returns an assembly implementation of SHAKE-128 if available,
 // otherwise it returns a generic implementation.
 func newShake128() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_128)
 	}
 	return newShake128Generic()
 }
 // newShake256 returns an assembly implementation of SHAKE-256 if available,
 // otherwise it returns a generic implementation.
 func newShake256() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_256)
 	}
 	return newShake256Generic()
 }
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
+++ b/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
@@ -1,33 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build gc && !purego
 #include "textflag.h"
 // func kimd(function code, chain *[200]byte, src []byte)
 TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
 	MOVD function+0(FP), R0
 	MOVD chain+8(FP), R1
 	LMG  src+16(FP), R2, R3 // R2=base, R3=len
 continue:
 	WORD $0xB93E0002 // KIMD --, R2
 	BVS  continue    // continue if interrupted
 	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
 	RET
 // func klmd(function code, chain *[200]byte, dst, src []byte)
 TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
 	// TODO: SHAKE support
 	MOVD function+0(FP), R0
 	MOVD chain+8(FP), R1
 	LMG  dst+16(FP), R2, R3 // R2=base, R3=len
 	LMG  src+40(FP), R4, R5 // R4=base, R5=len
 continue:
 	WORD $0xB93F0024 // KLMD R2, R4
 	BVS  continue    // continue if interrupted
 	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
 	RET
--- a/vendor/golang.org/x/crypto/sha3/shake.go
+++ b/vendor/golang.org/x/crypto/sha3/shake.go
@@ -4,24 +4,10 @@
 package sha3
 // This file defines the ShakeHash interface, and provides
 // functions for creating SHAKE and cSHAKE instances, as well as utility
 // functions for hashing bytes to arbitrary-length output.
 //
 //
 // SHAKE implementation is based on FIPS PUB 202 [1]
 // cSHAKE implementations is based on NIST SP 800-185 [2]
 //
 // [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
 // [2] https://doi.org/10.6028/NIST.SP.800-185
 import (
-	"bytes"
+	"crypto/sha3"
 	"encoding/binary"
 	"errors"
 	"hash"
 	"io"
 	"math/bits"
 )
 // ShakeHash defines the interface to hash functions that support
@@ -32,7 +18,7 @@ type ShakeHash interface {
 	hash.Hash
 	// Read reads more output from the hash; reading affects the hash's
-	// state. (ShakeHash.Read is thus very different from Hash.Sum)
+	// state. (ShakeHash.Read is thus very different from Hash.Sum.)
 	// It never returns an error, but subsequent calls to Write or Sum
 	// will panic.
 	io.Reader
@@ -41,115 +27,18 @@ type ShakeHash interface {
 	Clone() ShakeHash
 }
 // cSHAKE specific context
 type cshakeState struct {
 	*state // SHA-3 state context and Read/Write operations
 	// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
 	// by newCShake function and stores concatenation of N followed by S, encoded
 	// by the method specified in 3.3 of [1].
 	// It is stored here in order for Reset() to be able to put context into
 	// initial state.
 	initBlock []byte
 }
 func bytepad(data []byte, rate int) []byte {
 	out := make([]byte, 0, 9+len(data)+rate-1)
 	out = append(out, leftEncode(uint64(rate))...)
 	out = append(out, data...)
 	if padlen := rate - len(out)%rate; padlen < rate {
 		out = append(out, make([]byte, padlen)...)
