fix(deps): update module github.com/pocketbase/pocketbase to v0.24.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/pocketbase/pocketbase	v0.22.21 -> v0.24.4

---

Release Notes

pocketbase/pocketbase (github.com/pocketbase/pocketbase)

v0.24.4

Compare Source

• Fixed fields extraction for view query with nested comments (#​6309).

• Bumped GitHub action min Go version to 1.23.5 as it comes with some minor security fixes.

v0.24.3

Compare Source

• Fixed incorrectly reported unique validator error for fields starting with name of another field (#​6281; thanks @​svobol13).

• Reload the created/edited records data in the RecordsPicker UI.

• Updated Go dependencies.

v0.24.2

Compare Source

• Fixed display fields extraction when there are multiple "Presentable" relation fields in a single related collection (#​6229).

v0.24.1

Compare Source

• Added missing time macros in the UI autocomplete.

• Fixed JSVM types for structs and functions with multiple generic parameters.

v0.24.0

Compare Source

• ⚠️ Removed the "dry submit" when executing the collections Create API rule
  (you can find more details why this change was introduced and how it could affect your apphttps://github.com/pocketbase/pocketbase/discussions/60736073).
  For most users it should be non-breaking change, BUT if you have Create API rules that uses self-references or view counters you may have to adjust them manually.
  With this change the "multi-match" operators are also normalized in case the targeted collection doesn't have any records
  (or in other words, @collection.example.someField != "test" will result to true if example collection has no records because it satisfies the condition that all available "example" records mustn't have someField equal to "test").
  As a side-effect of all of the above minor changes, the record create API performance has been also improved ~4x times in high concurrent scenarios (500 concurrent clients inserting total of 50k records - old (58.409064001s) vs new (13.580098262s)).

• ⚠️ Changed the type definition of store.Store[T any] to store.Store[K comparable, T any] to allow support for custom store key types.
  For most users it should be non-breaking change, BUT if you are calling store.New[any](nil) instances you'll have to specify the store key type, aka. store.New[string, any](nil).

• Added @yesterday and @tomorrow datetime filter macros.

• Added :lower filter modifier (e.g. title:lower = "lorem").

• Added mailer.Message.InlineAttachments field for attaching inline files to an email (aka. cid links).

• Added cache for the JSVM arrayOf(m), DynamicModel, etc. dynamic reflect created types.

• Added auth collection select for the settings "Send test email" popup (#​6166).

• Added record.SetRandomPassword() to simplify random password generation usually used in the OAuth2 or OTP record creation flows.
  The generated ~30 chars random password is assigned directly as bcrypt hash and ignores the password field plain value validators like min/max length or regex pattern.

• Added option to list and trigger the registered app level cron jobs via the Web API and UI.

• Added extra validators for the collection field int64 options (e.g. FileField.MaxSize) restricting them to the max safe JSON number (2^53-1).

• Added option to unset/overwrite the default PocketBase superuser installer using ServeEvent.InstallerFunc.

• Added app.FindCachedCollectionReferences(collection, excludeIds) to speedup records cascade delete almost twice for projects with many collections.

• Added tests.NewTestAppWithConfig(config) helper if you need more control over the test configurations like IsDev, the number of allowed connections, etc.

• Invalidate all record tokens when the auth record email is changed programmatically or by a superuser (#​5964).

• Eagerly interrupt waiting for the email alert send in case it takes longer than 15s.

• Normalized the hidden fields filter checks and allow targetting hidden fields in the List API rule.

• Fixed "Unique identify fields" input not refreshing on unique indexes change (#​6184).

v0.23.12

Compare Source

• Added warning logs in case of mismatched modernc.org/sqlite and modernc.org/libc versions (#​6136).

• Skipped the default body size limit middleware for the backup upload endpoint (#​6152).

v0.23.11

Compare Source

• Upgraded golang.org/x/net to 0.33.0 to fix CVE-2024-45338.
  PocketBase uses the vulnerable functions primarily for the auto html->text mail generation, but most applications shouldn't be affected unless you are manually embedding unrestricted user provided value in your mail templates.

v0.23.10

Compare Source

• Renew the superuser file token cache when clicking on the thumb preview or download link (#​6137).

