deps(deps): bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
github.com/coder/websocket	1.8.13	1.8.14
github.com/oapi-codegen/runtime	1.1.2	1.2.0
golang.org/x/oauth2	0.30.0	0.35.0
go.opentelemetry.io/otel	1.37.0	1.40.0
golang.org/x/time	0.12.0	0.14.0

Updates github.com/coder/websocket from 1.8.13 to 1.8.14

Release notes

Sourced from github.com/coder/websocket's releases.

v1.8.14

Changes

• fix: match Origin scheme if defined in OriginPatterns by @​mafredri in coder/websocket#536
• refactor: use context.AfterFunc to track timeouts instead of goroutine by @​ash2k in coder/websocket#532
• refactor: add ErrMessageTooBig sentinel error for limited reads by @​DanielleMaywood in coder/websocket#535
• build: update to Go 1.23 by @​mafredri in coder/websocket#524
• build: add Makefile by @​mafredri in coder/websocket#525
• chore: update LICENSE file by @​mtojek in coder/websocket#526
• chore: apply various modernisations by @​Jacalz in coder/websocket#531

New Contributors

• @​mtojek made their first contribution in coder/websocket#526
• @​ash2k made their first contribution in coder/websocket#532
• @​DanielleMaywood made their first contribution in coder/websocket#535

Full Changelog: coder/websocket@v1.8.13...v1.8.14

Commits

• 7d7c644 refactor: add ErrMessageTooBig sentinel error for limited reads (#535)
• c7846ea refactor: use context.AfterFunc to track timeouts instead of goroutine (#532)
• e11dd4e fix: match Origin scheme if defined in OriginPatterns (#536)
• 91013c1 chore: apply various modernisations (#531)
• efb626b chore: update LICENSE file (#526)
• 246891f build: add Makefile (#525)
• 778d161 build: update to Go 1.23 (#524)
• See full diff in compare view

Updates github.com/oapi-codegen/runtime from 1.1.2 to 1.2.0

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

Parameter binding extensions, bug fixes, dependency updates

Notable Changes

The main change in this release is the addition of new Parameter binding and styling functions, which allow the code generator to pass in the type and format from the spec. Previously, we inferred what we wanted to do based on the destination type, however, it's not always possible to decide this without information about the specification.

🚀 New features and improvements

• feat: add BindRawQueryParameter for correct comma handling (#92) @​mromaszewicz
• fix: add TypeHint-aware parameter binding and styling for []byte (#97) (#98) @​mromaszewicz
• Support array of objects parameters (#40) @​danicc097
• Allow BindStyledParameterWithOptions to fill maps (#72) @​JoZie

🐛 Bug fixes

• fix: bind Date and Time query params as scalar values (#21) (#93) @​mromaszewicz
• fix: support non-indexed deepObject array unmarshaling (#22) (#96) @​mromaszewicz
• fix: correct time.Time date-only fallback parsing in deepObject (#95) @​mromaszewicz
• Refactor date parsing error handling (#88) @​jsnfwlr
• fix: improve email validation using net/mail package (#60) @​sniperwolf
• Fix deepObject marshalling losing json number format/precision (#29) @​mgabeler-lee-6rs
• Fix issue 55 (#56) @​mikhalytch
• fix(deepobject): support nested objects in deepObject arrays (#84) @​adrianbrad

👻 Maintenance

• feat(fix): bump gin version (#51) @​Gamawn
• Update golang.org/x/crypto to v0.32.0 (#59) @​kojustin
• Updated Golang reference to address security vulnerability (#57) @​ivan-manzhulin
• Fix linter errors (#85) @​mromaszewicz
• build: capture govulncheck results as Code Scanning alerts (#80) @​jamietanna

📦 Dependency updates

• chore(deps): update release-drafter/release-drafter action to v6 (#31) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

... (truncated)

Commits

• b76a24f fix: bind Date and Time query params as scalar values (#21) (#93)
• 1f844c3 feat: add BindRawQueryParameter for correct comma handling (#92)
• ca4e933 fix: support non-indexed deepObject array unmarshaling (#22) (#96)
• ead11e4 fix: correct time.Time date-only fallback parsing in deepObject (#95)
• 224825a fix: add Type/Format-aware parameter binding and styling for []byte (#97) (#98)
• 03288f9 Refactor date parsing error handling (#88)
• effec1a feat(fix): bump gin version (#51)
• 53a813b fix: improve email validation using net/mail package (#60)
• 451d249 Update golang.org/x/crypto to v0.32.0 (#59)
• 7dffa6e Updated Golang reference to address security vulnerability (#57)
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.30.0 to 0.35.0

Commits

• 89ff2e1 google: add safer credentials JSON loading options.
• acc3815 endpoints: fix %q verb use with wrong type
• f28b0b5 all: fix some comments
• fd15e0f x/oauth2: populate RetrieveError from DeviceAuth
• 792c877 oauth2: use strings.Builder instead of bytes.Buffer
• 014cf77 all: upgrade go directive to at least 1.24.0 [generated]
• 3c76ce5 endpoints: correct Naver OAuth2 endpoint URLs
• See full diff in compare view

Updates go.opentelemetry.io/otel from 1.37.0 to 1.40.0

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

Deprecated

• Deprecate go.opentelemetry.io/otel/exporters/zipkin. For more information, see the OTel blog post deprecating the Zipkin exporter. (#7670)

[1.39.0/0.61.0/0.15.0/0.0.14] 2025-12-05

Added

• Greatly reduce the cost of recording metrics in go.opentelemetry.io/otel/sdk/metric using hashing for map keys. (#7175)
• Add WithInstrumentationAttributeSet option to go.opentelemetry.io/otel/log, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace packages. This provides a concurrent-safe and performant alternative to WithInstrumentationAttributes by accepting a pre-constructed attribute.Set. (#7287)
• Add experimental observability for the Prometheus exporter in go.opentelemetry.io/otel/exporters/prometheus. Check the go.opentelemetry.io/otel/exporters/prometheus/internal/x package documentation for more information. (#7345)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#7353)
• Add temporality selector functions DeltaTemporalitySelector, CumulativeTemporalitySelector, LowMemoryTemporalitySelector to go.opentelemetry.io/otel/sdk/metric. (#7434)
• Add experimental observability metrics for simple log processor in go.opentelemetry.io/otel/sdk/log. (#7548)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#7459)

... (truncated)

Commits

• a3a5317 Release v1.40.0 (#7859)
• 77785da chore(deps): update github/codeql-action action to v4.32.1 (#7858)
• 56fa1c2 chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 (#7857)
• 298cbed Upgrade semconv use to v1.39.0 (#7854)
• 3264bf1 refactor: modernize code (#7850)
• fd5d030 chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
• 8d3b4cb chore(deps): update actions/cache action to v5.0.3 (#7847)
• 91f7cad chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (#7845)
• fdad1eb chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...
• c46d3ba chore(deps): update golang.org/x/telemetry digest to fcf36f6 (#7843)
• Additional commits viewable in compare view

Updates golang.org/x/time from 0.12.0 to 0.14.0

Commits

• 2b4e439 rate: use time.Time.Equal instead of ==
• c0b0320 all: upgrade go directive to at least 1.24.0 [generated]
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions