chore(deps): bump the minor-and-patch group across 1 directory with 3 updates

[dependabot]

Bumps the minor-and-patch group with 3 updates in the / directory: github.com/hybridgroup/yzma, github.com/modelcontextprotocol/go-sdk and modernc.org/sqlite.

Updates github.com/hybridgroup/yzma from 1.12.0 to 1.13.0

Release notes

Sourced from github.com/hybridgroup/yzma's releases.

1.13.0

What's Changed

• llama: remove llama_params_fit and llama_memory_breakdown_print bindings by @​deadprogram in hybridgroup/yzma#239
• Release 1.13.0 by @​deadprogram in hybridgroup/yzma#240

Full Changelog: hybridgroup/yzma@v1.12.0...v1.13.0

Commits

• 7e542eb Release 1.13.0
• ee35a06 llama: remove llama_params_fit and llama_memory_breakdown_print bindings
• See full diff in compare view

Updates github.com/modelcontextprotocol/go-sdk from 1.5.0 to 1.6.0

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.0-pre.1

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

• extauth: add ClientCredentialsHandler for OAuth client credentials grant by @​ravyg in modelcontextprotocol/go-sdk#895

2026-06-30 Release related PRs

• feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

  New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

• feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

  By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

• mcp: remove default cross origin protection by @​maciej-kisiel in modelcontextprotocol/go-sdk#906

disablecrossoriginprotection was replaced by enableoriginverification after the default was changed to not enable cross-origin protection.

jsonescaping option was removed, according to plan.

Other Changes to the SDK

• internal: remove unused util functions by @​alexandear in modelcontextprotocol/go-sdk#871
• build(deps): bump github/codeql-action from 4.32.4 to 4.35.1 by @​dependabot[bot] in modelcontextprotocol/go-sdk#873
• build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in modelcontextprotocol/go-sdk#874
• build(deps): bump actions/setup-node from 6.2.0 to 6.3.0 by @​dependabot[bot] in modelcontextprotocol/go-sdk#875
• build(deps): bump dominikh/staticcheck-action from 1.4.0 to 1.4.1 by @​dependabot[bot] in modelcontextprotocol/go-sdk#872
• oauthex: accept 200 in client registration by @​MatyasVondraOutreach in modelcontextprotocol/go-sdk#877
• mcp: allow Content-Type parameters in streamable transport by @​rafaeljusto in modelcontextprotocol/go-sdk#878
• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864
• mcp: fix race condition in ServerSession.startKeepalive by @​begelundmuller in modelcontextprotocol/go-sdk#856
• chore: preserve CNAME when deploying to GitHub pages by @​maciej-kisiel in modelcontextprotocol/go-sdk#884

... (truncated)

Commits

• f5f2015 MCPGODEBUG update for 1.6.0 (#893)
• e01639a feat: HTTP Header Standardization for method and name (#907)
• 93a41b2 internal/jsonrpc2: remove unused code (#910)
• 446beae mcp: Upgrade jsonschema-go (#912)
• 2e21834 extauth: add ClientCredentialsHandler for OAuth client credentials grant (#895)
• 2643b22 feat: add automatic application_type inference (#904)
• db50910 mcp: do not re-prompt OAuth after cancelled Authorize (#885)
• 5f2cd8f mcp: preserve transport errors in Write error chain (#888)
• 0edc597 Update README.md (#896)
• 41e1f94 mcp: remove default cross origin protection (#906)
• Additional commits viewable in compare view

Updates modernc.org/sqlite from 1.49.1 to 1.50.0

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-04-24 v1.50.0:

  • Upgrade to sqlite-vec v0.1.9.
  • Introduce ColumnInfo, enabling dynamic query builders and ORMs to retrieve underlying SQLite C-API metadata (OriginName, TableName, DatabaseName, and DeclType).
  • This feature is exposed via the idiomatic database/sql escape hatch (*sql.Conn).Raw(), avoiding custom statement handles and keeping the standard library workflow intact.
  • See [GitLab merge request #113](https://gitlab.com/cznic/sqlite/-/merge_requests/113), thanks Josh Bleecher Snyder!

• 2026-04-17 v1.49.0: Upgrade to SQLite 3.53.0.

  • Added -DSQLITE_ENABLE_DBPAGE_VTAB to the transpilation. See "The SQLITE_DBPAGE Virtual Table" for details.