• Upgraded modernc.org/sqlite to 1.34.3 to fix "disk io" error on arm64 systems.
  If you are extending PocketBase with Go and upgrading with go get -u make sure to manually set in your go.mod the modernc.org/libc indirect dependency to v1.55.3, aka. the exact same version the driver is using.

v0.23.9

Compare Source

• Replaced strconv.Itoa with strconv.FormatInt to avoid the int64->int conversion overflow on 32-bit platforms (#​6132).

v0.23.8

Compare Source

• Fixed Model->Record and Model->Collection hook events sync for nested and/or inner-hook transactions (#​6122).

• Other minor improvements (updated Go and npm deps, added extra escaping for the default mail record params in case the emails are stored as html files, fixed code comment typos, etc.).

v0.23.7

Compare Source

• Fixed JSVM exception -> Go error unwrapping when throwing errors from non-request hooks (#​6102).

v0.23.6

Compare Source

• Fixed $filesystem.fileFromURL documentation and generated type (#​6058).

• Fixed X-Forwarded-For header typo in the suggested UI "Common trusted proxy" headers (#​6063).

• Updated the text field max length validator error message to make it more clear (#​6066).

• Other minor fixes (updated Go deps, skipped unnecessary validator check when the default primary key pattern is used, updated JSVM types, etc.).

v0.23.5

Compare Source

• Fixed UI logs search not properly accounting for the "Include requests by superusers" toggle when multiple search expressions are used.

• Fixed text field max validation error message (#​6053).

• Other minor fixes (comment typos, JSVM types update).

• Updated Go deps and the min Go release GitHub action version to 1.23.4.

v0.23.4

Compare Source

• Fixed autodate fields not refreshing when calling Save multiple times on the same Record instance (#​6000).

• Added more descriptive test OTP id and failure log message (#​5982).

• Moved the default UI CSP from meta tag to response header (#​5995).

• Updated Go and npm dependencies.

v0.23.3

Compare Source

• Fixed Gzip middleware not applying when serving static files.

• Fixed Record.Fresh()/Record.Clone() methods not properly cloning autodate fields (#​5973).

v0.23.2

Compare Source

• Fixed RecordQuery() custom struct scanning (#​5958).

• Fixed --dev log query print formatting.

• Added support for passing more than one id in the Hook.Unbind method for consistency with the router.

• Added collection rules change list in the confirmation popup
  (to avoid getting anoying during development, the rules confirmation currently is enabled only when using https).

v0.23.1

Compare Source

• Added warning logs in case of mismatched modernc.org/sqlite and modernc.org/libc versions (#​6136).

• Skipped the default body size limit middleware for the backup upload endpoint (#​6152).

v0.23.0

Compare Source

[!NOTE]
You don't have to upgrade to PocketBase v0.23.0 if you are not planning further developing
your existing app and/or are satisfied with the v0.22.x features set. There are no identified critical issues
with PocketBase v0.22.x yet and in the case of critical bugs and security vulnerabilities, the fixes
will be backported for at least until Q1 of 2025 (if not longer).

If you don't plan upgrading make sure to pin the SDKs version to their latest PocketBase v0.22.x compatible:

• JS SDK: <0.22.0
• Dart SDK: <0.19.0

[!CAUTION]
This release introduces many Go/JSVM and Web APIs breaking changes!

Existing pb_data will be automatically upgraded with the start of the new executable,
but custom Go or JSVM (pb_hooks, pb_migrations) and JS/Dart SDK code will have to be migrated manually.
Please refer to the below upgrade guides:

• Go: https://pocketbase.io/v023upgrade/go/.
• JSVM: https://pocketbase.io/v023upgrade/jsvm/.

If you had already switched to some of the earlier <v0.23.0-rc14 versions and have generated a full collections snapshot migration (aka. ./pocketbase migrate collections), then you may have to regenerate the migration file to ensure that it includes the latest changes.

