fix(deps): update module github.com/pocketbase/pocketbase to v0.22.16

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/pocketbase/pocketbase	v0.22.10 -> v0.22.16

---

Release Notes

pocketbase/pocketbase (github.com/pocketbase/pocketbase)

v0.22.16

Compare Source

• Fixed the days calculation for triggering old logs deletion (#​5179; thanks @​nehmeroumani).
  Note that the previous versions correctly delete only the logs older than the configured setting but due to the typo the delete query is invoked unnecessary on each logs batch write.

v0.22.15

Compare Source

• Added mutex to tests.TestMailer() to minimize tests data race warnings (#​5157).

• Updated goja and the other Go dependencies.

• Bumped the min Go version in the GitHub release action to Go 1.22.5 since it comes with net/http security fixes.

v0.22.14

Compare Source

• Added OAuth2 POST redirect support (in case of response_mode=form_post) to allow specifying scopes for the Apple OAuth2 integration.

  Note 1: If you are using the "Manual code exchange" flow with Apple (aka. authWithOAuth2Code()), you need to either update your custom
  redirect handler to accept POST requests OR if you want to keep the old behavior and don't need the Apple user's email - replace in the Apple authorization url response_mode=form_post back to response_mode=query.

  Note 2: Existing users that have already logged in with Apple may need to revoke their access in order to see the email sharing options as shown in this screenshot.
  If you want to force the new consent screen you could register a new Apple OAuth2 app.

• ⚠️ Fixed a security vulnerability related to the OAuth2 email autolinking (thanks to @​dalurness for reporting it).

  Just to be safe I've also published a GitHub security advisory (may take some time to show up in the related security databases).

  In order to be exploited you must have both OAuth2 and Password auth methods enabled.

  A possible attack scenario could be:

  • a malicious actor register with the targeted user's email (it is unverified)
  • at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user)
  • on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
  • because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

  To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).

  Additionally to warn users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

  Hello,
  Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.
  If you have recently signed in with a password, you may disregard this email.
  If you don't recognize the above action, you should immediately change your Acme account password.
  Thanks,
  Acme team

  The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).

v0.22.13

Compare Source

• Fixed rules inconsistency for text literals when inside parenthesis (#​5017).

• Updated Go deps.

v0.22.12

Compare Source

• Fixed calendar picker grid layout misalignment on Firefox (#​4865).

• Updated Go deps and bumped the min Go version in the GitHub release action to Go 1.22.3 since it comes with some minor security fixes.

v0.22.11

Compare Source

• Load the full record in the relation picker edit panel (#​4857).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 39 additional dependencies were updated

Details:

Package	Change
github.com/aws/aws-sdk-go-v2	v1.26.1 -> v1.30.1
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.2 -> v1.6.3
github.com/aws/aws-sdk-go-v2/config	v1.27.11 -> v1.27.23
github.com/aws/aws-sdk-go-v2/credentials	v1.17.11 -> v1.17.23
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.16.1 -> v1.16.9
github.com/aws/aws-sdk-go-v2/feature/s3/manager	v1.16.15 -> v1.17.4
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.5 -> v1.3.13
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.5 -> v2.6.13
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.3.5 -> v1.3.13
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.11.2 -> v1.11.3
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.3.7 -> v1.3.15
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.11.7 -> v1.11.15
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.17.5 -> v1.17.13
github.com/aws/aws-sdk-go-v2/service/s3	v1.53.1 -> v1.58.0
github.com/aws/aws-sdk-go-v2/service/sso	v1.20.5 -> v1.22.1
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.23.4 -> v1.26.1
github.com/aws/aws-sdk-go-v2/service/sts	v1.28.6 -> v1.30.1
github.com/aws/smithy-go	v1.20.2 -> v1.20.3
github.com/fatih/color	v1.16.0 -> v1.17.0
github.com/gabriel-vasile/mimetype	v1.4.3 -> v1.4.4
github.com/ganigeorgiev/fexpr	v0.4.0 -> v0.4.1
github.com/goccy/go-json	v0.10.2 -> v0.10.3
github.com/googleapis/gax-go/v2	v2.12.3 -> v2.12.5
github.com/spf13/cobra	v1.8.0 -> v1.8.1
golang.org/x/crypto	v0.22.0 -> v0.24.0
golang.org/x/image	v0.15.0 -> v0.18.0
golang.org/x/mod	v0.16.0 -> v0.17.0
golang.org/x/net	v0.24.0 -> v0.26.0
golang.org/x/oauth2	v0.19.0 -> v0.21.0
golang.org/x/sys	v0.19.0 -> v0.21.0
golang.org/x/term	v0.19.0 -> v0.21.0
golang.org/x/text	v0.14.0 -> v0.16.0
golang.org/x/tools	v0.19.0 -> v0.21.1-0.20240508182429-e35e4ccd0d2d
google.golang.org/api	v0.176.1 -> v0.187.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240415180920-8c6c420018be -> v0.0.0-20240701130421-f6361c86f094
google.golang.org/grpc	v1.63.2 -> v1.65.0
google.golang.org/protobuf	v1.33.0 -> v1.34.2
modernc.org/libc	v1.50.2 -> v1.52.1
modernc.org/sqlite	v1.29.8 -> v1.30.1