 	}
 	return out
 }
 func leftEncode(x uint64) []byte {
 	// Let n be the smallest positive integer for which 2^(8n) > x.
 	n := (bits.Len64(x) + 7) / 8
 	if n == 0 {
 		n = 1
 	}
 	// Return n || x with n as a byte and x an n bytes in big-endian order.
 	b := make([]byte, 9)
 	binary.BigEndian.PutUint64(b[1:], x)
 	b = b[9-n-1:]
 	b[0] = byte(n)
 	return b
 }
 func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
 	c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
 	c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
 	c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
 	c.initBlock = append(c.initBlock, N...)
 	c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
 	c.initBlock = append(c.initBlock, S...)
 	c.Write(bytepad(c.initBlock, c.rate))
 	return &c
 }
 // Reset resets the hash to initial state.
 func (c *cshakeState) Reset() {
 	c.state.Reset()
 	c.Write(bytepad(c.initBlock, c.rate))
 }
 // Clone returns copy of a cSHAKE context within its current state.
 func (c *cshakeState) Clone() ShakeHash {
 	b := make([]byte, len(c.initBlock))
 	copy(b, c.initBlock)
 	return &cshakeState{state: c.clone(), initBlock: b}
 }
 // Clone returns copy of SHAKE context within its current state.
 func (c *state) Clone() ShakeHash {
 	return c.clone()
 }
 func (c *cshakeState) MarshalBinary() ([]byte, error) {
 	return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
 }
 func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
 	b, err := c.state.AppendBinary(b)
 	if err != nil {
 		return nil, err
 	}
 	b = append(b, c.initBlock...)
 	return b, nil
 }
 func (c *cshakeState) UnmarshalBinary(b []byte) error {
 	if len(b) <= marshaledSize {
 		return errors.New("sha3: invalid hash state")
 	}
 	if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
 		return err
 	}
 	c.initBlock = bytes.Clone(b[marshaledSize:])
 	return nil
 }
 // NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
-	return newShake128()
+	return &shakeWrapper{sha3.NewSHAKE128(), 32, false, sha3.NewSHAKE128}
 }
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
-	return newShake256()
+	return &shakeWrapper{sha3.NewSHAKE256(), 64, false, sha3.NewSHAKE256}
 }
 func newShake128Generic() *state {
 	return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
 }
 func newShake256Generic() *state {
 	return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
 }
 // NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
@@ -159,10 +48,9 @@ func newShake256Generic() *state {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake128.
 func NewCShake128(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
+	return &shakeWrapper{sha3.NewCSHAKE128(N, S), 32, false, func() *sha3.SHAKE {
-		return NewShake128()
+		return sha3.NewCSHAKE128(N, S)
-	}
+	}}
 	return newCShake(N, S, rateK256, 32, dsbyteCShake)
 }
 // NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
@@ -172,10 +60,9 @@ func NewCShake128(N, S []byte) ShakeHash {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake256.
 func NewCShake256(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
+	return &shakeWrapper{sha3.NewCSHAKE256(N, S), 64, false, func() *sha3.SHAKE {
-		return NewShake256()
+		return sha3.NewCSHAKE256(N, S)
-	}
+	}}
 	return newCShake(N, S, rateK512, 64, dsbyteCShake)
 }
 // ShakeSum128 writes an arbitrary-length digest of data into hash.
@@ -191,3 +78,42 @@ func ShakeSum256(hash, data []byte) {
 	h.Write(data)
 	h.Read(hash)
 }
 // shakeWrapper adds the Size, Sum, and Clone methods to a sha3.SHAKE
 // to implement the ShakeHash interface.
 type shakeWrapper struct {
 	*sha3.SHAKE
 	outputLen int
 	squeezing bool
 	newSHAKE  func() *sha3.SHAKE
 }
 func (w *shakeWrapper) Read(p []byte) (n int, err error) {
 	w.squeezing = true
 	return w.SHAKE.Read(p)
 }
 func (w *shakeWrapper) Clone() ShakeHash {
 	s := w.newSHAKE()
 	b, err := w.MarshalBinary()
 	if err != nil {
 		panic(err) // unreachable
 	}
 	if err := s.UnmarshalBinary(b); err != nil {
 		panic(err) // unreachable
 	}
 	return &shakeWrapper{s, w.outputLen, w.squeezing, w.newSHAKE}
 }
 func (w *shakeWrapper) Size() int { return w.outputLen }
 func (w *shakeWrapper) Sum(b []byte) []byte {
 	if w.squeezing {
 		panic("sha3: Sum after Read")
 	}
 	out := make([]byte, w.outputLen)
 	// Clone the state so that we don't affect future Write calls.
 	s := w.Clone()
 	s.Read(out)
 	return append(b, out...)
 }
--- a/vendor/golang.org/x/crypto/sha3/shake_noasm.go
+++ b/vendor/golang.org/x/crypto/sha3/shake_noasm.go
@@ -1,15 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !gc || purego || !s390x
 package sha3
 func newShake128() *state {
 	return newShake128Generic()
 }
 func newShake256() *state {
 	return newShake256Generic()
 }
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -280,6 +280,8 @@ type Framer struct {
 	// lastHeaderStream is non-zero if the last frame was an
 	// unfinished HEADERS/CONTINUATION.
 	lastHeaderStream uint32
 	// lastFrameType holds the type of the last frame for verifying frame order.
 	lastFrameType FrameType
 	maxReadSize uint32
 	headerBuf   [frameHeaderLen]byte
@@ -488,30 +490,41 @@ func terminalReadFrameError(err error) bool {
 	return err != nil
 }
-// ReadFrame reads a single frame. The returned Frame is only valid
+// ReadFrameHeader reads the header of the next frame.
-// until the next call to ReadFrame.
+// It reads the 9-byte fixed frame header, and does not read any portion of the
 // frame payload. The caller is responsible for consuming the payload, either
 // with ReadFrameForHeader or directly from the Framer's io.Reader.
 //
-// If the frame is larger than previously set with SetMaxReadFrameSize, the
+// If the frame is larger than previously set with SetMaxReadFrameSize, it
-// returned error is ErrFrameTooLarge. Other errors may be of type
+// returns the frame header and ErrFrameTooLarge.
 // ConnectionError, StreamError, or anything else from the underlying
 // reader.
 //
-// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
+// If the returned FrameHeader.StreamID is non-zero, it indicates the stream
-// indicates the stream responsible for the error.
+// responsible for the error.
-func (fr *Framer) ReadFrame() (Frame, error) {
+func (fr *Framer) ReadFrameHeader() (FrameHeader, error) {
 	fr.errDetail = nil
 	if fr.lastFrame != nil {
 		fr.lastFrame.invalidate()
 	}
 	fh, err := readFrameHeader(fr.headerBuf[:], fr.r)
 	if err != nil {
-		return nil, err
+		return fh, err
 	}
 	if fh.Length > fr.maxReadSize {
 		if fh == invalidHTTP1LookingFrameHeader() {
-			return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
+			return fh, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
 		}
-		return nil, ErrFrameTooLarge
+		return fh, ErrFrameTooLarge
 	}
 	if err := fr.checkFrameOrder(fh); err != nil {
 		return fh, err
 	}
 	return fh, nil
 }
 // ReadFrameForHeader reads the payload for the frame with the given FrameHeader.
 //
 // It behaves identically to ReadFrame, other than not checking the maximum
 // frame size.
 func (fr *Framer) ReadFrameForHeader(fh FrameHeader) (Frame, error) {
 	if fr.lastFrame != nil {
 		fr.lastFrame.invalidate()
 	}
 	payload := fr.getReadBuf(fh.Length)
 	if _, err := io.ReadFull(fr.r, payload); err != nil {
@@ -527,9 +540,7 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 		}
 		return nil, err
 	}
-	if err := fr.checkFrameOrder(f); err != nil {
+	fr.lastFrame = f
 		return nil, err
 	}
 	if fr.logReads {
 		fr.debugReadLoggerf("http2: Framer %p: read %v", fr, summarizeFrame(f))
 	}
@@ -539,6 +550,24 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 	return f, nil
 }
 // ReadFrame reads a single frame. The returned Frame is only valid
 // until the next call to ReadFrame or ReadFrameBodyForHeader.
 //
 // If the frame is larger than previously set with SetMaxReadFrameSize, the
 // returned error is ErrFrameTooLarge. Other errors may be of type
 // ConnectionError, StreamError, or anything else from the underlying
 // reader.
 //
 // If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
 // indicates the stream responsible for the error.
 func (fr *Framer) ReadFrame() (Frame, error) {
 	fh, err := fr.ReadFrameHeader()
 	if err != nil {
 		return nil, err
 	}
 	return fr.ReadFrameForHeader(fh)
 }
 // connError returns ConnectionError(code) but first
 // stashes away a public reason to the caller can optionally relay it
 // to the peer before hanging up on them. This might help others debug
@@ -551,20 +580,19 @@ func (fr *Framer) connError(code ErrCode, reason string) error {
 // checkFrameOrder reports an error if f is an invalid frame to return
 // next from ReadFrame. Mostly it checks whether HEADERS and
 // CONTINUATION frames are contiguous.
-func (fr *Framer) checkFrameOrder(f Frame) error {
+func (fr *Framer) checkFrameOrder(fh FrameHeader) error {
-	last := fr.lastFrame
+	lastType := fr.lastFrameType
-	fr.lastFrame = f
+	fr.lastFrameType = fh.Type
 	if fr.AllowIllegalReads {
 		return nil
 	}
 	fh := f.Header()
 	if fr.lastHeaderStream != 0 {
 		if fh.Type != FrameContinuation {
 			return fr.connError(ErrCodeProtocol,
 				fmt.Sprintf("got %s for stream %d; expected CONTINUATION following %s for stream %d",
 					fh.Type, fh.StreamID,
-					last.Header().Type, fr.lastHeaderStream))
+					lastType, fr.lastHeaderStream))
 		}
 		if fh.StreamID != fr.lastHeaderStream {
 			return fr.connError(ErrCodeProtocol,
@@ -1161,7 +1189,7 @@ var defaultRFC9218Priority = PriorityParam{
 // PriorityParam struct below is a superset of both schemes. The exported
 // symbols are from RFC 7540 and the non-exported ones are from RFC 9218.
-// PriorityParam are the stream prioritzation parameters.
+// PriorityParam are the stream prioritization parameters.
 type PriorityParam struct {
 	// StreamDep is a 31-bit stream identifier for the
 	// stream that this stream depends on. Zero means no
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -9,6 +9,7 @@ package http2
 import (
 	"bufio"
 	"bytes"
 	"compress/flate"
 	"compress/gzip"
 	"context"
 	"crypto/rand"
@@ -3076,35 +3077,102 @@ type erringRoundTripper struct{ err error }
 func (rt erringRoundTripper) RoundTripErr() error                             { return rt.err }
 func (rt erringRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return nil, rt.err }
 var errConcurrentReadOnResBody = errors.New("http2: concurrent read on response body")
 // gzipReader wraps a response body so it can lazily
-// call gzip.NewReader on the first call to Read
+// get gzip.Reader from the pool on the first call to Read.
 // After Close is called it puts gzip.Reader to the pool immediately
 // if there is no Read in progress or later when Read completes.
 type gzipReader struct {
 	_    incomparable
 	body io.ReadCloser // underlying Response.Body
-	zr   *gzip.Reader  // lazily-initialized gzip reader
+	mu   sync.Mutex    // guards zr and zerr
-	zerr error         // sticky error
+	zr   *gzip.Reader  // stores gzip reader from the pool between reads
 	zerr error         // sticky gzip reader init error or sentinel value to detect concurrent read and read after close
 }
 type eofReader struct{}
 func (eofReader) Read([]byte) (int, error) { return 0, io.EOF }
 func (eofReader) ReadByte() (byte, error)  { return 0, io.EOF }
 var gzipPool = sync.Pool{New: func() any { return new(gzip.Reader) }}
 // gzipPoolGet gets a gzip.Reader from the pool and resets it to read from r.
 func gzipPoolGet(r io.Reader) (*gzip.Reader, error) {
 	zr := gzipPool.Get().(*gzip.Reader)
 	if err := zr.Reset(r); err != nil {
 		gzipPoolPut(zr)
 		return nil, err
 	}
 	return zr, nil
 }
 // gzipPoolPut puts a gzip.Reader back into the pool.
 func gzipPoolPut(zr *gzip.Reader) {
 	// Reset will allocate bufio.Reader if we pass it anything
 	// other than a flate.Reader, so ensure that it's getting one.
 	var r flate.Reader = eofReader{}
 	zr.Reset(r)
 	gzipPool.Put(zr)
 }
 // acquire returns a gzip.Reader for reading response body.
 // The reader must be released after use.
 func (gz *gzipReader) acquire() (*gzip.Reader, error) {
 	gz.mu.Lock()
 	defer gz.mu.Unlock()
 	if gz.zerr != nil {
 		return nil, gz.zerr
 	}
 	if gz.zr == nil {
 		gz.zr, gz.zerr = gzipPoolGet(gz.body)
 		if gz.zerr != nil {
 			return nil, gz.zerr
 		}
 	}
 	ret := gz.zr
 	gz.zr, gz.zerr = nil, errConcurrentReadOnResBody
 	return ret, nil
 }
 // release returns the gzip.Reader to the pool if Close was called during Read.
 func (gz *gzipReader) release(zr *gzip.Reader) {
 	gz.mu.Lock()
 	defer gz.mu.Unlock()
 	if gz.zerr == errConcurrentReadOnResBody {
 		gz.zr, gz.zerr = zr, nil
 	} else { // fs.ErrClosed
 		gzipPoolPut(zr)
 	}
 }
 // close returns the gzip.Reader to the pool immediately or
 // signals release to do so after Read completes.
 func (gz *gzipReader) close() {
 	gz.mu.Lock()
 	defer gz.mu.Unlock()
 	if gz.zerr == nil && gz.zr != nil {
 		gzipPoolPut(gz.zr)
 		gz.zr = nil
 	}
 	gz.zerr = fs.ErrClosed
 }
 func (gz *gzipReader) Read(p []byte) (n int, err error) {
-	if gz.zerr != nil {
+	zr, err := gz.acquire()
-		return 0, gz.zerr
+	if err != nil {
 		return 0, err
 	}
-	if gz.zr == nil {
+	defer gz.release(zr)
-		gz.zr, err = gzip.NewReader(gz.body)
+
-		if err != nil {
+	return zr.Read(p)
 			gz.zerr = err
 			return 0, err
 		}
 	}
 	return gz.zr.Read(p)
 }
 func (gz *gzipReader) Close() error {
-	if err := gz.body.Close(); err != nil {
+	gz.close()
-		return err
+
-	}
+	return gz.body.Close()
 	gz.zerr = fs.ErrClosed
 	return nil
 }
 type errorReader struct{ err error }
--- a/vendor/golang.org/x/net/http2/writesched.go
+++ b/vendor/golang.org/x/net/http2/writesched.go
@@ -185,45 +185,75 @@ func (wr *FrameWriteRequest) replyToWriter(err error) {
 }
 // writeQueue is used by implementations of WriteScheduler.
 //
 // Each writeQueue contains a queue of FrameWriteRequests, meant to store all
 // FrameWriteRequests associated with a given stream. This is implemented as a
 // two-stage queue: currQueue[currPos:] and nextQueue. Removing an item is done
 // by incrementing currPos of currQueue. Adding an item is done by appending it
 // to the nextQueue. If currQueue is empty when trying to remove an item, we
 // can swap currQueue and nextQueue to remedy the situation.
 // This two-stage queue is analogous to the use of two lists in Okasaki's
 // purely functional queue but without the overhead of reversing the list when
 // swapping stages.
 //
 // writeQueue also contains prev and next, this can be used by implementations
 // of WriteScheduler to construct data structures that represent the order of
 // writing between different streams (e.g. circular linked list).
 type writeQueue struct {
-	s          []FrameWriteRequest
+	currQueue []FrameWriteRequest
 	nextQueue []FrameWriteRequest
 	currPos   int
 	prev, next *writeQueue
 }
-func (q *writeQueue) empty() bool { return len(q.s) == 0 }
+func (q *writeQueue) empty() bool {
 	return (len(q.currQueue) - q.currPos + len(q.nextQueue)) == 0
 }
 func (q *writeQueue) push(wr FrameWriteRequest) {
-	q.s = append(q.s, wr)
+	q.nextQueue = append(q.nextQueue, wr)
 }
 func (q *writeQueue) shift() FrameWriteRequest {
-	if len(q.s) == 0 {
+	if q.empty() {
 		panic("invalid use of queue")
 	}
-	wr := q.s[0]
+	if q.currPos >= len(q.currQueue) {
-	// TODO: less copy-happy queue.
+		q.currQueue, q.currPos, q.nextQueue = q.nextQueue, 0, q.currQueue[:0]
-	copy(q.s, q.s[1:])
+	}
-	q.s[len(q.s)-1] = FrameWriteRequest{}
+	wr := q.currQueue[q.currPos]
-	q.s = q.s[:len(q.s)-1]
+	q.currQueue[q.currPos] = FrameWriteRequest{}
 	q.currPos++
 	return wr
 }
 func (q *writeQueue) peek() *FrameWriteRequest {
 	if q.currPos < len(q.currQueue) {
 		return &q.currQueue[q.currPos]
 	}
 	if len(q.nextQueue) > 0 {
 		return &q.nextQueue[0]
 	}
 	return nil
 }
 // consume consumes up to n bytes from q.s[0]. If the frame is
 // entirely consumed, it is removed from the queue. If the frame
 // is partially consumed, the frame is kept with the consumed
 // bytes removed. Returns true iff any bytes were consumed.
 func (q *writeQueue) consume(n int32) (FrameWriteRequest, bool) {
-	if len(q.s) == 0 {
+	if q.empty() {
 		return FrameWriteRequest{}, false
 	}
-	consumed, rest, numresult := q.s[0].Consume(n)
+	consumed, rest, numresult := q.peek().Consume(n)
 	switch numresult {
 	case 0:
 		return FrameWriteRequest{}, false
 	case 1:
 		q.shift()
 	case 2:
-		q.s[0] = rest
+		*q.peek() = rest
 	}
 	return consumed, true
 }
@@ -232,10 +262,15 @@ type writeQueuePool []*writeQueue
 // put inserts an unused writeQueue into the pool.
 func (p *writeQueuePool) put(q *writeQueue) {
-	for i := range q.s {
+	for i := range q.currQueue {
-		q.s[i] = FrameWriteRequest{}
+		q.currQueue[i] = FrameWriteRequest{}
 	}
-	q.s = q.s[:0]
+	for i := range q.nextQueue {
 		q.nextQueue[i] = FrameWriteRequest{}
 	}
 	q.currQueue = q.currQueue[:0]
 	q.nextQueue = q.nextQueue[:0]
 	q.currPos = 0
 	*p = append(*p, q)
 }
--- a/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
@@ -214,8 +214,8 @@ func (z sortPriorityNodeSiblingsRFC7540) Swap(i, k int) { z[i], z[k] = z[k], z[i
 func (z sortPriorityNodeSiblingsRFC7540) Less(i, k int) bool {
 	// Prefer the subtree that has sent fewer bytes relative to its weight.
 	// See sections 5.3.2 and 5.3.4.
-	wi, bi := float64(z[i].weight+1), float64(z[i].subtreeBytes)
+	wi, bi := float64(z[i].weight)+1, float64(z[i].subtreeBytes)
-	wk, bk := float64(z[k].weight+1), float64(z[k].subtreeBytes)
+	wk, bk := float64(z[k].weight)+1, float64(z[k].subtreeBytes)
 	if bi == 0 && bk == 0 {
 		return wi >= wk
 	}
@@ -302,7 +302,6 @@ func (ws *priorityWriteSchedulerRFC7540) CloseStream(streamID uint32) {
 	q := n.q
 	ws.queuePool.put(&q)
 	n.q.s = nil
 	if ws.maxClosedNodesInTree > 0 {
 		ws.addClosedOrIdleNode(&ws.closedNodes, ws.maxClosedNodesInTree, n)
 	} else {
--- a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
@@ -39,7 +39,7 @@ type priorityWriteSchedulerRFC9218 struct {
 	prioritizeIncremental bool
 }
-func newPriorityWriteSchedulerRFC9128() WriteScheduler {
+func newPriorityWriteSchedulerRFC9218() WriteScheduler {
 	ws := &priorityWriteSchedulerRFC9218{
 		streams: make(map[uint32]streamMetadata),
 	}
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 // Package errgroup provides synchronization, error propagation, and Context
-// cancelation for groups of goroutines working on subtasks of a common task.
+// cancellation for groups of goroutines working on subtasks of a common task.
 //
 // [errgroup.Group] is related to [sync.WaitGroup] but adds handling of tasks
 // returning errors.
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -413,7 +413,7 @@ func (t *Terminal) eraseNPreviousChars(n int) {
 	}
 }
-// countToLeftWord returns then number of characters from the cursor to the
+// countToLeftWord returns the number of characters from the cursor to the
 // start of the previous word.
 func (t *Terminal) countToLeftWord() int {
 	if t.pos == 0 {
@@ -438,7 +438,7 @@ func (t *Terminal) countToLeftWord() int {
 	return t.pos - pos
 }
-// countToRightWord returns then number of characters from the cursor to the
+// countToRightWord returns the number of characters from the cursor to the
 // start of the next word.
 func (t *Terminal) countToRightWord() int {
 	pos := t.pos
@@ -478,7 +478,7 @@ func visualLength(runes []rune) int {
 	return length
 }
-// histroryAt unlocks the terminal and relocks it while calling History.At.
+// historyAt unlocks the terminal and relocks it while calling History.At.
 func (t *Terminal) historyAt(idx int) (string, bool) {
 	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
 	defer t.lock.Lock() // panic in At (or Len) protection.
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -528,7 +528,7 @@ go.yaml.in/yaml/v2
 # go.yaml.in/yaml/v3 v3.0.4
 ## explicit; go 1.16
 go.yaml.in/yaml/v3
-# golang.org/x/crypto v0.43.0
+# golang.org/x/crypto v0.45.0
 ## explicit; go 1.24.0
 golang.org/x/crypto/curve25519
 golang.org/x/crypto/hkdf
@@ -542,7 +542,7 @@ golang.org/x/exp/maps
 # golang.org/x/mod v0.29.0
 ## explicit; go 1.24.0
 golang.org/x/mod/semver
-# golang.org/x/net v0.46.0
+# golang.org/x/net v0.47.0
 ## explicit; go 1.24.0
 golang.org/x/net/html
 golang.org/x/net/html/atom
@@ -559,7 +559,7 @@ golang.org/x/net/trace
 ## explicit; go 1.23.0
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.17.0
+# golang.org/x/sync v0.18.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
@@ -569,10 +569,10 @@ golang.org/x/sys/cpu
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/term v0.36.0
+# golang.org/x/term v0.37.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.30.0
+# golang.org/x/text v0.31.0
 ## explicit; go 1.24.0
 golang.org/x/text/cases
 golang.org/x/text/internal