• 2026-04-06 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!
  • Fix checkptr instrumentation failures during go test -race when registering and using virtual tables (vtab).
  • Allocate sqlite3_module instances using the C allocator (libc.Xcalloc) instead of the Go heap. This ensures transpiled C code can safely perform pointer operations on the struct without tripping Go's pointer checks.
  • See [GitLab merge request #103](https://gitlab.com/cznic/sqlite/-/merge_requests/103), thanks Josh Bleecher Snyder!
  • Fix data race on mutex.id in the mutexTry non-recursive path.
  • Ensure consistent atomic writes (atomic.StoreInt32) to prevent data races with atomic loads in mutexHeld and mutexNotheld during concurrent execution.
  • See [GitLab merge request #104](https://gitlab.com/cznic/sqlite/-/merge_requests/104), thanks Josh Bleecher Snyder!
  • Fix resource leak in (*Backup).Commit where the destination connection was not closed on error.
  • Ensure dstConn is properly closed when sqlite3_backup_finish fails, preventing file descriptor, TLS, and memory leaks.
  • See [GitLab merge request #105](https://gitlab.com/cznic/sqlite/-/merge_requests/105), thanks Josh Bleecher Snyder!
  • Fix Exec to fully drain rows when encountering SQLITE_ROW, preventing silent data loss in DML statements.
  • Previously, Exec aborted after the first row, meaning INSERT, UPDATE, or DELETE statements with a RETURNING clause would fail to process subsequent rows. The execution path now correctly loops until SQLITE_DONE and properly respects context cancellations during the drain loop, fully aligning with native C sqlite3_exec semantics.
  • See [GitLab merge request #106](https://gitlab.com/cznic/sqlite/-/merge_requests/106), thanks Josh Bleecher Snyder!
  • Fix "Shadowed err value (stmt.go)".
  • See [GitLab issue #249](https://gitlab.com/cznic/sqlite/-/work_items/249), thanks Emrecan BATI!
  • Fix silent omission of virtual table savepoint callbacks by correctly setting the sqlite3_module version.
  • See [GitLab merge request #107](https://gitlab.com/cznic/sqlite/-/merge_requests/107), thanks Josh Bleecher Snyder!
  • Fix vfsRead to properly handle partial and fragmented reads from io.Reader.
  • Replace f.Read with io.ReadFull to ensure the buffer is fully populated, preventing premature SQLITE_IOERR_SHORT_READ errors on valid mid-stream partial reads. Unread tail bytes at EOF are now efficiently zero-filled using the built-in clear function.
  • See [GitLab merge request #108](https://gitlab.com/cznic/sqlite/-/merge_requests/108), thanks Josh Bleecher Snyder!
  • Refactor internal error formatting to safely handle uninitialized or closed database pointers.
  • Prevent a misleading "out of memory" error message when an operation fails and the underlying SQLite database handle is NULL (db == 0).
  • See [GitLab merge request #109](https://gitlab.com/cznic/sqlite/-/merge_requests/109), thanks Josh Bleecher Snyder!
  • Fix error handling in database backup and restore initialization (sqlite3_backup_init).
  • Ensure error codes and messages are accurately read from the destination database handle rather than hardcoding the source or remote handle. This prevents swallowed errors or mismatched "not an error" messages when a backup or restore operation fails to start.
  • See [GitLab merge request #111](https://gitlab.com/cznic/sqlite/-/merge_requests/111), thanks Josh Bleecher Snyder!

... (truncated)

Commits

• e220cc9 CHANGELOG.md: add !113
• a58d5e5 Merge branch 'columns' into 'master'
• 119d8b1 add ColumnInfo, for inspecting query columns
• c353a4f upgrade to sqlite-vec v0.1.9
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[greptile-apps]

Greptile Summary

Routine dependabot bump upgrading three direct dependencies (github.com/hybridgroup/yzma 1.12→1.13, github.com/modelcontextprotocol/go-sdk 1.5→1.6, modernc.org/sqlite 1.49.1→1.50.0) plus the transitive github.com/google/jsonschema-go 0.4.2→0.4.3. None of the behavior changes introduced in the new versions (SetError preservation, cross-origin protection default removal, removed llama_params_fit/llama_memory_breakdown_print C bindings) affect this codebase.

Confidence Score: 5/5

Safe to merge — no breaking API changes affect the codebase.

All three dependency upgrades introduce only additive or internally-scoped changes. The removed yzma C bindings are not exposed through the Go API used here, the MCP SDK behavioral changes (SetError, cross-origin protection) touch code paths not exercised by this project, and the sqlite bump is purely additive. go.sum hashes are consistent.

No files require special attention.

Important Files Changed

Filename	Overview
go.mod	Three direct dependency version bumps and one indirect bump; no API usage in the codebase is affected by the removed or changed behaviors in the new releases.
go.sum	Hash entries updated to match the new dependency versions in go.mod; no issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[go.mod / go.sum] --> B[hybridgroup/yzma v1.12.0 → v1.13.0]
    A --> C[modelcontextprotocol/go-sdk v1.5.0 → v1.6.0]
    A --> D[modernc.org/sqlite v1.49.1 → v1.50.0]
    A --> E[google/jsonschema-go v0.4.2 → v0.4.3 indirect]

    B --> B1[Removes llama_params_fit and llama_memory_breakdown_print C bindings - Not used in codebase]
    C --> C1[SetError preserves existing Content - Cross-origin protection no longer default - SetError unused stdio transport only]
    D --> D1[Adds ColumnInfo API - Upgrades sqlite-vec to v0.1.9 - No API changes affecting usage]
    E --> E1[Patch bump via go-sdk upgrade - No direct usage impact]

Loading

_{Reviews (1): Last reviewed commit: "chore(deps): bump the minor-and-patch gr..." | Re-trigger Greptile}