PocketBase v0.23.0 is a major refactor of the internals with the overall goal of making PocketBase an easier to use Go framework.
There are a lot of changes but to highlight some of the most notable ones:

• New and more detailed documentation.
  The old documentation could be accessed at pocketbase.io/old.
• Replaced echo with a new router built on top of the Go 1.22 net/http mux enhancements.
• Merged daos packages in core.App to simplify the DB operations (the models package structs are also migrated in core).
• Option to specify custom DBConnect function as part of the app configuration to allow different database/sql SQLite drivers (turso/libsql, sqlcipher, etc.) and custom builds.
  Note that we no longer loads the mattn/go-sqlite3 driver by default when building with CGO_ENABLED=1 to avoid multiple definition linker errors in case different CGO SQLite drivers or builds are used. You can find an example how to enable it back if you want to in the new documentation.
• New hooks allowing better control over the execution chain and error handling (including wrapping an entire hook chain in a single DB transaction).
• Various Record model improvements (support for get/set modifiers, simplfied file upload by treating the file(s) as regular field value like record.Set("document", file), etc.).
• Dedicated fields structs with safer defaults to make it easier creating/updating collections programmatically.
• Option to mark field as "Hidden", disallowing regular users to read or modify it (there is also a dedicated Record hook to hide/unhide Record fields programmatically from a single place).
• Option to customize the default system collection fields (id, email, password, etc.).
• Admins are now system _superusers auth records.
• Builtin rate limiter (supports tags, wildcards and exact routes matching).
• Batch/transactional Web API endpoint.
• Impersonate Web API endpoint (it could be also used for generating fixed/non-refreshable superuser tokens, aka. "API keys").
• Support for custom user request activity log attributes.
• One-Time Password (OTP) auth method (via email code).
• Multi-Factor Authentication (MFA) support (currently requires any 2 different auth methods to be used).
• Support for Record "proxy/projection" in preparation for the planned autogeneration of typed Go record models.
• Linear OAuth2 provider (#​5909; thanks @​chnfyi).
• WakaTime OAuth2 provider (#​5829; thanks @​tigawanna).
• Notion OAuth2 provider (#​4999; thanks @​s-li1).
• monday.com OAuth2 provider (#​5346; thanks @​Jaytpa01).
• New Instagram provider compatible with the new Instagram Login APIs (#​5588; thanks @​pnmcosta).
  The provider key is instagram2 to prevent conflicts with existing linked users.
• Option to retrieve the OIDC OAuth2 user info from the id_token payload for the cases when the provider doesn't have a dedicated user info endpoint.
• Various minor UI improvements (recursive Presentable view, slightly different collection options organization, zoom/pan for the logs chart, etc.)
• and many more...

Go/JSVM APIs changes

• Go: https://pocketbase.io/v023upgrade/go/.
• JSVM: https://pocketbase.io/v023upgrade/jsvm/.

SDKs changes

• JS SDK v0.22.0
• Dart SDK v0.19.0

Web APIs changes

• New POST /api/batch endpoint.

• New GET /api/collections/meta/scaffolds endpoint.

• New DELETE /api/collections/{collection}/truncate endpoint.

• New POST /api/collections/{collection}/request-otp endpoint.

• New POST /api/collections/{collection}/auth-with-otp endpoint.

• New POST /api/collections/{collection}/impersonate/{id} endpoint.

• ⚠️ If you are constructing requests to /api/* routes manually remove the trailing slash (there is no longer trailing slash removal middleware registered by default).

• ⚠️ Removed /api/admins/* endpoints because admins are converted to _superusers auth collection records.

• ⚠️ Previously when uploading new files to a multiple file field, new files were automatically appended to the existing field values.
  This behaviour has changed with v0.23+ and for consistency with the other multi-valued fields when uploading new files they will replace the old ones. If you want to prepend or append new files to an existing multiple file field value you can use the + prefix or suffix:

  "documents": [file1, file2]  // => [file1_name, file2_name]
  "+documents": [file1, file2] // => [file1_name, file2_name, old1_name, old2_name]
  "documents+": [file1, file2] // => [old1_name, old2_name, file1_name, file2_name]

• ⚠️ Removed GET /records/{id}/external-auths and DELETE /records/{id}/external-auths/{provider} endpoints because this is now handled by sending list and delete requests to the _externalAuths collection.

• ⚠️ Changes to the app settings model fields and response (+new options such as trustedProxy, rateLimits, batch, etc.). The app settings Web APIs are mostly used by the Dashboard UI and rarely by the end users, but if you want to check all settings changes please refer to the Settings Go struct.

• ⚠️ New flatten Collection model and fields structure. The Collection model Web APIs are mostly used by the Dashboard UI and rarely by the end users, but if you want to check all changes please refer to the Collection Go struct.

• ⚠️ The top level error response code key was renamed to status for consistency with the Go APIs.
  The error field key remains code:

  {
      "status": 400, // <-- old: "code"
      "message": "Failed to create record.",
      "data": {
          "title": {
              "code": "validation_required",
              "message": "Missing required value."
          }
      }
  }

• ⚠️ New fields in the GET /api/collections/{collection}/auth-methods response.
  The old authProviders, usernamePassword, emailPassword fields are still returned in the response but are considered deprecated and will be removed in the future.

  {
      "mfa": {
          "duration": 100,
          "enabled": true
      },
      "otp": {
          "duration": 0,
          "enabled": false
      },
      "password": {
          "enabled": true,
          "identityFields": ["email", "username"]
      },
      "oauth2": {
          "enabled": true,
          "providers": [{"name": "gitlab", ...}, {"name": "google", ...}]
      },
      // old fields...
  }

• ⚠️ Soft-deprecated the OAuth2 auth success meta.avatarUrl field in favour of meta.avatarURL.

v0.22.30: Release

Compare Source

• (Backported from v0.24.4) Fixed fields extraction for view queries with nested comments (#​6309).

• Bumped GitHub action min Go version to 1.23.5 as it comes with some minor security fixes.

v0.22.29: Release

Compare Source

• (Backported from v0.23.11) Upgraded golang.org/x/net to 0.33.0 to fix CVE-2024-45338.
  PocketBase uses the vulnerable functions primarily for the auto html->text mail generation, but most applications shouldn't be affected unless you are manually embedding unrestricted user provided value in your mail templates.

v0.22.28: Release

Compare Source

• (Backported from v0.23.10) Renew the superuser file token cache when clicking on the thumb preview or download link (#​6137).

• (Backported from v0.23.10) Upgraded modernc.org/sqlite to 1.34.3 to fix "disk io" error on arm64 systems.
  If you are extending PocketBase with Go and upgrading with go get -u make sure to manually set in your go.mod the modernc.org/libc indirect dependency to v1.55.3, aka. the exact same version the driver is using.

v0.22.27

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• Instead of unregistering the realtime client(s), we now just unset their auth state on delete of the related auth record so that the client(s) can receive the delete event (#​5898).

v0.22.26: Release

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• (Backported from v0.23.0-rc) Added manual WAL checkpoints before creating the zip backup to minimize copying unnecessary data.

v0.22.25: Release

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• Refresh the old collections state in the Import UI after successful import submission (#​5861).

• Added randomized throttle on failed filter list requests as a very rudimentary measure since some security researches raised concern regarding the possibity of eventual side-channel attacks.
  This is not really a solution for such attacks but it makes it difficult enough to make it less practical. With v0.23.0 there are several other measures taken but they cannot be backported easily. I'll submit a post a little bit later today clarifying more on it (edit: #​5683).

v0.22.24: Release

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• Delete new uploaded record files in case of DB persist error (#​5845).

v0.22.23: Release

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• Updated the hooks watcher to account for the case when hooksDir is a symlink (#​5789).

• (Backported from v0.23.0-rc) Registered a default http.Server.ErrorLog handler to report general server connection errors as app Debug level logs (e.g. invalid TLS handshakes caused by bots trying to access your server via its IP or other similar errors).

• Other minor fixes (updated npm dev deps to fix the vulnerabilities warning, added more user friendly realtime topic length error, regenerated JSVM types, etc.)

v0.22.22: Release

Compare Source

To update the prebuilt executable you can run ./pocketbase update.

• Added deprecation log in case Instagram OAuth2 is used (related to #​5652).

• Added update command warning to prevent unnecessary downloading PocketBase v0.23.0 since it will contain breaking changes.

• Added global JSVM toString() helper (successor of readerToString()) to stringify any value (bool, number, multi-byte array, io.Reader, etc.).
  readerToString is still available but it is marked as deprecated. You can also use toString as replacement for of String.fromCharCode to properly stringify multi-byte unicode characters like emojis.

  decodeURIComponent(escape(String.fromCharCode(...bytes))) -> toString(bytes)

• Updated aws-sdk-go-v2 and removed deprecated WithEndpointResolverWithOptions.

• Backported some of the v0.23.0-rc form validators, fixes and tests.

• Bumped the GitHub action min Go version and dependencies.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
github.com/aws/aws-sdk-go-v2	v1.30.4 -> v1.32.2
github.com/aws/smithy-go	v1.20.4 -> v1.22.0
golang.org/x/crypto	v0.26.0 -> v0.28.0
golang.org/x/net	v0.28.0 -> v0.30.0
golang.org/x/sys	v0.24.0 -> v0.26.0
golang.org/x/term	v0.23.0 -> v0.25.0
golang.org/x/text	v0.17.0 -> v0.19.0

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/labstack/echo/v5 v5.0.0-20230722203903-ec5b858dab61
go: downloading github.com/pocketbase/pocketbase v0.24.4
go: downloading github.com/joho/godotenv v1.5.1
go: downloading github.com/pocketbase/dbx v1.11.0
go: downloading github.com/fatih/color v1.18.0
go: downloading github.com/spf13/cobra v1.8.1
go: downloading github.com/AlecAivazis/survey/v2 v2.3.7
go: downloading github.com/go-ozzo/ozzo-validation/v4 v4.3.0
go: downloading github.com/golang-jwt/jwt/v4 v4.5.1
go: downloading github.com/spf13/cast v1.7.1
go: downloading golang.org/x/crypto v0.32.0
go: downloading modernc.org/sqlite v1.34.4
go: downloading github.com/mattn/go-colorable v0.1.14
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading golang.org/x/sys v0.29.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
go: downloading golang.org/x/term v0.28.0
go: downloading golang.org/x/text v0.21.0
go: downloading github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
go: downloading github.com/gabriel-vasile/mimetype v1.4.8
go: downloading golang.org/x/oauth2 v0.25.0
go: downloading github.com/aws/aws-sdk-go-v2 v1.32.8
go: downloading github.com/aws/aws-sdk-go-v2/config v1.28.10
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.17.51
go: downloading github.com/aws/aws-sdk-go-v2/service/s3 v1.72.2
go: downloading github.com/aws/smithy-go v1.22.1
go: downloading github.com/disintegration/imaging v1.6.2
go: downloading gocloud.dev v0.40.0
go: downloading github.com/domodwyer/mailyak/v3 v3.6.2
go: downloading golang.org/x/net v0.34.0
go: downloading github.com/ganigeorgiev/fexpr v0.4.1
go: downloading golang.org/x/sync v0.10.0
go: downloading modernc.org/gc/v3 v3.0.0-20250105121824-520be1a3aee6
go: downloading modernc.org/libc v1.55.3
go: downloading github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.24.9
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.33.6
go: downloading github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27
go: downloading github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.27
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.8
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.8
go: downloading golang.org/x/image v0.23.0
go: downloading github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.48
go: downloading go.opencensus.io v0.24.0
go: downloading github.com/dustin/go-humanize v1.0.1
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading modernc.org/mathutil v1.7.1
go: downloading modernc.org/strutil v1.2.1
go: downloading modernc.org/token v1.1.0
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/ncruces/go-strftime v0.1.9
go: downloading modernc.org/memory v1.8.1
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27
go: downloading golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da
go: downloading google.golang.org/grpc v1.69.2
go: downloading github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec
go: downloading github.com/googleapis/gax-go/v2 v2.14.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422
go: downloading github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
go: downloading google.golang.org/api v0.216.0
go: downloading google.golang.org/protobuf v1.36.2
go: tana.moe/urano/migrations imports
	github.com/pocketbase/pocketbase/daos: cannot find module providing package github.com/pocketbase/pocketbase/daos
go: tana.moe/urano/migrations imports
	github.com/pocketbase/pocketbase/models: cannot find module providing package github.com/pocketbase/pocketbase/models