build(deps): bump the dependabot group across 1 directory with 3 updates

[dependabot]

Bumps the dependabot group with 3 updates in the / directory: github.com/elastic/go-elasticsearch/v8, github.com/jackc/pgx/v5 and github.com/aws/aws-sdk-go-v2.

Updates github.com/elastic/go-elasticsearch/v8 from 8.19.3 to 8.19.4

Release notes

Sourced from github.com/elastic/go-elasticsearch/v8's releases.

v8.19.4

8.19.4 (2026-04-16)

⚠ BREAKING CHANGES

• Typed API: update client from spec 6ee016a

Features

• Add AutoDrainBody option for automatic response body draining (#1370) (c9a2b0b)
• Add functional options pattern for client instantiation (#1321) (7561adf)
• esutil: Add Flush method to BulkIndexer for explicit flush-and-wait (#1361) (be8564d)
• Typed API: Improved generated code comments (fe06c54)
• Typed API: Update client from spec 6ee016a (74ed65d)

Bug Fixes

• esutil: Deterministic context check in BulkIndexer.Close (#1338) (a00439e)
• esutil: Propagate caller context through BulkIndexer item callbacks (#1314) (ca77d44)
• Typed API: Context variable shadowing in TypedAPI Perform causing otel attributes to leak to parent span (#1329) (fe06c54)

Changelog

Sourced from github.com/elastic/go-elasticsearch/v8's changelog.

8.19.4 (2026-04-16)

⚠ BREAKING CHANGES

• Typed API: update client from spec 6ee016a

Features

• Add AutoDrainBody option for automatic response body draining (#1370) (c9a2b0b)
• Add functional options pattern for client instantiation (#1321) (7561adf)
• esutil: Add Flush method to BulkIndexer for explicit flush-and-wait (#1361) (be8564d)
• Typed API: Improved generated code comments (fe06c54)
• Typed API: Update client from spec 6ee016a (74ed65d)

Bug Fixes

• esutil: Deterministic context check in BulkIndexer.Close (#1338) (a00439e)
• esutil: Propagate caller context through BulkIndexer item callbacks (#1314) (ca77d44)
• Typed API: Context variable shadowing in TypedAPI Perform causing otel attributes to leak to parent span (#1329) (fe06c54)

Commits

• e263c13 chore(8.19): release 8.19.4 (#1324)
• d056a2f chore: use transport Options instead of deprecated Config (#1374)
• c9a2b0b feat: add AutoDrainBody option for automatic response body draining (#1370)
• be8564d feat(esutil): add Flush method to BulkIndexer for explicit flush-and-wait (#1...
• 74ed65d feat!(Typed API): update client from spec 6ee016a (#1349)
• a00439e fix(esutil): deterministic context check in BulkIndexer.Close (#1338)
• 192d1cf test: generate TLS certificate dynamically in TestFingerprint (backport #1334...
• fe06c54 fix(Typed API): context variable shadowing in TypedAPI Perform causing otel a...
• ca77d44 fix(esutil): propagate caller context through BulkIndexer item callbacks (#1314)
• 9c371b9 [Backport 8.19] fix(esapi): document Response.Body must be closed; fix leaks ...
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Commits

• 0aeabbc Release v5.9.2
• 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
• a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
• e34e452 doc: Add godoc links
• 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
• 96b4dbd Remove unstable test
• acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
• 2f81f1f Update max_protocol_version and min_protocol_version defaults
• See full diff in compare view

Updates github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6

Commits

• 9bc9c51 Release 2026-04-17
• 2b41455 Regenerated Clients
• 2327a1b Update endpoints model
• 9225797 Update API model
• 7b6f675 Bump smithy-go to 1.25 (again) (#3390)
• c8b6a97 Release 2026-04-16
• 4a05c2b Regenerated Clients
• 6cd4cc9 Update endpoints model
• 3153bed Update API model
• fe3cef6 Make AccountIDEndpointRouting aware of bdd endpoints (#3387)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions