diff --git a/go.mod b/go.mod
index 9e29b34a8d..6e9864314f 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/coreos/go-semver v0.3.1
 	github.com/coreos/ign-converter v0.0.0-20241125185625-2f773079ca81
 	github.com/coreos/ignition v0.35.0
-	github.com/coreos/ignition/v2 v2.20.0
+	github.com/coreos/ignition/v2 v2.26.0
 	github.com/coreos/rpmostree-client-go v0.0.0-20230914135003-fae0786302f7
 	github.com/coreos/stream-metadata-go v0.4.10-0.20250806142651-4a7d280a6c7b
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
@@ -44,15 +44,15 @@ require (
 	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cobra v1.10.0
-	github.com/spf13/pflag v1.0.9
+	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/sjson v1.2.5
 	github.com/vincent-petithory/dataurl v1.0.0
 	github.com/vmware/govmomi v0.45.1
-	golang.org/x/net v0.47.0
-	golang.org/x/time v0.11.0
-	google.golang.org/grpc v1.72.2
+	golang.org/x/net v0.49.0
+	golang.org/x/time v0.14.0
+	google.golang.org/grpc v1.78.0
 	k8s.io/api v0.35.1
 	k8s.io/apiextensions-apiserver v0.35.1
 	k8s.io/apimachinery v0.35.1
@@ -89,7 +89,7 @@ require (
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
 	github.com/bombsimon/wsl/v4 v4.5.0 // indirect
 	github.com/butuzov/mirror v1.3.0 // indirect
 	github.com/catenacyber/perfsprint v0.7.1 // indirect
@@ -113,7 +113,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/ghostiam/protogetter v0.3.8 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -198,7 +198,7 @@ require (
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
@@ -211,8 +211,8 @@ require (
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
 	gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
@@ -260,7 +260,7 @@ require (
 	github.com/containers/ocicrypt v1.2.1 // indirect
 	github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb // indirect
 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
-	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
+	github.com/coreos/go-systemd/v22 v22.6.0
 	github.com/coreos/vcontext v0.0.0-20231102161604-685dc7299dc5 // indirect
 	github.com/curioswitch/go-reassign v0.3.0 // indirect
 	github.com/daixiang0/gci v0.13.5 // indirect
@@ -393,17 +393,17 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org v0.0.0-20200104003542-c7e774b10ea0 // indirect
-	golang.org/x/crypto v0.45.0
+	golang.org/x/crypto v0.47.0
 	golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
 	golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0
 	golang.org/x/sys v0.40.0
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	golang.org/x/term v0.39.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
diff --git a/go.sum b/go.sum
index eaaa5e54bf..32ecaec2e4 100644
--- a/go.sum
+++ b/go.sum
@@ -84,8 +84,8 @@ github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8eu
 github.com/ashcrow/osrelease v0.0.0-20180626175927-9b292693c55c h1:icme0QhxrgZOxTBnT6K8dfGLwbKWSOVwPB95XTbo8Ws=
 github.com/ashcrow/osrelease v0.0.0-20180626175927-9b292693c55c/go.mod h1:BRljTyotlu+6N+Qlu5MhjxpdmccCnp9lDvZjNNV8qr4=
 github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
-github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
+github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -166,15 +166,15 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
-github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09/go.mod h1:m2r/smMKsKwgMSAoFKHaa68ImdCSNuKE1MxvQ64xuCQ=
+github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
+github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU=
 github.com/coreos/ign-converter v0.0.0-20241125185625-2f773079ca81 h1:uz0f9dymW/05AsgIOxFQDsMp/qpqxh3mOvDf7xeXd+w=
 github.com/coreos/ign-converter v0.0.0-20241125185625-2f773079ca81/go.mod h1:Q7SbzjFkayIfwm+b+nXedvIcP2SFAndA7ET/JPNNc1I=
 github.com/coreos/ignition v0.35.0 h1:UFodoYq1mOPrbEjtxIsZbThcDyQwAI1owczRDqWmKkQ=
 github.com/coreos/ignition v0.35.0/go.mod h1:WJQapxzEn9DE0ryxsGvm8QnBajm/XsS/PkrDqSpz+bA=
 github.com/coreos/ignition/v2 v2.1.1/go.mod h1:RqmqU64zxarUJa3l4cHtbhcSwfQLpUhv0WVziZwoXvE=
-github.com/coreos/ignition/v2 v2.20.0 h1:xQjrxhCbcSKpqrN2hOQavAc1rx0GOf6qh2QCauScwPU=
-github.com/coreos/ignition/v2 v2.20.0/go.mod h1:l7EpXNWA7jBXmjUMvnVBlrrj+LX2wA/PAyD9kstwFDQ=
+github.com/coreos/ignition/v2 v2.26.0 h1:Db4IO5ydZOMnJYINgbPuXlwAH1ul0/V71h20iKyBi6k=
+github.com/coreos/ignition/v2 v2.26.0/go.mod h1:2f48nEXqnh1BU69Yq3lIWDvaYFSFQVZoFB7rB7wz7DY=
 github.com/coreos/rpmostree-client-go v0.0.0-20230914135003-fae0786302f7 h1:gpIn0B0F00GJPlI1iPjJbHMS01QoxDs7Bf8UgH9D3wg=
 github.com/coreos/rpmostree-client-go v0.0.0-20230914135003-fae0786302f7/go.mod h1:WiAXRoGnl4Lwr7OM5izCLWMLH6Y43sYWJREoeeHEg4E=
 github.com/coreos/stream-metadata-go v0.4.10-0.20250806142651-4a7d280a6c7b h1:CT6nMx5Ap/K6MT8zMqByrWz+RZV7O6pBGW5LhB/pwvY=
@@ -265,8 +265,8 @@ github.com/go-critic/go-critic v0.11.5 h1:TkDTOn5v7EEngMxu8KbuFqFR43USaaH8XRJLz1
 github.com/go-critic/go-critic v0.11.5/go.mod h1:wu6U7ny9PiaHaZHcvMDmdysMqvDem162Rh3zWTrqk8M=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -330,18 +330,17 @@ github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.1-0.20240921181615-a817f3cc4a9e h1:znsZ+BW06LsAtZwQvY/rgWQ3o1q0mnR4SG4q8HCP+3Q=
 github.com/godbus/dbus/v5 v5.1.1-0.20240921181615-a817f3cc4a9e/go.mod h1:nRJ+j259aT/CW6otoGCHPa1K/lNHLO+UGmW133FNj9s=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
-github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
+github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -804,8 +803,8 @@ github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
 github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.0-alpha.6 h1:f65Cr/+2qk4GfHC0xqT/isoupQppwN5+VLRztUGTDbY=
 github.com/spf13/viper v1.20.0-alpha.6/go.mod h1:CGBZzv0c9fOUASm6rfus4wdeIjR/04NOLq1P4KRhX3k=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
@@ -933,8 +932,8 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0 h1:KemlMZlVwBSEGaO91WKgp41BBFsnWqqj9sKRwmOqC40=
 go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0/go.mod h1:uq8DrRaen3suIWTpdR/JNHCGpurSvMv9D5Nr5CU5TXc=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
 go.opentelemetry.io/contrib/propagators/b3 v1.19.0 h1:ulz44cpm6V5oAeg5Aw9HyqGFMS6XM7untlMEhD7YzzA=
@@ -978,8 +977,8 @@ golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 h1:9kj3STMvgqy3YA4VQXBrN7925ICMxD5wzMRcgA30588=
 golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
@@ -1001,8 +1000,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1027,11 +1026,11 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1043,8 +1042,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1087,8 +1086,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -1100,10 +1099,10 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1133,8 +1132,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
@@ -1145,29 +1144,31 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
 google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
-google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 h1:FVCohIoYO7IJoDDVpV2pdq7SgrMH6wHnuTyrdrxJNoY=
 gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0/go.mod h1:OdE7CF6DbADk7lN8LIKRzRJTTZXIjtWgA5THM5lhBAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/pkg/controller/common/helpers_test.go b/pkg/controller/common/helpers_test.go
index 797fb19669..299797cdb8 100644
--- a/pkg/controller/common/helpers_test.go
+++ b/pkg/controller/common/helpers_test.go
@@ -140,7 +140,7 @@ func TestValidateIgnition(t *testing.T) {
 // the expected supported minor versions in a sorted slice of strings
 func TestIgnitionConverterGetSupportedMinorVersions(t *testing.T) {
 	converter := newIgnitionConverter(buildConverterList())
-	supported := []string{"2.2", "3.0", "3.1", "3.2", "3.3", "3.4", "3.5"}
+	supported := []string{"2.2", "3.0", "3.1", "3.2", "3.3", "3.4", "3.5", "3.6"}
 	assert.Equal(t, supported, converter.GetSupportedMinorVersions())
 }
 
diff --git a/pkg/controller/common/ignition_converter.go b/pkg/controller/common/ignition_converter.go
index 86a14d2e25..91c7400196 100644
--- a/pkg/controller/common/ignition_converter.go
+++ b/pkg/controller/common/ignition_converter.go
@@ -24,6 +24,8 @@ import (
 	v34types "github.com/coreos/ignition/v2/config/v3_4/types"
 	v35translate "github.com/coreos/ignition/v2/config/v3_5/translate"
 	v35types "github.com/coreos/ignition/v2/config/v3_5/types"
+	v36translate "github.com/coreos/ignition/v2/config/v3_6/translate"
+	v36types "github.com/coreos/ignition/v2/config/v3_6/types"
 )
 
 var (
@@ -126,6 +128,8 @@ func (c *functionConverter) Versions() conversionTuple {
 // of the supported version maps.
 func buildConverterList() []ignitionVersionConverter {
 	return []ignitionVersionConverter{
+		// v3.5 -> v3.6
+		newFunctionConverterTypedNoError[v35types.Config, v36types.Config](v35types.MaxVersion, v36types.MaxVersion, v36translate.Translate),
 		// v3.5 -> v3.4
 		newFunctionConverterTyped[v35types.Config, v34types.Config](v35types.MaxVersion, v34types.MaxVersion, v35tov34.Translate),
 		// v3.4 -> v3.5
diff --git a/pkg/server/api_test.go b/pkg/server/api_test.go
index 73ac23779b..801e1c7a4f 100644
--- a/pkg/server/api_test.go
+++ b/pkg/server/api_test.go
@@ -58,6 +58,7 @@ func TestAcceptHeaders(t *testing.T) {
 	v3_3 := semver.New("3.3.0")
 	v3_4 := semver.New("3.4.0")
 	v3_5 := semver.New("3.5.0")
+	v3_6 := semver.New("3.6.0")
 	headers := []acceptHeaderScenario{
 		{
 			name:  "IgnV0",
@@ -84,6 +85,25 @@ func TestAcceptHeaders(t *testing.T) {
 			},
 			versionOut: v2_2,
 		},
+		{
+			name:  "IgnV2_36",
+			input: "application/vnd.coreos.ignition+json;version=3.6.0, */*;q=0.1",
+			headerVals: []acceptHeaderValue{
+				{
+					MIMEType:    "application",
+					MIMESubtype: "vnd.coreos.ignition+json",
+					SemVer:      v3_6,
+					QValue:      float32ToPtr(1.0),
+				},
+				{
+					MIMEType:    "*",
+					MIMESubtype: "*",
+					SemVer:      nil,
+					QValue:      float32ToPtr(0.1),
+				},
+			},
+			versionOut: v3_6,
+		},
 		{
 			name:  "IgnV2_35",
 			input: "application/vnd.coreos.ignition+json;version=3.5.0, */*;q=0.1",
@@ -254,6 +274,11 @@ func setV3_5AcceptHeaderOnReq(req *http.Request) *http.Request {
 	return req
 }
 
+func setV3_6AcceptHeaderOnReq(req *http.Request) *http.Request {
+	req.Header.Set("Accept", "application/vnd.coreos.ignition+json;version=3.6.0, */*;q=0.1")
+	return req
+}
+
 func TestAPIHandler(t *testing.T) {
 	scenarios := []scenario{
 		{
diff --git a/vendor/github.com/aws/aws-sdk-go/LICENSE.txt b/vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt
similarity index 100%
rename from vendor/github.com/aws/aws-sdk-go/LICENSE.txt
rename to vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt
diff --git a/vendor/github.com/aws/aws-sdk-go/NOTICE.txt b/vendor/github.com/aws/aws-sdk-go-v2/NOTICE.txt
similarity index 100%
rename from vendor/github.com/aws/aws-sdk-go/NOTICE.txt
rename to vendor/github.com/aws/aws-sdk-go-v2/NOTICE.txt
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/arn/arn.go
similarity index 94%
rename from vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go
rename to vendor/github.com/aws/aws-sdk-go-v2/aws/arn/arn.go
index 1c49674290..fe63fedadd 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/arn/arn.go
@@ -75,9 +75,8 @@ func Parse(arn string) (ARN, error) {
 	}, nil
 }
 
-// IsARN returns whether the given string is an ARN by looking for
-// whether the string starts with "arn:" and contains the correct number
-// of sections delimited by colons(:).
+// IsARN returns whether the given string is an arn
+// by looking for whether the string starts with arn:
 func IsARN(arn string) bool {
 	return strings.HasPrefix(arn, arnPrefix) && strings.Count(arn, ":") >= arnSections-1
 }
diff --git a/vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go b/vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go
index 147f756fe2..22ce8f1df1 100644
--- a/vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go
+++ b/vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go
@@ -12,7 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// Integration with the systemd D-Bus API.  See http://www.freedesktop.org/wiki/Software/systemd/dbus/
+// Package dbus provides integration with the systemd D-Bus API.
+// See http://www.freedesktop.org/wiki/Software/systemd/dbus/
 package dbus
 
 import (
diff --git a/vendor/github.com/coreos/go-systemd/v22/dbus/methods.go b/vendor/github.com/coreos/go-systemd/v22/dbus/methods.go
index 074148cb4d..a64f0b3eae 100644
--- a/vendor/github.com/coreos/go-systemd/v22/dbus/methods.go
+++ b/vendor/github.com/coreos/go-systemd/v22/dbus/methods.go
@@ -24,15 +24,15 @@ import (
 	"github.com/godbus/dbus/v5"
 )
 
-// Who can be used to specify which process to kill in the unit via the KillUnitWithTarget API
+// Who specifies which process to send a signal to via the [KillUnitWithTarget].
 type Who string
 
 const (
-	// All sends the signal to all processes in the unit
+	// All sends the signal to all processes in the unit.
 	All Who = "all"
-	// Main sends the signal to the main process of the unit
+	// Main sends the signal to the main process of the unit.
 	Main Who = "main"
-	// Control sends the signal to the control process of the unit
+	// Control sends the signal to the control process of the unit.
 	Control Who = "control"
 )
 
@@ -41,7 +41,8 @@ func (c *Conn) jobComplete(signal *dbus.Signal) {
 	var job dbus.ObjectPath
 	var unit string
 	var result string
-	dbus.Store(signal.Body, &id, &job, &unit, &result)
+
+	_ = dbus.Store(signal.Body, &id, &job, &unit, &result)
 	c.jobListener.Lock()
 	out, ok := c.jobListener.jobs[job]
 	if ok {
@@ -51,7 +52,7 @@ func (c *Conn) jobComplete(signal *dbus.Signal) {
 	c.jobListener.Unlock()
 }
 
-func (c *Conn) startJob(ctx context.Context, ch chan<- string, job string, args ...interface{}) (int, error) {
+func (c *Conn) startJob(ctx context.Context, ch chan<- string, job string, args ...any) (int, error) {
 	if ch != nil {
 		c.jobListener.Lock()
 		defer c.jobListener.Unlock()
@@ -102,6 +103,10 @@ func (c *Conn) StartUnit(name string, mode string, ch chan<- string) (int, error
 // has been removed too. skipped indicates that a job was skipped because it
 // didn't apply to the units current state.
 //
+// Important: It is the caller's responsibility to unblock the provided channel write,
+// either by reading from the channel or by using a buffered channel. Until the write
+// is unblocked, the Conn object cannot handle other jobs.
+//
 // If no error occurs, the ID of the underlying systemd job will be returned. There
 // does exist the possibility for no error to be returned, but for the returned job
 // ID to be 0. In this case, the actual underlying ID is not 0 and this datapoint
@@ -192,19 +197,21 @@ func (c *Conn) StartTransientUnitContext(ctx context.Context, name string, mode
 	return c.startJob(ctx, ch, "org.freedesktop.systemd1.Manager.StartTransientUnit", name, mode, properties, make([]PropertyCollection, 0))
 }
 
-// Deprecated: use KillUnitContext instead.
+// Deprecated: use [KillUnitWithTarget] instead.
 func (c *Conn) KillUnit(name string, signal int32) {
 	c.KillUnitContext(context.Background(), name, signal)
 }
 
 // KillUnitContext takes the unit name and a UNIX signal number to send.
 // All of the unit's processes are killed.
+//
+// Deprecated: use [KillUnitWithTarget] instead, with target argument set to [All].
 func (c *Conn) KillUnitContext(ctx context.Context, name string, signal int32) {
-	c.KillUnitWithTarget(ctx, name, All, signal)
+	_ = c.KillUnitWithTarget(ctx, name, All, signal)
 }
 
-// KillUnitWithTarget is like KillUnitContext, but allows you to specify which
-// process in the unit to send the signal to.
+// KillUnitWithTarget sends a signal to the specified unit.
+// The target argument can be one of [All], [Main], or [Control].
 func (c *Conn) KillUnitWithTarget(ctx context.Context, name string, target Who, signal int32) error {
 	return c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.KillUnit", 0, name, string(target), signal).Store()
 }
@@ -240,7 +247,7 @@ func (c *Conn) SystemStateContext(ctx context.Context) (*Property, error) {
 }
 
 // getProperties takes the unit path and returns all of its dbus object properties, for the given dbus interface.
-func (c *Conn) getProperties(ctx context.Context, path dbus.ObjectPath, dbusInterface string) (map[string]interface{}, error) {
+func (c *Conn) getProperties(ctx context.Context, path dbus.ObjectPath, dbusInterface string) (map[string]any, error) {
 	var err error
 	var props map[string]dbus.Variant
 
@@ -254,7 +261,7 @@ func (c *Conn) getProperties(ctx context.Context, path dbus.ObjectPath, dbusInte
 		return nil, err
 	}
 
-	out := make(map[string]interface{}, len(props))
+	out := make(map[string]any, len(props))
 	for k, v := range props {
 		out[k] = v.Value()
 	}
@@ -263,36 +270,36 @@ func (c *Conn) getProperties(ctx context.Context, path dbus.ObjectPath, dbusInte
 }
 
 // Deprecated: use GetUnitPropertiesContext instead.
-func (c *Conn) GetUnitProperties(unit string) (map[string]interface{}, error) {
+func (c *Conn) GetUnitProperties(unit string) (map[string]any, error) {
 	return c.GetUnitPropertiesContext(context.Background(), unit)
 }
 
 // GetUnitPropertiesContext takes the (unescaped) unit name and returns all of
 // its dbus object properties.
-func (c *Conn) GetUnitPropertiesContext(ctx context.Context, unit string) (map[string]interface{}, error) {
+func (c *Conn) GetUnitPropertiesContext(ctx context.Context, unit string) (map[string]any, error) {
 	path := unitPath(unit)
 	return c.getProperties(ctx, path, "org.freedesktop.systemd1.Unit")
 }
 
 // Deprecated: use GetUnitPathPropertiesContext instead.
-func (c *Conn) GetUnitPathProperties(path dbus.ObjectPath) (map[string]interface{}, error) {
+func (c *Conn) GetUnitPathProperties(path dbus.ObjectPath) (map[string]any, error) {
 	return c.GetUnitPathPropertiesContext(context.Background(), path)
 }
 
 // GetUnitPathPropertiesContext takes the (escaped) unit path and returns all
 // of its dbus object properties.
-func (c *Conn) GetUnitPathPropertiesContext(ctx context.Context, path dbus.ObjectPath) (map[string]interface{}, error) {
+func (c *Conn) GetUnitPathPropertiesContext(ctx context.Context, path dbus.ObjectPath) (map[string]any, error) {
 	return c.getProperties(ctx, path, "org.freedesktop.systemd1.Unit")
 }
 
 // Deprecated: use GetAllPropertiesContext instead.
-func (c *Conn) GetAllProperties(unit string) (map[string]interface{}, error) {
+func (c *Conn) GetAllProperties(unit string) (map[string]any, error) {
 	return c.GetAllPropertiesContext(context.Background(), unit)
 }
 
 // GetAllPropertiesContext takes the (unescaped) unit name and returns all of
 // its dbus object properties.
-func (c *Conn) GetAllPropertiesContext(ctx context.Context, unit string) (map[string]interface{}, error) {
+func (c *Conn) GetAllPropertiesContext(ctx context.Context, unit string) (map[string]any, error) {
 	path := unitPath(unit)
 	return c.getProperties(ctx, path, "")
 }
@@ -331,20 +338,20 @@ func (c *Conn) GetServiceProperty(service string, propertyName string) (*Propert
 	return c.GetServicePropertyContext(context.Background(), service, propertyName)
 }
 
-// GetServiceProperty returns property for given service name and property name.
+// GetServicePropertyContext returns property for given service name and property name.
 func (c *Conn) GetServicePropertyContext(ctx context.Context, service string, propertyName string) (*Property, error) {
 	return c.getProperty(ctx, service, "org.freedesktop.systemd1.Service", propertyName)
 }
 
 // Deprecated: use GetUnitTypePropertiesContext instead.
-func (c *Conn) GetUnitTypeProperties(unit string, unitType string) (map[string]interface{}, error) {
+func (c *Conn) GetUnitTypeProperties(unit string, unitType string) (map[string]any, error) {
 	return c.GetUnitTypePropertiesContext(context.Background(), unit, unitType)
 }
 
 // GetUnitTypePropertiesContext returns the extra properties for a unit, specific to the unit type.
 // Valid values for unitType: Service, Socket, Target, Device, Mount, Automount, Snapshot, Timer, Swap, Path, Slice, Scope.
 // Returns "dbus.Error: Unknown interface" error if the unitType is not the correct type of the unit.
-func (c *Conn) GetUnitTypePropertiesContext(ctx context.Context, unit string, unitType string) (map[string]interface{}, error) {
+func (c *Conn) GetUnitTypePropertiesContext(ctx context.Context, unit string, unitType string) (map[string]any, error) {
 	path := unitPath(unit)
 	return c.getProperties(ctx, path, "org.freedesktop.systemd1."+unitType)
 }
@@ -389,22 +396,22 @@ type UnitStatus struct {
 	JobPath     dbus.ObjectPath // The job object path
 }
 
-type storeFunc func(retvalues ...interface{}) error
+type storeFunc func(retvalues ...any) error
 
 func (c *Conn) listUnitsInternal(f storeFunc) ([]UnitStatus, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := f(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	status := make([]UnitStatus, len(result))
-	statusInterface := make([]interface{}, len(status))
+	statusInterface := make([]any, len(status))
 	for i := range status {
 		statusInterface[i] = &status[i]
 	}
@@ -499,19 +506,19 @@ type UnitFile struct {
 }
 
 func (c *Conn) listUnitFilesInternal(f storeFunc) ([]UnitFile, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := f(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	files := make([]UnitFile, len(result))
-	fileInterface := make([]interface{}, len(files))
+	fileInterface := make([]any, len(files))
 	for i := range files {
 		fileInterface[i] = &files[i]
 	}
@@ -529,7 +536,7 @@ func (c *Conn) ListUnitFiles() ([]UnitFile, error) {
 	return c.ListUnitFilesContext(context.Background())
 }
 
-// ListUnitFiles returns an array of all available units on disk.
+// ListUnitFilesContext returns an array of all available units on disk.
 func (c *Conn) ListUnitFilesContext(ctx context.Context) ([]UnitFile, error) {
 	return c.listUnitFilesInternal(c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.ListUnitFiles", 0).Store)
 }
@@ -569,19 +576,19 @@ func (c *Conn) LinkUnitFiles(files []string, runtime bool, force bool) ([]LinkUn
 // or unlink), the file name of the symlink and the destination of the
 // symlink.
 func (c *Conn) LinkUnitFilesContext(ctx context.Context, files []string, runtime bool, force bool) ([]LinkUnitFileChange, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.LinkUnitFiles", 0, files, runtime, force).Store(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	changes := make([]LinkUnitFileChange, len(result))
-	changesInterface := make([]interface{}, len(changes))
+	changesInterface := make([]any, len(changes))
 	for i := range changes {
 		changesInterface[i] = &changes[i]
 	}
@@ -618,19 +625,19 @@ func (c *Conn) EnableUnitFiles(files []string, runtime bool, force bool) (bool,
 func (c *Conn) EnableUnitFilesContext(ctx context.Context, files []string, runtime bool, force bool) (bool, []EnableUnitFileChange, error) {
 	var carries_install_info bool
 
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.EnableUnitFiles", 0, files, runtime, force).Store(&carries_install_info, &result)
 	if err != nil {
 		return false, nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	changes := make([]EnableUnitFileChange, len(result))
-	changesInterface := make([]interface{}, len(changes))
+	changesInterface := make([]any, len(changes))
 	for i := range changes {
 		changesInterface[i] = &changes[i]
 	}
@@ -667,19 +674,19 @@ func (c *Conn) DisableUnitFiles(files []string, runtime bool) ([]DisableUnitFile
 // symlink or unlink), the file name of the symlink and the destination of the
 // symlink.
 func (c *Conn) DisableUnitFilesContext(ctx context.Context, files []string, runtime bool) ([]DisableUnitFileChange, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.DisableUnitFiles", 0, files, runtime).Store(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	changes := make([]DisableUnitFileChange, len(result))
-	changesInterface := make([]interface{}, len(changes))
+	changesInterface := make([]any, len(changes))
 	for i := range changes {
 		changesInterface[i] = &changes[i]
 	}
@@ -713,19 +720,19 @@ func (c *Conn) MaskUnitFiles(files []string, runtime bool, force bool) ([]MaskUn
 // runtime only (true, /run/systemd/..), or persistently (false,
 // /etc/systemd/..).
 func (c *Conn) MaskUnitFilesContext(ctx context.Context, files []string, runtime bool, force bool) ([]MaskUnitFileChange, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.MaskUnitFiles", 0, files, runtime, force).Store(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	changes := make([]MaskUnitFileChange, len(result))
-	changesInterface := make([]interface{}, len(changes))
+	changesInterface := make([]any, len(changes))
 	for i := range changes {
 		changesInterface[i] = &changes[i]
 	}
@@ -757,19 +764,19 @@ func (c *Conn) UnmaskUnitFiles(files []string, runtime bool) ([]UnmaskUnitFileCh
 // for runtime only (true, /run/systemd/..), or persistently (false,
 // /etc/systemd/..).
 func (c *Conn) UnmaskUnitFilesContext(ctx context.Context, files []string, runtime bool) ([]UnmaskUnitFileChange, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.UnmaskUnitFiles", 0, files, runtime).Store(&result)
 	if err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	changes := make([]UnmaskUnitFileChange, len(result))
-	changesInterface := make([]interface{}, len(changes))
+	changesInterface := make([]any, len(changes))
 	for i := range changes {
 		changesInterface[i] = &changes[i]
 	}
@@ -829,18 +836,18 @@ func (c *Conn) ListJobsContext(ctx context.Context) ([]JobStatus, error) {
 }
 
 func (c *Conn) listJobsInternal(ctx context.Context) ([]JobStatus, error) {
-	result := make([][]interface{}, 0)
+	result := make([][]any, 0)
 	if err := c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.ListJobs", 0).Store(&result); err != nil {
 		return nil, err
 	}
 
-	resultInterface := make([]interface{}, len(result))
+	resultInterface := make([]any, len(result))
 	for i := range result {
 		resultInterface[i] = result[i]
 	}
 
 	status := make([]JobStatus, len(result))
-	statusInterface := make([]interface{}, len(status))
+	statusInterface := make([]any, len(status))
 	for i := range status {
 		statusInterface[i] = &status[i]
 	}
@@ -852,13 +859,18 @@ func (c *Conn) listJobsInternal(ctx context.Context) ([]JobStatus, error) {
 	return status, nil
 }
 
-// Freeze the cgroup associated with the unit.
-// Note that FreezeUnit and ThawUnit are only supported on systems running with cgroup v2.
+// FreezeUnit freezes the cgroup associated with the unit.
+// Note that FreezeUnit and [ThawUnit] are only supported on systems running with cgroup v2.
 func (c *Conn) FreezeUnit(ctx context.Context, unit string) error {
 	return c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.FreezeUnit", 0, unit).Store()
 }
 
-// Unfreeze the cgroup associated with the unit.
+// ThawUnit unfreezes the cgroup associated with the unit.
 func (c *Conn) ThawUnit(ctx context.Context, unit string) error {
 	return c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.ThawUnit", 0, unit).Store()
 }
+
+// AttachProcessesToUnit moves existing processes, identified by pids, into an existing systemd unit.
+func (c *Conn) AttachProcessesToUnit(ctx context.Context, unit, subcgroup string, pids []uint32) error {
+	return c.sysobj.CallWithContext(ctx, "org.freedesktop.systemd1.Manager.AttachProcessesToUnit", 0, unit, subcgroup, pids).Store()
+}
diff --git a/vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go b/vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go
index 7e370fea21..f0f6aad9d1 100644
--- a/vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go
+++ b/vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go
@@ -70,7 +70,7 @@ func (c *Conn) dispatch() {
 			switch signal.Name {
 			case "org.freedesktop.systemd1.Manager.JobRemoved":
 				unitName := signal.Body[2].(string)
-				c.sysobj.Call("org.freedesktop.systemd1.Manager.GetUnit", 0, unitName).Store(&unitPath)
+				_ = c.sysobj.Call("org.freedesktop.systemd1.Manager.GetUnit", 0, unitName).Store(&unitPath)
 			case "org.freedesktop.systemd1.Manager.UnitNew":
 				unitPath = signal.Body[1].(dbus.ObjectPath)
 			case "org.freedesktop.DBus.Properties.PropertiesChanged":
@@ -262,7 +262,7 @@ func (c *Conn) shouldIgnore(path dbus.ObjectPath) bool {
 	return ok && t >= time.Now().UnixNano()
 }
 
-func (c *Conn) updateIgnore(path dbus.ObjectPath, info map[string]interface{}) {
+func (c *Conn) updateIgnore(path dbus.ObjectPath, info map[string]any) {
 	loadState, ok := info["LoadState"].(string)
 	if !ok {
 		return
diff --git a/vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go b/vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go
index 5b408d5847..dbe4aa887b 100644
--- a/vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go
+++ b/vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go
@@ -40,8 +40,8 @@ func (s *SubscriptionSet) Subscribe() (<-chan map[string]*UnitStatus, <-chan err
 }
 
 // NewSubscriptionSet returns a new subscription set.
-func (conn *Conn) NewSubscriptionSet() *SubscriptionSet {
-	return &SubscriptionSet{newSet(), conn}
+func (c *Conn) NewSubscriptionSet() *SubscriptionSet {
+	return &SubscriptionSet{newSet(), c}
 }
 
 // mismatchUnitStatus returns true if the provided UnitStatus objects
diff --git a/vendor/github.com/coreos/go-systemd/v22/journal/journal.go b/vendor/github.com/coreos/go-systemd/v22/journal/journal.go
index ac24c7767d..16c4e47751 100644
--- a/vendor/github.com/coreos/go-systemd/v22/journal/journal.go
+++ b/vendor/github.com/coreos/go-systemd/v22/journal/journal.go
@@ -41,6 +41,6 @@ const (
 )
 
 // Print prints a message to the local systemd journal using Send().
-func Print(priority Priority, format string, a ...interface{}) error {
+func Print(priority Priority, format string, a ...any) error {
 	return Send(fmt.Sprintf(format, a...), priority, nil)
 }
diff --git a/vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go b/vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go
index c5b23a8196..6266e16e57 100644
--- a/vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go
+++ b/vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go
@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !windows
-// +build !windows
 
 // Package journal provides write bindings to the local systemd journal.
 // It is implemented in pure Go and connects to the journal directly over its
@@ -31,7 +30,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
 	"strconv"
@@ -194,7 +192,7 @@ func appendVariable(w io.Writer, name, value string) {
 		 * - the data, followed by a newline
 		 */
 		fmt.Fprintln(w, name)
-		binary.Write(w, binary.LittleEndian, uint64(len(value)))
+		_ = binary.Write(w, binary.LittleEndian, uint64(len(value)))
 		fmt.Fprintln(w, value)
 	} else {
 		/* just write the variable and value all on one line */
@@ -214,7 +212,7 @@ func validVarName(name string) error {
 	}
 
 	for _, c := range name {
-		if !(('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') || c == '_') {
+		if ('A' > c || c > 'Z') && ('0' > c || c > '9') && c != '_' {
 			return errors.New("Variable name contains invalid characters")
 		}
 	}
@@ -239,7 +237,7 @@ func isSocketSpaceError(err error) bool {
 
 // tempFd creates a temporary, unlinked file under `/dev/shm`.
 func tempFd() (*os.File, error) {
-	file, err := ioutil.TempFile("/dev/shm/", "journal.XXXXX")
+	file, err := os.CreateTemp("/dev/shm/", "journal.XXXXX")
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/coreos/go-systemd/v22/unit/deserialize.go b/vendor/github.com/coreos/go-systemd/v22/unit/deserialize.go
index 283c150771..74b9573f93 100644
--- a/vendor/github.com/coreos/go-systemd/v22/unit/deserialize.go
+++ b/vendor/github.com/coreos/go-systemd/v22/unit/deserialize.go
@@ -38,10 +38,8 @@ const (
 	SYSTEMD_NEWLINE = "\r\n"
 )
 
-var (
-	// ErrLineTooLong gets returned when a line is too long for systemd to handle.
-	ErrLineTooLong = fmt.Errorf("line too long (max %d bytes)", SYSTEMD_LINE_MAX)
-)
+// ErrLineTooLong gets returned when a line is too long for systemd to handle.
+var ErrLineTooLong = fmt.Errorf("line too long (max %d bytes)", SYSTEMD_LINE_MAX)
 
 // DeserializeOptions parses a systemd unit file into a list of UnitOptions
 func DeserializeOptions(f io.Reader) (opts []*UnitOption, err error) {
@@ -79,7 +77,6 @@ type lexData struct {
 
 // deserializeAll deserializes into UnitSections and UnitOptions.
 func deserializeAll(f io.Reader) ([]*UnitSection, []*UnitOption, error) {
-
 	lexer, lexchan, errchan := newLexer(f)
 
 	go lexer.lex()
@@ -92,8 +89,8 @@ func deserializeAll(f io.Reader) ([]*UnitSection, []*UnitOption, error) {
 		case optionKind:
 			if ld.Option != nil {
 				// add to options
-				opt := ld.Option
-				options = append(options, &(*opt))
+				opt := *ld.Option
+				options = append(options, &opt)
 
 				// sanity check. "should not happen" as sectionKind is first in code flow.
 				if len(sections) == 0 {
@@ -255,7 +252,7 @@ func (l *lexer) lexNextSectionOrOptionFunc(section string) lexStep {
 			return l.ignoreLineFunc(l.lexNextSectionOrOptionFunc(section)), nil
 		}
 
-		l.buf.UnreadRune()
+		_ = l.buf.UnreadRune() // This can't fail as we just called ReadRune.
 		return l.lexOptionNameFunc(section), nil
 	}
 }
@@ -287,29 +284,23 @@ func (l *lexer) lexOptionNameFunc(section string) lexStep {
 
 func (l *lexer) lexOptionValueFunc(section, name string, partial bytes.Buffer) lexStep {
 	return func() (lexStep, error) {
-		for {
-			line, eof, err := l.toEOL()
-			if err != nil {
-				return nil, err
-			}
-
-			if len(bytes.TrimSpace(line)) == 0 {
-				break
-			}
+		line, eof, err := l.toEOL()
+		if err != nil {
+			return nil, err
+		}
 
+		if len(bytes.TrimSpace(line)) != 0 {
 			partial.Write(line)
 
 			// lack of continuation means this value has been exhausted
-			idx := bytes.LastIndex(line, []byte{'\\'})
-			if idx == -1 || idx != (len(line)-1) {
-				break
-			}
+			if bytes.HasSuffix(line, []byte{'\\'}) {
+				// line ends with backslash, continue parsing
+				if !eof {
+					partial.WriteRune('\n')
+				}
 
-			if !eof {
-				partial.WriteRune('\n')
+				return l.lexOptionValueFunc(section, name, partial), nil
 			}
-
-			return l.lexOptionValueFunc(section, name, partial), nil
 		}
 
 		val := partial.String()
diff --git a/vendor/github.com/coreos/go-systemd/v22/unit/doc.go b/vendor/github.com/coreos/go-systemd/v22/unit/doc.go
new file mode 100644
index 0000000000..1c265e4aa2
--- /dev/null
+++ b/vendor/github.com/coreos/go-systemd/v22/unit/doc.go
@@ -0,0 +1,12 @@
+// Package unit provides utilities for parsing, serializing, and manipulating
+// systemd unit files. It supports both reading unit file content into Go data
+// structures and writing Go data structures back to unit file format.
+//
+// The package provides functionality to:
+//   - Parse systemd unit files into [UnitOption] and [UnitSection] structures
+//   - Serialize Go structures back into unit file format
+//   - Escape and unescape unit names according to systemd conventions
+//
+// Unit files are configuration files that describe how systemd should manage
+// services, sockets, devices, and other system resources.
+package unit
diff --git a/vendor/github.com/coreos/go-systemd/v22/unit/option.go b/vendor/github.com/coreos/go-systemd/v22/unit/option.go
index 98e1af5c99..800ecda449 100644
--- a/vendor/github.com/coreos/go-systemd/v22/unit/option.go
+++ b/vendor/github.com/coreos/go-systemd/v22/unit/option.go
@@ -49,7 +49,7 @@ func AllMatch(u1 []*UnitOption, u2 []*UnitOption) bool {
 		return false
 	}
 
-	for i := 0; i < length; i++ {
+	for i := range length {
 		if !u1[i].Match(u2[i]) {
 			return false
 		}
diff --git a/vendor/github.com/coreos/go-systemd/v22/unit/serialize.go b/vendor/github.com/coreos/go-systemd/v22/unit/serialize.go
index c1b79c02dc..2557706593 100644
--- a/vendor/github.com/coreos/go-systemd/v22/unit/serialize.go
+++ b/vendor/github.com/coreos/go-systemd/v22/unit/serialize.go
@@ -61,7 +61,6 @@ func Serialize(opts []*UnitOption) io.Reader {
 // SerializeSections will serializes the unit file from the given
 // UnitSections.
 func SerializeSections(sections []*UnitSection) io.Reader {
-
 	var buf bytes.Buffer
 
 	for i, s := range sections {
diff --git a/vendor/github.com/coreos/ignition/v2/config/shared/errors/errors.go b/vendor/github.com/coreos/ignition/v2/config/shared/errors/errors.go
index 13742ab01a..85d110112b 100644
--- a/vendor/github.com/coreos/ignition/v2/config/shared/errors/errors.go
+++ b/vendor/github.com/coreos/ignition/v2/config/shared/errors/errors.go
@@ -64,7 +64,7 @@ var (
 	ErrTangThumbprintRequired    = errors.New("thumbprint is required")
 	ErrInvalidTangAdvertisement  = errors.New("advertisement is not valid JSON")
 	ErrFileIllegalMode           = errors.New("illegal file mode")
-	ErrModeSpecialBits           = errors.New("setuid/setgid/sticky bits are not supported in spec versions older than 3.4.0")
+	ErrModeSpecialBits           = errors.New("setuid/setgid/sticky bits are not supported or functional in spec versions older than 3.6.0")
 	ErrBothIDAndNameSet          = errors.New("cannot set both id and name")
 	ErrLabelTooLong              = errors.New("partition labels may not exceed 36 characters")
 	ErrDoesntMatchGUIDRegex      = errors.New("doesn't match the form \"01234567-89AB-CDEF-EDCB-A98765432101\"")
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go b/vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go
index 5d748d829e..5f6a23b88d 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go
@@ -16,7 +16,6 @@ package translate
 
 import (
 	"github.com/coreos/ignition/v2/config/translate"
-	"github.com/coreos/ignition/v2/config/util"
 	old_types "github.com/coreos/ignition/v2/config/v3_3/types"
 	"github.com/coreos/ignition/v2/config/v3_4/types"
 )
@@ -28,31 +27,6 @@ func translateIgnition(old old_types.Ignition) (ret types.Ignition) {
 	return
 }
 
-func translateFileEmbedded1(old old_types.FileEmbedded1) (ret types.FileEmbedded1) {
-	tr := translate.NewTranslator()
-	tr.Translate(&old.Append, &ret.Append)
-	tr.Translate(&old.Contents, &ret.Contents)
-	if old.Mode != nil {
-		// We support the special mode bits for specs >=3.4.0, so if
-		// the user provides special mode bits in an Ignition config
-		// with the version < 3.4.0, then we need to explicitly mask
-		// those bits out during translation.
-		ret.Mode = util.IntToPtr(*old.Mode & ^07000)
-	}
-	return
-}
-
-func translateDirectoryEmbedded1(old old_types.DirectoryEmbedded1) (ret types.DirectoryEmbedded1) {
-	if old.Mode != nil {
-		// We support the special mode bits for specs >=3.4.0, so if
-		// the user provides special mode bits in an Ignition config
-		// with the version < 3.4.0, then we need to explicitly mask
-		// those bits out during translation.
-		ret.Mode = util.IntToPtr(*old.Mode & ^07000)
-	}
-	return
-}
-
 func translateLuks(old old_types.Luks) (ret types.Luks) {
 	tr := translate.NewTranslator()
 	tr.AddCustomTranslator(translateTang)
@@ -77,8 +51,6 @@ func translateTang(old old_types.Tang) (ret types.Tang) {
 func Translate(old old_types.Config) (ret types.Config) {
 	tr := translate.NewTranslator()
 	tr.AddCustomTranslator(translateIgnition)
-	tr.AddCustomTranslator(translateDirectoryEmbedded1)
-	tr.AddCustomTranslator(translateFileEmbedded1)
 	tr.AddCustomTranslator(translateLuks)
 	tr.Translate(&old, &ret)
 	return
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go
index f6f0684557..b01a6bf9d7 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go
index 9b71bb26aa..4e7566bd3b 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go
index 9eb7573d8b..ad3e51c22c 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go
index 3ca189dae3..97a4c9ae22 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go
@@ -18,7 +18,7 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/vincent-petithory/dataurl"
 
 	"github.com/coreos/ignition/v2/config/shared/errors"
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go
index f6f0684557..b01a6bf9d7 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go
index 9b71bb26aa..4e7566bd3b 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go
index 9eb7573d8b..ad3e51c22c 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go
index 3ca189dae3..97a4c9ae22 100644
--- a/vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go
@@ -18,7 +18,7 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/vincent-petithory/dataurl"
 
 	"github.com/coreos/ignition/v2/config/shared/errors"
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go
new file mode 100644
index 0000000000..ae16eef368
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go
@@ -0,0 +1,68 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package translate
+
+import (
+	"github.com/coreos/ignition/v2/config/translate"
+	"github.com/coreos/ignition/v2/config/util"
+	old_types "github.com/coreos/ignition/v2/config/v3_5/types"
+	"github.com/coreos/ignition/v2/config/v3_6/types"
+)
+
+func translateFileEmbedded1(old old_types.FileEmbedded1) (ret types.FileEmbedded1) {
+	tr := translate.NewTranslator()
+	tr.Translate(&old.Append, &ret.Append)
+	tr.Translate(&old.Contents, &ret.Contents)
+	if old.Mode != nil {
+		// Since fixing #2024 we now have to mask for the stabilized specs
+		// to reduce security risks of applying permissions that were not applied
+		// before the fix was implemented.
+		// We support the special mode bits for specs >=3.6.0, so if
+		// the user provides special mode bits in an Ignition config
+		// with the version < 3.6.0, then we need to explicitly mask
+		// those bits out during translation.
+		ret.Mode = util.IntToPtr(*old.Mode & ^07000)
+	}
+	return
+}
+
+func translateDirectoryEmbedded1(old old_types.DirectoryEmbedded1) (ret types.DirectoryEmbedded1) {
+	if old.Mode != nil {
+		// Since fixing #2024 we now have to mask for the stabilized specs
+		// to reduce security risks of applying permissions that were not applied
+		// before the fix was implemented.
+		// We support the special mode bits for specs >=3.6.0, so if
+		// the user provides special mode bits in an Ignition config
+		// with the version < 3.6.0, then we need to explicitly mask
+		// those bits out during translation.
+		ret.Mode = util.IntToPtr(*old.Mode & ^07000)
+	}
+	return
+}
+func translateIgnition(old old_types.Ignition) (ret types.Ignition) {
+	// use a new translator so we don't recurse infinitely
+	translate.NewTranslator().Translate(&old, &ret)
+	ret.Version = types.MaxVersion.String()
+	return
+}
+
+func Translate(old old_types.Config) (ret types.Config) {
+	tr := translate.NewTranslator()
+	tr.AddCustomTranslator(translateIgnition)
+	tr.AddCustomTranslator(translateDirectoryEmbedded1)
+	tr.AddCustomTranslator(translateFileEmbedded1)
+	tr.Translate(&old, &ret)
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go
new file mode 100644
index 0000000000..b34f5f527e
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go
@@ -0,0 +1,33 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (cm Cex) IsPresent() bool {
+	return util.IsTrue(cm.Enabled)
+}
+
+func (cx Cex) Validate(c path.ContextPath) (r report.Report) {
+	if !util.IsTrue(cx.Enabled) {
+		return
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go
new file mode 100644
index 0000000000..3742633ddc
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go
@@ -0,0 +1,43 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (c Clevis) IsPresent() bool {
+	return util.NotEmpty(c.Custom.Pin) ||
+		len(c.Tang) > 0 ||
+		util.IsTrue(c.Tpm2) ||
+		c.Threshold != nil && *c.Threshold != 0
+}
+
+func (cu ClevisCustom) Validate(c path.ContextPath) (r report.Report) {
+	if util.NilOrEmpty(cu.Pin) && util.NilOrEmpty(cu.Config) && !util.IsTrue(cu.NeedsNetwork) {
+		return
+	}
+	if util.NilOrEmpty(cu.Pin) {
+		r.AddOnError(c.Append("pin"), errors.ErrClevisPinRequired)
+	}
+	if util.NilOrEmpty(cu.Config) {
+		r.AddOnError(c.Append("config"), errors.ErrClevisConfigRequired)
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go
new file mode 100644
index 0000000000..02ef7b4ae9
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go
@@ -0,0 +1,64 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/go-semver/semver"
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+var (
+	MaxVersion = semver.Version{
+		Major: 3,
+		Minor: 6,
+	}
+)
+
+func (cfg Config) Validate(c path.ContextPath) (r report.Report) {
+	systemdPath := "/etc/systemd/system/"
+	unitPaths := map[string]struct{}{}
+	for _, unit := range cfg.Systemd.Units {
+		if !util.NilOrEmpty(unit.Contents) {
+			pathString := systemdPath + unit.Name
+			unitPaths[pathString] = struct{}{}
+		}
+		for _, dropin := range unit.Dropins {
+			if !util.NilOrEmpty(dropin.Contents) {
+				pathString := systemdPath + unit.Name + ".d/" + dropin.Name
+				unitPaths[pathString] = struct{}{}
+			}
+		}
+	}
+	for i, f := range cfg.Storage.Files {
+		if _, exists := unitPaths[f.Path]; exists {
+			r.AddOnError(c.Append("storage", "files", i, "path"), errors.ErrPathConflictsSystemd)
+		}
+	}
+	for i, d := range cfg.Storage.Directories {
+		if _, exists := unitPaths[d.Path]; exists {
+			r.AddOnError(c.Append("storage", "directories", i, "path"), errors.ErrPathConflictsSystemd)
+		}
+	}
+	for i, l := range cfg.Storage.Links {
+		if _, exists := unitPaths[l.Path]; exists {
+			r.AddOnError(c.Append("storage", "links", i, "path"), errors.ErrPathConflictsSystemd)
+		}
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go
new file mode 100644
index 0000000000..a10ce97b05
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go
@@ -0,0 +1,25 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (d Device) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c, validatePath(string(d)))
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go
new file mode 100644
index 0000000000..f6f0684557
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go
@@ -0,0 +1,26 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (d Directory) Validate(c path.ContextPath) (r report.Report) {
+	r.Merge(d.Node.Validate(c))
+	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go
new file mode 100644
index 0000000000..8caf8499d7
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go
@@ -0,0 +1,135 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (d Disk) Key() string {
+	return d.Device
+}
+
+func (n Disk) Validate(c path.ContextPath) (r report.Report) {
+	if len(n.Device) == 0 {
+		r.AddOnError(c.Append("device"), errors.ErrDiskDeviceRequired)
+		return
+	}
+	r.AddOnError(c.Append("device"), validatePath(n.Device))
+
+	if collides, p := n.partitionNumbersCollide(); collides {
+		r.AddOnError(c.Append("partitions", p), errors.ErrPartitionNumbersCollide)
+	}
+	if overlaps, p := n.partitionsOverlap(); overlaps {
+		r.AddOnError(c.Append("partitions", p), errors.ErrPartitionsOverlap)
+	}
+	if n.partitionsMixZeroesAndNonexistence() {
+		r.AddOnError(c.Append("partitions"), errors.ErrZeroesWithShouldNotExist)
+	}
+	if collides, p := n.partitionLabelsCollide(); collides {
+		r.AddOnError(c.Append("partitions", p), errors.ErrDuplicateLabels)
+	}
+	return
+}
+
+// partitionNumbersCollide returns true if partition numbers in n.Partitions are not unique. It also returns the
+// index of the colliding partition
+func (n Disk) partitionNumbersCollide() (bool, int) {
+	m := map[int][]int{} // from partition number to index into array
+	for i, p := range n.Partitions {
+		if p.Number != 0 {
+			// a number of 0 means next available number, multiple devices can specify this
+			m[p.Number] = append(m[p.Number], i)
+		}
+	}
+	for _, n := range m {
+		if len(n) > 1 {
+			// TODO(vc): return information describing the collision for logging
+			return true, n[1]
+		}
+	}
+	return false, 0
+}
+
+func (d Disk) partitionLabelsCollide() (bool, int) {
+	m := map[string]struct{}{}
+	for i, p := range d.Partitions {
+		if p.Label != nil {
+			// a number of 0 means next available number, multiple devices can specify this
+			if _, exists := m[*p.Label]; exists {
+				return true, i
+			}
+			m[*p.Label] = struct{}{}
+		}
+	}
+	return false, 0
+}
+
+// end returns the last sector of a partition. Only used by partitionsOverlap. Requires non-nil Start and Size.
+func (p Partition) end() int {
+	if *p.SizeMiB == 0 {
+		// a size of 0 means "fill available", just return the start as the end for those.
+		return *p.StartMiB
+	}
+	return *p.StartMiB + *p.SizeMiB - 1
+}
+
+// partitionsOverlap returns true if any explicitly dimensioned partitions overlap. It also returns the index of
+// the overlapping partition
+func (n Disk) partitionsOverlap() (bool, int) {
+	for _, p := range n.Partitions {
+		// Starts of 0 are placed by sgdisk into the "largest available block" at that time.
+		// We aren't going to check those for overlap since we don't have the disk geometry.
+		if p.StartMiB == nil || p.SizeMiB == nil || *p.StartMiB == 0 {
+			continue
+		}
+
+		for i, o := range n.Partitions {
+			if o.StartMiB == nil || o.SizeMiB == nil || p == o || *o.StartMiB == 0 {
+				continue
+			}
+
+			// is p.StartMiB within o?
+			if *p.StartMiB >= *o.StartMiB && *p.StartMiB <= o.end() {
+				return true, i
+			}
+
+			// is p.end() within o?
+			if p.end() >= *o.StartMiB && p.end() <= o.end() {
+				return true, i
+			}
+
+			// do p.StartMiB and p.end() straddle o?
+			if *p.StartMiB < *o.StartMiB && p.end() > o.end() {
+				return true, i
+			}
+		}
+	}
+	return false, 0
+}
+
+func (n Disk) partitionsMixZeroesAndNonexistence() bool {
+	hasZero := false
+	hasShouldNotExist := false
+	for _, p := range n.Partitions {
+		hasShouldNotExist = hasShouldNotExist || util.IsFalse(p.ShouldExist)
+		hasZero = hasZero || (p.Number == 0)
+	}
+	return hasZero && hasShouldNotExist
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go
new file mode 100644
index 0000000000..9b71bb26aa
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go
@@ -0,0 +1,43 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (f File) Validate(c path.ContextPath) (r report.Report) {
+	r.Merge(f.Node.Validate(c))
+	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
+	return
+}
+
+func (f File) validateOverwrite() error {
+	if util.IsTrue(f.Overwrite) && f.Contents.Source == nil {
+		return errors.ErrOverwriteAndNilSource
+	}
+	return nil
+}
+
+func (f FileEmbedded1) IgnoreDuplicates() map[string]struct{} {
+	return map[string]struct{}{
+		"Append": {},
+	}
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go
new file mode 100644
index 0000000000..c722b3633d
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go
@@ -0,0 +1,106 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (f Filesystem) Key() string {
+	return f.Device
+}
+
+func (f Filesystem) IgnoreDuplicates() map[string]struct{} {
+	return map[string]struct{}{
+		"Options":      {},
+		"MountOptions": {},
+	}
+}
+
+func (f Filesystem) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("path"), f.validatePath())
+	r.AddOnError(c.Append("device"), validatePath(f.Device))
+	r.AddOnError(c.Append("format"), f.validateFormat())
+	r.AddOnError(c.Append("label"), f.validateLabel())
+	return
+}
+
+func (f Filesystem) validatePath() error {
+	return validatePathNilOK(f.Path)
+}
+
+func (f Filesystem) validateFormat() error {
+	if util.NilOrEmpty(f.Format) {
+		if util.NotEmpty(f.Path) ||
+			util.NotEmpty(f.Label) ||
+			util.NotEmpty(f.UUID) ||
+			util.IsTrue(f.WipeFilesystem) ||
+			len(f.MountOptions) != 0 ||
+			len(f.Options) != 0 {
+			return errors.ErrFormatNilWithOthers
+		}
+	} else {
+		switch *f.Format {
+		case "ext4", "btrfs", "xfs", "swap", "vfat", "none":
+		default:
+			return errors.ErrFilesystemInvalidFormat
+		}
+	}
+	return nil
+}
+
+func (f Filesystem) validateLabel() error {
+	if util.NilOrEmpty(f.Label) {
+		return nil
+	}
+	if util.NilOrEmpty(f.Format) {
+		return errors.ErrLabelNeedsFormat
+	}
+
+	switch *f.Format {
+	case "ext4":
+		if len(*f.Label) > 16 {
+			// source: man mkfs.ext4
+			return errors.ErrExt4LabelTooLong
+		}
+	case "btrfs":
+		if len(*f.Label) > 256 {
+			// source: man mkfs.btrfs
+			return errors.ErrBtrfsLabelTooLong
+		}
+	case "xfs":
+		if len(*f.Label) > 12 {
+			// source: man mkfs.xfs
+			return errors.ErrXfsLabelTooLong
+		}
+	case "swap":
+		// mkswap's man page does not state a limit on label size, but through
+		// experimentation it appears that mkswap will truncate long labels to
+		// 15 characters, so let's enforce that.
+		if len(*f.Label) > 15 {
+			return errors.ErrSwapLabelTooLong
+		}
+	case "vfat":
+		if len(*f.Label) > 11 {
+			// source: man mkfs.fat
+			return errors.ErrVfatLabelTooLong
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go
new file mode 100644
index 0000000000..be1aadad9a
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go
@@ -0,0 +1,65 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"net/http"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+// Parse generates standard net/http headers from the data in HTTPHeaders
+func (hs HTTPHeaders) Parse() (http.Header, error) {
+	headers := http.Header{}
+	for _, header := range hs {
+		if header.Name == "" {
+			return nil, errors.ErrEmptyHTTPHeaderName
+		}
+		if header.Value == nil || string(*header.Value) == "" {
+			return nil, errors.ErrInvalidHTTPHeader
+		}
+		headers.Add(header.Name, string(*header.Value))
+	}
+	return headers, nil
+}
+
+func (h HTTPHeader) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("name"), h.validateName())
+	r.AddOnError(c.Append("value"), h.validateValue())
+	return
+}
+
+func (h HTTPHeader) validateName() error {
+	if h.Name == "" {
+		return errors.ErrEmptyHTTPHeaderName
+	}
+	return nil
+}
+
+func (h HTTPHeader) validateValue() error {
+	if h.Value == nil {
+		return nil
+	}
+	if string(*h.Value) == "" {
+		return errors.ErrInvalidHTTPHeader
+	}
+	return nil
+}
+
+func (h HTTPHeader) Key() string {
+	return h.Name
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go
new file mode 100644
index 0000000000..190445bda7
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go
@@ -0,0 +1,49 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/go-semver/semver"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (v Ignition) Semver() (*semver.Version, error) {
+	return semver.NewVersion(v.Version)
+}
+
+func (ic IgnitionConfig) Validate(c path.ContextPath) (r report.Report) {
+	for i, res := range ic.Merge {
+		r.AddOnError(c.Append("merge", i), res.validateRequiredSource())
+	}
+	return
+}
+
+func (v Ignition) Validate(c path.ContextPath) (r report.Report) {
+	c = c.Append("version")
+	tv, err := v.Semver()
+	if err != nil {
+		r.AddOnError(c, errors.ErrInvalidVersion)
+		return
+	}
+
+	if MaxVersion != *tv {
+		r.AddOnError(c, errors.ErrUnknownVersion)
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go
new file mode 100644
index 0000000000..42c29408e1
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go
@@ -0,0 +1,22 @@
+// Copyright 2021 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+func (k KernelArguments) MergedKeys() map[string]string {
+	return map[string]string{
+		"ShouldExist":    "KernelArgument",
+		"ShouldNotExist": "KernelArgument",
+	}
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go
new file mode 100644
index 0000000000..e4c1d6815f
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go
@@ -0,0 +1,82 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"strings"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (l Luks) Key() string {
+	return l.Name
+}
+
+func (l Luks) IgnoreDuplicates() map[string]struct{} {
+	return map[string]struct{}{
+		"Options": {},
+	}
+}
+
+func (l Luks) Validate(c path.ContextPath) (r report.Report) {
+	if strings.Contains(l.Name, "/") {
+		r.AddOnError(c.Append("name"), errors.ErrLuksNameContainsSlash)
+	}
+	r.AddOnError(c.Append("label"), l.validateLabel())
+	if util.NilOrEmpty(l.Device) {
+		r.AddOnError(c.Append("device"), errors.ErrDiskDeviceRequired)
+	} else {
+		r.AddOnError(c.Append("device"), validatePath(*l.Device))
+	}
+
+	if util.NotEmpty(l.Clevis.Custom.Pin) && (len(l.Clevis.Tang) > 0 || util.IsTrue(l.Clevis.Tpm2) || (l.Clevis.Threshold != nil && *l.Clevis.Threshold != 0)) {
+		r.AddOnError(c.Append("clevis"), errors.ErrClevisCustomWithOthers)
+	}
+
+	// fail if a key file is provided and is not valid
+	if err := validateURLNilOK(l.KeyFile.Source); err != nil {
+		r.AddOnError(c.Append("keys"), errors.ErrInvalidLuksKeyFile)
+	}
+
+	// fail if Cex use with Clevis
+	if l.Clevis.IsPresent() && l.Cex.IsPresent() {
+		r.AddOnError(c.Append("cex"), errors.ErrCexWithClevis)
+	}
+
+	// fail if key file is provided along with Cex
+	if l.Cex.IsPresent() && util.NotEmpty(l.KeyFile.Source) {
+		r.AddOnError(c.Append("cex"), errors.ErrCexWithKeyFile)
+	}
+
+	return
+}
+
+func (l Luks) validateLabel() error {
+	if util.NilOrEmpty(l.Label) {
+		return nil
+	}
+
+	if len(*l.Label) > 47 {
+		// LUKS2_LABEL_L has a maximum length of 48 (including the null terminator)
+		// https://gitlab.com/cryptsetup/cryptsetup/-/blob/1633f030e89ad2f11ae649ba9600997a41abd3fc/lib/luks2/luks2.h#L86
+		return errors.ErrLuksLabelTooLong
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go
new file mode 100644
index 0000000000..9eb7573d8b
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go
@@ -0,0 +1,26 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+)
+
+func validateMode(m *int) error {
+	if m != nil && (*m < 0 || *m > 07777) {
+		return errors.ErrFileIllegalMode
+	}
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go
new file mode 100644
index 0000000000..248276e737
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go
@@ -0,0 +1,59 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"path"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	vpath "github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (n Node) Key() string {
+	return n.Path
+}
+
+func (n Node) Validate(c vpath.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("path"), validatePath(n.Path))
+	return
+}
+
+func (n Node) Depth() int {
+	count := 0
+	for p := path.Clean(string(n.Path)); p != "/"; count++ {
+		p = path.Dir(p)
+	}
+	return count
+}
+
+func validateIDorName(id *int, name *string) error {
+	if id != nil && util.NotEmpty(name) {
+		return errors.ErrBothIDAndNameSet
+	}
+	return nil
+}
+
+func (nu NodeUser) Validate(c vpath.ContextPath) (r report.Report) {
+	r.AddOnError(c, validateIDorName(nu.ID, nu.Name))
+	return
+}
+
+func (ng NodeGroup) Validate(c vpath.ContextPath) (r report.Report) {
+	r.AddOnError(c, validateIDorName(ng.ID, ng.Name))
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go
new file mode 100644
index 0000000000..1b2d97edf1
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go
@@ -0,0 +1,91 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+const (
+	guidRegexStr = "^(|[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12})$"
+)
+
+var (
+	guidRegex = regexp.MustCompile(guidRegexStr)
+)
+
+func (p Partition) Key() string {
+	if p.Number != 0 {
+		return fmt.Sprintf("number:%d", p.Number)
+	} else if p.Label != nil {
+		return fmt.Sprintf("label:%s", *p.Label)
+	} else {
+		return ""
+	}
+}
+
+func (p Partition) Validate(c path.ContextPath) (r report.Report) {
+	if util.IsFalse(p.ShouldExist) &&
+		(p.Label != nil || util.NotEmpty(p.TypeGUID) || util.NotEmpty(p.GUID) || p.StartMiB != nil || p.SizeMiB != nil) {
+		r.AddOnError(c, errors.ErrShouldNotExistWithOthers)
+	}
+	if p.Number == 0 && p.Label == nil {
+		r.AddOnError(c, errors.ErrNeedLabelOrNumber)
+	}
+
+	r.AddOnError(c.Append("label"), p.validateLabel())
+	r.AddOnError(c.Append("guid"), validateGUID(p.GUID))
+	r.AddOnError(c.Append("typeGuid"), validateGUID(p.TypeGUID))
+	return
+}
+
+func (p Partition) validateLabel() error {
+	if p.Label == nil {
+		return nil
+	}
+	// http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_entries:
+	// 56 (0x38) 	72 bytes 	Partition name (36 UTF-16LE code units)
+
+	// XXX(vc): note GPT calls it a name, we're using label for consistency
+	// with udev naming /dev/disk/by-partlabel/*.
+	if len(*p.Label) > 36 {
+		return errors.ErrLabelTooLong
+	}
+
+	// sgdisk uses colons for delimitting compound arguments and does not allow escaping them.
+	if strings.Contains(*p.Label, ":") {
+		return errors.ErrLabelContainsColon
+	}
+	return nil
+}
+
+func validateGUID(guidPointer *string) error {
+	if guidPointer == nil {
+		return nil
+	}
+	guid := *guidPointer
+	if ok := guidRegex.MatchString(guid); !ok {
+		return errors.ErrDoesntMatchGUIDRegex
+	}
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go
new file mode 100644
index 0000000000..4060a2a6f1
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go
@@ -0,0 +1,23 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+func (p PasswdUser) Key() string {
+	return p.Name
+}
+
+func (g PasswdGroup) Key() string {
+	return g.Name
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go
new file mode 100644
index 0000000000..131e300c1b
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go
@@ -0,0 +1,42 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"path"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+)
+
+func validatePath(p string) error {
+	if p == "" {
+		return errors.ErrNoPath
+	}
+	if !path.IsAbs(p) {
+		return errors.ErrPathRelative
+	}
+	if path.Clean(p) != p {
+		return errors.ErrDirtyPath
+	}
+	return nil
+}
+
+func validatePathNilOK(p *string) error {
+	if util.NilOrEmpty(p) {
+		return nil
+	}
+	return validatePath(*p)
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/proxy.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/proxy.go
new file mode 100644
index 0000000000..d48d210a0f
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/proxy.go
@@ -0,0 +1,49 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"net/url"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (p Proxy) Validate(c path.ContextPath) (r report.Report) {
+	validateProxyURL(p.HTTPProxy, c.Append("httpProxy"), &r, true)
+	validateProxyURL(p.HTTPSProxy, c.Append("httpsProxy"), &r, false)
+	return
+}
+
+func validateProxyURL(s *string, p path.ContextPath, r *report.Report, httpOk bool) {
+	if s == nil {
+		return
+	}
+	u, err := url.Parse(*s)
+	if err != nil {
+		r.AddOnError(p, errors.ErrInvalidUrl)
+		return
+	}
+
+	if u.Scheme != "https" && u.Scheme != "http" {
+		r.AddOnError(p, errors.ErrInvalidProxy)
+		return
+	}
+	if u.Scheme == "http" && !httpOk {
+		r.AddOnWarn(p, errors.ErrInsecureProxy)
+	}
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/raid.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/raid.go
new file mode 100644
index 0000000000..9d69aa366d
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/raid.go
@@ -0,0 +1,62 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (r Raid) Key() string {
+	return r.Name
+}
+
+func (r Raid) IgnoreDuplicates() map[string]struct{} {
+	return map[string]struct{}{
+		"Options": {},
+	}
+}
+
+func (ra Raid) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("level"), ra.validateLevel())
+	if len(ra.Devices) == 0 {
+		r.AddOnError(c.Append("devices"), errors.ErrRaidDevicesRequired)
+	}
+	return
+}
+
+func (r Raid) validateLevel() error {
+	if util.NilOrEmpty(r.Level) {
+		return errors.ErrRaidLevelRequired
+	}
+	switch *r.Level {
+	case "linear", "raid0", "0", "stripe":
+		if r.Spares != nil && *r.Spares != 0 {
+			return errors.ErrSparesUnsupportedForLevel
+		}
+	case "raid1", "1", "mirror":
+	case "raid4", "4":
+	case "raid5", "5":
+	case "raid6", "6":
+	case "raid10", "10":
+	default:
+		return errors.ErrUnrecognizedRaidLevel
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/resource.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/resource.go
new file mode 100644
index 0000000000..68da6c7b78
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/resource.go
@@ -0,0 +1,91 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"net/url"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (res Resource) Key() string {
+	if res.Source == nil {
+		return ""
+	}
+	return *res.Source
+}
+
+func (res Resource) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("compression"), res.validateCompression())
+	r.AddOnError(c.Append("verification", "hash"), res.validateVerification())
+	r.AddOnError(c.Append("source"), validateURLNilOK(res.Source))
+	r.AddOnError(c.Append("httpHeaders"), res.validateSchemeForHTTPHeaders())
+	return
+}
+
+func (res Resource) validateCompression() error {
+	if res.Compression != nil {
+		switch *res.Compression {
+		case "", "gzip":
+		default:
+			return errors.ErrCompressionInvalid
+		}
+	}
+	return nil
+}
+
+func (res Resource) validateVerification() error {
+	if res.Verification.Hash != nil && res.Source == nil {
+		return errors.ErrVerificationAndNilSource
+	}
+	return nil
+}
+
+func (res Resource) validateSchemeForHTTPHeaders() error {
+	if len(res.HTTPHeaders) < 1 {
+		return nil
+	}
+
+	if util.NilOrEmpty(res.Source) {
+		return errors.ErrInvalidUrl
+	}
+
+	u, err := url.Parse(*res.Source)
+	if err != nil {
+		return errors.ErrInvalidUrl
+	}
+
+	switch u.Scheme {
+	case "http", "https":
+		return nil
+	default:
+		return errors.ErrUnsupportedSchemeForHTTPHeaders
+	}
+}
+
+// Ensure that the Source is specified and valid.  This is not called by
+// Resource.Validate() because some structs that embed Resource don't
+// require Source to be specified.  Containing structs that require Source
+// should call this function from their Validate().
+func (res Resource) validateRequiredSource() error {
+	if util.NilOrEmpty(res.Source) {
+		return errors.ErrSourceRequired
+	}
+	return validateURL(*res.Source)
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/schema.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/schema.go
new file mode 100644
index 0000000000..9bc976679c
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/schema.go
@@ -0,0 +1,264 @@
+package types
+
+// generated by "schematyper --package=types config/v3_6/schema/ignition.json -o config/v3_6/types/schema.go --root-type=Config" -- DO NOT EDIT
+
+type Cex struct {
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+type Clevis struct {
+	Custom    ClevisCustom `json:"custom,omitempty"`
+	Tang      []Tang       `json:"tang,omitempty"`
+	Threshold *int         `json:"threshold,omitempty"`
+	Tpm2      *bool        `json:"tpm2,omitempty"`
+}
+
+type ClevisCustom struct {
+	Config       *string `json:"config,omitempty"`
+	NeedsNetwork *bool   `json:"needsNetwork,omitempty"`
+	Pin          *string `json:"pin,omitempty"`
+}
+
+type Config struct {
+	Ignition        Ignition        `json:"ignition"`
+	KernelArguments KernelArguments `json:"kernelArguments,omitempty"`
+	Passwd          Passwd          `json:"passwd,omitempty"`
+	Storage         Storage         `json:"storage,omitempty"`
+	Systemd         Systemd         `json:"systemd,omitempty"`
+}
+
+type Device string
+
+type Directory struct {
+	Node
+	DirectoryEmbedded1
+}
+
+type DirectoryEmbedded1 struct {
+	Mode *int `json:"mode,omitempty"`
+}
+
+type Disk struct {
+	Device     string      `json:"device"`
+	Partitions []Partition `json:"partitions,omitempty"`
+	WipeTable  *bool       `json:"wipeTable,omitempty"`
+}
+
+type Dropin struct {
+	Contents *string `json:"contents,omitempty"`
+	Name     string  `json:"name"`
+}
+
+type File struct {
+	Node
+	FileEmbedded1
+}
+
+type FileEmbedded1 struct {
+	Append   []Resource `json:"append,omitempty"`
+	Contents Resource   `json:"contents,omitempty"`
+	Mode     *int       `json:"mode,omitempty"`
+}
+
+type Filesystem struct {
+	Device         string             `json:"device"`
+	Format         *string            `json:"format,omitempty"`
+	Label          *string            `json:"label,omitempty"`
+	MountOptions   []MountOption      `json:"mountOptions,omitempty"`
+	Options        []FilesystemOption `json:"options,omitempty"`
+	Path           *string            `json:"path,omitempty"`
+	UUID           *string            `json:"uuid,omitempty"`
+	WipeFilesystem *bool              `json:"wipeFilesystem,omitempty"`
+}
+
+type FilesystemOption string
+
+type Group string
+
+type HTTPHeader struct {
+	Name  string  `json:"name"`
+	Value *string `json:"value,omitempty"`
+}
+
+type HTTPHeaders []HTTPHeader
+
+type Ignition struct {
+	Config   IgnitionConfig `json:"config,omitempty"`
+	Proxy    Proxy          `json:"proxy,omitempty"`
+	Security Security       `json:"security,omitempty"`
+	Timeouts Timeouts       `json:"timeouts,omitempty"`
+	Version  string         `json:"version"`
+}
+
+type IgnitionConfig struct {
+	Merge   []Resource `json:"merge,omitempty"`
+	Replace Resource   `json:"replace,omitempty"`
+}
+
+type KernelArgument string
+
+type KernelArguments struct {
+	ShouldExist    []KernelArgument `json:"shouldExist,omitempty"`
+	ShouldNotExist []KernelArgument `json:"shouldNotExist,omitempty"`
+}
+
+type Link struct {
+	Node
+	LinkEmbedded1
+}
+
+type LinkEmbedded1 struct {
+	Hard   *bool   `json:"hard,omitempty"`
+	Target *string `json:"target,omitempty"`
+}
+
+type Luks struct {
+	Cex         Cex          `json:"cex,omitempty"`
+	Clevis      Clevis       `json:"clevis,omitempty"`
+	Device      *string      `json:"device,omitempty"`
+	Discard     *bool        `json:"discard,omitempty"`
+	KeyFile     Resource     `json:"keyFile,omitempty"`
+	Label       *string      `json:"label,omitempty"`
+	Name        string       `json:"name"`
+	OpenOptions []OpenOption `json:"openOptions,omitempty"`
+	Options     []LuksOption `json:"options,omitempty"`
+	UUID        *string      `json:"uuid,omitempty"`
+	WipeVolume  *bool        `json:"wipeVolume,omitempty"`
+}
+
+type LuksOption string
+
+type MountOption string
+
+type NoProxyItem string
+
+type Node struct {
+	Group     NodeGroup `json:"group,omitempty"`
+	Overwrite *bool     `json:"overwrite,omitempty"`
+	Path      string    `json:"path"`
+	User      NodeUser  `json:"user,omitempty"`
+}
+
+type NodeGroup struct {
+	ID   *int    `json:"id,omitempty"`
+	Name *string `json:"name,omitempty"`
+}
+
+type NodeUser struct {
+	ID   *int    `json:"id,omitempty"`
+	Name *string `json:"name,omitempty"`
+}
+
+type OpenOption string
+
+type Partition struct {
+	GUID               *string `json:"guid,omitempty"`
+	Label              *string `json:"label,omitempty"`
+	Number             int     `json:"number,omitempty"`
+	Resize             *bool   `json:"resize,omitempty"`
+	ShouldExist        *bool   `json:"shouldExist,omitempty"`
+	SizeMiB            *int    `json:"sizeMiB,omitempty"`
+	StartMiB           *int    `json:"startMiB,omitempty"`
+	TypeGUID           *string `json:"typeGuid,omitempty"`
+	WipePartitionEntry *bool   `json:"wipePartitionEntry,omitempty"`
+}
+
+type Passwd struct {
+	Groups []PasswdGroup `json:"groups,omitempty"`
+	Users  []PasswdUser  `json:"users,omitempty"`
+}
+
+type PasswdGroup struct {
+	Gid          *int    `json:"gid,omitempty"`
+	Name         string  `json:"name"`
+	PasswordHash *string `json:"passwordHash,omitempty"`
+	ShouldExist  *bool   `json:"shouldExist,omitempty"`
+	System       *bool   `json:"system,omitempty"`
+}
+
+type PasswdUser struct {
+	Gecos             *string            `json:"gecos,omitempty"`
+	Groups            []Group            `json:"groups,omitempty"`
+	HomeDir           *string            `json:"homeDir,omitempty"`
+	Name              string             `json:"name"`
+	NoCreateHome      *bool              `json:"noCreateHome,omitempty"`
+	NoLogInit         *bool              `json:"noLogInit,omitempty"`
+	NoUserGroup       *bool              `json:"noUserGroup,omitempty"`
+	PasswordHash      *string            `json:"passwordHash,omitempty"`
+	PrimaryGroup      *string            `json:"primaryGroup,omitempty"`
+	SSHAuthorizedKeys []SSHAuthorizedKey `json:"sshAuthorizedKeys,omitempty"`
+	Shell             *string            `json:"shell,omitempty"`
+	ShouldExist       *bool              `json:"shouldExist,omitempty"`
+	System            *bool              `json:"system,omitempty"`
+	UID               *int               `json:"uid,omitempty"`
+}
+
+type Proxy struct {
+	HTTPProxy  *string       `json:"httpProxy,omitempty"`
+	HTTPSProxy *string       `json:"httpsProxy,omitempty"`
+	NoProxy    []NoProxyItem `json:"noProxy,omitempty"`
+}
+
+type Raid struct {
+	Devices []Device     `json:"devices,omitempty"`
+	Level   *string      `json:"level,omitempty"`
+	Name    string       `json:"name"`
+	Options []RaidOption `json:"options,omitempty"`
+	Spares  *int         `json:"spares,omitempty"`
+}
+
+type RaidOption string
+
+type Resource struct {
+	Compression  *string      `json:"compression,omitempty"`
+	HTTPHeaders  HTTPHeaders  `json:"httpHeaders,omitempty"`
+	Source       *string      `json:"source,omitempty"`
+	Verification Verification `json:"verification,omitempty"`
+}
+
+type SSHAuthorizedKey string
+
+type Security struct {
+	TLS TLS `json:"tls,omitempty"`
+}
+
+type Storage struct {
+	Directories []Directory  `json:"directories,omitempty"`
+	Disks       []Disk       `json:"disks,omitempty"`
+	Files       []File       `json:"files,omitempty"`
+	Filesystems []Filesystem `json:"filesystems,omitempty"`
+	Links       []Link       `json:"links,omitempty"`
+	Luks        []Luks       `json:"luks,omitempty"`
+	Raid        []Raid       `json:"raid,omitempty"`
+}
+
+type Systemd struct {
+	Units []Unit `json:"units,omitempty"`
+}
+
+type TLS struct {
+	CertificateAuthorities []Resource `json:"certificateAuthorities,omitempty"`
+}
+
+type Tang struct {
+	Advertisement *string `json:"advertisement,omitempty"`
+	Thumbprint    *string `json:"thumbprint,omitempty"`
+	URL           string  `json:"url,omitempty"`
+}
+
+type Timeouts struct {
+	HTTPResponseHeaders *int `json:"httpResponseHeaders,omitempty"`
+	HTTPTotal           *int `json:"httpTotal,omitempty"`
+}
+
+type Unit struct {
+	Contents *string  `json:"contents,omitempty"`
+	Dropins  []Dropin `json:"dropins,omitempty"`
+	Enabled  *bool    `json:"enabled,omitempty"`
+	Mask     *bool    `json:"mask,omitempty"`
+	Name     string   `json:"name"`
+}
+
+type Verification struct {
+	Hash *string `json:"hash,omitempty"`
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/storage.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/storage.go
new file mode 100644
index 0000000000..20cb730482
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/storage.go
@@ -0,0 +1,115 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"path"
+	"strings"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	vpath "github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (s Storage) MergedKeys() map[string]string {
+	return map[string]string{
+		"Directories": "Node",
+		"Files":       "Node",
+		"Links":       "Node",
+	}
+}
+
+func (s Storage) Validate(c vpath.ContextPath) (r report.Report) {
+	s.validateDirectories(c, &r)
+	s.validateFiles(c, &r)
+	s.validateLinks(c, &r)
+	s.validateFilesystems(c, &r)
+	return
+}
+
+func (s Storage) validateDirectories(c vpath.ContextPath, r *report.Report) {
+	for i, d := range s.Directories {
+		for _, l := range s.Links {
+			if strings.HasPrefix(d.Path, l.Path+"/") {
+				r.AddOnError(c.Append("directories", i), errors.ErrDirectoryUsedSymlink)
+			}
+		}
+	}
+}
+
+func (s Storage) validateFiles(c vpath.ContextPath, r *report.Report) {
+	for i, f := range s.Files {
+		for _, l := range s.Links {
+			if strings.HasPrefix(f.Path, l.Path+"/") {
+				r.AddOnError(c.Append("files", i), errors.ErrFileUsedSymlink)
+			}
+		}
+	}
+}
+
+func (s Storage) validateLinks(c vpath.ContextPath, r *report.Report) {
+	for i, l1 := range s.Links {
+		for _, l2 := range s.Links {
+			if strings.HasPrefix(l1.Path, l2.Path+"/") {
+				r.AddOnError(c.Append("links", i), errors.ErrLinkUsedSymlink)
+			}
+		}
+		if util.NilOrEmpty(l1.Target) {
+			r.AddOnError(c.Append("links", i, "target"), errors.ErrLinkTargetRequired)
+			continue
+		}
+		if !util.IsTrue(l1.Hard) {
+			continue
+		}
+		target := path.Clean(*l1.Target)
+		if !path.IsAbs(target) {
+			target = path.Join(l1.Path, *l1.Target)
+		}
+		for _, d := range s.Directories {
+			if target == d.Path {
+				r.AddOnError(c.Append("links", i), errors.ErrHardLinkToDirectory)
+			}
+		}
+		ownerCheck := func(ok bool, path vpath.ContextPath) {
+			if !ok {
+				r.AddOnWarn(path, errors.ErrHardLinkSpecifiesOwner)
+			}
+		}
+		ownerCheck(l1.User.ID == nil, c.Append("links", i, "user", "id"))
+		ownerCheck(l1.User.Name == nil, c.Append("links", i, "user", "name"))
+		ownerCheck(l1.Group.ID == nil, c.Append("links", i, "group", "id"))
+		ownerCheck(l1.Group.Name == nil, c.Append("links", i, "group", "name"))
+	}
+}
+
+func (s Storage) validateFilesystems(c vpath.ContextPath, r *report.Report) {
+	disks := make(map[string]Disk)
+	for _, d := range s.Disks {
+		disks[d.Device] = d
+	}
+
+	for i, f := range s.Filesystems {
+		disk, exist := disks[f.Device]
+		if exist {
+			if len(disk.Partitions) > 0 {
+				r.AddOnWarn(c.Append("filesystems", i, "device"), errors.ErrPartitionsOverwritten)
+			} else if !util.IsTrue(f.WipeFilesystem) && util.IsTrue(disk.WipeTable) {
+				r.AddOnWarn(c.Append("filesystems", i, "device"), errors.ErrFilesystemImplicitWipe)
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/systemd.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/systemd.go
new file mode 100644
index 0000000000..ac521ba73f
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/systemd.go
@@ -0,0 +1,61 @@
+// Copyright 2022 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"regexp"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/shared/parse"
+	"github.com/coreos/ignition/v2/config/util"
+
+	vpath "github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (s Systemd) Validate(c vpath.ContextPath) (r report.Report) {
+	units := make(map[string]Unit)
+	checkInstanceUnit := regexp.MustCompile(`^(.+?)@(.+?)\.service$`)
+	for _, d := range s.Units {
+		units[d.Name] = d
+	}
+	for index, unit := range s.Units {
+		if checkInstanceUnit.MatchString(unit.Name) && util.IsTrue(unit.Enabled) {
+			instUnitSlice := checkInstanceUnit.FindSubmatch([]byte(unit.Name))
+			instantiableUnit := string(instUnitSlice[1]) + "@.service"
+			if _, ok := units[instantiableUnit]; ok && util.NotEmpty(units[instantiableUnit].Contents) {
+				foundInstallSection := false
+				// we're doing a separate validation pass on each unit to identify
+				// if an instantiable unit has the install section. So logging an
+				// `AddOnError` will produce duplicate errors on bad unit contents
+				// because we're already doing that while validating a unit separately.
+				opts, err := parse.ParseUnitContents(units[instantiableUnit].Contents)
+				if err != nil {
+					continue
+				}
+				for _, section := range opts {
+					if section.Section == "Install" {
+						foundInstallSection = true
+						break
+					}
+				}
+				if !foundInstallSection {
+					r.AddOnWarn(c.Append("units", index, "contents"), errors.NewNoInstallSectionForInstantiableUnitError(instantiableUnit, unit.Name))
+				}
+			}
+		}
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tang.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tang.go
new file mode 100644
index 0000000000..1839d6cc32
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tang.go
@@ -0,0 +1,65 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"encoding/json"
+	"net/url"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (t Tang) Key() string {
+	return t.URL
+}
+
+func (t Tang) Validate(c path.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("url"), validateTangURL(t.URL))
+	if util.NilOrEmpty(t.Thumbprint) {
+		r.AddOnError(c.Append("thumbprint"), errors.ErrTangThumbprintRequired)
+	}
+	r.AddOnError(c.Append("advertisement"), validateTangAdvertisement(t.Advertisement))
+	return
+}
+
+func validateTangURL(s string) error {
+	u, err := url.Parse(s)
+	if err != nil {
+		return errors.ErrInvalidUrl
+	}
+
+	switch u.Scheme {
+	case "http", "https":
+		return nil
+	default:
+		return errors.ErrInvalidScheme
+	}
+}
+
+func validateTangAdvertisement(s *string) error {
+	if util.NotEmpty(s) {
+		var adv any
+		err := json.Unmarshal([]byte(*s), &adv)
+		if err != nil {
+			return errors.ErrInvalidTangAdvertisement
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tls.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tls.go
new file mode 100644
index 0000000000..8890e397e8
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/tls.go
@@ -0,0 +1,27 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (tls TLS) Validate(c path.ContextPath) (r report.Report) {
+	for i, ca := range tls.CertificateAuthorities {
+		r.AddOnError(c.Append("certificateAuthorities", i), ca.validateRequiredSource())
+	}
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/unit.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/unit.go
new file mode 100644
index 0000000000..c5ee1e8e3d
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/unit.go
@@ -0,0 +1,68 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"path"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/shared/parse"
+	"github.com/coreos/ignition/v2/config/shared/validations"
+	"github.com/coreos/ignition/v2/config/util"
+
+	cpath "github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+func (u Unit) Key() string {
+	return u.Name
+}
+
+func (d Dropin) Key() string {
+	return d.Name
+}
+
+func (u Unit) Validate(c cpath.ContextPath) (r report.Report) {
+	r.AddOnError(c.Append("name"), validateName(u.Name))
+	c = c.Append("contents")
+	opts, err := parse.ParseUnitContents(u.Contents)
+	r.AddOnError(c, err)
+
+	r.AddOnWarn(c, validations.ValidateInstallSection(u.Name, util.IsTrue(u.Enabled), util.NilOrEmpty(u.Contents), opts))
+
+	return
+}
+
+func validateName(name string) error {
+	switch path.Ext(name) {
+	case ".service", ".socket", ".device", ".mount", ".automount", ".swap", ".target", ".path", ".timer", ".snapshot", ".slice", ".scope":
+	default:
+		return errors.ErrInvalidSystemdExt
+	}
+	return nil
+}
+
+func (d Dropin) Validate(c cpath.ContextPath) (r report.Report) {
+	_, err := parse.ParseUnitContents(d.Contents)
+	r.AddOnError(c.Append("contents"), err)
+
+	switch path.Ext(d.Name) {
+	case ".conf":
+	default:
+		r.AddOnError(c.Append("name"), errors.ErrInvalidSystemdDropinExt)
+	}
+
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/url.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/url.go
new file mode 100644
index 0000000000..97a4c9ae22
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/url.go
@@ -0,0 +1,83 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/vincent-petithory/dataurl"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+	"github.com/coreos/ignition/v2/config/util"
+)
+
+func validateURL(s string) error {
+	u, err := url.Parse(s)
+	if err != nil {
+		return errors.ErrInvalidUrl
+	}
+
+	switch u.Scheme {
+	case "http", "https", "tftp", "gs":
+		return nil
+	case "s3":
+		if v, ok := u.Query()["versionId"]; ok {
+			if len(v) == 0 || v[0] == "" {
+				return errors.ErrInvalidS3ObjectVersionId
+			}
+		}
+		return nil
+	case "arn":
+		fullURL := u.Scheme + ":" + u.Opaque
+		if !arn.IsARN(fullURL) {
+			return errors.ErrInvalidS3ARN
+		}
+		s3arn, err := arn.Parse(fullURL)
+		if err != nil {
+			return err
+		}
+		if s3arn.Service != "s3" {
+			return errors.ErrInvalidS3ARN
+		}
+		urlSplit := strings.Split(fullURL, "/")
+		if strings.HasPrefix(s3arn.Resource, "accesspoint/") && len(urlSplit) < 3 {
+			return errors.ErrInvalidS3ARN
+		} else if len(urlSplit) < 2 {
+			return errors.ErrInvalidS3ARN
+		}
+		if v, ok := u.Query()["versionId"]; ok {
+			if len(v) == 0 || v[0] == "" {
+				return errors.ErrInvalidS3ObjectVersionId
+			}
+		}
+		return nil
+	case "data":
+		if _, err := dataurl.DecodeString(s); err != nil {
+			return err
+		}
+		return nil
+	default:
+		return errors.ErrInvalidScheme
+	}
+}
+
+func validateURLNilOK(s *string) error {
+	if util.NilOrEmpty(s) {
+		return nil
+	}
+	return validateURL(*s)
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/v3_6/types/verification.go b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/verification.go
new file mode 100644
index 0000000000..5def6f04b0
--- /dev/null
+++ b/vendor/github.com/coreos/ignition/v2/config/v3_6/types/verification.go
@@ -0,0 +1,71 @@
+// Copyright 2020 Red Hat, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types
+
+import (
+	"crypto"
+	"encoding/hex"
+	"strings"
+
+	"github.com/coreos/ignition/v2/config/shared/errors"
+
+	"github.com/coreos/vcontext/path"
+	"github.com/coreos/vcontext/report"
+)
+
+// HashParts will return the sum and function (in that order) of the hash stored
+// in this Verification, or an error if there is an issue during parsing.
+func (v Verification) HashParts() (string, string, error) {
+	if v.Hash == nil {
+		// The hash can be nil
+		return "", "", nil
+	}
+	parts := strings.SplitN(*v.Hash, "-", 2)
+	if len(parts) != 2 {
+		return "", "", errors.ErrHashMalformed
+	}
+
+	return parts[0], parts[1], nil
+}
+
+func (v Verification) Validate(c path.ContextPath) (r report.Report) {
+	c = c.Append("hash")
+	if v.Hash == nil {
+		// The hash can be nil
+		return
+	}
+
+	function, sum, err := v.HashParts()
+	if err != nil {
+		r.AddOnError(c, err)
+		return
+	}
+	var hash crypto.Hash
+	switch function {
+	case "sha512":
+		hash = crypto.SHA512
+	case "sha256":
+		hash = crypto.SHA256
+	default:
+		r.AddOnError(c, errors.ErrHashUnrecognized)
+		return
+	}
+
+	if len(sum) != hex.EncodedLen(hash.Size()) {
+		r.AddOnError(c, errors.ErrHashWrongSize)
+	}
+
+	return
+}
diff --git a/vendor/github.com/coreos/ignition/v2/config/validate/validate.go b/vendor/github.com/coreos/ignition/v2/config/validate/validate.go
index 613c21e446..56ffcd0a76 100644
--- a/vendor/github.com/coreos/ignition/v2/config/validate/validate.go
+++ b/vendor/github.com/coreos/ignition/v2/config/validate/validate.go
@@ -83,7 +83,7 @@ func ValidateUnusedKeys(v reflect.Value, c path.ContextPath, root tree.Node) (r
 	mapNode, ok := node.(tree.MapNode)
 	if !ok {
 		// Something is wrong, we won't be able to report unused keys here, so just warn about it and stop trying
-		r.AddOnWarn(c, fmt.Errorf("context tree does not match content tree at %s. Line and column reporting may be inconsistent. Unused keys may not be reported.", c.String()))
+		r.AddOnWarn(c, fmt.Errorf("context tree does not match content tree at %s. Line and column reporting may be inconsistent. Unused keys may not be reported", c.String()))
 		return
 	}
 
@@ -94,7 +94,7 @@ func ValidateUnusedKeys(v reflect.Value, c path.ContextPath, root tree.Node) (r
 	}
 	for key := range mapNode.Keys {
 		if _, ok := fieldMap[key]; !ok {
-			r.AddOnWarn(c.Append(tree.Key(key)), fmt.Errorf("Unused key %s", key))
+			r.AddOnWarn(c.Append(tree.Key(key)), fmt.Errorf("unused key %s", key))
 		}
 	}
 	return
diff --git a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
deleted file mode 100644
index 6f717dbd86..0000000000
--- a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# v4.0.4
-
-## Fixed
-
- - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
-   breaking change. See #136 / #137.
-
-# v4.0.3
-
-## Changed
-
- - Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
- - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
- - Dependency updates
-
-# v4.0.2
-
-## Changed
-
- - Improved documentation of Verify() to note that JSONWebKeySet is a supported
-   argument type (#104)
- - Defined exported error values for missing x5c header and unsupported elliptic
-   curves error cases (#117)
-
-# v4.0.1
-
-## Fixed
-
- - An attacker could send a JWE containing compressed data that used large
-   amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
-   Those functions now return an error if the decompressed data would exceed
-   250kB or 10x the compressed size (whichever is larger). Thanks to
-   Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
-   for reporting.
-
-# v4.0.0
-
-This release makes some breaking changes in order to more thoroughly
-address the vulnerabilities discussed in [Three New Attacks Against JSON Web
-Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
-token".
-
-## Changed
-
- - Limit JWT encryption types (exclude password or public key types) (#78)
- - Enforce minimum length for HMAC keys (#85)
- - jwt: match any audience in a list, rather than requiring all audiences (#81)
- - jwt: accept only Compact Serialization (#75)
- - jws: Add expected algorithms for signatures (#74)
- - Require specifying expected algorithms for ParseEncrypted,
-   ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
-   jwt.ParseSignedAndEncrypted (#69, #74)
-   - Usually there is a small, known set of appropriate algorithms for a program
-     to use and it's a mistake to allow unexpected algorithms. For instance the
-     "billion hash attack" relies in part on programs accepting the PBES2
-     encryption algorithm and doing the necessary work even if they weren't
-     specifically configured to allow PBES2.
- - Revert "Strip padding off base64 strings" (#82)
-  - The specs require base64url encoding without padding.
- - Minimum supported Go version is now 1.21
-
-## Added
-
- - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
-   - These allow parsing a specific serialization, as opposed to ParseSigned and
-     ParseEncrypted, which try to automatically detect which serialization was
-     provided. It's common to require a specific serialization for a specific
-     protocol - for instance JWT requires Compact serialization.
-
-[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v3.0.2
-
-## Fixed
-
- - DecryptMulti: handle decompression error (#19)
-
-## Changed
-
- - jwe/CompactSerialize: improve performance (#67)
- - Increase the default number of PBKDF2 iterations to 600k (#48)
- - Return the proper algorithm for ECDSA keys (#45)
-
-## Added
-
- - Add Thumbprint support for opaque signers (#38)
-
-# v3.0.1
-
-## Fixed
-
- - Security issue: an attacker specifying a large "p2c" value can cause
-   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
-   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
-   disclosure and to Tom Tervoort for originally publishing the category of attack.
-   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
index 02b5749546..55c5509176 100644
--- a/vendor/github.com/go-jose/go-jose/v4/README.md
+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
@@ -3,7 +3,6 @@
 [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
 [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
 [![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
-[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
 
 Package jose aims to provide an implementation of the Javascript Object Signing
 and Encryption set of standards. This includes support for JSON Web Encryption,
@@ -29,17 +28,20 @@ libraries in other languages.
 
 ### Versions
 
-[Version 4](https://github.com/go-jose/go-jose)
-([branch](https://github.com/go-jose/go-jose/tree/main),
-[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
+The forthcoming Version 5 will be released with several breaking API changes,
+and will require Golang's `encoding/json/v2`, which is currently requires 
+Go 1.25 built with GOEXPERIMENT=jsonv2.
+
+Version 4 is the current stable version:
 
     import "github.com/go-jose/go-jose/v4"
 
-The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
-are still useable but not actively developed anymore.
+It supports at least the current and previous Golang release. Currently it
+requires Golang 1.24.
+
+Version 3 is only receiving critical security updates. Migration to Version 4 is recommended.
 
-Version 3, in this repo, is still receiving security fixes but not functionality
-updates.
+Versions 1 and 2 are obsolete, but can be found in the old repository, [square/go-jose](https://github.com/square/go-jose).
 
 ### Supported algorithms
 
@@ -47,36 +49,36 @@ See below for a table of supported algorithms. Algorithm identifiers match
 the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
 standard where possible. The Godoc reference has a list of constants.
 
- Key encryption             | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSA-PKCS#1v1.5             | RSA1_5
- RSA-OAEP                   | RSA-OAEP, RSA-OAEP-256
- AES key wrap               | A128KW, A192KW, A256KW
- AES-GCM key wrap           | A128GCMKW, A192GCMKW, A256GCMKW
- ECDH-ES + AES key wrap     | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
- ECDH-ES (direct)           | ECDH-ES<sup>1</sup>
- Direct encryption          | dir<sup>1</sup>
+| Key encryption         | Algorithm identifier(s)                        |
+|:-----------------------|:-----------------------------------------------|
+| RSA-PKCS#1v1.5         | RSA1_5                                         |
+| RSA-OAEP               | RSA-OAEP, RSA-OAEP-256                         |
+| AES key wrap           | A128KW, A192KW, A256KW                         |
+| AES-GCM key wrap       | A128GCMKW, A192GCMKW, A256GCMKW                |
+| ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |
+| ECDH-ES (direct)       | ECDH-ES<sup>1</sup>                            |
+| Direct encryption      | dir<sup>1</sup>                                |
 
 <sup>1. Not supported in multi-recipient mode</sup>
 
- Signing / MAC              | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSASSA-PKCS#1v1.5          | RS256, RS384, RS512
- RSASSA-PSS                 | PS256, PS384, PS512
- HMAC                       | HS256, HS384, HS512
- ECDSA                      | ES256, ES384, ES512
- Ed25519                    | EdDSA<sup>2</sup>
+| Signing / MAC     | Algorithm identifier(s) |
+|:------------------|:------------------------|
+| RSASSA-PKCS#1v1.5 | RS256, RS384, RS512     |
+| RSASSA-PSS        | PS256, PS384, PS512     |
+| HMAC              | HS256, HS384, HS512     |
+| ECDSA             | ES256, ES384, ES512     |
+| Ed25519           | EdDSA<sup>2</sup>       |
 
 <sup>2. Only available in version 2 of the package</sup>
 
- Content encryption         | Algorithm identifier(s)
- :------------------------- | :------------------------------
- AES-CBC+HMAC               | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM                    | A128GCM, A192GCM, A256GCM
+| Content encryption | Algorithm identifier(s)                     |
+|:-------------------|:--------------------------------------------|
+| AES-CBC+HMAC       | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
+| AES-GCM            | A128GCM, A192GCM, A256GCM                   |
 
- Compression                | Algorithm identifiers(s)
- :------------------------- | -------------------------------
- DEFLATE (RFC 1951)         | DEF
+| Compression        | Algorithm identifiers(s) |
+|:-------------------|--------------------------|
+| DEFLATE (RFC 1951) | DEF                      |
 
 ### Supported key types
 
@@ -85,12 +87,12 @@ library, and can be passed to corresponding functions such as `NewEncrypter` or
 `NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
 allows attaching a key id.
 
- Algorithm(s)               | Corresponding types
- :------------------------- | -------------------------------
- RSA                        | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)
- ECDH, ECDSA                | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)
- EdDSA<sup>1</sup>          | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey)
- AES, HMAC                  | []byte
+| Algorithm(s)      | Corresponding types                                                                                                                  |
+|:------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| RSA               | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)             |
+| ECDH, ECDSA       | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)     |
+| EdDSA<sup>1</sup> | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) |
+| AES, HMAC         | []byte                                                                                                                               |
 
 <sup>1. Only available in version 2 or later of the package</sup>
 
diff --git a/vendor/github.com/go-jose/go-jose/v4/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go
index d81b03b447..31290fc871 100644
--- a/vendor/github.com/go-jose/go-jose/v4/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v4/crypter.go
@@ -286,6 +286,10 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey
 		return newSymmetricRecipient(alg, encryptionKey)
 	case string:
 		return newSymmetricRecipient(alg, []byte(encryptionKey))
+	case JSONWebKey:
+		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
+		recipient.keyID = encryptionKey.KeyID
+		return recipient, err
 	case *JSONWebKey:
 		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
 		recipient.keyID = encryptionKey.KeyID
@@ -450,13 +454,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
 		return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
 	}
 
-	critical, err := headers.getCritical()
+	err := headers.checkNoCritical()
 	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+		return nil, err
 	}
 
 	key, err := tryJWKS(decryptionKey, obj.Header)
@@ -523,13 +523,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
 func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
 	globalHeaders := obj.mergedHeaders(nil)
 
-	critical, err := globalHeaders.getCritical()
+	err := globalHeaders.checkNoCritical()
 	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+		return -1, Header{}, nil, err
 	}
 
 	key, err := tryJWKS(decryptionKey, obj.Header)
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
index 9f1322dccc..6102f91000 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -274,7 +274,7 @@ func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncr
 	if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
 		return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
 	}
-	if alg != "" && !containsContentEncryption(contentEncryption, enc) {
+	if enc != "" && !containsContentEncryption(contentEncryption, enc) {
 		return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
 	}
 	return nil
@@ -288,11 +288,20 @@ func ParseEncryptedCompact(
 	keyAlgorithms []KeyAlgorithm,
 	contentEncryption []ContentEncryption,
 ) (*JSONWebEncryption, error) {
-	// Five parts is four separators
-	if strings.Count(input, ".") != 4 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+	var parts [5]string
+	var ok bool
+
+	for i := range 4 {
+		parts[i], input, ok = strings.Cut(input, ".")
+		if !ok {
+			return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
+		}
+	}
+	// Validate that the last part does not contain more dots
+	if strings.ContainsRune(input, '.') {
+		return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
 	}
-	parts := strings.SplitN(input, ".", 5)
+	parts[4] = input
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
index 9e57e93ba2..164d6a1619 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
@@ -175,6 +175,8 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
 }
 
 // UnmarshalJSON reads a key from its JSON representation.
+//
+// Returns ErrUnsupportedKeyType for unrecognized or unsupported "kty" header values.
 func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 	var raw rawJSONWebKey
 	err = json.Unmarshal(data, &raw)
@@ -228,7 +230,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 		}
 		key, err = raw.symmetricKey()
 	case "OKP":
-		if raw.Crv == "Ed25519" && raw.X != nil {
+		if raw.Crv == "Ed25519" {
 			if raw.D != nil {
 				key, err = raw.edPrivateKey()
 				if err == nil {
@@ -238,17 +240,27 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 				key, err = raw.edPublicKey()
 				keyPub = key
 			}
-		} else {
-			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
 		}
-	default:
-		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+	case "":
+		// kty MUST be present
+		err = fmt.Errorf("go-jose/go-jose: missing json web key type")
 	}
 
 	if err != nil {
 		return
 	}
 
+	if key == nil {
+		// RFC 7517:
+		// 5.  JWK Set Format
+		// ...
+		//     Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
+		//     (key type) values that are not understood by them, that are missing
+		//     required members, or for which values are out of the supported
+		//     ranges.
+		return ErrUnsupportedKeyType
+	}
+
 	if certPub != nil && keyPub != nil {
 		if !reflect.DeepEqual(certPub, keyPub) {
 			return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
@@ -581,10 +593,10 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
 
 func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
 	var missing []string
-	switch {
-	case key.D == nil:
+	if key.D == nil {
 		missing = append(missing, "D")
-	case key.X == nil:
+	}
+	if key.X == nil {
 		missing = append(missing, "X")
 	}
 
@@ -611,19 +623,21 @@ func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
 
 func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
 	var missing []string
-	switch {
-	case key.N == nil:
+	if key.N == nil {
 		missing = append(missing, "N")
-	case key.E == nil:
+	}
+	if key.E == nil {
 		missing = append(missing, "E")
-	case key.D == nil:
+	}
+	if key.D == nil {
 		missing = append(missing, "D")
-	case key.P == nil:
+	}
+	if key.P == nil {
 		missing = append(missing, "P")
-	case key.Q == nil:
+	}
+	if key.Q == nil {
 		missing = append(missing, "Q")
 	}
-
 	if len(missing) > 0 {
 		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
 	}
@@ -698,8 +712,19 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
 		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
 	}
 
-	if key.X == nil || key.Y == nil || key.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
+	var missing []string
+	if key.X == nil {
+		missing = append(missing, "X")
+	}
+	if key.Y == nil {
+		missing = append(missing, "Y")
+	}
+	if key.D == nil {
+		missing = append(missing, "D")
+	}
+
+	if len(missing) > 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing %s value(s)", strings.Join(missing, ", "))
 	}
 
 	// The length of this octet string MUST be the full size of a coordinate for
diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
index d09d8ba507..c40bd3ec10 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -75,7 +75,14 @@ type Signature struct {
 	original  *rawSignatureInfo
 }
 
-// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
+// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization. Validation fails if
+// the JWS is signed with an algorithm that isn't in the provided list of signature algorithms.
+// Applications should decide for themselves which signature algorithms are acceptable. If you're
+// not sure which signature algorithms your application might receive, consult the documentation of
+// the program which provides them or the protocol that you are implementing. You can also try
+// getting an example JWS and decoding it with a tool like https://jwt.io to see what its "alg"
+// header parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
 //
 // https://datatracker.ietf.org/doc/html/rfc7515#section-7
 func ParseSigned(
@@ -90,7 +97,14 @@ func ParseSigned(
 	return parseSignedCompact(signature, nil, signatureAlgorithms)
 }
 
-// ParseSignedCompact parses a message in JWS Compact Serialization.
+// ParseSignedCompact parses a message in JWS Compact Serialization. Validation fails if the JWS is
+// signed with an algorithm that isn't in the provided list of signature algorithms. Applications
+// should decide for themselves which signature algorithms are acceptable.If you're not sure which
+// signature algorithms your application might receive, consult the documentation of the program
+// which provides them or the protocol that you are implementing. You can also try getting an
+// example JWS and decoding it with a tool like https://jwt.io to see what its "alg" header
+// parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
 //
 // https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
 func ParseSignedCompact(
@@ -101,6 +115,15 @@ func ParseSignedCompact(
 }
 
 // ParseDetached parses a signed message in compact serialization format with detached payload.
+// Validation fails if the JWS is signed with an algorithm that isn't in the provided list of
+// signature algorithms. Applications should decide for themselves which signature algorithms are
+// acceptable. If you're not sure which signature algorithms your application might receive, consult
+// the documentation of the program which provides them or the protocol that you are implementing.
+// You can also try getting an example JWS and decoding it with a tool like https://jwt.io to see
+// what its "alg" header parameter indicates. The signature on the JWS does not get validated during
+// parsing. Call Verify() after parsing to validate the signature and obtain the payload.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#appendix-F
 func ParseDetached(
 	signature string,
 	payload []byte,
@@ -181,6 +204,25 @@ func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureA
 	return false
 }
 
+// ErrUnexpectedSignatureAlgorithm is returned when the signature algorithm in
+// the JWS header does not match one of the expected algorithms.
+type ErrUnexpectedSignatureAlgorithm struct {
+	// Got is the signature algorithm found in the JWS header.
+	Got      SignatureAlgorithm
+	expected []SignatureAlgorithm
+}
+
+func (e *ErrUnexpectedSignatureAlgorithm) Error() string {
+	return fmt.Sprintf("unexpected signature algorithm %q; expected %q", e.Got, e.expected)
+}
+
+func newErrUnexpectedSignatureAlgorithm(got SignatureAlgorithm, expected []SignatureAlgorithm) error {
+	return &ErrUnexpectedSignatureAlgorithm{
+		Got:      got,
+		expected: expected,
+	}
+}
+
 // sanitized produces a cleaned-up JWS object from the raw JSON.
 func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
 	if len(signatureAlgorithms) == 0 {
@@ -236,8 +278,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
 
 		alg := SignatureAlgorithm(signature.Header.Algorithm)
 		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
+			return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
 		}
 
 		if signature.header != nil {
@@ -285,8 +326,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
 
 		alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
 		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
+			return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
 		}
 
 		if obj.Signatures[i].header != nil {
@@ -321,35 +361,43 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
 	return obj, nil
 }
 
+const tokenDelim = "."
+
 // parseSignedCompact parses a message in compact format.
 func parseSignedCompact(
 	input string,
 	payload []byte,
 	signatureAlgorithms []SignatureAlgorithm,
 ) (*JSONWebSignature, error) {
-	// Three parts is two separators
-	if strings.Count(input, ".") != 2 {
+	protected, s, ok := strings.Cut(input, tokenDelim)
+	if !ok { // no period found
+		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+	}
+	claims, sig, ok := strings.Cut(s, tokenDelim)
+	if !ok { // only one period found
+		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+	}
+	if strings.ContainsRune(sig, '.') { // too many periods found
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
-	parts := strings.SplitN(input, ".", 3)
 
-	if parts[1] != "" && payload != nil {
+	if claims != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
 	}
 
-	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+	rawProtected, err := base64.RawURLEncoding.DecodeString(protected)
 	if err != nil {
 		return nil, err
 	}
 
 	if payload == nil {
-		payload, err = base64.RawURLEncoding.DecodeString(parts[1])
+		payload, err = base64.RawURLEncoding.DecodeString(claims)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
+	signature, err := base64.RawURLEncoding.DecodeString(sig)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/go-jose/go-jose/v4/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go
index 1ec3396126..35130b3aa8 100644
--- a/vendor/github.com/go-jose/go-jose/v4/shared.go
+++ b/vendor/github.com/go-jose/go-jose/v4/shared.go
@@ -77,6 +77,9 @@ var (
 
 	// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
 	ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
+
+	// ErrUnsupportedCriticalHeader is returned when a header is marked critical but not supported by go-jose.
+	ErrUnsupportedCriticalHeader = errors.New("go-jose/go-jose: unsupported critical header")
 )
 
 // Key management algorithms
@@ -167,8 +170,8 @@ const (
 )
 
 // supportedCritical is the set of supported extensions that are understood and processed.
-var supportedCritical = map[string]bool{
-	headerB64: true,
+var supportedCritical = map[string]struct{}{
+	headerB64: {},
 }
 
 // rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
@@ -346,6 +349,32 @@ func (parsed rawHeader) getCritical() ([]string, error) {
 	return q, nil
 }
 
+// checkNoCritical verifies there are no critical headers present.
+func (parsed rawHeader) checkNoCritical() error {
+	if _, ok := parsed[headerCritical]; ok {
+		return ErrUnsupportedCriticalHeader
+	}
+
+	return nil
+}
+
+// checkSupportedCritical verifies there are no unsupported critical headers.
+// Supported headers are passed in as a set: map of names to empty structs
+func (parsed rawHeader) checkSupportedCritical(supported map[string]struct{}) error {
+	crit, err := parsed.getCritical()
+	if err != nil {
+		return err
+	}
+
+	for _, name := range crit {
+		if _, ok := supported[name]; !ok {
+			return ErrUnsupportedCriticalHeader
+		}
+	}
+
+	return nil
+}
+
 // getS2C extracts parsed "p2c" from the raw JSON.
 func (parsed rawHeader) getP2C() (int, error) {
 	v := parsed[headerP2C]
diff --git a/vendor/github.com/go-jose/go-jose/v4/signing.go b/vendor/github.com/go-jose/go-jose/v4/signing.go
index 3dec0112b6..5dbd04c278 100644
--- a/vendor/github.com/go-jose/go-jose/v4/signing.go
+++ b/vendor/github.com/go-jose/go-jose/v4/signing.go
@@ -404,15 +404,23 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
 	}
 
 	signature := obj.Signatures[0]
-	headers := signature.mergedHeaders()
-	critical, err := headers.getCritical()
-	if err != nil {
-		return err
+
+	if signature.header != nil {
+		// Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
+		// 4.1.11. "crit" (Critical) Header Parameter
+		// "When used, this Header Parameter MUST be integrity
+		// protected; therefore, it MUST occur only within the JWS
+		// Protected Header."
+		err = signature.header.checkNoCritical()
+		if err != nil {
+			return err
+		}
 	}
 
-	for _, name := range critical {
-		if !supportedCritical[name] {
-			return ErrCryptoFailure
+	if signature.protected != nil {
+		err = signature.protected.checkSupportedCritical(supportedCritical)
+		if err != nil {
+			return err
 		}
 	}
 
@@ -421,6 +429,7 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
 		return ErrCryptoFailure
 	}
 
+	headers := signature.mergedHeaders()
 	alg := headers.getSignatureAlgorithm()
 	err = verifier.verifyPayload(input, signature.Signature, alg)
 	if err == nil {
@@ -469,14 +478,22 @@ func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey
 
 outer:
 	for i, signature := range obj.Signatures {
-		headers := signature.mergedHeaders()
-		critical, err := headers.getCritical()
-		if err != nil {
-			continue
+		if signature.header != nil {
+			// Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
+			// 4.1.11. "crit" (Critical) Header Parameter
+			// "When used, this Header Parameter MUST be integrity
+			// protected; therefore, it MUST occur only within the JWS
+			// Protected Header."
+			err = signature.header.checkNoCritical()
+			if err != nil {
+				continue outer
+			}
 		}
 
-		for _, name := range critical {
-			if !supportedCritical[name] {
+		if signature.protected != nil {
+			// Check for only supported critical headers
+			err = signature.protected.checkSupportedCritical(supportedCritical)
+			if err != nil {
 				continue outer
 			}
 		}
@@ -486,6 +503,7 @@ outer:
 			continue
 		}
 
+		headers := signature.mergedHeaders()
 		alg := headers.getSignatureAlgorithm()
 		err = verifier.verifyPayload(input, signature.Signature, alg)
 		if err == nil {
diff --git a/vendor/github.com/go-jose/go-jose/v4/symmetric.go b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
index a69103b084..09efefb265 100644
--- a/vendor/github.com/go-jose/go-jose/v4/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
@@ -21,6 +21,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
@@ -30,8 +31,6 @@ import (
 	"hash"
 	"io"
 
-	"golang.org/x/crypto/pbkdf2"
-
 	josecipher "github.com/go-jose/go-jose/v4/cipher"
 )
 
@@ -330,7 +329,10 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
 
 		// derive key
 		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
+		key, err := pbkdf2.Key(h, string(ctx.key), salt, ctx.p2c, keyLen)
+		if err != nil {
+			return recipientInfo{}, nil
+		}
 
 		// use AES cipher with derived key
 		block, err := aes.NewCipher(key)
@@ -432,7 +434,10 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 
 		// derive key
 		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
+		key, err := pbkdf2.Key(h, string(ctx.key), salt, p2c, keyLen)
+		if err != nil {
+			return nil, err
+		}
 
 		// use AES cipher with derived key
 		block, err := aes.NewCipher(key)
diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go
index eeed1e92b0..2fd3c57597 100644
--- a/vendor/github.com/spf13/pflag/flag.go
+++ b/vendor/github.com/spf13/pflag/flag.go
@@ -143,8 +143,9 @@ type ParseErrorsAllowlist struct {
 	UnknownFlags bool
 }
 
-// DEPRECATED: please use ParseErrorsAllowlist instead
-// This type will be removed in a future release
+// ParseErrorsWhitelist defines the parsing errors that can be ignored.
+//
+// Deprecated: use [ParseErrorsAllowlist] instead. This type will be removed in a future release.
 type ParseErrorsWhitelist = ParseErrorsAllowlist
 
 // NormalizedName is a flag name that has been normalized according to rules
@@ -165,8 +166,9 @@ type FlagSet struct {
 	// ParseErrorsAllowlist is used to configure an allowlist of errors
 	ParseErrorsAllowlist ParseErrorsAllowlist
 
-	// DEPRECATED: please use ParseErrorsAllowlist instead
-	// This field will be removed in a future release
+	// ParseErrorsAllowlist is used to configure an allowlist of errors.
+	//
+	// Deprecated: use [FlagSet.ParseErrorsAllowlist] instead. This field will be removed in a future release.
 	ParseErrorsWhitelist ParseErrorsAllowlist
 
 	name              string
@@ -1185,7 +1187,7 @@ func (f *FlagSet) Parse(arguments []string) error {
 		case ContinueOnError:
 			return err
 		case ExitOnError:
-			if errors.Is(err, ErrHelp) {
+			if err == ErrHelp {
 				os.Exit(0)
 			}
 			fmt.Fprintln(f.Output(), err)
@@ -1214,7 +1216,7 @@ func (f *FlagSet) ParseAll(arguments []string, fn func(flag *Flag, value string)
 		case ContinueOnError:
 			return err
 		case ExitOnError:
-			if errors.Is(err, ErrHelp) {
+			if err == ErrHelp {
 				os.Exit(0)
 			}
 			fmt.Fprintln(f.Output(), err)
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE
index 261eeb9e9f..f1aee0f110 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE
@@ -199,3 +199,33 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+--------------------------------------------------------------------------------
+
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
index 9e87fb4bb1..e65c4907c9 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
@@ -4,23 +4,18 @@
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 import (
-	"google.golang.org/grpc/stats"
+	"context"
 
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/metric/noop"
 	"go.opentelemetry.io/otel/propagation"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
 	"go.opentelemetry.io/otel/trace"
+	"google.golang.org/grpc/stats"
 )
 
-const (
-	// ScopeName is the instrumentation scope name.
-	ScopeName = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
-	// GRPCStatusCodeKey is convention for numeric status code of a gRPC request.
-	GRPCStatusCodeKey = attribute.Key("rpc.grpc.status_code")
-)
+// ScopeName is the instrumentation scope name.
+const ScopeName = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 // InterceptorFilter is a predicate used to determine whether a given request in
 // interceptor info should be instrumented. A InterceptorFilter must return true if
@@ -45,17 +40,11 @@ type config struct {
 	SpanAttributes    []attribute.KeyValue
 	MetricAttributes  []attribute.KeyValue
 
+	PublicEndpoint   bool
+	PublicEndpointFn func(ctx context.Context, info *stats.RPCTagInfo) bool
+
 	ReceivedEvent bool
 	SentEvent     bool
-
-	tracer trace.Tracer
-	meter  metric.Meter
-
-	rpcDuration    metric.Float64Histogram
-	rpcInBytes     metric.Int64Histogram
-	rpcOutBytes    metric.Int64Histogram
-	rpcInMessages  metric.Int64Histogram
-	rpcOutMessages metric.Int64Histogram
 }
 
 // Option applies an option value for a config.
@@ -64,7 +53,7 @@ type Option interface {
 }
 
 // newConfig returns a config configured with all the passed Options.
-func newConfig(opts []Option, role string) *config {
+func newConfig(opts []Option) *config {
 	c := &config{
 		Propagators:    otel.GetTextMapPropagator(),
 		TracerProvider: otel.GetTracerProvider(),
@@ -73,88 +62,39 @@ func newConfig(opts []Option, role string) *config {
 	for _, o := range opts {
 		o.apply(c)
 	}
+	return c
+}
 
-	c.tracer = c.TracerProvider.Tracer(
-		ScopeName,
-		trace.WithInstrumentationVersion(SemVersion()),
-	)
-
-	c.meter = c.MeterProvider.Meter(
-		ScopeName,
-		metric.WithInstrumentationVersion(Version()),
-		metric.WithSchemaURL(semconv.SchemaURL),
-	)
-
-	var err error
-	c.rpcDuration, err = c.meter.Float64Histogram("rpc."+role+".duration",
-		metric.WithDescription("Measures the duration of inbound RPC."),
-		metric.WithUnit("ms"))
-	if err != nil {
-		otel.Handle(err)
-		if c.rpcDuration == nil {
-			c.rpcDuration = noop.Float64Histogram{}
-		}
-	}
-
-	rpcRequestSize, err := c.meter.Int64Histogram("rpc."+role+".request.size",
-		metric.WithDescription("Measures size of RPC request messages (uncompressed)."),
-		metric.WithUnit("By"))
-	if err != nil {
-		otel.Handle(err)
-		if rpcRequestSize == nil {
-			rpcRequestSize = noop.Int64Histogram{}
-		}
-	}
+type publicEndpointOption struct{ p bool }
 
-	rpcResponseSize, err := c.meter.Int64Histogram("rpc."+role+".response.size",
-		metric.WithDescription("Measures size of RPC response messages (uncompressed)."),
-		metric.WithUnit("By"))
-	if err != nil {
-		otel.Handle(err)
-		if rpcResponseSize == nil {
-			rpcResponseSize = noop.Int64Histogram{}
-		}
-	}
+func (o publicEndpointOption) apply(c *config) {
+	c.PublicEndpoint = o.p
+}
 
-	rpcRequestsPerRPC, err := c.meter.Int64Histogram("rpc."+role+".requests_per_rpc",
-		metric.WithDescription("Measures the number of messages received per RPC. Should be 1 for all non-streaming RPCs."),
-		metric.WithUnit("{count}"))
-	if err != nil {
-		otel.Handle(err)
-		if rpcRequestsPerRPC == nil {
-			rpcRequestsPerRPC = noop.Int64Histogram{}
-		}
-	}
+// WithPublicEndpoint configures the Handler to link the span with an incoming
+// span context. If this option is not provided, then the association is a child
+// association instead of a link.
+func WithPublicEndpoint() Option {
+	return publicEndpointOption{p: true}
+}
 
-	rpcResponsesPerRPC, err := c.meter.Int64Histogram("rpc."+role+".responses_per_rpc",
-		metric.WithDescription("Measures the number of messages received per RPC. Should be 1 for all non-streaming RPCs."),
-		metric.WithUnit("{count}"))
-	if err != nil {
-		otel.Handle(err)
-		if rpcResponsesPerRPC == nil {
-			rpcResponsesPerRPC = noop.Int64Histogram{}
-		}
-	}
+type publicEndpointFnOption struct {
+	fn func(context.Context, *stats.RPCTagInfo) bool
+}
 
-	switch role {
-	case "client":
-		c.rpcInBytes = rpcResponseSize
-		c.rpcInMessages = rpcResponsesPerRPC
-		c.rpcOutBytes = rpcRequestSize
-		c.rpcOutMessages = rpcRequestsPerRPC
-	case "server":
-		c.rpcInBytes = rpcRequestSize
-		c.rpcInMessages = rpcRequestsPerRPC
-		c.rpcOutBytes = rpcResponseSize
-		c.rpcOutMessages = rpcResponsesPerRPC
-	default:
-		c.rpcInBytes = noop.Int64Histogram{}
-		c.rpcInMessages = noop.Int64Histogram{}
-		c.rpcOutBytes = noop.Int64Histogram{}
-		c.rpcOutMessages = noop.Int64Histogram{}
+func (o publicEndpointFnOption) apply(c *config) {
+	if o.fn != nil {
+		c.PublicEndpointFn = o.fn
 	}
+}
 
-	return c
+// WithPublicEndpointFn runs with every request, and allows conditionally
+// configuring the Handler to link the span with an incoming span context. If
+// this option is not provided or returns false, then the association is a
+// child association instead of a link.
+// Note: WithPublicEndpoint takes precedence over WithPublicEndpointFn.
+func WithPublicEndpointFn(fn func(context.Context, *stats.RPCTagInfo) bool) Option {
+	return publicEndpointFnOption{fn: fn}
 }
 
 type propagatorsOption struct{ p propagation.TextMapPropagator }
@@ -274,6 +214,8 @@ func (o spanStartOption) apply(c *config) {
 
 // WithSpanOptions configures an additional set of
 // trace.SpanOptions, which are applied to each new span.
+//
+// Deprecated: It is only used by the deprecated interceptor, and is unused by [NewClientHandler] and [NewServerHandler].
 func WithSpanOptions(opts ...trace.SpanStartOption) Option {
 	return spanStartOption{opts}
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
index 7d5ed05808..99f88ec3b9 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
@@ -4,506 +4,33 @@
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 // gRPC tracing middleware
-// https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/rpc.md
+// https://opentelemetry.io/docs/specs/semconv/rpc/
 import (
-	"context"
-	"errors"
-	"io"
 	"net"
 	"strconv"
-	"time"
 
-	"google.golang.org/grpc"
-	grpc_codes "google.golang.org/grpc/codes"
-	"google.golang.org/grpc/metadata"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/proto"
-
-	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
-	"go.opentelemetry.io/otel/metric"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
-	"go.opentelemetry.io/otel/trace"
-)
-
-type messageType attribute.KeyValue
-
-// Event adds an event of the messageType to the span associated with the
-// passed context with a message id.
-func (m messageType) Event(ctx context.Context, id int, _ interface{}) {
-	span := trace.SpanFromContext(ctx)
-	if !span.IsRecording() {
-		return
-	}
-	span.AddEvent("message", trace.WithAttributes(
-		attribute.KeyValue(m),
-		RPCMessageIDKey.Int(id),
-	))
-}
-
-var (
-	messageSent     = messageType(RPCMessageTypeSent)
-	messageReceived = messageType(RPCMessageTypeReceived)
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
+	grpc_codes "google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
-// UnaryClientInterceptor returns a grpc.UnaryClientInterceptor suitable
-// for use in a grpc.NewClient call.
-//
-// Deprecated: Use [NewClientHandler] instead.
-func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
-	cfg := newConfig(opts, "client")
-	tracer := cfg.TracerProvider.Tracer(
-		ScopeName,
-		trace.WithInstrumentationVersion(Version()),
-	)
-
-	return func(
-		ctx context.Context,
-		method string,
-		req, reply interface{},
-		cc *grpc.ClientConn,
-		invoker grpc.UnaryInvoker,
-		callOpts ...grpc.CallOption,
-	) error {
-		i := &InterceptorInfo{
-			Method: method,
-			Type:   UnaryClient,
-		}
-		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
-			return invoker(ctx, method, req, reply, cc, callOpts...)
-		}
-
-		name, attr, _ := telemetryAttributes(method, cc.Target())
-
-		startOpts := append([]trace.SpanStartOption{
-			trace.WithSpanKind(trace.SpanKindClient),
-			trace.WithAttributes(attr...),
-		},
-			cfg.SpanStartOptions...,
-		)
-
-		ctx, span := tracer.Start(
-			ctx,
-			name,
-			startOpts...,
-		)
-		defer span.End()
-
-		ctx = inject(ctx, cfg.Propagators)
-
-		if cfg.SentEvent {
-			messageSent.Event(ctx, 1, req)
-		}
-
-		err := invoker(ctx, method, req, reply, cc, callOpts...)
-
-		if cfg.ReceivedEvent {
-			messageReceived.Event(ctx, 1, reply)
-		}
-
-		if err != nil {
-			s, _ := status.FromError(err)
-			span.SetStatus(codes.Error, s.Message())
-			span.SetAttributes(statusCodeAttr(s.Code()))
-		} else {
-			span.SetAttributes(statusCodeAttr(grpc_codes.OK))
-		}
-
-		return err
-	}
-}
-
-// clientStream  wraps around the embedded grpc.ClientStream, and intercepts the RecvMsg and
-// SendMsg method call.
-type clientStream struct {
-	grpc.ClientStream
-	desc *grpc.StreamDesc
-
-	span trace.Span
-
-	receivedEvent bool
-	sentEvent     bool
-
-	receivedMessageID int
-	sentMessageID     int
-}
-
-var _ = proto.Marshal
-
-func (w *clientStream) RecvMsg(m interface{}) error {
-	err := w.ClientStream.RecvMsg(m)
-
-	if err == nil && !w.desc.ServerStreams {
-		w.endSpan(nil)
-	} else if errors.Is(err, io.EOF) {
-		w.endSpan(nil)
-	} else if err != nil {
-		w.endSpan(err)
-	} else {
-		w.receivedMessageID++
-
-		if w.receivedEvent {
-			messageReceived.Event(w.Context(), w.receivedMessageID, m)
-		}
-	}
-
-	return err
-}
-
-func (w *clientStream) SendMsg(m interface{}) error {
-	err := w.ClientStream.SendMsg(m)
-
-	w.sentMessageID++
-
-	if w.sentEvent {
-		messageSent.Event(w.Context(), w.sentMessageID, m)
-	}
-
-	if err != nil {
-		w.endSpan(err)
-	}
-
-	return err
-}
-
-func (w *clientStream) Header() (metadata.MD, error) {
-	md, err := w.ClientStream.Header()
-	if err != nil {
-		w.endSpan(err)
-	}
-
-	return md, err
-}
-
-func (w *clientStream) CloseSend() error {
-	err := w.ClientStream.CloseSend()
-	if err != nil {
-		w.endSpan(err)
-	}
-
-	return err
-}
-
-func wrapClientStream(s grpc.ClientStream, desc *grpc.StreamDesc, span trace.Span, cfg *config) *clientStream {
-	return &clientStream{
-		ClientStream:  s,
-		span:          span,
-		desc:          desc,
-		receivedEvent: cfg.ReceivedEvent,
-		sentEvent:     cfg.SentEvent,
-	}
-}
-
-func (w *clientStream) endSpan(err error) {
-	if err != nil {
-		s, _ := status.FromError(err)
-		w.span.SetStatus(codes.Error, s.Message())
-		w.span.SetAttributes(statusCodeAttr(s.Code()))
-	} else {
-		w.span.SetAttributes(statusCodeAttr(grpc_codes.OK))
-	}
-
-	w.span.End()
-}
-
-// StreamClientInterceptor returns a grpc.StreamClientInterceptor suitable
-// for use in a grpc.NewClient call.
-//
-// Deprecated: Use [NewClientHandler] instead.
-func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
-	cfg := newConfig(opts, "client")
-	tracer := cfg.TracerProvider.Tracer(
-		ScopeName,
-		trace.WithInstrumentationVersion(Version()),
-	)
-
-	return func(
-		ctx context.Context,
-		desc *grpc.StreamDesc,
-		cc *grpc.ClientConn,
-		method string,
-		streamer grpc.Streamer,
-		callOpts ...grpc.CallOption,
-	) (grpc.ClientStream, error) {
-		i := &InterceptorInfo{
-			Method: method,
-			Type:   StreamClient,
-		}
-		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
-			return streamer(ctx, desc, cc, method, callOpts...)
-		}
-
-		name, attr, _ := telemetryAttributes(method, cc.Target())
-
-		startOpts := append([]trace.SpanStartOption{
-			trace.WithSpanKind(trace.SpanKindClient),
-			trace.WithAttributes(attr...),
-		},
-			cfg.SpanStartOptions...,
-		)
-
-		ctx, span := tracer.Start(
-			ctx,
-			name,
-			startOpts...,
-		)
-
-		ctx = inject(ctx, cfg.Propagators)
-
-		s, err := streamer(ctx, desc, cc, method, callOpts...)
-		if err != nil {
-			grpcStatus, _ := status.FromError(err)
-			span.SetStatus(codes.Error, grpcStatus.Message())
-			span.SetAttributes(statusCodeAttr(grpcStatus.Code()))
-			span.End()
-			return s, err
-		}
-		stream := wrapClientStream(s, desc, span, cfg)
-		return stream, nil
-	}
-}
-
-// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
-// for use in a grpc.NewServer call.
-//
-// Deprecated: Use [NewServerHandler] instead.
-func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
-	cfg := newConfig(opts, "server")
-	tracer := cfg.TracerProvider.Tracer(
-		ScopeName,
-		trace.WithInstrumentationVersion(Version()),
-	)
-
-	return func(
-		ctx context.Context,
-		req interface{},
-		info *grpc.UnaryServerInfo,
-		handler grpc.UnaryHandler,
-	) (interface{}, error) {
-		i := &InterceptorInfo{
-			UnaryServerInfo: info,
-			Type:            UnaryServer,
-		}
-		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
-			return handler(ctx, req)
-		}
-
-		ctx = extract(ctx, cfg.Propagators)
-		name, attr, metricAttrs := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
-
-		startOpts := append([]trace.SpanStartOption{
-			trace.WithSpanKind(trace.SpanKindServer),
-			trace.WithAttributes(attr...),
-		},
-			cfg.SpanStartOptions...,
-		)
-
-		ctx, span := tracer.Start(
-			trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)),
-			name,
-			startOpts...,
-		)
-		defer span.End()
-
-		if cfg.ReceivedEvent {
-			messageReceived.Event(ctx, 1, req)
-		}
-
-		before := time.Now()
-
-		resp, err := handler(ctx, req)
-
-		s, _ := status.FromError(err)
-		if err != nil {
-			statusCode, msg := serverStatus(s)
-			span.SetStatus(statusCode, msg)
-			if cfg.SentEvent {
-				messageSent.Event(ctx, 1, s.Proto())
-			}
-		} else {
-			if cfg.SentEvent {
-				messageSent.Event(ctx, 1, resp)
-			}
-		}
-		grpcStatusCodeAttr := statusCodeAttr(s.Code())
-		span.SetAttributes(grpcStatusCodeAttr)
-
-		// Use floating point division here for higher precision (instead of Millisecond method).
-		elapsedTime := float64(time.Since(before)) / float64(time.Millisecond)
-
-		metricAttrs = append(metricAttrs, grpcStatusCodeAttr)
-		cfg.rpcDuration.Record(ctx, elapsedTime, metric.WithAttributeSet(attribute.NewSet(metricAttrs...)))
-
-		return resp, err
-	}
-}
-
-// serverStream wraps around the embedded grpc.ServerStream, and intercepts the RecvMsg and
-// SendMsg method call.
-type serverStream struct {
-	grpc.ServerStream
-	ctx context.Context
-
-	receivedMessageID int
-	sentMessageID     int
-
-	receivedEvent bool
-	sentEvent     bool
-}
-
-func (w *serverStream) Context() context.Context {
-	return w.ctx
-}
-
-func (w *serverStream) RecvMsg(m interface{}) error {
-	err := w.ServerStream.RecvMsg(m)
-
-	if err == nil {
-		w.receivedMessageID++
-		if w.receivedEvent {
-			messageReceived.Event(w.Context(), w.receivedMessageID, m)
-		}
-	}
-
-	return err
-}
-
-func (w *serverStream) SendMsg(m interface{}) error {
-	err := w.ServerStream.SendMsg(m)
-
-	w.sentMessageID++
-	if w.sentEvent {
-		messageSent.Event(w.Context(), w.sentMessageID, m)
-	}
-
-	return err
-}
-
-func wrapServerStream(ctx context.Context, ss grpc.ServerStream, cfg *config) *serverStream {
-	return &serverStream{
-		ServerStream:  ss,
-		ctx:           ctx,
-		receivedEvent: cfg.ReceivedEvent,
-		sentEvent:     cfg.SentEvent,
-	}
-}
-
-// StreamServerInterceptor returns a grpc.StreamServerInterceptor suitable
-// for use in a grpc.NewServer call.
-//
-// Deprecated: Use [NewServerHandler] instead.
-func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
-	cfg := newConfig(opts, "server")
-	tracer := cfg.TracerProvider.Tracer(
-		ScopeName,
-		trace.WithInstrumentationVersion(Version()),
-	)
-
-	return func(
-		srv interface{},
-		ss grpc.ServerStream,
-		info *grpc.StreamServerInfo,
-		handler grpc.StreamHandler,
-	) error {
-		ctx := ss.Context()
-		i := &InterceptorInfo{
-			StreamServerInfo: info,
-			Type:             StreamServer,
-		}
-		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
-			return handler(srv, wrapServerStream(ctx, ss, cfg))
-		}
-
-		ctx = extract(ctx, cfg.Propagators)
-		name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
-
-		startOpts := append([]trace.SpanStartOption{
-			trace.WithSpanKind(trace.SpanKindServer),
-			trace.WithAttributes(attr...),
-		},
-			cfg.SpanStartOptions...,
-		)
-
-		ctx, span := tracer.Start(
-			trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)),
-			name,
-			startOpts...,
-		)
-		defer span.End()
-
-		err := handler(srv, wrapServerStream(ctx, ss, cfg))
-		if err != nil {
-			s, _ := status.FromError(err)
-			statusCode, msg := serverStatus(s)
-			span.SetStatus(statusCode, msg)
-			span.SetAttributes(statusCodeAttr(s.Code()))
-		} else {
-			span.SetAttributes(statusCodeAttr(grpc_codes.OK))
-		}
-
-		return err
-	}
-}
-
-// telemetryAttributes returns a span name and span and metric attributes from
-// the gRPC method and peer address.
-func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) {
-	name, methodAttrs := internal.ParseFullMethod(fullMethod)
-	peerAttrs := peerAttr(peerAddress)
-
-	attrs := make([]attribute.KeyValue, 0, 1+len(methodAttrs)+len(peerAttrs))
-	attrs = append(attrs, RPCSystemGRPC)
-	attrs = append(attrs, methodAttrs...)
-	metricAttrs := attrs[:1+len(methodAttrs)]
-	attrs = append(attrs, peerAttrs...)
-	return name, attrs, metricAttrs
-}
-
-// peerAttr returns attributes about the peer address.
-func peerAttr(addr string) []attribute.KeyValue {
-	host, p, err := net.SplitHostPort(addr)
+// serverAddrAttrs returns the server address attributes for the hostport.
+func serverAddrAttrs(hostport string) []attribute.KeyValue {
+	h, pStr, err := net.SplitHostPort(hostport)
 	if err != nil {
-		return nil
-	}
-
-	if host == "" {
-		host = "127.0.0.1"
+		// The server.address attribute is required.
+		return []attribute.KeyValue{semconv.ServerAddress(hostport)}
 	}
-	port, err := strconv.Atoi(p)
+	p, err := strconv.Atoi(pStr)
 	if err != nil {
-		return nil
-	}
-
-	var attr []attribute.KeyValue
-	if ip := net.ParseIP(host); ip != nil {
-		attr = []attribute.KeyValue{
-			semconv.NetSockPeerAddr(host),
-			semconv.NetSockPeerPort(port),
-		}
-	} else {
-		attr = []attribute.KeyValue{
-			semconv.NetPeerName(host),
-			semconv.NetPeerPort(port),
-		}
+		return []attribute.KeyValue{semconv.ServerAddress(h)}
 	}
-
-	return attr
-}
-
-// peerFromCtx returns a peer address from a context, if one exists.
-func peerFromCtx(ctx context.Context) string {
-	p, ok := peer.FromContext(ctx)
-	if !ok {
-		return ""
+	return []attribute.KeyValue{
+		semconv.ServerAddress(h),
+		semconv.ServerPort(p),
 	}
-	return p.Addr.String()
-}
-
-// statusCodeAttr returns status code attribute based on given gRPC code.
-func statusCodeAttr(c grpc_codes.Code) attribute.KeyValue {
-	return GRPCStatusCodeKey.Int64(int64(c))
 }
 
 // serverStatus returns a span status code and message for a given gRPC
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
index bef07b7a3c..e46185e0b1 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
@@ -1,13 +1,14 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package internal provides internal functionality for the otelgrpc package.
 package internal // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal"
 
 import (
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
 )
 
 // ParseFullMethod returns a span name following the OpenTelemetry semantic
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
index 3aa37915df..b427e17247 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
@@ -6,15 +6,14 @@ package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.g
 import (
 	"context"
 
-	"google.golang.org/grpc/metadata"
-
 	"go.opentelemetry.io/otel/baggage"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/trace"
+	"google.golang.org/grpc/metadata"
 )
 
 type metadataSupplier struct {
-	metadata *metadata.MD
+	metadata metadata.MD
 }
 
 // assert that metadataSupplier implements the TextMapCarrier interface.
@@ -28,13 +27,13 @@ func (s *metadataSupplier) Get(key string) string {
 	return values[0]
 }
 
-func (s *metadataSupplier) Set(key string, value string) {
+func (s *metadataSupplier) Set(key, value string) {
 	s.metadata.Set(key, value)
 }
 
 func (s *metadataSupplier) Keys() []string {
-	out := make([]string, 0, len(*s.metadata))
-	for key := range *s.metadata {
+	out := make([]string, 0, len(s.metadata))
+	for key := range s.metadata {
 		out = append(out, key)
 	}
 	return out
@@ -43,11 +42,12 @@ func (s *metadataSupplier) Keys() []string {
 // Inject injects correlation context and span context into the gRPC
 // metadata object. This function is meant to be used on outgoing
 // requests.
+//
 // Deprecated: Unnecessary public func.
 func Inject(ctx context.Context, md *metadata.MD, opts ...Option) {
-	c := newConfig(opts, "")
+	c := newConfig(opts)
 	c.Propagators.Inject(ctx, &metadataSupplier{
-		metadata: md,
+		metadata: *md,
 	})
 }
 
@@ -57,7 +57,7 @@ func inject(ctx context.Context, propagators propagation.TextMapPropagator) cont
 		md = metadata.MD{}
 	}
 	propagators.Inject(ctx, &metadataSupplier{
-		metadata: &md,
+		metadata: md,
 	})
 	return metadata.NewOutgoingContext(ctx, md)
 }
@@ -65,11 +65,12 @@ func inject(ctx context.Context, propagators propagation.TextMapPropagator) cont
 // Extract returns the correlation context and span context that
 // another service encoded in the gRPC metadata object with Inject.
 // This function is meant to be used on incoming requests.
+//
 // Deprecated: Unnecessary public func.
 func Extract(ctx context.Context, md *metadata.MD, opts ...Option) (baggage.Baggage, trace.SpanContext) {
-	c := newConfig(opts, "")
+	c := newConfig(opts)
 	ctx = c.Propagators.Extract(ctx, &metadataSupplier{
-		metadata: md,
+		metadata: *md,
 	})
 
 	return baggage.FromContext(ctx), trace.SpanContextFromContext(ctx)
@@ -82,6 +83,6 @@ func extract(ctx context.Context, propagators propagation.TextMapPropagator) con
 	}
 
 	return propagators.Extract(ctx, &metadataSupplier{
-		metadata: &md,
+		metadata: md,
 	})
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go
deleted file mode 100644
index 409c621b74..0000000000
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
-
-import (
-	"go.opentelemetry.io/otel/attribute"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
-)
-
-// Semantic conventions for attribute keys for gRPC.
-const (
-	// Name of message transmitted or received.
-	RPCNameKey = attribute.Key("name")
-
-	// Type of message transmitted or received.
-	RPCMessageTypeKey = attribute.Key("message.type")
-
-	// Identifier of message transmitted or received.
-	RPCMessageIDKey = attribute.Key("message.id")
-
-	// The compressed size of the message transmitted or received in bytes.
-	RPCMessageCompressedSizeKey = attribute.Key("message.compressed_size")
-
-	// The uncompressed size of the message transmitted or received in
-	// bytes.
-	RPCMessageUncompressedSizeKey = attribute.Key("message.uncompressed_size")
-)
-
-// Semantic conventions for common RPC attributes.
-var (
-	// Semantic convention for gRPC as the remoting system.
-	RPCSystemGRPC = semconv.RPCSystemGRPC
-
-	// Semantic convention for a message named message.
-	RPCNameMessage = RPCNameKey.String("message")
-
-	// Semantic conventions for RPC message types.
-	RPCMessageTypeSent     = RPCMessageTypeKey.String("SENT")
-	RPCMessageTypeReceived = RPCMessageTypeKey.String("RECEIVED")
-)
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
index 216127d6fb..29d7ab2bda 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
@@ -8,16 +8,17 @@ import (
 	"sync/atomic"
 	"time"
 
-	grpc_codes "google.golang.org/grpc/codes"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/stats"
-	"google.golang.org/grpc/status"
-
+	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
 	"go.opentelemetry.io/otel/metric"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
+	"go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv"
 	"go.opentelemetry.io/otel/trace"
+	grpc_codes "google.golang.org/grpc/codes"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/stats"
+	"google.golang.org/grpc/status"
 
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal"
 )
@@ -33,49 +34,103 @@ type gRPCContext struct {
 
 type serverHandler struct {
 	*config
+
+	tracer trace.Tracer
+
+	duration rpcconv.ServerDuration
+	inSize   rpcconv.ServerRequestSize
+	outSize  rpcconv.ServerResponseSize
+	inMsg    rpcconv.ServerRequestsPerRPC
+	outMsg   rpcconv.ServerResponsesPerRPC
 }
 
 // NewServerHandler creates a stats.Handler for a gRPC server.
 func NewServerHandler(opts ...Option) stats.Handler {
-	h := &serverHandler{
-		config: newConfig(opts, "server"),
+	c := newConfig(opts)
+	h := &serverHandler{config: c}
+
+	h.tracer = c.TracerProvider.Tracer(
+		ScopeName,
+		trace.WithInstrumentationVersion(Version()),
+	)
+
+	meter := c.MeterProvider.Meter(
+		ScopeName,
+		metric.WithInstrumentationVersion(Version()),
+		metric.WithSchemaURL(semconv.SchemaURL),
+	)
+
+	var err error
+	h.duration, err = rpcconv.NewServerDuration(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.inSize, err = rpcconv.NewServerRequestSize(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.outSize, err = rpcconv.NewServerResponseSize(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.inMsg, err = rpcconv.NewServerRequestsPerRPC(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.outMsg, err = rpcconv.NewServerResponsesPerRPC(meter)
+	if err != nil {
+		otel.Handle(err)
 	}
 
 	return h
 }
 
 // TagConn can attach some information to the given context.
-func (h *serverHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+func (*serverHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
 	return ctx
 }
 
 // HandleConn processes the Conn stats.
-func (h *serverHandler) HandleConn(ctx context.Context, info stats.ConnStats) {
+func (*serverHandler) HandleConn(context.Context, stats.ConnStats) {
 }
 
 // TagRPC can attach some information to the given context.
 func (h *serverHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
-	ctx = extract(ctx, h.config.Propagators)
+	ctx = extract(ctx, h.Propagators)
 
 	name, attrs := internal.ParseFullMethod(info.FullMethodName)
-	attrs = append(attrs, RPCSystemGRPC)
+	attrs = append(attrs, semconv.RPCSystemGRPC)
 
 	record := true
-	if h.config.Filter != nil {
-		record = h.config.Filter(info)
+	if h.Filter != nil {
+		record = h.Filter(info)
 	}
 
 	if record {
+		opts := []trace.SpanStartOption{
+			trace.WithSpanKind(trace.SpanKindServer),
+			trace.WithAttributes(append(attrs, h.SpanAttributes...)...),
+		}
+		if h.PublicEndpoint || (h.PublicEndpointFn != nil && h.PublicEndpointFn(ctx, info)) {
+			opts = append(opts, trace.WithNewRoot())
+			// Linking incoming span context if any for public endpoint.
+			if s := trace.SpanContextFromContext(ctx); s.IsValid() && s.IsRemote() {
+				opts = append(opts, trace.WithLinks(trace.Link{SpanContext: s}))
+			}
+		}
 		ctx, _ = h.tracer.Start(
 			trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)),
 			name,
-			trace.WithSpanKind(trace.SpanKindServer),
-			trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...),
+			opts...,
 		)
 	}
 
 	gctx := gRPCContext{
-		metricAttrs: append(attrs, h.config.MetricAttributes...),
+		metricAttrs: append(attrs, h.MetricAttributes...),
 		record:      record,
 	}
 
@@ -84,18 +139,70 @@ func (h *serverHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) cont
 
 // HandleRPC processes the RPC stats.
 func (h *serverHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
-	isServer := true
-	h.handleRPC(ctx, rs, isServer)
+	h.handleRPC(
+		ctx,
+		rs,
+		h.duration.Inst(),
+		h.inSize,
+		h.outSize,
+		h.inMsg.Inst(),
+		h.outMsg.Inst(),
+		serverStatus,
+	)
 }
 
 type clientHandler struct {
 	*config
+
+	tracer trace.Tracer
+
+	duration rpcconv.ClientDuration
+	inSize   rpcconv.ClientResponseSize
+	outSize  rpcconv.ClientRequestSize
+	inMsg    rpcconv.ClientResponsesPerRPC
+	outMsg   rpcconv.ClientRequestsPerRPC
 }
 
 // NewClientHandler creates a stats.Handler for a gRPC client.
 func NewClientHandler(opts ...Option) stats.Handler {
-	h := &clientHandler{
-		config: newConfig(opts, "client"),
+	c := newConfig(opts)
+	h := &clientHandler{config: c}
+
+	h.tracer = c.TracerProvider.Tracer(
+		ScopeName,
+		trace.WithInstrumentationVersion(Version()),
+	)
+
+	meter := c.MeterProvider.Meter(
+		ScopeName,
+		metric.WithInstrumentationVersion(Version()),
+		metric.WithSchemaURL(semconv.SchemaURL),
+	)
+
+	var err error
+	h.duration, err = rpcconv.NewClientDuration(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.inSize, err = rpcconv.NewClientResponseSize(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.outSize, err = rpcconv.NewClientRequestSize(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.inMsg, err = rpcconv.NewClientResponsesPerRPC(meter)
+	if err != nil {
+		otel.Handle(err)
+	}
+
+	h.outMsg, err = rpcconv.NewClientRequestsPerRPC(meter)
+	if err != nil {
+		otel.Handle(err)
 	}
 
 	return h
@@ -104,11 +211,11 @@ func NewClientHandler(opts ...Option) stats.Handler {
 // TagRPC can attach some information to the given context.
 func (h *clientHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
 	name, attrs := internal.ParseFullMethod(info.FullMethodName)
-	attrs = append(attrs, RPCSystemGRPC)
+	attrs = append(attrs, semconv.RPCSystemGRPC)
 
 	record := true
-	if h.config.Filter != nil {
-		record = h.config.Filter(info)
+	if h.Filter != nil {
+		record = h.Filter(info)
 	}
 
 	if record {
@@ -116,105 +223,129 @@ func (h *clientHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) cont
 			ctx,
 			name,
 			trace.WithSpanKind(trace.SpanKindClient),
-			trace.WithAttributes(append(attrs, h.config.SpanAttributes...)...),
+			trace.WithAttributes(append(attrs, h.SpanAttributes...)...),
 		)
 	}
 
 	gctx := gRPCContext{
-		metricAttrs: append(attrs, h.config.MetricAttributes...),
+		metricAttrs: append(attrs, h.MetricAttributes...),
 		record:      record,
 	}
 
-	return inject(context.WithValue(ctx, gRPCContextKey{}, &gctx), h.config.Propagators)
+	return inject(context.WithValue(ctx, gRPCContextKey{}, &gctx), h.Propagators)
 }
 
 // HandleRPC processes the RPC stats.
 func (h *clientHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
-	isServer := false
-	h.handleRPC(ctx, rs, isServer)
+	h.handleRPC(
+		ctx,
+		rs,
+		h.duration.Inst(),
+		h.inSize,
+		h.outSize,
+		h.inMsg.Inst(),
+		h.outMsg.Inst(),
+		func(s *status.Status) (codes.Code, string) {
+			return codes.Error, s.Message()
+		},
+	)
 }
 
 // TagConn can attach some information to the given context.
-func (h *clientHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+func (*clientHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
 	return ctx
 }
 
 // HandleConn processes the Conn stats.
-func (h *clientHandler) HandleConn(context.Context, stats.ConnStats) {
+func (*clientHandler) HandleConn(context.Context, stats.ConnStats) {
 	// no-op
 }
 
-func (c *config) handleRPC(ctx context.Context, rs stats.RPCStats, isServer bool) { // nolint: revive  // isServer is not a control flag.
-	span := trace.SpanFromContext(ctx)
-	var metricAttrs []attribute.KeyValue
-	var messageId int64
+type int64Hist interface {
+	Record(context.Context, int64, ...attribute.KeyValue)
+}
 
+func (c *config) handleRPC(
+	ctx context.Context,
+	rs stats.RPCStats,
+	duration metric.Float64Histogram,
+	inSize, outSize int64Hist,
+	inMsg, outMsg metric.Int64Histogram,
+	recordStatus func(*status.Status) (codes.Code, string),
+) {
 	gctx, _ := ctx.Value(gRPCContextKey{}).(*gRPCContext)
-	if gctx != nil {
-		if !gctx.record {
-			return
-		}
-		metricAttrs = make([]attribute.KeyValue, 0, len(gctx.metricAttrs)+1)
-		metricAttrs = append(metricAttrs, gctx.metricAttrs...)
+	if gctx != nil && !gctx.record {
+		return
 	}
 
+	span := trace.SpanFromContext(ctx)
+	var messageId int64
+
 	switch rs := rs.(type) {
 	case *stats.Begin:
 	case *stats.InPayload:
 		if gctx != nil {
 			messageId = atomic.AddInt64(&gctx.inMessages, 1)
-			c.rpcInBytes.Record(ctx, int64(rs.Length), metric.WithAttributeSet(attribute.NewSet(metricAttrs...)))
+			inSize.Record(ctx, int64(rs.Length), gctx.metricAttrs...)
 		}
 
-		if c.ReceivedEvent {
+		if c.ReceivedEvent && span.IsRecording() {
 			span.AddEvent("message",
 				trace.WithAttributes(
-					semconv.MessageTypeReceived,
-					semconv.MessageIDKey.Int64(messageId),
-					semconv.MessageCompressedSizeKey.Int(rs.CompressedLength),
-					semconv.MessageUncompressedSizeKey.Int(rs.Length),
+					semconv.RPCMessageTypeReceived,
+					semconv.RPCMessageIDKey.Int64(messageId),
+					semconv.RPCMessageCompressedSizeKey.Int(rs.CompressedLength),
+					semconv.RPCMessageUncompressedSizeKey.Int(rs.Length),
 				),
 			)
 		}
 	case *stats.OutPayload:
 		if gctx != nil {
 			messageId = atomic.AddInt64(&gctx.outMessages, 1)
-			c.rpcOutBytes.Record(ctx, int64(rs.Length), metric.WithAttributeSet(attribute.NewSet(metricAttrs...)))
+			outSize.Record(ctx, int64(rs.Length), gctx.metricAttrs...)
 		}
 
-		if c.SentEvent {
+		if c.SentEvent && span.IsRecording() {
 			span.AddEvent("message",
 				trace.WithAttributes(
-					semconv.MessageTypeSent,
-					semconv.MessageIDKey.Int64(messageId),
-					semconv.MessageCompressedSizeKey.Int(rs.CompressedLength),
-					semconv.MessageUncompressedSizeKey.Int(rs.Length),
+					semconv.RPCMessageTypeSent,
+					semconv.RPCMessageIDKey.Int64(messageId),
+					semconv.RPCMessageCompressedSizeKey.Int(rs.CompressedLength),
+					semconv.RPCMessageUncompressedSizeKey.Int(rs.Length),
 				),
 			)
 		}
 	case *stats.OutTrailer:
 	case *stats.OutHeader:
-		if p, ok := peer.FromContext(ctx); ok {
-			span.SetAttributes(peerAttr(p.Addr.String())...)
+		if span.IsRecording() {
+			if p, ok := peer.FromContext(ctx); ok {
+				span.SetAttributes(serverAddrAttrs(p.Addr.String())...)
+			}
 		}
 	case *stats.End:
 		var rpcStatusAttr attribute.KeyValue
 
+		var s *status.Status
 		if rs.Error != nil {
-			s, _ := status.FromError(rs.Error)
-			if isServer {
-				statusCode, msg := serverStatus(s)
-				span.SetStatus(statusCode, msg)
-			} else {
-				span.SetStatus(codes.Error, s.Message())
-			}
+			s, _ = status.FromError(rs.Error)
 			rpcStatusAttr = semconv.RPCGRPCStatusCodeKey.Int(int(s.Code()))
 		} else {
 			rpcStatusAttr = semconv.RPCGRPCStatusCodeKey.Int(int(grpc_codes.OK))
 		}
-		span.SetAttributes(rpcStatusAttr)
-		span.End()
+		if span.IsRecording() {
+			if s != nil {
+				c, m := recordStatus(s)
+				span.SetStatus(c, m)
+			}
+			span.SetAttributes(rpcStatusAttr)
+			span.End()
+		}
 
+		var metricAttrs []attribute.KeyValue
+		if gctx != nil {
+			metricAttrs = make([]attribute.KeyValue, 0, len(gctx.metricAttrs)+1)
+			metricAttrs = append(metricAttrs, gctx.metricAttrs...)
+		}
 		metricAttrs = append(metricAttrs, rpcStatusAttr)
 		// Allocate vararg slice once.
 		recordOpts := []metric.RecordOption{metric.WithAttributeSet(attribute.NewSet(metricAttrs...))}
@@ -223,10 +354,10 @@ func (c *config) handleRPC(ctx context.Context, rs stats.RPCStats, isServer bool
 		// Measure right before calling Record() to capture as much elapsed time as possible.
 		elapsedTime := float64(rs.EndTime.Sub(rs.BeginTime)) / float64(time.Millisecond)
 
-		c.rpcDuration.Record(ctx, elapsedTime, recordOpts...)
+		duration.Record(ctx, elapsedTime, recordOpts...)
 		if gctx != nil {
-			c.rpcInMessages.Record(ctx, atomic.LoadInt64(&gctx.inMessages), recordOpts...)
-			c.rpcOutMessages.Record(ctx, atomic.LoadInt64(&gctx.outMessages), recordOpts...)
+			inMsg.Record(ctx, atomic.LoadInt64(&gctx.inMessages), recordOpts...)
+			outMsg.Record(ctx, atomic.LoadInt64(&gctx.outMessages), recordOpts...)
 		}
 	default:
 		return
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
index 442e8a838b..aa4f4e2129 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
@@ -5,13 +5,6 @@ package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.g
 
 // Version is the current release version of the gRPC instrumentation.
 func Version() string {
-	return "0.60.0"
+	return "0.63.0"
 	// This string is updated by the pre_release.sh script during release
 }
-
-// SemVersion is the semantic version to be supplied to tracer/meter creation.
-//
-// Deprecated: Use [Version] instead.
-func SemVersion() string {
-	return Version()
-}
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv/metric.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv/metric.go
new file mode 100644
index 0000000000..089b0c457f
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv/metric.go
@@ -0,0 +1,1010 @@
+// Code generated from semantic convention specification. DO NOT EDIT.
+
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Package rpcconv provides types and functionality for OpenTelemetry semantic
+// conventions in the "rpc" namespace.
+package rpcconv
+
+import (
+	"context"
+	"sync"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/metric/noop"
+)
+
+var (
+	addOptPool = &sync.Pool{New: func() any { return &[]metric.AddOption{} }}
+	recOptPool = &sync.Pool{New: func() any { return &[]metric.RecordOption{} }}
+)
+
+// ClientDuration is an instrument used to record metric values conforming to the
+// "rpc.client.duration" semantic conventions. It represents the measures the
+// duration of outbound RPC.
+type ClientDuration struct {
+	metric.Float64Histogram
+}
+
+var newClientDurationOpts = []metric.Float64HistogramOption{
+	metric.WithDescription("Measures the duration of outbound RPC."),
+	metric.WithUnit("ms"),
+}
+
+// NewClientDuration returns a new ClientDuration instrument.
+func NewClientDuration(
+	m metric.Meter,
+	opt ...metric.Float64HistogramOption,
+) (ClientDuration, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientDuration{noop.Float64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newClientDurationOpts
+	} else {
+		opt = append(opt, newClientDurationOpts...)
+	}
+
+	i, err := m.Float64Histogram(
+		"rpc.client.duration",
+		opt...,
+	)
+	if err != nil {
+		return ClientDuration{noop.Float64Histogram{}}, err
+	}
+	return ClientDuration{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientDuration) Inst() metric.Float64Histogram {
+	return m.Float64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientDuration) Name() string {
+	return "rpc.client.duration"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientDuration) Unit() string {
+	return "ms"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientDuration) Description() string {
+	return "Measures the duration of outbound RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// While streaming RPCs may record this metric as start-of-batch
+// to end-of-batch, it's hard to interpret in practice.
+//
+// **Streaming**: N/A.
+func (m ClientDuration) Record(ctx context.Context, val float64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Float64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// While streaming RPCs may record this metric as start-of-batch
+// to end-of-batch, it's hard to interpret in practice.
+//
+// **Streaming**: N/A.
+func (m ClientDuration) RecordSet(ctx context.Context, val float64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Float64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// ClientRequestSize is an instrument used to record metric values conforming to
+// the "rpc.client.request.size" semantic conventions. It represents the measures
+// the size of RPC request messages (uncompressed).
+type ClientRequestSize struct {
+	metric.Int64Histogram
+}
+
+var newClientRequestSizeOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the size of RPC request messages (uncompressed)."),
+	metric.WithUnit("By"),
+}
+
+// NewClientRequestSize returns a new ClientRequestSize instrument.
+func NewClientRequestSize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientRequestSize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientRequestSize{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newClientRequestSizeOpts
+	} else {
+		opt = append(opt, newClientRequestSizeOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.client.request.size",
+		opt...,
+	)
+	if err != nil {
+		return ClientRequestSize{noop.Int64Histogram{}}, err
+	}
+	return ClientRequestSize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientRequestSize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientRequestSize) Name() string {
+	return "rpc.client.request.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientRequestSize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientRequestSize) Description() string {
+	return "Measures the size of RPC request messages (uncompressed)."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// **Streaming**: Recorded per message in a streaming batch
+func (m ClientRequestSize) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// **Streaming**: Recorded per message in a streaming batch
+func (m ClientRequestSize) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ClientRequestsPerRPC is an instrument used to record metric values conforming
+// to the "rpc.client.requests_per_rpc" semantic conventions. It represents the
+// measures the number of messages received per RPC.
+type ClientRequestsPerRPC struct {
+	metric.Int64Histogram
+}
+
+var newClientRequestsPerRPCOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the number of messages received per RPC."),
+	metric.WithUnit("{count}"),
+}
+
+// NewClientRequestsPerRPC returns a new ClientRequestsPerRPC instrument.
+func NewClientRequestsPerRPC(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientRequestsPerRPC, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientRequestsPerRPC{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newClientRequestsPerRPCOpts
+	} else {
+		opt = append(opt, newClientRequestsPerRPCOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.client.requests_per_rpc",
+		opt...,
+	)
+	if err != nil {
+		return ClientRequestsPerRPC{noop.Int64Histogram{}}, err
+	}
+	return ClientRequestsPerRPC{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientRequestsPerRPC) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientRequestsPerRPC) Name() string {
+	return "rpc.client.requests_per_rpc"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientRequestsPerRPC) Unit() string {
+	return "{count}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientRequestsPerRPC) Description() string {
+	return "Measures the number of messages received per RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ClientRequestsPerRPC) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ClientRequestsPerRPC) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ClientResponseSize is an instrument used to record metric values conforming to
+// the "rpc.client.response.size" semantic conventions. It represents the
+// measures the size of RPC response messages (uncompressed).
+type ClientResponseSize struct {
+	metric.Int64Histogram
+}
+
+var newClientResponseSizeOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the size of RPC response messages (uncompressed)."),
+	metric.WithUnit("By"),
+}
+
+// NewClientResponseSize returns a new ClientResponseSize instrument.
+func NewClientResponseSize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientResponseSize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientResponseSize{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newClientResponseSizeOpts
+	} else {
+		opt = append(opt, newClientResponseSizeOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.client.response.size",
+		opt...,
+	)
+	if err != nil {
+		return ClientResponseSize{noop.Int64Histogram{}}, err
+	}
+	return ClientResponseSize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientResponseSize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientResponseSize) Name() string {
+	return "rpc.client.response.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientResponseSize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientResponseSize) Description() string {
+	return "Measures the size of RPC response messages (uncompressed)."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// **Streaming**: Recorded per response in a streaming batch
+func (m ClientResponseSize) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// **Streaming**: Recorded per response in a streaming batch
+func (m ClientResponseSize) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ClientResponsesPerRPC is an instrument used to record metric values conforming
+// to the "rpc.client.responses_per_rpc" semantic conventions. It represents the
+// measures the number of messages sent per RPC.
+type ClientResponsesPerRPC struct {
+	metric.Int64Histogram
+}
+
+var newClientResponsesPerRPCOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the number of messages sent per RPC."),
+	metric.WithUnit("{count}"),
+}
+
+// NewClientResponsesPerRPC returns a new ClientResponsesPerRPC instrument.
+func NewClientResponsesPerRPC(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientResponsesPerRPC, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientResponsesPerRPC{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newClientResponsesPerRPCOpts
+	} else {
+		opt = append(opt, newClientResponsesPerRPCOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.client.responses_per_rpc",
+		opt...,
+	)
+	if err != nil {
+		return ClientResponsesPerRPC{noop.Int64Histogram{}}, err
+	}
+	return ClientResponsesPerRPC{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientResponsesPerRPC) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientResponsesPerRPC) Name() string {
+	return "rpc.client.responses_per_rpc"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientResponsesPerRPC) Unit() string {
+	return "{count}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientResponsesPerRPC) Description() string {
+	return "Measures the number of messages sent per RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ClientResponsesPerRPC) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ClientResponsesPerRPC) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ServerDuration is an instrument used to record metric values conforming to the
+// "rpc.server.duration" semantic conventions. It represents the measures the
+// duration of inbound RPC.
+type ServerDuration struct {
+	metric.Float64Histogram
+}
+
+var newServerDurationOpts = []metric.Float64HistogramOption{
+	metric.WithDescription("Measures the duration of inbound RPC."),
+	metric.WithUnit("ms"),
+}
+
+// NewServerDuration returns a new ServerDuration instrument.
+func NewServerDuration(
+	m metric.Meter,
+	opt ...metric.Float64HistogramOption,
+) (ServerDuration, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerDuration{noop.Float64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newServerDurationOpts
+	} else {
+		opt = append(opt, newServerDurationOpts...)
+	}
+
+	i, err := m.Float64Histogram(
+		"rpc.server.duration",
+		opt...,
+	)
+	if err != nil {
+		return ServerDuration{noop.Float64Histogram{}}, err
+	}
+	return ServerDuration{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerDuration) Inst() metric.Float64Histogram {
+	return m.Float64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerDuration) Name() string {
+	return "rpc.server.duration"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerDuration) Unit() string {
+	return "ms"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerDuration) Description() string {
+	return "Measures the duration of inbound RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// While streaming RPCs may record this metric as start-of-batch
+// to end-of-batch, it's hard to interpret in practice.
+//
+// **Streaming**: N/A.
+func (m ServerDuration) Record(ctx context.Context, val float64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Float64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// While streaming RPCs may record this metric as start-of-batch
+// to end-of-batch, it's hard to interpret in practice.
+//
+// **Streaming**: N/A.
+func (m ServerDuration) RecordSet(ctx context.Context, val float64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Float64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// ServerRequestSize is an instrument used to record metric values conforming to
+// the "rpc.server.request.size" semantic conventions. It represents the measures
+// the size of RPC request messages (uncompressed).
+type ServerRequestSize struct {
+	metric.Int64Histogram
+}
+
+var newServerRequestSizeOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the size of RPC request messages (uncompressed)."),
+	metric.WithUnit("By"),
+}
+
+// NewServerRequestSize returns a new ServerRequestSize instrument.
+func NewServerRequestSize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerRequestSize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerRequestSize{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newServerRequestSizeOpts
+	} else {
+		opt = append(opt, newServerRequestSizeOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.server.request.size",
+		opt...,
+	)
+	if err != nil {
+		return ServerRequestSize{noop.Int64Histogram{}}, err
+	}
+	return ServerRequestSize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerRequestSize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerRequestSize) Name() string {
+	return "rpc.server.request.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerRequestSize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerRequestSize) Description() string {
+	return "Measures the size of RPC request messages (uncompressed)."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// **Streaming**: Recorded per message in a streaming batch
+func (m ServerRequestSize) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// **Streaming**: Recorded per message in a streaming batch
+func (m ServerRequestSize) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ServerRequestsPerRPC is an instrument used to record metric values conforming
+// to the "rpc.server.requests_per_rpc" semantic conventions. It represents the
+// measures the number of messages received per RPC.
+type ServerRequestsPerRPC struct {
+	metric.Int64Histogram
+}
+
+var newServerRequestsPerRPCOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the number of messages received per RPC."),
+	metric.WithUnit("{count}"),
+}
+
+// NewServerRequestsPerRPC returns a new ServerRequestsPerRPC instrument.
+func NewServerRequestsPerRPC(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerRequestsPerRPC, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerRequestsPerRPC{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newServerRequestsPerRPCOpts
+	} else {
+		opt = append(opt, newServerRequestsPerRPCOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.server.requests_per_rpc",
+		opt...,
+	)
+	if err != nil {
+		return ServerRequestsPerRPC{noop.Int64Histogram{}}, err
+	}
+	return ServerRequestsPerRPC{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerRequestsPerRPC) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerRequestsPerRPC) Name() string {
+	return "rpc.server.requests_per_rpc"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerRequestsPerRPC) Unit() string {
+	return "{count}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerRequestsPerRPC) Description() string {
+	return "Measures the number of messages received per RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming** : This metric is required for server and client streaming RPCs
+func (m ServerRequestsPerRPC) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming** : This metric is required for server and client streaming RPCs
+func (m ServerRequestsPerRPC) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ServerResponseSize is an instrument used to record metric values conforming to
+// the "rpc.server.response.size" semantic conventions. It represents the
+// measures the size of RPC response messages (uncompressed).
+type ServerResponseSize struct {
+	metric.Int64Histogram
+}
+
+var newServerResponseSizeOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the size of RPC response messages (uncompressed)."),
+	metric.WithUnit("By"),
+}
+
+// NewServerResponseSize returns a new ServerResponseSize instrument.
+func NewServerResponseSize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerResponseSize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerResponseSize{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newServerResponseSizeOpts
+	} else {
+		opt = append(opt, newServerResponseSizeOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.server.response.size",
+		opt...,
+	)
+	if err != nil {
+		return ServerResponseSize{noop.Int64Histogram{}}, err
+	}
+	return ServerResponseSize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerResponseSize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerResponseSize) Name() string {
+	return "rpc.server.response.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerResponseSize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerResponseSize) Description() string {
+	return "Measures the size of RPC response messages (uncompressed)."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// **Streaming**: Recorded per response in a streaming batch
+func (m ServerResponseSize) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// **Streaming**: Recorded per response in a streaming batch
+func (m ServerResponseSize) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// ServerResponsesPerRPC is an instrument used to record metric values conforming
+// to the "rpc.server.responses_per_rpc" semantic conventions. It represents the
+// measures the number of messages sent per RPC.
+type ServerResponsesPerRPC struct {
+	metric.Int64Histogram
+}
+
+var newServerResponsesPerRPCOpts = []metric.Int64HistogramOption{
+	metric.WithDescription("Measures the number of messages sent per RPC."),
+	metric.WithUnit("{count}"),
+}
+
+// NewServerResponsesPerRPC returns a new ServerResponsesPerRPC instrument.
+func NewServerResponsesPerRPC(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerResponsesPerRPC, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerResponsesPerRPC{noop.Int64Histogram{}}, nil
+	}
+
+	if len(opt) == 0 {
+		opt = newServerResponsesPerRPCOpts
+	} else {
+		opt = append(opt, newServerResponsesPerRPCOpts...)
+	}
+
+	i, err := m.Int64Histogram(
+		"rpc.server.responses_per_rpc",
+		opt...,
+	)
+	if err != nil {
+		return ServerResponsesPerRPC{noop.Int64Histogram{}}, err
+	}
+	return ServerResponsesPerRPC{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerResponsesPerRPC) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerResponsesPerRPC) Name() string {
+	return "rpc.server.responses_per_rpc"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerResponsesPerRPC) Unit() string {
+	return "{count}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerResponsesPerRPC) Description() string {
+	return "Measures the number of messages sent per RPC."
+}
+
+// Record records val to the current distribution for attrs.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ServerResponsesPerRPC) Record(ctx context.Context, val int64, attrs ...attribute.KeyValue) {
+	if len(attrs) == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributes(attrs...))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// RecordSet records val to the current distribution for set.
+//
+// Should be 1 for all non-streaming RPCs.
+//
+// **Streaming**: This metric is required for server and client streaming RPCs
+func (m ServerResponsesPerRPC) RecordSet(ctx context.Context, val int64, set attribute.Set) {
+	if set.Len() == 0 {
+		m.Int64Histogram.Record(ctx, val)
+		return
+	}
+
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(*o, metric.WithAttributeSet(set))
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
diff --git a/vendor/golang.org/x/mod/modfile/print.go b/vendor/golang.org/x/mod/modfile/print.go
index 2a0123d4b9..48dbd82aec 100644
--- a/vendor/golang.org/x/mod/modfile/print.go
+++ b/vendor/golang.org/x/mod/modfile/print.go
@@ -33,7 +33,7 @@ type printer struct {
 }
 
 // printf prints to the buffer.
-func (p *printer) printf(format string, args ...interface{}) {
+func (p *printer) printf(format string, args ...any) {
 	fmt.Fprintf(p, format, args...)
 }
 
diff --git a/vendor/golang.org/x/mod/modfile/read.go b/vendor/golang.org/x/mod/modfile/read.go
index 2d7486804f..504a2f1df6 100644
--- a/vendor/golang.org/x/mod/modfile/read.go
+++ b/vendor/golang.org/x/mod/modfile/read.go
@@ -94,7 +94,7 @@ func (x *FileSyntax) Span() (start, end Position) {
 // line, the new line is added at the end of the block containing hint,
 // extracting hint into a new block if it is not yet in one.
 //
-// If the hint is non-nil buts its first token does not match,
+// If the hint is non-nil but its first token does not match,
 // the new line is added after the block containing hint
 // (or hint itself, if not in a block).
 //
@@ -600,7 +600,7 @@ func (in *input) readToken() {
 
 	// Checked all punctuation. Must be identifier token.
 	if c := in.peekRune(); !isIdent(c) {
-		in.Error(fmt.Sprintf("unexpected input character %#q", c))
+		in.Error(fmt.Sprintf("unexpected input character %#q", rune(c)))
 	}
 
 	// Scan over identifier.
diff --git a/vendor/golang.org/x/mod/modfile/rule.go b/vendor/golang.org/x/mod/modfile/rule.go
index a86ee4fd82..c5b8305de7 100644
--- a/vendor/golang.org/x/mod/modfile/rule.go
+++ b/vendor/golang.org/x/mod/modfile/rule.go
@@ -368,7 +368,7 @@ func (f *File) add(errs *ErrorList, block *LineBlock, line *Line, verb string, a
 			Err:      err,
 		})
 	}
-	errorf := func(format string, args ...interface{}) {
+	errorf := func(format string, args ...any) {
 		wrapError(fmt.Errorf(format, args...))
 	}
 
@@ -574,7 +574,7 @@ func parseReplace(filename string, line *Line, verb string, args []string, fix V
 			Err:      err,
 		}
 	}
-	errorf := func(format string, args ...interface{}) *Error {
+	errorf := func(format string, args ...any) *Error {
 		return wrapError(fmt.Errorf(format, args...))
 	}
 
@@ -685,7 +685,7 @@ func (f *WorkFile) add(errs *ErrorList, line *Line, verb string, args []string,
 			Err:      err,
 		})
 	}
-	errorf := func(format string, args ...interface{}) {
+	errorf := func(format string, args ...any) {
 		wrapError(fmt.Errorf(format, args...))
 	}
 
@@ -1594,7 +1594,7 @@ func (f *File) AddRetract(vi VersionInterval, rationale string) error {
 		r.Syntax = f.Syntax.addLine(nil, "retract", "[", AutoQuote(vi.Low), ",", AutoQuote(vi.High), "]")
 	}
 	if rationale != "" {
-		for _, line := range strings.Split(rationale, "\n") {
+		for line := range strings.SplitSeq(rationale, "\n") {
 			com := Comment{Token: "// " + line}
 			r.Syntax.Comment().Before = append(r.Syntax.Comment().Before, com)
 		}
diff --git a/vendor/golang.org/x/mod/module/module.go b/vendor/golang.org/x/mod/module/module.go
index 16e1aa7ab4..739c13f48f 100644
--- a/vendor/golang.org/x/mod/module/module.go
+++ b/vendor/golang.org/x/mod/module/module.go
@@ -261,7 +261,7 @@ func modPathOK(r rune) bool {
 
 // importPathOK reports whether r can appear in a package import path element.
 //
-// Import paths are intermediate between module paths and file paths: we allow
+// Import paths are intermediate between module paths and file paths: we
 // disallow characters that would be confusing or ambiguous as arguments to
 // 'go get' (such as '@' and ' ' ), but allow certain characters that are
 // otherwise-unambiguous on the command line and historically used for some
@@ -802,8 +802,8 @@ func MatchPrefixPatterns(globs, target string) bool {
 	for globs != "" {
 		// Extract next non-empty glob in comma-separated list.
 		var glob string
-		if i := strings.Index(globs, ","); i >= 0 {
-			glob, globs = globs[:i], globs[i+1:]
+		if before, after, ok := strings.Cut(globs, ","); ok {
+			glob, globs = before, after
 		} else {
 			glob, globs = globs, ""
 		}
diff --git a/vendor/golang.org/x/mod/semver/semver.go b/vendor/golang.org/x/mod/semver/semver.go
index 628f8fd687..824b282c83 100644
--- a/vendor/golang.org/x/mod/semver/semver.go
+++ b/vendor/golang.org/x/mod/semver/semver.go
@@ -45,8 +45,8 @@ func IsValid(v string) bool {
 
 // Canonical returns the canonical formatting of the semantic version v.
 // It fills in any missing .MINOR or .PATCH and discards build metadata.
-// Two semantic versions compare equal only if their canonical formattings
-// are identical strings.
+// Two semantic versions compare equal only if their canonical formatting
+// is an identical string.
 // The canonical invalid semantic version is the empty string.
 func Canonical(v string) string {
 	p, ok := parse(v)
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 1965913e54..ccb87e6da3 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -376,11 +376,24 @@ type ClientConn struct {
 	// completely unresponsive connection.
 	pendingResets int
 
+	// readBeforeStreamID is the smallest stream ID that has not been followed by
+	// a frame read from the peer. We use this to determine when a request may
+	// have been sent to a completely unresponsive connection:
+	// If the request ID is less than readBeforeStreamID, then we have had some
+	// indication of life on the connection since sending the request.
+	readBeforeStreamID uint32
+
 	// reqHeaderMu is a 1-element semaphore channel controlling access to sending new requests.
 	// Write to reqHeaderMu to lock it, read from it to unlock.
 	// Lock reqmu BEFORE mu or wmu.
 	reqHeaderMu chan struct{}
 
+	// internalStateHook reports state changes back to the net/http.ClientConn.
+	// Note that this is different from the user state hook registered by
+	// net/http.ClientConn.SetStateHook: The internal hook calls ClientConn,
+	// which calls the user hook.
+	internalStateHook func()
+
 	// wmu is held while writing.
 	// Acquire BEFORE mu when holding both, to avoid blocking mu on network writes.
 	// Only acquire both at the same time when changing peer settings.
@@ -710,7 +723,7 @@ func canRetryError(err error) bool {
 
 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {
 	if t.transportTestHooks != nil {
-		return t.newClientConn(nil, singleUse)
+		return t.newClientConn(nil, singleUse, nil)
 	}
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -720,7 +733,7 @@ func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse b
 	if err != nil {
 		return nil, err
 	}
-	return t.newClientConn(tconn, singleUse)
+	return t.newClientConn(tconn, singleUse, nil)
 }
 
 func (t *Transport) newTLSConfig(host string) *tls.Config {
@@ -772,10 +785,10 @@ func (t *Transport) expectContinueTimeout() time.Duration {
 }
 
 func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
-	return t.newClientConn(c, t.disableKeepAlives())
+	return t.newClientConn(c, t.disableKeepAlives(), nil)
 }
 
-func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, error) {
+func (t *Transport) newClientConn(c net.Conn, singleUse bool, internalStateHook func()) (*ClientConn, error) {
 	conf := configFromTransport(t)
 	cc := &ClientConn{
 		t:                           t,
@@ -797,6 +810,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		pings:                       make(map[[8]byte]chan struct{}),
 		reqHeaderMu:                 make(chan struct{}, 1),
 		lastActive:                  time.Now(),
+		internalStateHook:           internalStateHook,
 	}
 	if t.transportTestHooks != nil {
 		t.transportTestHooks.newclientconn(cc)
@@ -1037,10 +1051,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 		maxConcurrentOkay = cc.currentRequestCountLocked() < int(cc.maxConcurrentStreams)
 	}
 
-	st.canTakeNewRequest = cc.goAway == nil && !cc.closed && !cc.closing && maxConcurrentOkay &&
-		!cc.doNotReuse &&
-		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
-		!cc.tooIdleLocked()
+	st.canTakeNewRequest = maxConcurrentOkay && cc.isUsableLocked()
 
 	// If this connection has never been used for a request and is closed,
 	// then let it take a request (which will fail).
@@ -1056,6 +1067,31 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 	return
 }
 
+func (cc *ClientConn) isUsableLocked() bool {
+	return cc.goAway == nil &&
+		!cc.closed &&
+		!cc.closing &&
+		!cc.doNotReuse &&
+		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
+		!cc.tooIdleLocked()
+}
+
+// canReserveLocked reports whether a net/http.ClientConn can reserve a slot on this conn.
+//
+// This follows slightly different rules than clientConnIdleState.canTakeNewRequest.
+// We only permit reservations up to the conn's concurrency limit.
+// This differs from ClientConn.ReserveNewRequest, which permits reservations
+// past the limit when StrictMaxConcurrentStreams is set.
+func (cc *ClientConn) canReserveLocked() bool {
+	if cc.currentRequestCountLocked() >= int(cc.maxConcurrentStreams) {
+		return false
+	}
+	if !cc.isUsableLocked() {
+		return false
+	}
+	return true
+}
+
 // currentRequestCountLocked reports the number of concurrency slots currently in use,
 // including active streams, reserved slots, and reset streams waiting for acknowledgement.
 func (cc *ClientConn) currentRequestCountLocked() int {
@@ -1067,6 +1103,14 @@ func (cc *ClientConn) canTakeNewRequestLocked() bool {
 	return st.canTakeNewRequest
 }
 
+// availableLocked reports the number of concurrency slots available.
+func (cc *ClientConn) availableLocked() int {
+	if !cc.canTakeNewRequestLocked() {
+		return 0
+	}
+	return max(0, int(cc.maxConcurrentStreams)-cc.currentRequestCountLocked())
+}
+
 // tooIdleLocked reports whether this connection has been been sitting idle
 // for too much wall time.
 func (cc *ClientConn) tooIdleLocked() bool {
@@ -1091,6 +1135,7 @@ func (cc *ClientConn) closeConn() {
 	t := time.AfterFunc(250*time.Millisecond, cc.forceCloseConn)
 	defer t.Stop()
 	cc.tconn.Close()
+	cc.maybeCallStateHook()
 }
 
 // A tls.Conn.Close can hang for a long time if the peer is unresponsive.
@@ -1616,6 +1661,8 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 	bodyClosed := cs.reqBodyClosed
 	closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() || cc.goAway != nil
+	// Have we read any frames from the connection since sending this request?
+	readSinceStream := cc.readBeforeStreamID > cs.ID
 	cc.mu.Unlock()
 	if mustCloseBody {
 		cs.reqBody.Close()
@@ -1647,8 +1694,10 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				//
 				// This could be due to the server becoming unresponsive.
 				// To avoid sending too many requests on a dead connection,
-				// we let the request continue to consume a concurrency slot
-				// until we can confirm the server is still responding.
+				// if we haven't read any frames from the connection since
+				// sending this request, we let it continue to consume
+				// a concurrency slot until we can confirm the server is
+				// still responding.
 				// We do this by sending a PING frame along with the RST_STREAM
 				// (unless a ping is already in flight).
 				//
@@ -1659,7 +1708,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				// because it's short lived and will probably be closed before
 				// we get the ping response.
 				ping := false
-				if !closeOnIdle {
+				if !closeOnIdle && !readSinceStream {
 					cc.mu.Lock()
 					// rstStreamPingsBlocked works around a gRPC behavior:
 					// see comment on the field for details.
@@ -1693,6 +1742,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 
 	close(cs.donec)
+	cc.maybeCallStateHook()
 }
 
 // awaitOpenSlotForStreamLocked waits until len(streams) < maxConcurrentStreams.
@@ -2745,6 +2795,7 @@ func (rl *clientConnReadLoop) streamByID(id uint32, headerOrData bool) *clientSt
 		// See comment on ClientConn.rstStreamPingsBlocked for details.
 		rl.cc.rstStreamPingsBlocked = false
 	}
+	rl.cc.readBeforeStreamID = rl.cc.nextStreamID
 	cs := rl.cc.streams[id]
 	if cs != nil && !cs.readAborted {
 		return cs
@@ -2795,6 +2846,7 @@ func (rl *clientConnReadLoop) processSettings(f *SettingsFrame) error {
 
 func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
 	cc := rl.cc
+	defer cc.maybeCallStateHook()
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 
@@ -2975,6 +3027,7 @@ func (cc *ClientConn) Ping(ctx context.Context) error {
 func (rl *clientConnReadLoop) processPing(f *PingFrame) error {
 	if f.IsAck() {
 		cc := rl.cc
+		defer cc.maybeCallStateHook()
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
 		// If ack, notify listener if any
@@ -3198,9 +3251,13 @@ func registerHTTPSProtocol(t *http.Transport, rt noDialH2RoundTripper) (err erro
 }
 
 // noDialH2RoundTripper is a RoundTripper which only tries to complete the request
-// if there's already has a cached connection to the host.
+// if there's already a cached connection to the host.
 // (The field is exported so it can be accessed via reflect from net/http; tested
 // by TestNoDialH2RoundTripperType)
+//
+// A noDialH2RoundTripper is registered with http1.Transport.RegisterProtocol,
+// and the http1.Transport can use type assertions to call non-RoundTrip methods on it.
+// This lets us expose, for example, NewClientConn to net/http.
 type noDialH2RoundTripper struct{ *Transport }
 
 func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -3211,6 +3268,85 @@ func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, err
 	return res, err
 }
 
+func (rt noDialH2RoundTripper) NewClientConn(conn net.Conn, internalStateHook func()) (http.RoundTripper, error) {
+	tr := rt.Transport
+	cc, err := tr.newClientConn(conn, tr.disableKeepAlives(), internalStateHook)
+	if err != nil {
+		return nil, err
+	}
+
+	// RoundTrip should block when the conn is at its concurrency limit,
+	// not return an error. Setting strictMaxConcurrentStreams enables this.
+	cc.strictMaxConcurrentStreams = true
+
+	return netHTTPClientConn{cc}, nil
+}
+
+// netHTTPClientConn wraps ClientConn and implements the interface net/http expects from
+// the RoundTripper returned by NewClientConn.
+type netHTTPClientConn struct {
+	cc *ClientConn
+}
+
+func (cc netHTTPClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	return cc.cc.RoundTrip(req)
+}
+
+func (cc netHTTPClientConn) Close() error {
+	return cc.cc.Close()
+}
+
+func (cc netHTTPClientConn) Err() error {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if cc.cc.closed {
+		return errors.New("connection closed")
+	}
+	return nil
+}
+
+func (cc netHTTPClientConn) Reserve() error {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if !cc.cc.canReserveLocked() {
+		return errors.New("connection is unavailable")
+	}
+	cc.cc.streamsReserved++
+	return nil
+}
+
+func (cc netHTTPClientConn) Release() {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	// We don't complain if streamsReserved is 0.
+	//
+	// This is consistent with RoundTrip: both Release and RoundTrip will
+	// consume a reservation iff one exists.
+	if cc.cc.streamsReserved > 0 {
+		cc.cc.streamsReserved--
+	}
+}
+
+func (cc netHTTPClientConn) Available() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.availableLocked()
+}
+
+func (cc netHTTPClientConn) InFlight() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.currentRequestCountLocked()
+}
+
+func (cc *ClientConn) maybeCallStateHook() {
+	if cc.internalStateHook != nil {
+		cc.internalStateHook()
+	}
+}
+
 func (t *Transport) idleConnTimeout() time.Duration {
 	// to keep things backwards compatible, we use non-zero values of
 	// IdleConnTimeout, followed by using the IdleConnTimeout on the underlying
diff --git a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
index cb4cadc32d..dfbfc1eb34 100644
--- a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
@@ -37,6 +37,15 @@ type priorityWriteSchedulerRFC9218 struct {
 	// incremental streams or not, when urgency is the same in a given Pop()
 	// call.
 	prioritizeIncremental bool
+
+	// priorityUpdateBuf is used to buffer the most recent PRIORITY_UPDATE we
+	// receive per https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priority_update-frame.
+	priorityUpdateBuf struct {
+		// streamID being 0 means that the buffer is empty. This is a safe
+		// assumption as PRIORITY_UPDATE for stream 0 is a PROTOCOL_ERROR.
+		streamID uint32
+		priority PriorityParam
+	}
 }
 
 func newPriorityWriteSchedulerRFC9218() WriteScheduler {
@@ -50,6 +59,10 @@ func (ws *priorityWriteSchedulerRFC9218) OpenStream(streamID uint32, opt OpenStr
 	if ws.streams[streamID].location != nil {
 		panic(fmt.Errorf("stream %d already opened", streamID))
 	}
+	if streamID == ws.priorityUpdateBuf.streamID {
+		ws.priorityUpdateBuf.streamID = 0
+		opt.priority = ws.priorityUpdateBuf.priority
+	}
 	q := ws.queuePool.get()
 	ws.streams[streamID] = streamMetadata{
 		location: q,
@@ -95,6 +108,8 @@ func (ws *priorityWriteSchedulerRFC9218) AdjustStream(streamID uint32, priority
 	metadata := ws.streams[streamID]
 	q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
 	if q == nil {
+		ws.priorityUpdateBuf.streamID = streamID
+		ws.priorityUpdateBuf.priority = priority
 		return
 	}
 
diff --git a/vendor/golang.org/x/net/trace/events.go b/vendor/golang.org/x/net/trace/events.go
index 3aaffdd1f7..c2b3c00980 100644
--- a/vendor/golang.org/x/net/trace/events.go
+++ b/vendor/golang.org/x/net/trace/events.go
@@ -58,8 +58,8 @@ func RenderEvents(w http.ResponseWriter, req *http.Request, sensitive bool) {
 		Buckets: buckets,
 	}
 
-	data.Families = make([]string, 0, len(families))
 	famMu.RLock()
+	data.Families = make([]string, 0, len(families))
 	for name := range families {
 		data.Families = append(data.Families, name)
 	}
diff --git a/vendor/golang.org/x/net/websocket/hybi.go b/vendor/golang.org/x/net/websocket/hybi.go
index dda7434666..c7e76cd91b 100644
--- a/vendor/golang.org/x/net/websocket/hybi.go
+++ b/vendor/golang.org/x/net/websocket/hybi.go
@@ -440,6 +440,7 @@ func hybiClientHandshake(config *Config, br *bufio.Reader, bw *bufio.Writer) (er
 	if err != nil {
 		return err
 	}
+	defer resp.Body.Close()
 	if resp.StatusCode != 101 {
 		return ErrBadStatus
 	}
diff --git a/vendor/golang.org/x/oauth2/deviceauth.go b/vendor/golang.org/x/oauth2/deviceauth.go
index e99c92f39c..e783a94374 100644
--- a/vendor/golang.org/x/oauth2/deviceauth.go
+++ b/vendor/golang.org/x/oauth2/deviceauth.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"mime"
 	"net/http"
 	"net/url"
 	"strings"
@@ -116,10 +117,38 @@ func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAu
 		return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
 	}
 	if code := r.StatusCode; code < 200 || code > 299 {
-		return nil, &RetrieveError{
+		retrieveError := &RetrieveError{
 			Response: r,
 			Body:     body,
 		}
+
+		content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
+		switch content {
+		case "application/x-www-form-urlencoded", "text/plain":
+			// some endpoints return a query string
+			vals, err := url.ParseQuery(string(body))
+			if err != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = vals.Get("error")
+			retrieveError.ErrorDescription = vals.Get("error_description")
+			retrieveError.ErrorURI = vals.Get("error_uri")
+		default:
+			var tj struct {
+				// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+				ErrorCode        string `json:"error"`
+				ErrorDescription string `json:"error_description"`
+				ErrorURI         string `json:"error_uri"`
+			}
+			if json.Unmarshal(body, &tj) != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = tj.ErrorCode
+			retrieveError.ErrorDescription = tj.ErrorDescription
+			retrieveError.ErrorURI = tj.ErrorURI
+		}
+
+		return nil, retrieveError
 	}
 
 	da := &DeviceAuthResponse{}
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index de34feb844..5c527d31fd 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -9,7 +9,6 @@
 package oauth2 // import "golang.org/x/oauth2"
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"net/http"
@@ -99,7 +98,7 @@ const (
 	// in the POST body as application/x-www-form-urlencoded parameters.
 	AuthStyleInParams AuthStyle = 1
 
-	// AuthStyleInHeader sends the client_id and client_password
+	// AuthStyleInHeader sends the client_id and client_secret
 	// using HTTP Basic Authorization. This is an optional style
 	// described in the OAuth2 RFC 6749 section 2.3.1.
 	AuthStyleInHeader AuthStyle = 2
@@ -158,7 +157,7 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
 // PKCE), https://www.oauth.com/oauth2-servers/pkce/ and
 // https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#name-cross-site-request-forgery (describing both approaches)
 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
-	var buf bytes.Buffer
+	var buf strings.Builder
 	buf.WriteString(c.Endpoint.AuthURL)
 	v := url.Values{
 		"response_type": {"code"},
diff --git a/vendor/golang.org/x/oauth2/pkce.go b/vendor/golang.org/x/oauth2/pkce.go
index cea8374d51..f99384f0f5 100644
--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 	return base64.RawURLEncoding.EncodeToString(sha[:])
 }
 
-// S256ChallengeOption derives a PKCE code challenge derived from verifier with
+// S256ChallengeOption derives a PKCE code challenge from the verifier with
 // method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
diff --git a/vendor/golang.org/x/oauth2/token.go b/vendor/golang.org/x/oauth2/token.go
index 239ec32962..e995eebb5e 100644
--- a/vendor/golang.org/x/oauth2/token.go
+++ b/vendor/golang.org/x/oauth2/token.go
@@ -103,7 +103,7 @@ func (t *Token) WithExtra(extra any) *Token {
 }
 
 // Extra returns an extra field.
-// Extra fields are key-value pairs returned by the server as a
+// Extra fields are key-value pairs returned by the server as
 // part of the token retrieval response.
 func (t *Token) Extra(key string) any {
 	if raw, ok := t.raw.(map[string]any); ok {
diff --git a/vendor/golang.org/x/oauth2/transport.go b/vendor/golang.org/x/oauth2/transport.go
index 8bbebbac9e..9922ec3316 100644
--- a/vendor/golang.org/x/oauth2/transport.go
+++ b/vendor/golang.org/x/oauth2/transport.go
@@ -58,7 +58,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 var cancelOnce sync.Once
 
 // CancelRequest does nothing. It used to be a legacy cancellation mechanism
-// but now only it only logs on first use to warn that it's deprecated.
+// but now only logs on first use to warn that it's deprecated.
 //
 // Deprecated: use contexts for cancellation instead.
 func (t *Transport) CancelRequest(req *http.Request) {
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 2f45dbc86e..f69fd75468 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -144,8 +144,8 @@ func (g *Group) SetLimit(n int) {
 		g.sem = nil
 		return
 	}
-	if len(g.sem) != 0 {
-		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	if active := len(g.sem); active != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", active))
 	}
 	g.sem = make(chan token, n)
 }
diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go
index 9255449b9b..6ec537cdc1 100644
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -160,7 +160,9 @@ const (
 	keyEnd
 	keyDeleteWord
 	keyDeleteLine
+	keyDelete
 	keyClearScreen
+	keyTranspose
 	keyPasteStart
 	keyPasteEnd
 )
@@ -194,6 +196,8 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 			return keyDeleteLine, b[1:]
 		case 12: // ^L
 			return keyClearScreen, b[1:]
+		case 20: // ^T
+			return keyTranspose, b[1:]
 		case 23: // ^W
 			return keyDeleteWord, b[1:]
 		case 14: // ^N
@@ -228,6 +232,10 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 		}
 	}
 
+	if !pasteActive && len(b) >= 4 && b[0] == keyEscape && b[1] == '[' && b[2] == '3' && b[3] == '~' {
+		return keyDelete, b[4:]
+	}
+
 	if !pasteActive && len(b) >= 6 && b[0] == keyEscape && b[1] == '[' && b[2] == '1' && b[3] == ';' && b[4] == '3' {
 		switch b[5] {
 		case 'C':
@@ -590,7 +598,7 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 		}
 		t.line = t.line[:t.pos]
 		t.moveCursorToPos(t.pos)
-	case keyCtrlD:
+	case keyCtrlD, keyDelete:
 		// Erase the character under the current position.
 		// The EOF case when the line is empty is handled in
 		// readLine().
@@ -600,6 +608,24 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 		}
 	case keyCtrlU:
 		t.eraseNPreviousChars(t.pos)
+	case keyTranspose:
+		// This transposes the two characters around the cursor and advances the cursor. Best-effort.
+		if len(t.line) < 2 || t.pos < 1 {
+			return
+		}
+		swap := t.pos
+		if swap == len(t.line) {
+			swap-- // special: at end of line, swap previous two chars
+		}
+		t.line[swap-1], t.line[swap] = t.line[swap], t.line[swap-1]
+		if t.pos < len(t.line) {
+			t.pos++
+		}
+		if t.echo {
+			t.moveCursorToPos(swap - 1)
+			t.writeLine(t.line[swap-1:])
+			t.moveCursorToPos(t.pos)
+		}
 	case keyClearScreen:
 		// Erases the screen and moves the cursor to the home position.
 		t.queue([]rune("\x1b[2J\x1b[H"))
diff --git a/vendor/golang.org/x/text/encoding/japanese/eucjp.go b/vendor/golang.org/x/text/encoding/japanese/eucjp.go
index 79313fa589..6fce8c5f52 100644
--- a/vendor/golang.org/x/text/encoding/japanese/eucjp.go
+++ b/vendor/golang.org/x/text/encoding/japanese/eucjp.go
@@ -17,9 +17,9 @@ import (
 var EUCJP encoding.Encoding = &eucJP
 
 var eucJP = internal.Encoding{
-	&internal.SimpleEncoding{eucJPDecoder{}, eucJPEncoder{}},
-	"EUC-JP",
-	identifier.EUCPkdFmtJapanese,
+	Encoding: &internal.SimpleEncoding{Decoder: eucJPDecoder{}, Encoder: eucJPEncoder{}},
+	Name:     "EUC-JP",
+	MIB:      identifier.EUCPkdFmtJapanese,
 }
 
 type eucJPDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go b/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
index 613226df5e..6f7bd460a6 100644
--- a/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
+++ b/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go
@@ -17,9 +17,9 @@ import (
 var ISO2022JP encoding.Encoding = &iso2022JP
 
 var iso2022JP = internal.Encoding{
-	internal.FuncEncoding{iso2022JPNewDecoder, iso2022JPNewEncoder},
-	"ISO-2022-JP",
-	identifier.ISO2022JP,
+	Encoding: internal.FuncEncoding{Decoder: iso2022JPNewDecoder, Encoder: iso2022JPNewEncoder},
+	Name:     "ISO-2022-JP",
+	MIB:      identifier.ISO2022JP,
 }
 
 func iso2022JPNewDecoder() transform.Transformer {
diff --git a/vendor/golang.org/x/text/encoding/japanese/shiftjis.go b/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
index 16fd8a6e3e..af65d43d95 100644
--- a/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
+++ b/vendor/golang.org/x/text/encoding/japanese/shiftjis.go
@@ -18,9 +18,9 @@ import (
 var ShiftJIS encoding.Encoding = &shiftJIS
 
 var shiftJIS = internal.Encoding{
-	&internal.SimpleEncoding{shiftJISDecoder{}, shiftJISEncoder{}},
-	"Shift JIS",
-	identifier.ShiftJIS,
+	Encoding: &internal.SimpleEncoding{Decoder: shiftJISDecoder{}, Encoder: shiftJISEncoder{}},
+	Name:     "Shift JIS",
+	MIB:      identifier.ShiftJIS,
 }
 
 type shiftJISDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/korean/euckr.go b/vendor/golang.org/x/text/encoding/korean/euckr.go
index 034337f5df..81c834730c 100644
--- a/vendor/golang.org/x/text/encoding/korean/euckr.go
+++ b/vendor/golang.org/x/text/encoding/korean/euckr.go
@@ -20,9 +20,9 @@ var All = []encoding.Encoding{EUCKR}
 var EUCKR encoding.Encoding = &eucKR
 
 var eucKR = internal.Encoding{
-	&internal.SimpleEncoding{eucKRDecoder{}, eucKREncoder{}},
-	"EUC-KR",
-	identifier.EUCKR,
+	Encoding: &internal.SimpleEncoding{Decoder: eucKRDecoder{}, Encoder: eucKREncoder{}},
+	Name:     "EUC-KR",
+	MIB:      identifier.EUCKR,
 }
 
 type eucKRDecoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go b/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
index 0e0fabfd6b..2f2fd5d449 100644
--- a/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
+++ b/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go
@@ -22,21 +22,21 @@ var (
 )
 
 var gbk = internal.Encoding{
-	&internal.SimpleEncoding{
-		gbkDecoder{gb18030: false},
-		gbkEncoder{gb18030: false},
+	Encoding: &internal.SimpleEncoding{
+		Decoder: gbkDecoder{gb18030: false},
+		Encoder: gbkEncoder{gb18030: false},
 	},
-	"GBK",
-	identifier.GBK,
+	Name: "GBK",
+	MIB:  identifier.GBK,
 }
 
 var gbk18030 = internal.Encoding{
-	&internal.SimpleEncoding{
-		gbkDecoder{gb18030: true},
-		gbkEncoder{gb18030: true},
+	Encoding: &internal.SimpleEncoding{
+		Decoder: gbkDecoder{gb18030: true},
+		Encoder: gbkEncoder{gb18030: true},
 	},
-	"GB18030",
-	identifier.GB18030,
+	Name: "GB18030",
+	MIB:  identifier.GB18030,
 }
 
 type gbkDecoder struct {
diff --git a/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go b/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
index e15b7bf6a7..351750e60e 100644
--- a/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
+++ b/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go
@@ -17,9 +17,9 @@ import (
 var HZGB2312 encoding.Encoding = &hzGB2312
 
 var hzGB2312 = internal.Encoding{
-	internal.FuncEncoding{hzGB2312NewDecoder, hzGB2312NewEncoder},
-	"HZ-GB2312",
-	identifier.HZGB2312,
+	Encoding: internal.FuncEncoding{Decoder: hzGB2312NewDecoder, Encoder: hzGB2312NewEncoder},
+	Name:     "HZ-GB2312",
+	MIB:      identifier.HZGB2312,
 }
 
 func hzGB2312NewDecoder() transform.Transformer {
diff --git a/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go b/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
index 1fcddde082..5046920ee0 100644
--- a/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
+++ b/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go
@@ -20,9 +20,9 @@ var All = []encoding.Encoding{Big5}
 var Big5 encoding.Encoding = &big5
 
 var big5 = internal.Encoding{
-	&internal.SimpleEncoding{big5Decoder{}, big5Encoder{}},
-	"Big5",
-	identifier.Big5,
+	Encoding: &internal.SimpleEncoding{Decoder: big5Decoder{}, Encoder: big5Encoder{}},
+	Name:     "Big5",
+	MIB:      identifier.Big5,
 }
 
 type big5Decoder struct{ transform.NopResetter }
diff --git a/vendor/golang.org/x/text/encoding/unicode/unicode.go b/vendor/golang.org/x/text/encoding/unicode/unicode.go
index dd99ad14d3..ce28c90628 100644
--- a/vendor/golang.org/x/text/encoding/unicode/unicode.go
+++ b/vendor/golang.org/x/text/encoding/unicode/unicode.go
@@ -60,9 +60,9 @@ func (utf8bomEncoding) NewDecoder() *encoding.Decoder {
 }
 
 var utf8enc = &internal.Encoding{
-	&internal.SimpleEncoding{utf8Decoder{}, runes.ReplaceIllFormed()},
-	"UTF-8",
-	identifier.UTF8,
+	Encoding: &internal.SimpleEncoding{Decoder: utf8Decoder{}, Encoder: runes.ReplaceIllFormed()},
+	Name:     "UTF-8",
+	MIB:      identifier.UTF8,
 }
 
 type utf8bomDecoder struct {
diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go
index 794b2e32bf..563270c154 100644
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@@ -195,7 +195,7 @@ func (r *Reservation) CancelAt(t time.Time) {
 	// update state
 	r.lim.last = t
 	r.lim.tokens = tokens
-	if r.timeToAct == r.lim.lastEvent {
+	if r.timeToAct.Equal(r.lim.lastEvent) {
 		prevEvent := r.timeToAct.Add(r.limit.durationFromTokens(float64(-r.tokens)))
 		if !prevEvent.Before(t) {
 			r.lim.lastEvent = prevEvent
diff --git a/vendor/golang.org/x/time/rate/sometimes.go b/vendor/golang.org/x/time/rate/sometimes.go
index 6ba99ddb67..9b83932692 100644
--- a/vendor/golang.org/x/time/rate/sometimes.go
+++ b/vendor/golang.org/x/time/rate/sometimes.go
@@ -61,7 +61,9 @@ func (s *Sometimes) Do(f func()) {
 		(s.Every > 0 && s.count%s.Every == 0) ||
 		(s.Interval > 0 && time.Since(s.last) >= s.Interval) {
 		f()
-		s.last = time.Now()
+		if s.Interval > 0 {
+			s.last = time.Now()
+		}
 	}
 	s.count++
 }
diff --git a/vendor/golang.org/x/tools/go/analysis/diagnostic.go b/vendor/golang.org/x/tools/go/analysis/diagnostic.go
index f6118bec64..527540c62c 100644
--- a/vendor/golang.org/x/tools/go/analysis/diagnostic.go
+++ b/vendor/golang.org/x/tools/go/analysis/diagnostic.go
@@ -33,8 +33,9 @@ type Diagnostic struct {
 	URL string
 
 	// SuggestedFixes is an optional list of fixes to address the
-	// problem described by the diagnostic. Each one represents
-	// an alternative strategy; at most one may be applied.
+	// problem described by the diagnostic. Each one represents an
+	// alternative strategy, and should have a distinct and
+	// descriptive message; at most one may be applied.
 	//
 	// Fixes for different diagnostics should be treated as
 	// independent changes to the same baseline file state,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go b/vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go
index e554c3cc90..8ccf982d23 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go
@@ -13,9 +13,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 //go:embed doc.go
@@ -23,7 +23,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "appends",
-	Doc:      analysisutil.MustExtractDoc(doc, "appends"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "appends"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/appends",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go b/vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go
index efbf05d596..ba9ca38a81 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go
@@ -19,7 +19,7 @@ import (
 	"strings"
 
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 const Doc = "report mismatches between assembly files and Go declarations"
@@ -175,7 +175,7 @@ func run(pass *analysis.Pass) (any, error) {
 
 Files:
 	for _, fname := range sfiles {
-		content, tf, err := analysisutil.ReadFile(pass, fname)
+		content, tf, err := analyzerutil.ReadFile(pass, fname)
 		if err != nil {
 			return nil, err
 		}
@@ -211,7 +211,7 @@ Files:
 					resultStr = "result register"
 				}
 				for _, line := range retLine {
-					pass.Reportf(analysisutil.LineStart(tf, line), "[%s] %s: RET without writing to %s", arch, fnName, resultStr)
+					pass.Reportf(tf.LineStart(line), "[%s] %s: RET without writing to %s", arch, fnName, resultStr)
 				}
 			}
 			retLine = nil
@@ -227,7 +227,7 @@ Files:
 			lineno++
 
 			badf := func(format string, args ...any) {
-				pass.Reportf(analysisutil.LineStart(tf, lineno), "[%s] %s: %s", arch, fnName, fmt.Sprintf(format, args...))
+				pass.Reportf(tf.LineStart(lineno), "[%s] %s: %s", arch, fnName, fmt.Sprintf(format, args...))
 			}
 
 			if arch == "" {
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go b/vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go
index dfe68d9b15..69734df825 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go
@@ -17,9 +17,11 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/astutil"
+	"golang.org/x/tools/internal/refactor"
+	"golang.org/x/tools/internal/typesinternal"
 )
 
 //go:embed doc.go
@@ -27,26 +29,26 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "assign",
-	Doc:      analysisutil.MustExtractDoc(doc, "assign"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "assign"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/assign",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
 }
 
 func run(pass *analysis.Pass) (any, error) {
-	inspect := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
+	var (
+		inspect = pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
+		info    = pass.TypesInfo
+	)
 
-	nodeFilter := []ast.Node{
-		(*ast.AssignStmt)(nil),
-	}
-	inspect.Preorder(nodeFilter, func(n ast.Node) {
-		stmt := n.(*ast.AssignStmt)
+	for curAssign := range inspect.Root().Preorder((*ast.AssignStmt)(nil)) {
+		stmt := curAssign.Node().(*ast.AssignStmt)
 		if stmt.Tok != token.ASSIGN {
-			return // ignore :=
+			continue // ignore :=
 		}
 		if len(stmt.Lhs) != len(stmt.Rhs) {
 			// If LHS and RHS have different cardinality, they can't be the same.
-			return
+			continue
 		}
 
 		// Delete redundant LHS, RHS pairs, taking care
@@ -61,9 +63,9 @@ func run(pass *analysis.Pass) (any, error) {
 			isSelfAssign := false
 			var le string
 
-			if !analysisutil.HasSideEffects(pass.TypesInfo, lhs) &&
-				!analysisutil.HasSideEffects(pass.TypesInfo, rhs) &&
-				!isMapIndex(pass.TypesInfo, lhs) &&
+			if typesinternal.NoEffects(info, lhs) &&
+				typesinternal.NoEffects(info, rhs) &&
+				!isMapIndex(info, lhs) &&
 				reflect.TypeOf(lhs) == reflect.TypeOf(rhs) { // short-circuit the heavy-weight gofmt check
 
 				le = astutil.Format(pass.Fset, lhs)
@@ -109,13 +111,14 @@ func run(pass *analysis.Pass) (any, error) {
 		}
 
 		if len(exprs) == 0 {
-			return
+			continue
 		}
 
 		if len(exprs) == len(stmt.Lhs) {
 			// If every part of the statement is a self-assignment,
 			// remove the whole statement.
-			edits = []analysis.TextEdit{{Pos: stmt.Pos(), End: stmt.End()}}
+			tokFile := pass.Fset.File(stmt.Pos())
+			edits = refactor.DeleteStmt(tokFile, curAssign)
 		}
 
 		pass.Report(analysis.Diagnostic{
@@ -126,7 +129,7 @@ func run(pass *analysis.Pass) (any, error) {
 				TextEdits: edits,
 			}},
 		})
-	})
+	}
 
 	return nil, nil
 }
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go b/vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go
index ddd875b23b..c6ab7ff7a2 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go
@@ -11,9 +11,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
@@ -23,7 +23,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:             "atomic",
-	Doc:              analysisutil.MustExtractDoc(doc, "atomic"),
+	Doc:              analyzerutil.MustExtractDoc(doc, "atomic"),
 	URL:              "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/atomic",
 	Requires:         []*analysis.Analyzer{inspect.Analyzer},
 	RunDespiteErrors: true,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go b/vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go
index 3c2a82dce3..574fafaa95 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go
@@ -13,9 +13,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/internal/astutil"
+	"golang.org/x/tools/internal/typesinternal"
 )
 
 const Doc = "check for common mistakes involving boolean operators"
@@ -84,7 +84,7 @@ func (op boolOp) commutativeSets(info *types.Info, e *ast.BinaryExpr, seen map[*
 	i := 0
 	var sets [][]ast.Expr
 	for j := 0; j <= len(exprs); j++ {
-		if j == len(exprs) || analysisutil.HasSideEffects(info, exprs[j]) {
+		if j == len(exprs) || !typesinternal.NoEffects(info, exprs[j]) {
 			if i < j {
 				sets = append(sets, exprs[i:j])
 			}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go b/vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go
index f49fea5176..37c878ef31 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go
@@ -11,10 +11,14 @@ package buildssa
 import (
 	"go/ast"
 	"go/types"
+	"iter"
 	"reflect"
 
 	"golang.org/x/tools/go/analysis"
+	"golang.org/x/tools/go/analysis/passes/ctrlflow"
+	"golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal"
 	"golang.org/x/tools/go/ssa"
+	"golang.org/x/tools/internal/ssainternal"
 )
 
 var Analyzer = &analysis.Analyzer{
@@ -22,7 +26,13 @@ var Analyzer = &analysis.Analyzer{
 	Doc:        "build SSA-form IR for later passes",
 	URL:        "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/buildssa",
 	Run:        run,
-	ResultType: reflect.TypeOf(new(SSA)),
+	Requires:   []*analysis.Analyzer{ctrlflow.Analyzer},
+	ResultType: reflect.TypeFor[*SSA](),
+	// Do not add FactTypes here: SSA construction of P must not
+	// require SSA construction of all of P's dependencies.
+	// (That's why we enlist the cheaper ctrlflow pass to compute
+	// noreturn instead of having go/ssa + buildssa do it.)
+	FactTypes: nil,
 }
 
 // SSA provides SSA-form intermediate representation for all the
@@ -33,6 +43,8 @@ type SSA struct {
 }
 
 func run(pass *analysis.Pass) (any, error) {
+	cfgs := pass.ResultOf[ctrlflow.Analyzer].(*ctrlflow.CFGs)
+
 	// We must create a new Program for each Package because the
 	// analysis API provides no place to hang a Program shared by
 	// all Packages. Consequently, SSA Packages and Functions do not
@@ -49,6 +61,11 @@ func run(pass *analysis.Pass) (any, error) {
 
 	prog := ssa.NewProgram(pass.Fset, mode)
 
+	// Use the result of the ctrlflow analysis to improve the SSA CFG.
+	ssainternal.SetNoReturn(prog, func(fn *types.Func) bool {
+		return ctrlflowinternal.NoReturn(cfgs, fn)
+	})
+
 	// Create SSA packages for direct imports.
 	for _, p := range pass.Pkg.Imports() {
 		prog.CreatePackage(p, nil, nil, true)
@@ -61,34 +78,41 @@ func run(pass *analysis.Pass) (any, error) {
 	// Compute list of source functions, including literals,
 	// in source order.
 	var funcs []*ssa.Function
-	for _, f := range pass.Files {
-		for _, decl := range f.Decls {
-			if fdecl, ok := decl.(*ast.FuncDecl); ok {
-				// (init functions have distinct Func
-				// objects named "init" and distinct
-				// ssa.Functions named "init#1", ...)
-
-				fn := pass.TypesInfo.Defs[fdecl.Name].(*types.Func)
-				if fn == nil {
-					panic(fn)
-				}
+	for _, fn := range allFunctions(pass) {
+		// (init functions have distinct Func
+		// objects named "init" and distinct
+		// ssa.Functions named "init#1", ...)
 
-				f := ssapkg.Prog.FuncValue(fn)
-				if f == nil {
-					panic(fn)
-				}
+		f := ssapkg.Prog.FuncValue(fn)
+		if f == nil {
+			panic(fn)
+		}
 
-				var addAnons func(f *ssa.Function)
-				addAnons = func(f *ssa.Function) {
-					funcs = append(funcs, f)
-					for _, anon := range f.AnonFuncs {
-						addAnons(anon)
-					}
-				}
-				addAnons(f)
+		var addAnons func(f *ssa.Function)
+		addAnons = func(f *ssa.Function) {
+			funcs = append(funcs, f)
+			for _, anon := range f.AnonFuncs {
+				addAnons(anon)
 			}
 		}
+		addAnons(f)
 	}
 
 	return &SSA{Pkg: ssapkg, SrcFuncs: funcs}, nil
 }
+
+// allFunctions returns an iterator over all named functions.
+func allFunctions(pass *analysis.Pass) iter.Seq2[*ast.FuncDecl, *types.Func] {
+	return func(yield func(*ast.FuncDecl, *types.Func) bool) {
+		for _, file := range pass.Files {
+			for _, decl := range file.Decls {
+				if decl, ok := decl.(*ast.FuncDecl); ok {
+					fn := pass.TypesInfo.Defs[decl.Name].(*types.Func)
+					if !yield(decl, fn) {
+						return
+					}
+				}
+			}
+		}
+	}
+}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go b/vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go
index 91aac67625..d0b28e5b84 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go
@@ -14,9 +14,7 @@ import (
 	"unicode"
 
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
-	"golang.org/x/tools/internal/analysisinternal"
-	"golang.org/x/tools/internal/versions"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 const Doc = "check //go:build and // +build directives"
@@ -57,6 +55,7 @@ func runBuildTag(pass *analysis.Pass) (any, error) {
 func checkGoFile(pass *analysis.Pass, f *ast.File) {
 	var check checker
 	check.init(pass)
+	defer check.finish()
 
 	for _, group := range f.Comments {
 		// A +build comment is ignored after or adjoining the package declaration.
@@ -78,27 +77,6 @@ func checkGoFile(pass *analysis.Pass, f *ast.File) {
 			check.comment(c.Slash, c.Text)
 		}
 	}
-
-	check.finish()
-
-	// For Go 1.18+ files, offer a fix to remove the +build lines
-	// if they passed all consistency checks.
-	if check.crossCheck && !versions.Before(pass.TypesInfo.FileVersions[f], "go1.18") {
-		for _, rng := range check.plusBuildRanges {
-			check.pass.Report(analysis.Diagnostic{
-				Pos:     rng.Pos(),
-				End:     rng.End(),
-				Message: "+build line is no longer needed",
-				SuggestedFixes: []analysis.SuggestedFix{{
-					Message: "Remove obsolete +build line",
-					TextEdits: []analysis.TextEdit{{
-						Pos: rng.Pos(),
-						End: rng.End(),
-					}},
-				}},
-			})
-		}
-	}
 }
 
 func checkOtherFile(pass *analysis.Pass, filename string) error {
@@ -108,7 +86,7 @@ func checkOtherFile(pass *analysis.Pass, filename string) error {
 
 	// We cannot use the Go parser, since this may not be a Go source file.
 	// Read the raw bytes instead.
-	content, tf, err := analysisutil.ReadFile(pass, filename)
+	content, tf, err := analyzerutil.ReadFile(pass, filename)
 	if err != nil {
 		return err
 	}
@@ -118,15 +96,15 @@ func checkOtherFile(pass *analysis.Pass, filename string) error {
 }
 
 type checker struct {
-	pass            *analysis.Pass
-	plusBuildOK     bool             // "+build" lines still OK
-	goBuildOK       bool             // "go:build" lines still OK
-	crossCheck      bool             // cross-check go:build and +build lines when done reading file
-	inStar          bool             // currently in a /* */ comment
-	goBuildPos      token.Pos        // position of first go:build line found
-	plusBuildRanges []analysis.Range // range of each "+build" line found
-	goBuild         constraint.Expr  // go:build constraint found
-	plusBuild       constraint.Expr  // AND of +build constraints found
+	pass         *analysis.Pass
+	plusBuildOK  bool            // "+build" lines still OK
+	goBuildOK    bool            // "go:build" lines still OK
+	crossCheck   bool            // cross-check go:build and +build lines when done reading file
+	inStar       bool            // currently in a /* */ comment
+	goBuildPos   token.Pos       // position of first go:build line found
+	plusBuildPos token.Pos       // position of first "+build" line found
+	goBuild      constraint.Expr // go:build constraint found
+	plusBuild    constraint.Expr // AND of +build constraints found
 }
 
 func (check *checker) init(pass *analysis.Pass) {
@@ -294,8 +272,6 @@ func (check *checker) goBuildLine(pos token.Pos, line string) {
 }
 
 func (check *checker) plusBuildLine(pos token.Pos, line string) {
-	plusBuildRange := analysisinternal.Range(pos, pos+token.Pos(len(line)))
-
 	line = strings.TrimSpace(line)
 	if !constraint.IsPlusBuild(line) {
 		// Comment with +build but not at beginning.
@@ -310,7 +286,9 @@ func (check *checker) plusBuildLine(pos token.Pos, line string) {
 		check.crossCheck = false
 	}
 
-	check.plusBuildRanges = append(check.plusBuildRanges, plusBuildRange)
+	if check.plusBuildPos == token.NoPos {
+		check.plusBuildPos = pos
+	}
 
 	// testing hack: stop at // ERROR
 	if i := strings.Index(line, " // ERROR "); i >= 0 {
@@ -358,19 +336,19 @@ func (check *checker) plusBuildLine(pos token.Pos, line string) {
 }
 
 func (check *checker) finish() {
-	if !check.crossCheck || len(check.plusBuildRanges) == 0 || check.goBuildPos == token.NoPos {
+	if !check.crossCheck || check.plusBuildPos == token.NoPos || check.goBuildPos == token.NoPos {
 		return
 	}
 
 	// Have both //go:build and // +build,
 	// with no errors found (crossCheck still true).
 	// Check they match.
+	var want constraint.Expr
 	lines, err := constraint.PlusBuildLines(check.goBuild)
 	if err != nil {
 		check.pass.Reportf(check.goBuildPos, "%v", err)
 		return
 	}
-	var want constraint.Expr
 	for _, line := range lines {
 		y, err := constraint.Parse(line)
 		if err != nil {
@@ -385,8 +363,7 @@ func (check *checker) finish() {
 		}
 	}
 	if want.String() != check.plusBuild.String() {
-		check.pass.ReportRangef(check.plusBuildRanges[0], "+build lines do not match //go:build condition")
-		check.crossCheck = false // don't offer fix to remove +build
+		check.pass.Reportf(check.plusBuildPos, "+build lines do not match //go:build condition")
 		return
 	}
 }
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go b/vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go
index bf1202b92b..54b8062cc0 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go
@@ -350,8 +350,8 @@ func typeOKForCgoCall(t types.Type, m map[types.Type]bool) bool {
 	case *types.Array:
 		return typeOKForCgoCall(t.Elem(), m)
 	case *types.Struct:
-		for i := 0; i < t.NumFields(); i++ {
-			if !typeOKForCgoCall(t.Field(i).Type(), m) {
+		for field := range t.Fields() {
+			if !typeOKForCgoCall(field.Type(), m) {
 				return false
 			}
 		}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go b/vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go
index 4190cc5900..208602f486 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go
@@ -328,8 +328,8 @@ func lockPath(tpkg *types.Package, typ types.Type, seen map[types.Type]bool) typ
 
 	ttyp, ok := typ.Underlying().(*types.Tuple)
 	if ok {
-		for i := 0; i < ttyp.Len(); i++ {
-			subpath := lockPath(tpkg, ttyp.At(i).Type(), seen)
+		for v := range ttyp.Variables() {
+			subpath := lockPath(tpkg, v.Type(), seen)
 			if subpath != nil {
 				return append(subpath, typ.String())
 			}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go b/vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go
index 951aaed00f..b84c8d6fec 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go
@@ -16,9 +16,12 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
+	"golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/cfg"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/cfginternal"
+	"golang.org/x/tools/internal/typesinternal"
 )
 
 var Analyzer = &analysis.Analyzer{
@@ -26,7 +29,7 @@ var Analyzer = &analysis.Analyzer{
 	Doc:        "build a control-flow graph",
 	URL:        "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/ctrlflow",
 	Run:        run,
-	ResultType: reflect.TypeOf(new(CFGs)),
+	ResultType: reflect.TypeFor[*CFGs](),
 	FactTypes:  []analysis.Fact{new(noReturn)},
 	Requires:   []*analysis.Analyzer{inspect.Analyzer},
 }
@@ -44,7 +47,20 @@ type CFGs struct {
 	defs      map[*ast.Ident]types.Object // from Pass.TypesInfo.Defs
 	funcDecls map[*types.Func]*declInfo
 	funcLits  map[*ast.FuncLit]*litInfo
-	pass      *analysis.Pass // transient; nil after construction
+	noReturn  map[*types.Func]bool // functions lacking a reachable return statement
+	pass      *analysis.Pass       // transient; nil after construction
+}
+
+// TODO(adonovan): add (*CFGs).NoReturn to public API.
+func (c *CFGs) isNoReturn(fn *types.Func) bool {
+	return c.noReturn[fn]
+}
+
+func init() {
+	// Expose the hidden method to callers in x/tools.
+	ctrlflowinternal.NoReturn = func(c any, fn *types.Func) bool {
+		return c.(*CFGs).isNoReturn(fn)
+	}
 }
 
 // CFGs has two maps: funcDecls for named functions and funcLits for
@@ -54,15 +70,14 @@ type CFGs struct {
 // *types.Func but not the other way.
 
 type declInfo struct {
-	decl     *ast.FuncDecl
-	cfg      *cfg.CFG // iff decl.Body != nil
-	started  bool     // to break cycles
-	noReturn bool
+	decl    *ast.FuncDecl
+	cfg     *cfg.CFG // iff decl.Body != nil
+	started bool     // to break cycles
 }
 
 type litInfo struct {
 	cfg      *cfg.CFG
-	noReturn bool
+	noReturn bool // (currently unused)
 }
 
 // FuncDecl returns the control-flow graph for a named function.
@@ -118,6 +133,7 @@ func run(pass *analysis.Pass) (any, error) {
 		defs:      pass.TypesInfo.Defs,
 		funcDecls: funcDecls,
 		funcLits:  funcLits,
+		noReturn:  make(map[*types.Func]bool),
 		pass:      pass,
 	}
 
@@ -138,7 +154,7 @@ func run(pass *analysis.Pass) (any, error) {
 		li := funcLits[lit]
 		if li.cfg == nil {
 			li.cfg = cfg.New(lit.Body, c.callMayReturn)
-			if !hasReachableReturn(li.cfg) {
+			if cfginternal.IsNoReturn(li.cfg) {
 				li.noReturn = true
 			}
 		}
@@ -158,26 +174,28 @@ func (c *CFGs) buildDecl(fn *types.Func, di *declInfo) {
 	// The buildDecl call tree thus resembles the static call graph.
 	// We mark each node when we start working on it to break cycles.
 
-	if !di.started { // break cycle
-		di.started = true
+	if di.started {
+		return // break cycle
+	}
+	di.started = true
 
-		if isIntrinsicNoReturn(fn) {
-			di.noReturn = true
-		}
+	noreturn, known := knownIntrinsic(fn)
+	if !known {
 		if di.decl.Body != nil {
 			di.cfg = cfg.New(di.decl.Body, c.callMayReturn)
-			if !hasReachableReturn(di.cfg) {
-				di.noReturn = true
+			if cfginternal.IsNoReturn(di.cfg) {
+				noreturn = true
 			}
 		}
-		if di.noReturn {
-			c.pass.ExportObjectFact(fn, new(noReturn))
-		}
+	}
+	if noreturn {
+		c.pass.ExportObjectFact(fn, new(noReturn))
+		c.noReturn[fn] = true
+	}
 
-		// debugging
-		if false {
-			log.Printf("CFG for %s:\n%s (noreturn=%t)\n", fn, di.cfg.Format(c.pass.Fset), di.noReturn)
-		}
+	// debugging
+	if false {
+		log.Printf("CFG for %s:\n%s (noreturn=%t)\n", fn, di.cfg.Format(c.pass.Fset), noreturn)
 	}
 }
 
@@ -201,31 +219,51 @@ func (c *CFGs) callMayReturn(call *ast.CallExpr) (r bool) {
 	// Function or method declared in this package?
 	if di, ok := c.funcDecls[fn]; ok {
 		c.buildDecl(fn, di)
-		return !di.noReturn
+		return !c.noReturn[fn]
 	}
 
 	// Not declared in this package.
 	// Is there a fact from another package?
-	return !c.pass.ImportObjectFact(fn, new(noReturn))
+	if c.pass.ImportObjectFact(fn, new(noReturn)) {
+		c.noReturn[fn] = true
+		return false
+	}
+
+	return true
 }
 
 var panicBuiltin = types.Universe.Lookup("panic").(*types.Builtin)
 
-func hasReachableReturn(g *cfg.CFG) bool {
-	for _, b := range g.Blocks {
-		if b.Live && b.Return() != nil {
-			return true
-		}
-	}
-	return false
-}
-
-// isIntrinsicNoReturn reports whether a function intrinsically never
-// returns because it stops execution of the calling thread.
+// knownIntrinsic reports whether a function intrinsically never
+// returns because it stops execution of the calling thread, or does
+// in fact return, contrary to its apparent body, because it is
+// handled specially by the compiler.
+//
 // It is the base case in the recursion.
-func isIntrinsicNoReturn(fn *types.Func) bool {
+func knownIntrinsic(fn *types.Func) (noreturn, known bool) {
 	// Add functions here as the need arises, but don't allocate memory.
-	path, name := fn.Pkg().Path(), fn.Name()
-	return path == "syscall" && (name == "Exit" || name == "ExitProcess" || name == "ExitThread") ||
-		path == "runtime" && name == "Goexit"
+
+	// Functions known intrinsically never to return.
+	if typesinternal.IsFunctionNamed(fn, "syscall", "Exit", "ExitProcess", "ExitThread") ||
+		typesinternal.IsFunctionNamed(fn, "runtime", "Goexit") {
+		return true, true
+	}
+
+	// Compiler intrinsics known to return, contrary to
+	// what analysis of the function body would conclude.
+	//
+	// Not all such intrinsics must be listed here: ctrlflow
+	// considers any function called for its value--such as
+	// crypto/internal/constanttime.bool2Uint8--to potentially
+	// return; only functions called as a statement, for effects,
+	// are no-return candidates.
+	//
+	// Unfortunately this does sometimes mean peering into internals.
+	// Where possible, use the nearest enclosing public API function.
+	if typesinternal.IsFunctionNamed(fn, "internal/abi", "EscapeNonString") ||
+		typesinternal.IsFunctionNamed(fn, "hash/maphash", "Comparable") {
+		return false, true
+	}
+
+	return // unknown
 }
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go b/vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go
index 5e3d1a3535..32087cd71a 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go
@@ -96,8 +96,8 @@ func containsError(typ types.Type) bool {
 		case *types.Map:
 			return check(t.Key()) || check(t.Elem())
 		case *types.Struct:
-			for i := 0; i < t.NumFields(); i++ {
-				if check(t.Field(i).Type()) {
+			for field := range t.Fields() {
+				if check(field.Type()) {
 					return true
 				}
 			}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go b/vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go
index bf62d327d9..af93407cae 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go
@@ -10,9 +10,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -23,8 +23,8 @@ var doc string
 var Analyzer = &analysis.Analyzer{
 	Name:     "defers",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
+	Doc:      analyzerutil.MustExtractDoc(doc, "defers"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/defers",
-	Doc:      analysisutil.MustExtractDoc(doc, "defers"),
 	Run:      run,
 }
 
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go b/vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go
index bebec89140..5fa28861e5 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go
@@ -14,7 +14,7 @@ import (
 	"unicode/utf8"
 
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 const Doc = `check Go toolchain directives such as //go:debug
@@ -86,7 +86,7 @@ func checkGoFile(pass *analysis.Pass, f *ast.File) {
 func checkOtherFile(pass *analysis.Pass, filename string) error {
 	// We cannot use the Go parser, since is not a Go source file.
 	// Read the raw bytes instead.
-	content, tf, err := analysisutil.ReadFile(pass, filename)
+	content, tf, err := analyzerutil.ReadFile(pass, filename)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go b/vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go
index b3df99929d..f1465f7343 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go
@@ -12,7 +12,7 @@ import (
 	"go/types"
 
 	"golang.org/x/tools/go/analysis"
-	typeindexanalyzer "golang.org/x/tools/internal/analysisinternal/typeindex"
+	typeindexanalyzer "golang.org/x/tools/internal/analysis/typeindex"
 	"golang.org/x/tools/internal/typesinternal/typeindex"
 )
 
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go b/vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go
index 4987ec5afd..235fa4f01f 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go
@@ -18,6 +18,7 @@ import (
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/astutil"
 )
 
 const Doc = `find structs that would use less memory if their fields were sorted
@@ -103,6 +104,11 @@ func fieldalignment(pass *analysis.Pass, node *ast.StructType, typ *types.Struct
 		return
 	}
 
+	// Analyzers borrow syntax tree; they do not own them and must modify them.
+	// This Clone operation is a quick fix to the data race introduced
+	// in CL 278872 by the clearing of the Comment and Doc fields below.
+	node = astutil.CloneNode(node)
+
 	// Flatten the ast node since it could have multiple field names per list item while
 	// *types.Struct only have one item per field.
 	// TODO: Preserve multi-named fields instead of flattening.
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go b/vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go
index ff9c8b4f81..a7d558103a 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go
@@ -13,7 +13,7 @@ import (
 	"unicode"
 
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 const Doc = "report assembly that clobbers the frame pointer before saving it"
@@ -98,7 +98,7 @@ func run(pass *analysis.Pass) (any, error) {
 	}
 
 	for _, fname := range sfiles {
-		content, tf, err := analysisutil.ReadFile(pass, fname)
+		content, tf, err := analyzerutil.ReadFile(pass, fname)
 		if err != nil {
 			return nil, err
 		}
@@ -127,7 +127,7 @@ func run(pass *analysis.Pass) (any, error) {
 			}
 
 			if arch.isFPWrite(line) {
-				pass.Reportf(analysisutil.LineStart(tf, lineno), "frame pointer is clobbered before saving")
+				pass.Reportf(tf.LineStart(lineno), "frame pointer is clobbered before saving")
 				active = false
 				continue
 			}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go b/vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go
index 4022dbe7c2..da0acbd8e2 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go
@@ -11,8 +11,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typeparams"
 )
 
@@ -21,7 +21,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "ifaceassert",
-	Doc:      analysisutil.MustExtractDoc(doc, "ifaceassert"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "ifaceassert"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/ifaceassert",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go b/vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go
index ee1972f56d..aae5d255f9 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go
@@ -41,7 +41,7 @@ var Analyzer = &analysis.Analyzer{
 	URL:              "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/inspect",
 	Run:              run,
 	RunDespiteErrors: true,
-	ResultType:       reflect.TypeOf(new(inspector.Inspector)),
+	ResultType:       reflect.TypeFor[*inspector.Inspector](),
 }
 
 func run(pass *analysis.Pass) (any, error) {
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/internal/analysisutil/util.go b/vendor/golang.org/x/tools/go/analysis/passes/internal/analysisutil/util.go
deleted file mode 100644
index d3df898d30..0000000000
--- a/vendor/golang.org/x/tools/go/analysis/passes/internal/analysisutil/util.go
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package analysisutil defines various helper functions
-// used by two or more packages beneath go/analysis.
-package analysisutil
-
-import (
-	"go/ast"
-	"go/token"
-	"go/types"
-	"os"
-
-	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/internal/analysisinternal"
-)
-
-// HasSideEffects reports whether evaluation of e has side effects.
-func HasSideEffects(info *types.Info, e ast.Expr) bool {
-	safe := true
-	ast.Inspect(e, func(node ast.Node) bool {
-		switch n := node.(type) {
-		case *ast.CallExpr:
-			typVal := info.Types[n.Fun]
-			switch {
-			case typVal.IsType():
-				// Type conversion, which is safe.
-			case typVal.IsBuiltin():
-				// Builtin func, conservatively assumed to not
-				// be safe for now.
-				safe = false
-				return false
-			default:
-				// A non-builtin func or method call.
-				// Conservatively assume that all of them have
-				// side effects for now.
-				safe = false
-				return false
-			}
-		case *ast.UnaryExpr:
-			if n.Op == token.ARROW {
-				safe = false
-				return false
-			}
-		}
-		return true
-	})
-	return !safe
-}
-
-// ReadFile reads a file and adds it to the FileSet
-// so that we can report errors against it using lineStart.
-func ReadFile(pass *analysis.Pass, filename string) ([]byte, *token.File, error) {
-	readFile := pass.ReadFile
-	if readFile == nil {
-		readFile = os.ReadFile
-	}
-	content, err := readFile(filename)
-	if err != nil {
-		return nil, nil, err
-	}
-	tf := pass.Fset.AddFile(filename, -1, len(content))
-	tf.SetLinesForContent(content)
-	return content, tf, nil
-}
-
-// LineStart returns the position of the start of the specified line
-// within file f, or NoPos if there is no line of that number.
-func LineStart(f *token.File, line int) token.Pos {
-	// Use binary search to find the start offset of this line.
-	//
-	// TODO(adonovan): eventually replace this function with the
-	// simpler and more efficient (*go/token.File).LineStart, added
-	// in go1.12.
-
-	min := 0        // inclusive
-	max := f.Size() // exclusive
-	for {
-		offset := (min + max) / 2
-		pos := f.Pos(offset)
-		posn := f.Position(pos)
-		if posn.Line == line {
-			return pos - (token.Pos(posn.Column) - 1)
-		}
-
-		if min+1 >= max {
-			return token.NoPos
-		}
-
-		if posn.Line < line {
-			min = offset
-		} else {
-			max = offset
-		}
-	}
-}
-
-var MustExtractDoc = analysisinternal.MustExtractDoc
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal/ctrlflowinternal.go b/vendor/golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal/ctrlflowinternal.go
new file mode 100644
index 0000000000..ee7a37228e
--- /dev/null
+++ b/vendor/golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal/ctrlflowinternal.go
@@ -0,0 +1,17 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ctrlflowinternal exposes internals of ctrlflow.
+// It cannot actually depend on symbols from ctrlflow.
+package ctrlflowinternal
+
+import "go/types"
+
+// NoReturn exposes the (*ctrlflow.CFGs).NoReturn method to the buildssa analyzer.
+//
+// You must link [golang.org/x/tools/go/analysis/passes/ctrlflow] into your
+// application for it to be non-nil.
+var NoReturn = func(cfgs any, fn *types.Func) bool {
+	panic("x/tools/go/analysis/passes/ctrlflow is not linked into this application")
+}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go b/vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go
index 8432e963c6..41b19d7933 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go
@@ -11,9 +11,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 	"golang.org/x/tools/internal/versions"
 )
@@ -23,7 +23,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "loopclosure",
-	Doc:      analysisutil.MustExtractDoc(doc, "loopclosure"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "loopclosure"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/loopclosure",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -55,8 +55,8 @@ func run(pass *analysis.Pass) (any, error) {
 		switch n := n.(type) {
 		case *ast.File:
 			// Only traverse the file if its goversion is strictly before go1.22.
-			goversion := versions.FileVersion(pass.TypesInfo, n)
-			return versions.Before(goversion, versions.Go1_22)
+			return !analyzerutil.FileUsesGoVersion(pass, n, versions.Go1_22)
+
 		case *ast.RangeStmt:
 			body = n.Body
 			addVar(n.Key)
@@ -308,12 +308,11 @@ func parallelSubtest(info *types.Info, call *ast.CallExpr) []ast.Stmt {
 		if !ok {
 			continue
 		}
-		expr := exprStmt.X
-		if isMethodCall(info, expr, "testing", "T", "Parallel") {
-			call, _ := expr.(*ast.CallExpr)
-			if call == nil {
-				continue
-			}
+		call, ok := exprStmt.X.(*ast.CallExpr)
+		if !ok {
+			continue
+		}
+		if isMethodCall(info, call, "testing", "T", "Parallel") {
 			x, _ := call.Fun.(*ast.SelectorExpr)
 			if x == nil {
 				continue
@@ -347,26 +346,6 @@ func unlabel(stmt ast.Stmt) (ast.Stmt, bool) {
 	}
 }
 
-// isMethodCall reports whether expr is a method call of
-// <pkgPath>.<typeName>.<method>.
-func isMethodCall(info *types.Info, expr ast.Expr, pkgPath, typeName, method string) bool {
-	call, ok := expr.(*ast.CallExpr)
-	if !ok {
-		return false
-	}
-
-	// Check that we are calling a method <method>
-	f := typeutil.StaticCallee(info, call)
-	if f == nil || f.Name() != method {
-		return false
-	}
-	recv := f.Type().(*types.Signature).Recv()
-	if recv == nil {
-		return false
-	}
-
-	// Check that the receiver is a <pkgPath>.<typeName> or
-	// *<pkgPath>.<typeName>.
-	_, named := typesinternal.ReceiverNamed(recv)
-	return typesinternal.IsTypeNamed(named, pkgPath, typeName)
+func isMethodCall(info *types.Info, call *ast.CallExpr, pkgPath, typeName, method string) bool {
+	return typesinternal.IsMethodNamed(typeutil.Callee(info, call), pkgPath, typeName, method)
 }
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go b/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
index cc0bf0fd31..28a5f6cd93 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go
@@ -13,9 +13,9 @@ import (
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/ctrlflow"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/cfg"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
@@ -25,7 +25,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name: "lostcancel",
-	Doc:  analysisutil.MustExtractDoc(doc, "lostcancel"),
+	Doc:  analyzerutil.MustExtractDoc(doc, "lostcancel"),
 	URL:  "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/lostcancel",
 	Run:  run,
 	Requires: []*analysis.Analyzer{
@@ -316,8 +316,8 @@ outer:
 }
 
 func tupleContains(tuple *types.Tuple, v *types.Var) bool {
-	for i := 0; i < tuple.Len(); i++ {
-		if tuple.At(i) == v {
+	for v0 := range tuple.Variables() {
+		if v0 == v {
 			return true
 		}
 	}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go b/vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go
index fa1883b0c3..6b37295187 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go
@@ -14,8 +14,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -24,7 +24,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "nilfunc",
-	Doc:      analysisutil.MustExtractDoc(doc, "nilfunc"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "nilfunc"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/nilfunc",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go b/vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go
index 8f1cca8f12..6f353968f2 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go
@@ -12,8 +12,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ssa"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typeparams"
 )
 
@@ -22,7 +22,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "nilness",
-	Doc:      analysisutil.MustExtractDoc(doc, "nilness"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "nilness"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/nilness",
 	Run:      run,
 	Requires: []*analysis.Analyzer{buildssa.Analyzer},
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go b/vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go
index f04e441434..a09bfd1c6c 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go
@@ -92,6 +92,36 @@
 //	}
 //	logf("%s", 123) // logf format %s has arg 123 of wrong type int
 //
+// Interface methods may also be analyzed as printf wrappers, if
+// within the interface's package there is an assignment from a
+// implementation type whose corresponding method is a printf wrapper.
+//
+// For example, the var declaration below causes a *myLoggerImpl value
+// to be assigned to a Logger variable:
+//
+//	type Logger interface {
+//		Logf(format string, args ...any)
+//	}
+//
+//	type myLoggerImpl struct{ ... }
+//
+//	var _ Logger = (*myLoggerImpl)(nil)
+//
+//	func  (*myLoggerImpl) Logf(format string, args ...any) {
+//		println(fmt.Sprintf(format, args...))
+//	}
+//
+// Since myLoggerImpl's Logf method is a printf wrapper, this
+// establishes that Logger.Logf is a printf wrapper too, causing
+// dynamic calls through the interface to be checked:
+//
+//	func f(log Logger) {
+//		log.Logf("%s", 123) // Logger.Logf format %s has arg 123 of wrong type int
+//	}
+//
+// This feature applies only to interface methods declared in files
+// using at least Go 1.26.
+//
 // # Specifying printf wrappers by flag
 //
 // The -funcs flag specifies a comma-separated list of names of
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go b/vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go
index d94e592cf1..1afb07c452 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go
@@ -18,16 +18,16 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/edge"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
-	"golang.org/x/tools/internal/analysisinternal"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/fmtstr"
 	"golang.org/x/tools/internal/typeparams"
 	"golang.org/x/tools/internal/typesinternal"
 	"golang.org/x/tools/internal/versions"
+	"golang.org/x/tools/refactor/satisfy"
 )
 
 func init() {
@@ -39,7 +39,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:       "printf",
-	Doc:        analysisutil.MustExtractDoc(doc, "printf"),
+	Doc:        analyzerutil.MustExtractDoc(doc, "printf"),
 	URL:        "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/printf",
 	Requires:   []*analysis.Analyzer{inspect.Analyzer},
 	Run:        run,
@@ -66,7 +66,7 @@ func (kind Kind) String() string {
 	case KindErrorf:
 		return "errorf"
 	}
-	return ""
+	return "(none)"
 }
 
 // Result is the printf analyzer's result type. Clients may query the result
@@ -137,9 +137,10 @@ type wrapper struct {
 	callers []printfCaller
 }
 
+// printfCaller is a candidate print{,f} forwarding call from candidate wrapper w.
 type printfCaller struct {
 	w    *wrapper
-	call *ast.CallExpr
+	call *ast.CallExpr // forwarding call (nil for implicit interface method -> impl calls)
 }
 
 // formatArgsParams returns the "format string" and "args ...any"
@@ -184,21 +185,42 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 		wrappers []*wrapper
 		byObj    = make(map[types.Object]*wrapper)
 	)
-	for cur := range inspect.Root().Preorder((*ast.FuncDecl)(nil), (*ast.FuncLit)(nil)) {
-		var (
-			curBody inspector.Cursor // for *ast.BlockStmt
-			sig     *types.Signature
-			obj     types.Object
-		)
+	for cur := range inspect.Root().Preorder((*ast.FuncDecl)(nil), (*ast.FuncLit)(nil), (*ast.InterfaceType)(nil)) {
+
+		// addWrapper records that a func (or var representing
+		// a FuncLit) is a potential print{,f} wrapper.
+		// curBody is its *ast.BlockStmt, if any.
+		addWrapper := func(obj types.Object, sig *types.Signature, curBody inspector.Cursor) *wrapper {
+			format, args := formatArgsParams(sig)
+			if args != nil {
+				// obj (the symbol for a function/method, or variable
+				// assigned to an anonymous function) is a potential
+				// print or printf wrapper.
+				//
+				// Later processing will analyze the graph of potential
+				// wrappers and their function bodies to pick out the
+				// ones that are true wrappers.
+				w := &wrapper{
+					obj:     obj,
+					curBody: curBody,
+					format:  format, // non-nil => printf
+					args:    args,
+				}
+				byObj[w.obj] = w
+				wrappers = append(wrappers, w)
+				return w
+			}
+			return nil
+		}
+
 		switch f := cur.Node().(type) {
 		case *ast.FuncDecl:
 			// named function or method:
 			//
 			//    func wrapf(format string, args ...any) {...}
 			if f.Body != nil {
-				curBody = cur.ChildAt(edge.FuncDecl_Body, -1)
-				obj = info.Defs[f.Name]
-				sig = obj.Type().(*types.Signature)
+				fn := info.Defs[f.Name].(*types.Func)
+				addWrapper(fn, fn.Signature(), cur.ChildAt(edge.FuncDecl_Body, -1))
 			}
 
 		case *ast.FuncLit:
@@ -211,8 +233,6 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 			// The LHS may also be a struct field x.wrapf or
 			// an imported var pkg.Wrapf.
 			//
-			sig = info.TypeOf(f).(*types.Signature)
-			curBody = cur.ChildAt(edge.FuncLit_Body, -1)
 			var lhs ast.Expr
 			switch ek, idx := cur.ParentEdge(); ek {
 			case edge.ValueSpec_Values:
@@ -223,49 +243,89 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 				lhs = curLhs.Node().(ast.Expr)
 			}
 
+			var v *types.Var
 			switch lhs := lhs.(type) {
 			case *ast.Ident:
 				// variable: wrapf = func(...)
-				obj = info.ObjectOf(lhs).(*types.Var)
+				v, _ = info.ObjectOf(lhs).(*types.Var)
 			case *ast.SelectorExpr:
 				if sel, ok := info.Selections[lhs]; ok {
 					// struct field: x.wrapf = func(...)
-					obj = sel.Obj().(*types.Var)
+					v = sel.Obj().(*types.Var)
 				} else {
 					// imported var: pkg.Wrapf = func(...)
-					obj = info.Uses[lhs.Sel].(*types.Var)
+					v = info.Uses[lhs.Sel].(*types.Var)
 				}
 			}
-		}
-		if obj != nil {
-			format, args := formatArgsParams(sig)
-			if args != nil {
-				// obj (the symbol for a function/method, or variable
-				// assigned to an anonymous function) is a potential
-				// print or printf wrapper.
-				//
-				// Later processing will analyze the graph of potential
-				// wrappers and their function bodies to pick out the
-				// ones that are true wrappers.
-				w := &wrapper{
-					obj:     obj,
-					curBody: curBody,
-					format:  format, // non-nil => printf
-					args:    args,
+			if v != nil {
+				sig := info.TypeOf(f).(*types.Signature)
+				curBody := cur.ChildAt(edge.FuncLit_Body, -1)
+				addWrapper(v, sig, curBody)
+			}
+
+		case *ast.InterfaceType:
+			// Induction through interface methods is gated as
+			// if it were a go1.26 language feature, to avoid
+			// surprises when go test's vet suite gets stricter.
+			if analyzerutil.FileUsesGoVersion(pass, astutil.EnclosingFile(cur), versions.Go1_26) {
+				for imeth := range info.TypeOf(f).(*types.Interface).Methods() {
+					addWrapper(imeth, imeth.Signature(), inspector.Cursor{})
 				}
-				byObj[w.obj] = w
-				wrappers = append(wrappers, w)
 			}
 		}
 	}
 
+	// impls maps abstract methods to implementations.
+	//
+	// Interface methods are modelled as if they have a body
+	// that calls each implementing method.
+	//
+	// In the code below, impls maps Logger.Logf to
+	// [myLogger.Logf], and if myLogger.Logf is discovered to be
+	// printf-like, then so will be Logger.Logf.
+	//
+	//   type Logger interface {
+	// 	Logf(format string, args ...any)
+	//   }
+	//   type myLogger struct{ ... }
+	//   func (myLogger) Logf(format string, args ...any) {...}
+	//   var _ Logger = myLogger{}
+	impls := methodImplementations(pass)
+
+	// doCall records a call from one wrapper to another.
+	doCall := func(w *wrapper, callee types.Object, call *ast.CallExpr) {
+		// Call from one wrapper candidate to another?
+		// Record the edge so that if callee is found to be
+		// a true wrapper, w will be too.
+		if w2, ok := byObj[callee]; ok {
+			w2.callers = append(w2.callers, printfCaller{w, call})
+		}
+
+		// Is the candidate a true wrapper, because it calls
+		// a known print{,f}-like function from the allowlist
+		// or an imported fact, or another wrapper found
+		// to be a true wrapper?
+		// If so, convert all w's callers to kind.
+		kind := callKind(pass, callee, res)
+		if kind != KindNone {
+			propagate(pass, w, call, kind, res)
+		}
+	}
+
 	// Pass 2: scan the body of each wrapper function
 	// for calls to other printf-like functions.
-	//
-	// Also, reject tricky cases where the parameters
-	// are potentially mutated by AssignStmt or UnaryExpr.
-	// TODO: Relax these checks; issue 26555.
 	for _, w := range wrappers {
+
+		// An interface method has no body, but acts
+		// like an implicit call to each implementing method.
+		if w.curBody.Inspector() == nil {
+			for impl := range impls[w.obj.(*types.Func)] {
+				doCall(w, impl, nil)
+			}
+			continue // (no body)
+		}
+
+		// Process all calls in the wrapper function's body.
 	scan:
 		for cur := range w.curBody.Preorder(
 			(*ast.AssignStmt)(nil),
@@ -273,6 +333,12 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 			(*ast.CallExpr)(nil),
 		) {
 			switch n := cur.Node().(type) {
+
+			// Reject tricky cases where the parameters
+			// are potentially mutated by AssignStmt or UnaryExpr.
+			// (This logic checks for mutation only before the call.)
+			// TODO: Relax these checks; issue 26555.
+
 			case *ast.AssignStmt:
 				// If the wrapper updates format or args
 				// it is not a simple wrapper.
@@ -295,23 +361,7 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 			case *ast.CallExpr:
 				if len(n.Args) > 0 && match(info, n.Args[len(n.Args)-1], w.args) {
 					if callee := typeutil.Callee(pass.TypesInfo, n); callee != nil {
-
-						// Call from one wrapper candidate to another?
-						// Record the edge so that if callee is found to be
-						// a true wrapper, w will be too.
-						if w2, ok := byObj[callee]; ok {
-							w2.callers = append(w2.callers, printfCaller{w, n})
-						}
-
-						// Is the candidate a true wrapper, because it calls
-						// a known print{,f}-like function from the allowlist
-						// or an imported fact, or another wrapper found
-						// to be a true wrapper?
-						// If so, convert all w's callers to kind.
-						kind := callKind(pass, callee, res)
-						if kind != KindNone {
-							checkForward(pass, w, n, kind, res)
-						}
+						doCall(w, callee, n)
 					}
 				}
 			}
@@ -319,40 +369,60 @@ func findPrintLike(pass *analysis.Pass, res *Result) {
 	}
 }
 
+// methodImplementations returns the mapping from interface methods
+// declared in this package to their corresponding implementing
+// methods (which may also be interface methods), according to the set
+// of assignments to interface types that appear within this package.
+func methodImplementations(pass *analysis.Pass) map[*types.Func]map[*types.Func]bool {
+	impls := make(map[*types.Func]map[*types.Func]bool)
+
+	// To find interface/implementation relations,
+	// we use the 'satisfy' pass, but proposal #70638
+	// provides a better way.
+	//
+	// This pass over the syntax could be factored out as
+	// a separate analysis pass if it is needed by other
+	// analyzers.
+	var f satisfy.Finder
+	f.Find(pass.TypesInfo, pass.Files)
+	for assign := range f.Result {
+		// Have: LHS = RHS, where LHS is an interface type.
+		for imeth := range assign.LHS.Underlying().(*types.Interface).Methods() {
+			// Limit to interface methods of current package.
+			if imeth.Pkg() != pass.Pkg {
+				continue
+			}
+
+			if _, args := formatArgsParams(imeth.Signature()); args == nil {
+				continue // not print{,f}-like
+			}
+
+			// Add implementing method to the set.
+			impl, _, _ := types.LookupFieldOrMethod(assign.RHS, false, pass.Pkg, imeth.Name()) // can't fail
+			set, ok := impls[imeth]
+			if !ok {
+				set = make(map[*types.Func]bool)
+				impls[imeth] = set
+			}
+			set[impl.(*types.Func)] = true
+		}
+	}
+	return impls
+}
+
 func match(info *types.Info, arg ast.Expr, param *types.Var) bool {
 	id, ok := arg.(*ast.Ident)
 	return ok && info.ObjectOf(id) == param
 }
 
-// checkForward checks that a forwarding wrapper is forwarding correctly.
-// It diagnoses writing fmt.Printf(format, args) instead of fmt.Printf(format, args...).
-func checkForward(pass *analysis.Pass, w *wrapper, call *ast.CallExpr, kind Kind, res *Result) {
-	matched := kind == KindPrint ||
-		kind != KindNone && len(call.Args) >= 2 && match(pass.TypesInfo, call.Args[len(call.Args)-2], w.format)
-	if !matched {
-		return
-	}
-
-	if !call.Ellipsis.IsValid() {
-		typ, ok := pass.TypesInfo.Types[call.Fun].Type.(*types.Signature)
-		if !ok {
-			return
-		}
-		if len(call.Args) > typ.Params().Len() {
-			// If we're passing more arguments than what the
-			// print/printf function can take, adding an ellipsis
-			// would break the program. For example:
-			//
-			//   func foo(arg1 string, arg2 ...interface{}) {
-			//       fmt.Printf("%s %v", arg1, arg2)
-			//   }
-			return
-		}
-		desc := "printf"
-		if kind == KindPrint {
-			desc = "print"
-		}
-		pass.ReportRangef(call, "missing ... in args forwarded to %s-like function", desc)
+// propagate propagates changes in wrapper (non-None) kind information backwards
+// through through the wrapper.callers graph of well-formed forwarding calls.
+func propagate(pass *analysis.Pass, w *wrapper, call *ast.CallExpr, kind Kind, res *Result) {
+	// Check correct call forwarding.
+	//
+	// Interface methods (call==nil) forward
+	// correctly by construction.
+	if call != nil && !checkForward(pass, w, call, kind) {
 		return
 	}
 
@@ -373,11 +443,50 @@ func checkForward(pass *analysis.Pass, w *wrapper, call *ast.CallExpr, kind Kind
 
 		// Propagate kind back to known callers.
 		for _, caller := range w.callers {
-			checkForward(pass, caller.w, caller.call, kind, res)
+			propagate(pass, caller.w, caller.call, kind, res)
 		}
 	}
 }
 
+// checkForward checks whether a call from wrapper w is a well-formed
+// forwarding call of the specified (non-None) kind.
+//
+// If not, it reports a diagnostic that the user wrote
+// fmt.Printf(format, args) instead of fmt.Printf(format, args...).
+func checkForward(pass *analysis.Pass, w *wrapper, call *ast.CallExpr, kind Kind) bool {
+	// Printf/Errorf calls must delegate the format string.
+	switch kind {
+	case KindPrintf, KindErrorf:
+		if len(call.Args) < 2 || !match(pass.TypesInfo, call.Args[len(call.Args)-2], w.format) {
+			return false
+		}
+	}
+
+	// The args... delegation must be variadic.
+	// (That args is actually delegated was
+	// established before the root call to doCall.)
+	if !call.Ellipsis.IsValid() {
+		typ, ok := pass.TypesInfo.Types[call.Fun].Type.(*types.Signature)
+		if !ok {
+			return false
+		}
+		if len(call.Args) > typ.Params().Len() {
+			// If we're passing more arguments than what the
+			// print/printf function can take, adding an ellipsis
+			// would break the program. For example:
+			//
+			//   func foo(arg1 string, arg2 ...interface{}) {
+			//       fmt.Printf("%s %v", arg1, arg2)
+			//   }
+			return false
+		}
+		pass.ReportRangef(call, "missing ... in args forwarded to %s-like function", kind)
+		return false
+	}
+
+	return true
+}
+
 func origin(obj types.Object) types.Object {
 	switch obj := obj.(type) {
 	case *types.Func:
@@ -445,16 +554,14 @@ var isPrint = stringSet{
 	"(*testing.common).Logf":   true,
 	"(*testing.common).Skip":   true,
 	"(*testing.common).Skipf":  true,
-	// *testing.T and B are detected by induction, but testing.TB is
-	// an interface and the inference can't follow dynamic calls.
-	"(testing.TB).Error":  true,
-	"(testing.TB).Errorf": true,
-	"(testing.TB).Fatal":  true,
-	"(testing.TB).Fatalf": true,
-	"(testing.TB).Log":    true,
-	"(testing.TB).Logf":   true,
-	"(testing.TB).Skip":   true,
-	"(testing.TB).Skipf":  true,
+	"(testing.TB).Error":       true,
+	"(testing.TB).Errorf":      true,
+	"(testing.TB).Fatal":       true,
+	"(testing.TB).Fatalf":      true,
+	"(testing.TB).Log":         true,
+	"(testing.TB).Logf":        true,
+	"(testing.TB).Skip":        true,
+	"(testing.TB).Skipf":       true,
 }
 
 // formatStringIndex returns the index of the format string (the last
@@ -613,7 +720,7 @@ func checkPrintf(pass *analysis.Pass, fileVersion string, kind Kind, call *ast.C
 		// breaking existing tests and CI scripts.
 		if idx == len(call.Args)-1 &&
 			fileVersion != "" && // fail open
-			versions.AtLeast(fileVersion, "go1.24") {
+			versions.AtLeast(fileVersion, versions.Go1_24) {
 
 			pass.Report(analysis.Diagnostic{
 				Pos: formatArg.Pos(),
@@ -663,7 +770,7 @@ func checkPrintf(pass *analysis.Pass, fileVersion string, kind Kind, call *ast.C
 			anyIndex = true
 		}
 		rng := opRange(formatArg, op)
-		if !okPrintfArg(pass, call, rng, &maxArgIndex, firstArg, name, op) {
+		if !okPrintfArg(pass, fileVersion, call, rng, &maxArgIndex, firstArg, name, op) {
 			// One error per format is enough.
 			return
 		}
@@ -695,9 +802,9 @@ func checkPrintf(pass *analysis.Pass, fileVersion string, kind Kind, call *ast.C
 // such as the position of the %v substring of "...%v...".
 func opRange(formatArg ast.Expr, op *fmtstr.Operation) analysis.Range {
 	if lit, ok := formatArg.(*ast.BasicLit); ok {
-		start, end, err := astutil.RangeInStringLiteral(lit, op.Range.Start, op.Range.End)
+		rng, err := astutil.RangeInStringLiteral(lit, op.Range.Start, op.Range.End)
 		if err == nil {
-			return analysisinternal.Range(start, end) // position of "%v"
+			return rng // position of "%v"
 		}
 	}
 	return formatArg // entire format string
@@ -708,6 +815,7 @@ type printfArgType int
 
 const (
 	argBool printfArgType = 1 << iota
+	argByte
 	argInt
 	argRune
 	argString
@@ -752,7 +860,7 @@ var printVerbs = []printVerb{
 	{'o', sharpNumFlag, argInt | argPointer},
 	{'O', sharpNumFlag, argInt | argPointer},
 	{'p', "-#", argPointer},
-	{'q', " -+.0#", argRune | argInt | argString},
+	{'q', " -+.0#", argRune | argInt | argString}, // note: when analyzing go1.26 code, argInt => argByte
 	{'s', " -+.0", argString},
 	{'t', "-", argBool},
 	{'T', "-", anyType},
@@ -766,7 +874,7 @@ var printVerbs = []printVerb{
 // okPrintfArg compares the operation to the arguments actually present,
 // reporting any discrepancies it can discern, maxArgIndex was the index of the highest used index.
 // If the final argument is ellipsissed, there's little it can do for that.
-func okPrintfArg(pass *analysis.Pass, call *ast.CallExpr, rng analysis.Range, maxArgIndex *int, firstArg int, name string, operation *fmtstr.Operation) (ok bool) {
+func okPrintfArg(pass *analysis.Pass, fileVersion string, call *ast.CallExpr, rng analysis.Range, maxArgIndex *int, firstArg int, name string, operation *fmtstr.Operation) (ok bool) {
 	verb := operation.Verb.Verb
 	var v printVerb
 	found := false
@@ -778,6 +886,13 @@ func okPrintfArg(pass *analysis.Pass, call *ast.CallExpr, rng analysis.Range, ma
 		}
 	}
 
+	// When analyzing go1.26 code, rune and byte are the only %q integers (#72850).
+	if verb == 'q' &&
+		fileVersion != "" && // fail open
+		versions.AtLeast(fileVersion, versions.Go1_26) {
+		v.typ = argRune | argByte | argString
+	}
+
 	// Could verb's arg implement fmt.Formatter?
 	// Skip check for the %w verb, which requires an error.
 	formatter := false
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/printf/types.go b/vendor/golang.org/x/tools/go/analysis/passes/printf/types.go
index f7e50f98a9..2cc5c23f12 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/printf/types.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/printf/types.go
@@ -204,8 +204,7 @@ func (m *argMatcher) match(typ types.Type, topLevel bool) bool {
 	case *types.Struct:
 		// report whether all the elements of the struct match the expected type. For
 		// instance, with "%d" all the elements must be printable with the "%d" format.
-		for i := 0; i < typ.NumFields(); i++ {
-			typf := typ.Field(i)
+		for typf := range typ.Fields() {
 			if !m.match(typf.Type(), false) {
 				return false
 			}
@@ -228,14 +227,20 @@ func (m *argMatcher) match(typ types.Type, topLevel bool) bool {
 			types.Bool:
 			return m.t&argBool != 0
 
+		case types.Byte:
+			return m.t&(argInt|argByte) != 0
+
+		case types.Rune, types.UntypedRune:
+			return m.t&(argInt|argRune) != 0
+
 		case types.UntypedInt,
 			types.Int,
 			types.Int8,
 			types.Int16,
-			types.Int32,
+			// see case Rune for int32
 			types.Int64,
 			types.Uint,
-			types.Uint8,
+			// see case Byte for uint8
 			types.Uint16,
 			types.Uint32,
 			types.Uint64,
@@ -259,9 +264,6 @@ func (m *argMatcher) match(typ types.Type, topLevel bool) bool {
 		case types.UnsafePointer:
 			return m.t&(argPointer|argInt) != 0
 
-		case types.UntypedRune:
-			return m.t&(argInt|argRune) != 0
-
 		case types.UntypedNil:
 			return false
 
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go b/vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go
index 5626ac1c12..5ce3574984 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go
@@ -11,9 +11,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -22,7 +22,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "reflectvaluecompare",
-	Doc:      analysisutil.MustExtractDoc(doc, "reflectvaluecompare"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "reflectvaluecompare"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/reflectvaluecompare",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go b/vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go
index 8f768bb76c..8e60e38942 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go
@@ -12,8 +12,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 // NOTE: Experimental. Not part of the vet suite.
@@ -23,7 +23,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "shadow",
-	Doc:      analysisutil.MustExtractDoc(doc, "shadow"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "shadow"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/shadow",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go b/vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go
index c339fa064d..174c27109e 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go
@@ -18,8 +18,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -29,7 +29,7 @@ var doc string
 // Analyzer describes sigchanyzer analysis function detector.
 var Analyzer = &analysis.Analyzer{
 	Name:     "sigchanyzer",
-	Doc:      analysisutil.MustExtractDoc(doc, "sigchanyzer"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "sigchanyzer"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/sigchanyzer",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go b/vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go
index cc58396a02..4afbe04684 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go
@@ -17,9 +17,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
@@ -29,7 +29,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "slog",
-	Doc:      analysisutil.MustExtractDoc(doc, "slog"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "slog"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/slog",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -168,7 +168,7 @@ func isAttr(t types.Type) bool {
 //	"slog.Logger.With" (instead of "(*log/slog.Logger).With")
 func shortName(fn *types.Func) string {
 	var r string
-	if recv := fn.Type().(*types.Signature).Recv(); recv != nil {
+	if recv := fn.Signature().Recv(); recv != nil {
 		if _, named := typesinternal.ReceiverNamed(recv); named != nil {
 			r = named.Obj().Name()
 		} else {
@@ -188,7 +188,7 @@ func kvFuncSkipArgs(fn *types.Func) (int, bool) {
 		return 0, false
 	}
 	var recvName string // by default a slog package function
-	if recv := fn.Type().(*types.Signature).Recv(); recv != nil {
+	if recv := fn.Signature().Recv(); recv != nil {
 		_, named := typesinternal.ReceiverNamed(recv)
 		if named == nil {
 			return 0, false // anon struct/interface
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go b/vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go
index a0bdf001ab..b68385b242 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go
@@ -12,8 +12,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 )
 
 //go:embed doc.go
@@ -21,7 +21,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "stdmethods",
-	Doc:      analysisutil.MustExtractDoc(doc, "stdmethods"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "stdmethods"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/stdmethods",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -131,12 +131,12 @@ func canonicalMethod(pass *analysis.Pass, id *ast.Ident) {
 	}
 
 	// Do the =s (if any) all match?
-	if !matchParams(pass, expect.args, args, "=") || !matchParams(pass, expect.results, results, "=") {
+	if !matchParams(expect.args, args, "=") || !matchParams(expect.results, results, "=") {
 		return
 	}
 
 	// Everything must match.
-	if !matchParams(pass, expect.args, args, "") || !matchParams(pass, expect.results, results, "") {
+	if !matchParams(expect.args, args, "") || !matchParams(expect.results, results, "") {
 		expectFmt := id.Name + "(" + argjoin(expect.args) + ")"
 		if len(expect.results) == 1 {
 			expectFmt += " " + argjoin(expect.results)
@@ -168,7 +168,7 @@ func argjoin(x []string) string {
 }
 
 // Does each type in expect with the given prefix match the corresponding type in actual?
-func matchParams(pass *analysis.Pass, expect []string, actual *types.Tuple, prefix string) bool {
+func matchParams(expect []string, actual *types.Tuple, prefix string) bool {
 	for i, x := range expect {
 		if !strings.HasPrefix(x, prefix) {
 			continue
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go b/vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go
index 7a02d85ce7..0cbae68898 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go
@@ -13,8 +13,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/refactor"
 	"golang.org/x/tools/internal/typeparams"
 	"golang.org/x/tools/internal/typesinternal"
@@ -25,7 +25,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "stringintconv",
-	Doc:      analysisutil.MustExtractDoc(doc, "stringintconv"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "stringintconv"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/stringintconv",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go b/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go
index 400a6960c6..e38c266afe 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go
@@ -13,9 +13,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -30,7 +30,7 @@ func init() {
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "testinggoroutine",
-	Doc:      analysisutil.MustExtractDoc(doc, "testinggoroutine"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "testinggoroutine"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/testinggoroutine",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go b/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go
index db2e5f76d1..4b68a789cf 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go
@@ -36,7 +36,7 @@ func localFunctionDecls(info *types.Info, files []*ast.File) func(*types.Func) *
 // isMethodNamed returns true if f is a method defined
 // in package with the path pkgPath with a name in names.
 //
-// (Unlike [analysisinternal.IsMethodNamed], it ignores the receiver type name.)
+// (Unlike [analysis.IsMethodNamed], it ignores the receiver type name.)
 func isMethodNamed(f *types.Func, pkgPath string, names ...string) bool {
 	if f == nil {
 		return false
@@ -44,7 +44,7 @@ func isMethodNamed(f *types.Func, pkgPath string, names ...string) bool {
 	if f.Pkg() == nil || f.Pkg().Path() != pkgPath {
 		return false
 	}
-	if f.Type().(*types.Signature).Recv() == nil {
+	if f.Signature().Recv() == nil {
 		return false
 	}
 	return slices.Contains(names, f.Name())
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go b/vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go
index 1c0e92d01d..1f33df8403 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go
@@ -15,8 +15,8 @@ import (
 	"unicode/utf8"
 
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
-	"golang.org/x/tools/internal/analysisinternal"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
+	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -25,7 +25,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name: "tests",
-	Doc:  analysisutil.MustExtractDoc(doc, "tests"),
+	Doc:  analyzerutil.MustExtractDoc(doc, "tests"),
 	URL:  "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/tests",
 	Run:  run,
 }
@@ -465,7 +465,7 @@ func checkTest(pass *analysis.Pass, fn *ast.FuncDecl, prefix string) {
 	if tparams := fn.Type.TypeParams; tparams != nil && len(tparams.List) > 0 {
 		// Note: cmd/go/internal/load also errors about TestXXX and BenchmarkXXX functions with type parameters.
 		// We have currently decided to also warn before compilation/package loading. This can help users in IDEs.
-		pass.ReportRangef(analysisinternal.Range(tparams.Opening, tparams.Closing),
+		pass.ReportRangef(astutil.RangeOf(tparams.Opening, tparams.Closing),
 			"%s has type parameters: it will not be run by go test as a %sXXX function",
 			fn.Name.Name, prefix)
 	}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go b/vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go
index db91d37c12..8353c1efa9 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go
@@ -16,9 +16,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -30,7 +30,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "timeformat",
-	Doc:      analysisutil.MustExtractDoc(doc, "timeformat"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "timeformat"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/timeformat",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -39,7 +39,7 @@ var Analyzer = &analysis.Analyzer{
 func run(pass *analysis.Pass) (any, error) {
 	// Note: (time.Time).Format is a method and can be a typeutil.Callee
 	// without directly importing "time". So we cannot just skip this package
-	// when !analysisutil.Imports(pass.Pkg, "time").
+	// when !analysis.Imports(pass.Pkg, "time").
 	// TODO(taking): Consider using a prepass to collect typeutil.Callees.
 
 	inspect := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go b/vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go
index 26e894bd40..38eb0b1063 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go
@@ -11,9 +11,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -22,7 +22,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "unmarshal",
-	Doc:      analysisutil.MustExtractDoc(doc, "unmarshal"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "unmarshal"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unmarshal",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -39,7 +39,7 @@ func run(pass *analysis.Pass) (any, error) {
 	// Note: (*"encoding/json".Decoder).Decode, (* "encoding/gob".Decoder).Decode
 	// and (* "encoding/xml".Decoder).Decode are methods and can be a typeutil.Callee
 	// without directly importing their packages. So we cannot just skip this package
-	// when !analysisutil.Imports(pass.Pkg, "encoding/...").
+	// when !analysis.Imports(pass.Pkg, "encoding/...").
 	// TODO(taking): Consider using a prepass to collect typeutil.Callees.
 
 	inspect := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
@@ -57,7 +57,7 @@ func run(pass *analysis.Pass) (any, error) {
 		// Classify the callee (without allocating memory).
 		argidx := -1
 
-		recv := fn.Type().(*types.Signature).Recv()
+		recv := fn.Signature().Recv()
 		if fn.Name() == "Unmarshal" && recv == nil {
 			// "encoding/json".Unmarshal
 			// "encoding/xml".Unmarshal
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go b/vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go
index 317f034992..532f38fe91 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go
@@ -14,8 +14,9 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
+	"golang.org/x/tools/internal/refactor"
 )
 
 //go:embed doc.go
@@ -23,7 +24,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:             "unreachable",
-	Doc:              analysisutil.MustExtractDoc(doc, "unreachable"),
+	Doc:              analyzerutil.MustExtractDoc(doc, "unreachable"),
 	URL:              "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unreachable",
 	Requires:         []*analysis.Analyzer{inspect.Analyzer},
 	RunDespiteErrors: true,
@@ -188,6 +189,11 @@ func (d *deadState) findDead(stmt ast.Stmt) {
 		case *ast.EmptyStmt:
 			// do not warn about unreachable empty statements
 		default:
+			var (
+				inspect    = d.pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
+				curStmt, _ = inspect.Root().FindNode(stmt)
+				tokFile    = d.pass.Fset.File(stmt.Pos())
+			)
 			// (This call to pass.Report is a frequent source
 			// of diagnostics beyond EOF in a truncated file;
 			// see #71659.)
@@ -196,11 +202,8 @@ func (d *deadState) findDead(stmt ast.Stmt) {
 				End:     stmt.End(),
 				Message: "unreachable code",
 				SuggestedFixes: []analysis.SuggestedFix{{
-					Message: "Remove",
-					TextEdits: []analysis.TextEdit{{
-						Pos: stmt.Pos(),
-						End: stmt.End(),
-					}},
+					Message:   "Remove",
+					TextEdits: refactor.DeleteStmt(tokFile, curStmt),
 				}},
 			})
 			d.reachable = true // silence error about next statement
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go b/vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go
index 778010bc0d..ce785725e3 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go
@@ -14,8 +14,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typesinternal"
 )
 
@@ -24,7 +24,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "unsafeptr",
-	Doc:      analysisutil.MustExtractDoc(doc, "unsafeptr"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "unsafeptr"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unsafeptr",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go b/vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go
index ed4cf7ae0b..bd32d58690 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go
@@ -23,10 +23,10 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/inspect"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/go/types/typeutil"
-	"golang.org/x/tools/internal/analysisinternal"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
+	"golang.org/x/tools/internal/astutil"
 )
 
 //go:embed doc.go
@@ -34,7 +34,7 @@ var doc string
 
 var Analyzer = &analysis.Analyzer{
 	Name:     "unusedresult",
-	Doc:      analysisutil.MustExtractDoc(doc, "unusedresult"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "unusedresult"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unusedresult",
 	Requires: []*analysis.Analyzer{inspect.Analyzer},
 	Run:      run,
@@ -150,11 +150,11 @@ func run(pass *analysis.Pass) (any, error) {
 		if !ok {
 			return // e.g. var or builtin
 		}
-		if sig := fn.Type().(*types.Signature); sig.Recv() != nil {
+		if sig := fn.Signature(); sig.Recv() != nil {
 			// method (e.g. foo.String())
 			if types.Identical(sig, sigNoArgsStringResult) {
 				if stringMethods[fn.Name()] {
-					pass.ReportRangef(analysisinternal.Range(call.Pos(), call.Lparen),
+					pass.ReportRangef(astutil.RangeOf(call.Pos(), call.Lparen),
 						"result of (%s).%s call not used",
 						sig.Recv().Type(), fn.Name())
 				}
@@ -162,7 +162,7 @@ func run(pass *analysis.Pass) (any, error) {
 		} else {
 			// package-level function (e.g. fmt.Errorf)
 			if pkgFuncs[[2]string{fn.Pkg().Path(), fn.Name()}] {
-				pass.ReportRangef(analysisinternal.Range(call.Pos(), call.Lparen),
+				pass.ReportRangef(astutil.RangeOf(call.Pos(), call.Lparen),
 					"result of %s.%s call not used",
 					fn.Pkg().Path(), fn.Name())
 			}
diff --git a/vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go b/vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go
index 2e209c8a6c..9bf9f5455f 100644
--- a/vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go
+++ b/vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go
@@ -10,8 +10,8 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
-	"golang.org/x/tools/go/analysis/passes/internal/analysisutil"
 	"golang.org/x/tools/go/ssa"
+	"golang.org/x/tools/internal/analysis/analyzerutil"
 	"golang.org/x/tools/internal/typeparams"
 )
 
@@ -22,7 +22,7 @@ var doc string
 // that are never read.
 var Analyzer = &analysis.Analyzer{
 	Name:     "unusedwrite",
-	Doc:      analysisutil.MustExtractDoc(doc, "unusedwrite"),
+	Doc:      analyzerutil.MustExtractDoc(doc, "unusedwrite"),
 	URL:      "https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/unusedwrite",
 	Requires: []*analysis.Analyzer{buildssa.Analyzer},
 	Run:      run,
diff --git a/vendor/golang.org/x/tools/go/ast/astutil/imports.go b/vendor/golang.org/x/tools/go/ast/astutil/imports.go
index 5bacc0fa49..adb4711019 100644
--- a/vendor/golang.org/x/tools/go/ast/astutil/imports.go
+++ b/vendor/golang.org/x/tools/go/ast/astutil/imports.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"go/ast"
 	"go/token"
+	"reflect"
 	"slices"
 	"strconv"
 	"strings"
@@ -149,7 +150,7 @@ func AddNamedImport(fset *token.FileSet, f *ast.File, name, path string) (added
 	if newImport.Name != nil {
 		newImport.Name.NamePos = pos
 	}
-	newImport.Path.ValuePos = pos
+	updateBasicLitPos(newImport.Path, pos)
 	newImport.EndPos = pos
 
 	// Clean up parens. impDecl contains at least one spec.
@@ -184,7 +185,7 @@ func AddNamedImport(fset *token.FileSet, f *ast.File, name, path string) (added
 		first.Lparen = first.Pos()
 		// Move the imports of the other import declaration to the first one.
 		for _, spec := range gen.Specs {
-			spec.(*ast.ImportSpec).Path.ValuePos = first.Pos()
+			updateBasicLitPos(spec.(*ast.ImportSpec).Path, first.Pos())
 			first.Specs = append(first.Specs, spec)
 		}
 		f.Decls = slices.Delete(f.Decls, i, i+1)
@@ -470,3 +471,17 @@ func Imports(fset *token.FileSet, f *ast.File) [][]*ast.ImportSpec {
 
 	return groups
 }
+
+// updateBasicLitPos updates lit.Pos,
+// ensuring that lit.End (if set) is displaced by the same amount.
+// (See https://go.dev/issue/76395.)
+func updateBasicLitPos(lit *ast.BasicLit, pos token.Pos) {
+	len := lit.End() - lit.Pos()
+	lit.ValuePos = pos
+	// TODO(adonovan): after go1.26, simplify to:
+	//   lit.ValueEnd = pos + len
+	v := reflect.ValueOf(lit).Elem().FieldByName("ValueEnd")
+	if v.IsValid() && v.Int() != 0 {
+		v.SetInt(int64(pos + len))
+	}
+}
diff --git a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
index 7e72d3c284..fc9bbc714c 100644
--- a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
+++ b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
@@ -467,7 +467,9 @@ func (c Cursor) FindByPos(start, end token.Pos) (Cursor, bool) {
 	// This algorithm could be implemented using c.Inspect,
 	// but it is about 2.5x slower.
 
-	best := int32(-1) // push index of latest (=innermost) node containing range
+	// best is the push-index of the latest (=innermost) node containing range.
+	// (Beware: latest is not always innermost because FuncDecl.{Name,Type} overlap.)
+	best := int32(-1)
 	for i, limit := c.indices(); i < limit; i++ {
 		ev := events[i]
 		if ev.index > i { // push?
@@ -481,6 +483,19 @@ func (c Cursor) FindByPos(start, end token.Pos) (Cursor, bool) {
 					continue
 				}
 			} else {
+				// Edge case: FuncDecl.Name and .Type overlap:
+				// Don't update best from Name to FuncDecl.Type.
+				//
+				// The condition can be read as:
+				// - n is FuncType
+				// - n.parent is FuncDecl
+				// - best is strictly beneath the FuncDecl
+				if ev.typ == 1<<nFuncType &&
+					events[ev.parent].typ == 1<<nFuncDecl &&
+					best > ev.parent {
+					continue
+				}
+
 				nodeEnd = n.End()
 				if n.Pos() > start {
 					break // disjoint, after; stop
diff --git a/vendor/golang.org/x/tools/go/cfg/builder.go b/vendor/golang.org/x/tools/go/cfg/builder.go
index ac4d63c400..f16cd42309 100644
--- a/vendor/golang.org/x/tools/go/cfg/builder.go
+++ b/vendor/golang.org/x/tools/go/cfg/builder.go
@@ -13,7 +13,7 @@ import (
 )
 
 type builder struct {
-	cfg       *CFG
+	blocks    []*Block
 	mayReturn func(*ast.CallExpr) bool
 	current   *Block
 	lblocks   map[string]*lblock // labeled blocks
@@ -32,12 +32,18 @@ start:
 		*ast.SendStmt,
 		*ast.IncDecStmt,
 		*ast.GoStmt,
-		*ast.DeferStmt,
 		*ast.EmptyStmt,
 		*ast.AssignStmt:
 		// No effect on control flow.
 		b.add(s)
 
+	case *ast.DeferStmt:
+		b.add(s)
+		// Assume conservatively that this behaves like:
+		//    defer func() { recover() }
+		// so any subsequent panic may act like a return.
+		b.current.returns = true
+
 	case *ast.ExprStmt:
 		b.add(s)
 		if call, ok := s.X.(*ast.CallExpr); ok && !b.mayReturn(call) {
@@ -64,6 +70,7 @@ start:
 		goto start // effectively: tailcall stmt(g, s.Stmt, label)
 
 	case *ast.ReturnStmt:
+		b.current.returns = true
 		b.add(s)
 		b.current = b.newBlock(KindUnreachable, s)
 
@@ -483,14 +490,13 @@ func (b *builder) labeledBlock(label *ast.Ident, stmt *ast.LabeledStmt) *lblock
 // It does not automatically become the current block.
 // comment is an optional string for more readable debugging output.
 func (b *builder) newBlock(kind BlockKind, stmt ast.Stmt) *Block {
-	g := b.cfg
 	block := &Block{
-		Index: int32(len(g.Blocks)),
+		Index: int32(len(b.blocks)),
 		Kind:  kind,
 		Stmt:  stmt,
 	}
 	block.Succs = block.succs2[:0]
-	g.Blocks = append(g.Blocks, block)
+	b.blocks = append(b.blocks, block)
 	return block
 }
 
diff --git a/vendor/golang.org/x/tools/go/cfg/cfg.go b/vendor/golang.org/x/tools/go/cfg/cfg.go
index 29a39f698c..38aba77c29 100644
--- a/vendor/golang.org/x/tools/go/cfg/cfg.go
+++ b/vendor/golang.org/x/tools/go/cfg/cfg.go
@@ -47,13 +47,16 @@ import (
 	"go/ast"
 	"go/format"
 	"go/token"
+
+	"golang.org/x/tools/internal/cfginternal"
 )
 
 // A CFG represents the control-flow graph of a single function.
 //
 // The entry point is Blocks[0]; there may be multiple return blocks.
 type CFG struct {
-	Blocks []*Block // block[0] is entry; order otherwise undefined
+	Blocks   []*Block // block[0] is entry; order otherwise undefined
+	noreturn bool     // function body lacks a reachable return statement
 }
 
 // A Block represents a basic block: a list of statements and
@@ -67,12 +70,13 @@ type CFG struct {
 // an [ast.Expr], Succs[0] is the successor if the condition is true, and
 // Succs[1] is the successor if the condition is false.
 type Block struct {
-	Nodes []ast.Node // statements, expressions, and ValueSpecs
-	Succs []*Block   // successor nodes in the graph
-	Index int32      // index within CFG.Blocks
-	Live  bool       // block is reachable from entry
-	Kind  BlockKind  // block kind
-	Stmt  ast.Stmt   // statement that gave rise to this block (see BlockKind for details)
+	Nodes   []ast.Node // statements, expressions, and ValueSpecs
+	Succs   []*Block   // successor nodes in the graph
+	Index   int32      // index within CFG.Blocks
+	Live    bool       // block is reachable from entry
+	returns bool       // block contains return or defer (which may recover and return)
+	Kind    BlockKind  // block kind
+	Stmt    ast.Stmt   // statement that gave rise to this block (see BlockKind for details)
 
 	succs2 [2]*Block // underlying array for Succs
 }
@@ -141,14 +145,14 @@ func (kind BlockKind) String() string {
 func New(body *ast.BlockStmt, mayReturn func(*ast.CallExpr) bool) *CFG {
 	b := builder{
 		mayReturn: mayReturn,
-		cfg:       new(CFG),
 	}
 	b.current = b.newBlock(KindBody, body)
 	b.stmt(body)
 
-	// Compute liveness (reachability from entry point), breadth-first.
-	q := make([]*Block, 0, len(b.cfg.Blocks))
-	q = append(q, b.cfg.Blocks[0]) // entry point
+	// Compute liveness (reachability from entry point),
+	// breadth-first, marking Block.Live flags.
+	q := make([]*Block, 0, len(b.blocks))
+	q = append(q, b.blocks[0]) // entry point
 	for len(q) > 0 {
 		b := q[len(q)-1]
 		q = q[:len(q)-1]
@@ -162,12 +166,30 @@ func New(body *ast.BlockStmt, mayReturn func(*ast.CallExpr) bool) *CFG {
 	// Does control fall off the end of the function's body?
 	// Make implicit return explicit.
 	if b.current != nil && b.current.Live {
+		b.current.returns = true
 		b.add(&ast.ReturnStmt{
 			Return: body.End() - 1,
 		})
 	}
 
-	return b.cfg
+	// Is any return (or defer+recover) block reachable?
+	noreturn := true
+	for _, bl := range b.blocks {
+		if bl.Live && bl.returns {
+			noreturn = false
+			break
+		}
+	}
+
+	return &CFG{Blocks: b.blocks, noreturn: noreturn}
+}
+
+// isNoReturn reports whether the function has no reachable return.
+// TODO(adonovan): add (*CFG).NoReturn to public API.
+func isNoReturn(_cfg any) bool { return _cfg.(*CFG).noreturn }
+
+func init() {
+	cfginternal.IsNoReturn = isNoReturn // expose to ctrlflow analyzer
 }
 
 func (b *Block) String() string {
@@ -187,6 +209,14 @@ func (b *Block) comment(fset *token.FileSet) string {
 //
 // When control falls off the end of the function, the ReturnStmt is synthetic
 // and its [ast.Node.End] position may be beyond the end of the file.
+//
+// A function that contains no return statement (explicit or implied)
+// may yet return normally, and may even return a nonzero value. For example:
+//
+//	func() (res any) {
+//		defer func() { res = recover() }()
+//		panic(123)
+//	}
 func (b *Block) Return() (ret *ast.ReturnStmt) {
 	if len(b.Nodes) > 0 {
 		ret, _ = b.Nodes[len(b.Nodes)-1].(*ast.ReturnStmt)
diff --git a/vendor/golang.org/x/tools/go/packages/packages.go b/vendor/golang.org/x/tools/go/packages/packages.go
index 060ab08efb..ff607389da 100644
--- a/vendor/golang.org/x/tools/go/packages/packages.go
+++ b/vendor/golang.org/x/tools/go/packages/packages.go
@@ -1027,11 +1027,15 @@ func (ld *loader) refine(response *DriverResponse) ([]*Package, error) {
 // Precondition: ld.Mode&(NeedSyntax|NeedTypes|NeedTypesInfo) != 0.
 func (ld *loader) loadPackage(lpkg *loaderPackage) {
 	if lpkg.PkgPath == "unsafe" {
-		// Fill in the blanks to avoid surprises.
+		// To avoid surprises, fill in the blanks consistent
+		// with other packages. (For example, some analyzers
+		// assert that each needed types.Info map is non-nil
+		// even when there is no syntax that would cause them
+		// to consult the map.)
 		lpkg.Types = types.Unsafe
 		lpkg.Fset = ld.Fset
 		lpkg.Syntax = []*ast.File{}
-		lpkg.TypesInfo = new(types.Info)
+		lpkg.TypesInfo = ld.newTypesInfo()
 		lpkg.TypesSizes = ld.sizes
 		return
 	}
@@ -1180,20 +1184,7 @@ func (ld *loader) loadPackage(lpkg *loaderPackage) {
 		return
 	}
 
-	// Populate TypesInfo only if needed, as it
-	// causes the type checker to work much harder.
-	if ld.Config.Mode&NeedTypesInfo != 0 {
-		lpkg.TypesInfo = &types.Info{
-			Types:        make(map[ast.Expr]types.TypeAndValue),
-			Defs:         make(map[*ast.Ident]types.Object),
-			Uses:         make(map[*ast.Ident]types.Object),
-			Implicits:    make(map[ast.Node]types.Object),
-			Instances:    make(map[*ast.Ident]types.Instance),
-			Scopes:       make(map[ast.Node]*types.Scope),
-			Selections:   make(map[*ast.SelectorExpr]*types.Selection),
-			FileVersions: make(map[*ast.File]string),
-		}
-	}
+	lpkg.TypesInfo = ld.newTypesInfo()
 	lpkg.TypesSizes = ld.sizes
 
 	importer := importerFunc(func(path string) (*types.Package, error) {
@@ -1307,6 +1298,24 @@ func (ld *loader) loadPackage(lpkg *loaderPackage) {
 	lpkg.IllTyped = illTyped
 }
 
+func (ld *loader) newTypesInfo() *types.Info {
+	// Populate TypesInfo only if needed, as it
+	// causes the type checker to work much harder.
+	if ld.Config.Mode&NeedTypesInfo == 0 {
+		return nil
+	}
+	return &types.Info{
+		Types:        make(map[ast.Expr]types.TypeAndValue),
+		Defs:         make(map[*ast.Ident]types.Object),
+		Uses:         make(map[*ast.Ident]types.Object),
+		Implicits:    make(map[ast.Node]types.Object),
+		Instances:    make(map[*ast.Ident]types.Instance),
+		Scopes:       make(map[ast.Node]*types.Scope),
+		Selections:   make(map[*ast.SelectorExpr]*types.Selection),
+		FileVersions: make(map[*ast.File]string),
+	}
+}
+
 // An importFunc is an implementation of the single-method
 // types.Importer interface based on a function value.
 type importerFunc func(path string) (*types.Package, error)
diff --git a/vendor/golang.org/x/tools/go/packages/visit.go b/vendor/golang.org/x/tools/go/packages/visit.go
index af6a60d75f..c546b1b63e 100644
--- a/vendor/golang.org/x/tools/go/packages/visit.go
+++ b/vendor/golang.org/x/tools/go/packages/visit.go
@@ -78,7 +78,7 @@ func PrintErrors(pkgs []*Package) int {
 	return n
 }
 
-// Postorder returns an iterator over the the packages in
+// Postorder returns an iterator over the packages in
 // the import graph whose roots are pkg.
 // Packages are enumerated in dependencies-first order.
 func Postorder(pkgs []*Package) iter.Seq[*Package] {
diff --git a/vendor/golang.org/x/tools/go/ssa/builder.go b/vendor/golang.org/x/tools/go/ssa/builder.go
index 41857ffbb9..a75257c8b1 100644
--- a/vendor/golang.org/x/tools/go/ssa/builder.go
+++ b/vendor/golang.org/x/tools/go/ssa/builder.go
@@ -110,10 +110,11 @@ var (
 	tEface      = types.NewInterfaceType(nil, nil).Complete()
 
 	// SSA Value constants.
-	vZero  = intConst(0)
-	vOne   = intConst(1)
-	vTrue  = NewConst(constant.MakeBool(true), tBool)
-	vFalse = NewConst(constant.MakeBool(false), tBool)
+	vZero     = intConst(0)
+	vOne      = intConst(1)
+	vTrue     = NewConst(constant.MakeBool(true), tBool)
+	vFalse    = NewConst(constant.MakeBool(false), tBool)
+	vNoReturn = NewConst(constant.MakeString("noreturn"), tString)
 
 	jReady = intConst(0)  // range-over-func jump is READY
 	jBusy  = intConst(-1) // range-over-func jump is BUSY
@@ -291,7 +292,7 @@ func (b *builder) exprN(fn *Function, e ast.Expr) Value {
 		var c Call
 		b.setCall(fn, e, &c.Call)
 		c.typ = typ
-		return fn.emit(&c)
+		return emitCall(fn, &c)
 
 	case *ast.IndexExpr:
 		mapt := typeparams.CoreType(fn.typeOf(e.X)).(*types.Map) // ,ok must be a map.
@@ -723,7 +724,7 @@ func (b *builder) expr0(fn *Function, e ast.Expr, tv types.TypeAndValue) Value {
 		var v Call
 		b.setCall(fn, e, &v.Call)
 		v.setType(fn.typ(tv.Type))
-		return fn.emit(&v)
+		return emitCall(fn, &v)
 
 	case *ast.UnaryExpr:
 		switch e.Op {
@@ -2343,7 +2344,7 @@ func (b *builder) rangeStmt(fn *Function, s *ast.RangeStmt, label *lblock) {
 		// 	for x := range f { ... }
 		// into
 		// 	f(func(x T) bool { ... })
-		b.rangeFunc(fn, x, tk, tv, s, label)
+		b.rangeFunc(fn, x, s, label)
 		return
 
 	default:
@@ -2389,7 +2390,7 @@ func (b *builder) rangeStmt(fn *Function, s *ast.RangeStmt, label *lblock) {
 // rangeFunc emits to fn code for the range-over-func rng.Body of the iterator
 // function x, optionally labelled by label. It creates a new anonymous function
 // yield for rng and builds the function.
-func (b *builder) rangeFunc(fn *Function, x Value, tk, tv types.Type, rng *ast.RangeStmt, label *lblock) {
+func (b *builder) rangeFunc(fn *Function, x Value, rng *ast.RangeStmt, label *lblock) {
 	// Consider the SSA code for the outermost range-over-func in fn:
 	//
 	//   func fn(...) (ret R) {
@@ -2993,8 +2994,8 @@ func (b *builder) buildYieldFunc(fn *Function) {
 	fn.source = fn.parent.source
 	fn.startBody()
 	params := fn.Signature.Params()
-	for i := 0; i < params.Len(); i++ {
-		fn.addParamVar(params.At(i))
+	for v := range params.Variables() {
+		fn.addParamVar(v)
 	}
 
 	// Initial targets
diff --git a/vendor/golang.org/x/tools/go/ssa/create.go b/vendor/golang.org/x/tools/go/ssa/create.go
index 2fa3d0757a..bbf88567cb 100644
--- a/vendor/golang.org/x/tools/go/ssa/create.go
+++ b/vendor/golang.org/x/tools/go/ssa/create.go
@@ -15,6 +15,7 @@ import (
 	"os"
 	"sync"
 
+	"golang.org/x/tools/internal/ssainternal"
 	"golang.org/x/tools/internal/versions"
 )
 
@@ -312,3 +313,20 @@ func (prog *Program) AllPackages() []*Package {
 func (prog *Program) ImportedPackage(path string) *Package {
 	return prog.imported[path]
 }
+
+// setNoReturn sets the predicate used by the SSA builder to decide
+// whether a call to the specified named function cannot return,
+// allowing the builder to prune control-flow edges following the
+// call, thus improving the precision of downstream analysis.
+//
+// TODO(adonovan): add (*Program).SetNoReturn to the public API.
+func (prog *Program) setNoReturn(noReturn func(*types.Func) bool) {
+	prog.noReturn = noReturn
+}
+
+func init() {
+	// SetNoReturn exposes Program.setNoReturn to the buildssa analyzer.
+	ssainternal.SetNoReturn = func(prog any, noReturn func(*types.Func) bool) {
+		prog.(*Program).setNoReturn(noReturn)
+	}
+}
diff --git a/vendor/golang.org/x/tools/go/ssa/emit.go b/vendor/golang.org/x/tools/go/ssa/emit.go
index e53ebf5a7f..31aa5de8d7 100644
--- a/vendor/golang.org/x/tools/go/ssa/emit.go
+++ b/vendor/golang.org/x/tools/go/ssa/emit.go
@@ -488,7 +488,7 @@ func emitTailCall(f *Function, call *Call) {
 	} else {
 		call.typ = tresults
 	}
-	tuple := f.emit(call)
+	tuple := emitCall(f, call)
 	var ret Return
 	switch nr {
 	case 0:
@@ -509,6 +509,27 @@ func emitTailCall(f *Function, call *Call) {
 	f.currentBlock = nil
 }
 
+// emitCall emits a call instruction. If the callee is "no return",
+// it also emits a panic to eliminate infeasible CFG edges.
+func emitCall(fn *Function, call *Call) Value {
+	res := fn.emit(call)
+
+	callee := call.Call.StaticCallee()
+	if callee != nil &&
+		callee.object != nil &&
+		fn.Prog.noReturn != nil &&
+		fn.Prog.noReturn(callee.object) {
+		// Call cannot return. Insert a panic after it.
+		fn.emit(&Panic{
+			X:   emitConv(fn, vNoReturn, tEface),
+			pos: call.Pos(),
+		})
+		fn.currentBlock = fn.newBasicBlock("unreachable.noreturn")
+	}
+
+	return res
+}
+
 // emitImplicitSelections emits to f code to apply the sequence of
 // implicit field selections specified by indices to base value v, and
 // returns the selected value.
diff --git a/vendor/golang.org/x/tools/go/ssa/func.go b/vendor/golang.org/x/tools/go/ssa/func.go
index f48bd7184a..33a12444d5 100644
--- a/vendor/golang.org/x/tools/go/ssa/func.go
+++ b/vendor/golang.org/x/tools/go/ssa/func.go
@@ -668,7 +668,11 @@ func WriteFunction(buf *bytes.Buffer, f *Function) {
 			continue
 		}
 		n, _ := fmt.Fprintf(buf, "%d:", b.Index)
+		// (|predecessors|, |successors|, immediate dominator)
 		bmsg := fmt.Sprintf("%s P:%d S:%d", b.Comment, len(b.Preds), len(b.Succs))
+		if b.Idom() != nil {
+			bmsg = fmt.Sprintf("%s idom:%d", bmsg, b.Idom().Index)
+		}
 		fmt.Fprintf(buf, "%*s%s\n", punchcard-1-n-len(bmsg), "", bmsg)
 
 		if false { // CFG debugging
diff --git a/vendor/golang.org/x/tools/go/ssa/instantiate.go b/vendor/golang.org/x/tools/go/ssa/instantiate.go
index 20a0986e6d..5862440a65 100644
--- a/vendor/golang.org/x/tools/go/ssa/instantiate.go
+++ b/vendor/golang.org/x/tools/go/ssa/instantiate.go
@@ -83,7 +83,7 @@ func createInstance(fn *Function, targs []types.Type) *Function {
 	if prog.mode&InstantiateGenerics != 0 && !prog.isParameterized(targs...) {
 		synthetic = fmt.Sprintf("instance of %s", fn.Name())
 		if fn.syntax != nil {
-			subst = makeSubster(prog.ctxt, obj, fn.typeparams, targs, false)
+			subst = makeSubster(prog.ctxt, obj, fn.typeparams, targs)
 			build = (*builder).buildFromSyntax
 		} else {
 			build = (*builder).buildParamsOnly
diff --git a/vendor/golang.org/x/tools/go/ssa/ssa.go b/vendor/golang.org/x/tools/go/ssa/ssa.go
index ecad99d034..7c84494c32 100644
--- a/vendor/golang.org/x/tools/go/ssa/ssa.go
+++ b/vendor/golang.org/x/tools/go/ssa/ssa.go
@@ -45,6 +45,8 @@ type Program struct {
 	// to avoid creation of duplicate methods from type information.
 	objectMethodsMu sync.Mutex
 	objectMethods   map[*types.Func]*Function
+
+	noReturn func(*types.Func) bool // (optional) predicate that decides whether a given call cannot return
 }
 
 // A Package is a single analyzed Go package containing Members for
diff --git a/vendor/golang.org/x/tools/go/ssa/ssautil/visit.go b/vendor/golang.org/x/tools/go/ssa/ssautil/visit.go
index b4feb42cb3..7300d2bf37 100644
--- a/vendor/golang.org/x/tools/go/ssa/ssautil/visit.go
+++ b/vendor/golang.org/x/tools/go/ssa/ssautil/visit.go
@@ -74,8 +74,8 @@ func AllFunctions(prog *ssa.Program) map[*ssa.Function]bool {
 	methodsOf := func(T types.Type) {
 		if !types.IsInterface(T) {
 			mset := prog.MethodSets.MethodSet(T)
-			for i := 0; i < mset.Len(); i++ {
-				function(prog.MethodValue(mset.At(i)))
+			for method := range mset.Methods() {
+				function(prog.MethodValue(method))
 			}
 		}
 	}
diff --git a/vendor/golang.org/x/tools/go/ssa/subst.go b/vendor/golang.org/x/tools/go/ssa/subst.go
index 2c465ec0ae..5799a07802 100644
--- a/vendor/golang.org/x/tools/go/ssa/subst.go
+++ b/vendor/golang.org/x/tools/go/ssa/subst.go
@@ -59,7 +59,7 @@ type subster struct {
 // Returns a subster that replaces tparams[i] with targs[i]. Uses ctxt as a cache.
 // targs should not contain any types in tparams.
 // fn is the generic function for which we are substituting.
-func makeSubster(ctxt *types.Context, fn *types.Func, tparams *types.TypeParamList, targs []types.Type, debug bool) *subster {
+func makeSubster(ctxt *types.Context, fn *types.Func, tparams *types.TypeParamList, targs []types.Type) *subster {
 	assert(tparams.Len() == len(targs), "makeSubster argument count must match")
 
 	subst := &subster{
@@ -352,8 +352,7 @@ func (subst *subster) alias(t *types.Alias) types.Type {
 
 		// Copy and substitute type params.
 		var newTParams []*types.TypeParam
-		for i := 0; i < tparams.Len(); i++ {
-			cur := tparams.At(i)
+		for cur := range tparams.TypeParams() {
 			cobj := cur.Obj()
 			cname := types.NewTypeName(cobj.Pos(), cobj.Pkg(), cobj.Name(), nil)
 			ntp := types.NewTypeParam(cname, nil)
@@ -488,8 +487,7 @@ func (subst *subster) named(t *types.Named) types.Type {
 		obj := types.NewTypeName(tname.Pos(), tname.Pkg(), tname.Name(), nil)
 		fresh := types.NewNamed(obj, nil, nil)
 		var newTParams []*types.TypeParam
-		for i := 0; i < tparams.Len(); i++ {
-			cur := tparams.At(i)
+		for cur := range tparams.TypeParams() {
 			cobj := cur.Obj()
 			cname := types.NewTypeName(cobj.Pos(), cobj.Pkg(), cobj.Name(), nil)
 			ntp := types.NewTypeParam(cname, nil)
diff --git a/vendor/golang.org/x/tools/go/ssa/util.go b/vendor/golang.org/x/tools/go/ssa/util.go
index 932eb6cb0e..42f9621c3f 100644
--- a/vendor/golang.org/x/tools/go/ssa/util.go
+++ b/vendor/golang.org/x/tools/go/ssa/util.go
@@ -121,7 +121,7 @@ func is[T any](x any) bool {
 
 // recvType returns the receiver type of method obj.
 func recvType(obj *types.Func) types.Type {
-	return obj.Type().(*types.Signature).Recv().Type()
+	return obj.Signature().Recv().Type()
 }
 
 // fieldOf returns the index'th field of the (core type of) a struct type;
@@ -200,7 +200,7 @@ func makeLen(T types.Type) *Builtin {
 // receiverTypeArgs returns the type arguments to a method's receiver.
 // Returns an empty list if the receiver does not have type arguments.
 func receiverTypeArgs(method *types.Func) []types.Type {
-	recv := method.Type().(*types.Signature).Recv()
+	recv := method.Signature().Recv()
 	_, named := typesinternal.ReceiverNamed(recv)
 	if named == nil {
 		return nil // recv is anonymous struct/interface
@@ -221,8 +221,8 @@ func receiverTypeArgs(method *types.Func) []types.Type {
 func recvAsFirstArg(sig *types.Signature) *types.Signature {
 	params := make([]*types.Var, 0, 1+sig.Params().Len())
 	params = append(params, sig.Recv())
-	for i := 0; i < sig.Params().Len(); i++ {
-		params = append(params, sig.Params().At(i))
+	for v := range sig.Params().Variables() {
+		params = append(params, v)
 	}
 	return types.NewSignatureType(nil, nil, nil, types.NewTuple(params...), sig.Results(), sig.Variadic())
 }
diff --git a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
index 6c0c74968f..6646bf5508 100644
--- a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
+++ b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
@@ -249,7 +249,7 @@ func (enc *Encoder) For(obj types.Object) (Path, error) {
 
 	case *types.Func:
 		// A func, if not package-level, must be a method.
-		if recv := obj.Type().(*types.Signature).Recv(); recv == nil {
+		if recv := obj.Signature().Recv(); recv == nil {
 			return "", fmt.Errorf("func is not a method: %v", obj)
 		}
 
@@ -405,7 +405,7 @@ func (enc *Encoder) concreteMethod(meth *types.Func) (Path, bool) {
 		return "", false
 	}
 
-	_, named := typesinternal.ReceiverNamed(meth.Type().(*types.Signature).Recv())
+	_, named := typesinternal.ReceiverNamed(meth.Signature().Recv())
 	if named == nil {
 		return "", false
 	}
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/callee.go b/vendor/golang.org/x/tools/go/types/typeutil/callee.go
index 5f10f56cba..3d24a8c637 100644
--- a/vendor/golang.org/x/tools/go/types/typeutil/callee.go
+++ b/vendor/golang.org/x/tools/go/types/typeutil/callee.go
@@ -12,6 +12,7 @@ import (
 
 // Callee returns the named target of a function call, if any:
 // a function, method, builtin, or variable.
+// It returns nil for a T(x) conversion.
 //
 // Functions and methods may potentially have type parameters.
 //
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/map.go b/vendor/golang.org/x/tools/go/types/typeutil/map.go
index f035a0b6be..36624572a6 100644
--- a/vendor/golang.org/x/tools/go/types/typeutil/map.go
+++ b/vendor/golang.org/x/tools/go/types/typeutil/map.go
@@ -304,8 +304,7 @@ func (h hasher) hash(t types.Type) uint32 {
 	case *types.Named:
 		hash := h.hashTypeName(t.Obj())
 		targs := t.TypeArgs()
-		for i := 0; i < targs.Len(); i++ {
-			targ := targs.At(i)
+		for targ := range targs.Types() {
 			hash += 2 * h.hash(targ)
 		}
 		return hash
diff --git a/vendor/golang.org/x/tools/imports/forward.go b/vendor/golang.org/x/tools/imports/forward.go
index 22ae777726..5d120d077c 100644
--- a/vendor/golang.org/x/tools/imports/forward.go
+++ b/vendor/golang.org/x/tools/imports/forward.go
@@ -69,3 +69,9 @@ func Process(filename string, src []byte, opt *Options) ([]byte, error) {
 	}
 	return intimp.Process(filename, src, intopt)
 }
+
+// VendorlessPath returns the devendorized version of the import path ipath.
+// For example, VendorlessPath("foo/barbendor/a/b") return "a/b".
+func VendorlessPath(ipath string) string {
+	return intimp.VendorlessPath(ipath)
+}
diff --git a/vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go
new file mode 100644
index 0000000000..74a2a1c815
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package analyzerutil provides implementation helpers for analyzers.
+package analyzerutil
diff --git a/vendor/golang.org/x/tools/internal/analysisinternal/extractdoc.go b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go
similarity index 97%
rename from vendor/golang.org/x/tools/internal/analysisinternal/extractdoc.go
rename to vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go
index bfb5900f1b..772a0300da 100644
--- a/vendor/golang.org/x/tools/internal/analysisinternal/extractdoc.go
+++ b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package analysisinternal
+package analyzerutil
 
 import (
 	"fmt"
@@ -35,7 +35,7 @@ import (
 //
 //	var Analyzer = &analysis.Analyzer{
 //		Name:             "halting",
-//		Doc:              analysisutil.MustExtractDoc(doc, "halting"),
+//		Doc:              analyzerutil.MustExtractDoc(doc, "halting"),
 //		...
 //	}
 func MustExtractDoc(content, name string) string {
diff --git a/vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go
new file mode 100644
index 0000000000..ecc30cae04
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go
@@ -0,0 +1,30 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package analyzerutil
+
+// This file defines helpers for calling [analysis.Pass.ReadFile].
+
+import (
+	"go/token"
+	"os"
+
+	"golang.org/x/tools/go/analysis"
+)
+
+// ReadFile reads a file and adds it to the FileSet in pass
+// so that we can report errors against it using lineStart.
+func ReadFile(pass *analysis.Pass, filename string) ([]byte, *token.File, error) {
+	readFile := pass.ReadFile
+	if readFile == nil {
+		readFile = os.ReadFile
+	}
+	content, err := readFile(filename)
+	if err != nil {
+		return nil, nil, err
+	}
+	tf := pass.Fset.AddFile(filename, -1, len(content))
+	tf.SetLinesForContent(content)
+	return content, tf, nil
+}
diff --git a/vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go
new file mode 100644
index 0000000000..0b9bcc37b6
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go
@@ -0,0 +1,42 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package analyzerutil
+
+import (
+	"go/ast"
+	"strings"
+
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/tools/internal/packagepath"
+	"golang.org/x/tools/internal/stdlib"
+	"golang.org/x/tools/internal/versions"
+)
+
+// FileUsesGoVersion reports whether the specified file may use features of the
+// specified version of Go (e.g. "go1.24").
+//
+// Tip: we recommend using this check "late", just before calling
+// pass.Report, rather than "early" (when entering each ast.File, or
+// each candidate node of interest, during the traversal), because the
+// operation is not free, yet is not a highly selective filter: the
+// fraction of files that pass most version checks is high and
+// increases over time.
+func FileUsesGoVersion(pass *analysis.Pass, file *ast.File, version string) (_res bool) {
+	fileVersion := pass.TypesInfo.FileVersions[file]
+
+	// Standard packages that are part of toolchain bootstrapping
+	// are not considered to use a version of Go later than the
+	// current bootstrap toolchain version.
+	// The bootstrap rule does not cover tests,
+	// and some tests (e.g. debug/elf/file_test.go) rely on this.
+	pkgpath := pass.Pkg.Path()
+	if packagepath.IsStdPackage(pkgpath) &&
+		stdlib.IsBootstrapPackage(pkgpath) && // (excludes "*_test" external test packages)
+		!strings.HasSuffix(pass.Fset.File(file.Pos()).Name(), "_test.go") { // (excludes all tests)
+		fileVersion = stdlib.BootstrapVersion.String() // package must bootstrap
+	}
+
+	return !versions.Before(fileVersion, version)
+}
diff --git a/vendor/golang.org/x/tools/internal/analysisinternal/typeindex/typeindex.go b/vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go
similarity index 88%
rename from vendor/golang.org/x/tools/internal/analysisinternal/typeindex/typeindex.go
rename to vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go
index bba21c6ea0..41146d9abb 100644
--- a/vendor/golang.org/x/tools/internal/analysisinternal/typeindex/typeindex.go
+++ b/vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go
@@ -22,12 +22,12 @@ import (
 var Analyzer = &analysis.Analyzer{
 	Name: "typeindex",
 	Doc:  "indexes of type information for later passes",
-	URL:  "https://pkg.go.dev/golang.org/x/tools/internal/analysisinternal/typeindex",
+	URL:  "https://pkg.go.dev/golang.org/x/tools/internal/analysis/typeindex",
 	Run: func(pass *analysis.Pass) (any, error) {
 		inspect := pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)
 		return typeindex.New(inspect, pass.Pkg, pass.TypesInfo), nil
 	},
 	RunDespiteErrors: true,
 	Requires:         []*analysis.Analyzer{inspect.Analyzer},
-	ResultType:       reflect.TypeOf(new(typeindex.Index)),
+	ResultType:       reflect.TypeFor[*typeindex.Index](),
 }
diff --git a/vendor/golang.org/x/tools/internal/analysisinternal/analysis.go b/vendor/golang.org/x/tools/internal/analysisinternal/analysis.go
deleted file mode 100644
index 2b4a8ebb6e..0000000000
--- a/vendor/golang.org/x/tools/internal/analysisinternal/analysis.go
+++ /dev/null
@@ -1,295 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package analysisinternal provides gopls' internal analyses with a
-// number of helper functions that operate on typed syntax trees.
-package analysisinternal
-
-import (
-	"cmp"
-	"fmt"
-	"go/ast"
-	"go/token"
-	"go/types"
-	"slices"
-	"strings"
-
-	"golang.org/x/tools/go/analysis"
-)
-
-// MatchingIdents finds the names of all identifiers in 'node' that match any of the given types.
-// 'pos' represents the position at which the identifiers may be inserted. 'pos' must be within
-// the scope of each of identifier we select. Otherwise, we will insert a variable at 'pos' that
-// is unrecognized.
-//
-// TODO(adonovan): this is only used by gopls/internal/analysis/fill{returns,struct}. Move closer.
-func MatchingIdents(typs []types.Type, node ast.Node, pos token.Pos, info *types.Info, pkg *types.Package) map[types.Type][]string {
-
-	// Initialize matches to contain the variable types we are searching for.
-	matches := make(map[types.Type][]string)
-	for _, typ := range typs {
-		if typ == nil {
-			continue // TODO(adonovan): is this reachable?
-		}
-		matches[typ] = nil // create entry
-	}
-
-	seen := map[types.Object]struct{}{}
-	ast.Inspect(node, func(n ast.Node) bool {
-		if n == nil {
-			return false
-		}
-		// Prevent circular definitions. If 'pos' is within an assignment statement, do not
-		// allow any identifiers in that assignment statement to be selected. Otherwise,
-		// we could do the following, where 'x' satisfies the type of 'f0':
-		//
-		// x := fakeStruct{f0: x}
-		//
-		if assign, ok := n.(*ast.AssignStmt); ok && pos > assign.Pos() && pos <= assign.End() {
-			return false
-		}
-		if n.End() > pos {
-			return n.Pos() <= pos
-		}
-		ident, ok := n.(*ast.Ident)
-		if !ok || ident.Name == "_" {
-			return true
-		}
-		obj := info.Defs[ident]
-		if obj == nil || obj.Type() == nil {
-			return true
-		}
-		if _, ok := obj.(*types.TypeName); ok {
-			return true
-		}
-		// Prevent duplicates in matches' values.
-		if _, ok = seen[obj]; ok {
-			return true
-		}
-		seen[obj] = struct{}{}
-		// Find the scope for the given position. Then, check whether the object
-		// exists within the scope.
-		innerScope := pkg.Scope().Innermost(pos)
-		if innerScope == nil {
-			return true
-		}
-		_, foundObj := innerScope.LookupParent(ident.Name, pos)
-		if foundObj != obj {
-			return true
-		}
-		// The object must match one of the types that we are searching for.
-		// TODO(adonovan): opt: use typeutil.Map?
-		if names, ok := matches[obj.Type()]; ok {
-			matches[obj.Type()] = append(names, ident.Name)
-		} else {
-			// If the object type does not exactly match
-			// any of the target types, greedily find the first
-			// target type that the object type can satisfy.
-			for typ := range matches {
-				if equivalentTypes(obj.Type(), typ) {
-					matches[typ] = append(matches[typ], ident.Name)
-				}
-			}
-		}
-		return true
-	})
-	return matches
-}
-
-func equivalentTypes(want, got types.Type) bool {
-	if types.Identical(want, got) {
-		return true
-	}
-	// Code segment to help check for untyped equality from (golang/go#32146).
-	if rhs, ok := want.(*types.Basic); ok && rhs.Info()&types.IsUntyped > 0 {
-		if lhs, ok := got.Underlying().(*types.Basic); ok {
-			return rhs.Info()&types.IsConstType == lhs.Info()&types.IsConstType
-		}
-	}
-	return types.AssignableTo(want, got)
-}
-
-// A ReadFileFunc is a function that returns the
-// contents of a file, such as [os.ReadFile].
-type ReadFileFunc = func(filename string) ([]byte, error)
-
-// CheckedReadFile returns a wrapper around a Pass.ReadFile
-// function that performs the appropriate checks.
-func CheckedReadFile(pass *analysis.Pass, readFile ReadFileFunc) ReadFileFunc {
-	return func(filename string) ([]byte, error) {
-		if err := CheckReadable(pass, filename); err != nil {
-			return nil, err
-		}
-		return readFile(filename)
-	}
-}
-
-// CheckReadable enforces the access policy defined by the ReadFile field of [analysis.Pass].
-func CheckReadable(pass *analysis.Pass, filename string) error {
-	if slices.Contains(pass.OtherFiles, filename) ||
-		slices.Contains(pass.IgnoredFiles, filename) {
-		return nil
-	}
-	for _, f := range pass.Files {
-		if pass.Fset.File(f.FileStart).Name() == filename {
-			return nil
-		}
-	}
-	return fmt.Errorf("Pass.ReadFile: %s is not among OtherFiles, IgnoredFiles, or names of Files", filename)
-}
-
-// ValidateFixes validates the set of fixes for a single diagnostic.
-// Any error indicates a bug in the originating analyzer.
-//
-// It updates fixes so that fixes[*].End.IsValid().
-//
-// It may be used as part of an analysis driver implementation.
-func ValidateFixes(fset *token.FileSet, a *analysis.Analyzer, fixes []analysis.SuggestedFix) error {
-	fixMessages := make(map[string]bool)
-	for i := range fixes {
-		fix := &fixes[i]
-		if fixMessages[fix.Message] {
-			return fmt.Errorf("analyzer %q suggests two fixes with same Message (%s)", a.Name, fix.Message)
-		}
-		fixMessages[fix.Message] = true
-		if err := validateFix(fset, fix); err != nil {
-			return fmt.Errorf("analyzer %q suggests invalid fix (%s): %v", a.Name, fix.Message, err)
-		}
-	}
-	return nil
-}
-
-// validateFix validates a single fix.
-// Any error indicates a bug in the originating analyzer.
-//
-// It updates fix so that fix.End.IsValid().
-func validateFix(fset *token.FileSet, fix *analysis.SuggestedFix) error {
-
-	// Stably sort edits by Pos. This ordering puts insertions
-	// (end = start) before deletions (end > start) at the same
-	// point, but uses a stable sort to preserve the order of
-	// multiple insertions at the same point.
-	slices.SortStableFunc(fix.TextEdits, func(x, y analysis.TextEdit) int {
-		if sign := cmp.Compare(x.Pos, y.Pos); sign != 0 {
-			return sign
-		}
-		return cmp.Compare(x.End, y.End)
-	})
-
-	var prev *analysis.TextEdit
-	for i := range fix.TextEdits {
-		edit := &fix.TextEdits[i]
-
-		// Validate edit individually.
-		start := edit.Pos
-		file := fset.File(start)
-		if file == nil {
-			return fmt.Errorf("no token.File for TextEdit.Pos (%v)", edit.Pos)
-		}
-		fileEnd := token.Pos(file.Base() + file.Size())
-		if end := edit.End; end.IsValid() {
-			if end < start {
-				return fmt.Errorf("TextEdit.Pos (%v) > TextEdit.End (%v)", edit.Pos, edit.End)
-			}
-			endFile := fset.File(end)
-			if endFile != file && end < fileEnd+10 {
-				// Relax the checks below in the special case when the end position
-				// is only slightly beyond EOF, as happens when End is computed
-				// (as in ast.{Struct,Interface}Type) rather than based on
-				// actual token positions. In such cases, truncate end to EOF.
-				//
-				// This is a workaround for #71659; see:
-				// https://github.com/golang/go/issues/71659#issuecomment-2651606031
-				// A better fix would be more faithful recording of token
-				// positions (or their absence) in the AST.
-				edit.End = fileEnd
-				continue
-			}
-			if endFile == nil {
-				return fmt.Errorf("no token.File for TextEdit.End (%v; File(start).FileEnd is %d)", end, file.Base()+file.Size())
-			}
-			if endFile != file {
-				return fmt.Errorf("edit #%d spans files (%v and %v)",
-					i, file.Position(edit.Pos), endFile.Position(edit.End))
-			}
-		} else {
-			edit.End = start // update the SuggestedFix
-		}
-		if eof := fileEnd; edit.End > eof {
-			return fmt.Errorf("end is (%v) beyond end of file (%v)", edit.End, eof)
-		}
-
-		// Validate the sequence of edits:
-		// properly ordered, no overlapping deletions
-		if prev != nil && edit.Pos < prev.End {
-			xpos := fset.Position(prev.Pos)
-			xend := fset.Position(prev.End)
-			ypos := fset.Position(edit.Pos)
-			yend := fset.Position(edit.End)
-			return fmt.Errorf("overlapping edits to %s (%d:%d-%d:%d and %d:%d-%d:%d)",
-				xpos.Filename,
-				xpos.Line, xpos.Column,
-				xend.Line, xend.Column,
-				ypos.Line, ypos.Column,
-				yend.Line, yend.Column,
-			)
-		}
-		prev = edit
-	}
-
-	return nil
-}
-
-// Range returns an [analysis.Range] for the specified start and end positions.
-func Range(pos, end token.Pos) analysis.Range {
-	return tokenRange{pos, end}
-}
-
-// tokenRange is an implementation of the [analysis.Range] interface.
-type tokenRange struct{ StartPos, EndPos token.Pos }
-
-func (r tokenRange) Pos() token.Pos { return r.StartPos }
-func (r tokenRange) End() token.Pos { return r.EndPos }
-
-// TODO(adonovan): the import-related functions below don't depend on
-// analysis (or even on go/types or go/ast). Move somewhere more logical.
-
-// CanImport reports whether one package is allowed to import another.
-//
-// TODO(adonovan): allow customization of the accessibility relation
-// (e.g. for Bazel).
-func CanImport(from, to string) bool {
-	// TODO(adonovan): better segment hygiene.
-	if to == "internal" || strings.HasPrefix(to, "internal/") {
-		// Special case: only std packages may import internal/...
-		// We can't reliably know whether we're in std, so we
-		// use a heuristic on the first segment.
-		first, _, _ := strings.Cut(from, "/")
-		if strings.Contains(first, ".") {
-			return false // example.com/foo ∉ std
-		}
-		if first == "testdata" {
-			return false // testdata/foo ∉ std
-		}
-	}
-	if strings.HasSuffix(to, "/internal") {
-		return strings.HasPrefix(from, to[:len(to)-len("/internal")])
-	}
-	if i := strings.LastIndex(to, "/internal/"); i >= 0 {
-		return strings.HasPrefix(from, to[:i])
-	}
-	return true
-}
-
-// IsStdPackage reports whether the specified package path belongs to a
-// package in the standard library (including internal dependencies).
-func IsStdPackage(path string) bool {
-	// A standard package has no dot in its first segment.
-	// (It may yet have a dot, e.g. "vendor/golang.org/x/foo".)
-	slash := strings.IndexByte(path, '/')
-	if slash < 0 {
-		slash = len(path)
-	}
-	return !strings.Contains(path[:slash], ".") && path != "testdata"
-}
diff --git a/vendor/golang.org/x/tools/internal/astutil/stringlit.go b/vendor/golang.org/x/tools/internal/astutil/stringlit.go
index 849d45d853..ce1e7de882 100644
--- a/vendor/golang.org/x/tools/internal/astutil/stringlit.go
+++ b/vendor/golang.org/x/tools/internal/astutil/stringlit.go
@@ -14,16 +14,16 @@ import (
 
 // RangeInStringLiteral calculates the positional range within a string literal
 // corresponding to the specified start and end byte offsets within the logical string.
-func RangeInStringLiteral(lit *ast.BasicLit, start, end int) (token.Pos, token.Pos, error) {
+func RangeInStringLiteral(lit *ast.BasicLit, start, end int) (Range, error) {
 	startPos, err := PosInStringLiteral(lit, start)
 	if err != nil {
-		return 0, 0, fmt.Errorf("start: %v", err)
+		return Range{}, fmt.Errorf("start: %v", err)
 	}
 	endPos, err := PosInStringLiteral(lit, end)
 	if err != nil {
-		return 0, 0, fmt.Errorf("end: %v", err)
+		return Range{}, fmt.Errorf("end: %v", err)
 	}
-	return startPos, endPos, nil
+	return Range{startPos, endPos}, nil
 }
 
 // PosInStringLiteral returns the position within a string literal
diff --git a/vendor/golang.org/x/tools/internal/astutil/util.go b/vendor/golang.org/x/tools/internal/astutil/util.go
index a1c0983504..6986a51875 100644
--- a/vendor/golang.org/x/tools/internal/astutil/util.go
+++ b/vendor/golang.org/x/tools/internal/astutil/util.go
@@ -5,6 +5,7 @@
 package astutil
 
 import (
+	"fmt"
 	"go/ast"
 	"go/printer"
 	"go/token"
@@ -50,28 +51,26 @@ func PreorderStack(root ast.Node, stack []ast.Node, f func(n ast.Node, stack []a
 }
 
 // NodeContains reports whether the Pos/End range of node n encloses
-// the given position pos.
+// the given range.
 //
 // It is inclusive of both end points, to allow hovering (etc) when
 // the cursor is immediately after a node.
 //
-// For unfortunate historical reasons, the Pos/End extent of an
-// ast.File runs from the start of its package declaration---excluding
-// copyright comments, build tags, and package documentation---to the
-// end of its last declaration, excluding any trailing comments. So,
-// as a special case, if n is an [ast.File], NodeContains uses
-// n.FileStart <= pos && pos <= n.FileEnd to report whether the
-// position lies anywhere within the file.
+// Like [NodeRange], it treats the range of an [ast.File] as the
+// file's complete extent.
 //
 // Precondition: n must not be nil.
-func NodeContains(n ast.Node, pos token.Pos) bool {
-	var start, end token.Pos
-	if file, ok := n.(*ast.File); ok {
-		start, end = file.FileStart, file.FileEnd // entire file
-	} else {
-		start, end = n.Pos(), n.End()
-	}
-	return start <= pos && pos <= end
+func NodeContains(n ast.Node, rng Range) bool {
+	return NodeRange(n).Contains(rng)
+}
+
+// NodeContainsPos reports whether the Pos/End range of node n encloses
+// the given pos.
+//
+// Like [NodeRange], it treats the range of an [ast.File] as the
+// file's complete extent.
+func NodeContainsPos(n ast.Node, pos token.Pos) bool {
+	return NodeRange(n).ContainsPos(pos)
 }
 
 // IsChildOf reports whether cur.ParentEdge is ek.
@@ -117,3 +116,118 @@ func Format(fset *token.FileSet, n ast.Node) string {
 	printer.Fprint(&buf, fset, n) // ignore errors
 	return buf.String()
 }
+
+// -- Range --
+
+// Range is a Pos interval.
+// It implements [analysis.Range] and [ast.Node].
+type Range struct{ Start, EndPos token.Pos }
+
+// RangeOf constructs a Range.
+//
+// RangeOf exists to pacify the "unkeyed literal" (composites) vet
+// check. It would be nice if there were a way for a type to add
+// itself to the allowlist.
+func RangeOf(start, end token.Pos) Range { return Range{start, end} }
+
+// NodeRange returns the extent of node n as a Range.
+//
+// For unfortunate historical reasons, the Pos/End extent of an
+// ast.File runs from the start of its package declaration---excluding
+// copyright comments, build tags, and package documentation---to the
+// end of its last declaration, excluding any trailing comments. So,
+// as a special case, if n is an [ast.File], NodeContains uses
+// n.FileStart <= pos && pos <= n.FileEnd to report whether the
+// position lies anywhere within the file.
+func NodeRange(n ast.Node) Range {
+	if file, ok := n.(*ast.File); ok {
+		return Range{file.FileStart, file.FileEnd} // entire file
+	}
+	return Range{n.Pos(), n.End()}
+}
+
+func (r Range) Pos() token.Pos { return r.Start }
+func (r Range) End() token.Pos { return r.EndPos }
+
+// ContainsPos reports whether the range (inclusive of both end points)
+// includes the specified position.
+func (r Range) ContainsPos(pos token.Pos) bool {
+	return r.Contains(RangeOf(pos, pos))
+}
+
+// Contains reports whether the range (inclusive of both end points)
+// includes the specified range.
+func (r Range) Contains(rng Range) bool {
+	return r.Start <= rng.Start && rng.EndPos <= r.EndPos
+}
+
+// IsValid reports whether the range is valid.
+func (r Range) IsValid() bool { return r.Start.IsValid() && r.Start <= r.EndPos }
+
+// --
+
+// Select returns the syntax nodes identified by a user's text
+// selection. It returns three nodes: the innermost node that wholly
+// encloses the selection; and the first and last nodes that are
+// wholly enclosed by the selection.
+//
+// For example, given this selection:
+//
+//	{ f(); g(); /* comment */ }
+//	  ~~~~~~~~~~~
+//
+// Select returns the enclosing BlockStmt, the f() CallExpr, and the g() CallExpr.
+//
+// Callers that require exactly one syntax tree (e.g. just f() or just
+// g()) should check that the returned start and end nodes are
+// identical.
+//
+// This function is intended to be called early in the handling of a
+// user's request, since it is tolerant of sloppy selection including
+// extraneous whitespace and comments. Use it in new code instead of
+// PathEnclosingInterval. When the exact extent of a node is known,
+// use [Cursor.FindByPos] instead.
+func Select(curFile inspector.Cursor, start, end token.Pos) (_enclosing, _start, _end inspector.Cursor, _ error) {
+	curEnclosing, ok := curFile.FindByPos(start, end)
+	if !ok {
+		return noCursor, noCursor, noCursor, fmt.Errorf("invalid selection")
+	}
+
+	// Find the first and last node wholly within the (start, end) range.
+	// We'll narrow the effective selection to them, to exclude whitespace.
+	// (This matches the functionality of PathEnclosingInterval.)
+	var curStart, curEnd inspector.Cursor
+	rng := RangeOf(start, end)
+	for cur := range curEnclosing.Preorder() {
+		if rng.Contains(NodeRange(cur.Node())) {
+			// The start node has the least Pos.
+			if !CursorValid(curStart) {
+				curStart = cur
+			}
+			// The end node has the greatest End.
+			// End positions do not change monotonically,
+			// so we must compute the max.
+			if !CursorValid(curEnd) ||
+				cur.Node().End() > curEnd.Node().End() {
+				curEnd = cur
+			}
+		}
+	}
+	if !CursorValid(curStart) {
+		return noCursor, noCursor, noCursor, fmt.Errorf("no syntax selected")
+	}
+	return curEnclosing, curStart, curEnd, nil
+}
+
+// CursorValid reports whether the cursor is valid.
+//
+// A valid cursor may yet be the virtual root node,
+// cur.Inspector.Root(), which has no [Cursor.Node].
+//
+// TODO(adonovan): move to cursorutil package, and move that package into x/tools.
+// Ultimately, make this a method of Cursor. Needs a proposal.
+func CursorValid(cur inspector.Cursor) bool {
+	return cur.Inspector() != nil
+}
+
+var noCursor inspector.Cursor
diff --git a/vendor/golang.org/x/tools/internal/cfginternal/cfginternal.go b/vendor/golang.org/x/tools/internal/cfginternal/cfginternal.go
new file mode 100644
index 0000000000..a9b6236f4d
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/cfginternal/cfginternal.go
@@ -0,0 +1,16 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package cfginternal exposes internals of go/cfg.
+// It cannot actually depend on symbols from go/cfg.
+package cfginternal
+
+// IsNoReturn exposes (*cfg.CFG).noReturn to the ctrlflow analyzer.
+// TODO(adonovan): add CFG.NoReturn to the public API.
+//
+// You must link [golang.org/x/tools/go/cfg] into your application for
+// this function to be non-nil.
+var IsNoReturn = func(cfg any) bool {
+	panic("golang.org/x/tools/go/cfg not linked into application")
+}
diff --git a/vendor/golang.org/x/tools/internal/event/core/export.go b/vendor/golang.org/x/tools/internal/event/core/export.go
index 05f3a9a579..16ae6bb021 100644
--- a/vendor/golang.org/x/tools/internal/event/core/export.go
+++ b/vendor/golang.org/x/tools/internal/event/core/export.go
@@ -8,7 +8,6 @@ import (
 	"context"
 	"sync/atomic"
 	"time"
-	"unsafe"
 
 	"golang.org/x/tools/internal/event/label"
 )
@@ -17,23 +16,21 @@ import (
 // It may return a modified context and event.
 type Exporter func(context.Context, Event, label.Map) context.Context
 
-var (
-	exporter unsafe.Pointer
-)
+var exporter atomic.Pointer[Exporter]
 
 // SetExporter sets the global exporter function that handles all events.
 // The exporter is called synchronously from the event call site, so it should
 // return quickly so as not to hold up user code.
 func SetExporter(e Exporter) {
-	p := unsafe.Pointer(&e)
 	if e == nil {
 		// &e is always valid, and so p is always valid, but for the early abort
 		// of ProcessEvent to be efficient it needs to make the nil check on the
 		// pointer without having to dereference it, so we make the nil function
 		// also a nil pointer
-		p = nil
+		exporter.Store(nil)
+	} else {
+		exporter.Store(&e)
 	}
-	atomic.StorePointer(&exporter, p)
 }
 
 // deliver is called to deliver an event to the supplied exporter.
@@ -48,7 +45,7 @@ func deliver(ctx context.Context, exporter Exporter, ev Event) context.Context {
 // Export is called to deliver an event to the global exporter if set.
 func Export(ctx context.Context, ev Event) context.Context {
 	// get the global exporter and abort early if there is not one
-	exporterPtr := (*Exporter)(atomic.LoadPointer(&exporter))
+	exporterPtr := exporter.Load()
 	if exporterPtr == nil {
 		return ctx
 	}
@@ -61,7 +58,7 @@ func Export(ctx context.Context, ev Event) context.Context {
 // It will fill in the time.
 func ExportPair(ctx context.Context, begin, end Event) (context.Context, func()) {
 	// get the global exporter and abort early if there is not one
-	exporterPtr := (*Exporter)(atomic.LoadPointer(&exporter))
+	exporterPtr := exporter.Load()
 	if exporterPtr == nil {
 		return ctx, func() {}
 	}
diff --git a/vendor/golang.org/x/tools/internal/event/label/label.go b/vendor/golang.org/x/tools/internal/event/label/label.go
index 92a3910573..c37584af94 100644
--- a/vendor/golang.org/x/tools/internal/event/label/label.go
+++ b/vendor/golang.org/x/tools/internal/event/label/label.go
@@ -7,7 +7,6 @@ package label
 import (
 	"fmt"
 	"io"
-	"reflect"
 	"slices"
 	"unsafe"
 )
@@ -103,11 +102,10 @@ type stringptr unsafe.Pointer
 // This method is for implementing new key types, label creation should
 // normally be done with the Of method of the key.
 func OfString(k Key, v string) Label {
-	hdr := (*reflect.StringHeader)(unsafe.Pointer(&v))
 	return Label{
 		key:     k,
-		packed:  uint64(hdr.Len),
-		untyped: stringptr(hdr.Data),
+		packed:  uint64(len(v)),
+		untyped: stringptr(unsafe.StringData(v)),
 	}
 }
 
@@ -116,11 +114,7 @@ func OfString(k Key, v string) Label {
 // This method is for implementing new key types, for type safety normal
 // access should be done with the From method of the key.
 func (t Label) UnpackString() string {
-	var v string
-	hdr := (*reflect.StringHeader)(unsafe.Pointer(&v))
-	hdr.Data = uintptr(t.untyped.(stringptr))
-	hdr.Len = int(t.packed)
-	return v
+	return unsafe.String((*byte)(t.untyped.(stringptr)), int(t.packed))
 }
 
 // Valid returns true if the Label is a valid one (it has a key).
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/bimport.go b/vendor/golang.org/x/tools/internal/gcimporter/bimport.go
index 734c46198d..555ef626c0 100644
--- a/vendor/golang.org/x/tools/internal/gcimporter/bimport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/bimport.go
@@ -34,7 +34,7 @@ type fileInfo struct {
 const maxlines = 64 * 1024
 
 func (s *fakeFileSet) pos(file string, line, column int) token.Pos {
-	// TODO(mdempsky): Make use of column.
+	_ = column // TODO(mdempsky): Make use of column.
 
 	// Since we don't know the set of needed file positions, we reserve maxlines
 	// positions per file. We delay calling token.File.SetLines until all
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
index 4a4357d2bd..2bef2b058b 100644
--- a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
@@ -829,8 +829,7 @@ func (p *iexporter) doDecl(obj types.Object) {
 			// their name must be qualified before exporting recv.
 			if rparams := sig.RecvTypeParams(); rparams.Len() > 0 {
 				prefix := obj.Name() + "." + m.Name()
-				for i := 0; i < rparams.Len(); i++ {
-					rparam := rparams.At(i)
+				for rparam := range rparams.TypeParams() {
 					name := tparamExportName(prefix, rparam)
 					w.p.tparamNames[rparam.Obj()] = name
 				}
@@ -944,6 +943,13 @@ func (w *exportWriter) posV0(pos token.Pos) {
 }
 
 func (w *exportWriter) pkg(pkg *types.Package) {
+	if pkg == nil {
+		// [exportWriter.typ] accepts a nil pkg only for types
+		// of constants, which cannot contain named objects
+		// such as fields or methods and thus should never
+		// reach this method (#76222).
+		panic("nil package")
+	}
 	// Ensure any referenced packages are declared in the main index.
 	w.p.allPkgs[pkg] = true
 
@@ -959,9 +965,11 @@ func (w *exportWriter) qualifiedType(obj *types.TypeName) {
 	w.pkg(obj.Pkg())
 }
 
-// TODO(rfindley): what does 'pkg' even mean here? It would be better to pass
-// it in explicitly into signatures and structs that may use it for
-// constructing fields.
+// typ emits the specified type.
+//
+// Objects within the type (struct fields and interface methods) are
+// qualified by pkg. It may be nil if the type cannot contain objects,
+// such as the type of a constant.
 func (w *exportWriter) typ(t types.Type, pkg *types.Package) {
 	w.data.uint64(w.p.typOff(t, pkg))
 }
@@ -991,6 +999,7 @@ func (w *exportWriter) startType(k itag) {
 	w.data.uint64(uint64(k))
 }
 
+// doTyp is the implementation of [exportWriter.typ].
 func (w *exportWriter) doTyp(t types.Type, pkg *types.Package) {
 	if trace {
 		w.p.trace("exporting type %s (%T)", t, t)
@@ -1064,7 +1073,7 @@ func (w *exportWriter) doTyp(t types.Type, pkg *types.Package) {
 
 	case *types.Signature:
 		w.startType(signatureType)
-		w.pkg(pkg)
+		w.pkg(pkg) // qualifies param/result vars
 		w.signature(t)
 
 	case *types.Struct:
@@ -1110,19 +1119,19 @@ func (w *exportWriter) doTyp(t types.Type, pkg *types.Package) {
 
 	case *types.Interface:
 		w.startType(interfaceType)
-		w.pkg(pkg)
+		w.pkg(pkg) // qualifies unexported method funcs
 
 		n := t.NumEmbeddeds()
 		w.uint64(uint64(n))
 		for i := 0; i < n; i++ {
 			ft := t.EmbeddedType(i)
-			tPkg := pkg
 			if named, _ := types.Unalias(ft).(*types.Named); named != nil {
 				w.pos(named.Obj().Pos())
 			} else {
+				// e.g. ~int
 				w.pos(token.NoPos)
 			}
-			w.typ(ft, tPkg)
+			w.typ(ft, pkg)
 		}
 
 		// See comment for struct fields. In shallow mode we change the encoding
@@ -1223,20 +1232,19 @@ func (w *exportWriter) signature(sig *types.Signature) {
 
 func (w *exportWriter) typeList(ts *types.TypeList, pkg *types.Package) {
 	w.uint64(uint64(ts.Len()))
-	for i := 0; i < ts.Len(); i++ {
-		w.typ(ts.At(i), pkg)
+	for t := range ts.Types() {
+		w.typ(t, pkg)
 	}
 }
 
 func (w *exportWriter) tparamList(prefix string, list *types.TypeParamList, pkg *types.Package) {
 	ll := uint64(list.Len())
 	w.uint64(ll)
-	for i := 0; i < list.Len(); i++ {
-		tparam := list.At(i)
+	for tparam := range list.TypeParams() {
 		// Set the type parameter exportName before exporting its type.
 		exportName := tparamExportName(prefix, tparam)
 		w.p.tparamNames[tparam.Obj()] = exportName
-		w.typ(list.At(i), pkg)
+		w.typ(tparam, pkg)
 	}
 }
 
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iimport.go b/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
index 82e6c9d2dc..4d6d50094a 100644
--- a/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
@@ -432,10 +432,10 @@ func (p *iimporter) doDecl(pkg *types.Package, name string) {
 		errorf("%v.%v not in index", pkg, name)
 	}
 
-	r := &importReader{p: p, currPkg: pkg}
+	r := &importReader{p: p}
 	r.declReader.Reset(p.declData[off:])
 
-	r.obj(name)
+	r.obj(pkg, name)
 }
 
 func (p *iimporter) stringAt(off uint64) string {
@@ -551,7 +551,6 @@ func canReuse(def *types.Named, rhs types.Type) bool {
 type importReader struct {
 	p          *iimporter
 	declReader bytes.Reader
-	currPkg    *types.Package
 	prevFile   string
 	prevLine   int64
 	prevColumn int64
@@ -565,7 +564,8 @@ type importReader struct {
 // for 1.24, but the fix was not worth back-porting).
 var markBlack = func(name *types.TypeName) {}
 
-func (r *importReader) obj(name string) {
+// obj decodes and declares the package-level object denoted by (pkg, name).
+func (r *importReader) obj(pkg *types.Package, name string) {
 	tag := r.byte()
 	pos := r.pos()
 
@@ -576,27 +576,27 @@ func (r *importReader) obj(name string) {
 			tparams = r.tparamList()
 		}
 		typ := r.typ()
-		obj := aliases.NewAlias(r.p.aliases, pos, r.currPkg, name, typ, tparams)
+		obj := aliases.NewAlias(r.p.aliases, pos, pkg, name, typ, tparams)
 		markBlack(obj) // workaround for golang/go#69912
 		r.declare(obj)
 
 	case constTag:
 		typ, val := r.value()
 
-		r.declare(types.NewConst(pos, r.currPkg, name, typ, val))
+		r.declare(types.NewConst(pos, pkg, name, typ, val))
 
 	case funcTag, genericFuncTag:
 		var tparams []*types.TypeParam
 		if tag == genericFuncTag {
 			tparams = r.tparamList()
 		}
-		sig := r.signature(nil, nil, tparams)
-		r.declare(types.NewFunc(pos, r.currPkg, name, sig))
+		sig := r.signature(pkg, nil, nil, tparams)
+		r.declare(types.NewFunc(pos, pkg, name, sig))
 
 	case typeTag, genericTypeTag:
 		// Types can be recursive. We need to setup a stub
 		// declaration before recursing.
-		obj := types.NewTypeName(pos, r.currPkg, name, nil)
+		obj := types.NewTypeName(pos, pkg, name, nil)
 		named := types.NewNamed(obj, nil, nil)
 
 		markBlack(obj) // workaround for golang/go#69912
@@ -616,7 +616,7 @@ func (r *importReader) obj(name string) {
 			for n := r.uint64(); n > 0; n-- {
 				mpos := r.pos()
 				mname := r.ident()
-				recv := r.param()
+				recv := r.param(pkg)
 
 				// If the receiver has any targs, set those as the
 				// rparams of the method (since those are the
@@ -630,9 +630,9 @@ func (r *importReader) obj(name string) {
 						rparams[i] = types.Unalias(targs.At(i)).(*types.TypeParam)
 					}
 				}
-				msig := r.signature(recv, rparams, nil)
+				msig := r.signature(pkg, recv, rparams, nil)
 
-				named.AddMethod(types.NewFunc(mpos, r.currPkg, mname, msig))
+				named.AddMethod(types.NewFunc(mpos, pkg, mname, msig))
 			}
 		}
 
@@ -644,12 +644,12 @@ func (r *importReader) obj(name string) {
 			errorf("unexpected type param type")
 		}
 		name0 := tparamName(name)
-		tn := types.NewTypeName(pos, r.currPkg, name0, nil)
+		tn := types.NewTypeName(pos, pkg, name0, nil)
 		t := types.NewTypeParam(tn, nil)
 
 		// To handle recursive references to the typeparam within its
 		// bound, save the partial type in tparamIndex before reading the bounds.
-		id := ident{r.currPkg, name}
+		id := ident{pkg, name}
 		r.p.tparamIndex[id] = t
 		var implicit bool
 		if r.p.version >= iexportVersionGo1_18 {
@@ -672,7 +672,7 @@ func (r *importReader) obj(name string) {
 	case varTag:
 		typ := r.typ()
 
-		v := types.NewVar(pos, r.currPkg, name, typ)
+		v := types.NewVar(pos, pkg, name, typ)
 		typesinternal.SetVarKind(v, typesinternal.PackageVar)
 		r.declare(v)
 
@@ -905,11 +905,11 @@ func (r *importReader) doType(base *types.Named) (res types.Type) {
 	case mapType:
 		return types.NewMap(r.typ(), r.typ())
 	case signatureType:
-		r.currPkg = r.pkg()
-		return r.signature(nil, nil, nil)
+		paramPkg := r.pkg()
+		return r.signature(paramPkg, nil, nil, nil)
 
 	case structType:
-		r.currPkg = r.pkg()
+		fieldPkg := r.pkg()
 
 		fields := make([]*types.Var, r.uint64())
 		tags := make([]string, len(fields))
@@ -932,7 +932,7 @@ func (r *importReader) doType(base *types.Named) (res types.Type) {
 			// discussed in iexport.go, this is not correct, but mostly works and is
 			// preferable to failing (for now at least).
 			if field == nil {
-				field = types.NewField(fpos, r.currPkg, fname, ftyp, emb)
+				field = types.NewField(fpos, fieldPkg, fname, ftyp, emb)
 			}
 
 			fields[i] = field
@@ -941,7 +941,7 @@ func (r *importReader) doType(base *types.Named) (res types.Type) {
 		return types.NewStruct(fields, tags)
 
 	case interfaceType:
-		r.currPkg = r.pkg()
+		methodPkg := r.pkg() // qualifies methods and their param/result vars
 
 		embeddeds := make([]types.Type, r.uint64())
 		for i := range embeddeds {
@@ -963,12 +963,12 @@ func (r *importReader) doType(base *types.Named) (res types.Type) {
 			// don't agree with this.
 			var recv *types.Var
 			if base != nil {
-				recv = types.NewVar(token.NoPos, r.currPkg, "", base)
+				recv = types.NewVar(token.NoPos, methodPkg, "", base)
 			}
-			msig := r.signature(recv, nil, nil)
+			msig := r.signature(methodPkg, recv, nil, nil)
 
 			if method == nil {
-				method = types.NewFunc(mpos, r.currPkg, mname, msig)
+				method = types.NewFunc(mpos, methodPkg, mname, msig)
 			}
 			methods[i] = method
 		}
@@ -1049,9 +1049,9 @@ func (r *importReader) objectPathObject() types.Object {
 	return obj
 }
 
-func (r *importReader) signature(recv *types.Var, rparams []*types.TypeParam, tparams []*types.TypeParam) *types.Signature {
-	params := r.paramList()
-	results := r.paramList()
+func (r *importReader) signature(paramPkg *types.Package, recv *types.Var, rparams []*types.TypeParam, tparams []*types.TypeParam) *types.Signature {
+	params := r.paramList(paramPkg)
+	results := r.paramList(paramPkg)
 	variadic := params.Len() > 0 && r.bool()
 	return types.NewSignatureType(recv, rparams, tparams, params, results, variadic)
 }
@@ -1070,19 +1070,19 @@ func (r *importReader) tparamList() []*types.TypeParam {
 	return xs
 }
 
-func (r *importReader) paramList() *types.Tuple {
+func (r *importReader) paramList(pkg *types.Package) *types.Tuple {
 	xs := make([]*types.Var, r.uint64())
 	for i := range xs {
-		xs[i] = r.param()
+		xs[i] = r.param(pkg)
 	}
 	return types.NewTuple(xs...)
 }
 
-func (r *importReader) param() *types.Var {
+func (r *importReader) param(pkg *types.Package) *types.Var {
 	pos := r.pos()
 	name := r.ident()
 	typ := r.typ()
-	return types.NewParam(pos, r.currPkg, name, typ)
+	return types.NewParam(pos, pkg, name, typ)
 }
 
 func (r *importReader) bool() bool {
diff --git a/vendor/golang.org/x/tools/internal/imports/sortimports.go b/vendor/golang.org/x/tools/internal/imports/sortimports.go
index 67c17bc431..f390be90f1 100644
--- a/vendor/golang.org/x/tools/internal/imports/sortimports.go
+++ b/vendor/golang.org/x/tools/internal/imports/sortimports.go
@@ -11,6 +11,7 @@ import (
 	"go/ast"
 	"go/token"
 	"log"
+	"reflect"
 	"slices"
 	"sort"
 	"strconv"
@@ -65,7 +66,7 @@ func sortImports(localPrefix string, tokFile *token.File, f *ast.File) {
 }
 
 // mergeImports merges all the import declarations into the first one.
-// Taken from golang.org/x/tools/ast/astutil.
+// Taken from golang.org/x/tools/go/ast/astutil.
 // This does not adjust line numbers properly
 func mergeImports(f *ast.File) {
 	if len(f.Decls) <= 1 {
@@ -89,7 +90,7 @@ func mergeImports(f *ast.File) {
 		first.Lparen = first.Pos()
 		// Move the imports of the other import declaration to the first one.
 		for _, spec := range gen.Specs {
-			spec.(*ast.ImportSpec).Path.ValuePos = first.Pos()
+			updateBasicLitPos(spec.(*ast.ImportSpec).Path, first.Pos())
 			first.Specs = append(first.Specs, spec)
 		}
 		f.Decls = slices.Delete(f.Decls, i, i+1)
@@ -98,7 +99,7 @@ func mergeImports(f *ast.File) {
 }
 
 // declImports reports whether gen contains an import of path.
-// Taken from golang.org/x/tools/ast/astutil.
+// Taken from golang.org/x/tools/go/ast/astutil.
 func declImports(gen *ast.GenDecl, path string) bool {
 	if gen.Tok != token.IMPORT {
 		return false
@@ -221,7 +222,7 @@ func sortSpecs(localPrefix string, tokFile *token.File, f *ast.File, specs []ast
 		if s.Name != nil {
 			s.Name.NamePos = pos[i].Start
 		}
-		s.Path.ValuePos = pos[i].Start
+		updateBasicLitPos(s.Path, pos[i].Start)
 		s.EndPos = pos[i].End
 		nextSpecPos := pos[i].End
 
@@ -296,3 +297,17 @@ type byCommentPos []*ast.CommentGroup
 func (x byCommentPos) Len() int           { return len(x) }
 func (x byCommentPos) Swap(i, j int)      { x[i], x[j] = x[j], x[i] }
 func (x byCommentPos) Less(i, j int) bool { return x[i].Pos() < x[j].Pos() }
+
+// updateBasicLitPos updates lit.Pos,
+// ensuring that lit.End (if set) is displaced by the same amount.
+// (See https://go.dev/issue/76395.)
+func updateBasicLitPos(lit *ast.BasicLit, pos token.Pos) {
+	len := lit.End() - lit.Pos()
+	lit.ValuePos = pos
+	// TODO(adonovan): after go1.26, simplify to:
+	//   lit.ValueEnd = pos + len
+	v := reflect.ValueOf(lit).Elem().FieldByName("ValueEnd")
+	if v.IsValid() && v.Int() != 0 {
+		v.SetInt(int64(pos + len))
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/modindex/lookup.go b/vendor/golang.org/x/tools/internal/modindex/lookup.go
index 0c011a99b3..83bd49cd4b 100644
--- a/vendor/golang.org/x/tools/internal/modindex/lookup.go
+++ b/vendor/golang.org/x/tools/internal/modindex/lookup.go
@@ -8,6 +8,8 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+
+	"golang.org/x/mod/module"
 )
 
 type Candidate struct {
@@ -104,11 +106,15 @@ func (ix *Index) Lookup(pkgName, name string, prefix bool) []Candidate {
 			if len(flds) < 2 {
 				continue // should never happen
 			}
+			impPath, err := module.UnescapePath(e.ImportPath)
+			if err != nil {
+				continue
+			}
 			px := Candidate{
 				PkgName:    pkgName,
 				Name:       flds[0],
 				Dir:        string(e.Dir),
-				ImportPath: e.ImportPath,
+				ImportPath: impPath,
 				Type:       asLexType(flds[1][0]),
 				Deprecated: len(flds[1]) > 1 && flds[1][1] == 'D',
 			}
diff --git a/vendor/golang.org/x/tools/internal/moreiters/iters.go b/vendor/golang.org/x/tools/internal/moreiters/iters.go
index 69c76ccb9b..9e4aaf9485 100644
--- a/vendor/golang.org/x/tools/internal/moreiters/iters.go
+++ b/vendor/golang.org/x/tools/internal/moreiters/iters.go
@@ -45,3 +45,11 @@ func Any[T any](seq iter.Seq[T], pred func(T) bool) bool {
 	}
 	return false
 }
+
+// Len returns the number of elements in the sequence (by iterating).
+func Len[T any](seq iter.Seq[T]) (n int) {
+	for range seq {
+		n++
+	}
+	return
+}
diff --git a/vendor/golang.org/x/tools/internal/packagepath/packagepath.go b/vendor/golang.org/x/tools/internal/packagepath/packagepath.go
new file mode 100644
index 0000000000..fa39a13f9e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/packagepath/packagepath.go
@@ -0,0 +1,49 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package packagepath provides metadata operations on package path
+// strings.
+package packagepath
+
+// (This package should not depend on go/ast.)
+import "strings"
+
+// CanImport reports whether one package is allowed to import another.
+//
+// TODO(adonovan): allow customization of the accessibility relation
+// (e.g. for Bazel).
+func CanImport(from, to string) bool {
+	// TODO(adonovan): better segment hygiene.
+	if to == "internal" || strings.HasPrefix(to, "internal/") {
+		// Special case: only std packages may import internal/...
+		// We can't reliably know whether we're in std, so we
+		// use a heuristic on the first segment.
+		first, _, _ := strings.Cut(from, "/")
+		if strings.Contains(first, ".") {
+			return false // example.com/foo ∉ std
+		}
+		if first == "testdata" {
+			return false // testdata/foo ∉ std
+		}
+	}
+	if strings.HasSuffix(to, "/internal") {
+		return strings.HasPrefix(from, to[:len(to)-len("/internal")])
+	}
+	if i := strings.LastIndex(to, "/internal/"); i >= 0 {
+		return strings.HasPrefix(from, to[:i])
+	}
+	return true
+}
+
+// IsStdPackage reports whether the specified package path belongs to a
+// package in the standard library (including internal dependencies).
+func IsStdPackage(path string) bool {
+	// A standard package has no dot in its first segment.
+	// (It may yet have a dot, e.g. "vendor/golang.org/x/foo".)
+	slash := strings.IndexByte(path, '/')
+	if slash < 0 {
+		slash = len(path)
+	}
+	return !strings.Contains(path[:slash], ".") && path != "testdata"
+}
diff --git a/vendor/golang.org/x/tools/internal/refactor/delete.go b/vendor/golang.org/x/tools/internal/refactor/delete.go
index aa8ba5af4c..54d0b5f038 100644
--- a/vendor/golang.org/x/tools/internal/refactor/delete.go
+++ b/vendor/golang.org/x/tools/internal/refactor/delete.go
@@ -13,15 +13,15 @@ import (
 	"go/types"
 	"slices"
 
-	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/ast/edge"
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/internal/astutil"
 	"golang.org/x/tools/internal/typesinternal"
+	"golang.org/x/tools/internal/typesinternal/typeindex"
 )
 
-// DeleteVar returns edits to delete the declaration of a variable
-// whose defining identifier is curId.
+// DeleteVar returns edits to delete the declaration of a variable or
+// constant whose defining identifier is curId.
 //
 // It handles variants including:
 // - GenDecl > ValueSpec versus AssignStmt;
@@ -31,7 +31,7 @@ import (
 //
 // If it cannot make the necessary edits, such as for a function
 // parameter or result, it returns nil.
-func DeleteVar(tokFile *token.File, info *types.Info, curId inspector.Cursor) []analysis.TextEdit {
+func DeleteVar(tokFile *token.File, info *types.Info, curId inspector.Cursor) []Edit {
 	switch ek, _ := curId.ParentEdge(); ek {
 	case edge.ValueSpec_Names:
 		return deleteVarFromValueSpec(tokFile, info, curId)
@@ -45,10 +45,13 @@ func DeleteVar(tokFile *token.File, info *types.Info, curId inspector.Cursor) []
 	return nil
 }
 
+// deleteVarFromValueSpec returns edits to delete the declaration of a
+// variable or constant within a ValueSpec.
+//
 // Precondition: curId is Ident beneath ValueSpec.Names beneath GenDecl.
 //
 // See also [deleteVarFromAssignStmt], which has parallel structure.
-func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent inspector.Cursor) []analysis.TextEdit {
+func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent inspector.Cursor) []Edit {
 	var (
 		id      = curIdent.Node().(*ast.Ident)
 		curSpec = curIdent.Parent()
@@ -91,13 +94,13 @@ func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent insp
 			pos = spec.Names[index].Pos()
 			end = spec.Names[index+1].Pos()
 		}
-		return []analysis.TextEdit{{
+		return []Edit{{
 			Pos: pos,
 			End: end,
 		}}
 	}
 
-	// If the assignment is 1:1 and the RHS has no effects,
+	// If the assignment is n:n and the RHS has no effects,
 	// we can delete the LHS and its corresponding RHS.
 	if len(spec.Names) == len(spec.Values) &&
 		typesinternal.NoEffects(info, spec.Values[index]) {
@@ -107,7 +110,7 @@ func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent insp
 			//
 			// var _, lhs1 = rhs0, rhs1
 			//      ------       ------
-			return []analysis.TextEdit{
+			return []Edit{
 				{
 					Pos: spec.Names[index-1].End(),
 					End: spec.Names[index].End(),
@@ -122,7 +125,7 @@ func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent insp
 			//
 			// var lhs0, _ = rhs0, rhs1
 			//     ------    ------
-			return []analysis.TextEdit{
+			return []Edit{
 				{
 					Pos: spec.Names[index].Pos(),
 					End: spec.Names[index+1].Pos(),
@@ -137,7 +140,7 @@ func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent insp
 
 	// We cannot delete the RHS.
 	// Blank out the LHS.
-	return []analysis.TextEdit{{
+	return []Edit{{
 		Pos:     id.Pos(),
 		End:     id.End(),
 		NewText: []byte("_"),
@@ -147,7 +150,7 @@ func deleteVarFromValueSpec(tokFile *token.File, info *types.Info, curIdent insp
 // Precondition: curId is Ident beneath AssignStmt.Lhs.
 //
 // See also [deleteVarFromValueSpec], which has parallel structure.
-func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent inspector.Cursor) []analysis.TextEdit {
+func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent inspector.Cursor) []Edit {
 	var (
 		id      = curIdent.Node().(*ast.Ident)
 		curStmt = curIdent.Parent()
@@ -188,7 +191,7 @@ func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent ins
 			//
 			// _, lhs1 := rhs0, rhs1
 			//  ------        ------
-			return []analysis.TextEdit{
+			return []Edit{
 				{
 					Pos: assign.Lhs[index-1].End(),
 					End: assign.Lhs[index].End(),
@@ -203,7 +206,7 @@ func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent ins
 			//
 			// lhs0, _ := rhs0, rhs1
 			// ------     ------
-			return []analysis.TextEdit{
+			return []Edit{
 				{
 					Pos: assign.Lhs[index].Pos(),
 					End: assign.Lhs[index+1].Pos(),
@@ -218,7 +221,7 @@ func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent ins
 
 	// We cannot delete the RHS.
 	// Blank out the LHS.
-	edits := []analysis.TextEdit{{
+	edits := []Edit{{
 		Pos:     id.Pos(),
 		End:     id.End(),
 		NewText: []byte("_"),
@@ -229,7 +232,7 @@ func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent ins
 	// assignment to avoid a "no new variables on left
 	// side of :=" error.
 	if !declaresOtherNames {
-		edits = append(edits, analysis.TextEdit{
+		edits = append(edits, Edit{
 			Pos:     assign.TokPos,
 			End:     assign.TokPos + token.Pos(len(":=")),
 			NewText: []byte("="),
@@ -239,12 +242,12 @@ func deleteVarFromAssignStmt(tokFile *token.File, info *types.Info, curIdent ins
 	return edits
 }
 
-// DeleteSpec returns edits to delete the ValueSpec identified by curSpec.
+// DeleteSpec returns edits to delete the {Type,Value}Spec identified by curSpec.
 //
 // TODO(adonovan): add test suite. Test for consts as well.
-func DeleteSpec(tokFile *token.File, curSpec inspector.Cursor) []analysis.TextEdit {
+func DeleteSpec(tokFile *token.File, curSpec inspector.Cursor) []Edit {
 	var (
-		spec    = curSpec.Node().(*ast.ValueSpec)
+		spec    = curSpec.Node().(ast.Spec)
 		curDecl = curSpec.Parent()
 		decl    = curDecl.Node().(*ast.GenDecl)
 	)
@@ -258,14 +261,14 @@ func DeleteSpec(tokFile *token.File, curSpec inspector.Cursor) []analysis.TextEd
 	// Delete the spec and its comments.
 	_, index := curSpec.ParentEdge() // index of ValueSpec within GenDecl.Specs
 	pos, end := spec.Pos(), spec.End()
-	if spec.Doc != nil {
-		pos = spec.Doc.Pos() // leading comment
+	if doc := astutil.DocComment(spec); doc != nil {
+		pos = doc.Pos() // leading comment
 	}
 	if index == len(decl.Specs)-1 {
 		// Delete final spec.
-		if spec.Comment != nil {
+		if c := eolComment(spec); c != nil {
 			//  var (v int // comment \n)
-			end = spec.Comment.End()
+			end = c.End()
 		}
 	} else {
 		// Delete non-final spec.
@@ -273,7 +276,7 @@ func DeleteSpec(tokFile *token.File, curSpec inspector.Cursor) []analysis.TextEd
 		//         -----
 		end = decl.Specs[index+1].Pos()
 	}
-	return []analysis.TextEdit{{
+	return []Edit{{
 		Pos: pos,
 		End: end,
 	}}
@@ -282,7 +285,7 @@ func DeleteSpec(tokFile *token.File, curSpec inspector.Cursor) []analysis.TextEd
 // DeleteDecl returns edits to delete the ast.Decl identified by curDecl.
 //
 // TODO(adonovan): add test suite.
-func DeleteDecl(tokFile *token.File, curDecl inspector.Cursor) []analysis.TextEdit {
+func DeleteDecl(tokFile *token.File, curDecl inspector.Cursor) []Edit {
 	decl := curDecl.Node().(ast.Decl)
 
 	ek, _ := curDecl.ParentEdge()
@@ -317,7 +320,7 @@ func DeleteDecl(tokFile *token.File, curDecl inspector.Cursor) []analysis.TextEd
 			}
 		}
 
-		return []analysis.TextEdit{{
+		return []Edit{{
 			Pos: pos,
 			End: end,
 		}}
@@ -327,107 +330,237 @@ func DeleteDecl(tokFile *token.File, curDecl inspector.Cursor) []analysis.TextEd
 	}
 }
 
+// find leftmost Pos bigger than start and rightmost less than end
+func filterPos(nds []*ast.Comment, start, end token.Pos) (token.Pos, token.Pos, bool) {
+	l, r := end, token.NoPos
+	ok := false
+	for _, n := range nds {
+		if n.Pos() > start && n.Pos() < l {
+			l = n.Pos()
+			ok = true
+		}
+		if n.End() <= end && n.End() > r {
+			r = n.End()
+			ok = true
+		}
+	}
+	return l, r, ok
+}
+
 // DeleteStmt returns the edits to remove the [ast.Stmt] identified by
-// curStmt, if it is contained within a BlockStmt, CaseClause,
-// CommClause, or is the STMT in switch STMT; ... {...}. It returns nil otherwise.
-func DeleteStmt(tokFile *token.File, curStmt inspector.Cursor) []analysis.TextEdit {
-	stmt := curStmt.Node().(ast.Stmt)
-	// if the stmt is on a line by itself delete the whole line
-	// otherwise just delete the statement.
-
-	// this logic would be a lot simpler with the file contents, and somewhat simpler
-	// if the cursors included the comments.
-
-	lineOf := tokFile.Line
-	stmtStartLine, stmtEndLine := lineOf(stmt.Pos()), lineOf(stmt.End())
-
-	var from, to token.Pos
-	// bounds of adjacent syntax/comments on same line, if any
-	limits := func(left, right token.Pos) {
+// curStmt if it recognizes the context. It returns nil otherwise.
+// TODO(pjw, adonovan): it should not return nil, it should return an error
+//
+// DeleteStmt is called with just the AST so it has trouble deciding if
+// a comment is associated with the statement to be deleted. For instance,
+//
+//	for /*A*/ init()/*B*/;/*C/cond()/*D/;/*E*/post() /*F*/ { /*G*/}
+//
+// comment B and C are indistinguishable, as are D and E. That is, as the
+// AST does not say where the semicolons are, B and C could go either
+// with the init() or the cond(), so cannot be removed safely. The same
+// is true for D, E, and the post(). (And there are other similar cases.)
+// But the other comments can be removed as they are unambiguously
+// associated with the statement being deleted. In particular,
+// it removes whole lines like
+//
+//	stmt // comment
+func DeleteStmt(file *token.File, curStmt inspector.Cursor) []Edit {
+	// if the stmt is on a line by itself, or a range of lines, delete the whole thing
+	// including comments. Except for the heads of switches, type
+	// switches, and for-statements that's the usual case. Complexity occurs where
+	// there are multiple statements on the same line, and adjacent comments.
+
+	// In that case we remove some adjacent comments:
+	// In me()/*A*/;b(), comment A cannot be removed, because the ast
+	// is indistinguishable from me();/*A*/b()
+	// and the same for cases like switch me()/*A*/; x.(type) {
+
+	// this would be more precise with the file contents, or if the ast
+	// contained the location of semicolons
+	var (
+		stmt          = curStmt.Node().(ast.Stmt)
+		tokFile       = file
+		lineOf        = tokFile.Line
+		stmtStartLine = lineOf(stmt.Pos())
+		stmtEndLine   = lineOf(stmt.End())
+
+		leftSyntax, rightSyntax     token.Pos      // pieces of parent node on stmt{Start,End}Line
+		leftComments, rightComments []*ast.Comment // comments before/after stmt on the same line
+	)
+
+	// remember the Pos that are on the same line as stmt
+	use := func(left, right token.Pos) {
 		if lineOf(left) == stmtStartLine {
-			from = left
+			leftSyntax = left
 		}
 		if lineOf(right) == stmtEndLine {
-			to = right
+			rightSyntax = right
 		}
 	}
-	// TODO(pjw): there are other places a statement might be removed:
-	// IfStmt = "if" [ SimpleStmt ";" ] Expression Block [ "else" ( IfStmt | Block ) ] .
-	// (removing the blocks requires more rewriting than this routine would do)
-	// CommCase   = "case" ( SendStmt | RecvStmt ) | "default" .
-	// (removing the stmt requires more rewriting, and it's unclear what the user means)
-	switch parent := curStmt.Parent().Node().(type) {
-	case *ast.SwitchStmt:
-		limits(parent.Switch, parent.Body.Lbrace)
-	case *ast.TypeSwitchStmt:
-		limits(parent.Switch, parent.Body.Lbrace)
-		if parent.Assign == stmt {
-			return nil // don't let the user break the type switch
+
+	// find the comments, if any, on the same line
+Big:
+	for _, cg := range astutil.EnclosingFile(curStmt).Comments {
+		for _, co := range cg.List {
+			if lineOf(co.End()) < stmtStartLine {
+				continue
+			} else if lineOf(co.Pos()) > stmtEndLine {
+				break Big // no more are possible
+			}
+			if lineOf(co.End()) == stmtStartLine && co.End() <= stmt.Pos() {
+				// comment is before the statement
+				leftComments = append(leftComments, co)
+			} else if lineOf(co.Pos()) == stmtEndLine && co.Pos() >= stmt.End() {
+				// comment is after the statement
+				rightComments = append(rightComments, co)
+			}
 		}
+	}
+
+	// find any other syntax on the same line
+	var (
+		leftStmt, rightStmt token.Pos // end/start positions of sibling statements in a []Stmt list
+		inStmtList          = false
+		curParent           = curStmt.Parent()
+	)
+	switch parent := curParent.Node().(type) {
 	case *ast.BlockStmt:
-		limits(parent.Lbrace, parent.Rbrace)
+		use(parent.Lbrace, parent.Rbrace)
+		inStmtList = true
+	case *ast.CaseClause:
+		use(parent.Colon, curStmt.Parent().Parent().Node().(*ast.BlockStmt).Rbrace)
+		inStmtList = true
 	case *ast.CommClause:
-		limits(parent.Colon, curStmt.Parent().Parent().Node().(*ast.BlockStmt).Rbrace)
 		if parent.Comm == stmt {
 			return nil // maybe the user meant to remove the entire CommClause?
 		}
-	case *ast.CaseClause:
-		limits(parent.Colon, curStmt.Parent().Parent().Node().(*ast.BlockStmt).Rbrace)
+		use(parent.Colon, curStmt.Parent().Parent().Node().(*ast.BlockStmt).Rbrace)
+		inStmtList = true
 	case *ast.ForStmt:
-		limits(parent.For, parent.Body.Lbrace)
-
+		use(parent.For, parent.Body.Lbrace)
+		// special handling, as init;cond;post BlockStmt is not a statment list
+		if parent.Init != nil && parent.Cond != nil && stmt == parent.Init && lineOf(parent.Cond.Pos()) == lineOf(stmt.End()) {
+			rightStmt = parent.Cond.Pos()
+		} else if parent.Post != nil && parent.Cond != nil && stmt == parent.Post && lineOf(parent.Cond.End()) == lineOf(stmt.Pos()) {
+			leftStmt = parent.Cond.End()
+		}
+	case *ast.IfStmt:
+		switch stmt {
+		case parent.Init:
+			use(parent.If, parent.Body.Lbrace)
+		case parent.Else:
+			// stmt is the {...} in "if cond {} else {...}" and removing
+			// it would require removing the 'else' keyword, but the ast
+			// does not contain its position.
+			return nil
+		}
+	case *ast.SwitchStmt:
+		use(parent.Switch, parent.Body.Lbrace)
+	case *ast.TypeSwitchStmt:
+		if stmt == parent.Assign {
+			return nil // don't remove .(type)
+		}
+		use(parent.Switch, parent.Body.Lbrace)
 	default:
 		return nil // not one of ours
 	}
 
-	if prev, found := curStmt.PrevSibling(); found && lineOf(prev.Node().End()) == stmtStartLine {
-		from = prev.Node().End() // preceding statement ends on same line
+	if inStmtList {
+		// find the siblings, if any, on the same line
+		if prev, found := curStmt.PrevSibling(); found && lineOf(prev.Node().End()) == stmtStartLine {
+			if _, ok := prev.Node().(ast.Stmt); ok {
+				leftStmt = prev.Node().End() // preceding statement ends on same line
+			}
+		}
+		if next, found := curStmt.NextSibling(); found && lineOf(next.Node().Pos()) == stmtEndLine {
+			rightStmt = next.Node().Pos() // following statement begins on same line
+		}
 	}
-	if next, found := curStmt.NextSibling(); found && lineOf(next.Node().Pos()) == stmtEndLine {
-		to = next.Node().Pos() // following statement begins on same line
+
+	// compute the left and right limits of the edit
+	var leftEdit, rightEdit token.Pos
+	if leftStmt.IsValid() {
+		leftEdit = stmt.Pos() // can't remove preceding comments: a()/*A*/; me()
+	} else if leftSyntax.IsValid() {
+		// remove intervening leftComments
+		if a, _, ok := filterPos(leftComments, leftSyntax, stmt.Pos()); ok {
+			leftEdit = a
+		} else {
+			leftEdit = stmt.Pos()
+		}
+	} else { // remove whole line
+		for leftEdit = stmt.Pos(); lineOf(leftEdit) == stmtStartLine; leftEdit-- {
+		}
+		if leftEdit < stmt.Pos() {
+			leftEdit++ // beginning of line
+		}
 	}
-	// and now for the comments
-Outer:
-	for _, cg := range astutil.EnclosingFile(curStmt).Comments {
-		for _, co := range cg.List {
-			if lineOf(co.End()) < stmtStartLine {
-				continue
-			} else if lineOf(co.Pos()) > stmtEndLine {
-				break Outer // no more are possible
-			}
-			if lineOf(co.End()) == stmtStartLine && co.End() < stmt.Pos() {
-				if !from.IsValid() || co.End() > from {
-					from = co.End()
-					continue // maybe there are more
-				}
-			}
-			if lineOf(co.Pos()) == stmtEndLine && co.Pos() > stmt.End() {
-				if !to.IsValid() || co.Pos() < to {
-					to = co.Pos()
-					continue // maybe there are more
-				}
-			}
+	if rightStmt.IsValid() {
+		rightEdit = stmt.End() // can't remove following comments
+	} else if rightSyntax.IsValid() {
+		// remove intervening rightComments
+		if _, b, ok := filterPos(rightComments, stmt.End(), rightSyntax); ok {
+			rightEdit = b
+		} else {
+			rightEdit = stmt.End()
+		}
+	} else { // remove whole line
+		fend := token.Pos(file.Base()) + token.Pos(file.Size())
+		for rightEdit = stmt.End(); fend >= rightEdit && lineOf(rightEdit) == stmtEndLine; rightEdit++ {
+		}
+		// don't remove \n if there was other stuff earlier
+		if leftSyntax.IsValid() || leftStmt.IsValid() {
+			rightEdit--
 		}
 	}
-	// if either from or to is valid, just remove the statement
-	// otherwise remove the line
-	edit := analysis.TextEdit{Pos: stmt.Pos(), End: stmt.End()}
-	if from.IsValid() || to.IsValid() {
-		// remove just the statement.
-		// we can't tell if there is a ; or whitespace right after the statement
-		// ideally we'd like to remove the former and leave the latter
-		// (if gofmt has run, there likely won't be a ;)
-		// In type switches we know there's a semicolon somewhere after the statement,
-		// but the extra work for this special case is not worth it, as gofmt will fix it.
-		return []analysis.TextEdit{edit}
+
+	return []Edit{{Pos: leftEdit, End: rightEdit}}
+}
+
+// DeleteUnusedVars computes the edits required to delete the
+// declarations of any local variables whose last uses are in the
+// curDelend subtree, which is about to be deleted.
+func DeleteUnusedVars(index *typeindex.Index, info *types.Info, tokFile *token.File, curDelend inspector.Cursor) []Edit {
+	// TODO(adonovan): we might want to generalize this by
+	// splitting the two phases below, so that we can gather
+	// across a whole sequence of deletions then finally compute the
+	// set of variables that are no longer wanted.
+
+	// Count number of deletions of each var.
+	delcount := make(map[*types.Var]int)
+	for curId := range curDelend.Preorder((*ast.Ident)(nil)) {
+		id := curId.Node().(*ast.Ident)
+		if v, ok := info.Uses[id].(*types.Var); ok &&
+			typesinternal.GetVarKind(v) == typesinternal.LocalVar { // always false before go1.25
+			delcount[v]++
+		}
 	}
-	// remove the whole line
-	for lineOf(edit.Pos) == stmtStartLine {
-		edit.Pos--
+
+	// Delete declaration of each var that became unused.
+	var edits []Edit
+	for v, count := range delcount {
+		if len(slices.Collect(index.Uses(v))) == count {
+			if curDefId, ok := index.Def(v); ok {
+				edits = append(edits, DeleteVar(tokFile, info, curDefId)...)
+			}
+		}
 	}
-	edit.Pos++ // get back tostmtStartLine
-	for lineOf(edit.End) == stmtEndLine {
-		edit.End++
+	return edits
+}
+
+func eolComment(n ast.Node) *ast.CommentGroup {
+	// TODO(adonovan): support:
+	//    func f() {...} // comment
+	switch n := n.(type) {
+	case *ast.GenDecl:
+		if !n.TokPos.IsValid() && len(n.Specs) == 1 {
+			return eolComment(n.Specs[0])
+		}
+	case *ast.ValueSpec:
+		return n.Comment
+	case *ast.TypeSpec:
+		return n.Comment
 	}
-	return []analysis.TextEdit{edit}
+	return nil
 }
diff --git a/vendor/golang.org/x/tools/internal/refactor/edit.go b/vendor/golang.org/x/tools/internal/refactor/edit.go
new file mode 100644
index 0000000000..42be9a54b4
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/refactor/edit.go
@@ -0,0 +1,15 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.p
+
+package refactor
+
+// This is the only file in this package that should import analysis.
+//
+// TODO(adonovan): consider unaliasing the type to break the
+// dependency. (The ergonomics of slice append are unfortunate.)
+
+import "golang.org/x/tools/go/analysis"
+
+// An Edit describes a deletion and/or an insertion.
+type Edit = analysis.TextEdit
diff --git a/vendor/golang.org/x/tools/internal/refactor/imports.go b/vendor/golang.org/x/tools/internal/refactor/imports.go
index 1ba3a9609f..e1860ab065 100644
--- a/vendor/golang.org/x/tools/internal/refactor/imports.go
+++ b/vendor/golang.org/x/tools/internal/refactor/imports.go
@@ -7,14 +7,13 @@ package refactor
 // This file defines operations for computing edits to imports.
 
 import (
-	"fmt"
 	"go/ast"
 	"go/token"
 	"go/types"
 	pathpkg "path"
+	"strconv"
 
-	"golang.org/x/tools/go/analysis"
-	"golang.org/x/tools/internal/analysisinternal"
+	"golang.org/x/tools/internal/packagepath"
 )
 
 // AddImport returns the prefix (either "pkg." or "") that should be
@@ -35,7 +34,7 @@ import (
 // package declares member.
 //
 // AddImport does not mutate its arguments.
-func AddImport(info *types.Info, file *ast.File, preferredName, pkgpath, member string, pos token.Pos) (prefix string, edits []analysis.TextEdit) {
+func AddImport(info *types.Info, file *ast.File, preferredName, pkgpath, member string, pos token.Pos) (prefix string, edits []Edit) {
 	// Find innermost enclosing lexical block.
 	scope := info.Scopes[file].Innermost(pos)
 	if scope == nil {
@@ -69,41 +68,61 @@ func AddImport(info *types.Info, file *ast.File, preferredName, pkgpath, member
 	newName := preferredName
 	if preferredName != "_" {
 		newName = FreshName(scope, pos, preferredName)
+		prefix = newName + "."
 	}
 
-	// Create a new import declaration either before the first existing
-	// declaration (which must exist), including its comments; or
-	// inside the declaration, if it is an import group.
-	//
 	// Use a renaming import whenever the preferred name is not
 	// available, or the chosen name does not match the last
 	// segment of its path.
-	newText := fmt.Sprintf("%q", pkgpath)
-	if newName != preferredName || newName != pathpkg.Base(pkgpath) {
-		newText = fmt.Sprintf("%s %q", newName, pkgpath)
+	if newName == preferredName && newName == pathpkg.Base(pkgpath) {
+		newName = ""
+	}
+
+	return prefix, AddImportEdits(file, newName, pkgpath)
+}
+
+// AddImportEdits returns the edits to add an import of the specified
+// package, without any analysis of whether this is necessary or safe.
+// If name is nonempty, it is used as an explicit [ImportSpec.Name].
+//
+// A sequence of calls to AddImportEdits that each add the file's
+// first import (or in a file that does not have a grouped import) may
+// result in multiple import declarations, rather than a single one
+// with multiple ImportSpecs. However, a subsequent run of
+// x/tools/cmd/goimports ([imports.Process]) will combine them.
+//
+// AddImportEdits does not mutate the AST.
+func AddImportEdits(file *ast.File, name, pkgpath string) []Edit {
+	newText := strconv.Quote(pkgpath)
+	if name != "" {
+		newText = name + " " + newText
 	}
 
+	// Create a new import declaration either before the first existing
+	// declaration (which must exist), including its comments; or
+	// inside the declaration, if it is an import group.
 	decl0 := file.Decls[0]
-	var before ast.Node = decl0
+	before := decl0.Pos()
 	switch decl0 := decl0.(type) {
 	case *ast.GenDecl:
 		if decl0.Doc != nil {
-			before = decl0.Doc
+			before = decl0.Doc.Pos()
 		}
 	case *ast.FuncDecl:
 		if decl0.Doc != nil {
-			before = decl0.Doc
+			before = decl0.Doc.Pos()
 		}
 	}
-	if gd, ok := before.(*ast.GenDecl); ok && gd.Tok == token.IMPORT && gd.Rparen.IsValid() {
+	var pos token.Pos
+	if gd, ok := decl0.(*ast.GenDecl); ok && gd.Tok == token.IMPORT && gd.Rparen.IsValid() {
 		// Have existing grouped import ( ... ) decl.
-		if analysisinternal.IsStdPackage(pkgpath) && len(gd.Specs) > 0 {
+		if packagepath.IsStdPackage(pkgpath) && len(gd.Specs) > 0 {
 			// Add spec for a std package before
 			// first existing spec, followed by
 			// a blank line if the next one is non-std.
 			first := gd.Specs[0].(*ast.ImportSpec)
 			pos = first.Pos()
-			if !analysisinternal.IsStdPackage(first.Path.Value) {
+			if !packagepath.IsStdPackage(first.Path.Value) {
 				newText += "\n"
 			}
 			newText += "\n\t"
@@ -116,10 +135,13 @@ func AddImport(info *types.Info, file *ast.File, preferredName, pkgpath, member
 		// No import decl, or non-grouped import.
 		// Add a new import decl before first decl.
 		// (gofmt will merge multiple import decls.)
-		pos = before.Pos()
+		//
+		// TODO(adonovan): do better here; plunder the
+		// mergeImports logic from [imports.Process].
+		pos = before
 		newText = "import " + newText + "\n\n"
 	}
-	return newName + ".", []analysis.TextEdit{{
+	return []Edit{{
 		Pos:     pos,
 		End:     pos,
 		NewText: []byte(newText),
diff --git a/vendor/golang.org/x/tools/internal/refactor/refactor.go b/vendor/golang.org/x/tools/internal/refactor/refactor.go
index 27b9750896..8664377f85 100644
--- a/vendor/golang.org/x/tools/internal/refactor/refactor.go
+++ b/vendor/golang.org/x/tools/internal/refactor/refactor.go
@@ -5,8 +5,7 @@
 // Package refactor provides operators to compute common textual edits
 // for refactoring tools.
 //
-// This package should not use features of the analysis API
-// other than [analysis.TextEdit].
+// This package should not use features of the analysis API other than [Edit].
 package refactor
 
 import (
@@ -17,6 +16,11 @@ import (
 
 // FreshName returns the name of an identifier that is undefined
 // at the specified position, based on the preferred name.
+//
+// TODO(adonovan): refine this to choose a fresh name only when there
+// would be a conflict with the existing declaration: it's fine to
+// redeclare a name in a narrower scope so long as there are no free
+// references to the outer name from within the narrower scope.
 func FreshName(scope *types.Scope, pos token.Pos, preferred string) string {
 	newName := preferred
 	for i := 0; ; i++ {
diff --git a/vendor/golang.org/x/tools/internal/ssainternal/ssainternal.go b/vendor/golang.org/x/tools/internal/ssainternal/ssainternal.go
new file mode 100644
index 0000000000..686c5d97d2
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/ssainternal/ssainternal.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ssainternal exposes setters for internals of go/ssa.
+// It cannot actually depend on symbols from go/ssa.
+package ssainternal
+
+import "go/types"
+
+// SetNoReturn sets the predicate used when building the ssa.Program
+// prog that reports whether a given function cannot return.
+// This may be used to prune spurious control flow edges
+// after (e.g.) log.Fatal, improving the precision of analyses.
+//
+// You must link [golang.org/x/tools/go/ssa] into your application for
+// this function to be non-nil.
+//
+// TODO(adonovan): add (*ssa.Program).SetNoReturn to the public API.
+var SetNoReturn = func(prog any, noreturn func(*types.Func) bool) {
+	panic("golang.org/x/tools/go/ssa not linked into application")
+}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/deps.go b/vendor/golang.org/x/tools/internal/stdlib/deps.go
index 96ad6c5821..f7b9c12865 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/deps.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/deps.go
@@ -12,354 +12,514 @@ type pkginfo struct {
 }
 
 var deps = [...]pkginfo{
-	{"archive/tar", "\x03k\x03E;\x01\n\x01$\x01\x01\x02\x05\b\x02\x01\x02\x02\f"},
-	{"archive/zip", "\x02\x04a\a\x03\x12\x021;\x01+\x05\x01\x0f\x03\x02\x0e\x04"},
-	{"bufio", "\x03k\x83\x01D\x14"},
-	{"bytes", "n*Y\x03\fG\x02\x02"},
+	{"archive/tar", "\x03p\x03F=\x01\n\x01$\x01\x01\x02\x05\b\x02\x01\x02\x02\f"},
+	{"archive/zip", "\x02\x04f\a\x03\x13\x021=\x01+\x05\x01\x0f\x03\x02\x0e\x04"},
+	{"bufio", "\x03p\x86\x01D\x14"},
+	{"bytes", "s+[\x03\fG\x02\x02"},
 	{"cmp", ""},
-	{"compress/bzip2", "\x02\x02\xed\x01A"},
-	{"compress/flate", "\x02l\x03\x80\x01\f\x033\x01\x03"},
-	{"compress/gzip", "\x02\x04a\a\x03\x14lT"},
-	{"compress/lzw", "\x02l\x03\x80\x01"},
-	{"compress/zlib", "\x02\x04a\a\x03\x12\x01m"},
-	{"container/heap", "\xb3\x02"},
+	{"compress/bzip2", "\x02\x02\xf5\x01A"},
+	{"compress/flate", "\x02q\x03\x83\x01\f\x033\x01\x03"},
+	{"compress/gzip", "\x02\x04f\a\x03\x15nT"},
+	{"compress/lzw", "\x02q\x03\x83\x01"},
+	{"compress/zlib", "\x02\x04f\a\x03\x13\x01o"},
+	{"container/heap", "\xbb\x02"},
 	{"container/list", ""},
 	{"container/ring", ""},
-	{"context", "n\\m\x01\r"},
-	{"crypto", "\x83\x01nC"},
-	{"crypto/aes", "\x10\n\a\x93\x02"},
-	{"crypto/cipher", "\x03\x1e\x01\x01\x1e\x11\x1c+X"},
-	{"crypto/des", "\x10\x13\x1e-+\x9b\x01\x03"},
-	{"crypto/dsa", "A\x04)\x83\x01\r"},
-	{"crypto/ecdh", "\x03\v\f\x0e\x04\x15\x04\r\x1c\x83\x01"},
-	{"crypto/ecdsa", "\x0e\x05\x03\x04\x01\x0e\a\v\x05\x01\x04\f\x01\x1c\x83\x01\r\x05K\x01"},
-	{"crypto/ed25519", "\x0e\x1c\x11\x06\n\a\x1c\x83\x01C"},
-	{"crypto/elliptic", "0>\x83\x01\r9"},
-	{"crypto/fips140", " \x05"},
-	{"crypto/hkdf", "-\x13\x01-\x15"},
-	{"crypto/hmac", "\x1a\x14\x12\x01\x111"},
-	{"crypto/internal/boring", "\x0e\x02\rf"},
-	{"crypto/internal/boring/bbig", "\x1a\xe4\x01M"},
-	{"crypto/internal/boring/bcache", "\xb8\x02\x13"},
+	{"context", "s\\p\x01\r"},
+	{"crypto", "\x89\x01pC"},
+	{"crypto/aes", "\x10\n\t\x99\x02"},
+	{"crypto/cipher", "\x03 \x01\x01 \x12\x1c,Z"},
+	{"crypto/des", "\x10\x15 .,\x9d\x01\x03"},
+	{"crypto/dsa", "E\x04*\x86\x01\r"},
+	{"crypto/ecdh", "\x03\v\f\x10\x04\x17\x04\x0e\x1c\x86\x01"},
+	{"crypto/ecdsa", "\x0e\x05\x03\x04\x01\x10\b\v\x06\x01\x04\r\x01\x1c\x86\x01\r\x05K\x01"},
+	{"crypto/ed25519", "\x0e\x1e\x12\a\v\a\x1c\x86\x01C"},
+	{"crypto/elliptic", "3@\x86\x01\r9"},
+	{"crypto/fips140", "\"\x05"},
+	{"crypto/hkdf", "/\x15\x01.\x16"},
+	{"crypto/hmac", "\x1a\x16\x14\x01\x122"},
+	{"crypto/internal/boring", "\x0e\x02\rl"},
+	{"crypto/internal/boring/bbig", "\x1a\xec\x01M"},
+	{"crypto/internal/boring/bcache", "\xc0\x02\x13"},
 	{"crypto/internal/boring/sig", ""},
-	{"crypto/internal/cryptotest", "\x03\r\n\x06$\x0e\x19\x06\x12\x12 \x04\a\t\x16\x01\x11\x11\x1b\x01\a\x05\b\x03\x05\v"},
-	{"crypto/internal/entropy", "F"},
-	{"crypto/internal/fips140", "?/\x15\xa7\x01\v\x16"},
-	{"crypto/internal/fips140/aes", "\x03\x1d\x03\x02\x13\x05\x01\x01\x05*\x92\x014"},
-	{"crypto/internal/fips140/aes/gcm", " \x01\x02\x02\x02\x11\x05\x01\x06*\x8f\x01"},
-	{"crypto/internal/fips140/alias", "\xcb\x02"},
-	{"crypto/internal/fips140/bigmod", "%\x18\x01\x06*\x92\x01"},
-	{"crypto/internal/fips140/check", " \x0e\x06\t\x02\xb2\x01Z"},
-	{"crypto/internal/fips140/check/checktest", "%\x85\x02!"},
-	{"crypto/internal/fips140/drbg", "\x03\x1c\x01\x01\x04\x13\x05\b\x01(\x83\x01\x0f7"},
-	{"crypto/internal/fips140/ecdh", "\x03\x1d\x05\x02\t\r1\x83\x01\x0f7"},
-	{"crypto/internal/fips140/ecdsa", "\x03\x1d\x04\x01\x02\a\x02\x068\x15nF"},
-	{"crypto/internal/fips140/ed25519", "\x03\x1d\x05\x02\x04\v8\xc6\x01\x03"},
-	{"crypto/internal/fips140/edwards25519", "%\a\f\x051\x92\x017"},
-	{"crypto/internal/fips140/edwards25519/field", "%\x13\x051\x92\x01"},
-	{"crypto/internal/fips140/hkdf", "\x03\x1d\x05\t\x06:\x15"},
-	{"crypto/internal/fips140/hmac", "\x03\x1d\x14\x01\x018\x15"},
-	{"crypto/internal/fips140/mlkem", "\x03\x1d\x05\x02\x0e\x03\x051"},
-	{"crypto/internal/fips140/nistec", "%\f\a\x051\x92\x01*\r\x14"},
-	{"crypto/internal/fips140/nistec/fiat", "%\x136\x92\x01"},
-	{"crypto/internal/fips140/pbkdf2", "\x03\x1d\x05\t\x06:\x15"},
-	{"crypto/internal/fips140/rsa", "\x03\x1d\x04\x01\x02\r\x01\x01\x026\x15nF"},
-	{"crypto/internal/fips140/sha256", "\x03\x1d\x1d\x01\x06*\x15}"},
-	{"crypto/internal/fips140/sha3", "\x03\x1d\x18\x05\x010\x92\x01K"},
-	{"crypto/internal/fips140/sha512", "\x03\x1d\x1d\x01\x06*\x15}"},
-	{"crypto/internal/fips140/ssh", "%^"},
-	{"crypto/internal/fips140/subtle", "#\x1a\xc3\x01"},
-	{"crypto/internal/fips140/tls12", "\x03\x1d\x05\t\x06\x028\x15"},
-	{"crypto/internal/fips140/tls13", "\x03\x1d\x05\b\a\t1\x15"},
-	{"crypto/internal/fips140cache", "\xaa\x02\r&"},
+	{"crypto/internal/constanttime", ""},
+	{"crypto/internal/cryptotest", "\x03\r\n\b&\x0f\x19\x06\x13\x12 \x04\x06\t\x19\x01\x11\x11\x1b\x01\a\x05\b\x03\x05\v"},
+	{"crypto/internal/entropy", "J"},
+	{"crypto/internal/entropy/v1.0.0", "C0\x95\x018\x13"},
+	{"crypto/internal/fips140", "B1\xbf\x01\v\x16"},
+	{"crypto/internal/fips140/aes", "\x03\x1f\x03\x02\x14\x05\x01\x01\x06+\x95\x014"},
+	{"crypto/internal/fips140/aes/gcm", "\"\x01\x02\x02\x02\x12\x05\x01\a+\x92\x01"},
+	{"crypto/internal/fips140/alias", "\xd3\x02"},
+	{"crypto/internal/fips140/bigmod", "'\x19\x01\a+\x95\x01"},
+	{"crypto/internal/fips140/check", "\"\x0e\a\t\x02\xb7\x01Z"},
+	{"crypto/internal/fips140/check/checktest", "'\x8b\x02!"},
+	{"crypto/internal/fips140/drbg", "\x03\x1e\x01\x01\x04\x14\x05\t\x01)\x86\x01\x0f7\x01"},
+	{"crypto/internal/fips140/ecdh", "\x03\x1f\x05\x02\n\r3\x86\x01\x0f7"},
+	{"crypto/internal/fips140/ecdsa", "\x03\x1f\x04\x01\x02\a\x03\x06:\x16pF"},
+	{"crypto/internal/fips140/ed25519", "\x03\x1f\x05\x02\x04\f:\xc9\x01\x03"},
+	{"crypto/internal/fips140/edwards25519", "\x1e\t\a\x123\x95\x017"},
+	{"crypto/internal/fips140/edwards25519/field", "'\x14\x053\x95\x01"},
+	{"crypto/internal/fips140/hkdf", "\x03\x1f\x05\t\a<\x16"},
+	{"crypto/internal/fips140/hmac", "\x03\x1f\x15\x01\x01:\x16"},
+	{"crypto/internal/fips140/mldsa", "\x03\x1b\x04\x05\x02\x0e\x01\x03\x053\x95\x017"},
+	{"crypto/internal/fips140/mlkem", "\x03\x1f\x05\x02\x0f\x03\x053\xcc\x01"},
+	{"crypto/internal/fips140/nistec", "\x1e\t\r\f3\x95\x01*\r\x14"},
+	{"crypto/internal/fips140/nistec/fiat", "'\x148\x95\x01"},
+	{"crypto/internal/fips140/pbkdf2", "\x03\x1f\x05\t\a<\x16"},
+	{"crypto/internal/fips140/rsa", "\x03\x1b\x04\x04\x01\x02\x0e\x01\x01\x028\x16pF"},
+	{"crypto/internal/fips140/sha256", "\x03\x1f\x1e\x01\a+\x16\x7f"},
+	{"crypto/internal/fips140/sha3", "\x03\x1f\x19\x05\x012\x95\x01K"},
+	{"crypto/internal/fips140/sha512", "\x03\x1f\x1e\x01\a+\x16\x7f"},
+	{"crypto/internal/fips140/ssh", "'b"},
+	{"crypto/internal/fips140/subtle", "\x1e\a\x1b\xc8\x01"},
+	{"crypto/internal/fips140/tls12", "\x03\x1f\x05\t\a\x02:\x16"},
+	{"crypto/internal/fips140/tls13", "\x03\x1f\x05\b\b\t3\x16"},
+	{"crypto/internal/fips140cache", "\xb2\x02\r&"},
 	{"crypto/internal/fips140deps", ""},
-	{"crypto/internal/fips140deps/byteorder", "\x99\x01"},
-	{"crypto/internal/fips140deps/cpu", "\xae\x01\a"},
-	{"crypto/internal/fips140deps/godebug", "\xb6\x01"},
-	{"crypto/internal/fips140hash", "5\x1b3\xc8\x01"},
-	{"crypto/internal/fips140only", "'\r\x01\x01M3;"},
+	{"crypto/internal/fips140deps/byteorder", "\x9f\x01"},
+	{"crypto/internal/fips140deps/cpu", "\xb4\x01\a"},
+	{"crypto/internal/fips140deps/godebug", "\xbc\x01"},
+	{"crypto/internal/fips140deps/time", "\xcd\x02"},
+	{"crypto/internal/fips140hash", "8\x1d4\xca\x01"},
+	{"crypto/internal/fips140only", ")\x0e\x01\x01P3="},
 	{"crypto/internal/fips140test", ""},
-	{"crypto/internal/hpke", "\x0e\x01\x01\x03\x053#+gM"},
-	{"crypto/internal/impl", "\xb5\x02"},
-	{"crypto/internal/randutil", "\xf1\x01\x12"},
-	{"crypto/internal/sysrand", "nn! \r\r\x01\x01\f\x06"},
-	{"crypto/internal/sysrand/internal/seccomp", "n"},
-	{"crypto/md5", "\x0e3-\x15\x16g"},
-	{"crypto/mlkem", "/"},
-	{"crypto/pbkdf2", "2\x0e\x01-\x15"},
-	{"crypto/rand", "\x1a\x06\a\x1a\x04\x01(\x83\x01\rM"},
-	{"crypto/rc4", "#\x1e-\xc6\x01"},
-	{"crypto/rsa", "\x0e\f\x01\t\x0f\r\x01\x04\x06\a\x1c\x03\x123;\f\x01"},
-	{"crypto/sha1", "\x0e\f'\x03*\x15\x16\x15R"},
-	{"crypto/sha256", "\x0e\f\x1aO"},
-	{"crypto/sha3", "\x0e'N\xc8\x01"},
-	{"crypto/sha512", "\x0e\f\x1cM"},
-	{"crypto/subtle", "8\x9b\x01W"},
-	{"crypto/tls", "\x03\b\x02\x01\x01\x01\x01\x02\x01\x01\x01\x02\x01\x01\a\x01\r\n\x01\t\x05\x03\x01\x01\x01\x01\x02\x01\x02\x01\x17\x02\x03\x12\x16\x15\b;\x16\x16\r\b\x01\x01\x01\x02\x01\r\x06\x02\x01\x0f"},
-	{"crypto/tls/internal/fips140tls", "\x17\xa1\x02"},
-	{"crypto/x509", "\x03\v\x01\x01\x01\x01\x01\x01\x01\x012\x05\x01\x01\x02\x05\x0e\x06\x02\x02\x03E\x038\x01\x02\b\x01\x01\x02\a\x10\x05\x01\x06\x02\x05\n\x01\x02\x0e\x02\x01\x01\x02\x03\x01"},
-	{"crypto/x509/pkix", "d\x06\a\x8d\x01G"},
-	{"database/sql", "\x03\nK\x16\x03\x80\x01\v\a\"\x05\b\x02\x03\x01\r\x02\x02\x02"},
-	{"database/sql/driver", "\ra\x03\xb4\x01\x0f\x11"},
-	{"debug/buildinfo", "\x03X\x02\x01\x01\b\a\x03e\x19\x02\x01+\x0f\x1f"},
-	{"debug/dwarf", "\x03d\a\x03\x80\x011\x11\x01\x01"},
-	{"debug/elf", "\x03\x06Q\r\a\x03e\x1a\x01,\x17\x01\x16"},
-	{"debug/gosym", "\x03d\n\xc2\x01\x01\x01\x02"},
-	{"debug/macho", "\x03\x06Q\r\ne\x1b,\x17\x01"},
-	{"debug/pe", "\x03\x06Q\r\a\x03e\x1b,\x17\x01\x16"},
-	{"debug/plan9obj", "g\a\x03e\x1b,"},
-	{"embed", "n*@\x19\x01S"},
+	{"crypto/internal/hpke", "\x03\v\x01\x01\x03\x055\x03\x04\x01\x01\x16\a\x03\x13\xcc\x01"},
+	{"crypto/internal/impl", "\xbd\x02"},
+	{"crypto/internal/randutil", "\xf9\x01\x12"},
+	{"crypto/internal/sysrand", "sq! \r\r\x01\x01\f\x06"},
+	{"crypto/internal/sysrand/internal/seccomp", "s"},
+	{"crypto/md5", "\x0e7.\x16\x16i"},
+	{"crypto/mlkem", "\x0e$"},
+	{"crypto/mlkem/mlkemtest", "2\x1b&"},
+	{"crypto/pbkdf2", "5\x0f\x01.\x16"},
+	{"crypto/rand", "\x1a\b\a\x1c\x04\x01)\x86\x01\rM"},
+	{"crypto/rc4", "% .\xc9\x01"},
+	{"crypto/rsa", "\x0e\f\x01\v\x10\x0e\x01\x04\a\a\x1c\x03\x133=\f\x01"},
+	{"crypto/sha1", "\x0e\f+\x03+\x16\x16\x15T"},
+	{"crypto/sha256", "\x0e\f\x1dR"},
+	{"crypto/sha3", "\x0e*Q\xca\x01"},
+	{"crypto/sha512", "\x0e\f\x1fP"},
+	{"crypto/subtle", "\x1e\x1d\x9f\x01X"},
+	{"crypto/tls", "\x03\b\x02\x01\x01\x01\x01\x02\x01\x01\x01\x02\x01\x01\t\x01\x0e\n\x01\n\x05\x04\x01\x01\x01\x01\x02\x01\x02\x01\x17\x02\x03\x13\x16\x15\b=\x16\x16\r\b\x01\x01\x01\x02\x01\r\x06\x02\x01\x0f"},
+	{"crypto/tls/internal/fips140tls", "\x17\xa9\x02"},
+	{"crypto/x509", "\x03\v\x01\x01\x01\x01\x01\x01\x01\x016\x06\x01\x01\x02\x05\x0e\x06\x02\x02\x03F\x03:\x01\x02\b\x01\x01\x02\a\x10\x05\x01\x06\a\b\x02\x01\x02\x0e\x02\x01\x01\x02\x03\x01"},
+	{"crypto/x509/pkix", "i\x06\a\x90\x01G"},
+	{"database/sql", "\x03\nP\x16\x03\x83\x01\v\a\"\x05\b\x02\x03\x01\r\x02\x02\x02"},
+	{"database/sql/driver", "\rf\x03\xb7\x01\x0f\x11"},
+	{"debug/buildinfo", "\x03]\x02\x01\x01\b\a\x03g\x1a\x02\x01+\x0f\x1f"},
+	{"debug/dwarf", "\x03i\a\x03\x83\x011\x11\x01\x01"},
+	{"debug/elf", "\x03\x06V\r\a\x03g\x1b\x01\f \x17\x01\x16"},
+	{"debug/gosym", "\x03i\n\xc5\x01\x01\x01\x02"},
+	{"debug/macho", "\x03\x06V\r\ng\x1c,\x17\x01"},
+	{"debug/pe", "\x03\x06V\r\a\x03g\x1c,\x17\x01\x16"},
+	{"debug/plan9obj", "l\a\x03g\x1c,"},
+	{"embed", "s+B\x19\x01S"},
 	{"embed/internal/embedtest", ""},
 	{"encoding", ""},
-	{"encoding/ascii85", "\xf1\x01C"},
-	{"encoding/asn1", "\x03k\x03\x8c\x01\x01'\r\x02\x01\x10\x03\x01"},
-	{"encoding/base32", "\xf1\x01A\x02"},
-	{"encoding/base64", "\x99\x01XA\x02"},
-	{"encoding/binary", "n\x83\x01\f(\r\x05"},
-	{"encoding/csv", "\x02\x01k\x03\x80\x01D\x12\x02"},
-	{"encoding/gob", "\x02`\x05\a\x03e\x1b\v\x01\x03\x1d\b\x12\x01\x0f\x02"},
-	{"encoding/hex", "n\x03\x80\x01A\x03"},
-	{"encoding/json", "\x03\x01^\x04\b\x03\x80\x01\f(\r\x02\x01\x02\x10\x01\x01\x02"},
-	{"encoding/pem", "\x03c\b\x83\x01A\x03"},
-	{"encoding/xml", "\x02\x01_\f\x03\x80\x014\x05\n\x01\x02\x10\x02"},
-	{"errors", "\xca\x01\x81\x01"},
-	{"expvar", "kK?\b\v\x15\r\b\x02\x03\x01\x11"},
-	{"flag", "b\f\x03\x80\x01,\b\x05\b\x02\x01\x10"},
-	{"fmt", "nE>\f \b\r\x02\x03\x12"},
-	{"go/ast", "\x03\x01m\x0e\x01q\x03)\b\r\x02\x01"},
-	{"go/build", "\x02\x01k\x03\x01\x02\x02\a\x02\x01\x17\x1f\x04\x02\t\x19\x13\x01+\x01\x04\x01\a\b\x02\x01\x12\x02\x02"},
-	{"go/build/constraint", "n\xc6\x01\x01\x12\x02"},
-	{"go/constant", "q\x0f}\x01\x024\x01\x02\x12"},
-	{"go/doc", "\x04m\x01\x05\t>31\x10\x02\x01\x12\x02"},
-	{"go/doc/comment", "\x03n\xc1\x01\x01\x01\x01\x12\x02"},
-	{"go/format", "\x03n\x01\v\x01\x02qD"},
-	{"go/importer", "s\a\x01\x01\x04\x01p9"},
-	{"go/internal/gccgoimporter", "\x02\x01X\x13\x03\x04\v\x01n\x02,\x01\x05\x11\x01\f\b"},
-	{"go/internal/gcimporter", "\x02o\x0f\x010\x05\x0e-,\x15\x03\x02"},
-	{"go/internal/srcimporter", "q\x01\x01\n\x03\x01p,\x01\x05\x12\x02\x14"},
-	{"go/parser", "\x03k\x03\x01\x02\v\x01q\x01+\x06\x12"},
-	{"go/printer", "q\x01\x02\x03\tq\f \x15\x02\x01\x02\v\x05\x02"},
-	{"go/scanner", "\x03n\x0fq2\x10\x01\x13\x02"},
-	{"go/token", "\x04m\x83\x01>\x02\x03\x01\x0f\x02"},
-	{"go/types", "\x03\x01\x06d\x03\x01\x03\b\x03\x02\x15\x1f\x061\x04\x03\t \x06\a\b\x01\x01\x01\x02\x01\x0f\x02\x02"},
-	{"go/version", "\xbb\x01z"},
-	{"hash", "\xf1\x01"},
-	{"hash/adler32", "n\x15\x16"},
-	{"hash/crc32", "n\x15\x16\x15\x89\x01\x01\x13"},
-	{"hash/crc64", "n\x15\x16\x9e\x01"},
-	{"hash/fnv", "n\x15\x16g"},
-	{"hash/maphash", "\x83\x01\x11!\x03\x93\x01"},
-	{"html", "\xb5\x02\x02\x12"},
-	{"html/template", "\x03h\x06\x18-;\x01\n!\x05\x01\x02\x03\f\x01\x02\f\x01\x03\x02"},
-	{"image", "\x02l\x1ee\x0f4\x03\x01"},
+	{"encoding/ascii85", "\xf9\x01C"},
+	{"encoding/asn1", "\x03p\x03g(\x01'\r\x02\x01\x10\x03\x01"},
+	{"encoding/base32", "\xf9\x01A\x02"},
+	{"encoding/base64", "\x9f\x01ZA\x02"},
+	{"encoding/binary", "s\x86\x01\f(\r\x05"},
+	{"encoding/csv", "\x02\x01p\x03\x83\x01D\x12\x02"},
+	{"encoding/gob", "\x02e\x05\a\x03g\x1c\v\x01\x03\x1d\b\x12\x01\x0f\x02"},
+	{"encoding/hex", "s\x03\x83\x01A\x03"},
+	{"encoding/json", "\x03\x01c\x04\b\x03\x83\x01\f(\r\x02\x01\x02\x10\x01\x01\x02"},
+	{"encoding/pem", "\x03h\b\x86\x01A\x03"},
+	{"encoding/xml", "\x02\x01d\f\x03\x83\x014\x05\n\x01\x02\x10\x02"},
+	{"errors", "\xcf\x01\x84\x01"},
+	{"expvar", "pLA\b\v\x15\r\b\x02\x03\x01\x11"},
+	{"flag", "g\f\x03\x83\x01,\b\x05\b\x02\x01\x10"},
+	{"fmt", "sF'\x19\f \b\r\x02\x03\x12"},
+	{"go/ast", "\x03\x01r\x0f\x01s\x03)\b\r\x02\x01\x12\x02"},
+	{"go/build", "\x02\x01p\x03\x01\x02\x02\b\x02\x01\x17\x1f\x04\x02\b\x1c\x13\x01+\x01\x04\x01\a\b\x02\x01\x12\x02\x02"},
+	{"go/build/constraint", "s\xc9\x01\x01\x12\x02"},
+	{"go/constant", "v\x10\x7f\x01\x024\x01\x02\x12"},
+	{"go/doc", "\x04r\x01\x05\n=61\x10\x02\x01\x12\x02"},
+	{"go/doc/comment", "\x03s\xc4\x01\x01\x01\x01\x12\x02"},
+	{"go/format", "\x03s\x01\f\x01\x02sD"},
+	{"go/importer", "x\a\x01\x02\x04\x01r9"},
+	{"go/internal/gccgoimporter", "\x02\x01]\x13\x03\x04\f\x01p\x02,\x01\x05\x11\x01\f\b"},
+	{"go/internal/gcimporter", "\x02t\x10\x010\x05\r0,\x15\x03\x02"},
+	{"go/internal/scannerhooks", "\x86\x01"},
+	{"go/internal/srcimporter", "v\x01\x01\v\x03\x01r,\x01\x05\x12\x02\x14"},
+	{"go/parser", "\x03p\x03\x01\x02\b\x04\x01s\x01+\x06\x12"},
+	{"go/printer", "v\x01\x02\x03\ns\f \x15\x02\x01\x02\v\x05\x02"},
+	{"go/scanner", "\x03s\v\x05s2\x10\x01\x13\x02"},
+	{"go/token", "\x04r\x86\x01>\x02\x03\x01\x0f\x02"},
+	{"go/types", "\x03\x01\x06i\x03\x01\x03\t\x03\x024\x063\x04\x03\t \x06\a\b\x01\x01\x01\x02\x01\x0f\x02\x02"},
+	{"go/version", "\xc1\x01|"},
+	{"hash", "\xf9\x01"},
+	{"hash/adler32", "s\x16\x16"},
+	{"hash/crc32", "s\x16\x16\x15\x8b\x01\x01\x13"},
+	{"hash/crc64", "s\x16\x16\xa0\x01"},
+	{"hash/fnv", "s\x16\x16i"},
+	{"hash/maphash", "\x89\x01\x11<}"},
+	{"html", "\xbd\x02\x02\x12"},
+	{"html/template", "\x03m\x06\x19-=\x01\n!\x05\x01\x02\x03\f\x01\x02\f\x01\x03\x02"},
+	{"image", "\x02q\x1fg\x0f4\x03\x01"},
 	{"image/color", ""},
-	{"image/color/palette", "\x8c\x01"},
-	{"image/draw", "\x8b\x01\x01\x04"},
-	{"image/gif", "\x02\x01\x05f\x03\x1a\x01\x01\x01\vX"},
-	{"image/internal/imageutil", "\x8b\x01"},
-	{"image/jpeg", "\x02l\x1d\x01\x04a"},
-	{"image/png", "\x02\a^\n\x12\x02\x06\x01eC"},
-	{"index/suffixarray", "\x03d\a\x83\x01\f+\n\x01"},
-	{"internal/abi", "\xb5\x01\x96\x01"},
-	{"internal/asan", "\xcb\x02"},
-	{"internal/bisect", "\xaa\x02\r\x01"},
-	{"internal/buildcfg", "qGe\x06\x02\x05\n\x01"},
-	{"internal/bytealg", "\xae\x01\x9d\x01"},
+	{"image/color/palette", "\x92\x01"},
+	{"image/draw", "\x91\x01\x01\x04"},
+	{"image/gif", "\x02\x01\x05k\x03\x1b\x01\x01\x01\vZ\x0f"},
+	{"image/internal/imageutil", "\x91\x01"},
+	{"image/jpeg", "\x02q\x1e\x01\x04c"},
+	{"image/png", "\x02\ac\n\x13\x02\x06\x01gC"},
+	{"index/suffixarray", "\x03i\a\x86\x01\f+\n\x01"},
+	{"internal/abi", "\xbb\x01\x98\x01"},
+	{"internal/asan", "\xd3\x02"},
+	{"internal/bisect", "\xb2\x02\r\x01"},
+	{"internal/buildcfg", "vHg\x06\x02\x05\n\x01"},
+	{"internal/bytealg", "\xb4\x01\x9f\x01"},
 	{"internal/byteorder", ""},
 	{"internal/cfg", ""},
-	{"internal/cgrouptest", "q[Q\x06\x0f\x02\x01\x04\x01"},
-	{"internal/chacha8rand", "\x99\x01\x15\a\x96\x01"},
+	{"internal/cgrouptest", "v[T\x06\x0f\x02\x01\x04\x01"},
+	{"internal/chacha8rand", "\x9f\x01\x15\a\x98\x01"},
 	{"internal/copyright", ""},
 	{"internal/coverage", ""},
 	{"internal/coverage/calloc", ""},
-	{"internal/coverage/cfile", "k\x06\x16\x17\x01\x02\x01\x01\x01\x01\x01\x01\x01#\x02$,\x06\a\n\x01\x03\r\x06"},
-	{"internal/coverage/cformat", "\x04m-\x04O\v6\x01\x02\r"},
-	{"internal/coverage/cmerge", "q-_"},
-	{"internal/coverage/decodecounter", "g\n-\v\x02F,\x17\x17"},
-	{"internal/coverage/decodemeta", "\x02e\n\x16\x17\v\x02F,"},
-	{"internal/coverage/encodecounter", "\x02e\n-\f\x01\x02D\v!\x15"},
-	{"internal/coverage/encodemeta", "\x02\x01d\n\x12\x04\x17\r\x02D,."},
-	{"internal/coverage/pods", "\x04m-\x7f\x06\x05\n\x02\x01"},
-	{"internal/coverage/rtcov", "\xcb\x02"},
-	{"internal/coverage/slicereader", "g\n\x80\x01Z"},
-	{"internal/coverage/slicewriter", "q\x80\x01"},
-	{"internal/coverage/stringtab", "q8\x04D"},
+	{"internal/coverage/cfile", "p\x06\x17\x17\x01\x02\x01\x01\x01\x01\x01\x01\x01\"\x02',\x06\a\n\x01\x03\r\x06"},
+	{"internal/coverage/cformat", "\x04r.\x04Q\v6\x01\x02\r"},
+	{"internal/coverage/cmerge", "v.a"},
+	{"internal/coverage/decodecounter", "l\n.\v\x02H,\x17\x17"},
+	{"internal/coverage/decodemeta", "\x02j\n\x17\x17\v\x02H,"},
+	{"internal/coverage/encodecounter", "\x02j\n.\f\x01\x02F\v!\x15"},
+	{"internal/coverage/encodemeta", "\x02\x01i\n\x13\x04\x17\r\x02F,."},
+	{"internal/coverage/pods", "\x04r.\x81\x01\x06\x05\n\x02\x01"},
+	{"internal/coverage/rtcov", "\xd3\x02"},
+	{"internal/coverage/slicereader", "l\n\x83\x01Z"},
+	{"internal/coverage/slicewriter", "v\x83\x01"},
+	{"internal/coverage/stringtab", "v9\x04F"},
 	{"internal/coverage/test", ""},
 	{"internal/coverage/uleb128", ""},
-	{"internal/cpu", "\xcb\x02"},
-	{"internal/dag", "\x04m\xc1\x01\x03"},
-	{"internal/diff", "\x03n\xc2\x01\x02"},
-	{"internal/exportdata", "\x02\x01k\x03\x02c\x1b,\x01\x05\x11\x01\x02"},
-	{"internal/filepathlite", "n*@\x1a@"},
-	{"internal/fmtsort", "\x04\xa1\x02\r"},
-	{"internal/fuzz", "\x03\nB\x18\x04\x03\x03\x01\v\x036;\f\x03\x1d\x01\x05\x02\x05\n\x01\x02\x01\x01\f\x04\x02"},
+	{"internal/cpu", "\xd3\x02"},
+	{"internal/dag", "\x04r\xc4\x01\x03"},
+	{"internal/diff", "\x03s\xc5\x01\x02"},
+	{"internal/exportdata", "\x02\x01p\x03\x02e\x1c,\x01\x05\x11\x01\x02"},
+	{"internal/filepathlite", "s+B\x1a@"},
+	{"internal/fmtsort", "\x04\xa9\x02\r"},
+	{"internal/fuzz", "\x03\nG\x18\x04\x03\x03\x01\f\x036=\f\x03\x1d\x01\x05\x02\x05\n\x01\x02\x01\x01\f\x04\x02"},
 	{"internal/goarch", ""},
-	{"internal/godebug", "\x96\x01!\x80\x01\x01\x13"},
+	{"internal/godebug", "\x9c\x01!\x82\x01\x01\x13"},
 	{"internal/godebugs", ""},
 	{"internal/goexperiment", ""},
 	{"internal/goos", ""},
-	{"internal/goroot", "\x9d\x02\x01\x05\x12\x02"},
+	{"internal/goroot", "\xa5\x02\x01\x05\x12\x02"},
 	{"internal/gover", "\x04"},
 	{"internal/goversion", ""},
-	{"internal/itoa", ""},
-	{"internal/lazyregexp", "\x9d\x02\v\r\x02"},
-	{"internal/lazytemplate", "\xf1\x01,\x18\x02\f"},
-	{"internal/msan", "\xcb\x02"},
+	{"internal/lazyregexp", "\xa5\x02\v\r\x02"},
+	{"internal/lazytemplate", "\xf9\x01,\x18\x02\f"},
+	{"internal/msan", "\xd3\x02"},
 	{"internal/nettrace", ""},
-	{"internal/obscuretestdata", "f\x8b\x01,"},
-	{"internal/oserror", "n"},
-	{"internal/pkgbits", "\x03L\x18\a\x03\x04\vq\r\x1f\r\n\x01"},
+	{"internal/obscuretestdata", "k\x8e\x01,"},
+	{"internal/oserror", "s"},
+	{"internal/pkgbits", "\x03Q\x18\a\x03\x04\fs\r\x1f\r\n\x01"},
 	{"internal/platform", ""},
-	{"internal/poll", "nO\x1f\x159\r\x01\x01\f\x06"},
-	{"internal/profile", "\x03\x04g\x03\x80\x017\v\x01\x01\x10"},
+	{"internal/poll", "sl\x05\x159\r\x01\x01\f\x06"},
+	{"internal/profile", "\x03\x04l\x03\x83\x017\n\x01\x01\x01\x10"},
 	{"internal/profilerecord", ""},
-	{"internal/race", "\x94\x01\xb7\x01"},
-	{"internal/reflectlite", "\x94\x01!9<!"},
-	{"internal/runtime/atomic", "\xb5\x01\x96\x01"},
-	{"internal/runtime/cgroup", "\x98\x01:\x02w"},
-	{"internal/runtime/exithook", "\xcb\x01\x80\x01"},
-	{"internal/runtime/gc", "\xb5\x01"},
-	{"internal/runtime/maps", "\x94\x01\x01 \v\t\a\x03x"},
-	{"internal/runtime/math", "\xb5\x01"},
+	{"internal/race", "\x9a\x01\xb9\x01"},
+	{"internal/reflectlite", "\x9a\x01!;<!"},
+	{"internal/runtime/atomic", "\xbb\x01\x98\x01"},
+	{"internal/runtime/cgroup", "\x9e\x01=\x04t"},
+	{"internal/runtime/exithook", "\xd0\x01\x83\x01"},
+	{"internal/runtime/gc", "\xbb\x01"},
+	{"internal/runtime/gc/internal/gen", "\nb\n\x18k\x04\v\x1d\b\x10\x02"},
+	{"internal/runtime/gc/scan", "\xb4\x01\a\x18\ay"},
+	{"internal/runtime/maps", "\x9a\x01\x01 \n\t\t\x03y"},
+	{"internal/runtime/math", "\xbb\x01"},
+	{"internal/runtime/pprof/label", ""},
 	{"internal/runtime/startlinetest", ""},
-	{"internal/runtime/strconv", "\xd0\x01"},
-	{"internal/runtime/sys", "\xb5\x01\x04"},
-	{"internal/runtime/syscall", "\xb5\x01\x96\x01"},
+	{"internal/runtime/sys", "\xbb\x01\x04"},
+	{"internal/runtime/syscall/linux", "\xbb\x01\x98\x01"},
 	{"internal/runtime/wasitest", ""},
-	{"internal/saferio", "\xf1\x01Z"},
-	{"internal/singleflight", "\xb7\x02"},
-	{"internal/stringslite", "\x98\x01\xb3\x01"},
-	{"internal/sync", "\x94\x01!\x14o\x13"},
-	{"internal/synctest", "\x94\x01\xb7\x01"},
-	{"internal/syscall/execenv", "\xb9\x02"},
-	{"internal/syscall/unix", "\xaa\x02\x0e\x01\x12"},
-	{"internal/sysinfo", "\x02\x01\xab\x01C,\x18\x02"},
+	{"internal/saferio", "\xf9\x01Z"},
+	{"internal/singleflight", "\xbf\x02"},
+	{"internal/strconv", "\x88\x02K"},
+	{"internal/stringslite", "\x9e\x01\xb5\x01"},
+	{"internal/sync", "\x9a\x01!\x13r\x13"},
+	{"internal/synctest", "\x9a\x01\xb9\x01"},
+	{"internal/syscall/execenv", "\xc1\x02"},
+	{"internal/syscall/unix", "\xb2\x02\x0e\x01\x12"},
+	{"internal/sysinfo", "\x02\x01\xb1\x01E,\x18\x02"},
 	{"internal/syslist", ""},
-	{"internal/testenv", "\x03\na\x02\x01)\x1b\x10-+\x01\x05\a\n\x01\x02\x02\x01\v"},
-	{"internal/testhash", "\x03\x80\x01n\x118\v"},
-	{"internal/testlog", "\xb7\x02\x01\x13"},
-	{"internal/testpty", "n\x03\xac\x01"},
-	{"internal/trace", "\x02\x01\x01\x06]\a\x03t\x03\x03\x06\x03\t5\x01\x01\x01\x10\x06"},
-	{"internal/trace/internal/testgen", "\x03d\nr\x03\x02\x03\x011\v\r\x10"},
-	{"internal/trace/internal/tracev1", "\x03\x01c\a\x03z\x06\f5\x01"},
-	{"internal/trace/raw", "\x02e\nw\x03\x06C\x01\x12"},
-	{"internal/trace/testtrace", "\x02\x01k\x03r\x03\x05\x01\x057\n\x02\x01"},
+	{"internal/testenv", "\x03\nf\x02\x01*\x1b\x0f0+\x01\x05\a\n\x01\x02\x02\x01\v"},
+	{"internal/testhash", "\x03\x86\x01p\x118\v"},
+	{"internal/testlog", "\xbf\x02\x01\x13"},
+	{"internal/testpty", "s\x03\xaf\x01"},
+	{"internal/trace", "\x02\x01\x01\x06b\a\x03w\x03\x03\x06\x03\t5\x01\x01\x01\x10\x06"},
+	{"internal/trace/internal/testgen", "\x03i\nu\x03\x02\x03\x011\v\r\x10"},
+	{"internal/trace/internal/tracev1", "\x03\x01h\a\x03}\x06\f5\x01"},
+	{"internal/trace/raw", "\x02j\nz\x03\x06C\x01\x12"},
+	{"internal/trace/testtrace", "\x02\x01p\x03q\x04\x03\x05\x01\x05,\v\x02\b\x02\x01\x05"},
 	{"internal/trace/tracev2", ""},
-	{"internal/trace/traceviewer", "\x02^\v\x06\x19=\x1c\a\a\x04\b\v\x15\x01\x05\a\n\x01\x02\x0e"},
+	{"internal/trace/traceviewer", "\x02c\v\x06\x1a<\x1f\a\a\x04\b\v\x15\x01\x05\a\n\x01\x02\x0e"},
 	{"internal/trace/traceviewer/format", ""},
-	{"internal/trace/version", "qw\t"},
-	{"internal/txtar", "\x03n\xac\x01\x18"},
-	{"internal/types/errors", "\xb4\x02"},
-	{"internal/unsafeheader", "\xcb\x02"},
-	{"internal/xcoff", "Z\r\a\x03e\x1b,\x17\x01"},
-	{"internal/zstd", "g\a\x03\x80\x01\x0f"},
-	{"io", "n\xc9\x01"},
-	{"io/fs", "n*+.1\x10\x13\x04"},
-	{"io/ioutil", "\xf1\x01\x01+\x15\x03"},
-	{"iter", "\xc9\x01a!"},
-	{"log", "q\x80\x01\x05'\r\r\x01\r"},
+	{"internal/trace/version", "vz\t"},
+	{"internal/txtar", "\x03s\xaf\x01\x18"},
+	{"internal/types/errors", "\xbc\x02"},
+	{"internal/unsafeheader", "\xd3\x02"},
+	{"internal/xcoff", "_\r\a\x03g\x1c,\x17\x01"},
+	{"internal/zstd", "l\a\x03\x83\x01\x0f"},
+	{"io", "s\xcc\x01"},
+	{"io/fs", "s+*11\x10\x13\x04"},
+	{"io/ioutil", "\xf9\x01\x01+\x15\x03"},
+	{"iter", "\xce\x01d!"},
+	{"log", "v\x83\x01\x05'\r\r\x01\r"},
 	{"log/internal", ""},
-	{"log/slog", "\x03\nU\t\x03\x03\x80\x01\x04\x01\x02\x02\x03(\x05\b\x02\x01\x02\x01\r\x02\x02\x02"},
+	{"log/slog", "\x03\nZ\t\x03\x03\x83\x01\x04\x01\x02\x02\x03(\x05\b\x02\x01\x02\x01\r\x02\x02\x02"},
 	{"log/slog/internal", ""},
-	{"log/slog/internal/benchmarks", "\ra\x03\x80\x01\x06\x03:\x11"},
-	{"log/slog/internal/buffer", "\xb7\x02"},
-	{"log/syslog", "n\x03\x84\x01\x12\x16\x18\x02\x0e"},
-	{"maps", "\xf4\x01W"},
-	{"math", "\xae\x01RK"},
-	{"math/big", "\x03k\x03(\x15C\f\x03\x020\x02\x01\x02\x14"},
-	{"math/big/internal/asmgen", "\x03\x01m\x8f\x012\x03"},
-	{"math/bits", "\xcb\x02"},
-	{"math/cmplx", "\xfd\x01\x03"},
-	{"math/rand", "\xb6\x01G:\x01\x13"},
-	{"math/rand/v2", "n+\x03a\x03K"},
-	{"mime", "\x02\x01c\b\x03\x80\x01\v!\x15\x03\x02\x10\x02"},
-	{"mime/multipart", "\x02\x01H#\x03E;\v\x01\a\x02\x15\x02\x06\x0f\x02\x01\x16"},
-	{"mime/quotedprintable", "\x02\x01n\x80\x01"},
-	{"net", "\x04\ta*\x1e\a\x04\x05\x11\x01\x04\x15\x01%\x06\r\b\x05\x01\x01\f\x06\a"},
-	{"net/http", "\x02\x01\x04\x04\x02>\b\x13\x01\a\x03E;\x01\x03\a\x01\x03\x02\x02\x01\x02\x06\x02\x01\x01\n\x01\x01\x05\x01\x02\x05\b\x01\x01\x01\x02\x01\r\x02\x02\x02\b\x01\x01\x01"},
-	{"net/http/cgi", "\x02Q\x1b\x03\x80\x01\x04\a\v\x01\x13\x01\x01\x01\x04\x01\x05\x02\b\x02\x01\x10\x0e"},
-	{"net/http/cookiejar", "\x04j\x03\x96\x01\x01\b\f\x16\x03\x02\x0e\x04"},
-	{"net/http/fcgi", "\x02\x01\nZ\a\x03\x80\x01\x16\x01\x01\x14\x18\x02\x0e"},
-	{"net/http/httptest", "\x02\x01\nF\x02\x1b\x01\x80\x01\x04\x12\x01\n\t\x02\x17\x01\x02\x0e\x0e"},
-	{"net/http/httptrace", "\rFnF\x14\n "},
-	{"net/http/httputil", "\x02\x01\na\x03\x80\x01\x04\x0f\x03\x01\x05\x02\x01\v\x01\x19\x02\x0e\x0e"},
-	{"net/http/internal", "\x02\x01k\x03\x80\x01"},
-	{"net/http/internal/ascii", "\xb5\x02\x12"},
-	{"net/http/internal/httpcommon", "\ra\x03\x9c\x01\x0e\x01\x17\x01\x01\x02\x1c\x02"},
-	{"net/http/internal/testcert", "\xb5\x02"},
-	{"net/http/pprof", "\x02\x01\nd\x18-\x11*\x04\x13\x14\x01\r\x04\x03\x01\x02\x01\x10"},
+	{"log/slog/internal/benchmarks", "\rf\x03\x83\x01\x06\x03:\x11"},
+	{"log/slog/internal/buffer", "\xbf\x02"},
+	{"log/syslog", "s\x03\x87\x01\x12\x16\x18\x02\x0e"},
+	{"maps", "\xfc\x01W"},
+	{"math", "\xb4\x01TK"},
+	{"math/big", "\x03p\x03)\x15E\f\x03\x020\x02\x01\x02\x14"},
+	{"math/big/internal/asmgen", "\x03\x01r\x92\x012\x03"},
+	{"math/bits", "\xd3\x02"},
+	{"math/cmplx", "\x85\x02\x03"},
+	{"math/rand", "\xbc\x01I:\x01\x13"},
+	{"math/rand/v2", "s,\x03c\x03K"},
+	{"mime", "\x02\x01h\b\x03\x83\x01\v!\x15\x03\x02\x10\x02"},
+	{"mime/multipart", "\x02\x01M#\x03F=\v\x01\a\x02\x15\x02\x06\x0f\x02\x01\x16"},
+	{"mime/quotedprintable", "\x02\x01s\x83\x01"},
+	{"net", "\x04\tf+\x1e\n\x05\x13\x01\x01\x04\x15\x01%\x06\r\b\x05\x01\x01\f\x06\a"},
+	{"net/http", "\x02\x01\x03\x01\x04\x02C\b\x13\x01\a\x03F=\x01\x03\a\x01\x03\x02\x02\x01\x02\x06\x02\x01\x01\n\x01\x01\x05\x01\x02\x05\b\x01\x01\x01\x02\x01\r\x02\x02\x02\b\x01\x01\x01"},
+	{"net/http/cgi", "\x02V\x1b\x03\x83\x01\x04\a\v\x01\x13\x01\x01\x01\x04\x01\x05\x02\b\x02\x01\x10\x0e"},
+	{"net/http/cookiejar", "\x04o\x03\x99\x01\x01\b\a\x05\x16\x03\x02\x0e\x04"},
+	{"net/http/fcgi", "\x02\x01\n_\a\x03\x83\x01\x16\x01\x01\x14\x18\x02\x0e"},
+	{"net/http/httptest", "\x02\x01\nK\x02\x1b\x01\x83\x01\x04\x12\x01\n\t\x02\x17\x01\x02\x0e\x0e"},
+	{"net/http/httptrace", "\rKnI\x14\n "},
+	{"net/http/httputil", "\x02\x01\nf\x03\x83\x01\x04\x0f\x03\x01\x05\x02\x01\v\x01\x19\x02\x01\r\x0e"},
+	{"net/http/internal", "\x02\x01p\x03\x83\x01"},
+	{"net/http/internal/ascii", "\xbd\x02\x12"},
+	{"net/http/internal/httpcommon", "\rf\x03\x9f\x01\x0e\x01\x17\x01\x01\x02\x1c\x02"},
+	{"net/http/internal/testcert", "\xbd\x02"},
+	{"net/http/pprof", "\x02\x01\ni\x19-\x02\x0e-\x04\x13\x14\x01\r\x04\x03\x01\x02\x01\x10"},
 	{"net/internal/cgotest", ""},
-	{"net/internal/socktest", "q\xc6\x01\x02"},
-	{"net/mail", "\x02l\x03\x80\x01\x04\x0f\x03\x14\x1a\x02\x0e\x04"},
-	{"net/netip", "\x04j*\x01$@\x034\x16"},
-	{"net/rpc", "\x02g\x05\x03\x0f\ng\x04\x12\x01\x1d\r\x03\x02"},
-	{"net/rpc/jsonrpc", "k\x03\x03\x80\x01\x16\x11\x1f"},
-	{"net/smtp", "\x19/\v\x13\b\x03\x80\x01\x16\x14\x1a"},
-	{"net/textproto", "\x02\x01k\x03\x80\x01\f\n-\x01\x02\x14"},
-	{"net/url", "n\x03\x8b\x01&\x10\x02\x01\x16"},
-	{"os", "n*\x01\x19\x03\b\t\x12\x03\x01\x05\x10\x018\b\x05\x01\x01\f\x06"},
-	{"os/exec", "\x03\naH%\x01\x15\x01+\x06\a\n\x01\x04\f"},
-	{"os/exec/internal/fdtest", "\xb9\x02"},
-	{"os/signal", "\r\x90\x02\x15\x05\x02"},
-	{"os/user", "\x02\x01k\x03\x80\x01,\r\n\x01\x02"},
-	{"path", "n*\xb1\x01"},
-	{"path/filepath", "n*\x1a@+\r\b\x03\x04\x10"},
-	{"plugin", "n"},
-	{"reflect", "n&\x04\x1d\b\f\x06\x04\x1b\x06\t-\n\x03\x10\x02\x02"},
+	{"net/internal/socktest", "v\xc9\x01\x02"},
+	{"net/mail", "\x02q\x03\x83\x01\x04\x0f\x03\x14\x1a\x02\x0e\x04"},
+	{"net/netip", "\x04o+\x01f\x034\x16"},
+	{"net/rpc", "\x02l\x05\x03\x10\ni\x04\x12\x01\x1d\r\x03\x02"},
+	{"net/rpc/jsonrpc", "p\x03\x03\x83\x01\x16\x11\x1f"},
+	{"net/smtp", "\x193\f\x13\b\x03\x83\x01\x16\x14\x1a"},
+	{"net/textproto", "\x02\x01p\x03\x83\x01\f\n-\x01\x02\x14"},
+	{"net/url", "s\x03Fc\v\x10\x02\x01\x16"},
+	{"os", "s+\x01\x19\x03\x10\x14\x01\x03\x01\x05\x10\x018\b\x05\x01\x01\f\x06"},
+	{"os/exec", "\x03\nfI'\x01\x15\x01+\x06\a\n\x01\x04\f"},
+	{"os/exec/internal/fdtest", "\xc1\x02"},
+	{"os/signal", "\r\x98\x02\x15\x05\x02"},
+	{"os/user", "\x02\x01p\x03\x83\x01,\r\n\x01\x02"},
+	{"path", "s+\xb3\x01"},
+	{"path/filepath", "s+\x1aB+\r\b\x03\x04\x10"},
+	{"plugin", "s"},
+	{"reflect", "s'\x04\x1d\x13\b\x04\x05\x17\x06\t-\n\x03\x10\x02\x02"},
 	{"reflect/internal/example1", ""},
 	{"reflect/internal/example2", ""},
-	{"regexp", "\x03\xee\x018\t\x02\x01\x02\x10\x02"},
-	{"regexp/syntax", "\xb2\x02\x01\x01\x01\x02\x10\x02"},
-	{"runtime", "\x94\x01\x04\x01\x03\f\x06\a\x02\x01\x01\x0f\x03\x01\x01\x01\x01\x01\x02\x01\x01\x04\x10c"},
-	{"runtime/coverage", "\xa0\x01Q"},
-	{"runtime/debug", "qUW\r\b\x02\x01\x10\x06"},
-	{"runtime/metrics", "\xb7\x01F-!"},
-	{"runtime/pprof", "\x02\x01\x01\x03\x06Z\a\x03#4)\f \r\b\x01\x01\x01\x02\x02\t\x03\x06"},
-	{"runtime/race", "\xb0\x02"},
+	{"regexp", "\x03\xf6\x018\t\x02\x01\x02\x10\x02"},
+	{"regexp/syntax", "\xba\x02\x01\x01\x01\x02\x10\x02"},
+	{"runtime", "\x9a\x01\x04\x01\x03\f\x06\a\x02\x01\x01\x0e\x03\x01\x01\x01\x02\x01\x01\x01\x02\x01\x04\x01\x10\x18K"},
+	{"runtime/coverage", "\xa6\x01S"},
+	{"runtime/debug", "vUZ\r\b\x02\x01\x10\x06"},
+	{"runtime/metrics", "\xbd\x01H-!"},
+	{"runtime/pprof", "\x02\x01\x01\x03\x06_\a\x03$$\x0f\v!\f \r\b\x01\x01\x01\x02\x02\t\x03\x06"},
+	{"runtime/race", "\xb8\x02"},
 	{"runtime/race/internal/amd64v1", ""},
-	{"runtime/trace", "\ra\x03w\t9\b\x05\x01\r\x06"},
-	{"slices", "\x04\xf0\x01\fK"},
-	{"sort", "\xca\x0162"},
-	{"strconv", "n*@%\x03I"},
-	{"strings", "n&\x04@\x19\x03\f7\x10\x02\x02"},
+	{"runtime/trace", "\rf\x03z\t9\b\x05\x01\r\x06"},
+	{"slices", "\x04\xf8\x01\fK"},
+	{"sort", "\xcf\x0192"},
+	{"strconv", "s+A\x01q"},
+	{"strings", "s'\x04B\x19\x03\f7\x10\x02\x02"},
 	{"structs", ""},
-	{"sync", "\xc9\x01\x10\x01P\x0e\x13"},
-	{"sync/atomic", "\xcb\x02"},
-	{"syscall", "n'\x03\x01\x1c\b\x03\x03\x06\vV\b\x05\x01\x13"},
-	{"testing", "\x03\na\x02\x01X\x14\x14\f\x05\x1b\x06\x02\x05\x02\x05\x01\x02\x01\x02\x01\r\x02\x02\x02"},
-	{"testing/fstest", "n\x03\x80\x01\x01\n&\x10\x03\b\b"},
-	{"testing/internal/testdeps", "\x02\v\xa7\x01-\x10,\x03\x05\x03\x06\a\x02\x0e"},
-	{"testing/iotest", "\x03k\x03\x80\x01\x04"},
-	{"testing/quick", "p\x01\x8c\x01\x05#\x10\x10"},
-	{"testing/slogtest", "\ra\x03\x86\x01.\x05\x10\v"},
-	{"testing/synctest", "\xda\x01`\x11"},
-	{"text/scanner", "\x03n\x80\x01,*\x02"},
-	{"text/tabwriter", "q\x80\x01X"},
-	{"text/template", "n\x03B>\x01\n \x01\x05\x01\x02\x05\v\x02\r\x03\x02"},
-	{"text/template/parse", "\x03n\xb9\x01\n\x01\x12\x02"},
-	{"time", "n*\x1e\"(*\r\x02\x12"},
-	{"time/tzdata", "n\xcb\x01\x12"},
+	{"sync", "\xce\x01\x13\x01P\x0e\x13"},
+	{"sync/atomic", "\xd3\x02"},
+	{"syscall", "s(\x03\x01\x1c\n\x03\x06\r\x04S\b\x05\x01\x13"},
+	{"testing", "\x03\nf\x02\x01X\x17\x14\f\x05\x1b\x06\x02\x05\x02\x05\x01\x02\x01\x02\x01\r\x02\x04"},
+	{"testing/fstest", "s\x03\x83\x01\x01\n&\x10\x03\b\b"},
+	{"testing/internal/testdeps", "\x02\v\xad\x01/\x10,\x03\x05\x03\x06\a\x02\x0e"},
+	{"testing/iotest", "\x03p\x03\x83\x01\x04"},
+	{"testing/quick", "u\x01\x8f\x01\x05#\x10\x10"},
+	{"testing/slogtest", "\rf\x03\x89\x01.\x05\x10\v"},
+	{"testing/synctest", "\xe2\x01`\x11"},
+	{"text/scanner", "\x03s\x83\x01,*\x02"},
+	{"text/tabwriter", "v\x83\x01X"},
+	{"text/template", "s\x03C@\x01\n \x01\x05\x01\x02\x05\v\x02\r\x03\x02"},
+	{"text/template/parse", "\x03s\xbc\x01\n\x01\x12\x02"},
+	{"time", "s+\x1e$(*\r\x02\x12"},
+	{"time/tzdata", "s\xce\x01\x12"},
 	{"unicode", ""},
 	{"unicode/utf16", ""},
 	{"unicode/utf8", ""},
-	{"unique", "\x94\x01!#\x01Q\r\x01\x13\x12"},
+	{"unique", "\x9a\x01!%\x01Q\r\x01\x13\x12"},
 	{"unsafe", ""},
-	{"vendor/golang.org/x/crypto/chacha20", "\x10W\a\x92\x01*&"},
-	{"vendor/golang.org/x/crypto/chacha20poly1305", "\x10W\a\xde\x01\x04\x01\a"},
-	{"vendor/golang.org/x/crypto/cryptobyte", "d\n\x03\x8d\x01' \n"},
+	{"vendor/golang.org/x/crypto/chacha20", "\x10\\\a\x95\x01*&"},
+	{"vendor/golang.org/x/crypto/chacha20poly1305", "\x10\\\a\xe1\x01\x04\x01\a"},
+	{"vendor/golang.org/x/crypto/cryptobyte", "i\n\x03\x90\x01' \n"},
 	{"vendor/golang.org/x/crypto/cryptobyte/asn1", ""},
-	{"vendor/golang.org/x/crypto/internal/alias", "\xcb\x02"},
-	{"vendor/golang.org/x/crypto/internal/poly1305", "R\x15\x99\x01"},
-	{"vendor/golang.org/x/net/dns/dnsmessage", "n"},
-	{"vendor/golang.org/x/net/http/httpguts", "\x87\x02\x14\x1a\x14\r"},
-	{"vendor/golang.org/x/net/http/httpproxy", "n\x03\x96\x01\x10\x05\x01\x18\x14\r"},
-	{"vendor/golang.org/x/net/http2/hpack", "\x03k\x03\x80\x01F"},
-	{"vendor/golang.org/x/net/idna", "q\x8c\x018\x14\x10\x02\x01"},
-	{"vendor/golang.org/x/net/nettest", "\x03d\a\x03\x80\x01\x11\x05\x16\x01\f\n\x01\x02\x02\x01\v"},
-	{"vendor/golang.org/x/sys/cpu", "\x9d\x02\r\n\x01\x16"},
-	{"vendor/golang.org/x/text/secure/bidirule", "n\xdb\x01\x11\x01"},
-	{"vendor/golang.org/x/text/transform", "\x03k\x83\x01X"},
-	{"vendor/golang.org/x/text/unicode/bidi", "\x03\bf\x84\x01>\x16"},
-	{"vendor/golang.org/x/text/unicode/norm", "g\n\x80\x01F\x12\x11"},
-	{"weak", "\x94\x01\x96\x01!"},
+	{"vendor/golang.org/x/crypto/internal/alias", "\xd3\x02"},
+	{"vendor/golang.org/x/crypto/internal/poly1305", "W\x15\x9c\x01"},
+	{"vendor/golang.org/x/net/dns/dnsmessage", "s\xc7\x01"},
+	{"vendor/golang.org/x/net/http/httpguts", "\x8f\x02\x14\x1a\x14\r"},
+	{"vendor/golang.org/x/net/http/httpproxy", "s\x03\x99\x01\x10\x05\x01\x18\x14\r"},
+	{"vendor/golang.org/x/net/http2/hpack", "\x03p\x03\x83\x01F"},
+	{"vendor/golang.org/x/net/idna", "v\x8f\x018\x14\x10\x02\x01"},
+	{"vendor/golang.org/x/net/nettest", "\x03i\a\x03\x83\x01\x11\x05\x16\x01\f\n\x01\x02\x02\x01\v"},
+	{"vendor/golang.org/x/sys/cpu", "\xa5\x02\r\n\x01\x16"},
+	{"vendor/golang.org/x/text/secure/bidirule", "s\xde\x01\x11\x01"},
+	{"vendor/golang.org/x/text/transform", "\x03p\x86\x01X"},
+	{"vendor/golang.org/x/text/unicode/bidi", "\x03\bk\x87\x01>\x16"},
+	{"vendor/golang.org/x/text/unicode/norm", "l\n\x83\x01F\x12\x11"},
+	{"weak", "\x9a\x01\x98\x01!"},
 }
+
+// bootstrap is the list of bootstrap packages extracted from cmd/dist.
+var bootstrap = map[string]bool{
+	"cmp":                                     true,
+	"cmd/asm":                                 true,
+	"cmd/asm/internal/arch":                   true,
+	"cmd/asm/internal/asm":                    true,
+	"cmd/asm/internal/flags":                  true,
+	"cmd/asm/internal/lex":                    true,
+	"cmd/cgo":                                 true,
+	"cmd/compile":                             true,
+	"cmd/compile/internal/abi":                true,
+	"cmd/compile/internal/abt":                true,
+	"cmd/compile/internal/amd64":              true,
+	"cmd/compile/internal/arm":                true,
+	"cmd/compile/internal/arm64":              true,
+	"cmd/compile/internal/base":               true,
+	"cmd/compile/internal/bitvec":             true,
+	"cmd/compile/internal/bloop":              true,
+	"cmd/compile/internal/compare":            true,
+	"cmd/compile/internal/coverage":           true,
+	"cmd/compile/internal/deadlocals":         true,
+	"cmd/compile/internal/devirtualize":       true,
+	"cmd/compile/internal/dwarfgen":           true,
+	"cmd/compile/internal/escape":             true,
+	"cmd/compile/internal/gc":                 true,
+	"cmd/compile/internal/importer":           true,
+	"cmd/compile/internal/inline":             true,
+	"cmd/compile/internal/inline/inlheur":     true,
+	"cmd/compile/internal/inline/interleaved": true,
+	"cmd/compile/internal/ir":                 true,
+	"cmd/compile/internal/liveness":           true,
+	"cmd/compile/internal/logopt":             true,
+	"cmd/compile/internal/loong64":            true,
+	"cmd/compile/internal/loopvar":            true,
+	"cmd/compile/internal/mips":               true,
+	"cmd/compile/internal/mips64":             true,
+	"cmd/compile/internal/noder":              true,
+	"cmd/compile/internal/objw":               true,
+	"cmd/compile/internal/pgoir":              true,
+	"cmd/compile/internal/pkginit":            true,
+	"cmd/compile/internal/ppc64":              true,
+	"cmd/compile/internal/rangefunc":          true,
+	"cmd/compile/internal/reflectdata":        true,
+	"cmd/compile/internal/riscv64":            true,
+	"cmd/compile/internal/rttype":             true,
+	"cmd/compile/internal/s390x":              true,
+	"cmd/compile/internal/slice":              true,
+	"cmd/compile/internal/ssa":                true,
+	"cmd/compile/internal/ssagen":             true,
+	"cmd/compile/internal/staticdata":         true,
+	"cmd/compile/internal/staticinit":         true,
+	"cmd/compile/internal/syntax":             true,
+	"cmd/compile/internal/test":               true,
+	"cmd/compile/internal/typebits":           true,
+	"cmd/compile/internal/typecheck":          true,
+	"cmd/compile/internal/types":              true,
+	"cmd/compile/internal/types2":             true,
+	"cmd/compile/internal/walk":               true,
+	"cmd/compile/internal/wasm":               true,
+	"cmd/compile/internal/x86":                true,
+	"cmd/internal/archive":                    true,
+	"cmd/internal/bio":                        true,
+	"cmd/internal/codesign":                   true,
+	"cmd/internal/dwarf":                      true,
+	"cmd/internal/edit":                       true,
+	"cmd/internal/gcprog":                     true,
+	"cmd/internal/goobj":                      true,
+	"cmd/internal/hash":                       true,
+	"cmd/internal/macho":                      true,
+	"cmd/internal/obj":                        true,
+	"cmd/internal/obj/arm":                    true,
+	"cmd/internal/obj/arm64":                  true,
+	"cmd/internal/obj/loong64":                true,
+	"cmd/internal/obj/mips":                   true,
+	"cmd/internal/obj/ppc64":                  true,
+	"cmd/internal/obj/riscv":                  true,
+	"cmd/internal/obj/s390x":                  true,
+	"cmd/internal/obj/wasm":                   true,
+	"cmd/internal/obj/x86":                    true,
+	"cmd/internal/objabi":                     true,
+	"cmd/internal/par":                        true,
+	"cmd/internal/pgo":                        true,
+	"cmd/internal/pkgpath":                    true,
+	"cmd/internal/quoted":                     true,
+	"cmd/internal/src":                        true,
+	"cmd/internal/sys":                        true,
+	"cmd/internal/telemetry":                  true,
+	"cmd/internal/telemetry/counter":          true,
+	"cmd/link":                                true,
+	"cmd/link/internal/amd64":                 true,
+	"cmd/link/internal/arm":                   true,
+	"cmd/link/internal/arm64":                 true,
+	"cmd/link/internal/benchmark":             true,
+	"cmd/link/internal/dwtest":                true,
+	"cmd/link/internal/ld":                    true,
+	"cmd/link/internal/loadelf":               true,
+	"cmd/link/internal/loader":                true,
+	"cmd/link/internal/loadmacho":             true,
+	"cmd/link/internal/loadpe":                true,
+	"cmd/link/internal/loadxcoff":             true,
+	"cmd/link/internal/loong64":               true,
+	"cmd/link/internal/mips":                  true,
+	"cmd/link/internal/mips64":                true,
+	"cmd/link/internal/ppc64":                 true,
+	"cmd/link/internal/riscv64":               true,
+	"cmd/link/internal/s390x":                 true,
+	"cmd/link/internal/sym":                   true,
+	"cmd/link/internal/wasm":                  true,
+	"cmd/link/internal/x86":                   true,
+	"compress/flate":                          true,
+	"compress/zlib":                           true,
+	"container/heap":                          true,
+	"debug/dwarf":                             true,
+	"debug/elf":                               true,
+	"debug/macho":                             true,
+	"debug/pe":                                true,
+	"go/build/constraint":                     true,
+	"go/constant":                             true,
+	"go/version":                              true,
+	"internal/abi":                            true,
+	"internal/coverage":                       true,
+	"cmd/internal/cov/covcmd":                 true,
+	"internal/bisect":                         true,
+	"internal/buildcfg":                       true,
+	"internal/exportdata":                     true,
+	"internal/goarch":                         true,
+	"internal/godebugs":                       true,
+	"internal/goexperiment":                   true,
+	"internal/goroot":                         true,
+	"internal/gover":                          true,
+	"internal/goversion":                      true,
+	"internal/lazyregexp":                     true,
+	"internal/pkgbits":                        true,
+	"internal/platform":                       true,
+	"internal/profile":                        true,
+	"internal/race":                           true,
+	"internal/runtime/gc":                     true,
+	"internal/saferio":                        true,
+	"internal/syscall/unix":                   true,
+	"internal/types/errors":                   true,
+	"internal/unsafeheader":                   true,
+	"internal/xcoff":                          true,
+	"internal/zstd":                           true,
+	"math/bits":                               true,
+	"sort":                                    true,
+}
+
+// BootstrapVersion is the minor version of Go used during toolchain
+// bootstrapping. Packages for which [IsBootstrapPackage] must not use
+// features of Go newer than this version.
+const BootstrapVersion = Version(24) // go1.24.6
diff --git a/vendor/golang.org/x/tools/internal/stdlib/import.go b/vendor/golang.org/x/tools/internal/stdlib/import.go
index f6909878a8..8ecc672b8b 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/import.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/import.go
@@ -87,3 +87,11 @@ func find(pkg string) (int, bool) {
 		return strings.Compare(p.name, n)
 	})
 }
+
+// IsBootstrapPackage reports whether pkg is one of the low-level
+// packages in the Go distribution that must compile with the older
+// language version specified by [BootstrapVersion] during toolchain
+// bootstrapping; see golang.org/s/go15bootstrap.
+func IsBootstrapPackage(pkg string) bool {
+	return bootstrap[pkg]
+}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/manifest.go b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
index c1faa50d36..f1e24625a7 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/manifest.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
@@ -16,6 +16,14 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Writer).Flush", Method, 0, ""},
 		{"(*Writer).Write", Method, 0, ""},
 		{"(*Writer).WriteHeader", Method, 0, ""},
+		{"(FileInfoNames).Gname", Method, 23, ""},
+		{"(FileInfoNames).IsDir", Method, 23, ""},
+		{"(FileInfoNames).ModTime", Method, 23, ""},
+		{"(FileInfoNames).Mode", Method, 23, ""},
+		{"(FileInfoNames).Name", Method, 23, ""},
+		{"(FileInfoNames).Size", Method, 23, ""},
+		{"(FileInfoNames).Sys", Method, 23, ""},
+		{"(FileInfoNames).Uname", Method, 23, ""},
 		{"(Format).String", Method, 10, ""},
 		{"ErrFieldTooLong", Var, 0, ""},
 		{"ErrHeader", Var, 0, ""},
@@ -225,6 +233,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Buffer).Grow", Method, 1, ""},
 		{"(*Buffer).Len", Method, 0, ""},
 		{"(*Buffer).Next", Method, 0, ""},
+		{"(*Buffer).Peek", Method, 26, ""},
 		{"(*Buffer).Read", Method, 0, ""},
 		{"(*Buffer).ReadByte", Method, 0, ""},
 		{"(*Buffer).ReadBytes", Method, 0, ""},
@@ -337,6 +346,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Writer).Write", Method, 0, ""},
 		{"(CorruptInputError).Error", Method, 0, ""},
 		{"(InternalError).Error", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(Reader).ReadByte", Method, 0, ""},
+		{"(Resetter).Reset", Method, 4, ""},
 		{"BestCompression", Const, 0, ""},
 		{"BestSpeed", Const, 0, ""},
 		{"CorruptInputError", Type, 0, ""},
@@ -408,6 +420,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Writer).Flush", Method, 0, ""},
 		{"(*Writer).Reset", Method, 2, ""},
 		{"(*Writer).Write", Method, 0, ""},
+		{"(Resetter).Reset", Method, 4, ""},
 		{"BestCompression", Const, 0, ""},
 		{"BestSpeed", Const, 0, ""},
 		{"DefaultCompression", Const, 0, ""},
@@ -425,6 +438,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"Writer", Type, 0, ""},
 	},
 	"container/heap": {
+		{"(Interface).Len", Method, 0, ""},
+		{"(Interface).Less", Method, 0, ""},
+		{"(Interface).Pop", Method, 0, ""},
+		{"(Interface).Push", Method, 0, ""},
+		{"(Interface).Swap", Method, 0, ""},
 		{"Fix", Func, 2, "func(h Interface, i int)"},
 		{"Init", Func, 0, "func(h Interface)"},
 		{"Interface", Type, 0, ""},
@@ -468,6 +486,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"Ring.Value", Field, 0, ""},
 	},
 	"context": {
+		{"(Context).Deadline", Method, 7, ""},
+		{"(Context).Done", Method, 7, ""},
+		{"(Context).Err", Method, 7, ""},
+		{"(Context).Value", Method, 7, ""},
 		{"AfterFunc", Func, 21, "func(ctx Context, f func()) (stop func() bool)"},
 		{"Background", Func, 7, "func() Context"},
 		{"CancelCauseFunc", Type, 20, ""},
@@ -487,17 +509,31 @@ var PackageSymbols = map[string][]Symbol{
 		{"WithoutCancel", Func, 21, "func(parent Context) Context"},
 	},
 	"crypto": {
+		{"(Decapsulator).Decapsulate", Method, 26, ""},
+		{"(Decapsulator).Encapsulator", Method, 26, ""},
+		{"(Decrypter).Decrypt", Method, 5, ""},
+		{"(Decrypter).Public", Method, 5, ""},
+		{"(Encapsulator).Bytes", Method, 26, ""},
+		{"(Encapsulator).Encapsulate", Method, 26, ""},
 		{"(Hash).Available", Method, 0, ""},
 		{"(Hash).HashFunc", Method, 4, ""},
 		{"(Hash).New", Method, 0, ""},
 		{"(Hash).Size", Method, 0, ""},
 		{"(Hash).String", Method, 15, ""},
+		{"(MessageSigner).Public", Method, 25, ""},
+		{"(MessageSigner).Sign", Method, 25, ""},
+		{"(MessageSigner).SignMessage", Method, 25, ""},
+		{"(Signer).Public", Method, 4, ""},
+		{"(Signer).Sign", Method, 4, ""},
+		{"(SignerOpts).HashFunc", Method, 4, ""},
 		{"BLAKE2b_256", Const, 9, ""},
 		{"BLAKE2b_384", Const, 9, ""},
 		{"BLAKE2b_512", Const, 9, ""},
 		{"BLAKE2s_256", Const, 9, ""},
+		{"Decapsulator", Type, 26, ""},
 		{"Decrypter", Type, 5, ""},
 		{"DecrypterOpts", Type, 5, ""},
+		{"Encapsulator", Type, 26, ""},
 		{"Hash", Type, 0, ""},
 		{"MD4", Const, 0, ""},
 		{"MD5", Const, 0, ""},
@@ -529,6 +565,16 @@ var PackageSymbols = map[string][]Symbol{
 		{"NewCipher", Func, 0, "func(key []byte) (cipher.Block, error)"},
 	},
 	"crypto/cipher": {
+		{"(AEAD).NonceSize", Method, 2, ""},
+		{"(AEAD).Open", Method, 2, ""},
+		{"(AEAD).Overhead", Method, 2, ""},
+		{"(AEAD).Seal", Method, 2, ""},
+		{"(Block).BlockSize", Method, 0, ""},
+		{"(Block).Decrypt", Method, 0, ""},
+		{"(Block).Encrypt", Method, 0, ""},
+		{"(BlockMode).BlockSize", Method, 0, ""},
+		{"(BlockMode).CryptBlocks", Method, 0, ""},
+		{"(Stream).XORKeyStream", Method, 0, ""},
 		{"(StreamReader).Read", Method, 0, ""},
 		{"(StreamWriter).Close", Method, 0, ""},
 		{"(StreamWriter).Write", Method, 0, ""},
@@ -593,7 +639,13 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*PublicKey).Bytes", Method, 20, ""},
 		{"(*PublicKey).Curve", Method, 20, ""},
 		{"(*PublicKey).Equal", Method, 20, ""},
-		{"Curve", Type, 20, ""},
+		{"(Curve).GenerateKey", Method, 20, ""},
+		{"(Curve).NewPrivateKey", Method, 20, ""},
+		{"(Curve).NewPublicKey", Method, 20, ""},
+		{"(KeyExchanger).Curve", Method, 26, ""},
+		{"(KeyExchanger).ECDH", Method, 26, ""},
+		{"(KeyExchanger).PublicKey", Method, 26, ""},
+		{"KeyExchanger", Type, 26, ""},
 		{"P256", Func, 20, "func() Curve"},
 		{"P384", Func, 20, "func() Curve"},
 		{"P521", Func, 20, "func() Curve"},
@@ -666,6 +718,12 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*CurveParams).Params", Method, 0, ""},
 		{"(*CurveParams).ScalarBaseMult", Method, 0, ""},
 		{"(*CurveParams).ScalarMult", Method, 0, ""},
+		{"(Curve).Add", Method, 0, ""},
+		{"(Curve).Double", Method, 0, ""},
+		{"(Curve).IsOnCurve", Method, 0, ""},
+		{"(Curve).Params", Method, 0, ""},
+		{"(Curve).ScalarBaseMult", Method, 0, ""},
+		{"(Curve).ScalarMult", Method, 0, ""},
 		{"Curve", Type, 0, ""},
 		{"CurveParams", Type, 0, ""},
 		{"CurveParams.B", Field, 0, ""},
@@ -687,6 +745,7 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"crypto/fips140": {
 		{"Enabled", Func, 24, "func() bool"},
+		{"Version", Func, 26, "func() string"},
 	},
 	"crypto/hkdf": {
 		{"Expand", Func, 24, "func[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLength int) ([]byte, error)"},
@@ -707,9 +766,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*DecapsulationKey1024).Bytes", Method, 24, ""},
 		{"(*DecapsulationKey1024).Decapsulate", Method, 24, ""},
 		{"(*DecapsulationKey1024).EncapsulationKey", Method, 24, ""},
+		{"(*DecapsulationKey1024).Encapsulator", Method, 26, ""},
 		{"(*DecapsulationKey768).Bytes", Method, 24, ""},
 		{"(*DecapsulationKey768).Decapsulate", Method, 24, ""},
 		{"(*DecapsulationKey768).EncapsulationKey", Method, 24, ""},
+		{"(*DecapsulationKey768).Encapsulator", Method, 26, ""},
 		{"(*EncapsulationKey1024).Bytes", Method, 24, ""},
 		{"(*EncapsulationKey1024).Encapsulate", Method, 24, ""},
 		{"(*EncapsulationKey768).Bytes", Method, 24, ""},
@@ -731,6 +792,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"SeedSize", Const, 24, ""},
 		{"SharedKeySize", Const, 24, ""},
 	},
+	"crypto/mlkem/mlkemtest": {
+		{"Encapsulate1024", Func, 26, "func(ek *mlkem.EncapsulationKey1024, random []byte) (sharedKey []byte, ciphertext []byte, err error)"},
+		{"Encapsulate768", Func, 26, "func(ek *mlkem.EncapsulationKey768, random []byte) (sharedKey []byte, ciphertext []byte, err error)"},
+	},
 	"crypto/pbkdf2": {
 		{"Key", Func, 24, "func[Hash hash.Hash](h func() Hash, password string, salt []byte, iter int, keyLength int) ([]byte, error)"},
 	},
@@ -768,6 +833,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"DecryptPKCS1v15", Func, 0, "func(random io.Reader, priv *PrivateKey, ciphertext []byte) ([]byte, error)"},
 		{"DecryptPKCS1v15SessionKey", Func, 0, "func(random io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error"},
 		{"EncryptOAEP", Func, 0, "func(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error)"},
+		{"EncryptOAEPWithOptions", Func, 26, "func(random io.Reader, pub *PublicKey, msg []byte, opts *OAEPOptions) ([]byte, error)"},
 		{"EncryptPKCS1v15", Func, 0, "func(random io.Reader, pub *PublicKey, msg []byte) ([]byte, error)"},
 		{"ErrDecryption", Var, 0, ""},
 		{"ErrMessageTooLong", Var, 0, ""},
@@ -920,6 +986,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*SessionState).Bytes", Method, 21, ""},
 		{"(AlertError).Error", Method, 21, ""},
 		{"(ClientAuthType).String", Method, 15, ""},
+		{"(ClientSessionCache).Get", Method, 3, ""},
+		{"(ClientSessionCache).Put", Method, 3, ""},
 		{"(CurveID).String", Method, 15, ""},
 		{"(QUICEncryptionLevel).String", Method, 21, ""},
 		{"(RecordHeaderError).Error", Method, 6, ""},
@@ -952,6 +1020,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ClientHelloInfo.CipherSuites", Field, 4, ""},
 		{"ClientHelloInfo.Conn", Field, 8, ""},
 		{"ClientHelloInfo.Extensions", Field, 24, ""},
+		{"ClientHelloInfo.HelloRetryRequest", Field, 26, ""},
 		{"ClientHelloInfo.ServerName", Field, 4, ""},
 		{"ClientHelloInfo.SignatureSchemes", Field, 8, ""},
 		{"ClientHelloInfo.SupportedCurves", Field, 4, ""},
@@ -1000,6 +1069,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ConnectionState.DidResume", Field, 1, ""},
 		{"ConnectionState.ECHAccepted", Field, 23, ""},
 		{"ConnectionState.HandshakeComplete", Field, 0, ""},
+		{"ConnectionState.HelloRetryRequest", Field, 26, ""},
 		{"ConnectionState.NegotiatedProtocol", Field, 0, ""},
 		{"ConnectionState.NegotiatedProtocolIsMutual", Field, 0, ""},
 		{"ConnectionState.OCSPResponse", Field, 5, ""},
@@ -1054,8 +1124,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"QUICEncryptionLevelEarly", Const, 21, ""},
 		{"QUICEncryptionLevelHandshake", Const, 21, ""},
 		{"QUICEncryptionLevelInitial", Const, 21, ""},
+		{"QUICErrorEvent", Const, 26, ""},
 		{"QUICEvent", Type, 21, ""},
 		{"QUICEvent.Data", Field, 21, ""},
+		{"QUICEvent.Err", Field, 26, ""},
 		{"QUICEvent.Kind", Field, 21, ""},
 		{"QUICEvent.Level", Field, 21, ""},
 		{"QUICEvent.SessionState", Field, 23, ""},
@@ -1150,8 +1222,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*RevocationList).CheckSignatureFrom", Method, 19, ""},
 		{"(CertificateInvalidError).Error", Method, 0, ""},
 		{"(ConstraintViolationError).Error", Method, 0, ""},
+		{"(ExtKeyUsage).String", Method, 26, ""},
 		{"(HostnameError).Error", Method, 0, ""},
 		{"(InsecureAlgorithmError).Error", Method, 6, ""},
+		{"(KeyUsage).String", Method, 26, ""},
 		{"(OID).AppendBinary", Method, 24, ""},
 		{"(OID).AppendText", Method, 24, ""},
 		{"(OID).Equal", Method, 22, ""},
@@ -1515,6 +1589,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"(NullInt64).Value", Method, 0, ""},
 		{"(NullString).Value", Method, 0, ""},
 		{"(NullTime).Value", Method, 13, ""},
+		{"(Result).LastInsertId", Method, 0, ""},
+		{"(Result).RowsAffected", Method, 0, ""},
+		{"(Scanner).Scan", Method, 0, ""},
 		{"ColumnType", Type, 8, ""},
 		{"Conn", Type, 9, ""},
 		{"DB", Type, 0, ""},
@@ -1546,8 +1623,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"NamedArg.Name", Field, 8, ""},
 		{"NamedArg.Value", Field, 8, ""},
 		{"Null", Type, 22, ""},
-		{"Null.V", Field, 22, ""},
-		{"Null.Valid", Field, 22, ""},
 		{"NullBool", Type, 0, ""},
 		{"NullBool.Bool", Field, 0, ""},
 		{"NullBool.Valid", Field, 0, ""},
@@ -1590,10 +1665,72 @@ var PackageSymbols = map[string][]Symbol{
 		{"TxOptions.ReadOnly", Field, 8, ""},
 	},
 	"database/sql/driver": {
+		{"(ColumnConverter).ColumnConverter", Method, 0, ""},
+		{"(Conn).Begin", Method, 0, ""},
+		{"(Conn).Close", Method, 0, ""},
+		{"(Conn).Prepare", Method, 0, ""},
+		{"(ConnBeginTx).BeginTx", Method, 8, ""},
+		{"(ConnPrepareContext).PrepareContext", Method, 8, ""},
+		{"(Connector).Connect", Method, 10, ""},
+		{"(Connector).Driver", Method, 10, ""},
+		{"(Driver).Open", Method, 0, ""},
+		{"(DriverContext).OpenConnector", Method, 10, ""},
+		{"(Execer).Exec", Method, 0, ""},
+		{"(ExecerContext).ExecContext", Method, 8, ""},
+		{"(NamedValueChecker).CheckNamedValue", Method, 9, ""},
 		{"(NotNull).ConvertValue", Method, 0, ""},
 		{"(Null).ConvertValue", Method, 0, ""},
+		{"(Pinger).Ping", Method, 8, ""},
+		{"(Queryer).Query", Method, 1, ""},
+		{"(QueryerContext).QueryContext", Method, 8, ""},
+		{"(Result).LastInsertId", Method, 0, ""},
+		{"(Result).RowsAffected", Method, 0, ""},
+		{"(Rows).Close", Method, 0, ""},
+		{"(Rows).Columns", Method, 0, ""},
+		{"(Rows).Next", Method, 0, ""},
 		{"(RowsAffected).LastInsertId", Method, 0, ""},
 		{"(RowsAffected).RowsAffected", Method, 0, ""},
+		{"(RowsColumnScanner).Close", Method, 26, ""},
+		{"(RowsColumnScanner).Columns", Method, 26, ""},
+		{"(RowsColumnScanner).Next", Method, 26, ""},
+		{"(RowsColumnScanner).ScanColumn", Method, 26, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Close", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).ColumnTypeDatabaseTypeName", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Columns", Method, 8, ""},
+		{"(RowsColumnTypeDatabaseTypeName).Next", Method, 8, ""},
+		{"(RowsColumnTypeLength).Close", Method, 8, ""},
+		{"(RowsColumnTypeLength).ColumnTypeLength", Method, 8, ""},
+		{"(RowsColumnTypeLength).Columns", Method, 8, ""},
+		{"(RowsColumnTypeLength).Next", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Close", Method, 8, ""},
+		{"(RowsColumnTypeNullable).ColumnTypeNullable", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Columns", Method, 8, ""},
+		{"(RowsColumnTypeNullable).Next", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Close", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).ColumnTypePrecisionScale", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Columns", Method, 8, ""},
+		{"(RowsColumnTypePrecisionScale).Next", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Close", Method, 8, ""},
+		{"(RowsColumnTypeScanType).ColumnTypeScanType", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Columns", Method, 8, ""},
+		{"(RowsColumnTypeScanType).Next", Method, 8, ""},
+		{"(RowsNextResultSet).Close", Method, 8, ""},
+		{"(RowsNextResultSet).Columns", Method, 8, ""},
+		{"(RowsNextResultSet).HasNextResultSet", Method, 8, ""},
+		{"(RowsNextResultSet).Next", Method, 8, ""},
+		{"(RowsNextResultSet).NextResultSet", Method, 8, ""},
+		{"(SessionResetter).ResetSession", Method, 10, ""},
+		{"(Stmt).Close", Method, 0, ""},
+		{"(Stmt).Exec", Method, 0, ""},
+		{"(Stmt).NumInput", Method, 0, ""},
+		{"(Stmt).Query", Method, 0, ""},
+		{"(StmtExecContext).ExecContext", Method, 8, ""},
+		{"(StmtQueryContext).QueryContext", Method, 8, ""},
+		{"(Tx).Commit", Method, 0, ""},
+		{"(Tx).Rollback", Method, 0, ""},
+		{"(Validator).IsValid", Method, 15, ""},
+		{"(ValueConverter).ConvertValue", Method, 0, ""},
+		{"(Valuer).Value", Method, 0, ""},
 		{"Bool", Var, 0, ""},
 		{"ColumnConverter", Type, 0, ""},
 		{"Conn", Type, 0, ""},
@@ -1628,6 +1765,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ResultNoRows", Var, 0, ""},
 		{"Rows", Type, 0, ""},
 		{"RowsAffected", Type, 0, ""},
+		{"RowsColumnScanner", Type, 26, ""},
 		{"RowsColumnTypeDatabaseTypeName", Type, 8, ""},
 		{"RowsColumnTypeLength", Type, 8, ""},
 		{"RowsColumnTypeNullable", Type, 8, ""},
@@ -1754,6 +1892,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"(DecodeError).Error", Method, 0, ""},
 		{"(Tag).GoString", Method, 0, ""},
 		{"(Tag).String", Method, 0, ""},
+		{"(Type).Common", Method, 0, ""},
+		{"(Type).Size", Method, 0, ""},
+		{"(Type).String", Method, 0, ""},
 		{"AddrType", Type, 0, ""},
 		{"AddrType.BasicType", Field, 0, ""},
 		{"ArrayType", Type, 0, ""},
@@ -3161,6 +3302,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"R_LARCH_B16", Const, 20, ""},
 		{"R_LARCH_B21", Const, 20, ""},
 		{"R_LARCH_B26", Const, 20, ""},
+		{"R_LARCH_CALL36", Const, 26, ""},
 		{"R_LARCH_CFA", Const, 22, ""},
 		{"R_LARCH_COPY", Const, 19, ""},
 		{"R_LARCH_DELETE", Const, 22, ""},
@@ -3218,11 +3360,25 @@ var PackageSymbols = map[string][]Symbol{
 		{"R_LARCH_SUB64", Const, 19, ""},
 		{"R_LARCH_SUB8", Const, 19, ""},
 		{"R_LARCH_SUB_ULEB128", Const, 22, ""},
+		{"R_LARCH_TLS_DESC32", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_HI12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_LO20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_PC_HI12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC64_PC_LO20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_CALL", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_HI20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_LD", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_LO12", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PCREL20_S2", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PC_HI20", Const, 26, ""},
+		{"R_LARCH_TLS_DESC_PC_LO12", Const, 26, ""},
 		{"R_LARCH_TLS_DTPMOD32", Const, 19, ""},
 		{"R_LARCH_TLS_DTPMOD64", Const, 19, ""},
 		{"R_LARCH_TLS_DTPREL32", Const, 19, ""},
 		{"R_LARCH_TLS_DTPREL64", Const, 19, ""},
 		{"R_LARCH_TLS_GD_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_GD_PCREL20_S2", Const, 26, ""},
 		{"R_LARCH_TLS_GD_PC_HI20", Const, 20, ""},
 		{"R_LARCH_TLS_IE64_HI12", Const, 20, ""},
 		{"R_LARCH_TLS_IE64_LO20", Const, 20, ""},
@@ -3233,11 +3389,15 @@ var PackageSymbols = map[string][]Symbol{
 		{"R_LARCH_TLS_IE_PC_HI20", Const, 20, ""},
 		{"R_LARCH_TLS_IE_PC_LO12", Const, 20, ""},
 		{"R_LARCH_TLS_LD_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_LD_PCREL20_S2", Const, 26, ""},
 		{"R_LARCH_TLS_LD_PC_HI20", Const, 20, ""},
 		{"R_LARCH_TLS_LE64_HI12", Const, 20, ""},
 		{"R_LARCH_TLS_LE64_LO20", Const, 20, ""},
+		{"R_LARCH_TLS_LE_ADD_R", Const, 26, ""},
 		{"R_LARCH_TLS_LE_HI20", Const, 20, ""},
+		{"R_LARCH_TLS_LE_HI20_R", Const, 26, ""},
 		{"R_LARCH_TLS_LE_LO12", Const, 20, ""},
+		{"R_LARCH_TLS_LE_LO12_R", Const, 26, ""},
 		{"R_LARCH_TLS_TPREL32", Const, 19, ""},
 		{"R_LARCH_TLS_TPREL64", Const, 19, ""},
 		{"R_MIPS", Type, 6, ""},
@@ -3942,6 +4102,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(FatArch).ImportedSymbols", Method, 3, ""},
 		{"(FatArch).Section", Method, 3, ""},
 		{"(FatArch).Segment", Method, 3, ""},
+		{"(Load).Raw", Method, 0, ""},
 		{"(LoadBytes).Raw", Method, 0, ""},
 		{"(LoadCmd).GoString", Method, 0, ""},
 		{"(LoadCmd).String", Method, 0, ""},
@@ -4588,6 +4749,12 @@ var PackageSymbols = map[string][]Symbol{
 		{"FS", Type, 16, ""},
 	},
 	"encoding": {
+		{"(BinaryAppender).AppendBinary", Method, 24, ""},
+		{"(BinaryMarshaler).MarshalBinary", Method, 2, ""},
+		{"(BinaryUnmarshaler).UnmarshalBinary", Method, 2, ""},
+		{"(TextAppender).AppendText", Method, 24, ""},
+		{"(TextMarshaler).MarshalText", Method, 2, ""},
+		{"(TextUnmarshaler).UnmarshalText", Method, 2, ""},
 		{"BinaryAppender", Type, 24, ""},
 		{"BinaryMarshaler", Type, 2, ""},
 		{"BinaryUnmarshaler", Type, 2, ""},
@@ -4703,6 +4870,17 @@ var PackageSymbols = map[string][]Symbol{
 		{"URLEncoding", Var, 0, ""},
 	},
 	"encoding/binary": {
+		{"(AppendByteOrder).AppendUint16", Method, 19, ""},
+		{"(AppendByteOrder).AppendUint32", Method, 19, ""},
+		{"(AppendByteOrder).AppendUint64", Method, 19, ""},
+		{"(AppendByteOrder).String", Method, 19, ""},
+		{"(ByteOrder).PutUint16", Method, 0, ""},
+		{"(ByteOrder).PutUint32", Method, 0, ""},
+		{"(ByteOrder).PutUint64", Method, 0, ""},
+		{"(ByteOrder).String", Method, 0, ""},
+		{"(ByteOrder).Uint16", Method, 0, ""},
+		{"(ByteOrder).Uint32", Method, 0, ""},
+		{"(ByteOrder).Uint64", Method, 0, ""},
 		{"Append", Func, 23, "func(buf []byte, order ByteOrder, data any) ([]byte, error)"},
 		{"AppendByteOrder", Type, 19, ""},
 		{"AppendUvarint", Func, 19, "func(buf []byte, x uint64) []byte"},
@@ -4765,6 +4943,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Decoder).DecodeValue", Method, 0, ""},
 		{"(*Encoder).Encode", Method, 0, ""},
 		{"(*Encoder).EncodeValue", Method, 0, ""},
+		{"(GobDecoder).GobDecode", Method, 0, ""},
+		{"(GobEncoder).GobEncode", Method, 0, ""},
 		{"CommonType", Type, 0, ""},
 		{"CommonType.Id", Field, 0, ""},
 		{"CommonType.Name", Field, 0, ""},
@@ -4817,10 +4997,12 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*UnsupportedTypeError).Error", Method, 0, ""},
 		{"(*UnsupportedValueError).Error", Method, 0, ""},
 		{"(Delim).String", Method, 5, ""},
+		{"(Marshaler).MarshalJSON", Method, 0, ""},
 		{"(Number).Float64", Method, 1, ""},
 		{"(Number).Int64", Method, 1, ""},
 		{"(Number).String", Method, 1, ""},
 		{"(RawMessage).MarshalJSON", Method, 8, ""},
+		{"(Unmarshaler).UnmarshalJSON", Method, 0, ""},
 		{"Compact", Func, 0, "func(dst *bytes.Buffer, src []byte) error"},
 		{"Decoder", Type, 0, ""},
 		{"Delim", Type, 5, ""},
@@ -4892,10 +5074,15 @@ var PackageSymbols = map[string][]Symbol{
 		{"(CharData).Copy", Method, 0, ""},
 		{"(Comment).Copy", Method, 0, ""},
 		{"(Directive).Copy", Method, 0, ""},
+		{"(Marshaler).MarshalXML", Method, 2, ""},
+		{"(MarshalerAttr).MarshalXMLAttr", Method, 2, ""},
 		{"(ProcInst).Copy", Method, 0, ""},
 		{"(StartElement).Copy", Method, 0, ""},
 		{"(StartElement).End", Method, 2, ""},
+		{"(TokenReader).Token", Method, 10, ""},
 		{"(UnmarshalError).Error", Method, 0, ""},
+		{"(Unmarshaler).UnmarshalXML", Method, 2, ""},
+		{"(UnmarshalerAttr).UnmarshalXMLAttr", Method, 2, ""},
 		{"Attr", Type, 0, ""},
 		{"Attr.Name", Field, 0, ""},
 		{"Attr.Value", Field, 0, ""},
@@ -4953,6 +5140,7 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"errors": {
 		{"As", Func, 13, "func(err error, target any) bool"},
+		{"AsType", Func, 26, "func[E error](err error) (E, bool)"},
 		{"ErrUnsupported", Var, 21, ""},
 		{"Is", Func, 13, "func(err error, target error) bool"},
 		{"Join", Func, 20, "func(errs ...error) error"},
@@ -4981,6 +5169,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*String).Value", Method, 8, ""},
 		{"(Func).String", Method, 0, ""},
 		{"(Func).Value", Method, 8, ""},
+		{"(Var).String", Method, 0, ""},
 		{"Do", Func, 0, "func(f func(KeyValue))"},
 		{"Float", Type, 0, ""},
 		{"Func", Type, 0, ""},
@@ -5036,6 +5225,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*FlagSet).Var", Method, 0, ""},
 		{"(*FlagSet).Visit", Method, 0, ""},
 		{"(*FlagSet).VisitAll", Method, 0, ""},
+		{"(Getter).Get", Method, 2, ""},
+		{"(Getter).Set", Method, 2, ""},
+		{"(Getter).String", Method, 2, ""},
+		{"(Value).Set", Method, 0, ""},
+		{"(Value).String", Method, 0, ""},
 		{"Arg", Func, 0, "func(i int) string"},
 		{"Args", Func, 0, "func() []string"},
 		{"Bool", Func, 0, "func(name string, value bool, usage string) *bool"},
@@ -5087,10 +5281,24 @@ var PackageSymbols = map[string][]Symbol{
 		{"VisitAll", Func, 0, "func(fn func(*Flag))"},
 	},
 	"fmt": {
+		{"(Formatter).Format", Method, 0, ""},
+		{"(GoStringer).GoString", Method, 0, ""},
+		{"(ScanState).Read", Method, 0, ""},
+		{"(ScanState).ReadRune", Method, 0, ""},
+		{"(ScanState).SkipSpace", Method, 0, ""},
+		{"(ScanState).Token", Method, 0, ""},
+		{"(ScanState).UnreadRune", Method, 0, ""},
+		{"(ScanState).Width", Method, 0, ""},
+		{"(Scanner).Scan", Method, 0, ""},
+		{"(State).Flag", Method, 0, ""},
+		{"(State).Precision", Method, 0, ""},
+		{"(State).Width", Method, 0, ""},
+		{"(State).Write", Method, 0, ""},
+		{"(Stringer).String", Method, 0, ""},
 		{"Append", Func, 19, "func(b []byte, a ...any) []byte"},
 		{"Appendf", Func, 19, "func(b []byte, format string, a ...any) []byte"},
 		{"Appendln", Func, 19, "func(b []byte, a ...any) []byte"},
-		{"Errorf", Func, 0, "func(format string, a ...any) error"},
+		{"Errorf", Func, 0, "func(format string, a ...any) (err error)"},
 		{"FormatString", Func, 20, "func(state State, verb rune) string"},
 		{"Formatter", Type, 0, ""},
 		{"Fprint", Func, 0, "func(w io.Writer, a ...any) (n int, err error)"},
@@ -5155,6 +5363,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*DeclStmt).Pos", Method, 0, ""},
 		{"(*DeferStmt).End", Method, 0, ""},
 		{"(*DeferStmt).Pos", Method, 0, ""},
+		{"(*Directive).End", Method, 26, ""},
+		{"(*Directive).ParseArgs", Method, 26, ""},
+		{"(*Directive).Pos", Method, 26, ""},
 		{"(*Ellipsis).End", Method, 0, ""},
 		{"(*Ellipsis).Pos", Method, 0, ""},
 		{"(*EmptyStmt).End", Method, 0, ""},
@@ -5242,7 +5453,18 @@ var PackageSymbols = map[string][]Symbol{
 		{"(CommentMap).Filter", Method, 1, ""},
 		{"(CommentMap).String", Method, 1, ""},
 		{"(CommentMap).Update", Method, 1, ""},
+		{"(Decl).End", Method, 0, ""},
+		{"(Decl).Pos", Method, 0, ""},
+		{"(Expr).End", Method, 0, ""},
+		{"(Expr).Pos", Method, 0, ""},
+		{"(Node).End", Method, 0, ""},
+		{"(Node).Pos", Method, 0, ""},
 		{"(ObjKind).String", Method, 0, ""},
+		{"(Spec).End", Method, 0, ""},
+		{"(Spec).Pos", Method, 0, ""},
+		{"(Stmt).End", Method, 0, ""},
+		{"(Stmt).Pos", Method, 0, ""},
+		{"(Visitor).Visit", Method, 0, ""},
 		{"ArrayType", Type, 0, ""},
 		{"ArrayType.Elt", Field, 0, ""},
 		{"ArrayType.Lbrack", Field, 0, ""},
@@ -5265,6 +5487,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"BasicLit", Type, 0, ""},
 		{"BasicLit.Kind", Field, 0, ""},
 		{"BasicLit.Value", Field, 0, ""},
+		{"BasicLit.ValueEnd", Field, 26, ""},
 		{"BasicLit.ValuePos", Field, 0, ""},
 		{"BinaryExpr", Type, 0, ""},
 		{"BinaryExpr.Op", Field, 0, ""},
@@ -5314,19 +5537,26 @@ var PackageSymbols = map[string][]Symbol{
 		{"CompositeLit.Rbrace", Field, 0, ""},
 		{"CompositeLit.Type", Field, 0, ""},
 		{"Con", Const, 0, ""},
-		{"Decl", Type, 0, ""},
 		{"DeclStmt", Type, 0, ""},
 		{"DeclStmt.Decl", Field, 0, ""},
 		{"DeferStmt", Type, 0, ""},
 		{"DeferStmt.Call", Field, 0, ""},
 		{"DeferStmt.Defer", Field, 0, ""},
+		{"Directive", Type, 26, ""},
+		{"Directive.Args", Field, 26, ""},
+		{"Directive.ArgsPos", Field, 26, ""},
+		{"Directive.Name", Field, 26, ""},
+		{"Directive.Slash", Field, 26, ""},
+		{"Directive.Tool", Field, 26, ""},
+		{"DirectiveArg", Type, 26, ""},
+		{"DirectiveArg.Arg", Field, 26, ""},
+		{"DirectiveArg.Pos", Field, 26, ""},
 		{"Ellipsis", Type, 0, ""},
 		{"Ellipsis.Ellipsis", Field, 0, ""},
 		{"Ellipsis.Elt", Field, 0, ""},
 		{"EmptyStmt", Type, 0, ""},
 		{"EmptyStmt.Implicit", Field, 5, ""},
 		{"EmptyStmt.Semicolon", Field, 0, ""},
-		{"Expr", Type, 0, ""},
 		{"ExprStmt", Type, 0, ""},
 		{"ExprStmt.X", Field, 0, ""},
 		{"Field", Type, 0, ""},
@@ -5469,6 +5699,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ParenExpr.Lparen", Field, 0, ""},
 		{"ParenExpr.Rparen", Field, 0, ""},
 		{"ParenExpr.X", Field, 0, ""},
+		{"ParseDirective", Func, 26, "func(pos token.Pos, c string) (Directive, bool)"},
 		{"Pkg", Const, 0, ""},
 		{"Preorder", Func, 23, "func(root Node) iter.Seq[Node]"},
 		{"PreorderStack", Func, 25, "func(root Node, stack []Node, f func(n Node, stack []Node) bool)"},
@@ -5509,11 +5740,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"SliceExpr.Slice3", Field, 2, ""},
 		{"SliceExpr.X", Field, 0, ""},
 		{"SortImports", Func, 0, "func(fset *token.FileSet, f *File)"},
-		{"Spec", Type, 0, ""},
 		{"StarExpr", Type, 0, ""},
 		{"StarExpr.Star", Field, 0, ""},
 		{"StarExpr.X", Field, 0, ""},
-		{"Stmt", Type, 0, ""},
 		{"StructType", Type, 0, ""},
 		{"StructType.Fields", Field, 0, ""},
 		{"StructType.Incomplete", Field, 0, ""},
@@ -5668,10 +5897,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*SyntaxError).Error", Method, 16, ""},
 		{"(*TagExpr).Eval", Method, 16, ""},
 		{"(*TagExpr).String", Method, 16, ""},
+		{"(Expr).Eval", Method, 16, ""},
+		{"(Expr).String", Method, 16, ""},
 		{"AndExpr", Type, 16, ""},
 		{"AndExpr.X", Field, 16, ""},
 		{"AndExpr.Y", Field, 16, ""},
-		{"Expr", Type, 16, ""},
 		{"GoVersion", Func, 21, "func(x Expr) string"},
 		{"IsGoBuild", Func, 16, "func(line string) bool"},
 		{"IsPlusBuild", Func, 16, "func(line string) bool"},
@@ -5690,6 +5920,9 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"go/constant": {
 		{"(Kind).String", Method, 18, ""},
+		{"(Value).ExactString", Method, 6, ""},
+		{"(Value).Kind", Method, 5, ""},
+		{"(Value).String", Method, 5, ""},
 		{"BinaryOp", Func, 5, "func(x_ Value, op token.Token, y_ Value) Value"},
 		{"BitLen", Func, 5, "func(x Value) int"},
 		{"Bool", Const, 5, ""},
@@ -5728,7 +5961,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"UnaryOp", Func, 5, "func(op token.Token, y Value, prec uint) Value"},
 		{"Unknown", Const, 5, ""},
 		{"Val", Func, 13, "func(x Value) any"},
-		{"Value", Type, 5, ""},
 	},
 	"go/doc": {
 		{"(*Package).Filter", Method, 0, ""},
@@ -5812,7 +6044,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Printer).HTML", Method, 19, ""},
 		{"(*Printer).Markdown", Method, 19, ""},
 		{"(*Printer).Text", Method, 19, ""},
-		{"Block", Type, 19, ""},
 		{"Code", Type, 19, ""},
 		{"Code.Text", Field, 19, ""},
 		{"DefaultLookupPackage", Func, 19, "func(name string) (importPath string, ok bool)"},
@@ -5857,7 +6088,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"Printer.TextCodePrefix", Field, 19, ""},
 		{"Printer.TextPrefix", Field, 19, ""},
 		{"Printer.TextWidth", Field, 19, ""},
-		{"Text", Type, 19, ""},
 	},
 	"go/format": {
 		{"Node", Func, 1, "func(dst io.Writer, fset *token.FileSet, node any) error"},
@@ -5929,6 +6159,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*File).AddLineColumnInfo", Method, 11, ""},
 		{"(*File).AddLineInfo", Method, 0, ""},
 		{"(*File).Base", Method, 0, ""},
+		{"(*File).End", Method, 26, ""},
 		{"(*File).Line", Method, 0, ""},
 		{"(*File).LineCount", Method, 0, ""},
 		{"(*File).LineStart", Method, 12, ""},
@@ -6291,6 +6522,22 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Checker).PkgNameOf", Method, 22, ""},
 		{"(Checker).TypeOf", Method, 5, ""},
 		{"(Error).Error", Method, 5, ""},
+		{"(Importer).Import", Method, 5, ""},
+		{"(ImporterFrom).Import", Method, 6, ""},
+		{"(ImporterFrom).ImportFrom", Method, 6, ""},
+		{"(Object).Exported", Method, 5, ""},
+		{"(Object).Id", Method, 5, ""},
+		{"(Object).Name", Method, 5, ""},
+		{"(Object).Parent", Method, 5, ""},
+		{"(Object).Pkg", Method, 5, ""},
+		{"(Object).Pos", Method, 5, ""},
+		{"(Object).String", Method, 5, ""},
+		{"(Object).Type", Method, 5, ""},
+		{"(Sizes).Alignof", Method, 5, ""},
+		{"(Sizes).Offsetsof", Method, 5, ""},
+		{"(Sizes).Sizeof", Method, 5, ""},
+		{"(Type).String", Method, 5, ""},
+		{"(Type).Underlying", Method, 5, ""},
 		{"(TypeAndValue).Addressable", Method, 5, ""},
 		{"(TypeAndValue).Assignable", Method, 5, ""},
 		{"(TypeAndValue).HasOk", Method, 5, ""},
@@ -6429,7 +6676,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"NewUnion", Func, 18, "func(terms []*Term) *Union"},
 		{"NewVar", Func, 5, "func(pos token.Pos, pkg *Package, name string, typ Type) *Var"},
 		{"Nil", Type, 5, ""},
-		{"Object", Type, 5, ""},
 		{"ObjectString", Func, 5, "func(obj Object, qf Qualifier) string"},
 		{"Package", Type, 5, ""},
 		{"PackageVar", Const, 25, ""},
@@ -6500,6 +6746,33 @@ var PackageSymbols = map[string][]Symbol{
 		{"Lang", Func, 22, "func(x string) string"},
 	},
 	"hash": {
+		{"(Cloner).BlockSize", Method, 25, ""},
+		{"(Cloner).Clone", Method, 25, ""},
+		{"(Cloner).Reset", Method, 25, ""},
+		{"(Cloner).Size", Method, 25, ""},
+		{"(Cloner).Sum", Method, 25, ""},
+		{"(Cloner).Write", Method, 25, ""},
+		{"(Hash).BlockSize", Method, 0, ""},
+		{"(Hash).Reset", Method, 0, ""},
+		{"(Hash).Size", Method, 0, ""},
+		{"(Hash).Sum", Method, 0, ""},
+		{"(Hash).Write", Method, 0, ""},
+		{"(Hash32).BlockSize", Method, 0, ""},
+		{"(Hash32).Reset", Method, 0, ""},
+		{"(Hash32).Size", Method, 0, ""},
+		{"(Hash32).Sum", Method, 0, ""},
+		{"(Hash32).Sum32", Method, 0, ""},
+		{"(Hash32).Write", Method, 0, ""},
+		{"(Hash64).BlockSize", Method, 0, ""},
+		{"(Hash64).Reset", Method, 0, ""},
+		{"(Hash64).Size", Method, 0, ""},
+		{"(Hash64).Sum", Method, 0, ""},
+		{"(Hash64).Sum64", Method, 0, ""},
+		{"(Hash64).Write", Method, 0, ""},
+		{"(XOF).BlockSize", Method, 25, ""},
+		{"(XOF).Read", Method, 25, ""},
+		{"(XOF).Reset", Method, 25, ""},
+		{"(XOF).Write", Method, 25, ""},
 		{"Cloner", Type, 25, ""},
 		{"Hash", Type, 0, ""},
 		{"Hash32", Type, 0, ""},
@@ -6765,6 +7038,13 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*YCbCr).SubImage", Method, 0, ""},
 		{"(*YCbCr).YCbCrAt", Method, 4, ""},
 		{"(*YCbCr).YOffset", Method, 0, ""},
+		{"(Image).At", Method, 0, ""},
+		{"(Image).Bounds", Method, 0, ""},
+		{"(Image).ColorModel", Method, 0, ""},
+		{"(PalettedImage).At", Method, 0, ""},
+		{"(PalettedImage).Bounds", Method, 0, ""},
+		{"(PalettedImage).ColorIndexAt", Method, 0, ""},
+		{"(PalettedImage).ColorModel", Method, 0, ""},
 		{"(Point).Add", Method, 0, ""},
 		{"(Point).Div", Method, 0, ""},
 		{"(Point).Eq", Method, 0, ""},
@@ -6773,6 +7053,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Point).Mul", Method, 0, ""},
 		{"(Point).String", Method, 0, ""},
 		{"(Point).Sub", Method, 0, ""},
+		{"(RGBA64Image).At", Method, 17, ""},
+		{"(RGBA64Image).Bounds", Method, 17, ""},
+		{"(RGBA64Image).ColorModel", Method, 17, ""},
+		{"(RGBA64Image).RGBA64At", Method, 17, ""},
 		{"(Rectangle).Add", Method, 0, ""},
 		{"(Rectangle).At", Method, 5, ""},
 		{"(Rectangle).Bounds", Method, 5, ""},
@@ -6897,8 +7181,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Alpha).RGBA", Method, 0, ""},
 		{"(Alpha16).RGBA", Method, 0, ""},
 		{"(CMYK).RGBA", Method, 5, ""},
+		{"(Color).RGBA", Method, 0, ""},
 		{"(Gray).RGBA", Method, 0, ""},
 		{"(Gray16).RGBA", Method, 0, ""},
+		{"(Model).Convert", Method, 0, ""},
 		{"(NRGBA).RGBA", Method, 0, ""},
 		{"(NRGBA64).RGBA", Method, 0, ""},
 		{"(NYCbCrA).RGBA", Method, 6, ""},
@@ -6976,7 +7262,19 @@ var PackageSymbols = map[string][]Symbol{
 		{"WebSafe", Var, 2, ""},
 	},
 	"image/draw": {
+		{"(Drawer).Draw", Method, 2, ""},
+		{"(Image).At", Method, 0, ""},
+		{"(Image).Bounds", Method, 0, ""},
+		{"(Image).ColorModel", Method, 0, ""},
+		{"(Image).Set", Method, 0, ""},
 		{"(Op).Draw", Method, 2, ""},
+		{"(Quantizer).Quantize", Method, 2, ""},
+		{"(RGBA64Image).At", Method, 17, ""},
+		{"(RGBA64Image).Bounds", Method, 17, ""},
+		{"(RGBA64Image).ColorModel", Method, 17, ""},
+		{"(RGBA64Image).RGBA64At", Method, 17, ""},
+		{"(RGBA64Image).Set", Method, 17, ""},
+		{"(RGBA64Image).SetRGBA64", Method, 17, ""},
 		{"Draw", Func, 0, "func(dst Image, r image.Rectangle, src image.Image, sp image.Point, op Op)"},
 		{"DrawMask", Func, 0, "func(dst Image, r image.Rectangle, src image.Image, sp image.Point, mask image.Image, mp image.Point, op Op)"},
 		{"Drawer", Type, 2, ""},
@@ -7011,6 +7309,8 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"image/jpeg": {
 		{"(FormatError).Error", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(Reader).ReadByte", Method, 0, ""},
 		{"(UnsupportedError).Error", Method, 0, ""},
 		{"Decode", Func, 0, "func(r io.Reader) (image.Image, error)"},
 		{"DecodeConfig", Func, 0, "func(r io.Reader) (image.Config, error)"},
@@ -7024,6 +7324,8 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"image/png": {
 		{"(*Encoder).Encode", Method, 4, ""},
+		{"(EncoderBufferPool).Get", Method, 9, ""},
+		{"(EncoderBufferPool).Put", Method, 9, ""},
 		{"(FormatError).Error", Method, 0, ""},
 		{"(UnsupportedError).Error", Method, 0, ""},
 		{"BestCompression", Const, 4, ""},
@@ -7067,6 +7369,41 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*SectionReader).ReadAt", Method, 0, ""},
 		{"(*SectionReader).Seek", Method, 0, ""},
 		{"(*SectionReader).Size", Method, 0, ""},
+		{"(ByteReader).ReadByte", Method, 0, ""},
+		{"(ByteScanner).ReadByte", Method, 0, ""},
+		{"(ByteScanner).UnreadByte", Method, 0, ""},
+		{"(ByteWriter).WriteByte", Method, 1, ""},
+		{"(Closer).Close", Method, 0, ""},
+		{"(ReadCloser).Close", Method, 0, ""},
+		{"(ReadCloser).Read", Method, 0, ""},
+		{"(ReadSeekCloser).Close", Method, 16, ""},
+		{"(ReadSeekCloser).Read", Method, 16, ""},
+		{"(ReadSeekCloser).Seek", Method, 16, ""},
+		{"(ReadSeeker).Read", Method, 0, ""},
+		{"(ReadSeeker).Seek", Method, 0, ""},
+		{"(ReadWriteCloser).Close", Method, 0, ""},
+		{"(ReadWriteCloser).Read", Method, 0, ""},
+		{"(ReadWriteCloser).Write", Method, 0, ""},
+		{"(ReadWriteSeeker).Read", Method, 0, ""},
+		{"(ReadWriteSeeker).Seek", Method, 0, ""},
+		{"(ReadWriteSeeker).Write", Method, 0, ""},
+		{"(ReadWriter).Read", Method, 0, ""},
+		{"(ReadWriter).Write", Method, 0, ""},
+		{"(Reader).Read", Method, 0, ""},
+		{"(ReaderAt).ReadAt", Method, 0, ""},
+		{"(ReaderFrom).ReadFrom", Method, 0, ""},
+		{"(RuneReader).ReadRune", Method, 0, ""},
+		{"(RuneScanner).ReadRune", Method, 0, ""},
+		{"(RuneScanner).UnreadRune", Method, 0, ""},
+		{"(Seeker).Seek", Method, 0, ""},
+		{"(StringWriter).WriteString", Method, 12, ""},
+		{"(WriteCloser).Close", Method, 0, ""},
+		{"(WriteCloser).Write", Method, 0, ""},
+		{"(WriteSeeker).Seek", Method, 0, ""},
+		{"(WriteSeeker).Write", Method, 0, ""},
+		{"(Writer).Write", Method, 0, ""},
+		{"(WriterAt).WriteAt", Method, 0, ""},
+		{"(WriterTo).WriteTo", Method, 0, ""},
 		{"ByteReader", Type, 0, ""},
 		{"ByteScanner", Type, 0, ""},
 		{"ByteWriter", Type, 1, ""},
@@ -7126,11 +7463,42 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*PathError).Error", Method, 16, ""},
 		{"(*PathError).Timeout", Method, 16, ""},
 		{"(*PathError).Unwrap", Method, 16, ""},
+		{"(DirEntry).Info", Method, 16, ""},
+		{"(DirEntry).IsDir", Method, 16, ""},
+		{"(DirEntry).Name", Method, 16, ""},
+		{"(DirEntry).Type", Method, 16, ""},
+		{"(FS).Open", Method, 16, ""},
+		{"(File).Close", Method, 16, ""},
+		{"(File).Read", Method, 16, ""},
+		{"(File).Stat", Method, 16, ""},
+		{"(FileInfo).IsDir", Method, 16, ""},
+		{"(FileInfo).ModTime", Method, 16, ""},
+		{"(FileInfo).Mode", Method, 16, ""},
+		{"(FileInfo).Name", Method, 16, ""},
+		{"(FileInfo).Size", Method, 16, ""},
+		{"(FileInfo).Sys", Method, 16, ""},
 		{"(FileMode).IsDir", Method, 16, ""},
 		{"(FileMode).IsRegular", Method, 16, ""},
 		{"(FileMode).Perm", Method, 16, ""},
 		{"(FileMode).String", Method, 16, ""},
 		{"(FileMode).Type", Method, 16, ""},
+		{"(GlobFS).Glob", Method, 16, ""},
+		{"(GlobFS).Open", Method, 16, ""},
+		{"(ReadDirFS).Open", Method, 16, ""},
+		{"(ReadDirFS).ReadDir", Method, 16, ""},
+		{"(ReadDirFile).Close", Method, 16, ""},
+		{"(ReadDirFile).Read", Method, 16, ""},
+		{"(ReadDirFile).ReadDir", Method, 16, ""},
+		{"(ReadDirFile).Stat", Method, 16, ""},
+		{"(ReadFileFS).Open", Method, 16, ""},
+		{"(ReadFileFS).ReadFile", Method, 16, ""},
+		{"(ReadLinkFS).Lstat", Method, 25, ""},
+		{"(ReadLinkFS).Open", Method, 25, ""},
+		{"(ReadLinkFS).ReadLink", Method, 25, ""},
+		{"(StatFS).Open", Method, 16, ""},
+		{"(StatFS).Stat", Method, 16, ""},
+		{"(SubFS).Open", Method, 16, ""},
+		{"(SubFS).Sub", Method, 16, ""},
 		{"DirEntry", Type, 16, ""},
 		{"ErrClosed", Var, 16, ""},
 		{"ErrExist", Var, 16, ""},
@@ -7271,6 +7639,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Logger).WarnContext", Method, 21, ""},
 		{"(*Logger).With", Method, 21, ""},
 		{"(*Logger).WithGroup", Method, 21, ""},
+		{"(*MultiHandler).Enabled", Method, 26, ""},
+		{"(*MultiHandler).Handle", Method, 26, ""},
+		{"(*MultiHandler).WithAttrs", Method, 26, ""},
+		{"(*MultiHandler).WithGroup", Method, 26, ""},
 		{"(*Record).Add", Method, 21, ""},
 		{"(*Record).AddAttrs", Method, 21, ""},
 		{"(*TextHandler).Enabled", Method, 21, ""},
@@ -7279,12 +7651,18 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*TextHandler).WithGroup", Method, 21, ""},
 		{"(Attr).Equal", Method, 21, ""},
 		{"(Attr).String", Method, 21, ""},
+		{"(Handler).Enabled", Method, 21, ""},
+		{"(Handler).Handle", Method, 21, ""},
+		{"(Handler).WithAttrs", Method, 21, ""},
+		{"(Handler).WithGroup", Method, 21, ""},
 		{"(Kind).String", Method, 21, ""},
 		{"(Level).AppendText", Method, 24, ""},
 		{"(Level).Level", Method, 21, ""},
 		{"(Level).MarshalJSON", Method, 21, ""},
 		{"(Level).MarshalText", Method, 21, ""},
 		{"(Level).String", Method, 21, ""},
+		{"(Leveler).Level", Method, 21, ""},
+		{"(LogValuer).LogValue", Method, 21, ""},
 		{"(Record).Attrs", Method, 21, ""},
 		{"(Record).Clone", Method, 21, ""},
 		{"(Record).NumAttrs", Method, 21, ""},
@@ -7358,9 +7736,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"LogValuer", Type, 21, ""},
 		{"Logger", Type, 21, ""},
 		{"MessageKey", Const, 21, ""},
+		{"MultiHandler", Type, 26, ""},
 		{"New", Func, 21, "func(h Handler) *Logger"},
 		{"NewJSONHandler", Func, 21, "func(w io.Writer, opts *HandlerOptions) *JSONHandler"},
 		{"NewLogLogger", Func, 21, "func(h Handler, level Level) *log.Logger"},
+		{"NewMultiHandler", Func, 26, "func(handlers ...Handler) *MultiHandler"},
 		{"NewRecord", Func, 21, "func(t time.Time, level Level, msg string, pc uintptr) Record"},
 		{"NewTextHandler", Func, 21, "func(w io.Writer, opts *HandlerOptions) *TextHandler"},
 		{"Record", Type, 21, ""},
@@ -7515,7 +7895,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"MinInt64", Const, 0, ""},
 		{"MinInt8", Const, 0, ""},
 		{"Mod", Func, 0, "func(x float64, y float64) float64"},
-		{"Modf", Func, 0, "func(f float64) (int float64, frac float64)"},
+		{"Modf", Func, 0, "func(f float64) (integer float64, fractional float64)"},
 		{"NaN", Func, 0, "func() float64"},
 		{"Nextafter", Func, 0, "func(x float64, y float64) (r float64)"},
 		{"Nextafter32", Func, 4, "func(x float32, y float32) (r float32)"},
@@ -7811,6 +8191,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Rand).Uint32", Method, 0, ""},
 		{"(*Rand).Uint64", Method, 8, ""},
 		{"(*Zipf).Uint64", Method, 0, ""},
+		{"(Source).Int63", Method, 0, ""},
+		{"(Source).Seed", Method, 0, ""},
+		{"(Source64).Int63", Method, 8, ""},
+		{"(Source64).Seed", Method, 8, ""},
+		{"(Source64).Uint64", Method, 8, ""},
 		{"ExpFloat64", Func, 0, "func() float64"},
 		{"Float32", Func, 0, "func() float32"},
 		{"Float64", Func, 0, "func() float64"},
@@ -7866,6 +8251,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Rand).Uint64N", Method, 22, ""},
 		{"(*Rand).UintN", Method, 22, ""},
 		{"(*Zipf).Uint64", Method, 22, ""},
+		{"(Source).Uint64", Method, 22, ""},
 		{"ChaCha8", Type, 22, ""},
 		{"ExpFloat64", Func, 22, "func() float64"},
 		{"Float32", Func, 22, "func() float32"},
@@ -7929,6 +8315,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Writer).FormDataContentType", Method, 0, ""},
 		{"(*Writer).SetBoundary", Method, 1, ""},
 		{"(*Writer).WriteField", Method, 0, ""},
+		{"(File).Close", Method, 0, ""},
+		{"(File).Read", Method, 0, ""},
+		{"(File).ReadAt", Method, 0, ""},
+		{"(File).Seek", Method, 0, ""},
 		{"ErrMessageTooLarge", Var, 9, ""},
 		{"File", Type, 0, ""},
 		{"FileContentDisposition", Func, 25, "func(fieldname string, filename string) string"},
@@ -7972,6 +8362,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*DNSError).Unwrap", Method, 23, ""},
 		{"(*Dialer).Dial", Method, 1, ""},
 		{"(*Dialer).DialContext", Method, 7, ""},
+		{"(*Dialer).DialIP", Method, 26, ""},
+		{"(*Dialer).DialTCP", Method, 26, ""},
+		{"(*Dialer).DialUDP", Method, 26, ""},
+		{"(*Dialer).DialUnix", Method, 26, ""},
 		{"(*Dialer).MultipathTCP", Method, 21, ""},
 		{"(*Dialer).SetMultipathTCP", Method, 21, ""},
 		{"(*IP).UnmarshalText", Method, 2, ""},
@@ -8109,6 +8503,19 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*UnixListener).SetDeadline", Method, 0, ""},
 		{"(*UnixListener).SetUnlinkOnClose", Method, 8, ""},
 		{"(*UnixListener).SyscallConn", Method, 10, ""},
+		{"(Addr).Network", Method, 0, ""},
+		{"(Addr).String", Method, 0, ""},
+		{"(Conn).Close", Method, 0, ""},
+		{"(Conn).LocalAddr", Method, 0, ""},
+		{"(Conn).Read", Method, 0, ""},
+		{"(Conn).RemoteAddr", Method, 0, ""},
+		{"(Conn).SetDeadline", Method, 0, ""},
+		{"(Conn).SetReadDeadline", Method, 0, ""},
+		{"(Conn).SetWriteDeadline", Method, 0, ""},
+		{"(Conn).Write", Method, 0, ""},
+		{"(Error).Error", Method, 0, ""},
+		{"(Error).Temporary", Method, 0, ""},
+		{"(Error).Timeout", Method, 0, ""},
 		{"(Flags).String", Method, 0, ""},
 		{"(HardwareAddr).String", Method, 0, ""},
 		{"(IP).AppendText", Method, 24, ""},
@@ -8132,6 +8539,16 @@ var PackageSymbols = map[string][]Symbol{
 		{"(InvalidAddrError).Error", Method, 0, ""},
 		{"(InvalidAddrError).Temporary", Method, 0, ""},
 		{"(InvalidAddrError).Timeout", Method, 0, ""},
+		{"(Listener).Accept", Method, 0, ""},
+		{"(Listener).Addr", Method, 0, ""},
+		{"(Listener).Close", Method, 0, ""},
+		{"(PacketConn).Close", Method, 0, ""},
+		{"(PacketConn).LocalAddr", Method, 0, ""},
+		{"(PacketConn).ReadFrom", Method, 0, ""},
+		{"(PacketConn).SetDeadline", Method, 0, ""},
+		{"(PacketConn).SetReadDeadline", Method, 0, ""},
+		{"(PacketConn).SetWriteDeadline", Method, 0, ""},
+		{"(PacketConn).WriteTo", Method, 0, ""},
 		{"(UnknownNetworkError).Error", Method, 0, ""},
 		{"(UnknownNetworkError).Temporary", Method, 0, ""},
 		{"(UnknownNetworkError).Timeout", Method, 0, ""},
@@ -8307,6 +8724,14 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Client).Head", Method, 0, ""},
 		{"(*Client).Post", Method, 0, ""},
 		{"(*Client).PostForm", Method, 0, ""},
+		{"(*ClientConn).Available", Method, 26, ""},
+		{"(*ClientConn).Close", Method, 26, ""},
+		{"(*ClientConn).Err", Method, 26, ""},
+		{"(*ClientConn).InFlight", Method, 26, ""},
+		{"(*ClientConn).Release", Method, 26, ""},
+		{"(*ClientConn).Reserve", Method, 26, ""},
+		{"(*ClientConn).RoundTrip", Method, 26, ""},
+		{"(*ClientConn).SetStateHook", Method, 26, ""},
 		{"(*Cookie).String", Method, 0, ""},
 		{"(*Cookie).Valid", Method, 18, ""},
 		{"(*CrossOriginProtection).AddInsecureBypassPattern", Method, 25, ""},
@@ -8366,10 +8791,22 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Transport).CancelRequest", Method, 1, ""},
 		{"(*Transport).Clone", Method, 13, ""},
 		{"(*Transport).CloseIdleConnections", Method, 0, ""},
+		{"(*Transport).NewClientConn", Method, 26, ""},
 		{"(*Transport).RegisterProtocol", Method, 0, ""},
 		{"(*Transport).RoundTrip", Method, 0, ""},
+		{"(CloseNotifier).CloseNotify", Method, 1, ""},
 		{"(ConnState).String", Method, 3, ""},
+		{"(CookieJar).Cookies", Method, 0, ""},
+		{"(CookieJar).SetCookies", Method, 0, ""},
 		{"(Dir).Open", Method, 0, ""},
+		{"(File).Close", Method, 0, ""},
+		{"(File).Read", Method, 0, ""},
+		{"(File).Readdir", Method, 0, ""},
+		{"(File).Seek", Method, 0, ""},
+		{"(File).Stat", Method, 0, ""},
+		{"(FileSystem).Open", Method, 0, ""},
+		{"(Flusher).Flush", Method, 0, ""},
+		{"(Handler).ServeHTTP", Method, 0, ""},
 		{"(HandlerFunc).ServeHTTP", Method, 0, ""},
 		{"(Header).Add", Method, 0, ""},
 		{"(Header).Clone", Method, 13, ""},
@@ -8379,10 +8816,16 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Header).Values", Method, 14, ""},
 		{"(Header).Write", Method, 0, ""},
 		{"(Header).WriteSubset", Method, 0, ""},
+		{"(Hijacker).Hijack", Method, 0, ""},
 		{"(Protocols).HTTP1", Method, 24, ""},
 		{"(Protocols).HTTP2", Method, 24, ""},
 		{"(Protocols).String", Method, 24, ""},
 		{"(Protocols).UnencryptedHTTP2", Method, 24, ""},
+		{"(Pusher).Push", Method, 8, ""},
+		{"(ResponseWriter).Header", Method, 0, ""},
+		{"(ResponseWriter).Write", Method, 0, ""},
+		{"(ResponseWriter).WriteHeader", Method, 0, ""},
+		{"(RoundTripper).RoundTrip", Method, 0, ""},
 		{"AllowQuerySemicolons", Func, 17, "func(h Handler) Handler"},
 		{"CanonicalHeaderKey", Func, 0, "func(s string) string"},
 		{"Client", Type, 0, ""},
@@ -8390,6 +8833,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Client.Jar", Field, 0, ""},
 		{"Client.Timeout", Field, 3, ""},
 		{"Client.Transport", Field, 0, ""},
+		{"ClientConn", Type, 26, ""},
 		{"CloseNotifier", Type, 1, ""},
 		{"ConnState", Type, 3, ""},
 		{"Cookie", Type, 0, ""},
@@ -8457,6 +8901,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"HTTP2Config.PermitProhibitedCipherSuites", Field, 24, ""},
 		{"HTTP2Config.PingTimeout", Field, 24, ""},
 		{"HTTP2Config.SendPingTimeout", Field, 24, ""},
+		{"HTTP2Config.StrictMaxConcurrentRequests", Field, 26, ""},
 		{"HTTP2Config.WriteByteTimeout", Field, 24, ""},
 		{"Handle", Func, 0, "func(pattern string, handler Handler)"},
 		{"HandleFunc", Func, 0, "func(pattern string, handler func(ResponseWriter, *Request))"},
@@ -8699,6 +9144,8 @@ var PackageSymbols = map[string][]Symbol{
 	"net/http/cookiejar": {
 		{"(*Jar).Cookies", Method, 1, ""},
 		{"(*Jar).SetCookies", Method, 1, ""},
+		{"(PublicSuffixList).PublicSuffix", Method, 1, ""},
+		{"(PublicSuffixList).String", Method, 1, ""},
 		{"Jar", Type, 1, ""},
 		{"New", Func, 1, "func(o *Options) (*Jar, error)"},
 		{"Options", Type, 1, ""},
@@ -8792,6 +9239,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*ServerConn).Pending", Method, 0, ""},
 		{"(*ServerConn).Read", Method, 0, ""},
 		{"(*ServerConn).Write", Method, 0, ""},
+		{"(BufferPool).Get", Method, 6, ""},
+		{"(BufferPool).Put", Method, 6, ""},
 		{"BufferPool", Type, 6, ""},
 		{"ClientConn", Type, 0, ""},
 		{"DumpRequest", Func, 0, "func(req *http.Request, body bool) ([]byte, error)"},
@@ -8904,6 +9353,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Prefix).AppendText", Method, 24, ""},
 		{"(Prefix).AppendTo", Method, 18, ""},
 		{"(Prefix).Bits", Method, 18, ""},
+		{"(Prefix).Compare", Method, 26, ""},
 		{"(Prefix).Contains", Method, 18, ""},
 		{"(Prefix).IsSingleIP", Method, 18, ""},
 		{"(Prefix).IsValid", Method, 18, ""},
@@ -8944,6 +9394,14 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Server).ServeConn", Method, 0, ""},
 		{"(*Server).ServeHTTP", Method, 0, ""},
 		{"(*Server).ServeRequest", Method, 0, ""},
+		{"(ClientCodec).Close", Method, 0, ""},
+		{"(ClientCodec).ReadResponseBody", Method, 0, ""},
+		{"(ClientCodec).ReadResponseHeader", Method, 0, ""},
+		{"(ClientCodec).WriteRequest", Method, 0, ""},
+		{"(ServerCodec).Close", Method, 0, ""},
+		{"(ServerCodec).ReadRequestBody", Method, 0, ""},
+		{"(ServerCodec).ReadRequestHeader", Method, 0, ""},
+		{"(ServerCodec).WriteResponse", Method, 0, ""},
 		{"(ServerError).Error", Method, 0, ""},
 		{"Accept", Func, 0, "func(lis net.Listener)"},
 		{"Call", Type, 0, ""},
@@ -9002,6 +9460,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Client).StartTLS", Method, 0, ""},
 		{"(*Client).TLSConnectionState", Method, 5, ""},
 		{"(*Client).Verify", Method, 0, ""},
+		{"(Auth).Next", Method, 0, ""},
+		{"(Auth).Start", Method, 0, ""},
 		{"Auth", Type, 0, ""},
 		{"CRAMMD5Auth", Func, 0, "func(username string, secret string) Auth"},
 		{"Client", Type, 0, ""},
@@ -9177,6 +9637,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Process).Release", Method, 0, ""},
 		{"(*Process).Signal", Method, 0, ""},
 		{"(*Process).Wait", Method, 0, ""},
+		{"(*Process).WithHandle", Method, 26, ""},
 		{"(*ProcessState).ExitCode", Method, 12, ""},
 		{"(*ProcessState).Exited", Method, 0, ""},
 		{"(*ProcessState).Pid", Method, 0, ""},
@@ -9212,10 +9673,18 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*SyscallError).Error", Method, 0, ""},
 		{"(*SyscallError).Timeout", Method, 10, ""},
 		{"(*SyscallError).Unwrap", Method, 13, ""},
+		{"(FileInfo).IsDir", Method, 0, ""},
+		{"(FileInfo).ModTime", Method, 0, ""},
+		{"(FileInfo).Mode", Method, 0, ""},
+		{"(FileInfo).Name", Method, 0, ""},
+		{"(FileInfo).Size", Method, 0, ""},
+		{"(FileInfo).Sys", Method, 0, ""},
 		{"(FileMode).IsDir", Method, 0, ""},
 		{"(FileMode).IsRegular", Method, 1, ""},
 		{"(FileMode).Perm", Method, 0, ""},
 		{"(FileMode).String", Method, 0, ""},
+		{"(Signal).Signal", Method, 0, ""},
+		{"(Signal).String", Method, 0, ""},
 		{"Args", Var, 0, ""},
 		{"Chdir", Func, 0, "func(dir string) error"},
 		{"Chmod", Func, 0, "func(name string, mode FileMode) error"},
@@ -9234,6 +9703,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ErrExist", Var, 0, ""},
 		{"ErrInvalid", Var, 0, ""},
 		{"ErrNoDeadline", Var, 10, ""},
+		{"ErrNoHandle", Var, 26, ""},
 		{"ErrNotExist", Var, 0, ""},
 		{"ErrPermission", Var, 0, ""},
 		{"ErrProcessDone", Var, 16, ""},
@@ -9461,7 +9931,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ListSeparator", Const, 0, ""},
 		{"Localize", Func, 23, "func(path string) (string, error)"},
 		{"Match", Func, 0, "func(pattern string, name string) (matched bool, err error)"},
-		{"Rel", Func, 0, "func(basepath string, targpath string) (string, error)"},
+		{"Rel", Func, 0, "func(basePath string, targPath string) (string, error)"},
 		{"Separator", Const, 0, ""},
 		{"SkipAll", Var, 20, ""},
 		{"SkipDir", Var, 0, ""},
@@ -9491,6 +9961,45 @@ var PackageSymbols = map[string][]Symbol{
 		{"(StructField).IsExported", Method, 17, ""},
 		{"(StructTag).Get", Method, 0, ""},
 		{"(StructTag).Lookup", Method, 7, ""},
+		{"(Type).Align", Method, 0, ""},
+		{"(Type).AssignableTo", Method, 0, ""},
+		{"(Type).Bits", Method, 0, ""},
+		{"(Type).CanSeq", Method, 23, ""},
+		{"(Type).CanSeq2", Method, 23, ""},
+		{"(Type).ChanDir", Method, 0, ""},
+		{"(Type).Comparable", Method, 4, ""},
+		{"(Type).ConvertibleTo", Method, 1, ""},
+		{"(Type).Elem", Method, 0, ""},
+		{"(Type).Field", Method, 0, ""},
+		{"(Type).FieldAlign", Method, 0, ""},
+		{"(Type).FieldByIndex", Method, 0, ""},
+		{"(Type).FieldByName", Method, 0, ""},
+		{"(Type).FieldByNameFunc", Method, 0, ""},
+		{"(Type).Fields", Method, 26, ""},
+		{"(Type).Implements", Method, 0, ""},
+		{"(Type).In", Method, 0, ""},
+		{"(Type).Ins", Method, 26, ""},
+		{"(Type).IsVariadic", Method, 0, ""},
+		{"(Type).Key", Method, 0, ""},
+		{"(Type).Kind", Method, 0, ""},
+		{"(Type).Len", Method, 0, ""},
+		{"(Type).Method", Method, 0, ""},
+		{"(Type).MethodByName", Method, 0, ""},
+		{"(Type).Methods", Method, 26, ""},
+		{"(Type).Name", Method, 0, ""},
+		{"(Type).NumField", Method, 0, ""},
+		{"(Type).NumIn", Method, 0, ""},
+		{"(Type).NumMethod", Method, 0, ""},
+		{"(Type).NumOut", Method, 0, ""},
+		{"(Type).Out", Method, 0, ""},
+		{"(Type).Outs", Method, 26, ""},
+		{"(Type).OverflowComplex", Method, 23, ""},
+		{"(Type).OverflowFloat", Method, 23, ""},
+		{"(Type).OverflowInt", Method, 23, ""},
+		{"(Type).OverflowUint", Method, 23, ""},
+		{"(Type).PkgPath", Method, 0, ""},
+		{"(Type).Size", Method, 0, ""},
+		{"(Type).String", Method, 0, ""},
 		{"(Value).Addr", Method, 0, ""},
 		{"(Value).Bool", Method, 0, ""},
 		{"(Value).Bytes", Method, 0, ""},
@@ -9517,6 +10026,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Value).FieldByIndexErr", Method, 18, ""},
 		{"(Value).FieldByName", Method, 0, ""},
 		{"(Value).FieldByNameFunc", Method, 0, ""},
+		{"(Value).Fields", Method, 26, ""},
 		{"(Value).Float", Method, 0, ""},
 		{"(Value).Grow", Method, 20, ""},
 		{"(Value).Index", Method, 0, ""},
@@ -9533,6 +10043,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Value).MapRange", Method, 12, ""},
 		{"(Value).Method", Method, 0, ""},
 		{"(Value).MethodByName", Method, 0, ""},
+		{"(Value).Methods", Method, 26, ""},
 		{"(Value).NumField", Method, 0, ""},
 		{"(Value).NumMethod", Method, 0, ""},
 		{"(Value).OverflowComplex", Method, 0, ""},
@@ -9648,7 +10159,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"StructOf", Func, 7, "func(fields []StructField) Type"},
 		{"StructTag", Type, 0, ""},
 		{"Swapper", Func, 8, "func(slice any) func(i int, j int)"},
-		{"Type", Type, 0, ""},
 		{"TypeAssert", Func, 25, "func[T any](v Value) (T, bool)"},
 		{"TypeFor", Func, 22, "func[T any]() Type"},
 		{"TypeOf", Func, 0, "func(i any) Type"},
@@ -9850,6 +10360,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*TypeAssertionError).Error", Method, 0, ""},
 		{"(*TypeAssertionError).RuntimeError", Method, 0, ""},
 		{"(Cleanup).Stop", Method, 24, ""},
+		{"(Error).Error", Method, 0, ""},
+		{"(Error).RuntimeError", Method, 0, ""},
 		{"AddCleanup", Func, 24, "func[T, S any](ptr *T, cleanup func(S), arg S) Cleanup"},
 		{"BlockProfile", Func, 1, "func(p []BlockProfileRecord) (n int, ok bool)"},
 		{"BlockProfileRecord", Type, 1, ""},
@@ -9932,7 +10444,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"PanicNilError", Type, 21, ""},
 		{"Pinner", Type, 21, ""},
 		{"ReadMemStats", Func, 0, "func(m *MemStats)"},
-		{"ReadTrace", Func, 5, "func() []byte"},
+		{"ReadTrace", Func, 5, "func() (buf []byte)"},
 		{"SetBlockProfileRate", Func, 1, "func(rate int)"},
 		{"SetCPUProfileRate", Func, 0, "func(hz int)"},
 		{"SetCgoTraceback", Func, 7, "func(version int, traceback unsafe.Pointer, context unsafe.Pointer, symbolizer unsafe.Pointer)"},
@@ -10124,6 +10636,9 @@ var PackageSymbols = map[string][]Symbol{
 		{"(IntSlice).Search", Method, 0, ""},
 		{"(IntSlice).Sort", Method, 0, ""},
 		{"(IntSlice).Swap", Method, 0, ""},
+		{"(Interface).Len", Method, 0, ""},
+		{"(Interface).Less", Method, 0, ""},
+		{"(Interface).Swap", Method, 0, ""},
 		{"(StringSlice).Len", Method, 0, ""},
 		{"(StringSlice).Less", Method, 0, ""},
 		{"(StringSlice).Search", Method, 0, ""},
@@ -10315,6 +10830,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*WaitGroup).Done", Method, 0, ""},
 		{"(*WaitGroup).Go", Method, 25, ""},
 		{"(*WaitGroup).Wait", Method, 0, ""},
+		{"(Locker).Lock", Method, 0, ""},
+		{"(Locker).Unlock", Method, 0, ""},
 		{"Cond", Type, 0, ""},
 		{"Cond.L", Field, 0, ""},
 		{"Locker", Type, 0, ""},
@@ -10456,10 +10973,14 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Timeval).Nano", Method, 0, ""},
 		{"(*Timeval).Nanoseconds", Method, 0, ""},
 		{"(*Timeval).Unix", Method, 0, ""},
+		{"(Conn).SyscallConn", Method, 9, ""},
 		{"(Errno).Error", Method, 0, ""},
 		{"(Errno).Is", Method, 13, ""},
 		{"(Errno).Temporary", Method, 0, ""},
 		{"(Errno).Timeout", Method, 0, ""},
+		{"(RawConn).Control", Method, 9, ""},
+		{"(RawConn).Read", Method, 9, ""},
+		{"(RawConn).Write", Method, 9, ""},
 		{"(Signal).Signal", Method, 0, ""},
 		{"(Signal).String", Method, 0, ""},
 		{"(Token).Close", Method, 0, ""},
@@ -14379,7 +14900,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"RouteMessage.Data", Field, 0, ""},
 		{"RouteMessage.Header", Field, 0, ""},
 		{"RouteRIB", Func, 0, ""},
-		{"RoutingMessage", Type, 0, ""},
+		{"RoutingMessage", Type, 14, ""},
 		{"RtAttr", Type, 0, ""},
 		{"RtAttr.Len", Field, 0, ""},
 		{"RtAttr.Type", Field, 0, ""},
@@ -15865,7 +16386,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"SockFprog.Filter", Field, 0, ""},
 		{"SockFprog.Len", Field, 0, ""},
 		{"SockFprog.Pad_cgo_0", Field, 0, ""},
-		{"Sockaddr", Type, 0, ""},
 		{"SockaddrDatalink", Type, 0, ""},
 		{"SockaddrDatalink.Alen", Field, 0, ""},
 		{"SockaddrDatalink.Data", Field, 0, ""},
@@ -16679,6 +17199,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ValueOf", Func, 0, ""},
 	},
 	"testing": {
+		{"(*B).ArtifactDir", Method, 26, ""},
 		{"(*B).Attr", Method, 25, ""},
 		{"(*B).Chdir", Method, 24, ""},
 		{"(*B).Cleanup", Method, 14, ""},
@@ -16713,6 +17234,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*B).StopTimer", Method, 0, ""},
 		{"(*B).TempDir", Method, 15, ""},
 		{"(*F).Add", Method, 18, ""},
+		{"(*F).ArtifactDir", Method, 26, ""},
 		{"(*F).Attr", Method, 25, ""},
 		{"(*F).Chdir", Method, 24, ""},
 		{"(*F).Cleanup", Method, 18, ""},
@@ -16738,6 +17260,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*F).TempDir", Method, 18, ""},
 		{"(*M).Run", Method, 4, ""},
 		{"(*PB).Next", Method, 3, ""},
+		{"(*T).ArtifactDir", Method, 26, ""},
 		{"(*T).Attr", Method, 25, ""},
 		{"(*T).Chdir", Method, 24, ""},
 		{"(*T).Cleanup", Method, 14, ""},
@@ -16768,6 +17291,29 @@ var PackageSymbols = map[string][]Symbol{
 		{"(BenchmarkResult).MemString", Method, 1, ""},
 		{"(BenchmarkResult).NsPerOp", Method, 0, ""},
 		{"(BenchmarkResult).String", Method, 0, ""},
+		{"(TB).ArtifactDir", Method, 26, ""},
+		{"(TB).Attr", Method, 25, ""},
+		{"(TB).Chdir", Method, 24, ""},
+		{"(TB).Cleanup", Method, 14, ""},
+		{"(TB).Context", Method, 24, ""},
+		{"(TB).Error", Method, 2, ""},
+		{"(TB).Errorf", Method, 2, ""},
+		{"(TB).Fail", Method, 2, ""},
+		{"(TB).FailNow", Method, 2, ""},
+		{"(TB).Failed", Method, 2, ""},
+		{"(TB).Fatal", Method, 2, ""},
+		{"(TB).Fatalf", Method, 2, ""},
+		{"(TB).Helper", Method, 9, ""},
+		{"(TB).Log", Method, 2, ""},
+		{"(TB).Logf", Method, 2, ""},
+		{"(TB).Name", Method, 8, ""},
+		{"(TB).Output", Method, 25, ""},
+		{"(TB).Setenv", Method, 17, ""},
+		{"(TB).Skip", Method, 2, ""},
+		{"(TB).SkipNow", Method, 2, ""},
+		{"(TB).Skipf", Method, 2, ""},
+		{"(TB).Skipped", Method, 2, ""},
+		{"(TB).TempDir", Method, 15, ""},
 		{"AllocsPerRun", Func, 1, "func(runs int, f func()) (avg float64)"},
 		{"B", Type, 0, ""},
 		{"B.N", Field, 0, ""},
@@ -16818,7 +17364,6 @@ var PackageSymbols = map[string][]Symbol{
 		{"RunTests", Func, 0, "func(matchString func(pat string, str string) (bool, error), tests []InternalTest) (ok bool)"},
 		{"Short", Func, 0, "func() bool"},
 		{"T", Type, 0, ""},
-		{"TB", Type, 2, ""},
 		{"Testing", Func, 21, "func() bool"},
 		{"Verbose", Func, 1, "func() bool"},
 	},
@@ -16854,6 +17399,7 @@ var PackageSymbols = map[string][]Symbol{
 	"testing/quick": {
 		{"(*CheckEqualError).Error", Method, 0, ""},
 		{"(*CheckError).Error", Method, 0, ""},
+		{"(Generator).Generate", Method, 0, ""},
 		{"(SetupError).Error", Method, 0, ""},
 		{"Check", Func, 0, "func(f any, config *Config) error"},
 		{"CheckEqual", Func, 0, "func(f any, g any, config *Config) error"},
@@ -17060,6 +17606,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"(ListNode).Position", Method, 1, ""},
 		{"(ListNode).Type", Method, 0, ""},
 		{"(NilNode).Position", Method, 1, ""},
+		{"(Node).Copy", Method, 0, ""},
+		{"(Node).Position", Method, 1, ""},
+		{"(Node).String", Method, 0, ""},
+		{"(Node).Type", Method, 0, ""},
 		{"(NodeType).Type", Method, 0, ""},
 		{"(NumberNode).Position", Method, 1, ""},
 		{"(NumberNode).Type", Method, 0, ""},
diff --git a/vendor/golang.org/x/tools/internal/stdlib/stdlib.go b/vendor/golang.org/x/tools/internal/stdlib/stdlib.go
index e223e0f340..59a5de36a2 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/stdlib.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/stdlib.go
@@ -39,7 +39,7 @@ const (
 	Var                 // "EOF"
 	Const               // "Pi"
 	Field               // "Point.X"
-	Method              // "(*Buffer).Grow"
+	Method              // "(*Buffer).Grow" or "(Reader).Read"
 )
 
 func (kind Kind) String() string {
diff --git a/vendor/golang.org/x/tools/internal/typeparams/normalize.go b/vendor/golang.org/x/tools/internal/typeparams/normalize.go
index f49802b8ef..8d13f12147 100644
--- a/vendor/golang.org/x/tools/internal/typeparams/normalize.go
+++ b/vendor/golang.org/x/tools/internal/typeparams/normalize.go
@@ -160,8 +160,7 @@ func computeTermSetInternal(t types.Type, seen map[types.Type]*termSet, depth in
 		// The term set of an interface is the intersection of the term sets of its
 		// embedded types.
 		tset.terms = allTermlist
-		for i := 0; i < u.NumEmbeddeds(); i++ {
-			embedded := u.EmbeddedType(i)
+		for embedded := range u.EmbeddedTypes() {
 			if _, ok := embedded.Underlying().(*types.TypeParam); ok {
 				return nil, fmt.Errorf("invalid embedded type %T", embedded)
 			}
@@ -174,8 +173,7 @@ func computeTermSetInternal(t types.Type, seen map[types.Type]*termSet, depth in
 	case *types.Union:
 		// The term set of a union is the union of term sets of its terms.
 		tset.terms = nil
-		for i := 0; i < u.Len(); i++ {
-			t := u.Term(i)
+		for t := range u.Terms() {
 			var terms termlist
 			switch t.Type().Underlying().(type) {
 			case *types.Interface:
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go b/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go
index 3db2a135b9..7ebe9768bc 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/classify_call.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"go/ast"
 	"go/types"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname hack
 )
 
 // CallKind describes the function position of an [*ast.CallExpr].
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/element.go b/vendor/golang.org/x/tools/internal/typesinternal/element.go
index 4957f02164..5fe4d8abcb 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/element.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/element.go
@@ -35,8 +35,8 @@ func ForEachElement(rtypes *typeutil.Map, msets *typeutil.MethodSetCache, T type
 
 		// Recursion over signatures of each method.
 		tmset := msets.MethodSet(T)
-		for i := 0; i < tmset.Len(); i++ {
-			sig := tmset.At(i).Type().(*types.Signature)
+		for method := range tmset.Methods() {
+			sig := method.Type().(*types.Signature)
 			// It is tempting to call visit(sig, false)
 			// but, as noted in golang.org/cl/65450043,
 			// the Signature.Recv field is ignored by
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/fx.go b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
index 93acff2170..c846a53d5f 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/fx.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
@@ -19,25 +19,46 @@ func NoEffects(info *types.Info, expr ast.Expr) bool {
 		switch v := n.(type) {
 		case nil, *ast.Ident, *ast.BasicLit, *ast.BinaryExpr, *ast.ParenExpr,
 			*ast.SelectorExpr, *ast.IndexExpr, *ast.SliceExpr, *ast.TypeAssertExpr,
-			*ast.StarExpr, *ast.CompositeLit, *ast.ArrayType, *ast.StructType,
-			*ast.MapType, *ast.InterfaceType, *ast.KeyValueExpr:
-			// No effect
+			*ast.StarExpr, *ast.CompositeLit,
+			// non-expressions that may appear within expressions
+			*ast.KeyValueExpr,
+			*ast.FieldList,
+			*ast.Field,
+			*ast.Ellipsis,
+			*ast.IndexListExpr:
+			// No effect.
+
+		case *ast.ArrayType,
+			*ast.StructType,
+			*ast.ChanType,
+			*ast.FuncType,
+			*ast.MapType,
+			*ast.InterfaceType:
+			// Type syntax: no effects, recursively.
+			// Prune descent.
+			return false
+
 		case *ast.UnaryExpr:
-			// Channel send <-ch has effects
+			// Channel send <-ch has effects.
 			if v.Op == token.ARROW {
 				noEffects = false
 			}
+
 		case *ast.CallExpr:
-			// Type conversion has no effects
+			// Type conversion has no effects.
 			if !info.Types[v.Fun].IsType() {
-				// TODO(adonovan): Add a case for built-in functions without side
-				// effects (by using callsPureBuiltin from tools/internal/refactor/inline)
-
-				noEffects = false
+				if CallsPureBuiltin(info, v) {
+					// A call such as len(e) has no effects of its
+					// own, though the subexpression e might.
+				} else {
+					noEffects = false
+				}
 			}
+
 		case *ast.FuncLit:
 			// A FuncLit has no effects, but do not descend into it.
 			return false
+
 		default:
 			// All other expressions have effects
 			noEffects = false
@@ -47,3 +68,21 @@ func NoEffects(info *types.Info, expr ast.Expr) bool {
 	})
 	return noEffects
 }
+
+// CallsPureBuiltin reports whether call is a call of a built-in
+// function that is a pure computation over its operands (analogous to
+// a + operator). Because it does not depend on program state, it may
+// be evaluated at any point--though not necessarily at multiple
+// points (consider new, make).
+func CallsPureBuiltin(info *types.Info, call *ast.CallExpr) bool {
+	if id, ok := ast.Unparen(call.Fun).(*ast.Ident); ok {
+		if b, ok := info.ObjectOf(id).(*types.Builtin); ok {
+			switch b.Name() {
+			case "len", "cap", "complex", "imag", "real", "make", "new", "max", "min":
+				return true
+			}
+			// Not: append clear close copy delete panic print println recover
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
index f2affec4fb..e0d63c46c6 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
@@ -48,7 +48,7 @@ func IsFunctionNamed(obj types.Object, pkgPath string, names ...string) bool {
 	return ok &&
 		IsPackageLevel(obj) &&
 		f.Pkg().Path() == pkgPath &&
-		f.Type().(*types.Signature).Recv() == nil &&
+		f.Signature().Recv() == nil &&
 		slices.Contains(names, f.Name())
 }
 
@@ -60,7 +60,7 @@ func IsFunctionNamed(obj types.Object, pkgPath string, names ...string) bool {
 // which is important for the performance of syntax matching.
 func IsMethodNamed(obj types.Object, pkgPath string, typeName string, names ...string) bool {
 	if fn, ok := obj.(*types.Func); ok {
-		if recv := fn.Type().(*types.Signature).Recv(); recv != nil {
+		if recv := fn.Signature().Recv(); recv != nil {
 			_, T := ReceiverNamed(recv)
 			return T != nil &&
 				IsTypeNamed(T, pkgPath, typeName) &&
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
index 64f47919f0..4e2756fc49 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
@@ -19,7 +19,7 @@ import (
 // TODO(adonovan): this function ignores the effect of shadowing. It
 // should accept a [token.Pos] and a [types.Info] and compute only the
 // set of imports that are not shadowed at that point, analogous to
-// [analysisinternal.AddImport]. It could also compute (as a side
+// [analysis.AddImport]. It could also compute (as a side
 // effect) the set of additional imports required to ensure that there
 // is an accessible import for each necessary package, making it
 // converge even more closely with AddImport.
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/types.go b/vendor/golang.org/x/tools/internal/typesinternal/types.go
index fef74a7856..51001666ef 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/types.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/types.go
@@ -23,7 +23,6 @@ import (
 	"go/token"
 	"go/types"
 	"reflect"
-	"unsafe"
 
 	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/internal/aliases"
@@ -40,8 +39,7 @@ func SetUsesCgo(conf *types.Config) bool {
 		}
 	}
 
-	addr := unsafe.Pointer(f.UnsafeAddr())
-	*(*bool)(addr) = true
+	*(*bool)(f.Addr().UnsafePointer()) = true
 
 	return true
 }
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/varkind.go b/vendor/golang.org/x/tools/internal/typesinternal/varkind.go
index e5da049511..26499cdd2e 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/varkind.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/varkind.go
@@ -2,39 +2,22 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package typesinternal
+//go:build go1.25
 
-// TODO(adonovan): when CL 645115 lands, define the go1.25 version of
-// this API that actually does something.
+package typesinternal
 
 import "go/types"
 
-type VarKind uint8
+type VarKind = types.VarKind
 
 const (
-	_          VarKind = iota // (not meaningful)
-	PackageVar                // a package-level variable
-	LocalVar                  // a local variable
-	RecvVar                   // a method receiver variable
-	ParamVar                  // a function parameter variable
-	ResultVar                 // a function result variable
-	FieldVar                  // a struct field
+	PackageVar = types.PackageVar
+	LocalVar   = types.LocalVar
+	RecvVar    = types.RecvVar
+	ParamVar   = types.ParamVar
+	ResultVar  = types.ResultVar
+	FieldVar   = types.FieldVar
 )
 
-func (kind VarKind) String() string {
-	return [...]string{
-		0:          "VarKind(0)",
-		PackageVar: "PackageVar",
-		LocalVar:   "LocalVar",
-		RecvVar:    "RecvVar",
-		ParamVar:   "ParamVar",
-		ResultVar:  "ResultVar",
-		FieldVar:   "FieldVar",
-	}[kind]
-}
-
-// GetVarKind returns an invalid VarKind.
-func GetVarKind(v *types.Var) VarKind { return 0 }
-
-// SetVarKind has no effect.
-func SetVarKind(v *types.Var, kind VarKind) {}
+func GetVarKind(v *types.Var) VarKind       { return v.Kind() }
+func SetVarKind(v *types.Var, kind VarKind) { v.SetKind(kind) }
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go b/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go
new file mode 100644
index 0000000000..17b1804b4e
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go
@@ -0,0 +1,39 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.25
+
+package typesinternal
+
+import "go/types"
+
+type VarKind uint8
+
+const (
+	_          VarKind = iota // (not meaningful)
+	PackageVar                // a package-level variable
+	LocalVar                  // a local variable
+	RecvVar                   // a method receiver variable
+	ParamVar                  // a function parameter variable
+	ResultVar                 // a function result variable
+	FieldVar                  // a struct field
+)
+
+func (kind VarKind) String() string {
+	return [...]string{
+		0:          "VarKind(0)",
+		PackageVar: "PackageVar",
+		LocalVar:   "LocalVar",
+		RecvVar:    "RecvVar",
+		ParamVar:   "ParamVar",
+		ResultVar:  "ResultVar",
+		FieldVar:   "FieldVar",
+	}[kind]
+}
+
+// GetVarKind returns an invalid VarKind.
+func GetVarKind(v *types.Var) VarKind { return 0 }
+
+// SetVarKind has no effect.
+func SetVarKind(v *types.Var, kind VarKind) {}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
index 453bba2ad5..d612a71029 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
@@ -258,12 +258,12 @@ func TypeExpr(t types.Type, qual types.Qualifier) ast.Expr {
 
 	case *types.Signature:
 		var params []*ast.Field
-		for i := 0; i < t.Params().Len(); i++ {
+		for v := range t.Params().Variables() {
 			params = append(params, &ast.Field{
-				Type: TypeExpr(t.Params().At(i).Type(), qual),
+				Type: TypeExpr(v.Type(), qual),
 				Names: []*ast.Ident{
 					{
-						Name: t.Params().At(i).Name(),
+						Name: v.Name(),
 					},
 				},
 			})
@@ -273,9 +273,9 @@ func TypeExpr(t types.Type, qual types.Qualifier) ast.Expr {
 			last.Type = &ast.Ellipsis{Elt: last.Type.(*ast.ArrayType).Elt}
 		}
 		var returns []*ast.Field
-		for i := 0; i < t.Results().Len(); i++ {
+		for v := range t.Results().Variables() {
 			returns = append(returns, &ast.Field{
-				Type: TypeExpr(t.Results().At(i).Type(), qual),
+				Type: TypeExpr(v.Type(), qual),
 			})
 		}
 		return &ast.FuncType{
@@ -315,8 +315,8 @@ func TypeExpr(t types.Type, qual types.Qualifier) ast.Expr {
 		if hasTypeArgs, ok := t.(interface{ TypeArgs() *types.TypeList }); ok {
 			if typeArgs := hasTypeArgs.TypeArgs(); typeArgs != nil && typeArgs.Len() > 0 {
 				var indices []ast.Expr
-				for i := range typeArgs.Len() {
-					indices = append(indices, TypeExpr(typeArgs.At(i), qual))
+				for t0 := range typeArgs.Types() {
+					indices = append(indices, TypeExpr(t0, qual))
 				}
 				expr = &ast.IndexListExpr{
 					X:       expr,
diff --git a/vendor/golang.org/x/tools/internal/versions/features.go b/vendor/golang.org/x/tools/internal/versions/features.go
index b53f178616..cdd36c388a 100644
--- a/vendor/golang.org/x/tools/internal/versions/features.go
+++ b/vendor/golang.org/x/tools/internal/versions/features.go
@@ -7,13 +7,18 @@ package versions
 // This file contains predicates for working with file versions to
 // decide when a tool should consider a language feature enabled.
 
-// GoVersions that features in x/tools can be gated to.
+// named constants, to avoid misspelling
 const (
+	Go1_17 = "go1.17"
 	Go1_18 = "go1.18"
 	Go1_19 = "go1.19"
 	Go1_20 = "go1.20"
 	Go1_21 = "go1.21"
 	Go1_22 = "go1.22"
+	Go1_23 = "go1.23"
+	Go1_24 = "go1.24"
+	Go1_25 = "go1.25"
+	Go1_26 = "go1.26"
 )
 
 // Future is an invalid unknown Go version sometime in the future.
diff --git a/vendor/golang.org/x/tools/refactor/satisfy/find.go b/vendor/golang.org/x/tools/refactor/satisfy/find.go
new file mode 100644
index 0000000000..bb38375531
--- /dev/null
+++ b/vendor/golang.org/x/tools/refactor/satisfy/find.go
@@ -0,0 +1,725 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package satisfy inspects the type-checked ASTs of Go packages and
+// reports the set of discovered type constraints of the form (lhs, rhs
+// Type) where lhs is a non-trivial interface, rhs satisfies this
+// interface, and this fact is necessary for the package to be
+// well-typed.
+//
+// It requires well-typed inputs.
+package satisfy // import "golang.org/x/tools/refactor/satisfy"
+
+// NOTES:
+//
+// We don't care about numeric conversions, so we don't descend into
+// types or constant expressions.  This is unsound because
+// constant expressions can contain arbitrary statements, e.g.
+//   const x = len([1]func(){func() {
+//     ...
+//   }})
+//
+// Assignability conversions are possible in the following places:
+// - in assignments y = x, y := x, var y = x.
+// - from call argument types to formal parameter types
+// - in append and delete calls
+// - from return operands to result parameter types
+// - in composite literal T{k:v}, from k and v to T's field/element/key type
+// - in map[key] from key to the map's key type
+// - in comparisons x==y and switch x { case y: }.
+// - in explicit conversions T(x)
+// - in sends ch <- x, from x to the channel element type
+// - in type assertions x.(T) and switch x.(type) { case T: }
+//
+// The results of this pass provide information equivalent to the
+// ssa.MakeInterface and ssa.ChangeInterface instructions.
+
+import (
+	"fmt"
+	"go/ast"
+	"go/token"
+	"go/types"
+
+	"golang.org/x/tools/go/types/typeutil"
+	"golang.org/x/tools/internal/typeparams"
+)
+
+// A Constraint records the fact that the RHS type does and must
+// satisfy the LHS type, which is an interface.
+// The names are suggestive of an assignment statement LHS = RHS.
+//
+// The constraint is implicitly universally quantified over any type
+// parameters appearing within the two types.
+type Constraint struct {
+	LHS, RHS types.Type
+}
+
+// A Finder inspects the type-checked ASTs of Go packages and
+// accumulates the set of type constraints (x, y) such that x is
+// assignable to y, y is an interface, and both x and y have methods.
+//
+// In other words, it returns the subset of the "implements" relation
+// that is checked during compilation of a package.  Refactoring tools
+// will need to preserve at least this part of the relation to ensure
+// continued compilation.
+type Finder struct {
+	Result    map[Constraint]bool
+	msetcache typeutil.MethodSetCache
+
+	// per-Find state
+	info *types.Info
+	sig  *types.Signature
+}
+
+// Find inspects a single package, populating Result with its pairs of
+// constrained types.
+//
+// The result is non-canonical and thus may contain duplicates (but this
+// tends to preserves names of interface types better).
+//
+// The package must be free of type errors, and
+// info.{Defs,Uses,Selections,Types} must have been populated by the
+// type-checker.
+func (f *Finder) Find(info *types.Info, files []*ast.File) {
+	if info.Defs == nil || info.Uses == nil || info.Selections == nil || info.Types == nil {
+		panic("Finder.Find: one of info.{Defs,Uses,Selections.Types} is not populated")
+	}
+	if f.Result == nil {
+		f.Result = make(map[Constraint]bool)
+	}
+
+	f.info = info
+	for _, file := range files {
+		for _, d := range file.Decls {
+			switch d := d.(type) {
+			case *ast.GenDecl:
+				if d.Tok == token.VAR { // ignore consts
+					for _, spec := range d.Specs {
+						f.valueSpec(spec.(*ast.ValueSpec))
+					}
+				}
+
+			case *ast.FuncDecl:
+				if d.Body != nil {
+					f.sig = f.info.Defs[d.Name].Type().(*types.Signature)
+					f.stmt(d.Body)
+					f.sig = nil
+				}
+			}
+		}
+	}
+	f.info = nil
+}
+
+var (
+	tInvalid     = types.Typ[types.Invalid]
+	tUntypedBool = types.Typ[types.UntypedBool]
+	tUntypedNil  = types.Typ[types.UntypedNil]
+)
+
+// exprN visits an expression in a multi-value context.
+func (f *Finder) exprN(e ast.Expr) types.Type {
+	typ := f.info.Types[e].Type.(*types.Tuple)
+	switch e := e.(type) {
+	case *ast.ParenExpr:
+		return f.exprN(e.X)
+
+	case *ast.CallExpr:
+		// x, err := f(args)
+		sig := typeparams.CoreType(f.expr(e.Fun)).(*types.Signature)
+		f.call(sig, e.Args)
+
+	case *ast.IndexExpr:
+		// y, ok := x[i]
+		x := f.expr(e.X)
+		f.assign(f.expr(e.Index), typeparams.CoreType(x).(*types.Map).Key())
+
+	case *ast.TypeAssertExpr:
+		// y, ok := x.(T)
+		f.typeAssert(f.expr(e.X), typ.At(0).Type())
+
+	case *ast.UnaryExpr: // must be receive <-
+		// y, ok := <-x
+		f.expr(e.X)
+
+	default:
+		panic(e)
+	}
+	return typ
+}
+
+func (f *Finder) call(sig *types.Signature, args []ast.Expr) {
+	if len(args) == 0 {
+		return
+	}
+
+	// Ellipsis call?  e.g. f(x, y, z...)
+	if _, ok := args[len(args)-1].(*ast.Ellipsis); ok {
+		for i, arg := range args {
+			// The final arg is a slice, and so is the final param.
+			f.assign(sig.Params().At(i).Type(), f.expr(arg))
+		}
+		return
+	}
+
+	var argtypes []types.Type
+
+	// Gather the effective actual parameter types.
+	if tuple, ok := f.info.Types[args[0]].Type.(*types.Tuple); ok {
+		// f(g()) call where g has multiple results?
+		f.expr(args[0])
+		// unpack the tuple
+		for v := range tuple.Variables() {
+			argtypes = append(argtypes, v.Type())
+		}
+	} else {
+		for _, arg := range args {
+			argtypes = append(argtypes, f.expr(arg))
+		}
+	}
+
+	// Assign the actuals to the formals.
+	if !sig.Variadic() {
+		for i, argtype := range argtypes {
+			f.assign(sig.Params().At(i).Type(), argtype)
+		}
+	} else {
+		// The first n-1 parameters are assigned normally.
+		nnormals := sig.Params().Len() - 1
+		for i, argtype := range argtypes[:nnormals] {
+			f.assign(sig.Params().At(i).Type(), argtype)
+		}
+		// Remaining args are assigned to elements of varargs slice.
+		tElem := sig.Params().At(nnormals).Type().(*types.Slice).Elem()
+		for i := nnormals; i < len(argtypes); i++ {
+			f.assign(tElem, argtypes[i])
+		}
+	}
+}
+
+// builtin visits the arguments of a builtin type with signature sig.
+func (f *Finder) builtin(obj *types.Builtin, sig *types.Signature, args []ast.Expr) {
+	switch obj.Name() {
+	case "make", "new":
+		for i, arg := range args {
+			if i == 0 && f.info.Types[arg].IsType() {
+				continue // skip the type operand
+			}
+			f.expr(arg)
+		}
+
+	case "append":
+		s := f.expr(args[0])
+		if _, ok := args[len(args)-1].(*ast.Ellipsis); ok && len(args) == 2 {
+			// append(x, y...)   including append([]byte, "foo"...)
+			f.expr(args[1])
+		} else {
+			// append(x, y, z)
+			tElem := typeparams.CoreType(s).(*types.Slice).Elem()
+			for _, arg := range args[1:] {
+				f.assign(tElem, f.expr(arg))
+			}
+		}
+
+	case "delete":
+		m := f.expr(args[0])
+		k := f.expr(args[1])
+		f.assign(typeparams.CoreType(m).(*types.Map).Key(), k)
+
+	default:
+		// ordinary call
+		f.call(sig, args)
+	}
+}
+
+func (f *Finder) extract(tuple types.Type, i int) types.Type {
+	if tuple, ok := tuple.(*types.Tuple); ok && i < tuple.Len() {
+		return tuple.At(i).Type()
+	}
+	return tInvalid
+}
+
+func (f *Finder) valueSpec(spec *ast.ValueSpec) {
+	var T types.Type
+	if spec.Type != nil {
+		T = f.info.Types[spec.Type].Type
+	}
+	switch len(spec.Values) {
+	case len(spec.Names): // e.g. var x, y = f(), g()
+		for _, value := range spec.Values {
+			v := f.expr(value)
+			if T != nil {
+				f.assign(T, v)
+			}
+		}
+
+	case 1: // e.g. var x, y = f()
+		tuple := f.exprN(spec.Values[0])
+		for i := range spec.Names {
+			if T != nil {
+				f.assign(T, f.extract(tuple, i))
+			}
+		}
+	}
+}
+
+// assign records pairs of distinct types that are related by
+// assignability, where the left-hand side is an interface and both
+// sides have methods.
+//
+// It should be called for all assignability checks, type assertions,
+// explicit conversions and comparisons between two types, unless the
+// types are uninteresting (e.g. lhs is a concrete type, or the empty
+// interface; rhs has no methods).
+func (f *Finder) assign(lhs, rhs types.Type) {
+	if types.Identical(lhs, rhs) {
+		return
+	}
+	if !types.IsInterface(lhs) {
+		return
+	}
+
+	if f.msetcache.MethodSet(lhs).Len() == 0 {
+		return
+	}
+	if f.msetcache.MethodSet(rhs).Len() == 0 {
+		return
+	}
+	// record the pair
+	f.Result[Constraint{lhs, rhs}] = true
+}
+
+// typeAssert must be called for each type assertion x.(T) where x has
+// interface type I.
+func (f *Finder) typeAssert(I, T types.Type) {
+	// Type assertions are slightly subtle, because they are allowed
+	// to be "impossible", e.g.
+	//
+	// 	var x interface{f()}
+	//	_ = x.(interface{f()int}) // legal
+	//
+	// (In hindsight, the language spec should probably not have
+	// allowed this, but it's too late to fix now.)
+	//
+	// This means that a type assert from I to T isn't exactly a
+	// constraint that T is assignable to I, but for a refactoring
+	// tool it is a conditional constraint that, if T is assignable
+	// to I before a refactoring, it should remain so after.
+
+	if types.AssignableTo(T, I) {
+		f.assign(I, T)
+	}
+}
+
+// compare must be called for each comparison x==y.
+func (f *Finder) compare(x, y types.Type) {
+	if types.AssignableTo(x, y) {
+		f.assign(y, x)
+	} else if types.AssignableTo(y, x) {
+		f.assign(x, y)
+	}
+}
+
+// expr visits a true expression (not a type or defining ident)
+// and returns its type.
+func (f *Finder) expr(e ast.Expr) types.Type {
+	tv := f.info.Types[e]
+	if tv.Value != nil {
+		return tv.Type // prune the descent for constants
+	}
+
+	// tv.Type may be nil for an ast.Ident.
+
+	switch e := e.(type) {
+	case *ast.BadExpr, *ast.BasicLit:
+		// no-op
+
+	case *ast.Ident:
+		// (referring idents only)
+		if obj, ok := f.info.Uses[e]; ok {
+			return obj.Type()
+		}
+		if e.Name == "_" { // e.g. "for _ = range x"
+			return tInvalid
+		}
+		panic("undefined ident: " + e.Name)
+
+	case *ast.Ellipsis:
+		if e.Elt != nil {
+			f.expr(e.Elt)
+		}
+
+	case *ast.FuncLit:
+		saved := f.sig
+		f.sig = tv.Type.(*types.Signature)
+		f.stmt(e.Body)
+		f.sig = saved
+
+	case *ast.CompositeLit:
+		switch T := typeparams.CoreType(typeparams.Deref(tv.Type)).(type) {
+		case *types.Struct:
+			for i, elem := range e.Elts {
+				if kv, ok := elem.(*ast.KeyValueExpr); ok {
+					f.assign(f.info.Uses[kv.Key.(*ast.Ident)].Type(), f.expr(kv.Value))
+				} else {
+					f.assign(T.Field(i).Type(), f.expr(elem))
+				}
+			}
+
+		case *types.Map:
+			for _, elem := range e.Elts {
+				elem := elem.(*ast.KeyValueExpr)
+				f.assign(T.Key(), f.expr(elem.Key))
+				f.assign(T.Elem(), f.expr(elem.Value))
+			}
+
+		case *types.Array, *types.Slice:
+			tElem := T.(interface {
+				Elem() types.Type
+			}).Elem()
+			for _, elem := range e.Elts {
+				if kv, ok := elem.(*ast.KeyValueExpr); ok {
+					// ignore the key
+					f.assign(tElem, f.expr(kv.Value))
+				} else {
+					f.assign(tElem, f.expr(elem))
+				}
+			}
+
+		default:
+			panic(fmt.Sprintf("unexpected composite literal type %T: %v", tv.Type, tv.Type.String()))
+		}
+
+	case *ast.ParenExpr:
+		f.expr(e.X)
+
+	case *ast.SelectorExpr:
+		if _, ok := f.info.Selections[e]; ok {
+			f.expr(e.X) // selection
+		} else {
+			return f.info.Uses[e.Sel].Type() // qualified identifier
+		}
+
+	case *ast.IndexExpr:
+		if instance(f.info, e.X) {
+			// f[T] or C[T] -- generic instantiation
+		} else {
+			// x[i] or m[k] -- index or lookup operation
+			x := f.expr(e.X)
+			i := f.expr(e.Index)
+			if ux, ok := typeparams.CoreType(x).(*types.Map); ok {
+				f.assign(ux.Key(), i)
+			}
+		}
+
+	case *ast.IndexListExpr:
+		// f[X, Y] -- generic instantiation
+
+	case *ast.SliceExpr:
+		f.expr(e.X)
+		if e.Low != nil {
+			f.expr(e.Low)
+		}
+		if e.High != nil {
+			f.expr(e.High)
+		}
+		if e.Max != nil {
+			f.expr(e.Max)
+		}
+
+	case *ast.TypeAssertExpr:
+		x := f.expr(e.X)
+		f.typeAssert(x, f.info.Types[e.Type].Type)
+
+	case *ast.CallExpr:
+		if tvFun := f.info.Types[e.Fun]; tvFun.IsType() {
+			// conversion
+			arg0 := f.expr(e.Args[0])
+			f.assign(tvFun.Type, arg0)
+		} else {
+			// function call
+
+			// unsafe call. Treat calls to functions in unsafe like ordinary calls,
+			// except that their signature cannot be determined by their func obj.
+			// Without this special handling, f.expr(e.Fun) would fail below.
+			if s, ok := ast.Unparen(e.Fun).(*ast.SelectorExpr); ok {
+				if obj, ok := f.info.Uses[s.Sel].(*types.Builtin); ok && obj.Pkg().Path() == "unsafe" {
+					sig := f.info.Types[e.Fun].Type.(*types.Signature)
+					f.call(sig, e.Args)
+					return tv.Type
+				}
+			}
+
+			// builtin call
+			if id, ok := ast.Unparen(e.Fun).(*ast.Ident); ok {
+				if obj, ok := f.info.Uses[id].(*types.Builtin); ok {
+					sig := f.info.Types[id].Type.(*types.Signature)
+					f.builtin(obj, sig, e.Args)
+					return tv.Type
+				}
+			}
+
+			// ordinary call
+			f.call(typeparams.CoreType(f.expr(e.Fun)).(*types.Signature), e.Args)
+		}
+
+	case *ast.StarExpr:
+		f.expr(e.X)
+
+	case *ast.UnaryExpr:
+		f.expr(e.X)
+
+	case *ast.BinaryExpr:
+		x := f.expr(e.X)
+		y := f.expr(e.Y)
+		if e.Op == token.EQL || e.Op == token.NEQ {
+			f.compare(x, y)
+		}
+
+	case *ast.KeyValueExpr:
+		f.expr(e.Key)
+		f.expr(e.Value)
+
+	case *ast.ArrayType,
+		*ast.StructType,
+		*ast.FuncType,
+		*ast.InterfaceType,
+		*ast.MapType,
+		*ast.ChanType:
+		panic(e)
+	}
+
+	if tv.Type == nil {
+		panic(fmt.Sprintf("no type for %T", e))
+	}
+
+	return tv.Type
+}
+
+func (f *Finder) stmt(s ast.Stmt) {
+	switch s := s.(type) {
+	case *ast.BadStmt,
+		*ast.EmptyStmt,
+		*ast.BranchStmt:
+		// no-op
+
+	case *ast.DeclStmt:
+		d := s.Decl.(*ast.GenDecl)
+		if d.Tok == token.VAR { // ignore consts
+			for _, spec := range d.Specs {
+				f.valueSpec(spec.(*ast.ValueSpec))
+			}
+		}
+
+	case *ast.LabeledStmt:
+		f.stmt(s.Stmt)
+
+	case *ast.ExprStmt:
+		f.expr(s.X)
+
+	case *ast.SendStmt:
+		ch := f.expr(s.Chan)
+		val := f.expr(s.Value)
+		f.assign(typeparams.CoreType(ch).(*types.Chan).Elem(), val)
+
+	case *ast.IncDecStmt:
+		f.expr(s.X)
+
+	case *ast.AssignStmt:
+		switch s.Tok {
+		case token.ASSIGN, token.DEFINE:
+			// y := x   or   y = x
+			var rhsTuple types.Type
+			if len(s.Lhs) != len(s.Rhs) {
+				rhsTuple = f.exprN(s.Rhs[0])
+			}
+			for i := range s.Lhs {
+				var lhs, rhs types.Type
+				if rhsTuple == nil {
+					rhs = f.expr(s.Rhs[i]) // 1:1 assignment
+				} else {
+					rhs = f.extract(rhsTuple, i) // n:1 assignment
+				}
+
+				if id, ok := s.Lhs[i].(*ast.Ident); ok {
+					if id.Name != "_" {
+						if obj, ok := f.info.Defs[id]; ok {
+							lhs = obj.Type() // definition
+						}
+					}
+				}
+				if lhs == nil {
+					lhs = f.expr(s.Lhs[i]) // assignment
+				}
+				f.assign(lhs, rhs)
+			}
+
+		default:
+			// y op= x
+			f.expr(s.Lhs[0])
+			f.expr(s.Rhs[0])
+		}
+
+	case *ast.GoStmt:
+		f.expr(s.Call)
+
+	case *ast.DeferStmt:
+		f.expr(s.Call)
+
+	case *ast.ReturnStmt:
+		formals := f.sig.Results()
+		switch len(s.Results) {
+		case formals.Len(): // 1:1
+			for i, result := range s.Results {
+				f.assign(formals.At(i).Type(), f.expr(result))
+			}
+
+		case 1: // n:1
+			tuple := f.exprN(s.Results[0])
+			for i := 0; i < formals.Len(); i++ {
+				f.assign(formals.At(i).Type(), f.extract(tuple, i))
+			}
+		}
+
+	case *ast.SelectStmt:
+		f.stmt(s.Body)
+
+	case *ast.BlockStmt:
+		for _, s := range s.List {
+			f.stmt(s)
+		}
+
+	case *ast.IfStmt:
+		if s.Init != nil {
+			f.stmt(s.Init)
+		}
+		f.expr(s.Cond)
+		f.stmt(s.Body)
+		if s.Else != nil {
+			f.stmt(s.Else)
+		}
+
+	case *ast.SwitchStmt:
+		if s.Init != nil {
+			f.stmt(s.Init)
+		}
+		var tag types.Type = tUntypedBool
+		if s.Tag != nil {
+			tag = f.expr(s.Tag)
+		}
+		for _, cc := range s.Body.List {
+			cc := cc.(*ast.CaseClause)
+			for _, cond := range cc.List {
+				f.compare(tag, f.info.Types[cond].Type)
+			}
+			for _, s := range cc.Body {
+				f.stmt(s)
+			}
+		}
+
+	case *ast.TypeSwitchStmt:
+		if s.Init != nil {
+			f.stmt(s.Init)
+		}
+		var I types.Type
+		switch ass := s.Assign.(type) {
+		case *ast.ExprStmt: // x.(type)
+			I = f.expr(ast.Unparen(ass.X).(*ast.TypeAssertExpr).X)
+		case *ast.AssignStmt: // y := x.(type)
+			I = f.expr(ast.Unparen(ass.Rhs[0]).(*ast.TypeAssertExpr).X)
+		}
+		for _, cc := range s.Body.List {
+			cc := cc.(*ast.CaseClause)
+			for _, cond := range cc.List {
+				tCase := f.info.Types[cond].Type
+				if tCase != tUntypedNil {
+					f.typeAssert(I, tCase)
+				}
+			}
+			for _, s := range cc.Body {
+				f.stmt(s)
+			}
+		}
+
+	case *ast.CommClause:
+		if s.Comm != nil {
+			f.stmt(s.Comm)
+		}
+		for _, s := range s.Body {
+			f.stmt(s)
+		}
+
+	case *ast.ForStmt:
+		if s.Init != nil {
+			f.stmt(s.Init)
+		}
+		if s.Cond != nil {
+			f.expr(s.Cond)
+		}
+		if s.Post != nil {
+			f.stmt(s.Post)
+		}
+		f.stmt(s.Body)
+
+	case *ast.RangeStmt:
+		x := f.expr(s.X)
+		// No conversions are involved when Tok==DEFINE.
+		if s.Tok == token.ASSIGN {
+			if s.Key != nil {
+				k := f.expr(s.Key)
+				var xelem types.Type
+				// Keys of array, *array, slice, string aren't interesting
+				// since the RHS key type is just an int.
+				switch ux := typeparams.CoreType(x).(type) {
+				case *types.Chan:
+					xelem = ux.Elem()
+				case *types.Map:
+					xelem = ux.Key()
+				}
+				if xelem != nil {
+					f.assign(k, xelem)
+				}
+			}
+			if s.Value != nil {
+				val := f.expr(s.Value)
+				var xelem types.Type
+				// Values of type strings aren't interesting because
+				// the RHS value type is just a rune.
+				switch ux := typeparams.CoreType(x).(type) {
+				case *types.Array:
+					xelem = ux.Elem()
+				case *types.Map:
+					xelem = ux.Elem()
+				case *types.Pointer: // *array
+					xelem = typeparams.CoreType(typeparams.Deref(ux)).(*types.Array).Elem()
+				case *types.Slice:
+					xelem = ux.Elem()
+				}
+				if xelem != nil {
+					f.assign(val, xelem)
+				}
+			}
+		}
+		f.stmt(s.Body)
+
+	default:
+		panic(s)
+	}
+}
+
+// -- Plundered from golang.org/x/tools/go/ssa -----------------
+
+func instance(info *types.Info, expr ast.Expr) bool {
+	var id *ast.Ident
+	switch x := expr.(type) {
+	case *ast.Ident:
+		id = x
+	case *ast.SelectorExpr:
+		id = x.Sel
+	default:
+		return false
+	}
+	_, ok := info.Instances[id]
+	return ok
+}
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go
index 8b462f3dfe..0b789e2c5e 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go
index db7806cb99..f840481726 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go
index 08505ba3fe..5d583b8660 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go
index a462e7d013..53e9dd1e99 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go
index c93b4f5248..d30fcee4ce 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go
index a1c543a948..175974a869 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go
index 2b54db3045..b8c4aa71f2 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go
index 9f81dbcd86..af9c44d93e 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go
index 0a2ffb5955..4b4f15477f 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go
index 57aaa2c9f5..ef27e878b9 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go
index c90c6015d2..7b973217ed 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go
index 0a5ca6a1b9..4ba3c7b2a8 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go b/vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go
index f388426b08..d083dde3ed 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go b/vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go
index 498020e33c..a69c1d4734 100644
--- a/vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index d9bfa6e1e7..2079de7b0e 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -1,73 +1,159 @@
 # How to contribute
 
-We definitely welcome your patches and contributions to gRPC! Please read the gRPC
-organization's [governance rules](https://github.com/grpc/grpc-community/blob/master/governance.md)
-and [contribution guidelines](https://github.com/grpc/grpc-community/blob/master/CONTRIBUTING.md) before proceeding.
+We welcome your patches and contributions to gRPC! Please read the gRPC
+organization's [governance
+rules](https://github.com/grpc/grpc-community/blob/master/governance.md) before
+proceeding.
 
 If you are new to GitHub, please start by reading [Pull Request howto](https://help.github.com/articles/about-pull-requests/)
 
 ## Legal requirements
 
 In order to protect both you and ourselves, you will need to sign the
-[Contributor License Agreement](https://identity.linuxfoundation.org/projects/cncf).
+[Contributor License
+Agreement](https://identity.linuxfoundation.org/projects/cncf). When you create
+your first PR, a link will be added as a comment that contains the steps needed
+to complete this process.
+
+## Getting Started
+
+A great way to start is by searching through our open issues. [Unassigned issues
+labeled as "help
+wanted"](https://github.com/grpc/grpc-go/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22Status%3A%20Help%20Wanted%22%20no%3Aassignee)
+are especially nice for first-time contributors, as they should be well-defined
+problems that already have agreed-upon solutions.
+
+## Code Style
+
+We follow [Google's published Go style
+guide](https://google.github.io/styleguide/go/). Note that there are three
+primary documents that make up this style guide; please follow them as closely
+as possible. If a reviewer recommends something that contradicts those
+guidelines, there may be valid reasons to do so, but it should be rare.
 
 ## Guidelines for Pull Requests
-How to get your contributions merged smoothly and quickly.
+
+Please read the following carefully to ensure your contributions can be merged
+smoothly and quickly.
+
+### PR Contents
 
 - Create **small PRs** that are narrowly focused on **addressing a single
-  concern**. We often times receive PRs that are trying to fix several things at
-  a time, but only one fix is considered acceptable, nothing gets merged and
-  both author's & review's time is wasted. Create more PRs to address different
-  concerns and everyone will be happy.
+  concern**. We often receive PRs that attempt to fix several things at the same
+  time, and if one part of the PR has a problem, that will hold up the entire
+  PR.
+
+- If your change does not address an **open issue** with an **agreed
+  resolution**, consider opening an issue and discussing it first. If you are
+  suggesting a behavioral or API change, consider starting with a [gRFC
+  proposal](https://github.com/grpc/proposal). Many new features that are not
+  bug fixes will require cross-language agreement.
+
+- If you want to fix **formatting or style**, consider whether your changes are
+  an obvious improvement or might be considered a personal preference. If a
+  style change is based on preference, it likely will not be accepted. If it
+  corrects widely agreed-upon anti-patterns, then please do create a PR and
+  explain the benefits of the change.
+
+- For correcting **misspellings**, please be aware that we use some terms that
+  are sometimes flagged by spell checkers. As an example, "if an only if" is
+  often written as "iff". Please do not make spelling correction changes unless
+  you are certain they are misspellings.
+
+- **All tests need to be passing** before your change can be merged. We
+  recommend you run tests locally before creating your PR to catch breakages
+  early on:
 
-- If you are searching for features to work on, issues labeled [Status: Help
-  Wanted](https://github.com/grpc/grpc-go/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22Status%3A+Help+Wanted%22)
-  is a great place to start. These issues are well-documented and usually can be
-  resolved with a single pull request.
+  - `./scripts/vet.sh` to catch vet errors.
+  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests.
+  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode.
 
-- If you are adding a new file, make sure it has the copyright message template
-  at the top as a comment. You can copy over the message from an existing file
-  and update the year.
+  Note that we have a multi-module repo, so `go test` commands may need to be
+  run from the root of each module in order to cause all tests to run.
+
+  *Alternatively*, you may find it easier to push your changes to your fork on
+  GitHub, which will trigger a GitHub Actions run that you can use to verify
+  everything is passing.
+
+- Note that there are two GitHub actions checks that need not be green:
+
+  1. We test the freshness of the generated proto code we maintain via the
+     `vet-proto` check. If the source proto files are updated, but our repo is
+     not updated, an optional checker will fail. This will be fixed by our team
+     in a separate PR and will not prevent the merge of your PR.
+
+  2. We run a checker that will fail if there is any change in dependencies of
+     an exported package via the `dependencies` check. If new dependencies are
+     added that are not appropriate, we may not accept your PR (see below).
+
+- If you are adding a **new file**, make sure it has the **copyright message**
+  template at the top as a comment. You can copy the message from an existing
+  file and update the year.
 
 - The grpc package should only depend on standard Go packages and a small number
-  of exceptions. If your contribution introduces new dependencies which are NOT
-  in the [list](https://godoc.org/google.golang.org/grpc?imports), you need a
-  discussion with gRPC-Go authors and consultants.
+  of exceptions. **If your contribution introduces new dependencies**, you will
+  need a discussion with gRPC-Go maintainers.
 
-- For speculative changes, consider opening an issue and discussing it first. If
-  you are suggesting a behavioral or API change, consider starting with a [gRFC
-  proposal](https://github.com/grpc/proposal).
+### PR Descriptions
 
-- Provide a good **PR description** as a record of **what** change is being made
-  and **why** it was made. Link to a GitHub issue if it exists.
+- **PR titles** should start with the name of the component being addressed, or
+  the type of change. Examples: transport, client, server, round_robin, xds,
+  cleanup, deps.
 
-- If you want to fix formatting or style, consider whether your changes are an
-  obvious improvement or might be considered a personal preference. If a style
-  change is based on preference, it likely will not be accepted. If it corrects
-  widely agreed-upon anti-patterns, then please do create a PR and explain the
-  benefits of the change.
+- Read and follow the **guidelines for PR titles and descriptions** here:
+  https://google.github.io/eng-practices/review/developer/cl-descriptions.html
 
-- Unless your PR is trivial, you should expect there will be reviewer comments
-  that you'll need to address before merging. We'll mark it as `Status: Requires
-  Reporter Clarification` if we expect you to respond to these comments in a
-  timely manner. If the PR remains inactive for 6 days, it will be marked as
-  `stale` and automatically close 7 days after that if we don't hear back from
-  you.
+  *particularly* the sections "First Line" and "Body is Informative".
 
-- Maintain **clean commit history** and use **meaningful commit messages**. PRs
-  with messy commit history are difficult to review and won't be merged. Use
-  `rebase -i upstream/master` to curate your commit history and/or to bring in
-  latest changes from master (but avoid rebasing in the middle of a code
-  review).
+  Note: your PR description will be used as the git commit message in a
+  squash-and-merge if your PR is approved. We may make changes to this as
+  necessary.
 
-- Keep your PR up to date with upstream/master (if there are merge conflicts, we
-  can't really merge your change).
+- **Does this PR relate to an open issue?** On the first line, please use the
+  tag `Fixes #<issue>` to ensure the issue is closed when the PR is merged. Or
+  use `Updates #<issue>` if the PR is related to an open issue, but does not fix
+  it. Consider filing an issue if one does not already exist.
 
-- **All tests need to be passing** before your change can be merged. We
-  recommend you **run tests locally** before creating your PR to catch breakages
-  early on.
-  - `./scripts/vet.sh` to catch vet errors
-  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests
-  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode
+- PR descriptions *must* conclude with **release notes** as follows:
+
+  ```
+  RELEASE NOTES:
+  * <component>: <summary>
+  ```
+
+  This need not match the PR title.
+
+  The summary must:
+
+  * be something that gRPC users will understand.
+
+  * clearly explain the feature being added, the issue being fixed, or the
+    behavior being changed, etc. If fixing a bug, be clear about how the bug
+    can be triggered by an end-user.
+
+  * begin with a capital letter and use complete sentences.
 
-- Exceptions to the rules can be made if there's a compelling reason for doing so.
+  * be as short as possible to describe the change being made.
+
+  If a PR is *not* end-user visible -- e.g. a cleanup, testing change, or
+  GitHub-related, use `RELEASE NOTES: n/a`.
+
+### PR Process
+
+- Please **self-review** your code changes before sending your PR. This will
+  prevent simple, obvious errors from causing delays.
+
+- Maintain a **clean commit history** and use **meaningful commit messages**.
+  PRs with messy commit histories are difficult to review and won't be merged.
+  Before sending your PR, ensure your changes are based on top of the latest
+  `upstream/master` commits, and avoid rebasing in the middle of a code review.
+  You should **never use `git push -f`** unless absolutely necessary during a
+  review, as it can interfere with GitHub's tracking of comments.
+
+- Unless your PR is trivial, you should **expect reviewer comments** that you
+  will need to address before merging. We'll label the PR as `Status: Requires
+  Reporter Clarification` if we expect you to respond to these comments in a
+  timely manner. If the PR remains inactive for 6 days, it will be marked as
+  `stale`, and we will automatically close it after 7 days if we don't hear back
+  from you. Please feel free to ping issues or bugs if you do not get a response
+  within a week.
diff --git a/vendor/google.golang.org/grpc/MAINTAINERS.md b/vendor/google.golang.org/grpc/MAINTAINERS.md
index 5d4096d46a..df35bb9a88 100644
--- a/vendor/google.golang.org/grpc/MAINTAINERS.md
+++ b/vendor/google.golang.org/grpc/MAINTAINERS.md
@@ -9,21 +9,19 @@ for general contribution guidelines.
 
 ## Maintainers (in alphabetical order)
 
-- [aranjans](https://github.com/aranjans), Google LLC
 - [arjan-bal](https://github.com/arjan-bal), Google LLC
 - [arvindbr8](https://github.com/arvindbr8), Google LLC
 - [atollena](https://github.com/atollena), Datadog, Inc.
 - [dfawley](https://github.com/dfawley), Google LLC
 - [easwars](https://github.com/easwars), Google LLC
-- [erm-g](https://github.com/erm-g), Google LLC
 - [gtcooke94](https://github.com/gtcooke94), Google LLC
-- [purnesh42h](https://github.com/purnesh42h), Google LLC
-- [zasweq](https://github.com/zasweq), Google LLC
 
 ## Emeritus Maintainers (in alphabetical order)
 - [adelez](https://github.com/adelez)
+- [aranjans](https://github.com/aranjans)
 - [canguler](https://github.com/canguler)
 - [cesarghali](https://github.com/cesarghali)
+- [erm-g](https://github.com/erm-g)
 - [iamqizhao](https://github.com/iamqizhao)
 - [jeanbza](https://github.com/jeanbza)
 - [jtattermusch](https://github.com/jtattermusch)
@@ -32,5 +30,7 @@ for general contribution guidelines.
 - [matt-kwong](https://github.com/matt-kwong)
 - [menghanl](https://github.com/menghanl)
 - [nicolasnoble](https://github.com/nicolasnoble)
+- [purnesh42h](https://github.com/purnesh42h)
 - [srini100](https://github.com/srini100)
 - [yongni](https://github.com/yongni)
+- [zasweq](https://github.com/zasweq)
diff --git a/vendor/google.golang.org/grpc/README.md b/vendor/google.golang.org/grpc/README.md
index b572707c62..f9a88d597e 100644
--- a/vendor/google.golang.org/grpc/README.md
+++ b/vendor/google.golang.org/grpc/README.md
@@ -32,6 +32,7 @@ import "google.golang.org/grpc"
 - [Low-level technical docs](Documentation) from this repository
 - [Performance benchmark][]
 - [Examples](examples)
+- [Contribution guidelines](CONTRIBUTING.md)
 
 ## FAQ
 
diff --git a/vendor/google.golang.org/grpc/balancer/balancer.go b/vendor/google.golang.org/grpc/balancer/balancer.go
index c9b343c715..b1264017db 100644
--- a/vendor/google.golang.org/grpc/balancer/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/balancer.go
@@ -360,6 +360,10 @@ type Balancer interface {
 	// call SubConn.Shutdown for its existing SubConns; however, this will be
 	// required in a future release, so it is recommended.
 	Close()
+	// ExitIdle instructs the LB policy to reconnect to backends / exit the
+	// IDLE state, if appropriate and possible.  Note that SubConns that enter
+	// the IDLE state will not reconnect until SubConn.Connect is called.
+	ExitIdle()
 }
 
 // ExitIdler is an optional interface for balancers to implement.  If
@@ -367,8 +371,8 @@ type Balancer interface {
 // the ClientConn is idle.  If unimplemented, ClientConn.Connect will cause
 // all SubConns to connect.
 //
-// Notice: it will be required for all balancers to implement this in a future
-// release.
+// Deprecated: All balancers must implement this interface. This interface will
+// be removed in a future release.
 type ExitIdler interface {
 	// ExitIdle instructs the LB policy to reconnect to backends / exit the
 	// IDLE state, if appropriate and possible.  Note that SubConns that enter
diff --git a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
index cc606f4dae..360db08ebc 100644
--- a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
+++ b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
@@ -37,6 +37,8 @@ import (
 	"google.golang.org/grpc/resolver"
 )
 
+var randIntN = rand.IntN
+
 // ChildState is the balancer state of a child along with the endpoint which
 // identifies the child balancer.
 type ChildState struct {
@@ -45,7 +47,15 @@ type ChildState struct {
 
 	// Balancer exposes only the ExitIdler interface of the child LB policy.
 	// Other methods of the child policy are called only by endpointsharding.
-	Balancer balancer.ExitIdler
+	Balancer ExitIdler
+}
+
+// ExitIdler provides access to only the ExitIdle method of the child balancer.
+type ExitIdler interface {
+	// ExitIdle instructs the LB policy to reconnect to backends / exit the
+	// IDLE state, if appropriate and possible.  Note that SubConns that enter
+	// the IDLE state will not reconnect until SubConn.Connect is called.
+	ExitIdle()
 }
 
 // Options are the options to configure the behaviour of the
@@ -104,6 +114,21 @@ type endpointSharding struct {
 	mu sync.Mutex
 }
 
+// rotateEndpoints returns a slice of all the input endpoints rotated a random
+// amount.
+func rotateEndpoints(es []resolver.Endpoint) []resolver.Endpoint {
+	les := len(es)
+	if les == 0 {
+		return es
+	}
+	r := randIntN(les)
+	// Make a copy to avoid mutating data beyond the end of es.
+	ret := make([]resolver.Endpoint, les)
+	copy(ret, es[r:])
+	copy(ret[les-r:], es[:r])
+	return ret
+}
+
 // UpdateClientConnState creates a child for new endpoints and deletes children
 // for endpoints that are no longer present. It also updates all the children,
 // and sends a single synchronous update of the childrens' aggregated state at
@@ -125,7 +150,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 	newChildren := resolver.NewEndpointMap[*balancerWrapper]()
 
 	// Update/Create new children.
-	for _, endpoint := range state.ResolverState.Endpoints {
+	for _, endpoint := range rotateEndpoints(state.ResolverState.Endpoints) {
 		if _, ok := newChildren.Get(endpoint); ok {
 			// Endpoint child was already created, continue to avoid duplicate
 			// update.
@@ -205,6 +230,16 @@ func (es *endpointSharding) Close() {
 	}
 }
 
+func (es *endpointSharding) ExitIdle() {
+	es.childMu.Lock()
+	defer es.childMu.Unlock()
+	for _, bw := range es.children.Load().Values() {
+		if !bw.isClosed {
+			bw.child.ExitIdle()
+		}
+	}
+}
+
 // updateState updates this component's state. It sends the aggregated state,
 // and a picker with round robin behavior with all the child states present if
 // needed.
@@ -261,7 +296,7 @@ func (es *endpointSharding) updateState() {
 	p := &pickerWithChildStates{
 		pickers:     pickers,
 		childStates: childStates,
-		next:        uint32(rand.IntN(len(pickers))),
+		next:        uint32(randIntN(len(pickers))),
 	}
 	es.cc.UpdateState(balancer.State{
 		ConnectivityState: aggState,
@@ -326,15 +361,13 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
 // ExitIdle pings an IDLE child balancer to exit idle in a new goroutine to
 // avoid deadlocks due to synchronous balancer state updates.
 func (bw *balancerWrapper) ExitIdle() {
-	if ei, ok := bw.child.(balancer.ExitIdler); ok {
-		go func() {
-			bw.es.childMu.Lock()
-			if !bw.isClosed {
-				ei.ExitIdle()
-			}
-			bw.es.childMu.Unlock()
-		}()
-	}
+	go func() {
+		bw.es.childMu.Lock()
+		if !bw.isClosed {
+			bw.child.ExitIdle()
+		}
+		bw.es.childMu.Unlock()
+	}()
 }
 
 // updateClientConnStateLocked delivers the ClientConnState to the child
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
index ea8899818c..b4bc3a2bf3 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
@@ -16,55 +16,124 @@
  *
  */
 
-// Package pickfirst contains the pick_first load balancing policy.
+// Package pickfirst contains the pick_first load balancing policy which
+// is the universal leaf policy.
 package pickfirst
 
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	rand "math/rand/v2"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/pickfirst/internal"
 	"google.golang.org/grpc/connectivity"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/pretty"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
-
-	_ "google.golang.org/grpc/balancer/pickfirst/pickfirstleaf" // For automatically registering the new pickfirst if required.
 )
 
 func init() {
-	if envconfig.NewPickFirstEnabled {
-		return
-	}
 	balancer.Register(pickfirstBuilder{})
 }
 
-var logger = grpclog.Component("pick-first-lb")
+// Name is the name of the pick_first balancer.
+const Name = "pick_first"
+
+// enableHealthListenerKeyType is a unique key type used in resolver
+// attributes to indicate whether the health listener usage is enabled.
+type enableHealthListenerKeyType struct{}
+
+var (
+	logger               = grpclog.Component("pick-first-leaf-lb")
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.disconnections",
+		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:        "{disconnection}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
+		Description: "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_failed",
+		Description: "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+)
 
 const (
-	// Name is the name of the pick_first balancer.
-	Name      = "pick_first"
-	logPrefix = "[pick-first-lb %p] "
+	// TODO: change to pick-first when this becomes the default pick_first policy.
+	logPrefix = "[pick-first-leaf-lb %p] "
+	// connectionDelayInterval is the time to wait for during the happy eyeballs
+	// pass before starting the next connection attempt.
+	connectionDelayInterval = 250 * time.Millisecond
+)
+
+type ipAddrFamily int
+
+const (
+	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
+	// address.
+	ipAddrFamilyUnknown ipAddrFamily = iota
+	ipAddrFamilyV4
+	ipAddrFamilyV6
 )
 
 type pickfirstBuilder struct{}
 
-func (pickfirstBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{cc: cc}
+func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
+	b := &pickfirstBalancer{
+		cc:              cc,
+		target:          bo.Target.String(),
+		metricsRecorder: cc.MetricsRecorder(),
+
+		subConns:              resolver.NewAddressMapV2[*scData](),
+		state:                 connectivity.Connecting,
+		cancelConnectionTimer: func() {},
+	}
 	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
 	return b
 }
 
-func (pickfirstBuilder) Name() string {
+func (b pickfirstBuilder) Name() string {
 	return Name
 }
 
+func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
+	var cfg pfConfig
+	if err := json.Unmarshal(js, &cfg); err != nil {
+		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+	}
+	return cfg, nil
+}
+
+// EnableHealthListener updates the state to configure pickfirst for using a
+// generic health listener.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func EnableHealthListener(state resolver.State) resolver.State {
+	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
+	return state
+}
+
 type pfConfig struct {
 	serviceconfig.LoadBalancingConfig `json:"-"`
 
@@ -74,90 +143,129 @@ type pfConfig struct {
 	ShuffleAddressList bool `json:"shuffleAddressList"`
 }
 
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+// scData keeps track of the current state of the subConn.
+// It is not safe for concurrent access.
+type scData struct {
+	// The following fields are initialized at build time and read-only after
+	// that.
+	subConn balancer.SubConn
+	addr    resolver.Address
+
+	rawConnectivityState connectivity.State
+	// The effective connectivity state based on raw connectivity, health state
+	// and after following sticky TransientFailure behaviour defined in A62.
+	effectiveState              connectivity.State
+	lastErr                     error
+	connectionFailedInFirstPass bool
+}
+
+func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
+	sd := &scData{
+		rawConnectivityState: connectivity.Idle,
+		effectiveState:       connectivity.Idle,
+		addr:                 addr,
 	}
-	return cfg, nil
+	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
+		StateListener: func(state balancer.SubConnState) {
+			b.updateSubConnState(sd, state)
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	sd.subConn = sc
+	return sd, nil
 }
 
 type pickfirstBalancer struct {
-	logger  *internalgrpclog.PrefixLogger
-	state   connectivity.State
-	cc      balancer.ClientConn
-	subConn balancer.SubConn
+	// The following fields are initialized at build time and read-only after
+	// that and therefore do not need to be guarded by a mutex.
+	logger          *internalgrpclog.PrefixLogger
+	cc              balancer.ClientConn
+	target          string
+	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
+
+	// The mutex is used to ensure synchronization of updates triggered
+	// from the idle picker and the already serialized resolver,
+	// SubConn state updates.
+	mu sync.Mutex
+	// State reported to the channel based on SubConn states and resolver
+	// updates.
+	state connectivity.State
+	// scData for active subonns mapped by address.
+	subConns              *resolver.AddressMapV2[*scData]
+	addressList           addressList
+	firstPass             bool
+	numTF                 int
+	cancelConnectionTimer func()
+	healthCheckingEnabled bool
 }
 
+// ResolverError is called by the ClientConn when the name resolver produces
+// an error or when pickfirst determined the resolver update to be invalid.
 func (b *pickfirstBalancer) ResolverError(err error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.resolverErrorLocked(err)
+}
+
+func (b *pickfirstBalancer) resolverErrorLocked(err error) {
 	if b.logger.V(2) {
 		b.logger.Infof("Received error from the name resolver: %v", err)
 	}
-	if b.subConn == nil {
-		b.state = connectivity.TransientFailure
-	}
 
-	if b.state != connectivity.TransientFailure {
-		// The picker will not change since the balancer does not currently
-		// report an error.
+	// The picker will not change since the balancer does not currently
+	// report an error. If the balancer hasn't received a single good resolver
+	// update yet, transition to TRANSIENT_FAILURE.
+	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
+		if b.logger.V(2) {
+			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
+		}
 		return
 	}
-	b.cc.UpdateState(balancer.State{
+
+	b.updateBalancerState(balancer.State{
 		ConnectivityState: connectivity.TransientFailure,
 		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
 	})
 }
 
-// Shuffler is an interface for shuffling an address list.
-type Shuffler interface {
-	ShuffleAddressListForTesting(n int, swap func(i, j int))
-}
-
-// ShuffleAddressListForTesting pseudo-randomizes the order of addresses.  n
-// is the number of elements.  swap swaps the elements with indexes i and j.
-func ShuffleAddressListForTesting(n int, swap func(i, j int)) { rand.Shuffle(n, swap) }
-
 func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.cancelConnectionTimer()
 	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// The resolver reported an empty address list. Treat it like an error by
-		// calling b.ResolverError.
-		if b.subConn != nil {
-			// Shut down the old subConn. All addresses were removed, so it is
-			// no longer valid.
-			b.subConn.Shutdown()
-			b.subConn = nil
-		}
-		b.ResolverError(errors.New("produced zero addresses"))
+		// Cleanup state pertaining to the previous resolver state.
+		// Treat an empty address list like an error by calling b.ResolverError.
+		b.closeSubConnsLocked()
+		b.addressList.updateAddrs(nil)
+		b.resolverErrorLocked(errors.New("produced zero addresses"))
 		return balancer.ErrBadResolverState
 	}
-	// We don't have to guard this block with the env var because ParseConfig
-	// already does so.
+	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
 	cfg, ok := state.BalancerConfig.(pfConfig)
 	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v", state.BalancerConfig, state.BalancerConfig)
+		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
 	}
 
 	if b.logger.V(2) {
 		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
 	}
 
-	var addrs []resolver.Address
+	var newAddrs []resolver.Address
 	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling will
-		// change the order of endpoints but not touch the order of the addresses
-		// within each endpoint. - A61
+		// Perform the optional shuffling described in gRFC A62. The shuffling
+		// will change the order of endpoints but not touch the order of the
+		// addresses within each endpoint. - A61
 		if cfg.ShuffleAddressList {
 			endpoints = append([]resolver.Endpoint{}, endpoints...)
 			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
 		}
 
-		// "Flatten the list by concatenating the ordered list of addresses for each
-		// of the endpoints, in order." - A61
+		// "Flatten the list by concatenating the ordered list of addresses for
+		// each of the endpoints, in order." - A61
 		for _, endpoint := range endpoints {
-			// "In the flattened list, interleave addresses from the two address
-			// families, as per RFC-8304 section 4." - A61
-			// TODO: support the above language.
-			addrs = append(addrs, endpoint.Addresses...)
+			newAddrs = append(newAddrs, endpoint.Addresses...)
 		}
 	} else {
 		// Endpoints not set, process addresses until we migrate resolver
@@ -166,42 +274,53 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
 		// target do not forward the corresponding correct endpoints down/split
 		// endpoints properly. Once all balancers correctly forward endpoints
 		// down, can delete this else conditional.
-		addrs = state.ResolverState.Addresses
+		newAddrs = state.ResolverState.Addresses
 		if cfg.ShuffleAddressList {
-			addrs = append([]resolver.Address{}, addrs...)
-			rand.Shuffle(len(addrs), func(i, j int) { addrs[i], addrs[j] = addrs[j], addrs[i] })
+			newAddrs = append([]resolver.Address{}, newAddrs...)
+			internal.RandShuffle(len(newAddrs), func(i, j int) { newAddrs[i], newAddrs[j] = newAddrs[j], newAddrs[i] })
 		}
 	}
 
-	if b.subConn != nil {
-		b.cc.UpdateAddresses(b.subConn, addrs)
+	// If an address appears in multiple endpoints or in the same endpoint
+	// multiple times, we keep it only once. We will create only one SubConn
+	// for the address because an AddressMap is used to store SubConns.
+	// Not de-duplicating would result in attempting to connect to the same
+	// SubConn multiple times in the same pass. We don't want this.
+	newAddrs = deDupAddresses(newAddrs)
+	newAddrs = interleaveAddresses(newAddrs)
+
+	prevAddr := b.addressList.currentAddress()
+	prevSCData, found := b.subConns.Get(prevAddr)
+	prevAddrsCount := b.addressList.size()
+	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
+	b.addressList.updateAddrs(newAddrs)
+
+	// If the previous ready SubConn exists in new address list,
+	// keep this connection and don't create new SubConns.
+	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
 		return nil
 	}
 
-	var subConn balancer.SubConn
-	subConn, err := b.cc.NewSubConn(addrs, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(subConn, state)
-		},
-	})
-	if err != nil {
-		if b.logger.V(2) {
-			b.logger.Infof("Failed to create new SubConn: %v", err)
-		}
-		b.state = connectivity.TransientFailure
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("error creating connection: %v", err)},
+	b.reconcileSubConnsLocked(newAddrs)
+	// If it's the first resolver update or the balancer was already READY
+	// (but the new address list does not contain the ready SubConn) or
+	// CONNECTING, enter CONNECTING.
+	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
+	// we should still enter CONNECTING because the sticky TF behaviour
+	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
+	// due to connectivity failures.
+	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
+		// Start connection attempt at first address.
+		b.forceUpdateConcludedStateLocked(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
-		return balancer.ErrBadResolverState
+		b.startFirstPassLocked()
+	} else if b.state == connectivity.TransientFailure {
+		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
+		// we're READY. See A62.
+		b.startFirstPassLocked()
 	}
-	b.subConn = subConn
-	b.state = connectivity.Idle
-	b.cc.UpdateState(balancer.State{
-		ConnectivityState: connectivity.Connecting,
-		Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-	})
-	b.subConn.Connect()
 	return nil
 }
 
@@ -211,63 +330,484 @@ func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state b
 	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
 }
 
-func (b *pickfirstBalancer) updateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received SubConn state update: %p, %+v", subConn, state)
+func (b *pickfirstBalancer) Close() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.closeSubConnsLocked()
+	b.cancelConnectionTimer()
+	b.state = connectivity.Shutdown
+}
+
+// ExitIdle moves the balancer out of idle state. It can be called concurrently
+// by the idlePicker and clientConn so access to variables should be
+// synchronized.
+func (b *pickfirstBalancer) ExitIdle() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.state == connectivity.Idle {
+		// Move the balancer into CONNECTING state immediately. This is done to
+		// avoid staying in IDLE if a resolver update arrives before the first
+		// SubConn reports CONNECTING.
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+		})
+		b.startFirstPassLocked()
+	}
+}
+
+func (b *pickfirstBalancer) startFirstPassLocked() {
+	b.firstPass = true
+	b.numTF = 0
+	// Reset the connection attempt record for existing SubConns.
+	for _, sd := range b.subConns.Values() {
+		sd.connectionFailedInFirstPass = false
+	}
+	b.requestConnectionLocked()
+}
+
+func (b *pickfirstBalancer) closeSubConnsLocked() {
+	for _, sd := range b.subConns.Values() {
+		sd.subConn.Shutdown()
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+}
+
+// deDupAddresses ensures that each address appears only once in the slice.
+func deDupAddresses(addrs []resolver.Address) []resolver.Address {
+	seenAddrs := resolver.NewAddressMapV2[bool]()
+	retAddrs := []resolver.Address{}
+
+	for _, addr := range addrs {
+		if _, ok := seenAddrs.Get(addr); ok {
+			continue
+		}
+		seenAddrs.Set(addr, true)
+		retAddrs = append(retAddrs, addr)
+	}
+	return retAddrs
+}
+
+// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
+// as per RFC-8305 section 4.
+// Whichever address family is first in the list is followed by an address of
+// the other address family; that is, if the first address in the list is IPv6,
+// then the first IPv4 address should be moved up in the list to be second in
+// the list. It doesn't support configuring "First Address Family Count", i.e.
+// there will always be a single member of the first address family at the
+// beginning of the interleaved list.
+// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
+// "unknown" family for interleaving.
+// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
+func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
+	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
+	interleavingOrder := []ipAddrFamily{}
+	for _, addr := range addrs {
+		family := addressFamily(addr.Addr)
+		if _, found := familyAddrsMap[family]; !found {
+			interleavingOrder = append(interleavingOrder, family)
+		}
+		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
+	}
+
+	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
+
+	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
+		// Some IP types may have fewer addresses than others, so we look for
+		// the next type that has a remaining member to add to the interleaved
+		// list.
+		family := interleavingOrder[curFamilyIdx]
+		remainingMembers := familyAddrsMap[family]
+		if len(remainingMembers) > 0 {
+			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
+			familyAddrsMap[family] = remainingMembers[1:]
+		}
+	}
+
+	return interleavedAddrs
+}
+
+// addressFamily returns the ipAddrFamily after parsing the address string.
+// If the address isn't of the format "ip-address:port", it returns
+// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
+// using a resolver like passthrough where the address may be a hostname in
+// some format that the dialer can resolve.
+func addressFamily(address string) ipAddrFamily {
+	// Parse the IP after removing the port.
+	host, _, err := net.SplitHostPort(address)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	ip, err := netip.ParseAddr(host)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	switch {
+	case ip.Is4() || ip.Is4In6():
+		return ipAddrFamilyV4
+	case ip.Is6():
+		return ipAddrFamilyV6
+	default:
+		return ipAddrFamilyUnknown
+	}
+}
+
+// reconcileSubConnsLocked updates the active subchannels based on a new address
+// list from the resolver. It does this by:
+//   - closing subchannels: any existing subchannels associated with addresses
+//     that are no longer in the updated list are shut down.
+//   - removing subchannels: entries for these closed subchannels are removed
+//     from the subchannel map.
+//
+// This ensures that the subchannel map accurately reflects the current set of
+// addresses received from the name resolver.
+func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
+	newAddrsMap := resolver.NewAddressMapV2[bool]()
+	for _, addr := range newAddrs {
+		newAddrsMap.Set(addr, true)
+	}
+
+	for _, oldAddr := range b.subConns.Keys() {
+		if _, ok := newAddrsMap.Get(oldAddr); ok {
+			continue
+		}
+		val, _ := b.subConns.Get(oldAddr)
+		val.subConn.Shutdown()
+		b.subConns.Delete(oldAddr)
+	}
+}
+
+// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
+// becomes ready, which means that all other subConn must be shutdown.
+func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
+	b.cancelConnectionTimer()
+	for _, sd := range b.subConns.Values() {
+		if sd.subConn != selected.subConn {
+			sd.subConn.Shutdown()
+		}
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+	b.subConns.Set(selected.addr, selected)
+}
+
+// requestConnectionLocked starts connecting on the subchannel corresponding to
+// the current address. If no subchannel exists, one is created. If the current
+// subchannel is in TransientFailure, a connection to the next address is
+// attempted until a subchannel is found.
+func (b *pickfirstBalancer) requestConnectionLocked() {
+	if !b.addressList.isValid() {
+		return
+	}
+	var lastErr error
+	for valid := true; valid; valid = b.addressList.increment() {
+		curAddr := b.addressList.currentAddress()
+		sd, ok := b.subConns.Get(curAddr)
+		if !ok {
+			var err error
+			// We want to assign the new scData to sd from the outer scope,
+			// hence we can't use := below.
+			sd, err = b.newSCData(curAddr)
+			if err != nil {
+				// This should never happen, unless the clientConn is being shut
+				// down.
+				if b.logger.V(2) {
+					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
+				}
+				// Do nothing, the LB policy will be closed soon.
+				return
+			}
+			b.subConns.Set(curAddr, sd)
+		}
+
+		switch sd.rawConnectivityState {
+		case connectivity.Idle:
+			sd.subConn.Connect()
+			b.scheduleNextConnectionLocked()
+			return
+		case connectivity.TransientFailure:
+			// The SubConn is being re-used and failed during a previous pass
+			// over the addressList. It has not completed backoff yet.
+			// Mark it as having failed and try the next address.
+			sd.connectionFailedInFirstPass = true
+			lastErr = sd.lastErr
+			continue
+		case connectivity.Connecting:
+			// Wait for the connection attempt to complete or the timer to fire
+			// before attempting the next address.
+			b.scheduleNextConnectionLocked()
+			return
+		default:
+			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
+			return
+
+		}
+	}
+
+	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
+	// first pass if possible.
+	b.endFirstPassIfPossibleLocked(lastErr)
+}
+
+func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
+	b.cancelConnectionTimer()
+	if !b.addressList.hasNext() {
+		return
 	}
-	if b.subConn != subConn {
+	curAddr := b.addressList.currentAddress()
+	cancelled := false // Access to this is protected by the balancer's mutex.
+	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
+		b.mu.Lock()
+		defer b.mu.Unlock()
+		// If the scheduled task is cancelled while acquiring the mutex, return.
+		if cancelled {
+			return
+		}
 		if b.logger.V(2) {
-			b.logger.Infof("Ignored state change because subConn is not recognized")
+			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
+		}
+		if b.addressList.increment() {
+			b.requestConnectionLocked()
 		}
+	})
+	// Access to the cancellation callback held by the balancer is guarded by
+	// the balancer's mutex, so it's safe to set the boolean from the callback.
+	b.cancelConnectionTimer = sync.OnceFunc(func() {
+		cancelled = true
+		closeFn()
+	})
+}
+
+func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	oldState := sd.rawConnectivityState
+	sd.rawConnectivityState = newState.ConnectivityState
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes this
+	// SubConn.
+	if !b.isActiveSCData(sd) {
 		return
 	}
-	if state.ConnectivityState == connectivity.Shutdown {
-		b.subConn = nil
+	if newState.ConnectivityState == connectivity.Shutdown {
+		sd.effectiveState = connectivity.Shutdown
 		return
 	}
 
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{result: balancer.PickResult{SubConn: subConn}},
-		})
-	case connectivity.Connecting:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. See A62.
+	// Record a connection attempt when exiting CONNECTING.
+	if newState.ConnectivityState == connectivity.TransientFailure {
+		sd.connectionFailedInFirstPass = true
+		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
+	}
+
+	if newState.ConnectivityState == connectivity.Ready {
+		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		b.shutdownRemainingLocked(sd)
+		if !b.addressList.seekTo(sd.addr) {
+			// This should not fail as we should have only one SubConn after
+			// entering READY. The SubConn should be present in the addressList.
+			b.logger.Errorf("Address %q not found address list in %v", sd.addr, b.addressList.addresses)
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
+		if !b.healthCheckingEnabled {
+			if b.logger.V(2) {
+				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
+			}
+
+			sd.effectiveState = connectivity.Ready
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.Ready,
+				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
+			})
+			return
+		}
+		if b.logger.V(2) {
+			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
+		}
+		// Send a CONNECTING update to take the SubConn out of sticky-TF if
+		// required.
+		sd.effectiveState = connectivity.Connecting
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
 			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
+			b.updateSubConnHealthState(sd, scs)
+		})
+		return
+	}
+
+	// If the LB policy is READY, and it receives a subchannel state change,
+	// it means that the READY subchannel has failed.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
+		// Once a transport fails, the balancer enters IDLE and starts from
+		// the first address when the picker is used.
+		b.shutdownRemainingLocked(sd)
+		sd.effectiveState = newState.ConnectivityState
+		// READY SubConn interspliced in between CONNECTING and IDLE, need to
+		// account for that.
+		if oldState == connectivity.Connecting {
+			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
+			// causes a race that prevents the READY state change notification.
+			// This works around it.
+			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		}
+		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
+		b.addressList.reset()
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Idle,
+			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
+		})
+		return
+	}
+
+	if b.firstPass {
+		switch newState.ConnectivityState {
+		case connectivity.Connecting:
+			// The effective state can be in either IDLE, CONNECTING or
+			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
+			// TRANSIENT_FAILURE until it's READY. See A62.
+			if sd.effectiveState != connectivity.TransientFailure {
+				sd.effectiveState = connectivity.Connecting
+				b.updateBalancerState(balancer.State{
+					ConnectivityState: connectivity.Connecting,
+					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+				})
+			}
+		case connectivity.TransientFailure:
+			sd.lastErr = newState.ConnectionError
+			sd.effectiveState = connectivity.TransientFailure
+			// Since we're re-using common SubConns while handling resolver
+			// updates, we could receive an out of turn TRANSIENT_FAILURE from
+			// a pass over the previous address list. Happy Eyeballs will also
+			// cause out of order updates to arrive.
+
+			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
+				b.cancelConnectionTimer()
+				if b.addressList.increment() {
+					b.requestConnectionLocked()
+					return
+				}
+			}
+
+			// End the first pass if we've seen a TRANSIENT_FAILURE from all
+			// SubConns once.
+			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
+		}
+		return
+	}
+
+	// We have finished the first pass, keep re-connecting failing SubConns.
+	switch newState.ConnectivityState {
+	case connectivity.TransientFailure:
+		b.numTF = (b.numTF + 1) % b.subConns.Len()
+		sd.lastErr = newState.ConnectionError
+		if b.numTF%b.subConns.Len() == 0 {
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.TransientFailure,
+				Picker:            &picker{err: newState.ConnectionError},
+			})
+		}
+		// We don't need to request re-resolution since the SubConn already
+		// does that before reporting TRANSIENT_FAILURE.
+		// TODO: #7534 - Move re-resolution requests from SubConn into
+		// pick_first.
 	case connectivity.Idle:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. Also kick the
-			// subConn out of Idle into Connecting. See A62.
-			b.subConn.Connect()
+		sd.subConn.Connect()
+	}
+}
+
+// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
+// addresses are tried and their SubConns have reported a failure.
+func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
+	// An optimization to avoid iterating over the entire SubConn map.
+	if b.addressList.isValid() {
+		return
+	}
+	// Connect() has been called on all the SubConns. The first pass can be
+	// ended if all the SubConns have reported a failure.
+	for _, sd := range b.subConns.Values() {
+		if !sd.connectionFailedInFirstPass {
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &idlePicker{subConn: subConn},
+	}
+	b.firstPass = false
+	b.updateBalancerState(balancer.State{
+		ConnectivityState: connectivity.TransientFailure,
+		Picker:            &picker{err: lastErr},
+	})
+	// Start re-connecting all the SubConns that are already in IDLE.
+	for _, sd := range b.subConns.Values() {
+		if sd.rawConnectivityState == connectivity.Idle {
+			sd.subConn.Connect()
+		}
+	}
+}
+
+func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
+	activeSD, found := b.subConns.Get(sd.addr)
+	return found && activeSD == sd
+}
+
+func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes
+	// this SubConn.
+	if !b.isActiveSCData(sd) {
+		return
+	}
+	sd.effectiveState = state.ConnectivityState
+	switch state.ConnectivityState {
+	case connectivity.Ready:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Ready,
+			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
 		})
 	case connectivity.TransientFailure:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{err: state.ConnectionError},
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.TransientFailure,
+			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
+		})
+	case connectivity.Connecting:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+	default:
+		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
 	}
-	b.state = state.ConnectivityState
 }
 
-func (b *pickfirstBalancer) Close() {
+// updateBalancerState stores the state reported to the channel and calls
+// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
+// updates to the channel.
+func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
+	// In case of TransientFailures allow the picker to be updated to update
+	// the connectivity error, in all other cases don't send duplicate state
+	// updates.
+	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
+		return
+	}
+	b.forceUpdateConcludedStateLocked(newState)
 }
 
-func (b *pickfirstBalancer) ExitIdle() {
-	if b.subConn != nil && b.state == connectivity.Idle {
-		b.subConn.Connect()
-	}
+// forceUpdateConcludedStateLocked stores the state reported to the channel and
+// calls ClientConn.UpdateState().
+// A separate function is defined to force update the ClientConn state since the
+// channel doesn't correctly assume that LB policies start in CONNECTING and
+// relies on LB policy to send an initial CONNECTING update.
+func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
+	b.state = newState.ConnectivityState
+	b.cc.UpdateState(newState)
 }
 
 type picker struct {
@@ -282,10 +822,87 @@ func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
 // idlePicker is used when the SubConn is IDLE and kicks the SubConn into
 // CONNECTING when Pick is called.
 type idlePicker struct {
-	subConn balancer.SubConn
+	exitIdle func()
 }
 
 func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.subConn.Connect()
+	i.exitIdle()
 	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
 }
+
+// addressList manages sequentially iterating over addresses present in a list
+// of endpoints. It provides a 1 dimensional view of the addresses present in
+// the endpoints.
+// This type is not safe for concurrent access.
+type addressList struct {
+	addresses []resolver.Address
+	idx       int
+}
+
+func (al *addressList) isValid() bool {
+	return al.idx < len(al.addresses)
+}
+
+func (al *addressList) size() int {
+	return len(al.addresses)
+}
+
+// increment moves to the next index in the address list.
+// This method returns false if it went off the list, true otherwise.
+func (al *addressList) increment() bool {
+	if !al.isValid() {
+		return false
+	}
+	al.idx++
+	return al.idx < len(al.addresses)
+}
+
+// currentAddress returns the current address pointed to in the addressList.
+// If the list is in an invalid state, it returns an empty address instead.
+func (al *addressList) currentAddress() resolver.Address {
+	if !al.isValid() {
+		return resolver.Address{}
+	}
+	return al.addresses[al.idx]
+}
+
+func (al *addressList) reset() {
+	al.idx = 0
+}
+
+func (al *addressList) updateAddrs(addrs []resolver.Address) {
+	al.addresses = addrs
+	al.reset()
+}
+
+// seekTo returns false if the needle was not found and the current index was
+// left unchanged.
+func (al *addressList) seekTo(needle resolver.Address) bool {
+	for ai, addr := range al.addresses {
+		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
+			continue
+		}
+		al.idx = ai
+		return true
+	}
+	return false
+}
+
+// hasNext returns whether incrementing the addressList will result in moving
+// past the end of the list. If the list has already moved past the end, it
+// returns false.
+func (al *addressList) hasNext() bool {
+	if !al.isValid() {
+		return false
+	}
+	return al.idx+1 < len(al.addresses)
+}
+
+// equalAddressIgnoringBalAttributes returns true is a and b are considered
+// equal. This is different from the Equal method on the resolver.Address type
+// which considers all fields to determine equality. Here, we only consider
+// fields that are meaningful to the SubConn.
+func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
+	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
+		a.Attributes.Equal(b.Attributes)
+}
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
deleted file mode 100644
index 494314f235..0000000000
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ /dev/null
@@ -1,927 +0,0 @@
-/*
- *
- * Copyright 2024 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package pickfirstleaf contains the pick_first load balancing policy which
-// will be the universal leaf policy after dualstack changes are implemented.
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
-package pickfirstleaf
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	"google.golang.org/grpc/balancer"
-	"google.golang.org/grpc/balancer/pickfirst/internal"
-	"google.golang.org/grpc/connectivity"
-	expstats "google.golang.org/grpc/experimental/stats"
-	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
-	internalgrpclog "google.golang.org/grpc/internal/grpclog"
-	"google.golang.org/grpc/internal/pretty"
-	"google.golang.org/grpc/resolver"
-	"google.golang.org/grpc/serviceconfig"
-)
-
-func init() {
-	if envconfig.NewPickFirstEnabled {
-		// Register as the default pick_first balancer.
-		Name = "pick_first"
-	}
-	balancer.Register(pickfirstBuilder{})
-}
-
-type (
-	// enableHealthListenerKeyType is a unique key type used in resolver
-	// attributes to indicate whether the health listener usage is enabled.
-	enableHealthListenerKeyType struct{}
-	// managedByPickfirstKeyType is an attribute key type to inform Outlier
-	// Detection that the generic health listener is being used.
-	// TODO: https://github.com/grpc/grpc-go/issues/7915 - Remove this when
-	// implementing the dualstack design. This is a hack. Once Dualstack is
-	// completed, outlier detection will stop sending ejection updates through
-	// the connectivity listener.
-	managedByPickfirstKeyType struct{}
-)
-
-var (
-	logger = grpclog.Component("pick-first-leaf-lb")
-	// Name is the name of the pick_first_leaf balancer.
-	// It is changed to "pick_first" in init() if this balancer is to be
-	// registered as the default pickfirst.
-	Name                 = "pick_first_leaf"
-	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.disconnections",
-		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
-		Unit:        "disconnection",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
-		Description: "EXPERIMENTAL. Number of successful connection attempts.",
-		Unit:        "attempt",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_failed",
-		Description: "EXPERIMENTAL. Number of failed connection attempts.",
-		Unit:        "attempt",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-)
-
-const (
-	// TODO: change to pick-first when this becomes the default pick_first policy.
-	logPrefix = "[pick-first-leaf-lb %p] "
-	// connectionDelayInterval is the time to wait for during the happy eyeballs
-	// pass before starting the next connection attempt.
-	connectionDelayInterval = 250 * time.Millisecond
-)
-
-type ipAddrFamily int
-
-const (
-	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
-	// address.
-	ipAddrFamilyUnknown ipAddrFamily = iota
-	ipAddrFamilyV4
-	ipAddrFamilyV6
-)
-
-type pickfirstBuilder struct{}
-
-func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{
-		cc:              cc,
-		target:          bo.Target.String(),
-		metricsRecorder: cc.MetricsRecorder(),
-
-		subConns:              resolver.NewAddressMapV2[*scData](),
-		state:                 connectivity.Connecting,
-		cancelConnectionTimer: func() {},
-	}
-	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
-	return b
-}
-
-func (b pickfirstBuilder) Name() string {
-	return Name
-}
-
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
-	}
-	return cfg, nil
-}
-
-// EnableHealthListener updates the state to configure pickfirst for using a
-// generic health listener.
-func EnableHealthListener(state resolver.State) resolver.State {
-	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
-	return state
-}
-
-// IsManagedByPickfirst returns whether an address belongs to a SubConn
-// managed by the pickfirst LB policy.
-// TODO: https://github.com/grpc/grpc-go/issues/7915 - This is a hack to disable
-// outlier_detection via the with connectivity listener when using pick_first.
-// Once Dualstack changes are complete, all SubConns will be created by
-// pick_first and outlier detection will only use the health listener for
-// ejection. This hack can then be removed.
-func IsManagedByPickfirst(addr resolver.Address) bool {
-	return addr.BalancerAttributes.Value(managedByPickfirstKeyType{}) != nil
-}
-
-type pfConfig struct {
-	serviceconfig.LoadBalancingConfig `json:"-"`
-
-	// If set to true, instructs the LB policy to shuffle the order of the list
-	// of endpoints received from the name resolver before attempting to
-	// connect to them.
-	ShuffleAddressList bool `json:"shuffleAddressList"`
-}
-
-// scData keeps track of the current state of the subConn.
-// It is not safe for concurrent access.
-type scData struct {
-	// The following fields are initialized at build time and read-only after
-	// that.
-	subConn balancer.SubConn
-	addr    resolver.Address
-
-	rawConnectivityState connectivity.State
-	// The effective connectivity state based on raw connectivity, health state
-	// and after following sticky TransientFailure behaviour defined in A62.
-	effectiveState              connectivity.State
-	lastErr                     error
-	connectionFailedInFirstPass bool
-}
-
-func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
-	addr.BalancerAttributes = addr.BalancerAttributes.WithValue(managedByPickfirstKeyType{}, true)
-	sd := &scData{
-		rawConnectivityState: connectivity.Idle,
-		effectiveState:       connectivity.Idle,
-		addr:                 addr,
-	}
-	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(sd, state)
-		},
-	})
-	if err != nil {
-		return nil, err
-	}
-	sd.subConn = sc
-	return sd, nil
-}
-
-type pickfirstBalancer struct {
-	// The following fields are initialized at build time and read-only after
-	// that and therefore do not need to be guarded by a mutex.
-	logger          *internalgrpclog.PrefixLogger
-	cc              balancer.ClientConn
-	target          string
-	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
-
-	// The mutex is used to ensure synchronization of updates triggered
-	// from the idle picker and the already serialized resolver,
-	// SubConn state updates.
-	mu sync.Mutex
-	// State reported to the channel based on SubConn states and resolver
-	// updates.
-	state connectivity.State
-	// scData for active subonns mapped by address.
-	subConns              *resolver.AddressMapV2[*scData]
-	addressList           addressList
-	firstPass             bool
-	numTF                 int
-	cancelConnectionTimer func()
-	healthCheckingEnabled bool
-}
-
-// ResolverError is called by the ClientConn when the name resolver produces
-// an error or when pickfirst determined the resolver update to be invalid.
-func (b *pickfirstBalancer) ResolverError(err error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.resolverErrorLocked(err)
-}
-
-func (b *pickfirstBalancer) resolverErrorLocked(err error) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received error from the name resolver: %v", err)
-	}
-
-	// The picker will not change since the balancer does not currently
-	// report an error. If the balancer hasn't received a single good resolver
-	// update yet, transition to TRANSIENT_FAILURE.
-	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
-		if b.logger.V(2) {
-			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
-		}
-		return
-	}
-
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
-	})
-}
-
-func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.cancelConnectionTimer()
-	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// Cleanup state pertaining to the previous resolver state.
-		// Treat an empty address list like an error by calling b.ResolverError.
-		b.closeSubConnsLocked()
-		b.addressList.updateAddrs(nil)
-		b.resolverErrorLocked(errors.New("produced zero addresses"))
-		return balancer.ErrBadResolverState
-	}
-	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
-	cfg, ok := state.BalancerConfig.(pfConfig)
-	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
-	}
-
-	if b.logger.V(2) {
-		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
-	}
-
-	var newAddrs []resolver.Address
-	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling
-		// will change the order of endpoints but not touch the order of the
-		// addresses within each endpoint. - A61
-		if cfg.ShuffleAddressList {
-			endpoints = append([]resolver.Endpoint{}, endpoints...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-
-		// "Flatten the list by concatenating the ordered list of addresses for
-		// each of the endpoints, in order." - A61
-		for _, endpoint := range endpoints {
-			newAddrs = append(newAddrs, endpoint.Addresses...)
-		}
-	} else {
-		// Endpoints not set, process addresses until we migrate resolver
-		// emissions fully to Endpoints. The top channel does wrap emitted
-		// addresses with endpoints, however some balancers such as weighted
-		// target do not forward the corresponding correct endpoints down/split
-		// endpoints properly. Once all balancers correctly forward endpoints
-		// down, can delete this else conditional.
-		newAddrs = state.ResolverState.Addresses
-		if cfg.ShuffleAddressList {
-			newAddrs = append([]resolver.Address{}, newAddrs...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-	}
-
-	// If an address appears in multiple endpoints or in the same endpoint
-	// multiple times, we keep it only once. We will create only one SubConn
-	// for the address because an AddressMap is used to store SubConns.
-	// Not de-duplicating would result in attempting to connect to the same
-	// SubConn multiple times in the same pass. We don't want this.
-	newAddrs = deDupAddresses(newAddrs)
-	newAddrs = interleaveAddresses(newAddrs)
-
-	prevAddr := b.addressList.currentAddress()
-	prevSCData, found := b.subConns.Get(prevAddr)
-	prevAddrsCount := b.addressList.size()
-	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
-	b.addressList.updateAddrs(newAddrs)
-
-	// If the previous ready SubConn exists in new address list,
-	// keep this connection and don't create new SubConns.
-	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
-		return nil
-	}
-
-	b.reconcileSubConnsLocked(newAddrs)
-	// If it's the first resolver update or the balancer was already READY
-	// (but the new address list does not contain the ready SubConn) or
-	// CONNECTING, enter CONNECTING.
-	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
-	// we should still enter CONNECTING because the sticky TF behaviour
-	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
-	// due to connectivity failures.
-	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
-		// Start connection attempt at first address.
-		b.forceUpdateConcludedStateLocked(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		b.startFirstPassLocked()
-	} else if b.state == connectivity.TransientFailure {
-		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
-		// we're READY. See A62.
-		b.startFirstPassLocked()
-	}
-	return nil
-}
-
-// UpdateSubConnState is unused as a StateListener is always registered when
-// creating SubConns.
-func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
-}
-
-func (b *pickfirstBalancer) Close() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.closeSubConnsLocked()
-	b.cancelConnectionTimer()
-	b.state = connectivity.Shutdown
-}
-
-// ExitIdle moves the balancer out of idle state. It can be called concurrently
-// by the idlePicker and clientConn so access to variables should be
-// synchronized.
-func (b *pickfirstBalancer) ExitIdle() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.state == connectivity.Idle {
-		b.startFirstPassLocked()
-	}
-}
-
-func (b *pickfirstBalancer) startFirstPassLocked() {
-	b.firstPass = true
-	b.numTF = 0
-	// Reset the connection attempt record for existing SubConns.
-	for _, sd := range b.subConns.Values() {
-		sd.connectionFailedInFirstPass = false
-	}
-	b.requestConnectionLocked()
-}
-
-func (b *pickfirstBalancer) closeSubConnsLocked() {
-	for _, sd := range b.subConns.Values() {
-		sd.subConn.Shutdown()
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-}
-
-// deDupAddresses ensures that each address appears only once in the slice.
-func deDupAddresses(addrs []resolver.Address) []resolver.Address {
-	seenAddrs := resolver.NewAddressMapV2[*scData]()
-	retAddrs := []resolver.Address{}
-
-	for _, addr := range addrs {
-		if _, ok := seenAddrs.Get(addr); ok {
-			continue
-		}
-		retAddrs = append(retAddrs, addr)
-	}
-	return retAddrs
-}
-
-// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
-// as per RFC-8305 section 4.
-// Whichever address family is first in the list is followed by an address of
-// the other address family; that is, if the first address in the list is IPv6,
-// then the first IPv4 address should be moved up in the list to be second in
-// the list. It doesn't support configuring "First Address Family Count", i.e.
-// there will always be a single member of the first address family at the
-// beginning of the interleaved list.
-// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
-// "unknown" family for interleaving.
-// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
-func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
-	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
-	interleavingOrder := []ipAddrFamily{}
-	for _, addr := range addrs {
-		family := addressFamily(addr.Addr)
-		if _, found := familyAddrsMap[family]; !found {
-			interleavingOrder = append(interleavingOrder, family)
-		}
-		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
-	}
-
-	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
-
-	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
-		// Some IP types may have fewer addresses than others, so we look for
-		// the next type that has a remaining member to add to the interleaved
-		// list.
-		family := interleavingOrder[curFamilyIdx]
-		remainingMembers := familyAddrsMap[family]
-		if len(remainingMembers) > 0 {
-			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
-			familyAddrsMap[family] = remainingMembers[1:]
-		}
-	}
-
-	return interleavedAddrs
-}
-
-// addressFamily returns the ipAddrFamily after parsing the address string.
-// If the address isn't of the format "ip-address:port", it returns
-// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
-// using a resolver like passthrough where the address may be a hostname in
-// some format that the dialer can resolve.
-func addressFamily(address string) ipAddrFamily {
-	// Parse the IP after removing the port.
-	host, _, err := net.SplitHostPort(address)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	ip, err := netip.ParseAddr(host)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	switch {
-	case ip.Is4() || ip.Is4In6():
-		return ipAddrFamilyV4
-	case ip.Is6():
-		return ipAddrFamilyV6
-	default:
-		return ipAddrFamilyUnknown
-	}
-}
-
-// reconcileSubConnsLocked updates the active subchannels based on a new address
-// list from the resolver. It does this by:
-//   - closing subchannels: any existing subchannels associated with addresses
-//     that are no longer in the updated list are shut down.
-//   - removing subchannels: entries for these closed subchannels are removed
-//     from the subchannel map.
-//
-// This ensures that the subchannel map accurately reflects the current set of
-// addresses received from the name resolver.
-func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
-	newAddrsMap := resolver.NewAddressMapV2[bool]()
-	for _, addr := range newAddrs {
-		newAddrsMap.Set(addr, true)
-	}
-
-	for _, oldAddr := range b.subConns.Keys() {
-		if _, ok := newAddrsMap.Get(oldAddr); ok {
-			continue
-		}
-		val, _ := b.subConns.Get(oldAddr)
-		val.subConn.Shutdown()
-		b.subConns.Delete(oldAddr)
-	}
-}
-
-// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
-// becomes ready, which means that all other subConn must be shutdown.
-func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
-	b.cancelConnectionTimer()
-	for _, sd := range b.subConns.Values() {
-		if sd.subConn != selected.subConn {
-			sd.subConn.Shutdown()
-		}
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-	b.subConns.Set(selected.addr, selected)
-}
-
-// requestConnectionLocked starts connecting on the subchannel corresponding to
-// the current address. If no subchannel exists, one is created. If the current
-// subchannel is in TransientFailure, a connection to the next address is
-// attempted until a subchannel is found.
-func (b *pickfirstBalancer) requestConnectionLocked() {
-	if !b.addressList.isValid() {
-		return
-	}
-	var lastErr error
-	for valid := true; valid; valid = b.addressList.increment() {
-		curAddr := b.addressList.currentAddress()
-		sd, ok := b.subConns.Get(curAddr)
-		if !ok {
-			var err error
-			// We want to assign the new scData to sd from the outer scope,
-			// hence we can't use := below.
-			sd, err = b.newSCData(curAddr)
-			if err != nil {
-				// This should never happen, unless the clientConn is being shut
-				// down.
-				if b.logger.V(2) {
-					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
-				}
-				// Do nothing, the LB policy will be closed soon.
-				return
-			}
-			b.subConns.Set(curAddr, sd)
-		}
-
-		switch sd.rawConnectivityState {
-		case connectivity.Idle:
-			sd.subConn.Connect()
-			b.scheduleNextConnectionLocked()
-			return
-		case connectivity.TransientFailure:
-			// The SubConn is being re-used and failed during a previous pass
-			// over the addressList. It has not completed backoff yet.
-			// Mark it as having failed and try the next address.
-			sd.connectionFailedInFirstPass = true
-			lastErr = sd.lastErr
-			continue
-		case connectivity.Connecting:
-			// Wait for the connection attempt to complete or the timer to fire
-			// before attempting the next address.
-			b.scheduleNextConnectionLocked()
-			return
-		default:
-			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
-			return
-
-		}
-	}
-
-	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
-	// first pass if possible.
-	b.endFirstPassIfPossibleLocked(lastErr)
-}
-
-func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
-	b.cancelConnectionTimer()
-	if !b.addressList.hasNext() {
-		return
-	}
-	curAddr := b.addressList.currentAddress()
-	cancelled := false // Access to this is protected by the balancer's mutex.
-	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
-		b.mu.Lock()
-		defer b.mu.Unlock()
-		// If the scheduled task is cancelled while acquiring the mutex, return.
-		if cancelled {
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
-		}
-		if b.addressList.increment() {
-			b.requestConnectionLocked()
-		}
-	})
-	// Access to the cancellation callback held by the balancer is guarded by
-	// the balancer's mutex, so it's safe to set the boolean from the callback.
-	b.cancelConnectionTimer = sync.OnceFunc(func() {
-		cancelled = true
-		closeFn()
-	})
-}
-
-func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	oldState := sd.rawConnectivityState
-	sd.rawConnectivityState = newState.ConnectivityState
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes this
-	// SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	if newState.ConnectivityState == connectivity.Shutdown {
-		sd.effectiveState = connectivity.Shutdown
-		return
-	}
-
-	// Record a connection attempt when exiting CONNECTING.
-	if newState.ConnectivityState == connectivity.TransientFailure {
-		sd.connectionFailedInFirstPass = true
-		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
-	}
-
-	if newState.ConnectivityState == connectivity.Ready {
-		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		b.shutdownRemainingLocked(sd)
-		if !b.addressList.seekTo(sd.addr) {
-			// This should not fail as we should have only one SubConn after
-			// entering READY. The SubConn should be present in the addressList.
-			b.logger.Errorf("Address %q not found address list in  %v", sd.addr, b.addressList.addresses)
-			return
-		}
-		if !b.healthCheckingEnabled {
-			if b.logger.V(2) {
-				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
-			}
-
-			sd.effectiveState = connectivity.Ready
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.Ready,
-				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-			})
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
-		}
-		// Send a CONNECTING update to take the SubConn out of sticky-TF if
-		// required.
-		sd.effectiveState = connectivity.Connecting
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
-			b.updateSubConnHealthState(sd, scs)
-		})
-		return
-	}
-
-	// If the LB policy is READY, and it receives a subchannel state change,
-	// it means that the READY subchannel has failed.
-	// A SubConn can also transition from CONNECTING directly to IDLE when
-	// a transport is successfully created, but the connection fails
-	// before the SubConn can send the notification for READY. We treat
-	// this as a successful connection and transition to IDLE.
-	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
-	// part of the if condition below once the issue is fixed.
-	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
-		// Once a transport fails, the balancer enters IDLE and starts from
-		// the first address when the picker is used.
-		b.shutdownRemainingLocked(sd)
-		sd.effectiveState = newState.ConnectivityState
-		// READY SubConn interspliced in between CONNECTING and IDLE, need to
-		// account for that.
-		if oldState == connectivity.Connecting {
-			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
-			// causes a race that prevents the READY state change notification.
-			// This works around it.
-			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		}
-		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
-		b.addressList.reset()
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Idle,
-			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
-		})
-		return
-	}
-
-	if b.firstPass {
-		switch newState.ConnectivityState {
-		case connectivity.Connecting:
-			// The effective state can be in either IDLE, CONNECTING or
-			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
-			// TRANSIENT_FAILURE until it's READY. See A62.
-			if sd.effectiveState != connectivity.TransientFailure {
-				sd.effectiveState = connectivity.Connecting
-				b.updateBalancerState(balancer.State{
-					ConnectivityState: connectivity.Connecting,
-					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-				})
-			}
-		case connectivity.TransientFailure:
-			sd.lastErr = newState.ConnectionError
-			sd.effectiveState = connectivity.TransientFailure
-			// Since we're re-using common SubConns while handling resolver
-			// updates, we could receive an out of turn TRANSIENT_FAILURE from
-			// a pass over the previous address list. Happy Eyeballs will also
-			// cause out of order updates to arrive.
-
-			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
-				b.cancelConnectionTimer()
-				if b.addressList.increment() {
-					b.requestConnectionLocked()
-					return
-				}
-			}
-
-			// End the first pass if we've seen a TRANSIENT_FAILURE from all
-			// SubConns once.
-			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
-		}
-		return
-	}
-
-	// We have finished the first pass, keep re-connecting failing SubConns.
-	switch newState.ConnectivityState {
-	case connectivity.TransientFailure:
-		b.numTF = (b.numTF + 1) % b.subConns.Len()
-		sd.lastErr = newState.ConnectionError
-		if b.numTF%b.subConns.Len() == 0 {
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.TransientFailure,
-				Picker:            &picker{err: newState.ConnectionError},
-			})
-		}
-		// We don't need to request re-resolution since the SubConn already
-		// does that before reporting TRANSIENT_FAILURE.
-		// TODO: #7534 - Move re-resolution requests from SubConn into
-		// pick_first.
-	case connectivity.Idle:
-		sd.subConn.Connect()
-	}
-}
-
-// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
-// addresses are tried and their SubConns have reported a failure.
-func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
-	// An optimization to avoid iterating over the entire SubConn map.
-	if b.addressList.isValid() {
-		return
-	}
-	// Connect() has been called on all the SubConns. The first pass can be
-	// ended if all the SubConns have reported a failure.
-	for _, sd := range b.subConns.Values() {
-		if !sd.connectionFailedInFirstPass {
-			return
-		}
-	}
-	b.firstPass = false
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: lastErr},
-	})
-	// Start re-connecting all the SubConns that are already in IDLE.
-	for _, sd := range b.subConns.Values() {
-		if sd.rawConnectivityState == connectivity.Idle {
-			sd.subConn.Connect()
-		}
-	}
-}
-
-func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
-	activeSD, found := b.subConns.Get(sd.addr)
-	return found && activeSD == sd
-}
-
-func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes
-	// this SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	sd.effectiveState = state.ConnectivityState
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Ready,
-			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-		})
-	case connectivity.TransientFailure:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
-		})
-	case connectivity.Connecting:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-	default:
-		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
-	}
-}
-
-// updateBalancerState stores the state reported to the channel and calls
-// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
-// updates to the channel.
-func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
-	// In case of TransientFailures allow the picker to be updated to update
-	// the connectivity error, in all other cases don't send duplicate state
-	// updates.
-	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
-		return
-	}
-	b.forceUpdateConcludedStateLocked(newState)
-}
-
-// forceUpdateConcludedStateLocked stores the state reported to the channel and
-// calls ClientConn.UpdateState().
-// A separate function is defined to force update the ClientConn state since the
-// channel doesn't correctly assume that LB policies start in CONNECTING and
-// relies on LB policy to send an initial CONNECTING update.
-func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
-	b.state = newState.ConnectivityState
-	b.cc.UpdateState(newState)
-}
-
-type picker struct {
-	result balancer.PickResult
-	err    error
-}
-
-func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	return p.result, p.err
-}
-
-// idlePicker is used when the SubConn is IDLE and kicks the SubConn into
-// CONNECTING when Pick is called.
-type idlePicker struct {
-	exitIdle func()
-}
-
-func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.exitIdle()
-	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
-}
-
-// addressList manages sequentially iterating over addresses present in a list
-// of endpoints. It provides a 1 dimensional view of the addresses present in
-// the endpoints.
-// This type is not safe for concurrent access.
-type addressList struct {
-	addresses []resolver.Address
-	idx       int
-}
-
-func (al *addressList) isValid() bool {
-	return al.idx < len(al.addresses)
-}
-
-func (al *addressList) size() int {
-	return len(al.addresses)
-}
-
-// increment moves to the next index in the address list.
-// This method returns false if it went off the list, true otherwise.
-func (al *addressList) increment() bool {
-	if !al.isValid() {
-		return false
-	}
-	al.idx++
-	return al.idx < len(al.addresses)
-}
-
-// currentAddress returns the current address pointed to in the addressList.
-// If the list is in an invalid state, it returns an empty address instead.
-func (al *addressList) currentAddress() resolver.Address {
-	if !al.isValid() {
-		return resolver.Address{}
-	}
-	return al.addresses[al.idx]
-}
-
-func (al *addressList) reset() {
-	al.idx = 0
-}
-
-func (al *addressList) updateAddrs(addrs []resolver.Address) {
-	al.addresses = addrs
-	al.reset()
-}
-
-// seekTo returns false if the needle was not found and the current index was
-// left unchanged.
-func (al *addressList) seekTo(needle resolver.Address) bool {
-	for ai, addr := range al.addresses {
-		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
-			continue
-		}
-		al.idx = ai
-		return true
-	}
-	return false
-}
-
-// hasNext returns whether incrementing the addressList will result in moving
-// past the end of the list. If the list has already moved past the end, it
-// returns false.
-func (al *addressList) hasNext() bool {
-	if !al.isValid() {
-		return false
-	}
-	return al.idx+1 < len(al.addresses)
-}
-
-// equalAddressIgnoringBalAttributes returns true is a and b are considered
-// equal. This is different from the Equal method on the resolver.Address type
-// which considers all fields to determine equality. Here, we only consider
-// fields that are meaningful to the SubConn.
-func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
-	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
-		a.Attributes.Equal(b.Attributes)
-}
diff --git a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
index 35da5d1ec9..22e6e32679 100644
--- a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
+++ b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
@@ -26,7 +26,7 @@ import (
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/endpointsharding"
-	"google.golang.org/grpc/balancer/pickfirst/pickfirstleaf"
+	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/grpclog"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 )
@@ -47,7 +47,7 @@ func (bb builder) Name() string {
 }
 
 func (bb builder) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Balancer {
-	childBuilder := balancer.Get(pickfirstleaf.Name).Build
+	childBuilder := balancer.Get(pickfirst.Name).Build
 	bal := &rrBalancer{
 		cc:       cc,
 		Balancer: endpointsharding.NewBalancer(cc, opts, childBuilder, endpointsharding.Options{}),
@@ -67,13 +67,6 @@ func (b *rrBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
 	return b.Balancer.UpdateClientConnState(balancer.ClientConnState{
 		// Enable the health listener in pickfirst children for client side health
 		// checks and outlier detection, if configured.
-		ResolverState: pickfirstleaf.EnableHealthListener(ccs.ResolverState),
+		ResolverState: pickfirst.EnableHealthListener(ccs.ResolverState),
 	})
 }
-
-func (b *rrBalancer) ExitIdle() {
-	// Should always be ok, as child is endpoint sharding.
-	if ei, ok := b.Balancer.(balancer.ExitIdler); ok {
-		ei.ExitIdle()
-	}
-}
diff --git a/vendor/google.golang.org/grpc/balancer_wrapper.go b/vendor/google.golang.org/grpc/balancer_wrapper.go
index 948a21ef68..2c760e623f 100644
--- a/vendor/google.golang.org/grpc/balancer_wrapper.go
+++ b/vendor/google.golang.org/grpc/balancer_wrapper.go
@@ -450,13 +450,14 @@ func (acbw *acBalancerWrapper) healthListenerRegFn() func(context.Context, func(
 	if acbw.ccb.cc.dopts.disableHealthCheck {
 		return noOpRegisterHealthListenerFn
 	}
+	cfg := acbw.ac.cc.healthCheckConfig()
+	if cfg == nil {
+		return noOpRegisterHealthListenerFn
+	}
 	regHealthLisFn := internal.RegisterClientHealthCheckListener
 	if regHealthLisFn == nil {
 		// The health package is not imported.
-		return noOpRegisterHealthListenerFn
-	}
-	cfg := acbw.ac.cc.healthCheckConfig()
-	if cfg == nil {
+		channelz.Error(logger, acbw.ac.channelz, "Health check is requested but health package is not imported.")
 		return noOpRegisterHealthListenerFn
 	}
 	return func(ctx context.Context, listener func(balancer.SubConnState)) func() {
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index 825c31795f..42c61cf9fe 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.5
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/binlog/v1/binarylog.proto
 
@@ -858,133 +858,68 @@ func (x *Address) GetIpPort() uint32 {
 
 var File_grpc_binlog_v1_binarylog_proto protoreflect.FileDescriptor
 
-var file_grpc_binlog_v1_binarylog_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62, 0x69, 0x6e, 0x6c, 0x6f, 0x67, 0x2f, 0x76, 0x31,
-	0x2f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x11, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x07, 0x0a, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
-	0x17, 0x0a, 0x07, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04,
-	0x52, 0x06, 0x63, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x12, 0x35, 0x0a, 0x17, 0x73, 0x65, 0x71, 0x75,
-	0x65, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x5f, 0x63,
-	0x61, 0x6c, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x14, 0x73, 0x65, 0x71, 0x75, 0x65,
-	0x6e, 0x63, 0x65, 0x49, 0x64, 0x57, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x43, 0x61, 0x6c, 0x6c, 0x12,
-	0x3d, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e,
-	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x45,
-	0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3e,
-	0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
-	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e,
-	0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e,
-	0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x46,
-	0x0a, 0x0d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
-	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
-	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
-	0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00,
-	0x52, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x36,
-	0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x48, 0x00, 0x52, 0x07, 0x6d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x36, 0x0a, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65,
-	0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69,
-	0x6c, 0x65, 0x72, 0x48, 0x00, 0x52, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x2b,
-	0x0a, 0x11, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61,
-	0x74, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x54, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x04, 0x70,
-	0x65, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63,
-	0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x04, 0x70, 0x65, 0x65, 0x72, 0x22, 0xf5, 0x01, 0x0a, 0x09,
-	0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x12, 0x45, 0x56, 0x45,
-	0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x00, 0x12, 0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x01, 0x12,
-	0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45,
-	0x52, 0x56, 0x45, 0x52, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x1d, 0x0a,
-	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45,
-	0x4e, 0x54, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x03, 0x12, 0x1d, 0x0a, 0x19,
-	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45,
-	0x52, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x04, 0x12, 0x20, 0x0a, 0x1c, 0x45,
-	0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54,
-	0x5f, 0x48, 0x41, 0x4c, 0x46, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x05, 0x12, 0x1d, 0x0a,
-	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56,
-	0x45, 0x52, 0x5f, 0x54, 0x52, 0x41, 0x49, 0x4c, 0x45, 0x52, 0x10, 0x06, 0x12, 0x15, 0x0a, 0x11,
-	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x41, 0x4e, 0x43, 0x45,
-	0x4c, 0x10, 0x07, 0x22, 0x42, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x12, 0x0a,
-	0x0e, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x00, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x43, 0x4c, 0x49, 0x45,
-	0x4e, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x53,
-	0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x02, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x22, 0xbb, 0x01, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x48, 0x65, 0x61,
-	0x64, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
-	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
-	0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f, 0x0a, 0x0b,
-	0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0a, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a,
-	0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x33, 0x0a, 0x07, 0x74,
-	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44,
-	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
-	0x22, 0x47, 0x0a, 0x0c, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
-	0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79,
-	0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52,
-	0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb1, 0x01, 0x0a, 0x07, 0x54, 0x72,
-	0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
-	0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61,
-	0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f,
-	0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0d, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, 0x65, 0x12,
-	0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d,
-	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0x35, 0x0a,
-	0x07, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67,
-	0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
-	0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04,
-	0x64, 0x61, 0x74, 0x61, 0x22, 0x42, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
-	0x12, 0x36, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x20, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x37, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61,
-	0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x22, 0xb8, 0x01, 0x0a, 0x07, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x33, 0x0a,
-	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x67, 0x72,
-	0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e,
-	0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
-	0x70, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x17, 0x0a, 0x07,
-	0x69, 0x70, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x69,
-	0x70, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x45, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a,
-	0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
-	0x0d, 0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x34, 0x10, 0x01, 0x12, 0x0d,
-	0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x36, 0x10, 0x02, 0x12, 0x0d, 0x0a,
-	0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x58, 0x10, 0x03, 0x42, 0x5c, 0x0a, 0x14,
-	0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f,
-	0x67, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x4c, 0x6f, 0x67, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
-	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x62, 0x69,
-	0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-})
+const file_grpc_binlog_v1_binarylog_proto_rawDesc = "" +
+	"\n" +
+	"\x1egrpc/binlog/v1/binarylog.proto\x12\x11grpc.binarylog.v1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xbb\a\n" +
+	"\fGrpcLogEntry\x128\n" +
+	"\ttimestamp\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12\x17\n" +
+	"\acall_id\x18\x02 \x01(\x04R\x06callId\x125\n" +
+	"\x17sequence_id_within_call\x18\x03 \x01(\x04R\x14sequenceIdWithinCall\x12=\n" +
+	"\x04type\x18\x04 \x01(\x0e2).grpc.binarylog.v1.GrpcLogEntry.EventTypeR\x04type\x12>\n" +
+	"\x06logger\x18\x05 \x01(\x0e2&.grpc.binarylog.v1.GrpcLogEntry.LoggerR\x06logger\x12F\n" +
+	"\rclient_header\x18\x06 \x01(\v2\x1f.grpc.binarylog.v1.ClientHeaderH\x00R\fclientHeader\x12F\n" +
+	"\rserver_header\x18\a \x01(\v2\x1f.grpc.binarylog.v1.ServerHeaderH\x00R\fserverHeader\x126\n" +
+	"\amessage\x18\b \x01(\v2\x1a.grpc.binarylog.v1.MessageH\x00R\amessage\x126\n" +
+	"\atrailer\x18\t \x01(\v2\x1a.grpc.binarylog.v1.TrailerH\x00R\atrailer\x12+\n" +
+	"\x11payload_truncated\x18\n" +
+	" \x01(\bR\x10payloadTruncated\x12.\n" +
+	"\x04peer\x18\v \x01(\v2\x1a.grpc.binarylog.v1.AddressR\x04peer\"\xf5\x01\n" +
+	"\tEventType\x12\x16\n" +
+	"\x12EVENT_TYPE_UNKNOWN\x10\x00\x12\x1c\n" +
+	"\x18EVENT_TYPE_CLIENT_HEADER\x10\x01\x12\x1c\n" +
+	"\x18EVENT_TYPE_SERVER_HEADER\x10\x02\x12\x1d\n" +
+	"\x19EVENT_TYPE_CLIENT_MESSAGE\x10\x03\x12\x1d\n" +
+	"\x19EVENT_TYPE_SERVER_MESSAGE\x10\x04\x12 \n" +
+	"\x1cEVENT_TYPE_CLIENT_HALF_CLOSE\x10\x05\x12\x1d\n" +
+	"\x19EVENT_TYPE_SERVER_TRAILER\x10\x06\x12\x15\n" +
+	"\x11EVENT_TYPE_CANCEL\x10\a\"B\n" +
+	"\x06Logger\x12\x12\n" +
+	"\x0eLOGGER_UNKNOWN\x10\x00\x12\x11\n" +
+	"\rLOGGER_CLIENT\x10\x01\x12\x11\n" +
+	"\rLOGGER_SERVER\x10\x02B\t\n" +
+	"\apayload\"\xbb\x01\n" +
+	"\fClientHeader\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+	"\vmethod_name\x18\x02 \x01(\tR\n" +
+	"methodName\x12\x1c\n" +
+	"\tauthority\x18\x03 \x01(\tR\tauthority\x123\n" +
+	"\atimeout\x18\x04 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"G\n" +
+	"\fServerHeader\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\"\xb1\x01\n" +
+	"\aTrailer\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+	"\vstatus_code\x18\x02 \x01(\rR\n" +
+	"statusCode\x12%\n" +
+	"\x0estatus_message\x18\x03 \x01(\tR\rstatusMessage\x12%\n" +
+	"\x0estatus_details\x18\x04 \x01(\fR\rstatusDetails\"5\n" +
+	"\aMessage\x12\x16\n" +
+	"\x06length\x18\x01 \x01(\rR\x06length\x12\x12\n" +
+	"\x04data\x18\x02 \x01(\fR\x04data\"B\n" +
+	"\bMetadata\x126\n" +
+	"\x05entry\x18\x01 \x03(\v2 .grpc.binarylog.v1.MetadataEntryR\x05entry\"7\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\fR\x05value\"\xb8\x01\n" +
+	"\aAddress\x123\n" +
+	"\x04type\x18\x01 \x01(\x0e2\x1f.grpc.binarylog.v1.Address.TypeR\x04type\x12\x18\n" +
+	"\aaddress\x18\x02 \x01(\tR\aaddress\x12\x17\n" +
+	"\aip_port\x18\x03 \x01(\rR\x06ipPort\"E\n" +
+	"\x04Type\x12\x10\n" +
+	"\fTYPE_UNKNOWN\x10\x00\x12\r\n" +
+	"\tTYPE_IPV4\x10\x01\x12\r\n" +
+	"\tTYPE_IPV6\x10\x02\x12\r\n" +
+	"\tTYPE_UNIX\x10\x03B\\\n" +
+	"\x14io.grpc.binarylog.v1B\x0eBinaryLogProtoP\x01Z2google.golang.org/grpc/binarylog/grpc_binarylog_v1b\x06proto3"
 
 var (
 	file_grpc_binlog_v1_binarylog_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index 4f350ca56a..b767d3e33e 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -35,16 +35,19 @@ import (
 	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/channelz"
 	"google.golang.org/grpc/internal/grpcsync"
 	"google.golang.org/grpc/internal/idle"
 	iresolver "google.golang.org/grpc/internal/resolver"
-	"google.golang.org/grpc/internal/stats"
+	istats "google.golang.org/grpc/internal/stats"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
+	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
 
 	_ "google.golang.org/grpc/balancer/roundrobin"           // To register roundrobin.
@@ -97,6 +100,41 @@ var (
 	errTransportCredentialsMissing = errors.New("grpc: the credentials require transport level security (use grpc.WithTransportCredentials() to set)")
 )
 
+var (
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.disconnections",
+		Description:    "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:           "{disconnection}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality", "grpc.disconnect_error"},
+		Default:        false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_succeeded",
+		Description:    "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_failed",
+		Description:    "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	openConnectionsMetric = expstats.RegisterInt64UpDownCount(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.open_connections",
+		Description:    "EXPERIMENTAL. Number of open connections.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.security_level", "grpc.lb.locality"},
+		Default:        false,
+	})
+)
+
 const (
 	defaultClientMaxReceiveMessageSize = 1024 * 1024 * 4
 	defaultClientMaxSendMessageSize    = math.MaxInt32
@@ -208,9 +246,10 @@ func NewClient(target string, opts ...DialOption) (conn *ClientConn, err error)
 	channelz.Infof(logger, cc.channelz, "Channel authority set to %q", cc.authority)
 
 	cc.csMgr = newConnectivityStateManager(cc.ctx, cc.channelz)
-	cc.pickerWrapper = newPickerWrapper(cc.dopts.copts.StatsHandlers)
+	cc.pickerWrapper = newPickerWrapper()
 
-	cc.metricsRecorderList = stats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.metricsRecorderList = istats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.statsHandler = istats.NewCombinedHandler(cc.dopts.copts.StatsHandlers...)
 
 	cc.initIdleStateLocked() // Safe to call without the lock, since nothing else has a reference to cc.
 	cc.idlenessMgr = idle.NewManager((*idler)(cc), cc.dopts.idleTimeout)
@@ -260,9 +299,10 @@ func DialContext(ctx context.Context, target string, opts ...DialOption) (conn *
 	}()
 
 	// This creates the name resolver, load balancer, etc.
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		return nil, err
+	if err := cc.exitIdleMode(); err != nil {
+		return nil, fmt.Errorf("failed to exit idle mode: %w", err)
 	}
+	cc.idlenessMgr.UnsafeSetNotIdle()
 
 	// Return now for non-blocking dials.
 	if !cc.dopts.block {
@@ -330,7 +370,7 @@ func (cc *ClientConn) addTraceEvent(msg string) {
 			Severity: channelz.CtInfo,
 		}
 	}
-	channelz.AddTraceEvent(logger, cc.channelz, 0, ted)
+	channelz.AddTraceEvent(logger, cc.channelz, 1, ted)
 }
 
 type idler ClientConn
@@ -339,14 +379,17 @@ func (i *idler) EnterIdleMode() {
 	(*ClientConn)(i).enterIdleMode()
 }
 
-func (i *idler) ExitIdleMode() error {
-	return (*ClientConn)(i).exitIdleMode()
+func (i *idler) ExitIdleMode() {
+	// Ignore the error returned from this method, because from the perspective
+	// of the caller (idleness manager), the channel would have always moved out
+	// of IDLE by the time this method returns.
+	(*ClientConn)(i).exitIdleMode()
 }
 
 // exitIdleMode moves the channel out of idle mode by recreating the name
 // resolver and load balancer.  This should never be called directly; use
 // cc.idlenessMgr.ExitIdleMode instead.
-func (cc *ClientConn) exitIdleMode() (err error) {
+func (cc *ClientConn) exitIdleMode() error {
 	cc.mu.Lock()
 	if cc.conns == nil {
 		cc.mu.Unlock()
@@ -354,11 +397,23 @@ func (cc *ClientConn) exitIdleMode() (err error) {
 	}
 	cc.mu.Unlock()
 
+	// Set state to CONNECTING before building the name resolver
+	// so the channel does not remain in IDLE.
+	cc.csMgr.updateState(connectivity.Connecting)
+
 	// This needs to be called without cc.mu because this builds a new resolver
 	// which might update state or report error inline, which would then need to
 	// acquire cc.mu.
 	if err := cc.resolverWrapper.start(); err != nil {
-		return err
+		// If resolver creation fails, treat it like an error reported by the
+		// resolver before any valid updates. Set channel's state to
+		// TransientFailure, and set an erroring picker with the resolver build
+		// error, which will returned as part of any subsequent RPCs.
+		logger.Warningf("Failed to start resolver: %v", err)
+		cc.csMgr.updateState(connectivity.TransientFailure)
+		cc.mu.Lock()
+		cc.updateResolverStateAndUnlock(resolver.State{}, err)
+		return fmt.Errorf("failed to start resolver: %w", err)
 	}
 
 	cc.addTraceEvent("exiting idle mode")
@@ -456,7 +511,7 @@ func (cc *ClientConn) validateTransportCredentials() error {
 func (cc *ClientConn) channelzRegistration(target string) {
 	parentChannel, _ := cc.dopts.channelzParent.(*channelz.Channel)
 	cc.channelz = channelz.RegisterChannel(parentChannel, target)
-	cc.addTraceEvent("created")
+	cc.addTraceEvent(fmt.Sprintf("created for target %q", target))
 }
 
 // chainUnaryClientInterceptors chains all unary client interceptors into one.
@@ -621,7 +676,8 @@ type ClientConn struct {
 	channelz            *channelz.Channel // Channelz object.
 	resolverBuilder     resolver.Builder  // See initParsedTargetAndResolverBuilder().
 	idlenessMgr         *idle.Manager
-	metricsRecorderList *stats.MetricsRecorderList
+	metricsRecorderList *istats.MetricsRecorderList
+	statsHandler        stats.Handler
 
 	// The following provide their own synchronization, and therefore don't
 	// require cc.mu to be held to access them.
@@ -678,10 +734,8 @@ func (cc *ClientConn) GetState() connectivity.State {
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a later
 // release.
 func (cc *ClientConn) Connect() {
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		cc.addTraceEvent(err.Error())
-		return
-	}
+	cc.idlenessMgr.ExitIdleMode()
+
 	// If the ClientConn was not in idle mode, we need to call ExitIdle on the
 	// LB policy so that connections can be created.
 	cc.mu.Lock()
@@ -689,22 +743,31 @@ func (cc *ClientConn) Connect() {
 	cc.mu.Unlock()
 }
 
-// waitForResolvedAddrs blocks until the resolver has provided addresses or the
-// context expires.  Returns nil unless the context expires first; otherwise
-// returns a status error based on the context.
-func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) error {
+// waitForResolvedAddrs blocks until the resolver provides addresses or the
+// context expires, whichever happens first.
+//
+// Error is nil unless the context expires first; otherwise returns a status
+// error based on the context.
+//
+// The returned boolean indicates whether it did block or not. If the
+// resolution has already happened once before, it returns false without
+// blocking. Otherwise, it wait for the resolution and return true if
+// resolution has succeeded or return false along with error if resolution has
+// failed.
+func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) (bool, error) {
 	// This is on the RPC path, so we use a fast path to avoid the
 	// more-expensive "select" below after the resolver has returned once.
 	if cc.firstResolveEvent.HasFired() {
-		return nil
+		return false, nil
 	}
+	internal.NewStreamWaitingForResolver()
 	select {
 	case <-cc.firstResolveEvent.Done():
-		return nil
+		return true, nil
 	case <-ctx.Done():
-		return status.FromContextError(ctx.Err()).Err()
+		return false, status.FromContextError(ctx.Err()).Err()
 	case <-cc.ctx.Done():
-		return ErrClientConnClosing
+		return false, ErrClientConnClosing
 	}
 }
 
@@ -723,8 +786,8 @@ func init() {
 	internal.EnterIdleModeForTesting = func(cc *ClientConn) {
 		cc.idlenessMgr.EnterIdleModeForTesting()
 	}
-	internal.ExitIdleModeForTesting = func(cc *ClientConn) error {
-		return cc.idlenessMgr.ExitIdleMode()
+	internal.ExitIdleModeForTesting = func(cc *ClientConn) {
+		cc.idlenessMgr.ExitIdleMode()
 	}
 }
 
@@ -849,6 +912,7 @@ func (cc *ClientConn) newAddrConnLocked(addrs []resolver.Address, opts balancer.
 		channelz:     channelz.RegisterSubChannel(cc.channelz, ""),
 		resetBackoff: make(chan struct{}),
 	}
+	ac.updateTelemetryLabelsLocked()
 	ac.ctx, ac.cancel = context.WithCancel(cc.ctx)
 	// Start with our address set to the first address; this may be updated if
 	// we connect to different addresses.
@@ -965,7 +1029,7 @@ func (ac *addrConn) updateAddrs(addrs []resolver.Address) {
 	}
 
 	ac.addrs = addrs
-
+	ac.updateTelemetryLabelsLocked()
 	if ac.state == connectivity.Shutdown ||
 		ac.state == connectivity.TransientFailure ||
 		ac.state == connectivity.Idle {
@@ -1067,13 +1131,6 @@ func (cc *ClientConn) healthCheckConfig() *healthCheckConfig {
 	return cc.sc.healthCheckConfig
 }
 
-func (cc *ClientConn) getTransport(ctx context.Context, failfast bool, method string) (transport.ClientTransport, balancer.PickResult, error) {
-	return cc.pickerWrapper.pick(ctx, failfast, balancer.PickInfo{
-		Ctx:            ctx,
-		FullMethodName: method,
-	})
-}
-
 func (cc *ClientConn) applyServiceConfigAndBalancer(sc *ServiceConfig, configSelector iresolver.ConfigSelector) {
 	if sc == nil {
 		// should never reach here.
@@ -1211,6 +1268,9 @@ type addrConn struct {
 	resetBackoff chan struct{}
 
 	channelz *channelz.SubChannel
+
+	localityLabel       string
+	backendServiceLabel string
 }
 
 // Note: this requires a lock on ac.mu.
@@ -1218,6 +1278,18 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
 	if ac.state == s {
 		return
 	}
+
+	// If we are transitioning out of Ready, it means there is a disconnection.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if ac.state == connectivity.Ready || (ac.state == connectivity.Connecting && s == connectivity.Idle) {
+		disconnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel, "unknown")
+		openConnectionsMetric.Record(ac.cc.metricsRecorderList, -1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
+	}
 	ac.state = s
 	ac.channelz.ChannelMetrics.State.Store(&s)
 	if lastErr == nil {
@@ -1275,6 +1347,15 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	ac.mu.Unlock()
 
 	if err := ac.tryAllAddrs(acCtx, addrs, connectDeadline); err != nil {
+		if !errors.Is(err, context.Canceled) {
+			connectionAttemptsFailedMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+		} else {
+			if logger.V(2) {
+				// This records cancelled connection attempts which can be later
+				// replaced by a metric.
+				logger.Infof("Context cancellation detected; not recording this as a failed connection attempt.")
+			}
+		}
 		// TODO: #7534 - Move re-resolution requests into the pick_first LB policy
 		// to ensure one resolution request per pass instead of per subconn failure.
 		ac.cc.resolveNow(resolver.ResolveNowOptions{})
@@ -1314,10 +1395,50 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	}
 	// Success; reset backoff.
 	ac.mu.Lock()
+	connectionAttemptsSucceededMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+	openConnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
 	ac.backoffIdx = 0
 	ac.mu.Unlock()
 }
 
+// updateTelemetryLabelsLocked calculates and caches the telemetry labels based on the
+// first address in addrConn.
+func (ac *addrConn) updateTelemetryLabelsLocked() {
+	labelsFunc, ok := internal.AddressToTelemetryLabels.(func(resolver.Address) map[string]string)
+	if !ok || len(ac.addrs) == 0 {
+		// Reset defaults
+		ac.localityLabel = ""
+		ac.backendServiceLabel = ""
+		return
+	}
+	labels := labelsFunc(ac.addrs[0])
+	ac.localityLabel = labels["grpc.lb.locality"]
+	ac.backendServiceLabel = labels["grpc.lb.backend_service"]
+}
+
+type securityLevelKey struct{}
+
+func (ac *addrConn) securityLevelLocked() string {
+	var secLevel string
+	// During disconnection, ac.transport is nil. Fall back to the security level
+	// stored in the current address during connection.
+	if ac.transport == nil {
+		secLevel, _ = ac.curAddr.Attributes.Value(securityLevelKey{}).(string)
+		return secLevel
+	}
+	authInfo := ac.transport.Peer().AuthInfo
+	if ci, ok := authInfo.(interface {
+		GetCommonAuthInfo() credentials.CommonAuthInfo
+	}); ok {
+		secLevel = ci.GetCommonAuthInfo().SecurityLevel.String()
+		// Store the security level in the current address' attributes so
+		// that it remains available for disconnection metrics after the
+		// transport is closed.
+		ac.curAddr.Attributes = ac.curAddr.Attributes.WithValue(securityLevelKey{}, secLevel)
+	}
+	return secLevel
+}
+
 // tryAllAddrs tries to create a connection to the addresses, and stop when at
 // the first successful one. It returns an error if no address was successfully
 // connected, or updates ac appropriately with the new transport.
@@ -1822,7 +1943,7 @@ func (cc *ClientConn) initAuthority() error {
 	} else if auth, ok := cc.resolverBuilder.(resolver.AuthorityOverrider); ok {
 		cc.authority = auth.OverrideAuthority(cc.parsedTarget)
 	} else if strings.HasPrefix(endpoint, ":") {
-		cc.authority = "localhost" + endpoint
+		cc.authority = "localhost" + encodeAuthority(endpoint)
 	} else {
 		cc.authority = encodeAuthority(endpoint)
 	}
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index 665e790bb0..06f6c6c70a 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -44,8 +44,7 @@ type PerRPCCredentials interface {
 	// A54). uri is the URI of the entry point for the request.  When supported
 	// by the underlying implementation, ctx can be used for timeout and
 	// cancellation. Additionally, RequestInfo data will be available via ctx
-	// to this call.  TODO(zhaoq): Define the set of the qualified keys instead
-	// of leaving it as an arbitrary string.
+	// to this call.
 	GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
 	// RequireTransportSecurity indicates whether the credentials requires
 	// transport security.
@@ -96,10 +95,11 @@ func (c CommonAuthInfo) GetCommonAuthInfo() CommonAuthInfo {
 	return c
 }
 
-// ProtocolInfo provides information regarding the gRPC wire protocol version,
-// security protocol, security protocol version in use, server name, etc.
+// ProtocolInfo provides static information regarding transport credentials.
 type ProtocolInfo struct {
 	// ProtocolVersion is the gRPC wire protocol version.
+	//
+	// Deprecated: this is unused by gRPC.
 	ProtocolVersion string
 	// SecurityProtocol is the security protocol in use.
 	SecurityProtocol string
@@ -109,7 +109,16 @@ type ProtocolInfo struct {
 	//
 	// Deprecated: please use Peer.AuthInfo.
 	SecurityVersion string
-	// ServerName is the user-configured server name.
+	// ServerName is the user-configured server name.  If set, this overrides
+	// the default :authority header used for all RPCs on the channel using the
+	// containing credentials, unless grpc.WithAuthority is set on the channel,
+	// in which case that setting will take precedence.
+	//
+	// This must be a valid `:authority` header according to
+	// [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
+	//
+	// Deprecated: Users should use grpc.WithAuthority to override the authority
+	// on a channel instead of configuring the credentials.
 	ServerName string
 }
 
@@ -120,6 +129,20 @@ type AuthInfo interface {
 	AuthType() string
 }
 
+// AuthorityValidator validates the authority used to override the `:authority`
+// header. This is an optional interface that implementations of AuthInfo can
+// implement if they support per-RPC authority overrides. It is invoked when the
+// application attempts to override the HTTP/2 `:authority` header using the
+// CallAuthority call option.
+type AuthorityValidator interface {
+	// ValidateAuthority checks the authority value used to override the
+	// `:authority` header. The authority parameter is the override value
+	// provided by the application via the CallAuthority option. This value
+	// typically corresponds to the server hostname or endpoint the RPC is
+	// targeting. It returns non-nil error if the validation fails.
+	ValidateAuthority(authority string) error
+}
+
 // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
 // and the caller should not close rawConn.
 var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
@@ -159,12 +182,17 @@ type TransportCredentials interface {
 	// Clone makes a copy of this TransportCredentials.
 	Clone() TransportCredentials
 	// OverrideServerName specifies the value used for the following:
+	//
 	// - verifying the hostname on the returned certificates
 	// - as SNI in the client's handshake to support virtual hosting
 	// - as the value for `:authority` header at stream creation time
 	//
-	// Deprecated: use grpc.WithAuthority instead. Will be supported
-	// throughout 1.x.
+	// The provided string should be a valid `:authority` header according to
+	// [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
+	//
+	// Deprecated: this method is unused by gRPC.  Users should use
+	// grpc.WithAuthority to override the authority on a channel instead of
+	// configuring the credentials.
 	OverrideServerName(string) error
 }
 
@@ -207,14 +235,32 @@ type RequestInfo struct {
 	AuthInfo AuthInfo
 }
 
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
 // RequestInfoFromContext extracts the RequestInfo from the context if it exists.
 //
 // This API is experimental.
 func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) {
-	ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo)
+	ri, ok = ctx.Value(requestInfoKey{}).(RequestInfo)
 	return ri, ok
 }
 
+// NewContextWithRequestInfo creates a new context from ctx and attaches ri to it.
+//
+// This RequestInfo will be accessible via RequestInfoFromContext.
+//
+// Intended to be used from tests for PerRPCCredentials implementations (that
+// often need to check connection's SecurityLevel). Should not be used from
+// non-test code: the gRPC client already prepares a context with the correct
+// RequestInfo attached when calling PerRPCCredentials.GetRequestMetadata.
+//
+// This API is experimental.
+func NewContextWithRequestInfo(ctx context.Context, ri RequestInfo) context.Context {
+	return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
 // ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
 // it possible to pass arbitrary data to the handshaker from gRPC, resolver,
 // balancer etc. Individual credential implementations control the actual
diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
index 4c805c6446..93156c0f34 100644
--- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
+++ b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
@@ -30,7 +30,7 @@ import (
 // NewCredentials returns a credentials which disables transport security.
 //
 // Note that using this credentials with per-RPC credentials which require
-// transport security is incompatible and will cause grpc.Dial() to fail.
+// transport security is incompatible and will cause RPCs to fail.
 func NewCredentials() credentials.TransportCredentials {
 	return insecureTC{}
 }
@@ -71,6 +71,12 @@ func (info) AuthType() string {
 	return "insecure"
 }
 
+// ValidateAuthority allows any value to be overridden for the :authority
+// header.
+func (info) ValidateAuthority(string) error {
+	return nil
+}
+
 // insecureBundle implements an insecure bundle.
 // An insecure bundle provides a thin wrapper around insecureTC to support
 // the credentials.Bundle interface.
diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go
index bd5fe22b6a..8277be7d6f 100644
--- a/vendor/google.golang.org/grpc/credentials/tls.go
+++ b/vendor/google.golang.org/grpc/credentials/tls.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -50,6 +51,21 @@ func (t TLSInfo) AuthType() string {
 	return "tls"
 }
 
+// ValidateAuthority validates the provided authority being used to override the
+// :authority header by verifying it against the peer certificates. It returns a
+// non-nil error if the validation fails.
+func (t TLSInfo) ValidateAuthority(authority string) error {
+	var errs []error
+	for _, cert := range t.State.PeerCertificates {
+		var err error
+		if err = cert.VerifyHostname(authority); err == nil {
+			return nil
+		}
+		errs = append(errs, err)
+	}
+	return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
+}
+
 // cipherSuiteLookup returns the string version of a TLS cipher suite ID.
 func cipherSuiteLookup(cipherSuiteID uint16) string {
 	for _, s := range tls.CipherSuites() {
@@ -94,14 +110,14 @@ func (c tlsCreds) Info() ProtocolInfo {
 func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
 	// use local cfg to avoid clobbering ServerName if using multiple endpoints
 	cfg := credinternal.CloneTLSConfig(c.config)
-	if cfg.ServerName == "" {
-		serverName, _, err := net.SplitHostPort(authority)
-		if err != nil {
-			// If the authority had no host port or if the authority cannot be parsed, use it as-is.
-			serverName = authority
-		}
-		cfg.ServerName = serverName
+
+	serverName, _, err := net.SplitHostPort(authority)
+	if err != nil {
+		// If the authority had no host port or if the authority cannot be parsed, use it as-is.
+		serverName = authority
 	}
+	cfg.ServerName = serverName
+
 	conn := tls.Client(rawConn, cfg)
 	errChannel := make(chan error, 1)
 	go func() {
@@ -243,9 +259,11 @@ func applyDefaults(c *tls.Config) *tls.Config {
 // certificates to establish the identity of the client need to be included in
 // the credentials (eg: for mTLS), use NewTLS instead, where a complete
 // tls.Config can be specified.
-// serverNameOverride is for testing only. If set to a non empty string,
-// it will override the virtual host name of authority (e.g. :authority header
-// field) in requests.
+//
+// serverNameOverride is for testing only. If set to a non empty string, it will
+// override the virtual host name of authority (e.g. :authority header field) in
+// requests.  Users should use grpc.WithAuthority passed to grpc.NewClient to
+// override the authority of the client instead.
 func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials {
 	return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp})
 }
@@ -255,9 +273,11 @@ func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) Transpor
 // certificates to establish the identity of the client need to be included in
 // the credentials (eg: for mTLS), use NewTLS instead, where a complete
 // tls.Config can be specified.
-// serverNameOverride is for testing only. If set to a non empty string,
-// it will override the virtual host name of authority (e.g. :authority header
-// field) in requests.
+//
+// serverNameOverride is for testing only. If set to a non empty string, it will
+// override the virtual host name of authority (e.g. :authority header field) in
+// requests.  Users should use grpc.WithAuthority passed to grpc.NewClient to
+// override the authority of the client instead.
 func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) {
 	b, err := os.ReadFile(certFile)
 	if err != nil {
diff --git a/vendor/google.golang.org/grpc/dialoptions.go b/vendor/google.golang.org/grpc/dialoptions.go
index 405a2ffeb3..7a5ac2e7c4 100644
--- a/vendor/google.golang.org/grpc/dialoptions.go
+++ b/vendor/google.golang.org/grpc/dialoptions.go
@@ -213,6 +213,7 @@ func WithReadBufferSize(s int) DialOption {
 func WithInitialWindowSize(s int32) DialOption {
 	return newFuncDialOption(func(o *dialOptions) {
 		o.copts.InitialWindowSize = s
+		o.copts.StaticWindowSize = true
 	})
 }
 
@@ -222,6 +223,26 @@ func WithInitialWindowSize(s int32) DialOption {
 func WithInitialConnWindowSize(s int32) DialOption {
 	return newFuncDialOption(func(o *dialOptions) {
 		o.copts.InitialConnWindowSize = s
+		o.copts.StaticWindowSize = true
+	})
+}
+
+// WithStaticStreamWindowSize returns a DialOption which sets the initial
+// stream window size to the value provided and disables dynamic flow control.
+func WithStaticStreamWindowSize(s int32) DialOption {
+	return newFuncDialOption(func(o *dialOptions) {
+		o.copts.InitialWindowSize = s
+		o.copts.StaticWindowSize = true
+	})
+}
+
+// WithStaticConnWindowSize returns a DialOption which sets the initial
+// connection window size to the value provided and disables dynamic flow
+// control.
+func WithStaticConnWindowSize(s int32) DialOption {
+	return newFuncDialOption(func(o *dialOptions) {
+		o.copts.InitialConnWindowSize = s
+		o.copts.StaticWindowSize = true
 	})
 }
 
@@ -360,7 +381,7 @@ func WithReturnConnectionError() DialOption {
 //
 // Note that using this DialOption with per-RPC credentials (through
 // WithCredentialsBundle or WithPerRPCCredentials) which require transport
-// security is incompatible and will cause grpc.Dial() to fail.
+// security is incompatible and will cause RPCs to fail.
 //
 // Deprecated: use WithTransportCredentials and insecure.NewCredentials()
 // instead. Will be supported throughout 1.x.
@@ -587,6 +608,8 @@ func WithChainStreamInterceptor(interceptors ...StreamClientInterceptor) DialOpt
 
 // WithAuthority returns a DialOption that specifies the value to be used as the
 // :authority pseudo-header and as the server name in authentication handshake.
+// This overrides all other ways of setting authority on the channel, but can be
+// overridden per-call by using grpc.CallAuthority.
 func WithAuthority(a string) DialOption {
 	return newFuncDialOption(func(o *dialOptions) {
 		o.authority = a
diff --git a/vendor/google.golang.org/grpc/encoding/encoding.go b/vendor/google.golang.org/grpc/encoding/encoding.go
index 11d0ae142c..dadd21e40f 100644
--- a/vendor/google.golang.org/grpc/encoding/encoding.go
+++ b/vendor/google.golang.org/grpc/encoding/encoding.go
@@ -27,8 +27,10 @@ package encoding
 
 import (
 	"io"
+	"slices"
 	"strings"
 
+	"google.golang.org/grpc/encoding/internal"
 	"google.golang.org/grpc/internal/grpcutil"
 )
 
@@ -36,6 +38,24 @@ import (
 // It is intended for grpc internal use only.
 const Identity = "identity"
 
+func init() {
+	internal.RegisterCompressorForTesting = func(c Compressor) func() {
+		name := c.Name()
+		curCompressor, found := registeredCompressor[name]
+		RegisterCompressor(c)
+		return func() {
+			if found {
+				registeredCompressor[name] = curCompressor
+				return
+			}
+			delete(registeredCompressor, name)
+			grpcutil.RegisteredCompressorNames = slices.DeleteFunc(grpcutil.RegisteredCompressorNames, func(s string) bool {
+				return s == name
+			})
+		}
+	}
+}
+
 // Compressor is used for compressing and decompressing when sending or
 // receiving messages.
 //
diff --git a/vendor/google.golang.org/grpc/encoding/internal/internal.go b/vendor/google.golang.org/grpc/encoding/internal/internal.go
new file mode 100644
index 0000000000..ee9acb4377
--- /dev/null
+++ b/vendor/google.golang.org/grpc/encoding/internal/internal.go
@@ -0,0 +1,28 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package internal contains code internal to the encoding package.
+package internal
+
+// RegisterCompressorForTesting registers a compressor in the global compressor
+// registry. It returns a cleanup function that should be called at the end
+// of the test to unregister the compressor.
+//
+// This prevents compressors registered in one test from appearing in the
+// encoding headers of subsequent tests.
+var RegisterCompressorForTesting any // func RegisterCompressor(c Compressor) func()
diff --git a/vendor/google.golang.org/grpc/encoding/proto/proto.go b/vendor/google.golang.org/grpc/encoding/proto/proto.go
index ceec319dd2..1ab874c7ad 100644
--- a/vendor/google.golang.org/grpc/encoding/proto/proto.go
+++ b/vendor/google.golang.org/grpc/encoding/proto/proto.go
@@ -46,9 +46,25 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 		return nil, fmt.Errorf("proto: failed to marshal, message is %T, want proto.Message", v)
 	}
 
+	// Important: if we remove this Size call then we cannot use
+	// UseCachedSize in MarshalOptions below.
 	size := proto.Size(vv)
+
+	// MarshalOptions with UseCachedSize allows reusing the result from the
+	// previous Size call. This is safe here because:
+	//
+	// 1. We just computed the size.
+	// 2. We assume the message is not being mutated concurrently.
+	//
+	// Important: If the proto.Size call above is removed, using UseCachedSize
+	// becomes unsafe and may lead to incorrect marshaling.
+	//
+	// For more details, see the doc of UseCachedSize:
+	// https://pkg.go.dev/google.golang.org/protobuf/proto#MarshalOptions
+	marshalOptions := proto.MarshalOptions{UseCachedSize: true}
+
 	if mem.IsBelowBufferPoolingThreshold(size) {
-		buf, err := proto.Marshal(vv)
+		buf, err := marshalOptions.Marshal(vv)
 		if err != nil {
 			return nil, err
 		}
@@ -56,7 +72,7 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 	} else {
 		pool := mem.DefaultBufferPool()
 		buf := pool.Get(size)
-		if _, err := (proto.MarshalOptions{}).MarshalAppend((*buf)[:0], vv); err != nil {
+		if _, err := marshalOptions.MarshalAppend((*buf)[:0], vv); err != nil {
 			pool.Put(buf)
 			return nil, err
 		}
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
index ad75313a18..472813f58f 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
@@ -75,6 +75,8 @@ const (
 	MetricTypeIntHisto
 	MetricTypeFloatHisto
 	MetricTypeIntGauge
+	MetricTypeIntUpDownCount
+	MetricTypeIntAsyncGauge
 )
 
 // Int64CountHandle is a typed handle for a int count metric. This handle
@@ -93,6 +95,23 @@ func (h *Int64CountHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Count(h, incr, labels...)
 }
 
+// Int64UpDownCountHandle is a typed handle for an int up-down counter metric.
+// This handle is passed at the recording point in order to know which metric
+// to record on.
+type Int64UpDownCountHandle MetricDescriptor
+
+// Descriptor returns the int64 up-down counter handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64UpDownCountHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 up-down counter value on the metrics recorder provided.
+// The value 'v' can be positive to increment or negative to decrement.
+func (h *Int64UpDownCountHandle) Record(recorder MetricsRecorder, v int64, labels ...string) {
+	recorder.RecordInt64UpDownCount(h, v, labels...)
+}
+
 // Float64CountHandle is a typed handle for a float count metric. This handle is
 // passed at the recording point in order to know which metric to record on.
 type Float64CountHandle MetricDescriptor
@@ -154,6 +173,30 @@ func (h *Int64GaugeHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Gauge(h, incr, labels...)
 }
 
+// AsyncMetric is a marker interface for asynchronous metric types.
+type AsyncMetric interface {
+	isAsync()
+	Descriptor() *MetricDescriptor
+}
+
+// Int64AsyncGaugeHandle is a typed handle for an int gauge metric. This handle is
+// passed at the recording point in order to know which metric to record on.
+type Int64AsyncGaugeHandle MetricDescriptor
+
+// isAsync implements the AsyncMetric interface.
+func (h *Int64AsyncGaugeHandle) isAsync() {}
+
+// Descriptor returns the int64 gauge handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64AsyncGaugeHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 gauge value on the metrics recorder provided.
+func (h *Int64AsyncGaugeHandle) Record(recorder AsyncMetricsRecorder, value int64, labels ...string) {
+	recorder.RecordInt64AsyncGauge(h, value, labels...)
+}
+
 // registeredMetrics are the registered metric descriptor names.
 var registeredMetrics = make(map[string]bool)
 
@@ -249,6 +292,35 @@ func RegisterInt64Gauge(descriptor MetricDescriptor) *Int64GaugeHandle {
 	return (*Int64GaugeHandle)(descPtr)
 }
 
+// RegisterInt64UpDownCount registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64UpDownCount(descriptor MetricDescriptor) *Int64UpDownCountHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	// Set the specific metric type for the up-down counter
+	descriptor.Type = MetricTypeIntUpDownCount
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64UpDownCountHandle)(descPtr)
+}
+
+// RegisterInt64AsyncGauge registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64AsyncGauge(descriptor MetricDescriptor) *Int64AsyncGaugeHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	descriptor.Type = MetricTypeIntAsyncGauge
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64AsyncGaugeHandle)(descPtr)
+}
+
 // snapshotMetricsRegistryForTesting snapshots the global data of the metrics
 // registry. Returns a cleanup function that sets the metrics registry to its
 // original state.
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metrics.go b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
index ee1423605a..d7d404cbe4 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metrics.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
@@ -38,6 +38,16 @@ type MetricsRecorder interface {
 	// RecordInt64Gauge records the measurement alongside labels on the int
 	// gauge associated with the provided handle.
 	RecordInt64Gauge(handle *Int64GaugeHandle, incr int64, labels ...string)
+	// RecordInt64UpDownCounter records the measurement alongside labels on the int
+	// count associated with the provided handle.
+	RecordInt64UpDownCount(handle *Int64UpDownCountHandle, incr int64, labels ...string)
+}
+
+// AsyncMetricsRecorder records on asynchronous metrics derived from metric registry.
+type AsyncMetricsRecorder interface {
+	// RecordInt64AsyncGauge records the measurement alongside labels on the int
+	// count associated with the provided handle asynchronously
+	RecordInt64AsyncGauge(handle *Int64AsyncGaugeHandle, incr int64, labels ...string)
 }
 
 // Metrics is an experimental legacy alias of the now-stable stats.MetricSet.
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
index faa59e4182..8f7d9f6bbe 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.5
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/health/v1/health.proto
 
@@ -261,63 +261,29 @@ func (x *HealthListResponse) GetStatuses() map[string]*HealthCheckResponse {
 
 var File_grpc_health_v1_health_proto protoreflect.FileDescriptor
 
-var file_grpc_health_v1_health_proto_rawDesc = string([]byte{
-	0x0a, 0x1b, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x76, 0x31,
-	0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x67,
-	0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x22, 0x2e, 0x0a,
-	0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0xb1, 0x01,
-	0x0a, 0x13, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x49, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
-	0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x22, 0x4f, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b,
-	0x0a, 0x07, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x4e,
-	0x4f, 0x54, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f,
-	0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x03, 0x22, 0x13, 0x0a, 0x11, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x4c, 0x69, 0x73, 0x74, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xc4, 0x01, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74,
-	0x68, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4c, 0x0a,
-	0x08, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x30, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31,
-	0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x08, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x65, 0x73, 0x1a, 0x60, 0x0a, 0x0d, 0x53,
-	0x74, 0x61, 0x74, 0x75, 0x73, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
-	0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x39,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e,
-	0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48,
-	0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32, 0xfd, 0x01,
-	0x0a, 0x06, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x50, 0x0a, 0x05, 0x43, 0x68, 0x65, 0x63,
-	0x6b, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e,
-	0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
-	0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4d, 0x0a, 0x04, 0x4c, 0x69,
-	0x73, 0x74, 0x12, 0x21, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68,
-	0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x4c, 0x69, 0x73,
-	0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x52, 0x0a, 0x05, 0x57, 0x61, 0x74,
-	0x63, 0x68, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68,
-	0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65,
-	0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68,
-	0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x70, 0x0a,
-	0x11, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e,
-	0x76, 0x31, 0x42, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
-	0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67,
-	0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68,
-	0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x5f, 0x76, 0x31, 0xa2,
-	0x02, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x56, 0x31, 0xaa, 0x02,
-	0x0e, 0x47, 0x72, 0x70, 0x63, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x56, 0x31, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_grpc_health_v1_health_proto_rawDesc = "" +
+	"\n" +
+	"\x1bgrpc/health/v1/health.proto\x12\x0egrpc.health.v1\".\n" +
+	"\x12HealthCheckRequest\x12\x18\n" +
+	"\aservice\x18\x01 \x01(\tR\aservice\"\xb1\x01\n" +
+	"\x13HealthCheckResponse\x12I\n" +
+	"\x06status\x18\x01 \x01(\x0e21.grpc.health.v1.HealthCheckResponse.ServingStatusR\x06status\"O\n" +
+	"\rServingStatus\x12\v\n" +
+	"\aUNKNOWN\x10\x00\x12\v\n" +
+	"\aSERVING\x10\x01\x12\x0f\n" +
+	"\vNOT_SERVING\x10\x02\x12\x13\n" +
+	"\x0fSERVICE_UNKNOWN\x10\x03\"\x13\n" +
+	"\x11HealthListRequest\"\xc4\x01\n" +
+	"\x12HealthListResponse\x12L\n" +
+	"\bstatuses\x18\x01 \x03(\v20.grpc.health.v1.HealthListResponse.StatusesEntryR\bstatuses\x1a`\n" +
+	"\rStatusesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x129\n" +
+	"\x05value\x18\x02 \x01(\v2#.grpc.health.v1.HealthCheckResponseR\x05value:\x028\x012\xfd\x01\n" +
+	"\x06Health\x12P\n" +
+	"\x05Check\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse\x12M\n" +
+	"\x04List\x12!.grpc.health.v1.HealthListRequest\x1a\".grpc.health.v1.HealthListResponse\x12R\n" +
+	"\x05Watch\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse0\x01Bp\n" +
+	"\x11io.grpc.health.v1B\vHealthProtoP\x01Z,google.golang.org/grpc/health/grpc_health_v1\xa2\x02\fGrpcHealthV1\xaa\x02\x0eGrpc.Health.V1b\x06proto3"
 
 var (
 	file_grpc_health_v1_health_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
index 93136610ec..e99cd5c838 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/health/v1/health.proto
 
@@ -188,13 +188,13 @@ type HealthServer interface {
 type UnimplementedHealthServer struct{}
 
 func (UnimplementedHealthServer) Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Check not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Check not implemented")
 }
 func (UnimplementedHealthServer) List(context.Context, *HealthListRequest) (*HealthListResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method List not implemented")
+	return nil, status.Error(codes.Unimplemented, "method List not implemented")
 }
 func (UnimplementedHealthServer) Watch(*HealthCheckRequest, grpc.ServerStreamingServer[HealthCheckResponse]) error {
-	return status.Errorf(codes.Unimplemented, "method Watch not implemented")
+	return status.Error(codes.Unimplemented, "method Watch not implemented")
 }
 func (UnimplementedHealthServer) testEmbeddedByValue() {}
 
diff --git a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
index fbc1ca356a..f38de74a49 100644
--- a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
+++ b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
@@ -67,6 +67,10 @@ type Balancer struct {
 	// balancerCurrent before the UpdateSubConnState is called on the
 	// balancerCurrent.
 	currentMu sync.Mutex
+
+	// activeGoroutines tracks all the goroutines that this balancer has started
+	// and that should be waited on when the balancer closes.
+	activeGoroutines sync.WaitGroup
 }
 
 // swap swaps out the current lb with the pending lb and updates the ClientConn.
@@ -76,7 +80,9 @@ func (gsb *Balancer) swap() {
 	cur := gsb.balancerCurrent
 	gsb.balancerCurrent = gsb.balancerPending
 	gsb.balancerPending = nil
+	gsb.activeGoroutines.Add(1)
 	go func() {
+		defer gsb.activeGoroutines.Done()
 		gsb.currentMu.Lock()
 		defer gsb.currentMu.Unlock()
 		cur.Close()
@@ -223,15 +229,7 @@ func (gsb *Balancer) ExitIdle() {
 	// There is no need to protect this read with a mutex, as the write to the
 	// Balancer field happens in SwitchTo, which completes before this can be
 	// called.
-	if ei, ok := balToUpdate.Balancer.(balancer.ExitIdler); ok {
-		ei.ExitIdle()
-		return
-	}
-	gsb.mu.Lock()
-	defer gsb.mu.Unlock()
-	for sc := range balToUpdate.subconns {
-		sc.Connect()
-	}
+	balToUpdate.ExitIdle()
 }
 
 // updateSubConnState forwards the update to the appropriate child.
@@ -282,6 +280,7 @@ func (gsb *Balancer) Close() {
 
 	currentBalancerToClose.Close()
 	pendingBalancerToClose.Close()
+	gsb.activeGoroutines.Wait()
 }
 
 // balancerWrapper wraps a balancer.Balancer, and overrides some Balancer
@@ -332,7 +331,12 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
 	defer bw.gsb.mu.Unlock()
 	bw.lastState = state
 
+	// If Close() acquires the mutex before UpdateState(), the balancer
+	// will already have been removed from the current or pending state when
+	// reaching this point.
 	if !bw.gsb.balancerCurrentOrPending(bw) {
+		// Returning here ensures that (*Balancer).swap() is not invoked after
+		// (*Balancer).Close() and therefore prevents "use after close".
 		return
 	}
 
diff --git a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
index 11f91668ac..467392b8d4 100644
--- a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
+++ b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
@@ -83,6 +83,7 @@ func (b *Unbounded) Load() {
 		default:
 		}
 	} else if b.closing && !b.closed {
+		b.closed = true
 		close(b.c)
 	}
 }
diff --git a/vendor/google.golang.org/grpc/internal/channelz/trace.go b/vendor/google.golang.org/grpc/internal/channelz/trace.go
index 2bffe47776..3b7ba59662 100644
--- a/vendor/google.golang.org/grpc/internal/channelz/trace.go
+++ b/vendor/google.golang.org/grpc/internal/channelz/trace.go
@@ -194,7 +194,7 @@ func (r RefChannelType) String() string {
 // If channelz is not turned ON, this will simply log the event descriptions.
 func AddTraceEvent(l grpclog.DepthLoggerV2, e Entity, depth int, desc *TraceEvent) {
 	// Log only the trace description associated with the bottom most entity.
-	d := fmt.Sprintf("[%s]%s", e, desc.Desc)
+	d := fmt.Sprintf("[%s] %s", e, desc.Desc)
 	switch desc.Severity {
 	case CtUnknown, CtInfo:
 		l.InfoDepth(depth+1, d)
diff --git a/vendor/google.golang.org/grpc/internal/credentials/credentials.go b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
index 9deee7f651..48b22d9cf0 100644
--- a/vendor/google.golang.org/grpc/internal/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
@@ -20,20 +20,6 @@ import (
 	"context"
 )
 
-// requestInfoKey is a struct to be used as the key to store RequestInfo in a
-// context.
-type requestInfoKey struct{}
-
-// NewRequestInfoContext creates a context with ri.
-func NewRequestInfoContext(ctx context.Context, ri any) context.Context {
-	return context.WithValue(ctx, requestInfoKey{}, ri)
-}
-
-// RequestInfoFromContext extracts the RequestInfo from ctx.
-func RequestInfoFromContext(ctx context.Context) any {
-	return ctx.Value(requestInfoKey{})
-}
-
 // clientHandshakeInfoKey is a struct used as the key to store
 // ClientHandshakeInfo in a context.
 type clientHandshakeInfoKey struct{}
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index cc5713fd9d..6414ee4bbe 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -26,35 +26,31 @@ import (
 )
 
 var (
-	// TXTErrIgnore is set if TXT errors should be ignored ("GRPC_GO_IGNORE_TXT_ERRORS" is not "false").
+	// EnableTXTServiceConfig is set if the DNS resolver should perform TXT
+	// lookups for service config ("GRPC_ENABLE_TXT_SERVICE_CONFIG" is not
+	// "false").
+	EnableTXTServiceConfig = boolFromEnv("GRPC_ENABLE_TXT_SERVICE_CONFIG", true)
+
+	// TXTErrIgnore is set if TXT errors should be ignored
+	// ("GRPC_GO_IGNORE_TXT_ERRORS" is not "false").
 	TXTErrIgnore = boolFromEnv("GRPC_GO_IGNORE_TXT_ERRORS", true)
+
 	// RingHashCap indicates the maximum ring size which defaults to 4096
 	// entries but may be overridden by setting the environment variable
 	// "GRPC_RING_HASH_CAP".  This does not override the default bounds
 	// checking which NACKs configs specifying ring sizes > 8*1024*1024 (~8M).
 	RingHashCap = uint64FromEnv("GRPC_RING_HASH_CAP", 4096, 1, 8*1024*1024)
-	// LeastRequestLB is set if we should support the least_request_experimental
-	// LB policy, which can be enabled by setting the environment variable
-	// "GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST" to "true".
-	LeastRequestLB = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST", false)
+
 	// ALTSMaxConcurrentHandshakes is the maximum number of concurrent ALTS
 	// handshakes that can be performed.
 	ALTSMaxConcurrentHandshakes = uint64FromEnv("GRPC_ALTS_MAX_CONCURRENT_HANDSHAKES", 100, 1, 100)
+
 	// EnforceALPNEnabled is set if TLS connections to servers with ALPN disabled
 	// should be rejected. The HTTP/2 protocol requires ALPN to be enabled, this
 	// option is present for backward compatibility. This option may be overridden
 	// by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
 	// or "false".
 	EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
-	// XDSFallbackSupport is the env variable that controls whether support for
-	// xDS fallback is turned on. If this is unset or is false, only the first
-	// xDS server in the list of server configs will be used.
-	XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", true)
-	// NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
-	// instead of the exiting pickfirst implementation. This can be disabled by
-	// setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
-	// to "false".
-	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
 
 	// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
 	// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
@@ -69,6 +65,23 @@ var (
 	// to gRFC A76. It can be enabled by setting the environment variable
 	// "GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY" to "true".
 	RingHashSetRequestHashKey = boolFromEnv("GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY", false)
+
+	// ALTSHandshakerKeepaliveParams is set if we should add the
+	// KeepaliveParams when dial the ALTS handshaker service.
+	ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
+
+	// EnableDefaultPortForProxyTarget controls whether the resolver adds a default port 443
+	// to a target address that lacks one. This flag only has an effect when all of
+	// the following conditions are met:
+	//   - A connect proxy is being used.
+	//   - Target resolution is disabled.
+	//   - The DNS resolver is being used.
+	EnableDefaultPortForProxyTarget = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET", true)
+
+	// XDSAuthorityRewrite indicates whether xDS authority rewriting is enabled.
+	// This feature is defined in gRFC A81 and is enabled by setting the
+	// environment variable GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE to "true".
+	XDSAuthorityRewrite = boolFromEnv("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index 2eb97f832b..7685d08b54 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -63,4 +63,20 @@ var (
 	// For more details, see:
 	// https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md.
 	XDSSystemRootCertsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS", false)
+
+	// XDSSPIFFEEnabled controls if SPIFFE Bundle Maps can be used as roots of
+	// trust.  For more details, see:
+	// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+	XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
+
+	// XDSHTTPConnectEnabled is true if gRPC should parse custom Metadata
+	// configuring use of an HTTP CONNECT proxy via xDS from cluster resources.
+	// For more details, see:
+	// https://github.com/grpc/proposal/blob/master/A86-xds-http-connect.md
+	XDSHTTPConnectEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_HTTP_CONNECT", false)
+
+	// XDSBootstrapCallCredsEnabled controls if call credentials can be used in
+	// xDS bootstrap configuration via the `call_creds` field. For more details,
+	// see: https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md
+	XDSBootstrapCallCredsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS", false)
 )
diff --git a/vendor/google.golang.org/grpc/internal/experimental.go b/vendor/google.golang.org/grpc/internal/experimental.go
index 7617be2158..c90cc51bdd 100644
--- a/vendor/google.golang.org/grpc/internal/experimental.go
+++ b/vendor/google.golang.org/grpc/internal/experimental.go
@@ -25,4 +25,8 @@ var (
 	// BufferPool is implemented by the grpc package and returns a server
 	// option to configure a shared buffer pool for a grpc.Server.
 	BufferPool any // func (grpc.SharedBufferPool) grpc.ServerOption
+
+	// AcceptCompressors is implemented by the grpc package and returns
+	// a call option that restricts the grpc-accept-encoding header for a call.
+	AcceptCompressors any // func(...string) grpc.CallOption
 )
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
index 8e8e861280..9b6d8a1fa3 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
@@ -80,25 +80,11 @@ func (cs *CallbackSerializer) ScheduleOr(f func(ctx context.Context), onFailure
 func (cs *CallbackSerializer) run(ctx context.Context) {
 	defer close(cs.done)
 
-	// TODO: when Go 1.21 is the oldest supported version, this loop and Close
-	// can be replaced with:
-	//
-	// context.AfterFunc(ctx, cs.callbacks.Close)
-	for ctx.Err() == nil {
-		select {
-		case <-ctx.Done():
-			// Do nothing here. Next iteration of the for loop will not happen,
-			// since ctx.Err() would be non-nil.
-		case cb := <-cs.callbacks.Get():
-			cs.callbacks.Load()
-			cb.(func(context.Context))(ctx)
-		}
-	}
-
-	// Close the buffer to prevent new callbacks from being added.
-	cs.callbacks.Close()
+	// Close the buffer when the context is canceled
+	// to prevent new callbacks from being added.
+	context.AfterFunc(ctx, cs.callbacks.Close)
 
-	// Run all pending callbacks.
+	// Run all callbacks.
 	for cb := range cs.callbacks.Get() {
 		cs.callbacks.Load()
 		cb.(func(context.Context))(ctx)
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/event.go b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
index fbe697c376..d788c24930 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/event.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
@@ -21,28 +21,25 @@
 package grpcsync
 
 import (
-	"sync"
 	"sync/atomic"
 )
 
 // Event represents a one-time event that may occur in the future.
 type Event struct {
-	fired int32
+	fired atomic.Bool
 	c     chan struct{}
-	o     sync.Once
 }
 
 // Fire causes e to complete.  It is safe to call multiple times, and
 // concurrently.  It returns true iff this call to Fire caused the signaling
-// channel returned by Done to close.
+// channel returned by Done to close. If Fire returns false, it is possible
+// the Done channel has not been closed yet.
 func (e *Event) Fire() bool {
-	ret := false
-	e.o.Do(func() {
-		atomic.StoreInt32(&e.fired, 1)
+	if e.fired.CompareAndSwap(false, true) {
 		close(e.c)
-		ret = true
-	})
-	return ret
+		return true
+	}
+	return false
 }
 
 // Done returns a channel that will be closed when Fire is called.
@@ -52,7 +49,7 @@ func (e *Event) Done() <-chan struct{} {
 
 // HasFired returns true if Fire has been called.
 func (e *Event) HasFired() bool {
-	return atomic.LoadInt32(&e.fired) == 1
+	return e.fired.Load()
 }
 
 // NewEvent returns a new, ready-to-use Event.
diff --git a/vendor/google.golang.org/grpc/internal/idle/idle.go b/vendor/google.golang.org/grpc/internal/idle/idle.go
index 2c13ee9dac..d3cd24f80b 100644
--- a/vendor/google.golang.org/grpc/internal/idle/idle.go
+++ b/vendor/google.golang.org/grpc/internal/idle/idle.go
@@ -21,7 +21,6 @@
 package idle
 
 import (
-	"fmt"
 	"math"
 	"sync"
 	"sync/atomic"
@@ -33,15 +32,15 @@ var timeAfterFunc = func(d time.Duration, f func()) *time.Timer {
 	return time.AfterFunc(d, f)
 }
 
-// Enforcer is the functionality provided by grpc.ClientConn to enter
-// and exit from idle mode.
-type Enforcer interface {
-	ExitIdleMode() error
+// ClientConn is the functionality provided by grpc.ClientConn to enter and exit
+// from idle mode.
+type ClientConn interface {
+	ExitIdleMode()
 	EnterIdleMode()
 }
 
-// Manager implements idleness detection and calls the configured Enforcer to
-// enter/exit idle mode when appropriate.  Must be created by NewManager.
+// Manager implements idleness detection and calls the ClientConn to enter/exit
+// idle mode when appropriate. Must be created by NewManager.
 type Manager struct {
 	// State accessed atomically.
 	lastCallEndTime           int64 // Unix timestamp in nanos; time when the most recent RPC completed.
@@ -51,8 +50,8 @@ type Manager struct {
 
 	// Can be accessed without atomics or mutex since these are set at creation
 	// time and read-only after that.
-	enforcer Enforcer // Functionality provided by grpc.ClientConn.
-	timeout  time.Duration
+	cc      ClientConn // Functionality provided by grpc.ClientConn.
+	timeout time.Duration
 
 	// idleMu is used to guarantee mutual exclusion in two scenarios:
 	// - Opposing intentions:
@@ -72,9 +71,9 @@ type Manager struct {
 
 // NewManager creates a new idleness manager implementation for the
 // given idle timeout.  It begins in idle mode.
-func NewManager(enforcer Enforcer, timeout time.Duration) *Manager {
+func NewManager(cc ClientConn, timeout time.Duration) *Manager {
 	return &Manager{
-		enforcer:         enforcer,
+		cc:               cc,
 		timeout:          timeout,
 		actuallyIdle:     true,
 		activeCallsCount: -math.MaxInt32,
@@ -127,7 +126,7 @@ func (m *Manager) handleIdleTimeout() {
 
 	// Now that we've checked that there has been no activity, attempt to enter
 	// idle mode, which is very likely to succeed.
-	if m.tryEnterIdleMode() {
+	if m.tryEnterIdleMode(true) {
 		// Successfully entered idle mode. No timer needed until we exit idle.
 		return
 	}
@@ -142,10 +141,13 @@ func (m *Manager) handleIdleTimeout() {
 // that, it performs a last minute check to ensure that no new RPC has come in,
 // making the channel active.
 //
+// checkActivity controls if a check for RPC activity, since the last time the
+// idle_timeout fired, is made.
+
 // Return value indicates whether or not the channel moved to idle mode.
 //
 // Holds idleMu which ensures mutual exclusion with exitIdleMode.
-func (m *Manager) tryEnterIdleMode() bool {
+func (m *Manager) tryEnterIdleMode(checkActivity bool) bool {
 	// Setting the activeCallsCount to -math.MaxInt32 indicates to OnCallBegin()
 	// that the channel is either in idle mode or is trying to get there.
 	if !atomic.CompareAndSwapInt32(&m.activeCallsCount, 0, -math.MaxInt32) {
@@ -166,7 +168,7 @@ func (m *Manager) tryEnterIdleMode() bool {
 		atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
 		return false
 	}
-	if atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
+	if checkActivity && atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
 		// A very short RPC could have come in (and also finished) after we
 		// checked for calls count and activity in handleIdleTimeout(), but
 		// before the CAS operation. So, we need to check for activity again.
@@ -177,44 +179,37 @@ func (m *Manager) tryEnterIdleMode() bool {
 	// No new RPCs have come in since we set the active calls count value to
 	// -math.MaxInt32. And since we have the lock, it is safe to enter idle mode
 	// unconditionally now.
-	m.enforcer.EnterIdleMode()
+	m.cc.EnterIdleMode()
 	m.actuallyIdle = true
 	return true
 }
 
 // EnterIdleModeForTesting instructs the channel to enter idle mode.
 func (m *Manager) EnterIdleModeForTesting() {
-	m.tryEnterIdleMode()
+	m.tryEnterIdleMode(false)
 }
 
 // OnCallBegin is invoked at the start of every RPC.
-func (m *Manager) OnCallBegin() error {
+func (m *Manager) OnCallBegin() {
 	if m.isClosed() {
-		return nil
+		return
 	}
 
 	if atomic.AddInt32(&m.activeCallsCount, 1) > 0 {
 		// Channel is not idle now. Set the activity bit and allow the call.
 		atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-		return nil
+		return
 	}
 
 	// Channel is either in idle mode or is in the process of moving to idle
 	// mode. Attempt to exit idle mode to allow this RPC.
-	if err := m.ExitIdleMode(); err != nil {
-		// Undo the increment to calls count, and return an error causing the
-		// RPC to fail.
-		atomic.AddInt32(&m.activeCallsCount, -1)
-		return err
-	}
-
+	m.ExitIdleMode()
 	atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-	return nil
 }
 
-// ExitIdleMode instructs m to call the enforcer's ExitIdleMode and update m's
+// ExitIdleMode instructs m to call the ClientConn's ExitIdleMode and update its
 // internal state.
-func (m *Manager) ExitIdleMode() error {
+func (m *Manager) ExitIdleMode() {
 	// Holds idleMu which ensures mutual exclusion with tryEnterIdleMode.
 	m.idleMu.Lock()
 	defer m.idleMu.Unlock()
@@ -231,12 +226,10 @@ func (m *Manager) ExitIdleMode() error {
 		//   m.ExitIdleMode.
 		//
 		// In any case, there is nothing to do here.
-		return nil
+		return
 	}
 
-	if err := m.enforcer.ExitIdleMode(); err != nil {
-		return fmt.Errorf("failed to exit idle mode: %w", err)
-	}
+	m.cc.ExitIdleMode()
 
 	// Undo the idle entry process. This also respects any new RPC attempts.
 	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
@@ -244,7 +237,23 @@ func (m *Manager) ExitIdleMode() error {
 
 	// Start a new timer to fire after the configured idle timeout.
 	m.resetIdleTimerLocked(m.timeout)
-	return nil
+}
+
+// UnsafeSetNotIdle instructs the Manager to update its internal state to
+// reflect the reality that the channel is no longer in IDLE mode.
+//
+// N.B. This method is intended only for internal use by the gRPC client
+// when it exits IDLE mode **manually** from `Dial`. The callsite must ensure:
+//   - The channel was **actually in IDLE mode** immediately prior to the call.
+//   - There is **no concurrent activity** that could cause the channel to exit
+//     IDLE mode *naturally* at the same time.
+func (m *Manager) UnsafeSetNotIdle() {
+	m.idleMu.Lock()
+	defer m.idleMu.Unlock()
+
+	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
+	m.actuallyIdle = false
+	m.resetIdleTimerLocked(m.timeout)
 }
 
 // OnCallEnd is invoked at the end of every RPC.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 2ce012cda1..27bef83d97 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -182,35 +182,6 @@ var (
 	// other features, including the CSDS service.
 	NewXDSResolverWithClientForTesting any // func(xdsclient.XDSClient) (resolver.Builder, error)
 
-	// RegisterRLSClusterSpecifierPluginForTesting registers the RLS Cluster
-	// Specifier Plugin for testing purposes, regardless of the XDSRLS environment
-	// variable.
-	//
-	// TODO: Remove this function once the RLS env var is removed.
-	RegisterRLSClusterSpecifierPluginForTesting func()
-
-	// UnregisterRLSClusterSpecifierPluginForTesting unregisters the RLS Cluster
-	// Specifier Plugin for testing purposes. This is needed because there is no way
-	// to unregister the RLS Cluster Specifier Plugin after registering it solely
-	// for testing purposes using RegisterRLSClusterSpecifierPluginForTesting().
-	//
-	// TODO: Remove this function once the RLS env var is removed.
-	UnregisterRLSClusterSpecifierPluginForTesting func()
-
-	// RegisterRBACHTTPFilterForTesting registers the RBAC HTTP Filter for testing
-	// purposes, regardless of the RBAC environment variable.
-	//
-	// TODO: Remove this function once the RBAC env var is removed.
-	RegisterRBACHTTPFilterForTesting func()
-
-	// UnregisterRBACHTTPFilterForTesting unregisters the RBAC HTTP Filter for
-	// testing purposes. This is needed because there is no way to unregister the
-	// HTTP Filter after registering it solely for testing purposes using
-	// RegisterRBACHTTPFilterForTesting().
-	//
-	// TODO: Remove this function once the RBAC env var is removed.
-	UnregisterRBACHTTPFilterForTesting func()
-
 	// ORCAAllowAnyMinReportingInterval is for examples/orca use ONLY.
 	ORCAAllowAnyMinReportingInterval any // func(so *orca.ServiceOptions)
 
@@ -266,6 +237,17 @@ var (
 	TimeAfterFunc = func(d time.Duration, f func()) Timer {
 		return time.AfterFunc(d, f)
 	}
+
+	// NewStreamWaitingForResolver is a test hook that is triggered when a
+	// new stream blocks while waiting for name resolution. This can be
+	// used in tests to synchronize resolver updates and avoid race conditions.
+	// When set, the function will be called before the stream enters
+	// the blocking state.
+	NewStreamWaitingForResolver = func() {}
+
+	// AddressToTelemetryLabels is an xDS-provided function to extract telemetry
+	// labels from a resolver.Address. Callers must assert its type before calling.
+	AddressToTelemetryLabels any // func(addr resolver.Address) map[string]string
 )
 
 // HealthChecker defines the signature of the client-side LB channel health
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index 20b8fb098a..5bfa67b726 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -22,11 +22,13 @@ package delegatingresolver
 
 import (
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sync"
 
 	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/grpc/internal/proxyattributes"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -40,6 +42,8 @@ var (
 	HTTPSProxyFromEnvironment = http.ProxyFromEnvironment
 )
 
+const defaultPort = "443"
+
 // delegatingResolver manages both target URI and proxy address resolution by
 // delegating these tasks to separate child resolvers. Essentially, it acts as
 // an intermediary between the gRPC ClientConn and the child resolvers.
@@ -107,10 +111,18 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 		targetResolver: nopResolver{},
 	}
 
+	addr := target.Endpoint()
 	var err error
-	r.proxyURL, err = proxyURLForTarget(target.Endpoint())
+	if target.URL.Scheme == "dns" && !targetResolutionEnabled && envconfig.EnableDefaultPortForProxyTarget {
+		addr, err = parseTarget(addr)
+		if err != nil {
+			return nil, fmt.Errorf("delegating_resolver: invalid target address %q: %v", target.Endpoint(), err)
+		}
+	}
+
+	r.proxyURL, err = proxyURLForTarget(addr)
 	if err != nil {
-		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %s: %v", target, err)
+		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %q: %v", target, err)
 	}
 
 	// proxy is not configured or proxy address excluded using `NO_PROXY` env
@@ -132,8 +144,8 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 	// bypass the target resolver and store the unresolved target address.
 	if target.URL.Scheme == "dns" && !targetResolutionEnabled {
 		r.targetResolverState = &resolver.State{
-			Addresses: []resolver.Address{{Addr: target.Endpoint()}},
-			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: target.Endpoint()}}}},
+			Addresses: []resolver.Address{{Addr: addr}},
+			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: addr}}}},
 		}
 		r.updateTargetResolverState(*r.targetResolverState)
 		return r, nil
@@ -202,6 +214,44 @@ func needsProxyResolver(state *resolver.State) bool {
 	return false
 }
 
+// parseTarget takes a target string and ensures it is a valid "host:port" target.
+//
+// It does the following:
+//  1. If the target already has a port (e.g., "host:port", "[ipv6]:port"),
+//     it is returned as is.
+//  2. If the host part is empty (e.g., ":80"), it defaults to "localhost",
+//     returning "localhost:80".
+//  3. If the target is missing a port (e.g., "host", "ipv6"), the defaultPort
+//     is added.
+//
+// An error is returned for empty targets or targets with a trailing colon
+// but no port (e.g., "host:").
+func parseTarget(target string) (string, error) {
+	if target == "" {
+		return "", fmt.Errorf("missing address")
+	}
+
+	host, port, err := net.SplitHostPort(target)
+	if err != nil {
+		// If SplitHostPort fails, it's likely because the port is missing.
+		// We append the default port and return the result.
+		return net.JoinHostPort(target, defaultPort), nil
+	}
+
+	// If SplitHostPort succeeds, we check for edge cases.
+	if port == "" {
+		// A success with an empty port means the target had a trailing colon,
+		// e.g., "host:", which is an error.
+		return "", fmt.Errorf("missing port after port-separator colon")
+	}
+	if host == "" {
+		// A success with an empty host means the target was like ":80".
+		// We default the host to "localhost".
+		host = "localhost"
+	}
+	return net.JoinHostPort(host, port), nil
+}
+
 func skipProxy(address resolver.Address) bool {
 	// Avoid proxy when network is not tcp.
 	networkType, ok := networktype.Get(address)
diff --git a/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go b/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
index ba5c5a95d0..ada5251cff 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
@@ -132,13 +132,13 @@ func (b *dnsBuilder) Build(target resolver.Target, cc resolver.ClientConn, opts
 	// DNS address (non-IP).
 	ctx, cancel := context.WithCancel(context.Background())
 	d := &dnsResolver{
-		host:                 host,
-		port:                 port,
-		ctx:                  ctx,
-		cancel:               cancel,
-		cc:                   cc,
-		rn:                   make(chan struct{}, 1),
-		disableServiceConfig: opts.DisableServiceConfig,
+		host:                host,
+		port:                port,
+		ctx:                 ctx,
+		cancel:              cancel,
+		cc:                  cc,
+		rn:                  make(chan struct{}, 1),
+		enableServiceConfig: envconfig.EnableTXTServiceConfig && !opts.DisableServiceConfig,
 	}
 
 	d.resolver, err = internal.NewNetResolver(target.URL.Host)
@@ -181,8 +181,8 @@ type dnsResolver struct {
 	// finishes, race detector sometimes will warn lookup (READ the lookup
 	// function pointers) inside watcher() goroutine has data race with
 	// replaceNetFunc (WRITE the lookup function pointers).
-	wg                   sync.WaitGroup
-	disableServiceConfig bool
+	wg                  sync.WaitGroup
+	enableServiceConfig bool
 }
 
 // ResolveNow invoke an immediate resolution of the target that this
@@ -346,7 +346,7 @@ func (d *dnsResolver) lookup() (*resolver.State, error) {
 	if len(srv) > 0 {
 		state = grpclbstate.Set(state, &grpclbstate.State{BalancerAddresses: srv})
 	}
-	if !d.disableServiceConfig {
+	if d.enableServiceConfig {
 		state.ServiceConfig = d.lookupTXT(ctx)
 	}
 	return &state, nil
diff --git a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
index 79044657be..d5f7e4d62d 100644
--- a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
+++ b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
@@ -64,6 +64,16 @@ func (l *MetricsRecorderList) RecordInt64Count(handle *estats.Int64CountHandle,
 	}
 }
 
+// RecordInt64UpDownCount records the measurement alongside labels on the int
+// count associated with the provided handle.
+func (l *MetricsRecorderList) RecordInt64UpDownCount(handle *estats.Int64UpDownCountHandle, incr int64, labels ...string) {
+	verifyLabels(handle.Descriptor(), labels...)
+
+	for _, metricRecorder := range l.metricsRecorders {
+		metricRecorder.RecordInt64UpDownCount(handle, incr, labels...)
+	}
+}
+
 // RecordFloat64Count records the measurement alongside labels on the float
 // count associated with the provided handle.
 func (l *MetricsRecorderList) RecordFloat64Count(handle *estats.Float64CountHandle, incr float64, labels ...string) {
diff --git a/vendor/google.golang.org/grpc/internal/stats/stats.go b/vendor/google.golang.org/grpc/internal/stats/stats.go
new file mode 100644
index 0000000000..49019b80d1
--- /dev/null
+++ b/vendor/google.golang.org/grpc/internal/stats/stats.go
@@ -0,0 +1,70 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package stats
+
+import (
+	"context"
+
+	"google.golang.org/grpc/stats"
+)
+
+type combinedHandler struct {
+	handlers []stats.Handler
+}
+
+// NewCombinedHandler combines multiple stats.Handlers into a single handler.
+//
+// It returns nil if no handlers are provided. If only one handler is
+// provided, it is returned directly without wrapping.
+func NewCombinedHandler(handlers ...stats.Handler) stats.Handler {
+	switch len(handlers) {
+	case 0:
+		return nil
+	case 1:
+		return handlers[0]
+	default:
+		return &combinedHandler{handlers: handlers}
+	}
+}
+
+func (ch *combinedHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagRPC(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleRPC(ctx context.Context, stats stats.RPCStats) {
+	for _, h := range ch.handlers {
+		h.HandleRPC(ctx, stats)
+	}
+}
+
+func (ch *combinedHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagConn(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleConn(ctx context.Context, stats stats.ConnStats) {
+	for _, h := range ch.handlers {
+		h.HandleConn(ctx, stats)
+	}
+}
diff --git a/vendor/google.golang.org/grpc/internal/status/status.go b/vendor/google.golang.org/grpc/internal/status/status.go
index 1186f1e9a9..aad171cd02 100644
--- a/vendor/google.golang.org/grpc/internal/status/status.go
+++ b/vendor/google.golang.org/grpc/internal/status/status.go
@@ -236,3 +236,11 @@ func IsRestrictedControlPlaneCode(s *Status) bool {
 	}
 	return false
 }
+
+// RawStatusProto returns the internal protobuf message for use by gRPC itself.
+func RawStatusProto(s *Status) *spb.Status {
+	if s == nil {
+		return nil
+	}
+	return s.s
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index ccc0e017e5..980452519e 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -29,25 +29,27 @@ import (
 
 // ClientStream implements streaming functionality for a gRPC client.
 type ClientStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	ct       *http2Client
 	done     chan struct{} // closed at the end of stream to unblock writers.
 	doneFunc func()        // invoked at the end of stream.
 
-	headerChan       chan struct{} // closed to indicate the end of header metadata.
-	headerChanClosed uint32        // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	headerChan chan struct{} // closed to indicate the end of header metadata.
+	header     metadata.MD   // the received header metadata
+
+	status *status.Status // the status error received from the server
+
+	// Non-pointer fields are at the end to optimize GC allocations.
+
 	// headerValid indicates whether a valid header was received.  Only
 	// meaningful after headerChan is closed (always call waitOnHeader() before
 	// reading its value).
-	headerValid bool
-	header      metadata.MD // the received header metadata
-	noHeaders   bool        // set if the client never received headers (set only after the stream is done).
-
-	bytesReceived atomic.Bool // indicates whether any bytes have been received on this stream
-	unprocessed   atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
-
-	status *status.Status // the status error received from the server
+	headerValid      bool
+	noHeaders        bool        // set if the client never received headers (set only after the stream is done).
+	headerChanClosed uint32      // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	bytesReceived    atomic.Bool // indicates whether any bytes have been received on this stream
+	unprocessed      atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
 }
 
 // Read reads an n byte message from the input stream.
@@ -142,3 +144,11 @@ func (s *ClientStream) TrailersOnly() bool {
 func (s *ClientStream) Status() *status.Status {
 	return s.status
 }
+
+func (s *ClientStream) requestRead(n int) {
+	s.ct.adjustWindow(s, uint32(n))
+}
+
+func (s *ClientStream) updateWindow(n int) {
+	s.ct.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
index ef72fbb3a0..2dcd1e63bd 100644
--- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
+++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
@@ -40,6 +40,13 @@ var updateHeaderTblSize = func(e *hpack.Encoder, v uint32) {
 	e.SetMaxDynamicTableSizeLimit(v)
 }
 
+// itemNodePool is used to reduce heap allocations.
+var itemNodePool = sync.Pool{
+	New: func() any {
+		return &itemNode{}
+	},
+}
+
 type itemNode struct {
 	it   any
 	next *itemNode
@@ -51,7 +58,9 @@ type itemList struct {
 }
 
 func (il *itemList) enqueue(i any) {
-	n := &itemNode{it: i}
+	n := itemNodePool.Get().(*itemNode)
+	n.next = nil
+	n.it = i
 	if il.tail == nil {
 		il.head, il.tail = n, n
 		return
@@ -71,7 +80,9 @@ func (il *itemList) dequeue() any {
 		return nil
 	}
 	i := il.head.it
+	temp := il.head
 	il.head = il.head.next
+	itemNodePool.Put(temp)
 	if il.head == nil {
 		il.tail = nil
 	}
@@ -146,10 +157,11 @@ type earlyAbortStream struct {
 func (*earlyAbortStream) isTransportResponseFrame() bool { return false }
 
 type dataFrame struct {
-	streamID  uint32
-	endStream bool
-	h         []byte
-	reader    mem.Reader
+	streamID   uint32
+	endStream  bool
+	h          []byte
+	data       mem.BufferSlice
+	processing bool
 	// onEachWrite is called every time
 	// a part of data is written out.
 	onEachWrite func()
@@ -234,6 +246,7 @@ type outStream struct {
 	itl              *itemList
 	bytesOutStanding int
 	wq               *writeQuota
+	reader           mem.Reader
 
 	next *outStream
 	prev *outStream
@@ -461,7 +474,9 @@ func (c *controlBuffer) finish() {
 				v.onOrphaned(ErrConnClosing)
 			}
 		case *dataFrame:
-			_ = v.reader.Close()
+			if !v.processing {
+				v.data.Free()
+			}
 		}
 	}
 
@@ -481,6 +496,16 @@ const (
 	serverSide
 )
 
+// maxWriteBufSize is the maximum length (number of elements) the cached
+// writeBuf can grow to. The length depends on the number of buffers
+// contained within the BufferSlice produced by the codec, which is
+// generally small.
+//
+// If a writeBuf larger than this limit is required, it will be allocated
+// and freed after use, rather than being cached. This avoids holding
+// on to large amounts of memory.
+const maxWriteBufSize = 64
+
 // Loopy receives frames from the control buffer.
 // Each frame is handled individually; most of the work done by loopy goes
 // into handling data frames. Loopy maintains a queue of active streams, and each
@@ -515,6 +540,8 @@ type loopyWriter struct {
 
 	// Side-specific handlers
 	ssGoAwayHandler func(*goAway) (bool, error)
+
+	writeBuf [][]byte // cached slice to avoid heap allocations for calls to mem.Reader.Peek.
 }
 
 func newLoopyWriter(s side, fr *framer, cbuf *controlBuffer, bdpEst *bdpEstimator, conn net.Conn, logger *grpclog.PrefixLogger, goAwayHandler func(*goAway) (bool, error), bufferPool mem.BufferPool) *loopyWriter {
@@ -790,10 +817,13 @@ func (l *loopyWriter) cleanupStreamHandler(c *cleanupStream) error {
 		// a RST_STREAM before stream initialization thus the stream might
 		// not be established yet.
 		delete(l.estdStreams, c.streamID)
+		str.reader.Close()
 		str.deleteSelf()
 		for head := str.itl.dequeueAll(); head != nil; head = head.next {
 			if df, ok := head.it.(*dataFrame); ok {
-				_ = df.reader.Close()
+				if !df.processing {
+					df.data.Free()
+				}
 			}
 		}
 	}
@@ -928,7 +958,13 @@ func (l *loopyWriter) processData() (bool, error) {
 	if str == nil {
 		return true, nil
 	}
+	reader := &str.reader
 	dataItem := str.itl.peek().(*dataFrame) // Peek at the first data item this stream.
+	if !dataItem.processing {
+		dataItem.processing = true
+		reader.Reset(dataItem.data)
+		dataItem.data.Free()
+	}
 	// A data item is represented by a dataFrame, since it later translates into
 	// multiple HTTP2 data frames.
 	// Every dataFrame has two buffers; h that keeps grpc-message header and data
@@ -936,13 +972,13 @@ func (l *loopyWriter) processData() (bool, error) {
 	// from data is copied to h to make as big as the maximum possible HTTP2 frame
 	// size.
 
-	if len(dataItem.h) == 0 && dataItem.reader.Remaining() == 0 { // Empty data frame
+	if len(dataItem.h) == 0 && reader.Remaining() == 0 { // Empty data frame
 		// Client sends out empty data frame with endStream = true
-		if err := l.framer.fr.WriteData(dataItem.streamID, dataItem.endStream, nil); err != nil {
+		if err := l.framer.writeData(dataItem.streamID, dataItem.endStream, nil); err != nil {
 			return false, err
 		}
 		str.itl.dequeue() // remove the empty data item from stream
-		_ = dataItem.reader.Close()
+		reader.Close()
 		if str.itl.isEmpty() {
 			str.state = empty
 		} else if trailer, ok := str.itl.peek().(*headerFrame); ok { // the next item is trailers.
@@ -971,29 +1007,24 @@ func (l *loopyWriter) processData() (bool, error) {
 	}
 	// Compute how much of the header and data we can send within quota and max frame length
 	hSize := min(maxSize, len(dataItem.h))
-	dSize := min(maxSize-hSize, dataItem.reader.Remaining())
-	remainingBytes := len(dataItem.h) + dataItem.reader.Remaining() - hSize - dSize
+	dSize := min(maxSize-hSize, reader.Remaining())
+	remainingBytes := len(dataItem.h) + reader.Remaining() - hSize - dSize
 	size := hSize + dSize
 
-	var buf *[]byte
-
-	if hSize != 0 && dSize == 0 {
-		buf = &dataItem.h
-	} else {
-		// Note: this is only necessary because the http2.Framer does not support
-		// partially writing a frame, so the sequence must be materialized into a buffer.
-		// TODO: Revisit once https://github.com/golang/go/issues/66655 is addressed.
-		pool := l.bufferPool
-		if pool == nil {
-			// Note that this is only supposed to be nil in tests. Otherwise, stream is
-			// always initialized with a BufferPool.
-			pool = mem.DefaultBufferPool()
+	l.writeBuf = l.writeBuf[:0]
+	if hSize > 0 {
+		l.writeBuf = append(l.writeBuf, dataItem.h[:hSize])
+	}
+	if dSize > 0 {
+		var err error
+		l.writeBuf, err = reader.Peek(dSize, l.writeBuf)
+		if err != nil {
+			// This must never happen since the reader must have at least dSize
+			// bytes.
+			// Log an error to fail tests.
+			l.logger.Errorf("unexpected error while reading Data frame payload: %v", err)
+			return false, err
 		}
-		buf = pool.Get(size)
-		defer pool.Put(buf)
-
-		copy((*buf)[:hSize], dataItem.h)
-		_, _ = dataItem.reader.Read((*buf)[hSize:])
 	}
 
 	// Now that outgoing flow controls are checked we can replenish str's write quota
@@ -1006,7 +1037,14 @@ func (l *loopyWriter) processData() (bool, error) {
 	if dataItem.onEachWrite != nil {
 		dataItem.onEachWrite()
 	}
-	if err := l.framer.fr.WriteData(dataItem.streamID, endStream, (*buf)[:size]); err != nil {
+	err := l.framer.writeData(dataItem.streamID, endStream, l.writeBuf)
+	reader.Discard(dSize)
+	if cap(l.writeBuf) > maxWriteBufSize {
+		l.writeBuf = nil
+	} else {
+		clear(l.writeBuf)
+	}
+	if err != nil {
 		return false, err
 	}
 	str.bytesOutStanding += size
@@ -1014,7 +1052,7 @@ func (l *loopyWriter) processData() (bool, error) {
 	dataItem.h = dataItem.h[hSize:]
 
 	if remainingBytes == 0 { // All the data from that message was written out.
-		_ = dataItem.reader.Close()
+		reader.Close()
 		str.itl.dequeue()
 	}
 	if str.itl.isEmpty() {
diff --git a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
index dfc0f224ec..7cfbc9637b 100644
--- a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
+++ b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
@@ -28,7 +28,7 @@ import (
 // writeQuota is a soft limit on the amount of data a stream can
 // schedule before some of it is written out.
 type writeQuota struct {
-	quota int32
+	_ noCopy
 	// get waits on read from when quota goes less than or equal to zero.
 	// replenish writes on it when quota goes positive again.
 	ch chan struct{}
@@ -38,16 +38,17 @@ type writeQuota struct {
 	// It is implemented as a field so that it can be updated
 	// by tests.
 	replenish func(n int)
+	quota     int32
 }
 
-func newWriteQuota(sz int32, done <-chan struct{}) *writeQuota {
-	w := &writeQuota{
-		quota: sz,
-		ch:    make(chan struct{}, 1),
-		done:  done,
-	}
+// init allows a writeQuota to be initialized in-place, which is useful for
+// resetting a buffer or for avoiding a heap allocation when the buffer is
+// embedded in another struct.
+func (w *writeQuota) init(sz int32, done <-chan struct{}) {
+	w.quota = sz
+	w.ch = make(chan struct{}, 1)
+	w.done = done
 	w.replenish = w.realReplenish
-	return w
 }
 
 func (w *writeQuota) get(sz int32) error {
@@ -67,9 +68,9 @@ func (w *writeQuota) get(sz int32) error {
 
 func (w *writeQuota) realReplenish(n int) {
 	sz := int32(n)
-	a := atomic.AddInt32(&w.quota, sz)
-	b := a - sz
-	if b <= 0 && a > 0 {
+	newQuota := atomic.AddInt32(&w.quota, sz)
+	previousQuota := newQuota - sz
+	if previousQuota <= 0 && newQuota > 0 {
 		select {
 		case w.ch <- struct{}{}:
 		default:
diff --git a/vendor/google.golang.org/grpc/internal/transport/handler_server.go b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
index 3dea235735..7ab3422b8a 100644
--- a/vendor/google.golang.org/grpc/internal/transport/handler_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
@@ -50,7 +50,7 @@ import (
 // NewServerHandlerTransport returns a ServerTransport handling gRPC from
 // inside an http.Handler, or writes an HTTP error to w and returns an error.
 // It requires that the http Server supports HTTP/2.
-func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats []stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
+func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
 	if r.Method != http.MethodPost {
 		w.Header().Set("Allow", http.MethodPost)
 		msg := fmt.Sprintf("invalid gRPC request method %q", r.Method)
@@ -170,7 +170,7 @@ type serverHandlerTransport struct {
 	// TODO make sure this is consistent across handler_server and http2_server
 	contentSubtype string
 
-	stats  []stats.Handler
+	stats  stats.Handler
 	logger *grpclog.PrefixLogger
 
 	bufferPool mem.BufferPool
@@ -274,14 +274,14 @@ func (ht *serverHandlerTransport) writeStatus(s *ServerStream, st *status.Status
 		}
 	})
 
-	if err == nil { // transport has not been closed
+	if err == nil && ht.stats != nil { // transport has not been closed
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		for _, sh := range ht.stats {
-			sh.HandleRPC(s.Context(), &stats.OutTrailer{
-				Trailer: s.trailer.Copy(),
-			})
-		}
+		s.hdrMu.Lock()
+		ht.stats.HandleRPC(s.Context(), &stats.OutTrailer{
+			Trailer: s.trailer.Copy(),
+		})
+		s.hdrMu.Unlock()
 	}
 	ht.Close(errors.New("finished writing status"))
 	return err
@@ -372,19 +372,23 @@ func (ht *serverHandlerTransport) writeHeader(s *ServerStream, md metadata.MD) e
 		ht.rw.(http.Flusher).Flush()
 	})
 
-	if err == nil {
-		for _, sh := range ht.stats {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			sh.HandleRPC(s.Context(), &stats.OutHeader{
-				Header:      md.Copy(),
-				Compression: s.sendCompress,
-			})
-		}
+	if err == nil && ht.stats != nil {
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		ht.stats.HandleRPC(s.Context(), &stats.OutHeader{
+			Header:      md.Copy(),
+			Compression: s.sendCompress,
+		})
 	}
 	return err
 }
 
+func (ht *serverHandlerTransport) adjustWindow(*ServerStream, uint32) {
+}
+
+func (ht *serverHandlerTransport) updateWindow(*ServerStream, uint32) {
+}
+
 func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream func(*ServerStream)) {
 	// With this transport type there will be exactly 1 stream: this HTTP request.
 	var cancel context.CancelFunc
@@ -409,11 +413,9 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 	ctx = metadata.NewIncomingContext(ctx, ht.headerMD)
 	req := ht.req
 	s := &ServerStream{
-		Stream: &Stream{
+		Stream: Stream{
 			id:             0, // irrelevant
 			ctx:            ctx,
-			requestRead:    func(int) {},
-			buf:            newRecvBuffer(),
 			method:         req.URL.Path,
 			recvCompress:   req.Header.Get("grpc-encoding"),
 			contentSubtype: ht.contentSubtype,
@@ -422,9 +424,11 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 		st:               ht,
 		headerWireLength: 0, // won't have access to header wire length until golang/go#18997.
 	}
-	s.trReader = &transportReader{
-		reader:        &recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: s.buf},
-		windowHandler: func(int) {},
+	s.Stream.buf.init()
+	s.readRequester = s
+	s.trReader = transportReader{
+		reader:        recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: &s.buf},
+		windowHandler: s,
 	}
 
 	// readerDone is closed when the Body.Read-ing goroutine exits.
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index 171e690a3f..38ca031af6 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -44,6 +44,7 @@ import (
 	"google.golang.org/grpc/internal/grpcutil"
 	imetadata "google.golang.org/grpc/internal/metadata"
 	"google.golang.org/grpc/internal/proxyattributes"
+	istats "google.golang.org/grpc/internal/stats"
 	istatus "google.golang.org/grpc/internal/status"
 	isyscall "google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -105,7 +106,7 @@ type http2Client struct {
 	kp               keepalive.ClientParameters
 	keepaliveEnabled bool
 
-	statsHandlers []stats.Handler
+	statsHandler stats.Handler
 
 	initialWindowSize int32
 
@@ -309,11 +310,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 			scheme = "https"
 		}
 	}
-	dynamicWindow := true
 	icwz := int32(initialWindowSize)
 	if opts.InitialConnWindowSize >= defaultWindowSize {
 		icwz = opts.InitialConnWindowSize
-		dynamicWindow = false
 	}
 	writeBufSize := opts.WriteBufferSize
 	readBufSize := opts.ReadBufferSize
@@ -337,14 +336,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		writerDone:            make(chan struct{}),
 		goAway:                make(chan struct{}),
 		keepaliveDone:         make(chan struct{}),
-		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize),
+		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize, opts.BufferPool),
 		fc:                    &trInFlow{limit: uint32(icwz)},
 		scheme:                scheme,
 		activeStreams:         make(map[uint32]*ClientStream),
 		isSecure:              isSecure,
 		perRPCCreds:           perRPCCreds,
 		kp:                    kp,
-		statsHandlers:         opts.StatsHandlers,
+		statsHandler:          istats.NewCombinedHandler(opts.StatsHandlers...),
 		initialWindowSize:     initialWindowSize,
 		nextID:                1,
 		maxConcurrentStreams:  defaultMaxStreamsClient,
@@ -371,7 +370,7 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		})
 	t.logger = prefixLoggerForClientTransport(t)
 	// Add peer information to the http2client context.
-	t.ctx = peer.NewContext(t.ctx, t.getPeer())
+	t.ctx = peer.NewContext(t.ctx, t.Peer())
 
 	if md, ok := addr.Metadata.(*metadata.MD); ok {
 		t.md = *md
@@ -381,23 +380,21 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 	t.controlBuf = newControlBuffer(t.ctxDone)
 	if opts.InitialWindowSize >= defaultWindowSize {
 		t.initialWindowSize = opts.InitialWindowSize
-		dynamicWindow = false
 	}
-	if dynamicWindow {
+	if !opts.StaticWindowSize {
 		t.bdpEst = &bdpEstimator{
 			bdp:               initialWindowSize,
 			updateFlowControl: t.updateFlowControl,
 		}
 	}
-	for _, sh := range t.statsHandlers {
-		t.ctx = sh.TagConn(t.ctx, &stats.ConnTagInfo{
+	if t.statsHandler != nil {
+		t.ctx = t.statsHandler.TagConn(t.ctx, &stats.ConnTagInfo{
 			RemoteAddr: t.remoteAddr,
 			LocalAddr:  t.localAddr,
 		})
-		connBegin := &stats.ConnBegin{
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnBegin{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connBegin)
+		})
 	}
 	if t.keepaliveEnabled {
 		t.kpDormancyCond = sync.NewCond(&t.mu)
@@ -484,10 +481,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientStream {
 	// TODO(zhaoq): Handle uint32 overflow of Stream.id.
 	s := &ClientStream{
-		Stream: &Stream{
+		Stream: Stream{
 			method:         callHdr.Method,
 			sendCompress:   callHdr.SendCompress,
-			buf:            newRecvBuffer(),
 			contentSubtype: callHdr.ContentSubtype,
 		},
 		ct:         t,
@@ -495,31 +491,26 @@ func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientSt
 		headerChan: make(chan struct{}),
 		doneFunc:   callHdr.DoneFunc,
 	}
-	s.wq = newWriteQuota(defaultWriteQuota, s.done)
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.Stream.buf.init()
+	s.Stream.wq.init(defaultWriteQuota, s.done)
+	s.readRequester = s
 	// The client side stream context should have exactly the same life cycle with the user provided context.
 	// That means, s.ctx should be read-only. And s.ctx is done iff ctx is done.
 	// So we use the original context here instead of creating a copy.
 	s.ctx = ctx
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
-			ctx:     s.ctx,
-			ctxDone: s.ctx.Done(),
-			recv:    s.buf,
-			closeStream: func(err error) {
-				s.Close(err)
-			},
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+	s.trReader = transportReader{
+		reader: recvBufferReader{
+			ctx:          s.ctx,
+			ctxDone:      s.ctx.Done(),
+			recv:         &s.buf,
+			clientStream: s,
 		},
+		windowHandler: s,
 	}
 	return s
 }
 
-func (t *http2Client) getPeer() *peer.Peer {
+func (t *http2Client) Peer() *peer.Peer {
 	return &peer.Peer{
 		Addr:      t.remoteAddr,
 		AuthInfo:  t.authInfo, // Can be nil
@@ -545,7 +536,7 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		Method:   callHdr.Method,
 		AuthInfo: t.authInfo,
 	}
-	ctxWithRequestInfo := icredentials.NewRequestInfoContext(ctx, ri)
+	ctxWithRequestInfo := credentials.NewContextWithRequestInfo(ctx, ri)
 	authData, err := t.getTrAuthData(ctxWithRequestInfo, aud)
 	if err != nil {
 		return nil, err
@@ -559,6 +550,22 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 	// Make the slice of certain predictable size to reduce allocations made by append.
 	hfLen := 7 // :method, :scheme, :path, :authority, content-type, user-agent, te
 	hfLen += len(authData) + len(callAuthData)
+	registeredCompressors := t.registeredCompressors
+	if callHdr.AcceptedCompressors != nil {
+		registeredCompressors = *callHdr.AcceptedCompressors
+	}
+	if callHdr.PreviousAttempts > 0 {
+		hfLen++
+	}
+	if callHdr.SendCompress != "" {
+		hfLen++
+	}
+	if registeredCompressors != "" {
+		hfLen++
+	}
+	if _, ok := ctx.Deadline(); ok {
+		hfLen++
+	}
 	headerFields := make([]hpack.HeaderField, 0, hfLen)
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":method", Value: "POST"})
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: t.scheme})
@@ -571,7 +578,6 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-previous-rpc-attempts", Value: strconv.Itoa(callHdr.PreviousAttempts)})
 	}
 
-	registeredCompressors := t.registeredCompressors
 	if callHdr.SendCompress != "" {
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-encoding", Value: callHdr.SendCompress})
 		// Include the outgoing compressor name when compressor is not registered
@@ -592,6 +598,9 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		// Send out timeout regardless its value. The server can detect timeout context by itself.
 		// TODO(mmukhi): Perhaps this field should be updated when actually writing out to the wire.
 		timeout := time.Until(dl)
+		if timeout <= 0 {
+			return nil, status.Error(codes.DeadlineExceeded, context.DeadlineExceeded.Error())
+		}
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-timeout", Value: grpcutil.EncodeDuration(timeout)})
 	}
 	for k, v := range authData {
@@ -736,7 +745,7 @@ func (e NewStreamError) Error() string {
 // NewStream creates a stream and registers it into the transport as "active"
 // streams.  All non-nil errors returned will be *NewStreamError.
 func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientStream, error) {
-	ctx = peer.NewContext(ctx, t.getPeer())
+	ctx = peer.NewContext(ctx, t.Peer())
 
 	// ServerName field of the resolver returned address takes precedence over
 	// Host field of CallHdr to determine the :authority header. This is because,
@@ -749,6 +758,25 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		callHdr = &newCallHdr
 	}
 
+	// The authority specified via the `CallAuthority` CallOption takes the
+	// highest precedence when determining the `:authority` header. It overrides
+	// any value present in the Host field of CallHdr. Before applying this
+	// override, the authority string is validated. If the credentials do not
+	// implement the AuthorityValidator interface, or if validation fails, the
+	// RPC is failed with a status code of `UNAVAILABLE`.
+	if callHdr.Authority != "" {
+		auth, ok := t.authInfo.(credentials.AuthorityValidator)
+		if !ok {
+			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "credentials type %q does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType())}
+		}
+		if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
+			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "failed to validate authority %q : %v", callHdr.Authority, err)}
+		}
+		newCallHdr := *callHdr
+		newCallHdr.Host = callHdr.Authority
+		callHdr = &newCallHdr
+	}
+
 	headerFields, err := t.createHeaderFields(ctx, callHdr)
 	if err != nil {
 		return nil, &NewStreamError{Err: err, AllowTransparentRetry: false}
@@ -792,7 +820,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil
 		},
 		onOrphaned: cleanup,
-		wq:         s.wq,
+		wq:         &s.wq,
 	}
 	firstTry := true
 	var ch chan struct{}
@@ -823,7 +851,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		transportDrainRequired = t.nextID > MaxStreamID
 
 		s.id = hdr.streamID
-		s.fc = &inFlow{limit: uint32(t.initialWindowSize)}
+		s.fc = inFlow{limit: uint32(t.initialWindowSize)}
 		t.activeStreams[s.id] = s
 		t.mu.Unlock()
 
@@ -874,27 +902,23 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil, &NewStreamError{Err: ErrConnClosing, AllowTransparentRetry: true}
 		}
 	}
-	if len(t.statsHandlers) != 0 {
+	if t.statsHandler != nil {
 		header, ok := metadata.FromOutgoingContext(ctx)
 		if ok {
 			header.Set("user-agent", t.userAgent)
 		} else {
 			header = metadata.Pairs("user-agent", t.userAgent)
 		}
-		for _, sh := range t.statsHandlers {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			// Note: Creating a new stats object to prevent pollution.
-			outHeader := &stats.OutHeader{
-				Client:      true,
-				FullMethod:  callHdr.Method,
-				RemoteAddr:  t.remoteAddr,
-				LocalAddr:   t.localAddr,
-				Compression: callHdr.SendCompress,
-				Header:      header,
-			}
-			sh.HandleRPC(s.ctx, outHeader)
-		}
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		t.statsHandler.HandleRPC(s.ctx, &stats.OutHeader{
+			Client:      true,
+			FullMethod:  callHdr.Method,
+			RemoteAddr:  t.remoteAddr,
+			LocalAddr:   t.localAddr,
+			Compression: callHdr.SendCompress,
+			Header:      header,
+		})
 	}
 	if transportDrainRequired {
 		if t.logger.V(logLevel) {
@@ -971,6 +995,9 @@ func (t *http2Client) closeStream(s *ClientStream, err error, rst bool, rstCode
 // accessed anymore.
 func (t *http2Client) Close(err error) {
 	t.conn.SetWriteDeadline(time.Now().Add(time.Second * 10))
+	// For background on the deadline value chosen here, see
+	// https://github.com/grpc/grpc-go/issues/8425#issuecomment-3057938248 .
+	t.conn.SetReadDeadline(time.Now().Add(time.Second))
 	t.mu.Lock()
 	// Make sure we only close once.
 	if t.state == closing {
@@ -1032,11 +1059,10 @@ func (t *http2Client) Close(err error) {
 	for _, s := range streams {
 		t.closeStream(s, err, false, http2.ErrCodeNo, st, nil, false)
 	}
-	for _, sh := range t.statsHandlers {
-		connEnd := &stats.ConnEnd{
+	if t.statsHandler != nil {
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnEnd{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connEnd)
+		})
 	}
 }
 
@@ -1069,32 +1095,29 @@ func (t *http2Client) GracefulClose() {
 // Write formats the data into HTTP2 data frame(s) and sends it out. The caller
 // should proceed only if Write returns nil.
 func (t *http2Client) write(s *ClientStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error {
-	reader := data.Reader()
-
 	if opts.Last {
 		// If it's the last message, update stream state.
 		if !s.compareAndSwapState(streamActive, streamWriteDone) {
-			_ = reader.Close()
 			return errStreamDone
 		}
 	} else if s.getState() != streamActive {
-		_ = reader.Close()
 		return errStreamDone
 	}
 	df := &dataFrame{
 		streamID:  s.id,
 		endStream: opts.Last,
 		h:         hdr,
-		reader:    reader,
+		data:      data,
 	}
-	if hdr != nil || df.reader.Remaining() != 0 { // If it's not an empty data frame, check quota.
-		if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
-			_ = reader.Close()
+	dataLen := data.Len()
+	if hdr != nil || dataLen != 0 { // If it's not an empty data frame, check quota.
+		if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
 			return err
 		}
 	}
+	data.Ref()
 	if err := t.controlBuf.put(df); err != nil {
-		_ = reader.Close()
+		data.Free()
 		return err
 	}
 	t.incrMsgSent()
@@ -1150,7 +1173,7 @@ func (t *http2Client) updateFlowControl(n uint32) {
 	})
 }
 
-func (t *http2Client) handleData(f *http2.DataFrame) {
+func (t *http2Client) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -1194,22 +1217,15 @@ func (t *http2Client) handleData(f *http2.DataFrame) {
 			t.closeStream(s, io.EOF, true, http2.ErrCodeFlowControl, status.New(codes.Internal, err.Error()), nil, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	// The server has closed the stream without sending trailers.  Record that
@@ -1449,17 +1465,14 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		contentTypeErr = "malformed header: missing HTTP content-type"
 		grpcMessage    string
 		recvCompress   string
-		httpStatusCode *int
 		httpStatusErr  string
-		rawStatusCode  = codes.Unknown
+		// the code from the grpc-status header, if present
+		grpcStatusCode = codes.Unknown
 		// headerError is set if an error is encountered while parsing the headers
 		headerError string
+		httpStatus  string
 	)
 
-	if initialHeader {
-		httpStatusErr = "malformed header: missing HTTP status"
-	}
-
 	for _, hf := range frame.Fields {
 		switch hf.Name {
 		case "content-type":
@@ -1475,35 +1488,15 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		case "grpc-status":
 			code, err := strconv.ParseInt(hf.Value, 10, 32)
 			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed grpc-status: %v", err))
+				se := status.New(codes.Unknown, fmt.Sprintf("transport: malformed grpc-status: %v", err))
 				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 				return
 			}
-			rawStatusCode = codes.Code(uint32(code))
+			grpcStatusCode = codes.Code(uint32(code))
 		case "grpc-message":
 			grpcMessage = decodeGrpcMessage(hf.Value)
 		case ":status":
-			if hf.Value == "200" {
-				httpStatusErr = ""
-				statusCode := 200
-				httpStatusCode = &statusCode
-				break
-			}
-
-			c, err := strconv.ParseInt(hf.Value, 10, 32)
-			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed http-status: %v", err))
-				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
-				return
-			}
-			statusCode := int(c)
-			httpStatusCode = &statusCode
-
-			httpStatusErr = fmt.Sprintf(
-				"unexpected HTTP status code received from server: %d (%s)",
-				statusCode,
-				http.StatusText(statusCode),
-			)
+			httpStatus = hf.Value
 		default:
 			if isReservedHeader(hf.Name) && !isWhitelistedHeader(hf.Name) {
 				break
@@ -1518,25 +1511,52 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	if !isGRPC || httpStatusErr != "" {
-		var code = codes.Internal // when header does not include HTTP status, return INTERNAL
-
-		if httpStatusCode != nil {
+	// If a non-gRPC response is received, then evaluate the HTTP status to
+	// process the response and close the stream.
+	// In case http status doesn't provide any error information (status : 200),
+	// then evalute response code to be Unknown.
+	if !isGRPC {
+		var grpcErrorCode = codes.Internal
+		if httpStatus == "" {
+			httpStatusErr = "malformed header: missing HTTP status"
+		} else {
+			// Parse the status codes (e.g. "200", 404").
+			statusCode, err := strconv.Atoi(httpStatus)
+			if err != nil {
+				se := status.New(grpcErrorCode, fmt.Sprintf("transport: malformed http-status: %v", err))
+				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				return
+			}
+			if statusCode >= 100 && statusCode < 200 {
+				if endStream {
+					se := status.New(codes.Internal, fmt.Sprintf(
+						"protocol error: informational header with status code %d must not have END_STREAM set", statusCode))
+					t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				}
+				// In case of informational headers, return.
+				return
+			}
+			httpStatusErr = fmt.Sprintf(
+				"unexpected HTTP status code received from server: %d (%s)",
+				statusCode,
+				http.StatusText(statusCode),
+			)
 			var ok bool
-			code, ok = HTTPStatusConvTab[*httpStatusCode]
+			grpcErrorCode, ok = HTTPStatusConvTab[statusCode]
 			if !ok {
-				code = codes.Unknown
+				grpcErrorCode = codes.Unknown
 			}
 		}
 		var errs []string
 		if httpStatusErr != "" {
 			errs = append(errs, httpStatusErr)
 		}
+
 		if contentTypeErr != "" {
 			errs = append(errs, contentTypeErr)
 		}
-		// Verify the HTTP response is a 200.
-		se := status.New(code, strings.Join(errs, "; "))
+
+		se := status.New(grpcErrorCode, strings.Join(errs, "; "))
 		t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 		return
 	}
@@ -1567,22 +1587,20 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	for _, sh := range t.statsHandlers {
+	if t.statsHandler != nil {
 		if !endStream {
-			inHeader := &stats.InHeader{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InHeader{
 				Client:      true,
 				WireLength:  int(frame.Header().Length),
 				Header:      metadata.MD(mdata).Copy(),
 				Compression: s.recvCompress,
-			}
-			sh.HandleRPC(s.ctx, inHeader)
+			})
 		} else {
-			inTrailer := &stats.InTrailer{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InTrailer{
 				Client:     true,
 				WireLength: int(frame.Header().Length),
 				Trailer:    metadata.MD(mdata).Copy(),
-			}
-			sh.HandleRPC(s.ctx, inTrailer)
+			})
 		}
 	}
 
@@ -1590,7 +1608,7 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		return
 	}
 
-	status := istatus.NewWithProto(rawStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
+	status := istatus.NewWithProto(grpcStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
 
 	// If client received END_STREAM from server while stream was still active,
 	// send RST_STREAM.
@@ -1637,7 +1655,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 	// loop to keep reading incoming messages on this transport.
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		if t.keepaliveEnabled {
 			atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		}
@@ -1652,7 +1670,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 				if s != nil {
 					// use error detail to provide better err message
 					code := http2ErrConvTab[se.Code]
-					errorDetail := t.framer.fr.ErrorDetail()
+					errorDetail := t.framer.errorDetail()
 					var msg string
 					if errorDetail != nil {
 						msg = errorDetail.Error()
@@ -1670,8 +1688,9 @@ func (t *http2Client) reader(errCh chan<- error) {
 		switch frame := frame.(type) {
 		case *http2.MetaHeadersFrame:
 			t.operateHeaders(frame)
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -1791,8 +1810,6 @@ func (t *http2Client) socketMetrics() *channelz.EphemeralSocketMetrics {
 	}
 }
 
-func (t *http2Client) RemoteAddr() net.Addr { return t.remoteAddr }
-
 func (t *http2Client) incrMsgSent() {
 	if channelz.IsOn() {
 		t.channelz.SocketMetrics.MessagesSent.Add(1)
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 7e53eb1735..6f78a6b0c8 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,13 +35,15 @@ import (
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
+	"google.golang.org/protobuf/proto"
+
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/pretty"
+	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/mem"
-	"google.golang.org/protobuf/proto"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -85,7 +87,7 @@ type http2Server struct {
 	// updates, reset streams, and various settings) to the controller.
 	controlBuf *controlBuffer
 	fc         *trInFlow
-	stats      []stats.Handler
+	stats      stats.Handler
 	// Keepalive and max-age parameters for the server.
 	kp keepalive.ServerParameters
 	// Keepalive enforcement policy.
@@ -131,6 +133,10 @@ type http2Server struct {
 	maxStreamID uint32 // max stream ID ever seen
 
 	logger *grpclog.PrefixLogger
+	// setResetPingStrikes is stored as a closure instead of making this a
+	// method on http2Server to avoid a heap allocation when converting a method
+	// to a closure for passing to frames objects.
+	setResetPingStrikes func()
 }
 
 // NewServerTransport creates a http2 transport with conn and configuration
@@ -163,7 +169,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 	if config.MaxHeaderListSize != nil {
 		maxHeaderListSize = *config.MaxHeaderListSize
 	}
-	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize)
+	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize, config.BufferPool)
 	// Send initial settings as connection preface to client.
 	isettings := []http2.Setting{{
 		ID:  http2.SettingMaxFrameSize,
@@ -175,16 +181,13 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 			Val: config.MaxStreams,
 		})
 	}
-	dynamicWindow := true
 	iwz := int32(initialWindowSize)
 	if config.InitialWindowSize >= defaultWindowSize {
 		iwz = config.InitialWindowSize
-		dynamicWindow = false
 	}
 	icwz := int32(initialWindowSize)
 	if config.InitialConnWindowSize >= defaultWindowSize {
 		icwz = config.InitialConnWindowSize
-		dynamicWindow = false
 	}
 	if iwz != defaultWindowSize {
 		isettings = append(isettings, http2.Setting{
@@ -258,13 +261,16 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 		fc:                &trInFlow{limit: uint32(icwz)},
 		state:             reachable,
 		activeStreams:     make(map[uint32]*ServerStream),
-		stats:             config.StatsHandlers,
+		stats:             config.StatsHandler,
 		kp:                kp,
 		idle:              time.Now(),
 		kep:               kep,
 		initialWindowSize: iwz,
 		bufferPool:        config.BufferPool,
 	}
+	t.setResetPingStrikes = func() {
+		atomic.StoreUint32(&t.resetPingStrikes, 1)
+	}
 	var czSecurity credentials.ChannelzSecurityValue
 	if au, ok := authInfo.(credentials.ChannelzSecurityInfo); ok {
 		czSecurity = au.GetSecurityValue()
@@ -284,7 +290,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 	t.logger = prefixLoggerForServerTransport(t)
 
 	t.controlBuf = newControlBuffer(t.done)
-	if dynamicWindow {
+	if !config.StaticWindowSize {
 		t.bdpEst = &bdpEstimator{
 			bdp:               initialWindowSize,
 			updateFlowControl: t.updateFlowControl,
@@ -385,16 +391,15 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 	}
 	t.maxStreamID = streamID
 
-	buf := newRecvBuffer()
 	s := &ServerStream{
-		Stream: &Stream{
-			id:  streamID,
-			buf: buf,
-			fc:  &inFlow{limit: uint32(t.initialWindowSize)},
+		Stream: Stream{
+			id: streamID,
+			fc: inFlow{limit: uint32(t.initialWindowSize)},
 		},
 		st:               t,
 		headerWireLength: int(frame.Header().Length),
 	}
+	s.Stream.buf.init()
 	var (
 		// if false, content-type was missing or invalid
 		isGRPC      = false
@@ -595,10 +600,25 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 			return nil
 		}
 	}
+
+	if s.ctx.Err() != nil {
+		t.mu.Unlock()
+		// Early abort in case the timeout was zero or so low it already fired.
+		t.controlBuf.put(&earlyAbortStream{
+			httpStatus:     http.StatusOK,
+			streamID:       s.id,
+			contentSubtype: s.contentSubtype,
+			status:         status.New(codes.DeadlineExceeded, context.DeadlineExceeded.Error()),
+			rst:            !frame.StreamEnded(),
+		})
+		return nil
+	}
+
 	t.activeStreams[streamID] = s
 	if len(t.activeStreams) == 1 {
 		t.idle = time.Time{}
 	}
+
 	// Start a timer to close the stream on reaching the deadline.
 	if timeoutSet {
 		// We need to wait for s.cancel to be updated before calling
@@ -620,25 +640,21 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 		t.channelz.SocketMetrics.StreamsStarted.Add(1)
 		t.channelz.SocketMetrics.LastRemoteStreamCreatedTimestamp.Store(time.Now().UnixNano())
 	}
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.readRequester = s
 	s.ctxDone = s.ctx.Done()
-	s.wq = newWriteQuota(defaultWriteQuota, s.ctxDone)
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
+	s.Stream.wq.init(defaultWriteQuota, s.ctxDone)
+	s.trReader = transportReader{
+		reader: recvBufferReader{
 			ctx:     s.ctx,
 			ctxDone: s.ctxDone,
-			recv:    s.buf,
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+			recv:    &s.buf,
 		},
+		windowHandler: s,
 	}
 	// Register the stream with loopy.
 	t.controlBuf.put(&registerStream{
 		streamID: s.id,
-		wq:       s.wq,
+		wq:       &s.wq,
 	})
 	handle(s)
 	return nil
@@ -654,7 +670,7 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 	}()
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		if err != nil {
 			if se, ok := err.(http2.StreamError); ok {
@@ -691,8 +707,9 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 				})
 				continue
 			}
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -772,7 +789,7 @@ func (t *http2Server) updateFlowControl(n uint32) {
 
 }
 
-func (t *http2Server) handleData(f *http2.DataFrame) {
+func (t *http2Server) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -817,22 +834,15 @@ func (t *http2Server) handleData(f *http2.DataFrame) {
 			t.closeStream(s, true, http2.ErrCodeFlowControl, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	if f.StreamEnded() {
@@ -1015,10 +1025,6 @@ func (t *http2Server) writeHeader(s *ServerStream, md metadata.MD) error {
 	return nil
 }
 
-func (t *http2Server) setResetPingStrikes() {
-	atomic.StoreUint32(&t.resetPingStrikes, 1)
-}
-
 func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 	// TODO(mmukhi): Benchmark if the performance gets better if count the metadata and other header fields
 	// first and create a slice of that exact size.
@@ -1043,19 +1049,18 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 		t.closeStream(s, true, http2.ErrCodeInternal, false)
 		return ErrHeaderListSizeLimitViolation
 	}
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: Headers are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		outHeader := &stats.OutHeader{
+		t.stats.HandleRPC(s.Context(), &stats.OutHeader{
 			Header:      s.header.Copy(),
 			Compression: s.sendCompress,
-		}
-		sh.HandleRPC(s.Context(), outHeader)
+		})
 	}
 	return nil
 }
 
-// WriteStatus sends stream status to the client and terminates the stream.
+// writeStatus sends stream status to the client and terminates the stream.
 // There is no further I/O operations being able to perform on this stream.
 // TODO(zhaoq): Now it indicates the end of entire stream. Revisit if early
 // OK is adopted.
@@ -1083,7 +1088,7 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-status", Value: strconv.Itoa(int(st.Code()))})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-message", Value: encodeGrpcMessage(st.Message())})
 
-	if p := st.Proto(); p != nil && len(p.Details) > 0 {
+	if p := istatus.RawStatusProto(st); len(p.GetDetails()) > 0 {
 		// Do not use the user's grpc-status-details-bin (if present) if we are
 		// even attempting to set our own.
 		delete(s.trailer, grpcStatusDetailsBinHeader)
@@ -1118,10 +1123,10 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	// Send a RST_STREAM after the trailers if the client has not already half-closed.
 	rst := s.getState() == streamActive
 	t.finishStream(s, rst, http2.ErrCodeNo, trailingHeader, true)
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		sh.HandleRPC(s.Context(), &stats.OutTrailer{
+		t.stats.HandleRPC(s.Context(), &stats.OutTrailer{
 			Trailer: s.trailer.Copy(),
 		})
 	}
@@ -1131,17 +1136,13 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 // Write converts the data into HTTP2 data frame and sends it out. Non-nil error
 // is returns if it fails (e.g., framing error, transport error).
 func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _ *WriteOptions) error {
-	reader := data.Reader()
-
 	if !s.isHeaderSent() { // Headers haven't been written yet.
 		if err := t.writeHeader(s, nil); err != nil {
-			_ = reader.Close()
 			return err
 		}
 	} else {
 		// Writing headers checks for this condition.
 		if s.getState() == streamDone {
-			_ = reader.Close()
 			return t.streamContextErr(s)
 		}
 	}
@@ -1149,15 +1150,16 @@ func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _
 	df := &dataFrame{
 		streamID:    s.id,
 		h:           hdr,
-		reader:      reader,
+		data:        data,
 		onEachWrite: t.setResetPingStrikes,
 	}
-	if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
-		_ = reader.Close()
+	dataLen := data.Len()
+	if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
 		return t.streamContextErr(s)
 	}
+	data.Ref()
 	if err := t.controlBuf.put(df); err != nil {
-		_ = reader.Close()
+		data.Free()
 		return err
 	}
 	t.incrMsgSent()
@@ -1292,7 +1294,8 @@ func (t *http2Server) Close(err error) {
 // deleteStream deletes the stream s from transport's active streams.
 func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	t.mu.Lock()
-	if _, ok := t.activeStreams[s.id]; ok {
+	_, isActive := t.activeStreams[s.id]
+	if isActive {
 		delete(t.activeStreams, s.id)
 		if len(t.activeStreams) == 0 {
 			t.idle = time.Now()
@@ -1300,7 +1303,7 @@ func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	}
 	t.mu.Unlock()
 
-	if channelz.IsOn() {
+	if isActive && channelz.IsOn() {
 		if eosReceived {
 			t.channelz.SocketMetrics.StreamsSucceeded.Add(1)
 		} else {
@@ -1340,10 +1343,10 @@ func (t *http2Server) closeStream(s *ServerStream, rst bool, rstCode http2.ErrCo
 	// called to interrupt the potential blocking on other goroutines.
 	s.cancel()
 
-	oldState := s.swapState(streamDone)
-	if oldState == streamDone {
-		return
-	}
+	// We can't return early even if the stream's state is "done" as the state
+	// might have been set by the `finishStream` method. Deleting the stream via
+	// `finishStream` can get blocked on flow control.
+	s.swapState(streamDone)
 	t.deleteStream(s, eosReceived)
 
 	t.controlBuf.put(&cleanupStream{
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index f997f9fdb5..5bbb641ad9 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"io"
 	"math"
-	"net"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -37,6 +36,7 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/mem"
 )
 
 const (
@@ -196,11 +196,11 @@ func decodeTimeout(s string) (time.Duration, error) {
 	if !ok {
 		return 0, fmt.Errorf("transport: timeout unit is not recognized: %q", s)
 	}
-	t, err := strconv.ParseInt(s[:size-1], 10, 64)
+	t, err := strconv.ParseUint(s[:size-1], 10, 64)
 	if err != nil {
 		return 0, err
 	}
-	const maxHours = math.MaxInt64 / int64(time.Hour)
+	const maxHours = math.MaxInt64 / uint64(time.Hour)
 	if d == time.Hour && t > maxHours {
 		// This timeout would overflow math.MaxInt64; clamp it.
 		return time.Duration(math.MaxInt64), nil
@@ -300,11 +300,11 @@ type bufWriter struct {
 	buf       []byte
 	offset    int
 	batchSize int
-	conn      net.Conn
+	conn      io.Writer
 	err       error
 }
 
-func newBufWriter(conn net.Conn, batchSize int, pool *sync.Pool) *bufWriter {
+func newBufWriter(conn io.Writer, batchSize int, pool *sync.Pool) *bufWriter {
 	w := &bufWriter{
 		batchSize: batchSize,
 		conn:      conn,
@@ -388,15 +388,29 @@ func toIOError(err error) error {
 	return ioError{error: err}
 }
 
+type parsedDataFrame struct {
+	http2.FrameHeader
+	data mem.Buffer
+}
+
+func (df *parsedDataFrame) StreamEnded() bool {
+	return df.FrameHeader.Flags.Has(http2.FlagDataEndStream)
+}
+
 type framer struct {
-	writer *bufWriter
-	fr     *http2.Framer
+	writer    *bufWriter
+	fr        *http2.Framer
+	headerBuf []byte // cached slice for framer headers to reduce heap allocs.
+	reader    io.Reader
+	dataFrame parsedDataFrame // Cached data frame to avoid heap allocations.
+	pool      mem.BufferPool
+	errDetail error
 }
 
 var writeBufferPoolMap = make(map[int]*sync.Pool)
 var writeBufferMutex sync.Mutex
 
-func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32) *framer {
+func newFramer(conn io.ReadWriter, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32, memPool mem.BufferPool) *framer {
 	if writeBufferSize < 0 {
 		writeBufferSize = 0
 	}
@@ -412,6 +426,8 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	f := &framer{
 		writer: w,
 		fr:     http2.NewFramer(w, r),
+		reader: r,
+		pool:   memPool,
 	}
 	f.fr.SetMaxReadFrameSize(http2MaxFrameLen)
 	// Opt-in to Frame reuse API on framer to reduce garbage.
@@ -422,6 +438,146 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	return f
 }
 
+// writeData writes a DATA frame.
+//
+// It is the caller's responsibility not to violate the maximum frame size.
+func (f *framer) writeData(streamID uint32, endStream bool, data [][]byte) error {
+	var flags http2.Flags
+	if endStream {
+		flags = http2.FlagDataEndStream
+	}
+	length := uint32(0)
+	for _, d := range data {
+		length += uint32(len(d))
+	}
+	// TODO: Replace the header write with the framer API being added in
+	// https://github.com/golang/go/issues/66655.
+	f.headerBuf = append(f.headerBuf[:0],
+		byte(length>>16),
+		byte(length>>8),
+		byte(length),
+		byte(http2.FrameData),
+		byte(flags),
+		byte(streamID>>24),
+		byte(streamID>>16),
+		byte(streamID>>8),
+		byte(streamID))
+	if _, err := f.writer.Write(f.headerBuf); err != nil {
+		return err
+	}
+	for _, d := range data {
+		if _, err := f.writer.Write(d); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// readFrame reads a single frame. The returned Frame is only valid
+// until the next call to readFrame.
+func (f *framer) readFrame() (any, error) {
+	f.errDetail = nil
+	fh, err := f.fr.ReadFrameHeader()
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	// Read the data frame directly from the underlying io.Reader to avoid
+	// copies.
+	if fh.Type == http2.FrameData {
+		err = f.readDataFrame(fh)
+		return &f.dataFrame, err
+	}
+	fr, err := f.fr.ReadFrameForHeader(fh)
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	return fr, err
+}
+
+// errorDetail returns a more detailed error of the last error
+// returned by framer.readFrame. For instance, if readFrame
+// returns a StreamError with code PROTOCOL_ERROR, errorDetail
+// will say exactly what was invalid. errorDetail is not guaranteed
+// to return a non-nil value.
+// errorDetail is reset after the next call to readFrame.
+func (f *framer) errorDetail() error {
+	return f.errDetail
+}
+
+func (f *framer) readDataFrame(fh http2.FrameHeader) (err error) {
+	if fh.StreamID == 0 {
+		// DATA frames MUST be associated with a stream. If a
+		// DATA frame is received whose stream identifier
+		// field is 0x0, the recipient MUST respond with a
+		// connection error (Section 5.4.1) of type
+		// PROTOCOL_ERROR.
+		f.errDetail = errors.New("DATA frame with stream ID 0")
+		return http2.ConnectionError(http2.ErrCodeProtocol)
+	}
+	// Converting a *[]byte to a mem.SliceBuffer incurs a heap allocation. This
+	// conversion is performed by mem.NewBuffer. To avoid the extra allocation
+	// a []byte is allocated directly if required and cast to a mem.SliceBuffer.
+	var buf []byte
+	// poolHandle is the pointer returned by the buffer pool (if it's used.).
+	var poolHandle *[]byte
+	useBufferPool := !mem.IsBelowBufferPoolingThreshold(int(fh.Length))
+	if useBufferPool {
+		poolHandle = f.pool.Get(int(fh.Length))
+		buf = *poolHandle
+		defer func() {
+			if err != nil {
+				f.pool.Put(poolHandle)
+			}
+		}()
+	} else {
+		buf = make([]byte, int(fh.Length))
+	}
+	if fh.Flags.Has(http2.FlagDataPadded) {
+		if fh.Length == 0 {
+			return io.ErrUnexpectedEOF
+		}
+		// This initial 1-byte read can be inefficient for unbuffered readers,
+		// but it allows the rest of the payload to be read directly to the
+		// start of the destination slice. This makes it easy to return the
+		// original slice back to the buffer pool.
+		if _, err := io.ReadFull(f.reader, buf[:1]); err != nil {
+			return err
+		}
+		padSize := buf[0]
+		buf = buf[:len(buf)-1]
+		if int(padSize) > len(buf) {
+			// If the length of the padding is greater than the
+			// length of the frame payload, the recipient MUST
+			// treat this as a connection error.
+			// Filed: https://github.com/http2/http2-spec/issues/610
+			f.errDetail = errors.New("pad size larger than data payload")
+			return http2.ConnectionError(http2.ErrCodeProtocol)
+		}
+		if _, err := io.ReadFull(f.reader, buf); err != nil {
+			return err
+		}
+		buf = buf[:len(buf)-int(padSize)]
+	} else if _, err := io.ReadFull(f.reader, buf); err != nil {
+		return err
+	}
+
+	f.dataFrame.FrameHeader = fh
+	if useBufferPool {
+		// Update the handle to point to the (potentially re-sliced) buf.
+		*poolHandle = buf
+		f.dataFrame.data = mem.NewBuffer(poolHandle, f.pool)
+	} else {
+		f.dataFrame.data = mem.SliceBuffer(buf)
+	}
+	return nil
+}
+
+func (df *parsedDataFrame) Header() http2.FrameHeader {
+	return df.FrameHeader
+}
+
 func getWriteBufferPool(size int) *sync.Pool {
 	writeBufferMutex.Lock()
 	defer writeBufferMutex.Unlock()
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index cf8da0b52d..ed6a13b750 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -32,7 +32,7 @@ import (
 
 // ServerStream implements streaming functionality for a gRPC server.
 type ServerStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	st      internalServerTransport
 	ctxDone <-chan struct{} // closed at the end of stream.  Cache of ctx.Done() (for performance)
@@ -43,12 +43,13 @@ type ServerStream struct {
 	// Holds compressor names passed in grpc-accept-encoding metadata from the
 	// client.
 	clientAdvertisedCompressors string
-	headerWireLength            int
 
 	// hdrMu protects outgoing header and trailer metadata.
 	hdrMu      sync.Mutex
 	header     metadata.MD // the outgoing header metadata.  Updated by WriteHeader.
 	headerSent atomic.Bool // atomically set when the headers are sent out.
+
+	headerWireLength int
 }
 
 // Read reads an n byte message from the input stream.
@@ -178,3 +179,11 @@ func (s *ServerStream) SetTrailer(md metadata.MD) error {
 	s.hdrMu.Unlock()
 	return nil
 }
+
+func (s *ServerStream) requestRead(n int) {
+	s.st.adjustWindow(s, uint32(n))
+}
+
+func (s *ServerStream) updateWindow(n int) {
+	s.st.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index af4a4aeab1..6daf1e002d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -68,11 +68,11 @@ type recvBuffer struct {
 	err     error
 }
 
-func newRecvBuffer() *recvBuffer {
-	b := &recvBuffer{
-		c: make(chan recvMsg, 1),
-	}
-	return b
+// init allows a recvBuffer to be initialized in-place, which is useful
+// for resetting a buffer or for avoiding a heap allocation when the buffer
+// is embedded in another struct.
+func (b *recvBuffer) init() {
+	b.c = make(chan recvMsg, 1)
 }
 
 func (b *recvBuffer) put(r recvMsg) {
@@ -123,12 +123,13 @@ func (b *recvBuffer) get() <-chan recvMsg {
 // recvBufferReader implements io.Reader interface to read the data from
 // recvBuffer.
 type recvBufferReader struct {
-	closeStream func(error) // Closes the client transport stream with the given error and nil trailer metadata.
-	ctx         context.Context
-	ctxDone     <-chan struct{} // cache of ctx.Done() (for performance).
-	recv        *recvBuffer
-	last        mem.Buffer // Stores the remaining data in the previous calls.
-	err         error
+	_            noCopy
+	clientStream *ClientStream // The client transport stream is closed with a status representing ctx.Err() and nil trailer metadata.
+	ctx          context.Context
+	ctxDone      <-chan struct{} // cache of ctx.Done() (for performance).
+	recv         *recvBuffer
+	last         mem.Buffer // Stores the remaining data in the previous calls.
+	err          error
 }
 
 func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
@@ -139,7 +140,7 @@ func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
 		n, r.last = mem.ReadUnsafe(header, r.last)
 		return n, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		n, r.err = r.readMessageHeaderClient(header)
 	} else {
 		n, r.err = r.readMessageHeader(header)
@@ -164,7 +165,7 @@ func (r *recvBufferReader) Read(n int) (buf mem.Buffer, err error) {
 		}
 		return buf, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		buf, r.err = r.readClient(n)
 	} else {
 		buf, r.err = r.read(n)
@@ -209,7 +210,7 @@ func (r *recvBufferReader) readMessageHeaderClient(header []byte) (n int, err er
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readMessageHeaderAdditional(m, header)
 	case m := <-r.recv.get():
@@ -236,7 +237,7 @@ func (r *recvBufferReader) readClient(n int) (buf mem.Buffer, err error) {
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readAdditional(m, n)
 	case m := <-r.recv.get():
@@ -285,27 +286,32 @@ const (
 
 // Stream represents an RPC in the transport layer.
 type Stream struct {
-	id           uint32
 	ctx          context.Context // the associated context of the stream
 	method       string          // the associated RPC method of the stream
 	recvCompress string
 	sendCompress string
-	buf          *recvBuffer
-	trReader     *transportReader
-	fc           *inFlow
-	wq           *writeQuota
-
-	// Callback to state application's intentions to read data. This
-	// is used to adjust flow control, if needed.
-	requestRead func(int)
 
-	state streamState
+	readRequester readRequester
 
 	// contentSubtype is the content-subtype for requests.
 	// this must be lowercase or the behavior is undefined.
 	contentSubtype string
 
 	trailer metadata.MD // the key-value map of trailer metadata.
+
+	// Non-pointer fields are at the end to optimize GC performance.
+	state    streamState
+	id       uint32
+	buf      recvBuffer
+	trReader transportReader
+	fc       inFlow
+	wq       writeQuota
+}
+
+// readRequester is used to state application's intentions to read data. This
+// is used to adjust flow control, if needed.
+type readRequester interface {
+	requestRead(int)
 }
 
 func (s *Stream) swapState(st streamState) streamState {
@@ -355,7 +361,7 @@ func (s *Stream) ReadMessageHeader(header []byte) (err error) {
 	if er := s.trReader.er; er != nil {
 		return er
 	}
-	s.requestRead(len(header))
+	s.readRequester.requestRead(len(header))
 	for len(header) != 0 {
 		n, err := s.trReader.ReadMessageHeader(header)
 		header = header[n:]
@@ -378,7 +384,7 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	if er := s.trReader.er; er != nil {
 		return nil, er
 	}
-	s.requestRead(n)
+	s.readRequester.requestRead(n)
 	for n != 0 {
 		buf, err := s.trReader.Read(n)
 		var bufLen int
@@ -401,16 +407,34 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	return data, nil
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // transportReader reads all the data available for this Stream from the transport and
 // passes them into the decoder, which converts them into a gRPC message stream.
 // The error is io.EOF when the stream is done or another non-nil error if
 // the stream broke.
 type transportReader struct {
-	reader *recvBufferReader
+	_ noCopy
 	// The handler to control the window update procedure for both this
 	// particular stream and the associated transport.
-	windowHandler func(int)
+	windowHandler windowHandler
 	er            error
+	reader        recvBufferReader
+}
+
+// The handler to control the window update procedure for both this
+// particular stream and the associated transport.
+type windowHandler interface {
+	updateWindow(int)
 }
 
 func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
@@ -419,7 +443,7 @@ func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
 		t.er = err
 		return 0, err
 	}
-	t.windowHandler(n)
+	t.windowHandler.updateWindow(n)
 	return n, nil
 }
 
@@ -429,7 +453,7 @@ func (t *transportReader) Read(n int) (mem.Buffer, error) {
 		t.er = err
 		return buf, err
 	}
-	t.windowHandler(buf.Len())
+	t.windowHandler.updateWindow(buf.Len())
 	return buf, nil
 }
 
@@ -454,7 +478,7 @@ type ServerConfig struct {
 	ConnectionTimeout     time.Duration
 	Credentials           credentials.TransportCredentials
 	InTapHandle           tap.ServerInHandle
-	StatsHandlers         []stats.Handler
+	StatsHandler          stats.Handler
 	KeepaliveParams       keepalive.ServerParameters
 	KeepalivePolicy       keepalive.EnforcementPolicy
 	InitialWindowSize     int32
@@ -466,6 +490,7 @@ type ServerConfig struct {
 	MaxHeaderListSize     *uint32
 	HeaderTableSize       *uint32
 	BufferPool            mem.BufferPool
+	StaticWindowSize      bool
 }
 
 // ConnectOptions covers all relevant options for communicating with the server.
@@ -504,6 +529,8 @@ type ConnectOptions struct {
 	MaxHeaderListSize *uint32
 	// The mem.BufferPool to use when reading/writing to the wire.
 	BufferPool mem.BufferPool
+	// StaticWindowSize controls whether dynamic window sizing is enabled.
+	StaticWindowSize bool
 }
 
 // WriteOptions provides additional hints and information for message
@@ -526,6 +553,12 @@ type CallHdr struct {
 	// outbound message.
 	SendCompress string
 
+	// AcceptedCompressors overrides the grpc-accept-encoding header for this
+	// call. When nil, the transport advertises the default set of registered
+	// compressors. A non-nil pointer overrides that value (including the empty
+	// string to advertise none).
+	AcceptedCompressors *string
+
 	// Creds specifies credentials.PerRPCCredentials for a call.
 	Creds credentials.PerRPCCredentials
 
@@ -540,6 +573,11 @@ type CallHdr struct {
 	PreviousAttempts int // value of grpc-previous-rpc-attempts header to set
 
 	DoneFunc func() // called when the stream is finished
+
+	// Authority is used to explicitly override the `:authority` header. If set,
+	// this value takes precedence over the Host field and will be used as the
+	// value for the `:authority` header.
+	Authority string
 }
 
 // ClientTransport is the common interface for all gRPC client-side transport
@@ -576,8 +614,9 @@ type ClientTransport interface {
 	// with a human readable string with debug info.
 	GetGoAwayReason() (GoAwayReason, string)
 
-	// RemoteAddr returns the remote network address.
-	RemoteAddr() net.Addr
+	// Peer returns information about the peer associated with the Transport.
+	// The returned information includes authentication and network address details.
+	Peer() *peer.Peer
 }
 
 // ServerTransport is the common interface for all gRPC server-side transport
@@ -607,6 +646,8 @@ type internalServerTransport interface {
 	write(s *ServerStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error
 	writeStatus(s *ServerStream, st *status.Status) error
 	incrMsgRecv()
+	adjustWindow(s *ServerStream, n uint32)
+	updateWindow(s *ServerStream, n uint32)
 }
 
 // connectionErrorf creates an ConnectionError with the specified error description.
diff --git a/vendor/google.golang.org/grpc/mem/buffer_pool.go b/vendor/google.golang.org/grpc/mem/buffer_pool.go
index c37c58c023..e37afdd198 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_pool.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_pool.go
@@ -32,12 +32,17 @@ type BufferPool interface {
 	Get(length int) *[]byte
 
 	// Put returns a buffer to the pool.
+	//
+	// The provided pointer must hold a prefix of the buffer obtained via
+	// BufferPool.Get to ensure the buffer's entire capacity can be re-used.
 	Put(*[]byte)
 }
 
+const goPageSize = 4 << 10 // 4KiB. N.B. this must be a power of 2.
+
 var defaultBufferPoolSizes = []int{
 	256,
-	4 << 10,  // 4KB (go page size)
+	goPageSize,
 	16 << 10, // 16KB (max HTTP/2 frame size used by gRPC)
 	32 << 10, // 32KB (default buffer size for io.Copy)
 	1 << 20,  // 1MB
@@ -118,7 +123,11 @@ type sizedBufferPool struct {
 }
 
 func (p *sizedBufferPool) Get(size int) *[]byte {
-	buf := p.pool.Get().(*[]byte)
+	buf, ok := p.pool.Get().(*[]byte)
+	if !ok {
+		buf := make([]byte, size, p.defaultSize)
+		return &buf
+	}
 	b := *buf
 	clear(b[:cap(b)])
 	*buf = b[:size]
@@ -137,12 +146,6 @@ func (p *sizedBufferPool) Put(buf *[]byte) {
 
 func newSizedBufferPool(size int) *sizedBufferPool {
 	return &sizedBufferPool{
-		pool: sync.Pool{
-			New: func() any {
-				buf := make([]byte, size)
-				return &buf
-			},
-		},
 		defaultSize: size,
 	}
 }
@@ -160,6 +163,7 @@ type simpleBufferPool struct {
 func (p *simpleBufferPool) Get(size int) *[]byte {
 	bs, ok := p.pool.Get().(*[]byte)
 	if ok && cap(*bs) >= size {
+		clear((*bs)[:cap(*bs)])
 		*bs = (*bs)[:size]
 		return bs
 	}
@@ -170,7 +174,14 @@ func (p *simpleBufferPool) Get(size int) *[]byte {
 		p.pool.Put(bs)
 	}
 
-	b := make([]byte, size)
+	// If we're going to allocate, round up to the nearest page. This way if
+	// requests frequently arrive with small variation we don't allocate
+	// repeatedly if we get unlucky and they increase over time. By default we
+	// only allocate here if size > 1MiB. Because goPageSize is a power of 2, we
+	// can round up efficiently.
+	allocSize := (size + goPageSize - 1) & ^(goPageSize - 1)
+
+	b := make([]byte, size, allocSize)
 	return &b
 }
 
diff --git a/vendor/google.golang.org/grpc/mem/buffer_slice.go b/vendor/google.golang.org/grpc/mem/buffer_slice.go
index 65002e2cc8..084fb19c6d 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_slice.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_slice.go
@@ -19,6 +19,7 @@
 package mem
 
 import (
+	"fmt"
 	"io"
 )
 
@@ -117,47 +118,53 @@ func (s BufferSlice) MaterializeToBuffer(pool BufferPool) Buffer {
 
 // Reader returns a new Reader for the input slice after taking references to
 // each underlying buffer.
-func (s BufferSlice) Reader() Reader {
+func (s BufferSlice) Reader() *Reader {
 	s.Ref()
-	return &sliceReader{
+	return &Reader{
 		data: s,
 		len:  s.Len(),
 	}
 }
 
 // Reader exposes a BufferSlice's data as an io.Reader, allowing it to interface
-// with other parts systems. It also provides an additional convenience method
-// Remaining(), which returns the number of unread bytes remaining in the slice.
+// with other systems.
+//
 // Buffers will be freed as they are read.
-type Reader interface {
-	io.Reader
-	io.ByteReader
-	// Close frees the underlying BufferSlice and never returns an error. Subsequent
-	// calls to Read will return (0, io.EOF).
-	Close() error
-	// Remaining returns the number of unread bytes remaining in the slice.
-	Remaining() int
-}
-
-type sliceReader struct {
+//
+// A Reader can be constructed from a BufferSlice; alternatively the zero value
+// of a Reader may be used after calling Reset on it.
+type Reader struct {
 	data BufferSlice
 	len  int
 	// The index into data[0].ReadOnlyData().
 	bufferIdx int
 }
 
-func (r *sliceReader) Remaining() int {
+// Remaining returns the number of unread bytes remaining in the slice.
+func (r *Reader) Remaining() int {
 	return r.len
 }
 
-func (r *sliceReader) Close() error {
+// Reset frees the currently held buffer slice and starts reading from the
+// provided slice. This allows reusing the reader object.
+func (r *Reader) Reset(s BufferSlice) {
+	r.data.Free()
+	s.Ref()
+	r.data = s
+	r.len = s.Len()
+	r.bufferIdx = 0
+}
+
+// Close frees the underlying BufferSlice and never returns an error. Subsequent
+// calls to Read will return (0, io.EOF).
+func (r *Reader) Close() error {
 	r.data.Free()
 	r.data = nil
 	r.len = 0
 	return nil
 }
 
-func (r *sliceReader) freeFirstBufferIfEmpty() bool {
+func (r *Reader) freeFirstBufferIfEmpty() bool {
 	if len(r.data) == 0 || r.bufferIdx != len(r.data[0].ReadOnlyData()) {
 		return false
 	}
@@ -168,7 +175,7 @@ func (r *sliceReader) freeFirstBufferIfEmpty() bool {
 	return true
 }
 
-func (r *sliceReader) Read(buf []byte) (n int, _ error) {
+func (r *Reader) Read(buf []byte) (n int, _ error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -191,7 +198,8 @@ func (r *sliceReader) Read(buf []byte) (n int, _ error) {
 	return n, nil
 }
 
-func (r *sliceReader) ReadByte() (byte, error) {
+// ReadByte reads a single byte.
+func (r *Reader) ReadByte() (byte, error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -279,3 +287,59 @@ nextBuffer:
 		}
 	}
 }
+
+// Discard skips the next n bytes, returning the number of bytes discarded.
+//
+// It frees buffers as they are fully consumed.
+//
+// If Discard skips fewer than n bytes, it also returns an error.
+func (r *Reader) Discard(n int) (discarded int, err error) {
+	total := n
+	for n > 0 && r.len > 0 {
+		curData := r.data[0].ReadOnlyData()
+		curSize := min(n, len(curData)-r.bufferIdx)
+		n -= curSize
+		r.len -= curSize
+		r.bufferIdx += curSize
+		if r.bufferIdx >= len(curData) {
+			r.data[0].Free()
+			r.data = r.data[1:]
+			r.bufferIdx = 0
+		}
+	}
+	discarded = total - n
+	if n > 0 {
+		return discarded, fmt.Errorf("insufficient bytes in reader")
+	}
+	return discarded, nil
+}
+
+// Peek returns the next n bytes without advancing the reader.
+//
+// Peek appends results to the provided res slice and returns the updated slice.
+// This pattern allows re-using the storage of res if it has sufficient
+// capacity.
+//
+// The returned subslices are views into the underlying buffers and are only
+// valid until the reader is advanced past the corresponding buffer.
+//
+// If Peek returns fewer than n bytes, it also returns an error.
+func (r *Reader) Peek(n int, res [][]byte) ([][]byte, error) {
+	for i := 0; n > 0 && i < len(r.data); i++ {
+		curData := r.data[i].ReadOnlyData()
+		start := 0
+		if i == 0 {
+			start = r.bufferIdx
+		}
+		curSize := min(n, len(curData)-start)
+		if curSize == 0 {
+			continue
+		}
+		res = append(res, curData[start:start+curSize])
+		n -= curSize
+	}
+	if n > 0 {
+		return nil, fmt.Errorf("insufficient bytes in reader")
+	}
+	return res, nil
+}
diff --git a/vendor/google.golang.org/grpc/picker_wrapper.go b/vendor/google.golang.org/grpc/picker_wrapper.go
index a2d2a798d4..aa52bfe95f 100644
--- a/vendor/google.golang.org/grpc/picker_wrapper.go
+++ b/vendor/google.golang.org/grpc/picker_wrapper.go
@@ -29,7 +29,6 @@ import (
 	"google.golang.org/grpc/internal/channelz"
 	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/transport"
-	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
 )
 
@@ -48,14 +47,11 @@ type pickerGeneration struct {
 // actions and unblock when there's a picker update.
 type pickerWrapper struct {
 	// If pickerGen holds a nil pointer, the pickerWrapper is closed.
-	pickerGen     atomic.Pointer[pickerGeneration]
-	statsHandlers []stats.Handler // to record blocking picker calls
+	pickerGen atomic.Pointer[pickerGeneration]
 }
 
-func newPickerWrapper(statsHandlers []stats.Handler) *pickerWrapper {
-	pw := &pickerWrapper{
-		statsHandlers: statsHandlers,
-	}
+func newPickerWrapper() *pickerWrapper {
+	pw := &pickerWrapper{}
 	pw.pickerGen.Store(&pickerGeneration{
 		blockingCh: make(chan struct{}),
 	})
@@ -93,6 +89,12 @@ func doneChannelzWrapper(acbw *acBalancerWrapper, result *balancer.PickResult) {
 	}
 }
 
+type pick struct {
+	transport transport.ClientTransport // the selected transport
+	result    balancer.PickResult       // the contents of the pick from the LB policy
+	blocked   bool                      // set if a picker call queued for a new picker
+}
+
 // pick returns the transport that will be used for the RPC.
 // It may block in the following cases:
 // - there's no picker
@@ -100,15 +102,16 @@ func doneChannelzWrapper(acbw *acBalancerWrapper, result *balancer.PickResult) {
 // - the current picker returns other errors and failfast is false.
 // - the subConn returned by the current picker is not READY
 // When one of these situations happens, pick blocks until the picker gets updated.
-func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.PickInfo) (transport.ClientTransport, balancer.PickResult, error) {
+func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.PickInfo) (pick, error) {
 	var ch chan struct{}
 
 	var lastPickErr error
+	pickBlocked := false
 
 	for {
 		pg := pw.pickerGen.Load()
 		if pg == nil {
-			return nil, balancer.PickResult{}, ErrClientConnClosing
+			return pick{}, ErrClientConnClosing
 		}
 		if pg.picker == nil {
 			ch = pg.blockingCh
@@ -127,9 +130,9 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
 				}
 				switch ctx.Err() {
 				case context.DeadlineExceeded:
-					return nil, balancer.PickResult{}, status.Error(codes.DeadlineExceeded, errStr)
+					return pick{}, status.Error(codes.DeadlineExceeded, errStr)
 				case context.Canceled:
-					return nil, balancer.PickResult{}, status.Error(codes.Canceled, errStr)
+					return pick{}, status.Error(codes.Canceled, errStr)
 				}
 			case <-ch:
 			}
@@ -145,9 +148,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
 		// In the second case, the only way it will get to this conditional is
 		// if there is a new picker.
 		if ch != nil {
-			for _, sh := range pw.statsHandlers {
-				sh.HandleRPC(ctx, &stats.PickerUpdated{})
-			}
+			pickBlocked = true
 		}
 
 		ch = pg.blockingCh
@@ -164,7 +165,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
 				if istatus.IsRestrictedControlPlaneCode(st) {
 					err = status.Errorf(codes.Internal, "received picker error with illegal status: %v", err)
 				}
-				return nil, balancer.PickResult{}, dropError{error: err}
+				return pick{}, dropError{error: err}
 			}
 			// For all other errors, wait for ready RPCs should block and other
 			// RPCs should fail with unavailable.
@@ -172,7 +173,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
 				lastPickErr = err
 				continue
 			}
-			return nil, balancer.PickResult{}, status.Error(codes.Unavailable, err.Error())
+			return pick{}, status.Error(codes.Unavailable, err.Error())
 		}
 
 		acbw, ok := pickResult.SubConn.(*acBalancerWrapper)
@@ -183,9 +184,8 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
 		if t := acbw.ac.getReadyTransport(); t != nil {
 			if channelz.IsOn() {
 				doneChannelzWrapper(acbw, &pickResult)
-				return t, pickResult, nil
 			}
-			return t, pickResult, nil
+			return pick{transport: t, result: pickResult, blocked: pickBlocked}, nil
 		}
 		if pickResult.Done != nil {
 			// Calling done with nil error, no bytes sent and no bytes received.
diff --git a/vendor/google.golang.org/grpc/preloader.go b/vendor/google.golang.org/grpc/preloader.go
index ee0ff969af..1e783febf9 100644
--- a/vendor/google.golang.org/grpc/preloader.go
+++ b/vendor/google.golang.org/grpc/preloader.go
@@ -47,9 +47,6 @@ func (p *PreparedMsg) Encode(s Stream, msg any) error {
 	}
 
 	// check if the context has the relevant information to prepareMsg
-	if rpcInfo.preloaderInfo == nil {
-		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo is nil")
-	}
 	if rpcInfo.preloaderInfo.codec == nil {
 		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo.codec is nil")
 	}
diff --git a/vendor/google.golang.org/grpc/resolver/resolver.go b/vendor/google.golang.org/grpc/resolver/resolver.go
index b84ef26d46..8e6af9514b 100644
--- a/vendor/google.golang.org/grpc/resolver/resolver.go
+++ b/vendor/google.golang.org/grpc/resolver/resolver.go
@@ -332,6 +332,11 @@ type AuthorityOverrider interface {
 	// OverrideAuthority returns the authority to use for a ClientConn with the
 	// given target. The implementation must generate it without blocking,
 	// typically in line, and must keep it unchanged.
+	//
+	// The returned string must be a valid ":authority" header value, i.e. be
+	// encoded according to
+	// [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2) as
+	// necessary.
 	OverrideAuthority(Target) string
 }
 
diff --git a/vendor/google.golang.org/grpc/resolver_wrapper.go b/vendor/google.golang.org/grpc/resolver_wrapper.go
index 80e16a327c..6e61376437 100644
--- a/vendor/google.golang.org/grpc/resolver_wrapper.go
+++ b/vendor/google.golang.org/grpc/resolver_wrapper.go
@@ -69,6 +69,7 @@ func (ccr *ccResolverWrapper) start() error {
 	errCh := make(chan error)
 	ccr.serializer.TrySchedule(func(ctx context.Context) {
 		if ctx.Err() != nil {
+			errCh <- ctx.Err()
 			return
 		}
 		opts := resolver.BuildOptions{
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index ad20e9dff2..8160f94304 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -33,6 +33,8 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/encoding"
 	"google.golang.org/grpc/encoding/proto"
+	"google.golang.org/grpc/internal"
+	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/mem"
 	"google.golang.org/grpc/metadata"
@@ -41,6 +43,10 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+func init() {
+	internal.AcceptCompressors = acceptCompressors
+}
+
 // Compressor defines the interface gRPC uses to compress a message.
 //
 // Deprecated: use package encoding.
@@ -151,15 +157,32 @@ func (d *gzipDecompressor) Type() string {
 
 // callInfo contains all related configuration and information about an RPC.
 type callInfo struct {
-	compressorName        string
-	failFast              bool
-	maxReceiveMessageSize *int
-	maxSendMessageSize    *int
-	creds                 credentials.PerRPCCredentials
-	contentSubtype        string
-	codec                 baseCodec
-	maxRetryRPCBufferSize int
-	onFinish              []func(err error)
+	compressorName              string
+	failFast                    bool
+	maxReceiveMessageSize       *int
+	maxSendMessageSize          *int
+	creds                       credentials.PerRPCCredentials
+	contentSubtype              string
+	codec                       baseCodec
+	maxRetryRPCBufferSize       int
+	onFinish                    []func(err error)
+	authority                   string
+	acceptedResponseCompressors []string
+}
+
+func acceptedCompressorAllows(allowed []string, name string) bool {
+	if allowed == nil {
+		return true
+	}
+	if name == "" || name == encoding.Identity {
+		return true
+	}
+	for _, a := range allowed {
+		if a == name {
+			return true
+		}
+	}
+	return false
 }
 
 func defaultCallInfo() *callInfo {
@@ -169,6 +192,29 @@ func defaultCallInfo() *callInfo {
 	}
 }
 
+func newAcceptedCompressionConfig(names []string) ([]string, error) {
+	if len(names) == 0 {
+		return nil, nil
+	}
+	var allowed []string
+	seen := make(map[string]struct{}, len(names))
+	for _, name := range names {
+		name = strings.TrimSpace(name)
+		if name == "" || name == encoding.Identity {
+			continue
+		}
+		if !grpcutil.IsCompressorNameRegistered(name) {
+			return nil, status.Errorf(codes.InvalidArgument, "grpc: compressor %q is not registered", name)
+		}
+		if _, dup := seen[name]; dup {
+			continue
+		}
+		seen[name] = struct{}{}
+		allowed = append(allowed, name)
+	}
+	return allowed, nil
+}
+
 // CallOption configures a Call before it starts or extracts information from
 // a Call after it completes.
 type CallOption interface {
@@ -365,6 +411,36 @@ func (o MaxRecvMsgSizeCallOption) before(c *callInfo) error {
 }
 func (o MaxRecvMsgSizeCallOption) after(*callInfo, *csAttempt) {}
 
+// CallAuthority returns a CallOption that sets the HTTP/2 :authority header of
+// an RPC to the specified value. When using CallAuthority, the credentials in
+// use must implement the AuthorityValidator interface.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func CallAuthority(authority string) CallOption {
+	return AuthorityOverrideCallOption{Authority: authority}
+}
+
+// AuthorityOverrideCallOption is a CallOption that indicates the HTTP/2
+// :authority header value to use for the call.
+//
+// # Experimental
+//
+// Notice: This type is EXPERIMENTAL and may be changed or removed in a later
+// release.
+type AuthorityOverrideCallOption struct {
+	Authority string
+}
+
+func (o AuthorityOverrideCallOption) before(c *callInfo) error {
+	c.authority = o.Authority
+	return nil
+}
+
+func (o AuthorityOverrideCallOption) after(*callInfo, *csAttempt) {}
+
 // MaxCallSendMsgSize returns a CallOption which sets the maximum message size
 // in bytes the client can send. If this is not set, gRPC uses the default
 // `math.MaxInt32`.
@@ -440,6 +516,31 @@ func (o CompressorCallOption) before(c *callInfo) error {
 }
 func (o CompressorCallOption) after(*callInfo, *csAttempt) {}
 
+// acceptCompressors returns a CallOption that limits the compression algorithms
+// advertised in the grpc-accept-encoding header for response messages.
+// Compression algorithms not in the provided list will not be advertised, and
+// responses compressed with non-listed algorithms will be rejected.
+func acceptCompressors(names ...string) CallOption {
+	cp := append([]string(nil), names...)
+	return acceptCompressorsCallOption{names: cp}
+}
+
+// acceptCompressorsCallOption is a CallOption that limits response compression.
+type acceptCompressorsCallOption struct {
+	names []string
+}
+
+func (o acceptCompressorsCallOption) before(c *callInfo) error {
+	allowed, err := newAcceptedCompressionConfig(o.names)
+	if err != nil {
+		return err
+	}
+	c.acceptedResponseCompressors = allowed
+	return nil
+}
+
+func (acceptCompressorsCallOption) after(*callInfo, *csAttempt) {}
+
 // CallContentSubtype returns a CallOption that will set the content-subtype
 // for a call. For example, if content-subtype is "json", the Content-Type over
 // the wire will be "application/grpc+json". The content-subtype is converted
@@ -626,8 +727,20 @@ type streamReader interface {
 	Read(n int) (mem.BufferSlice, error)
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // parser reads complete gRPC messages from the underlying reader.
 type parser struct {
+	_ noCopy
 	// r is the underlying reader.
 	// See the comment on recvMsg for the permissible
 	// error types.
@@ -814,8 +927,7 @@ func (p *payloadInfo) free() {
 // the buffer is no longer needed.
 // TODO: Refactor this function to reduce the number of arguments.
 // See: https://google.github.io/styleguide/go/best-practices.html#function-argument-lists
-func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool,
-) (out mem.BufferSlice, err error) {
+func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool) (out mem.BufferSlice, err error) {
 	pf, compressed, err := p.recvMsg(maxReceiveMessageSize)
 	if err != nil {
 		return nil, err
@@ -918,7 +1030,7 @@ func recv(p *parser, c baseCodec, s recvCompressor, dc Decompressor, m any, maxR
 // Information about RPC
 type rpcInfo struct {
 	failfast      bool
-	preloaderInfo *compressorInfo
+	preloaderInfo compressorInfo
 }
 
 // Information about Preloader
@@ -937,7 +1049,7 @@ type rpcInfoContextKey struct{}
 func newContextWithRPCInfo(ctx context.Context, failfast bool, codec baseCodec, cp Compressor, comp encoding.Compressor) context.Context {
 	return context.WithValue(ctx, rpcInfoContextKey{}, &rpcInfo{
 		failfast: failfast,
-		preloaderInfo: &compressorInfo{
+		preloaderInfo: compressorInfo{
 			codec: codec,
 			cp:    cp,
 			comp:  comp,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 976e70ae06..ddd3773411 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -124,7 +124,8 @@ type serviceInfo struct {
 
 // Server is a gRPC server to serve RPC requests.
 type Server struct {
-	opts serverOptions
+	opts         serverOptions
+	statsHandler stats.Handler
 
 	mu  sync.Mutex // guards following
 	lis map[net.Listener]bool
@@ -179,6 +180,7 @@ type serverOptions struct {
 	numServerWorkers      uint32
 	bufferPool            mem.BufferPool
 	waitForHandlers       bool
+	staticWindowSize      bool
 }
 
 var defaultServerOptions = serverOptions{
@@ -279,6 +281,7 @@ func ReadBufferSize(s int) ServerOption {
 func InitialWindowSize(s int32) ServerOption {
 	return newFuncServerOption(func(o *serverOptions) {
 		o.initialWindowSize = s
+		o.staticWindowSize = true
 	})
 }
 
@@ -287,6 +290,29 @@ func InitialWindowSize(s int32) ServerOption {
 func InitialConnWindowSize(s int32) ServerOption {
 	return newFuncServerOption(func(o *serverOptions) {
 		o.initialConnWindowSize = s
+		o.staticWindowSize = true
+	})
+}
+
+// StaticStreamWindowSize returns a ServerOption to set the initial stream
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticStreamWindowSize(s int32) ServerOption {
+	return newFuncServerOption(func(o *serverOptions) {
+		o.initialWindowSize = s
+		o.staticWindowSize = true
+	})
+}
+
+// StaticConnWindowSize returns a ServerOption to set the initial connection
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticConnWindowSize(s int32) ServerOption {
+	return newFuncServerOption(func(o *serverOptions) {
+		o.initialConnWindowSize = s
+		o.staticWindowSize = true
 	})
 }
 
@@ -667,13 +693,14 @@ func NewServer(opt ...ServerOption) *Server {
 		o.apply(&opts)
 	}
 	s := &Server{
-		lis:      make(map[net.Listener]bool),
-		opts:     opts,
-		conns:    make(map[string]map[transport.ServerTransport]bool),
-		services: make(map[string]*serviceInfo),
-		quit:     grpcsync.NewEvent(),
-		done:     grpcsync.NewEvent(),
-		channelz: channelz.RegisterServer(""),
+		lis:          make(map[net.Listener]bool),
+		opts:         opts,
+		statsHandler: istats.NewCombinedHandler(opts.statsHandlers...),
+		conns:        make(map[string]map[transport.ServerTransport]bool),
+		services:     make(map[string]*serviceInfo),
+		quit:         grpcsync.NewEvent(),
+		done:         grpcsync.NewEvent(),
+		channelz:     channelz.RegisterServer(""),
 	}
 	chainUnaryServerInterceptors(s)
 	chainStreamServerInterceptors(s)
@@ -974,7 +1001,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 		ConnectionTimeout:     s.opts.connectionTimeout,
 		Credentials:           s.opts.creds,
 		InTapHandle:           s.opts.inTapHandle,
-		StatsHandlers:         s.opts.statsHandlers,
+		StatsHandler:          s.statsHandler,
 		KeepaliveParams:       s.opts.keepaliveParams,
 		KeepalivePolicy:       s.opts.keepalivePolicy,
 		InitialWindowSize:     s.opts.initialWindowSize,
@@ -986,6 +1013,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 		MaxHeaderListSize:     s.opts.maxHeaderListSize,
 		HeaderTableSize:       s.opts.headerTableSize,
 		BufferPool:            s.opts.bufferPool,
+		StaticWindowSize:      s.opts.staticWindowSize,
 	}
 	st, err := transport.NewServerTransport(c, config)
 	if err != nil {
@@ -1010,18 +1038,18 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 func (s *Server) serveStreams(ctx context.Context, st transport.ServerTransport, rawConn net.Conn) {
 	ctx = transport.SetConnection(ctx, rawConn)
 	ctx = peer.NewContext(ctx, st.Peer())
-	for _, sh := range s.opts.statsHandlers {
-		ctx = sh.TagConn(ctx, &stats.ConnTagInfo{
+	if s.statsHandler != nil {
+		ctx = s.statsHandler.TagConn(ctx, &stats.ConnTagInfo{
 			RemoteAddr: st.Peer().Addr,
 			LocalAddr:  st.Peer().LocalAddr,
 		})
-		sh.HandleConn(ctx, &stats.ConnBegin{})
+		s.statsHandler.HandleConn(ctx, &stats.ConnBegin{})
 	}
 
 	defer func() {
 		st.Close(errors.New("finished serving streams for the server transport"))
-		for _, sh := range s.opts.statsHandlers {
-			sh.HandleConn(ctx, &stats.ConnEnd{})
+		if s.statsHandler != nil {
+			s.statsHandler.HandleConn(ctx, &stats.ConnEnd{})
 		}
 	}()
 
@@ -1078,7 +1106,7 @@ var _ http.Handler = (*Server)(nil)
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a
 // later release.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	st, err := transport.NewServerHandlerTransport(w, r, s.opts.statsHandlers, s.opts.bufferPool)
+	st, err := transport.NewServerHandlerTransport(w, r, s.statsHandler, s.opts.bufferPool)
 	if err != nil {
 		// Errors returned from transport.NewServerHandlerTransport have
 		// already been written to w.
@@ -1172,12 +1200,8 @@ func (s *Server) sendResponse(ctx context.Context, stream *transport.ServerStrea
 		return status.Errorf(codes.ResourceExhausted, "grpc: trying to send message larger than max (%d vs. %d)", payloadLen, s.opts.maxSendMessageSize)
 	}
 	err = stream.Write(hdr, payload, opts)
-	if err == nil {
-		if len(s.opts.statsHandlers) != 0 {
-			for _, sh := range s.opts.statsHandlers {
-				sh.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
-			}
-		}
+	if err == nil && s.statsHandler != nil {
+		s.statsHandler.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
 	}
 	return err
 }
@@ -1219,16 +1243,15 @@ func getChainUnaryHandler(interceptors []UnaryServerInterceptor, curr int, info
 }
 
 func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerStream, info *serviceInfo, md *MethodDesc, trInfo *traceInfo) (err error) {
-	shs := s.opts.statsHandlers
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	sh := s.statsHandler
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		if channelz.IsOn() {
 			s.incrCallsStarted()
 		}
 		var statsBegin *stats.Begin
-		for _, sh := range shs {
-			beginTime := time.Now()
+		if sh != nil {
 			statsBegin = &stats.Begin{
-				BeginTime:      beginTime,
+				BeginTime:      time.Now(),
 				IsClientStream: false,
 				IsServerStream: false,
 			}
@@ -1256,7 +1279,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 				trInfo.tr.Finish()
 			}
 
-			for _, sh := range shs {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1353,7 +1376,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 	}
 
 	var payInfo *payloadInfo
-	if len(shs) != 0 || len(binlogs) != 0 {
+	if sh != nil || len(binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1379,7 +1402,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 			return status.Errorf(codes.Internal, "grpc: error unmarshalling request: %v", err)
 		}
 
-		for _, sh := range shs {
+		if sh != nil {
 			sh.HandleRPC(ctx, &stats.InPayload{
 				RecvTime:         time.Now(),
 				Payload:          v,
@@ -1553,32 +1576,30 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 	if channelz.IsOn() {
 		s.incrCallsStarted()
 	}
-	shs := s.opts.statsHandlers
+	sh := s.statsHandler
 	var statsBegin *stats.Begin
-	if len(shs) != 0 {
-		beginTime := time.Now()
+	if sh != nil {
 		statsBegin = &stats.Begin{
-			BeginTime:      beginTime,
+			BeginTime:      time.Now(),
 			IsClientStream: sd.ClientStreams,
 			IsServerStream: sd.ServerStreams,
 		}
-		for _, sh := range shs {
-			sh.HandleRPC(ctx, statsBegin)
-		}
+		sh.HandleRPC(ctx, statsBegin)
 	}
 	ctx = NewContextWithServerTransportStream(ctx, stream)
 	ss := &serverStream{
 		ctx:                   ctx,
 		s:                     stream,
-		p:                     &parser{r: stream, bufferPool: s.opts.bufferPool},
+		p:                     parser{r: stream, bufferPool: s.opts.bufferPool},
 		codec:                 s.getCodec(stream.ContentSubtype()),
+		desc:                  sd,
 		maxReceiveMessageSize: s.opts.maxReceiveMessageSize,
 		maxSendMessageSize:    s.opts.maxSendMessageSize,
 		trInfo:                trInfo,
-		statsHandler:          shs,
+		statsHandler:          sh,
 	}
 
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		// See comment in processUnaryRPC on defers.
 		defer func() {
 			if trInfo != nil {
@@ -1592,7 +1613,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				ss.mu.Unlock()
 			}
 
-			if len(shs) != 0 {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1600,9 +1621,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				if err != nil && err != io.EOF {
 					end.Error = toRPCErr(err)
 				}
-				for _, sh := range shs {
-					sh.HandleRPC(ctx, end)
-				}
+				sh.HandleRPC(ctx, end)
 			}
 
 			if channelz.IsOn() {
@@ -1791,19 +1810,17 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
 	method := sm[pos+1:]
 
 	// FromIncomingContext is expensive: skip if there are no statsHandlers
-	if len(s.opts.statsHandlers) > 0 {
+	if s.statsHandler != nil {
 		md, _ := metadata.FromIncomingContext(ctx)
-		for _, sh := range s.opts.statsHandlers {
-			ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
-			sh.HandleRPC(ctx, &stats.InHeader{
-				FullMethod:  stream.Method(),
-				RemoteAddr:  t.Peer().Addr,
-				LocalAddr:   t.Peer().LocalAddr,
-				Compression: stream.RecvCompress(),
-				WireLength:  stream.HeaderWireLength(),
-				Header:      md,
-			})
-		}
+		ctx = s.statsHandler.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
+		s.statsHandler.HandleRPC(ctx, &stats.InHeader{
+			FullMethod:  stream.Method(),
+			RemoteAddr:  t.Peer().Addr,
+			LocalAddr:   t.Peer().LocalAddr,
+			Compression: stream.RecvCompress(),
+			WireLength:  stream.HeaderWireLength(),
+			Header:      md,
+		})
 	}
 	// To have calls in stream callouts work. Will delete once all stats handler
 	// calls come from the gRPC layer.
diff --git a/vendor/google.golang.org/grpc/stats/handlers.go b/vendor/google.golang.org/grpc/stats/handlers.go
index dc03731e45..67194a592f 100644
--- a/vendor/google.golang.org/grpc/stats/handlers.go
+++ b/vendor/google.golang.org/grpc/stats/handlers.go
@@ -38,6 +38,15 @@ type RPCTagInfo struct {
 	// FailFast indicates if this RPC is failfast.
 	// This field is only valid on client side, it's always false on server side.
 	FailFast bool
+	// NameResolutionDelay indicates if the RPC needed to wait for the
+	// initial name resolver update before it could begin. This should only
+	// happen if the channel is IDLE when the RPC is started.  Note that
+	// all retry or hedging attempts for an RPC that experienced a delay
+	// will have it set.
+	//
+	// This field is only valid on the client side; it is always false on
+	// the server side.
+	NameResolutionDelay bool
 }
 
 // Handler defines the interface for the related stats handling (e.g., RPCs, connections).
diff --git a/vendor/google.golang.org/grpc/stats/stats.go b/vendor/google.golang.org/grpc/stats/stats.go
index baf7740efb..10bf998aa5 100644
--- a/vendor/google.golang.org/grpc/stats/stats.go
+++ b/vendor/google.golang.org/grpc/stats/stats.go
@@ -64,15 +64,21 @@ func (s *Begin) IsClient() bool { return s.Client }
 
 func (s *Begin) isRPCStats() {}
 
-// PickerUpdated indicates that the LB policy provided a new picker while the
-// RPC was waiting for one.
-type PickerUpdated struct{}
+// DelayedPickComplete indicates that the RPC is unblocked following a delay in
+// selecting a connection for the call.
+type DelayedPickComplete struct{}
 
-// IsClient indicates if the stats information is from client side. Only Client
-// Side interfaces with a Picker, thus always returns true.
-func (*PickerUpdated) IsClient() bool { return true }
+// IsClient indicates DelayedPickComplete is available on the client.
+func (*DelayedPickComplete) IsClient() bool { return true }
 
-func (*PickerUpdated) isRPCStats() {}
+func (*DelayedPickComplete) isRPCStats() {}
+
+// PickerUpdated indicates that the RPC is unblocked following a delay in
+// selecting a connection for the call.
+//
+// Deprecated: will be removed in a future release; use DelayedPickComplete
+// instead.
+type PickerUpdated = DelayedPickComplete
 
 // InPayload contains stats about an incoming payload.
 type InPayload struct {
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index 12163150ba..ec9577b278 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -25,6 +25,7 @@ import (
 	"math"
 	rand "math/rand/v2"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -101,9 +102,9 @@ type ClientStream interface {
 	// It must only be called after stream.CloseAndRecv has returned, or
 	// stream.Recv has returned a non-nil error (including io.EOF).
 	Trailer() metadata.MD
-	// CloseSend closes the send direction of the stream. It closes the stream
-	// when non-nil error is met. It is also not safe to call CloseSend
-	// concurrently with SendMsg.
+	// CloseSend closes the send direction of the stream. This method always
+	// returns a nil error. The status of the stream may be discovered using
+	// RecvMsg. It is also not safe to call CloseSend concurrently with SendMsg.
 	CloseSend() error
 	// Context returns the context for this stream.
 	//
@@ -177,13 +178,43 @@ func NewClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return cc.NewStream(ctx, desc, method, opts...)
 }
 
+var emptyMethodConfig = serviceconfig.MethodConfig{}
+
+// endOfClientStream performs cleanup actions required for both successful and
+// failed streams. This includes incrementing channelz stats and invoking all
+// registered OnFinish call options.
+func endOfClientStream(cc *ClientConn, err error, opts ...CallOption) {
+	if channelz.IsOn() {
+		if err != nil {
+			cc.incrCallsFailed()
+		} else {
+			cc.incrCallsSucceeded()
+		}
+	}
+
+	for _, o := range opts {
+		if o, ok := o.(OnFinishCallOption); ok {
+			o.OnFinish(err)
+		}
+	}
+}
+
 func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, opts ...CallOption) (_ ClientStream, err error) {
+	if channelz.IsOn() {
+		cc.incrCallsStarted()
+	}
+	defer func() {
+		if err != nil {
+			// Ensure cleanup when stream creation fails.
+			endOfClientStream(cc, err, opts...)
+		}
+	}()
+
 	// Start tracking the RPC for idleness purposes. This is where a stream is
 	// created for both streaming and unary RPCs, and hence is a good place to
 	// track active RPC count.
-	if err := cc.idlenessMgr.OnCallBegin(); err != nil {
-		return nil, err
-	}
+	cc.idlenessMgr.OnCallBegin()
+
 	// Add a calloption, to decrement the active call count, that gets executed
 	// when the RPC completes.
 	opts = append([]CallOption{OnFinish(func(error) { cc.idlenessMgr.OnCallEnd() })}, opts...)
@@ -202,24 +233,17 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 			}
 		}
 	}
-	if channelz.IsOn() {
-		cc.incrCallsStarted()
-		defer func() {
-			if err != nil {
-				cc.incrCallsFailed()
-			}
-		}()
-	}
 	// Provide an opportunity for the first RPC to see the first service config
 	// provided by the resolver.
-	if err := cc.waitForResolvedAddrs(ctx); err != nil {
+	nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
+	if err != nil {
 		return nil, err
 	}
 
-	var mc serviceconfig.MethodConfig
+	mc := &emptyMethodConfig
 	var onCommit func()
 	newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
-		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, opts...)
+		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
 	}
 
 	rpcInfo := iresolver.RPCInfo{Context: ctx, Method: method}
@@ -239,7 +263,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 		if rpcConfig.Context != nil {
 			ctx = rpcConfig.Context
 		}
-		mc = rpcConfig.MethodConfig
+		mc = &rpcConfig.MethodConfig
 		onCommit = rpcConfig.OnCommitted
 		if rpcConfig.Interceptor != nil {
 			rpcInfo.Context = nil
@@ -257,7 +281,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return newStream(ctx, func() {})
 }
 
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc *serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
 	callInfo := defaultCallInfo()
 	if mc.WaitForReady != nil {
 		callInfo.failFast = !*mc.WaitForReady
@@ -296,6 +320,11 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 		Method:         method,
 		ContentSubtype: callInfo.contentSubtype,
 		DoneFunc:       doneFunc,
+		Authority:      callInfo.authority,
+	}
+	if allowed := callInfo.acceptedResponseCompressors; len(allowed) > 0 {
+		headerValue := strings.Join(allowed, ",")
+		callHdr.AcceptedCompressors = &headerValue
 	}
 
 	// Set our outgoing compression according to the UseCompressor CallOption, if
@@ -321,19 +350,20 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 	}
 
 	cs := &clientStream{
-		callHdr:      callHdr,
-		ctx:          ctx,
-		methodConfig: &mc,
-		opts:         opts,
-		callInfo:     callInfo,
-		cc:           cc,
-		desc:         desc,
-		codec:        callInfo.codec,
-		compressorV0: compressorV0,
-		compressorV1: compressorV1,
-		cancel:       cancel,
-		firstAttempt: true,
-		onCommit:     onCommit,
+		callHdr:             callHdr,
+		ctx:                 ctx,
+		methodConfig:        mc,
+		opts:                opts,
+		callInfo:            callInfo,
+		cc:                  cc,
+		desc:                desc,
+		codec:               callInfo.codec,
+		compressorV0:        compressorV0,
+		compressorV1:        compressorV1,
+		cancel:              cancel,
+		firstAttempt:        true,
+		onCommit:            onCommit,
+		nameResolutionDelay: nameResolutionDelayed,
 	}
 	if !cc.dopts.disableRetry {
 		cs.retryThrottler = cc.retryThrottler.Load().(*retryThrottler)
@@ -415,19 +445,21 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 	ctx := newContextWithRPCInfo(cs.ctx, cs.callInfo.failFast, cs.callInfo.codec, cs.compressorV0, cs.compressorV1)
 	method := cs.callHdr.Method
 	var beginTime time.Time
-	shs := cs.cc.dopts.copts.StatsHandlers
-	for _, sh := range shs {
-		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast})
+	sh := cs.cc.statsHandler
+	if sh != nil {
 		beginTime = time.Now()
-		begin := &stats.Begin{
+		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{
+			FullMethodName: method, FailFast: cs.callInfo.failFast,
+			NameResolutionDelay: cs.nameResolutionDelay,
+		})
+		sh.HandleRPC(ctx, &stats.Begin{
 			Client:                    true,
 			BeginTime:                 beginTime,
 			FailFast:                  cs.callInfo.failFast,
 			IsClientStream:            cs.desc.ClientStreams,
 			IsServerStream:            cs.desc.ServerStreams,
 			IsTransparentRetryAttempt: isTransparent,
-		}
-		sh.HandleRPC(ctx, begin)
+		})
 	}
 
 	var trInfo *traceInfo
@@ -458,7 +490,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 		beginTime:      beginTime,
 		cs:             cs,
 		decompressorV0: cs.cc.dopts.dc,
-		statsHandlers:  shs,
+		statsHandler:   sh,
 		trInfo:         trInfo,
 	}, nil
 }
@@ -466,8 +498,9 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 func (a *csAttempt) getTransport() error {
 	cs := a.cs
 
-	var err error
-	a.transport, a.pickResult, err = cs.cc.getTransport(a.ctx, cs.callInfo.failFast, cs.callHdr.Method)
+	pickInfo := balancer.PickInfo{Ctx: a.ctx, FullMethodName: cs.callHdr.Method}
+	pick, err := cs.cc.pickerWrapper.pick(a.ctx, cs.callInfo.failFast, pickInfo)
+	a.transport, a.pickResult = pick.transport, pick.result
 	if err != nil {
 		if de, ok := err.(dropError); ok {
 			err = de.error
@@ -476,7 +509,10 @@ func (a *csAttempt) getTransport() error {
 		return err
 	}
 	if a.trInfo != nil {
-		a.trInfo.firstLine.SetRemoteAddr(a.transport.RemoteAddr())
+		a.trInfo.firstLine.SetRemoteAddr(a.transport.Peer().Addr)
+	}
+	if pick.blocked && a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
 	}
 	return nil
 }
@@ -520,7 +556,7 @@ func (a *csAttempt) newStream() error {
 	}
 	a.transportStream = s
 	a.ctx = s.Context()
-	a.parser = &parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
+	a.parser = parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
 	return nil
 }
 
@@ -540,6 +576,8 @@ type clientStream struct {
 
 	sentLast bool // sent an end stream
 
+	receivedFirstMsg bool // set after the first message is received
+
 	methodConfig *MethodConfig
 
 	ctx context.Context // the application's context, wrapped by stats/tracing
@@ -573,6 +611,9 @@ type clientStream struct {
 	onCommit         func()
 	replayBuffer     []replayOp // operations to replay on retry
 	replayBufferSize int        // current size of replayBuffer
+	// nameResolutionDelay indicates if there was a delay in the name resolution.
+	// This field is only valid on client side, it's always false on server side.
+	nameResolutionDelay bool
 }
 
 type replayOp struct {
@@ -587,7 +628,7 @@ type csAttempt struct {
 	cs              *clientStream
 	transport       transport.ClientTransport
 	transportStream *transport.ClientStream
-	parser          *parser
+	parser          parser
 	pickResult      balancer.PickResult
 
 	finished        bool
@@ -601,8 +642,8 @@ type csAttempt struct {
 	// and cleared when the finish method is called.
 	trInfo *traceInfo
 
-	statsHandlers []stats.Handler
-	beginTime     time.Time
+	statsHandler stats.Handler
+	beginTime    time.Time
 
 	// set for newStream errors that may be transparently retried
 	allowTransparentRetry bool
@@ -987,7 +1028,7 @@ func (cs *clientStream) RecvMsg(m any) error {
 
 func (cs *clientStream) CloseSend() error {
 	if cs.sentLast {
-		// TODO: return an error and finish the stream instead, due to API misuse?
+		// Return a nil error on repeated calls to this method.
 		return nil
 	}
 	cs.sentLast = true
@@ -1008,7 +1049,10 @@ func (cs *clientStream) CloseSend() error {
 			binlog.Log(cs.ctx, chc)
 		}
 	}
-	// We never returned an error here for reasons.
+	// We don't return an error here as we expect users to read all messages
+	// from the stream and get the RPC status from RecvMsg().  Note that
+	// SendMsg() must return an error when one occurs so the application
+	// knows to stop sending messages, but that does not apply here.
 	return nil
 }
 
@@ -1023,9 +1067,6 @@ func (cs *clientStream) finish(err error) {
 		return
 	}
 	cs.finished = true
-	for _, onFinish := range cs.callInfo.onFinish {
-		onFinish(err)
-	}
 	cs.commitAttemptLocked()
 	if cs.attempt != nil {
 		cs.attempt.finish(err)
@@ -1065,13 +1106,7 @@ func (cs *clientStream) finish(err error) {
 	if err == nil {
 		cs.retryThrottler.successfulRPC()
 	}
-	if channelz.IsOn() {
-		if err != nil {
-			cs.cc.incrCallsFailed()
-		} else {
-			cs.cc.incrCallsSucceeded()
-		}
-	}
+	endOfClientStream(cs.cc, err, cs.opts...)
 	cs.cancel()
 }
 
@@ -1093,17 +1128,15 @@ func (a *csAttempt) sendMsg(m any, hdr []byte, payld mem.BufferSlice, dataLength
 		}
 		return io.EOF
 	}
-	if len(a.statsHandlers) != 0 {
-		for _, sh := range a.statsHandlers {
-			sh.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
-		}
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
 	}
 	return nil
 }
 
 func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	cs := a.cs
-	if len(a.statsHandlers) != 0 && payInfo == nil {
+	if a.statsHandler != nil && payInfo == nil {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1117,6 +1150,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 				a.decompressorV0 = nil
 				a.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(cs.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			a.decompressorV0 = nil
@@ -1124,16 +1161,21 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		// Only initialize this state once per stream.
 		a.decompressorSet = true
 	}
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := a.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !cs.desc.ServerStreams && !cs.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 
 		return toRPCErr(err)
 	}
+	cs.receivedFirstMsg = true
 	if a.trInfo != nil {
 		a.mu.Lock()
 		if a.trInfo.tr != nil {
@@ -1141,8 +1183,8 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		}
 		a.mu.Unlock()
 	}
-	for _, sh := range a.statsHandlers {
-		sh.HandleRPC(a.ctx, &stats.InPayload{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.InPayload{
 			Client:           true,
 			RecvTime:         time.Now(),
 			Payload:          m,
@@ -1157,12 +1199,12 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	}
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
 		return a.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return toRPCErr(errors.New("grpc: client streaming protocol violation: get <nil>, want <EOF>"))
+	return status.Error(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (a *csAttempt) finish(err error) {
@@ -1195,15 +1237,14 @@ func (a *csAttempt) finish(err error) {
 			ServerLoad:    balancerload.Parse(tr),
 		})
 	}
-	for _, sh := range a.statsHandlers {
-		end := &stats.End{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.End{
 			Client:    true,
 			BeginTime: a.beginTime,
 			EndTime:   time.Now(),
 			Trailer:   tr,
 			Error:     err,
-		}
-		sh.HandleRPC(a.ctx, end)
+		})
 	}
 	if a.trInfo != nil && a.trInfo.tr != nil {
 		if err == nil {
@@ -1309,7 +1350,7 @@ func newNonRetryClientStream(ctx context.Context, desc *StreamDesc, method strin
 		return nil, err
 	}
 	as.transportStream = s
-	as.parser = &parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
+	as.parser = parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
 	ac.incrCallsStarted()
 	if desc != unaryStreamDesc {
 		// Listen on stream context to cleanup when the stream context is
@@ -1344,6 +1385,7 @@ type addrConnStream struct {
 	transport        transport.ClientTransport
 	ctx              context.Context
 	sentLast         bool
+	receivedFirstMsg bool
 	desc             *StreamDesc
 	codec            baseCodec
 	sendCompressorV0 Compressor
@@ -1351,7 +1393,7 @@ type addrConnStream struct {
 	decompressorSet  bool
 	decompressorV0   Decompressor
 	decompressorV1   encoding.Compressor
-	parser           *parser
+	parser           parser
 
 	// mu guards finished and is held for the entire finish method.
 	mu       sync.Mutex
@@ -1372,7 +1414,7 @@ func (as *addrConnStream) Trailer() metadata.MD {
 
 func (as *addrConnStream) CloseSend() error {
 	if as.sentLast {
-		// TODO: return an error and finish the stream instead, due to API misuse?
+		// Return a nil error on repeated calls to this method.
 		return nil
 	}
 	as.sentLast = true
@@ -1457,6 +1499,10 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 				as.decompressorV0 = nil
 				as.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(as.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			as.decompressorV0 = nil
@@ -1464,15 +1510,20 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 		// Only initialize this state once per stream.
 		as.decompressorSet = true
 	}
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := as.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !as.desc.ServerStreams && !as.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 		return toRPCErr(err)
 	}
+	as.receivedFirstMsg = true
 
 	if as.desc.ServerStreams {
 		// Subsequent messages should be received by subsequent RecvMsg calls.
@@ -1481,12 +1532,12 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
 		return as.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return toRPCErr(errors.New("grpc: client streaming protocol violation: get <nil>, want <EOF>"))
+	return status.Error(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (as *addrConnStream) finish(err error) {
@@ -1569,8 +1620,9 @@ type ServerStream interface {
 type serverStream struct {
 	ctx   context.Context
 	s     *transport.ServerStream
-	p     *parser
+	p     parser
 	codec baseCodec
+	desc  *StreamDesc
 
 	compressorV0   Compressor
 	compressorV1   encoding.Compressor
@@ -1579,11 +1631,13 @@ type serverStream struct {
 
 	sendCompressorName string
 
+	recvFirstMsg bool // set after the first message is received
+
 	maxReceiveMessageSize int
 	maxSendMessageSize    int
 	trInfo                *traceInfo
 
-	statsHandler []stats.Handler
+	statsHandler stats.Handler
 
 	binlogs []binarylog.MethodLogger
 	// serverHeaderBinlogged indicates whether server header has been logged. It
@@ -1719,10 +1773,8 @@ func (ss *serverStream) SendMsg(m any) (err error) {
 			binlog.Log(ss.ctx, sm)
 		}
 	}
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
-		}
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
 	}
 	return nil
 }
@@ -1753,11 +1805,11 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		}
 	}()
 	var payInfo *payloadInfo
-	if len(ss.statsHandler) != 0 || len(ss.binlogs) != 0 {
+	if ss.statsHandler != nil || len(ss.binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
-	if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
 		if err == io.EOF {
 			if len(ss.binlogs) != 0 {
 				chc := &binarylog.ClientHalfClose{}
@@ -1765,6 +1817,10 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 					binlog.Log(ss.ctx, chc)
 				}
 			}
+			// Received no request msg for non-client streaming rpcs.
+			if !ss.desc.ClientStreams && !ss.recvFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no request message from non-client-streaming RPC")
+			}
 			return err
 		}
 		if err == io.ErrUnexpectedEOF {
@@ -1772,16 +1828,15 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		}
 		return toRPCErr(err)
 	}
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), &stats.InPayload{
-				RecvTime:         time.Now(),
-				Payload:          m,
-				Length:           payInfo.uncompressedBytes.Len(),
-				WireLength:       payInfo.compressedLength + headerLen,
-				CompressedLength: payInfo.compressedLength,
-			})
-		}
+	ss.recvFirstMsg = true
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), &stats.InPayload{
+			RecvTime:         time.Now(),
+			Payload:          m,
+			Length:           payInfo.uncompressedBytes.Len(),
+			WireLength:       payInfo.compressedLength + headerLen,
+			CompressedLength: payInfo.compressedLength,
+		})
 	}
 	if len(ss.binlogs) != 0 {
 		cm := &binarylog.ClientMessage{
@@ -1791,7 +1846,19 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 			binlog.Log(ss.ctx, cm)
 		}
 	}
-	return nil
+
+	if ss.desc.ClientStreams {
+		// Subsequent messages should be received by subsequent RecvMsg calls.
+		return nil
+	}
+	// Special handling for non-client-stream rpcs.
+	// This recv expects EOF or errors, so we don't collect inPayload.
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
+		return nil
+	} else if err != nil {
+		return err
+	}
+	return status.Error(codes.Internal, "cardinality violation: received multiple request messages for non-client-streaming RPC")
 }
 
 // MethodFromServerStream returns the method string for the input stream.
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 2bae4db890..ff7840fd8e 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.72.2"
+const Version = "1.78.0"
diff --git a/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go b/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
index bf1aba0e85..7b9f01afb0 100644
--- a/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
@@ -9,7 +9,7 @@ import "google.golang.org/protobuf/types/descriptorpb"
 
 const (
 	Minimum = descriptorpb.Edition_EDITION_PROTO2
-	Maximum = descriptorpb.Edition_EDITION_2023
+	Maximum = descriptorpb.Edition_EDITION_2024
 
 	// MaximumKnown is the maximum edition that is known to Go Protobuf, but not
 	// declared as supported. In other words: end users cannot use it, but
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
index 669133d04d..c96e448346 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
@@ -32,7 +32,7 @@ var byteType = reflect.TypeOf(byte(0))
 func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescriptors) protoreflect.FieldDescriptor {
 	f := new(filedesc.Field)
 	f.L0.ParentFile = filedesc.SurrogateProto2
-	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	packed := false
 	for len(tag) > 0 {
 		i := strings.IndexByte(tag, ',')
 		if i < 0 {
@@ -108,7 +108,7 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 				f.L1.StringName.InitJSON(jsonName)
 			}
 		case s == "packed":
-			f.L1.EditionFeatures.IsPacked = true
+			packed = true
 		case strings.HasPrefix(s, "def="):
 			// The default tag is special in that everything afterwards is the
 			// default regardless of the presence of commas.
@@ -121,6 +121,13 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 		tag = strings.TrimPrefix(tag[i:], ",")
 	}
 
+	// Update EditionFeatures after the loop and after we know whether this is
+	// a proto2 or proto3 field.
+	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	if packed {
+		f.L1.EditionFeatures.IsPacked = true
+	}
+
 	// The generator uses the group message name instead of the field name.
 	// We obtain the real field name by lowercasing the group name.
 	if f.L1.Kind == protoreflect.GroupKind {
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
index 099b2bf451..9aa7a9bb77 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
@@ -424,27 +424,34 @@ func (d *Decoder) parseFieldName() (tok Token, err error) {
 	return Token{}, d.newSyntaxError("invalid field name: %s", errId(d.in))
 }
 
-// parseTypeName parses Any type URL or extension field name. The name is
-// enclosed in [ and ] characters. The C++ parser does not handle many legal URL
-// strings. This implementation is more liberal and allows for the pattern
-// ^[-_a-zA-Z0-9]+([./][-_a-zA-Z0-9]+)*`). Whitespaces and comments are allowed
-// in between [ ], '.', '/' and the sub names.
+// parseTypeName parses an Any type URL or an extension field name. The name is
+// enclosed in [ and ] characters. We allow almost arbitrary type URL prefixes,
+// closely following the text-format spec [1,2]. We implement "ExtensionName |
+// AnyName" as follows (with some exceptions for backwards compatibility):
+//
+// char      = [-_a-zA-Z0-9]
+// url_char  = char | [.~!$&'()*+,;=] | "%", hex, hex
+//
+// Ident         = char, { char }
+// TypeName      = Ident, { ".", Ident } ;
+// UrlPrefix     = url_char, { url_char | "/" } ;
+// ExtensionName = "[", TypeName, "]" ;
+// AnyName       = "[", UrlPrefix, "/", TypeName, "]" ;
+//
+// Additionally, we allow arbitrary whitespace and comments between [ and ].
+//
+// [1] https://protobuf.dev/reference/protobuf/textformat-spec/#characters
+// [2] https://protobuf.dev/reference/protobuf/textformat-spec/#field-names
 func (d *Decoder) parseTypeName() (Token, error) {
-	startPos := len(d.orig) - len(d.in)
 	// Use alias s to advance first in order to use d.in for error handling.
-	// Caller already checks for [ as first character.
+	// Caller already checks for [ as first character (d.in[0] == '[').
 	s := consume(d.in[1:], 0)
 	if len(s) == 0 {
 		return Token{}, ErrUnexpectedEOF
 	}
 
+	// Collect everything between [ and ] in name.
 	var name []byte
-	for len(s) > 0 && isTypeNameChar(s[0]) {
-		name = append(name, s[0])
-		s = s[1:]
-	}
-	s = consume(s, 0)
-
 	var closed bool
 	for len(s) > 0 && !closed {
 		switch {
@@ -452,23 +459,20 @@ func (d *Decoder) parseTypeName() (Token, error) {
 			s = s[1:]
 			closed = true
 
-		case s[0] == '/', s[0] == '.':
-			if len(name) > 0 && (name[len(name)-1] == '/' || name[len(name)-1] == '.') {
-				return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-					d.orig[startPos:len(d.orig)-len(s)+1])
-			}
+		case s[0] == '/' || isTypeNameChar(s[0]) || isUrlExtraChar(s[0]):
 			name = append(name, s[0])
-			s = s[1:]
-			s = consume(s, 0)
-			for len(s) > 0 && isTypeNameChar(s[0]) {
-				name = append(name, s[0])
-				s = s[1:]
+			s = consume(s[1:], 0)
+
+		// URL percent-encoded chars
+		case s[0] == '%':
+			if len(s) < 3 || !isHexChar(s[1]) || !isHexChar(s[2]) {
+				return Token{}, d.parseTypeNameError(s, 3)
 			}
-			s = consume(s, 0)
+			name = append(name, s[0], s[1], s[2])
+			s = consume(s[3:], 0)
 
 		default:
-			return Token{}, d.newSyntaxError(
-				"invalid type URL/extension field name: %s", d.orig[startPos:len(d.orig)-len(s)+1])
+			return Token{}, d.parseTypeNameError(s, 1)
 		}
 	}
 
@@ -476,15 +480,38 @@ func (d *Decoder) parseTypeName() (Token, error) {
 		return Token{}, ErrUnexpectedEOF
 	}
 
-	// First character cannot be '.'. Last character cannot be '.' or '/'.
-	size := len(name)
-	if size == 0 || name[0] == '.' || name[size-1] == '.' || name[size-1] == '/' {
-		return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-			d.orig[startPos:len(d.orig)-len(s)])
+	// Split collected name on last '/' into urlPrefix and typeName (if '/' is
+	// present).
+	typeName := name
+	if i := bytes.LastIndexByte(name, '/'); i != -1 {
+		urlPrefix := name[:i]
+		typeName = name[i+1:]
+
+		// urlPrefix may be empty (for backwards compatibility).
+		// If non-empty, it must not start with '/'.
+		if len(urlPrefix) > 0 && urlPrefix[0] == '/' {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
 	}
 
+	// typeName must not be empty (note: "" splits to [""]) and all identifier
+	// parts must not be empty.
+	for _, ident := range bytes.Split(typeName, []byte{'.'}) {
+		if len(ident) == 0 {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	// typeName must not contain any percent-encoded or special URL chars.
+	for _, b := range typeName {
+		if b == '%' || (b != '.' && isUrlExtraChar(b)) {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	startPos := len(d.orig) - len(d.in)
+	endPos := len(d.orig) - len(s)
 	d.in = s
-	endPos := len(d.orig) - len(d.in)
 	d.consume(0)
 
 	return Token{
@@ -496,16 +523,32 @@ func (d *Decoder) parseTypeName() (Token, error) {
 	}, nil
 }
 
+func (d *Decoder) parseTypeNameError(s []byte, numUnconsumedChars int) error {
+	return d.newSyntaxError(
+		"invalid type URL/extension field name: %s",
+		d.in[:len(d.in)-len(s)+min(numUnconsumedChars, len(s))],
+	)
+}
+
+func isHexChar(b byte) bool {
+	return ('0' <= b && b <= '9') ||
+		('a' <= b && b <= 'f') ||
+		('A' <= b && b <= 'F')
+}
+
 func isTypeNameChar(b byte) bool {
-	return (b == '-' || b == '_' ||
+	return b == '-' || b == '_' ||
 		('0' <= b && b <= '9') ||
 		('a' <= b && b <= 'z') ||
-		('A' <= b && b <= 'Z'))
+		('A' <= b && b <= 'Z')
 }
 
-func isWhiteSpace(b byte) bool {
+// isUrlExtraChar complements isTypeNameChar with extra characters that we allow
+// in URLs but not in type names. Note that '/' is not included so that it can
+// be treated specially.
+func isUrlExtraChar(b byte) bool {
 	switch b {
-	case ' ', '\n', '\r', '\t':
+	case '.', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=':
 		return true
 	default:
 		return false
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
index 688aabe434..c775e5832f 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
@@ -32,6 +32,7 @@ const (
 	EditionProto3      Edition = 999
 	Edition2023        Edition = 1000
 	Edition2024        Edition = 1001
+	EditionUnstable    Edition = 9999
 	EditionUnsupported Edition = 100000
 )
 
@@ -72,9 +73,10 @@ type (
 		EditionFeatures EditionFeatures
 	}
 	FileL2 struct {
-		Options   func() protoreflect.ProtoMessage
-		Imports   FileImports
-		Locations SourceLocations
+		Options       func() protoreflect.ProtoMessage
+		Imports       FileImports
+		OptionImports func() protoreflect.FileImports
+		Locations     SourceLocations
 	}
 
 	// EditionFeatures is a frequently-instantiated struct, so please take care
@@ -126,12 +128,9 @@ func (fd *File) ParentFile() protoreflect.FileDescriptor { return fd }
 func (fd *File) Parent() protoreflect.Descriptor         { return nil }
 func (fd *File) Index() int                              { return 0 }
 func (fd *File) Syntax() protoreflect.Syntax             { return fd.L1.Syntax }
-
-// Not exported and just used to reconstruct the original FileDescriptor proto
-func (fd *File) Edition() int32                  { return int32(fd.L1.Edition) }
-func (fd *File) Name() protoreflect.Name         { return fd.L1.Package.Name() }
-func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
-func (fd *File) IsPlaceholder() bool             { return false }
+func (fd *File) Name() protoreflect.Name                 { return fd.L1.Package.Name() }
+func (fd *File) FullName() protoreflect.FullName         { return fd.L1.Package }
+func (fd *File) IsPlaceholder() bool                     { return false }
 func (fd *File) Options() protoreflect.ProtoMessage {
 	if f := fd.lazyInit().Options; f != nil {
 		return f()
@@ -150,6 +149,16 @@ func (fd *File) Format(s fmt.State, r rune)                    { descfmt.FormatD
 func (fd *File) ProtoType(protoreflect.FileDescriptor)         {}
 func (fd *File) ProtoInternal(pragma.DoNotImplement)           {}
 
+// The next two are not part of the FileDescriptor interface. They are just used to reconstruct
+// the original FileDescriptor proto.
+func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
+func (fd *File) OptionImports() protoreflect.FileImports {
+	if f := fd.lazyInit().OptionImports; f != nil {
+		return f()
+	}
+	return emptyFiles
+}
+
 func (fd *File) lazyInit() *FileL2 {
 	if atomic.LoadUint32(&fd.once) == 0 {
 		fd.lazyInitOnce()
@@ -182,9 +191,9 @@ type (
 		L2 *EnumL2 // protected by fileDesc.once
 	}
 	EnumL1 struct {
-		eagerValues bool // controls whether EnumL2.Values is already populated
-
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		eagerValues     bool // controls whether EnumL2.Values is already populated
 	}
 	EnumL2 struct {
 		Options        func() protoreflect.ProtoMessage
@@ -219,6 +228,11 @@ func (ed *Enum) ReservedNames() protoreflect.Names       { return &ed.lazyInit()
 func (ed *Enum) ReservedRanges() protoreflect.EnumRanges { return &ed.lazyInit().ReservedRanges }
 func (ed *Enum) Format(s fmt.State, r rune)              { descfmt.FormatDesc(s, r, ed) }
 func (ed *Enum) ProtoType(protoreflect.EnumDescriptor)   {}
+
+// This is not part of the EnumDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (ed *Enum) Visibility() int32 { return ed.L1.Visibility }
+
 func (ed *Enum) lazyInit() *EnumL2 {
 	ed.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return ed.L2
@@ -244,13 +258,13 @@ type (
 		L2 *MessageL2 // protected by fileDesc.once
 	}
 	MessageL1 struct {
-		Enums        Enums
-		Messages     Messages
-		Extensions   Extensions
-		IsMapEntry   bool // promoted from google.protobuf.MessageOptions
-		IsMessageSet bool // promoted from google.protobuf.MessageOptions
-
+		Enums           Enums
+		Messages        Messages
+		Extensions      Extensions
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		IsMapEntry      bool // promoted from google.protobuf.MessageOptions
+		IsMessageSet    bool // promoted from google.protobuf.MessageOptions
 	}
 	MessageL2 struct {
 		Options               func() protoreflect.ProtoMessage
@@ -319,6 +333,11 @@ func (md *Message) Messages() protoreflect.MessageDescriptors     { return &md.L
 func (md *Message) Extensions() protoreflect.ExtensionDescriptors { return &md.L1.Extensions }
 func (md *Message) ProtoType(protoreflect.MessageDescriptor)      {}
 func (md *Message) Format(s fmt.State, r rune)                    { descfmt.FormatDesc(s, r, md) }
+
+// This is not part of the MessageDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (md *Message) Visibility() int32 { return md.L1.Visibility }
+
 func (md *Message) lazyInit() *MessageL2 {
 	md.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return md.L2
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
index d2f549497e..e91860f5a2 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
@@ -284,6 +284,13 @@ func (ed *Enum) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protorefl
 			case genid.EnumDescriptorProto_Value_field_number:
 				numValues++
 			}
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.EnumDescriptorProto_Visibility_field_number:
+				ed.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
@@ -365,6 +372,13 @@ func (md *Message) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protor
 				md.unmarshalSeedOptions(v)
 			}
 			prevField = num
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.DescriptorProto_Visibility_field_number:
+				md.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
index d4c94458bd..78f02b1b49 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
@@ -134,6 +134,7 @@ func (fd *File) unmarshalFull(b []byte) {
 
 	var enumIdx, messageIdx, extensionIdx, serviceIdx int
 	var rawOptions []byte
+	var optionImports []string
 	fd.L2 = new(FileL2)
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
@@ -157,6 +158,8 @@ func (fd *File) unmarshalFull(b []byte) {
 					imp = PlaceholderFile(path)
 				}
 				fd.L2.Imports = append(fd.L2.Imports, protoreflect.FileImport{FileDescriptor: imp})
+			case genid.FileDescriptorProto_OptionDependency_field_number:
+				optionImports = append(optionImports, sb.MakeString(v))
 			case genid.FileDescriptorProto_EnumType_field_number:
 				fd.L1.Enums.List[enumIdx].unmarshalFull(v, sb)
 				enumIdx++
@@ -178,6 +181,23 @@ func (fd *File) unmarshalFull(b []byte) {
 		}
 	}
 	fd.L2.Options = fd.builder.optionsUnmarshaler(&descopts.File, rawOptions)
+	if len(optionImports) > 0 {
+		var imps FileImports
+		var once sync.Once
+		fd.L2.OptionImports = func() protoreflect.FileImports {
+			once.Do(func() {
+				imps = make(FileImports, len(optionImports))
+				for i, path := range optionImports {
+					imp, _ := fd.builder.FileRegistry.FindFileByPath(path)
+					if imp == nil {
+						imp = PlaceholderFile(path)
+					}
+					imps[i] = protoreflect.FileImport{FileDescriptor: imp}
+				}
+			})
+			return &imps
+		}
+	}
 }
 
 func (ed *Enum) unmarshalFull(b []byte, sb *strs.Builder) {
@@ -310,7 +330,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 				md.L1.Extensions.List[extensionIdx].unmarshalFull(v, sb)
 				extensionIdx++
 			case genid.DescriptorProto_Options_field_number:
-				md.unmarshalOptions(v)
 				rawOptions = appendOptions(rawOptions, v)
 			}
 		default:
@@ -336,27 +355,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 	md.L2.Options = md.L0.ParentFile.builder.optionsUnmarshaler(&descopts.Message, rawOptions)
 }
 
-func (md *Message) unmarshalOptions(b []byte) {
-	for len(b) > 0 {
-		num, typ, n := protowire.ConsumeTag(b)
-		b = b[n:]
-		switch typ {
-		case protowire.VarintType:
-			v, m := protowire.ConsumeVarint(b)
-			b = b[m:]
-			switch num {
-			case genid.MessageOptions_MapEntry_field_number:
-				md.L1.IsMapEntry = protowire.DecodeBool(v)
-			case genid.MessageOptions_MessageSetWireFormat_field_number:
-				md.L1.IsMessageSet = protowire.DecodeBool(v)
-			}
-		default:
-			m := protowire.ConsumeFieldValue(num, typ, b)
-			b = b[m:]
-		}
-	}
-}
-
 func unmarshalMessageReservedRange(b []byte) (r [2]protoreflect.FieldNumber) {
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
index a0aad2777f..66ba906806 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
@@ -13,8 +13,10 @@ import (
 	"google.golang.org/protobuf/reflect/protoreflect"
 )
 
-var defaultsCache = make(map[Edition]EditionFeatures)
-var defaultsKeys = []Edition{}
+var (
+	defaultsCache = make(map[Edition]EditionFeatures)
+	defaultsKeys  = []Edition{}
+)
 
 func init() {
 	unmarshalEditionDefaults(editiondefaults.Defaults)
@@ -41,7 +43,7 @@ func unmarshalGoFeature(b []byte, parent EditionFeatures) EditionFeatures {
 			b = b[m:]
 			parent.StripEnumPrefix = int(v)
 		default:
-			panic(fmt.Sprintf("unkown field number %d while unmarshalling GoFeatures", num))
+			panic(fmt.Sprintf("unknown field number %d while unmarshalling GoFeatures", num))
 		}
 	}
 	return parent
@@ -76,7 +78,7 @@ func unmarshalFeatureSet(b []byte, parent EditionFeatures) EditionFeatures {
 				// DefaultSymbolVisibility is enforced in protoc, runtimes should not
 				// inspect this value.
 			default:
-				panic(fmt.Sprintf("unkown field number %d while unmarshalling FeatureSet", num))
+				panic(fmt.Sprintf("unknown field number %d while unmarshalling FeatureSet", num))
 			}
 		case protowire.BytesType:
 			v, m := protowire.ConsumeBytes(b)
@@ -150,7 +152,7 @@ func unmarshalEditionDefaults(b []byte) {
 			_, m := protowire.ConsumeVarint(b)
 			b = b[m:]
 		default:
-			panic(fmt.Sprintf("unkown field number %d while unmarshalling EditionDefault", num))
+			panic(fmt.Sprintf("unknown field number %d while unmarshalling EditionDefault", num))
 		}
 	}
 }
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index 950a6a325a..65aaf4d210 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -26,6 +26,7 @@ const (
 	Edition_EDITION_PROTO3_enum_value          = 999
 	Edition_EDITION_2023_enum_value            = 1000
 	Edition_EDITION_2024_enum_value            = 1001
+	Edition_EDITION_UNSTABLE_enum_value        = 9999
 	Edition_EDITION_1_TEST_ONLY_enum_value     = 1
 	Edition_EDITION_2_TEST_ONLY_enum_value     = 2
 	Edition_EDITION_99997_TEST_ONLY_enum_value = 99997
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
index 229c698013..4a3bf393ef 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
@@ -113,6 +113,9 @@ func sizeMap(mapv reflect.Value, mapi *mapInfo, f *coderFieldInfo, opts marshalO
 }
 
 func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
@@ -170,6 +173,9 @@ func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo
 }
 
 func consumeMapOfMessage(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/decode.go b/vendor/google.golang.org/protobuf/internal/impl/decode.go
index e0dd21fa5f..1228b5c8c2 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/decode.go
@@ -102,8 +102,7 @@ var errUnknown = errors.New("unknown")
 
 func (mi *MessageInfo) unmarshalPointer(b []byte, p pointer, groupTag protowire.Number, opts unmarshalOptions) (out unmarshalOutput, err error) {
 	mi.init()
-	opts.depth--
-	if opts.depth < 0 {
+	if opts.depth--; opts.depth < 0 {
 		return out, errRecursionDepth
 	}
 	if flags.ProtoLegacy && mi.isMessageSet {
diff --git a/vendor/google.golang.org/protobuf/internal/impl/validate.go b/vendor/google.golang.org/protobuf/internal/impl/validate.go
index 7b2995dde5..99a1eb95f7 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/validate.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/validate.go
@@ -68,9 +68,13 @@ func Validate(mt protoreflect.MessageType, in protoiface.UnmarshalInput) (out pr
 	if in.Resolver == nil {
 		in.Resolver = protoregistry.GlobalTypes
 	}
+	if in.Depth == 0 {
+		in.Depth = protowire.DefaultRecursionLimit
+	}
 	o, st := mi.validate(in.Buf, 0, unmarshalOptions{
 		flags:    in.Flags,
 		resolver: in.Resolver,
+		depth:    in.Depth,
 	})
 	if o.initialized {
 		out.Flags |= protoiface.UnmarshalInitialized
@@ -257,6 +261,9 @@ func (mi *MessageInfo) validate(b []byte, groupTag protowire.Number, opts unmars
 		states[0].typ = validationTypeGroup
 		states[0].endGroup = groupTag
 	}
+	if opts.depth--; opts.depth < 0 {
+		return out, ValidationInvalid
+	}
 	initialized := true
 	start := len(b)
 State:
@@ -451,6 +458,13 @@ State:
 						mi:      vi.mi,
 						tail:    b,
 					})
+					if vi.typ == validationTypeMessage ||
+						vi.typ == validationTypeGroup ||
+						vi.typ == validationTypeMap {
+						if opts.depth--; opts.depth < 0 {
+							return out, ValidationInvalid
+						}
+					}
 					b = v
 					continue State
 				case validationTypeRepeatedVarint:
@@ -499,6 +513,9 @@ State:
 						mi:       vi.mi,
 						endGroup: num,
 					})
+					if opts.depth--; opts.depth < 0 {
+						return out, ValidationInvalid
+					}
 					continue State
 				case flags.ProtoLegacy && vi.typ == validationTypeMessageSetItem:
 					typeid, v, n, err := messageset.ConsumeFieldValue(b, false)
@@ -521,6 +538,13 @@ State:
 							mi:   xvi.mi,
 							tail: b[n:],
 						})
+						if xvi.typ == validationTypeMessage ||
+							xvi.typ == validationTypeGroup ||
+							xvi.typ == validationTypeMap {
+							if opts.depth--; opts.depth < 0 {
+								return out, ValidationInvalid
+							}
+						}
 						b = v
 						continue State
 					}
@@ -547,12 +571,14 @@ State:
 		switch st.typ {
 		case validationTypeMessage, validationTypeGroup:
 			numRequiredFields = int(st.mi.numRequiredFields)
+			opts.depth++
 		case validationTypeMap:
 			// If this is a map field with a message value that contains
 			// required fields, require that the value be present.
 			if st.mi != nil && st.mi.numRequiredFields > 0 {
 				numRequiredFields = 1
 			}
+			opts.depth++
 		}
 		// If there are more than 64 required fields, this check will
 		// always fail and we will report that the message is potentially
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 697d1c14f3..763fd82841 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 8
+	Patch      = 11
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go
index 4cbf1aeaf7..889d8511d2 100644
--- a/vendor/google.golang.org/protobuf/proto/decode.go
+++ b/vendor/google.golang.org/protobuf/proto/decode.go
@@ -121,9 +121,8 @@ func (o UnmarshalOptions) unmarshal(b []byte, m protoreflect.Message) (out proto
 
 		out, err = methods.Unmarshal(in)
 	} else {
-		o.RecursionLimit--
-		if o.RecursionLimit < 0 {
-			return out, errors.New("exceeded max recursion depth")
+		if o.RecursionLimit--; o.RecursionLimit < 0 {
+			return out, errRecursionDepth
 		}
 		err = o.unmarshalMessageSlow(b, m)
 	}
@@ -220,6 +219,9 @@ func (o UnmarshalOptions) unmarshalSingular(b []byte, wtyp protowire.Type, m pro
 }
 
 func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv protoreflect.Map, fd protoreflect.FieldDescriptor) (n int, err error) {
+	if o.RecursionLimit--; o.RecursionLimit < 0 {
+		return 0, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return 0, errUnknown
 	}
@@ -305,3 +307,5 @@ func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv proto
 var errUnknown = errors.New("BUG: internal error (unknown)")
 
 var errDecode = errors.New("cannot parse invalid wire-format data")
+
+var errRecursionDepth = errors.New("exceeded maximum recursion depth")
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
index 823dbf3ba6..40f17af4e3 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
@@ -108,7 +108,9 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 	if f.L1.Path == "" {
 		return nil, errors.New("file path must be populated")
 	}
-	if f.L1.Syntax == protoreflect.Editions && (fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) {
+	if f.L1.Syntax == protoreflect.Editions &&
+		(fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) &&
+		fd.GetEdition() != descriptorpb.Edition_EDITION_UNSTABLE {
 		// Allow cmd/protoc-gen-go/testdata to use any edition for easier
 		// testing of upcoming edition features.
 		if !strings.HasPrefix(fd.GetName(), "cmd/protoc-gen-go/testdata/") {
@@ -152,6 +154,31 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 		imp := &f.L2.Imports[i]
 		imps.importPublic(imp.Imports())
 	}
+	optionImps := importSet{f.Path(): true}
+	if len(fd.GetOptionDependency()) > 0 {
+		optionImports := make(filedesc.FileImports, len(fd.GetOptionDependency()))
+		for i, path := range fd.GetOptionDependency() {
+			imp := &optionImports[i]
+			f, err := r.FindFileByPath(path)
+			if err == protoregistry.NotFound {
+				// We always allow option imports to be unresolvable.
+				f = filedesc.PlaceholderFile(path)
+			} else if err != nil {
+				return nil, errors.New("could not resolve import %q: %v", path, err)
+			}
+			imp.FileDescriptor = f
+
+			if imps[imp.Path()] || optionImps[imp.Path()] {
+				return nil, errors.New("already imported %q", path)
+			}
+			// This needs to be a separate map so that we don't recognize non-options
+			// symbols coming from option imports.
+			optionImps[imp.Path()] = true
+		}
+		f.L2.OptionImports = func() protoreflect.FileImports {
+			return &optionImports
+		}
+	}
 
 	// Handle source locations.
 	f.L2.Locations.File = f
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
index 9da34998b1..c826ad0430 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
@@ -29,6 +29,7 @@ func (r descsByName) initEnumDeclarations(eds []*descriptorpb.EnumDescriptorProt
 			e.L2.Options = func() protoreflect.ProtoMessage { return opts }
 		}
 		e.L1.EditionFeatures = mergeEditionFeatures(parent, ed.GetOptions().GetFeatures())
+		e.L1.Visibility = int32(ed.GetVisibility())
 		for _, s := range ed.GetReservedName() {
 			e.L2.ReservedNames.List = append(e.L2.ReservedNames.List, protoreflect.Name(s))
 		}
@@ -70,6 +71,7 @@ func (r descsByName) initMessagesDeclarations(mds []*descriptorpb.DescriptorProt
 			return nil, err
 		}
 		m.L1.EditionFeatures = mergeEditionFeatures(parent, md.GetOptions().GetFeatures())
+		m.L1.Visibility = int32(md.GetVisibility())
 		if opts := md.GetOptions(); opts != nil {
 			opts = proto.Clone(opts).(*descriptorpb.MessageOptions)
 			m.L2.Options = func() protoreflect.ProtoMessage { return opts }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
index 697a61b290..147b8c7398 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
@@ -46,6 +46,8 @@ func toEditionProto(ed filedesc.Edition) descriptorpb.Edition {
 		return descriptorpb.Edition_EDITION_2023
 	case filedesc.Edition2024:
 		return descriptorpb.Edition_EDITION_2024
+	case filedesc.EditionUnstable:
+		return descriptorpb.Edition_EDITION_UNSTABLE
 	default:
 		panic(fmt.Sprintf("unknown value for edition: %v", ed))
 	}
@@ -58,7 +60,7 @@ func getFeatureSetFor(ed filedesc.Edition) *descriptorpb.FeatureSet {
 		return def
 	}
 	edpb := toEditionProto(ed)
-	if defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb {
+	if (defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb) && edpb != descriptorpb.Edition_EDITION_UNSTABLE {
 		// This should never happen protodesc.(FileOptions).New would fail when
 		// initializing the file descriptor.
 		// This most likely means the embedded defaults were not updated.
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index 9b880aa8c9..6f91074e36 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -70,16 +70,27 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
 	if syntax := file.Syntax(); syntax != protoreflect.Proto2 && syntax.IsValid() {
 		p.Syntax = proto.String(file.Syntax().String())
 	}
+	desc := file
+	if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
+		desc = fileImportDesc.FileDescriptor
+	}
 	if file.Syntax() == protoreflect.Editions {
-		desc := file
-		if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
-			desc = fileImportDesc.FileDescriptor
-		}
-
 		if editionsInterface, ok := desc.(interface{ Edition() int32 }); ok {
 			p.Edition = descriptorpb.Edition(editionsInterface.Edition()).Enum()
 		}
 	}
+	type hasOptionImports interface {
+		OptionImports() protoreflect.FileImports
+	}
+	if opts, ok := desc.(hasOptionImports); ok {
+		if optionImports := opts.OptionImports(); optionImports.Len() > 0 {
+			optionDeps := make([]string, optionImports.Len())
+			for i := range optionImports.Len() {
+				optionDeps[i] = optionImports.Get(i).Path()
+			}
+			p.OptionDependency = optionDeps
+		}
+	}
 	return p
 }
 
@@ -123,6 +134,14 @@ func ToDescriptorProto(message protoreflect.MessageDescriptor) *descriptorpb.Des
 	for i, names := 0, message.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := message.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
@@ -216,6 +235,14 @@ func ToEnumDescriptorProto(enum protoreflect.EnumDescriptor) *descriptorpb.EnumD
 	for i, names := 0, enum.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := enum.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
index 4eacb523c3..0b23faa957 100644
--- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
+++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
@@ -69,6 +69,8 @@ const (
 	// comparison.
 	Edition_EDITION_2023 Edition = 1000
 	Edition_EDITION_2024 Edition = 1001
+	// A placeholder edition for developing and testing unscheduled features.
+	Edition_EDITION_UNSTABLE Edition = 9999
 	// Placeholder editions for testing feature resolution.  These should not be
 	// used or relied on outside of tests.
 	Edition_EDITION_1_TEST_ONLY     Edition = 1
@@ -91,6 +93,7 @@ var (
 		999:        "EDITION_PROTO3",
 		1000:       "EDITION_2023",
 		1001:       "EDITION_2024",
+		9999:       "EDITION_UNSTABLE",
 		1:          "EDITION_1_TEST_ONLY",
 		2:          "EDITION_2_TEST_ONLY",
 		99997:      "EDITION_99997_TEST_ONLY",
@@ -105,6 +108,7 @@ var (
 		"EDITION_PROTO3":          999,
 		"EDITION_2023":            1000,
 		"EDITION_2024":            1001,
+		"EDITION_UNSTABLE":        9999,
 		"EDITION_1_TEST_ONLY":     1,
 		"EDITION_2_TEST_ONLY":     2,
 		"EDITION_99997_TEST_ONLY": 99997,
@@ -4793,11 +4797,11 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\x18EnumValueDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
 	"\x06number\x18\x02 \x01(\x05R\x06number\x12;\n" +
-	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xa7\x01\n" +
+	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xb5\x01\n" +
 	"\x16ServiceDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12>\n" +
 	"\x06method\x18\x02 \x03(\v2&.google.protobuf.MethodDescriptorProtoR\x06method\x129\n" +
-	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptions\"\x89\x02\n" +
+	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptionsJ\x04\b\x04\x10\x05R\x06stream\"\x89\x02\n" +
 	"\x15MethodDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1d\n" +
 	"\n" +
@@ -5033,14 +5037,15 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\bSemantic\x12\b\n" +
 	"\x04NONE\x10\x00\x12\a\n" +
 	"\x03SET\x10\x01\x12\t\n" +
-	"\x05ALIAS\x10\x02*\xa7\x02\n" +
+	"\x05ALIAS\x10\x02*\xbe\x02\n" +
 	"\aEdition\x12\x13\n" +
 	"\x0fEDITION_UNKNOWN\x10\x00\x12\x13\n" +
 	"\x0eEDITION_LEGACY\x10\x84\a\x12\x13\n" +
 	"\x0eEDITION_PROTO2\x10\xe6\a\x12\x13\n" +
 	"\x0eEDITION_PROTO3\x10\xe7\a\x12\x11\n" +
 	"\fEDITION_2023\x10\xe8\a\x12\x11\n" +
-	"\fEDITION_2024\x10\xe9\a\x12\x17\n" +
+	"\fEDITION_2024\x10\xe9\a\x12\x15\n" +
+	"\x10EDITION_UNSTABLE\x10\x8fN\x12\x17\n" +
 	"\x13EDITION_1_TEST_ONLY\x10\x01\x12\x17\n" +
 	"\x13EDITION_2_TEST_ONLY\x10\x02\x12\x1d\n" +
 	"\x17EDITION_99997_TEST_ONLY\x10\x9d\x8d\x06\x12\x1d\n" +
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 06d584c14b..484c21fd53 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -172,13 +172,14 @@ import (
 // ) to obtain a formatter capable of generating timestamps in this format.
 type Timestamp struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
-	// Represents seconds of UTC time since Unix epoch
-	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-	// 9999-12-31T23:59:59Z inclusive.
+	// Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+	// be between -315576000000 and 315576000000 inclusive (which corresponds to
+	// 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
 	Seconds int64 `protobuf:"varint,1,opt,name=seconds,proto3" json:"seconds,omitempty"`
-	// Non-negative fractions of a second at nanosecond resolution. Negative
-	// second values with fractions must still have non-negative nanos values
-	// that count forward in time. Must be from 0 to 999,999,999
+	// Non-negative fractions of a second at nanosecond resolution. This field is
+	// the nanosecond portion of the duration, not an alternative to seconds.
+	// Negative second values with fractions must still have non-negative nanos
+	// values that count forward in time. Must be between 0 and 999,999,999
 	// inclusive.
 	Nanos         int32 `protobuf:"varint,2,opt,name=nanos,proto3" json:"nanos,omitempty"`
 	unknownFields protoimpl.UnknownFields
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 31acfee3b6..a1e509931d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -159,9 +159,9 @@ github.com/ashanbrown/makezero/makezero
 # github.com/ashcrow/osrelease v0.0.0-20180626175927-9b292693c55c
 ## explicit
 github.com/ashcrow/osrelease
-# github.com/aws/aws-sdk-go v1.55.6
-## explicit; go 1.19
-github.com/aws/aws-sdk-go/aws/arn
+# github.com/aws/aws-sdk-go-v2 v1.41.1
+## explicit; go 1.23
+github.com/aws/aws-sdk-go-v2/aws/arn
 # github.com/beorn7/perks v1.0.1
 ## explicit; go 1.11
 github.com/beorn7/perks/quantile
@@ -350,8 +350,8 @@ github.com/coreos/go-semver/semver
 # github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f
 ## explicit
 github.com/coreos/go-systemd/unit
-# github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
-## explicit; go 1.12
+# github.com/coreos/go-systemd/v22 v22.6.0
+## explicit; go 1.23
 github.com/coreos/go-systemd/v22/daemon
 github.com/coreos/go-systemd/v22/dbus
 github.com/coreos/go-systemd/v22/journal
@@ -385,8 +385,8 @@ github.com/coreos/ignition/config/validate
 github.com/coreos/ignition/config/validate/astjson
 github.com/coreos/ignition/config/validate/astnode
 github.com/coreos/ignition/config/validate/report
-# github.com/coreos/ignition/v2 v2.20.0
-## explicit; go 1.20
+# github.com/coreos/ignition/v2 v2.26.0
+## explicit; go 1.24.0
 github.com/coreos/ignition/v2/config/merge
 github.com/coreos/ignition/v2/config/shared/errors
 github.com/coreos/ignition/v2/config/shared/parse
@@ -410,6 +410,8 @@ github.com/coreos/ignition/v2/config/v3_4/types
 github.com/coreos/ignition/v2/config/v3_5
 github.com/coreos/ignition/v2/config/v3_5/translate
 github.com/coreos/ignition/v2/config/v3_5/types
+github.com/coreos/ignition/v2/config/v3_6/translate
+github.com/coreos/ignition/v2/config/v3_6/types
 github.com/coreos/ignition/v2/config/validate
 # github.com/coreos/rpmostree-client-go v0.0.0-20230914135003-fae0786302f7
 ## explicit; go 1.17
@@ -540,8 +542,8 @@ github.com/go-critic/go-critic/linter
 # github.com/go-errors/errors v1.4.2
 ## explicit; go 1.14
 github.com/go-errors/errors
-# github.com/go-jose/go-jose/v4 v4.0.5
-## explicit; go 1.21
+# github.com/go-jose/go-jose/v4 v4.1.3
+## explicit; go 1.24.0
 github.com/go-jose/go-jose/v4
 github.com/go-jose/go-jose/v4/cipher
 github.com/go-jose/go-jose/v4/json
@@ -1725,7 +1727,7 @@ github.com/spf13/cast
 # github.com/spf13/cobra v1.10.0
 ## explicit; go 1.15
 github.com/spf13/cobra
-# github.com/spf13/pflag v1.0.9
+# github.com/spf13/pflag v1.0.10
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/spf13/viper v1.20.0-alpha.6
@@ -1920,8 +1922,8 @@ go.opentelemetry.io/auto/sdk/internal/telemetry
 ## explicit; go 1.19
 go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
 go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful/internal/semconvutil
-# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
+## explicit; go 1.23.0
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal
 # go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
@@ -1947,6 +1949,7 @@ go.opentelemetry.io/otel/semconv/v1.17.0
 go.opentelemetry.io/otel/semconv/v1.20.0
 go.opentelemetry.io/otel/semconv/v1.26.0
 go.opentelemetry.io/otel/semconv/v1.37.0
+go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv
 go.opentelemetry.io/otel/semconv/v1.39.0
 go.opentelemetry.io/otel/semconv/v1.39.0/otelconv
 # go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0
@@ -2018,7 +2021,7 @@ go.yaml.in/yaml/v3
 # go4.org v0.0.0-20200104003542-c7e774b10ea0
 ## explicit
 go4.org/errorutil
-# golang.org/x/crypto v0.45.0
+# golang.org/x/crypto v0.47.0
 ## explicit; go 1.24.0
 golang.org/x/crypto/argon2
 golang.org/x/crypto/blake2b
@@ -2053,13 +2056,13 @@ golang.org/x/exp/slices
 # golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f
 ## explicit; go 1.18
 golang.org/x/exp/typeparams
-# golang.org/x/mod v0.29.0
+# golang.org/x/mod v0.31.0
 ## explicit; go 1.24.0
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/modfile
 golang.org/x/mod/module
 golang.org/x/mod/semver
-# golang.org/x/net v0.47.0
+# golang.org/x/net v0.49.0
 ## explicit; go 1.24.0
 golang.org/x/net/context
 golang.org/x/net/html
@@ -2075,11 +2078,11 @@ golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.30.0
-## explicit; go 1.23.0
+# golang.org/x/oauth2 v0.34.0
+## explicit; go 1.24.0
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.18.0
+# golang.org/x/sync v0.19.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
@@ -2093,10 +2096,10 @@ golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
 golang.org/x/sys/windows/svc
 golang.org/x/sys/windows/svc/mgr
-# golang.org/x/term v0.37.0
+# golang.org/x/term v0.39.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.31.0
+# golang.org/x/text v0.33.0
 ## explicit; go 1.24.0
 golang.org/x/text/cases
 golang.org/x/text/encoding
@@ -2128,10 +2131,10 @@ golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
 golang.org/x/text/unicode/norm
 golang.org/x/text/width
-# golang.org/x/time v0.11.0
-## explicit; go 1.23.0
+# golang.org/x/time v0.14.0
+## explicit; go 1.24.0
 golang.org/x/time/rate
-# golang.org/x/tools v0.38.0
+# golang.org/x/tools v0.40.0
 ## explicit; go 1.24.0
 golang.org/x/tools/cover
 golang.org/x/tools/go/analysis
@@ -2157,7 +2160,7 @@ golang.org/x/tools/go/analysis/passes/framepointer
 golang.org/x/tools/go/analysis/passes/httpresponse
 golang.org/x/tools/go/analysis/passes/ifaceassert
 golang.org/x/tools/go/analysis/passes/inspect
-golang.org/x/tools/go/analysis/passes/internal/analysisutil
+golang.org/x/tools/go/analysis/passes/internal/ctrlflowinternal
 golang.org/x/tools/go/analysis/passes/loopclosure
 golang.org/x/tools/go/analysis/passes/lostcancel
 golang.org/x/tools/go/analysis/passes/nilfunc
@@ -2196,9 +2199,10 @@ golang.org/x/tools/go/types/objectpath
 golang.org/x/tools/go/types/typeutil
 golang.org/x/tools/imports
 golang.org/x/tools/internal/aliases
-golang.org/x/tools/internal/analysisinternal
-golang.org/x/tools/internal/analysisinternal/typeindex
+golang.org/x/tools/internal/analysis/analyzerutil
+golang.org/x/tools/internal/analysis/typeindex
 golang.org/x/tools/internal/astutil
+golang.org/x/tools/internal/cfginternal
 golang.org/x/tools/internal/event
 golang.org/x/tools/internal/event/core
 golang.org/x/tools/internal/event/keys
@@ -2210,26 +2214,29 @@ golang.org/x/tools/internal/gopathwalk
 golang.org/x/tools/internal/imports
 golang.org/x/tools/internal/modindex
 golang.org/x/tools/internal/moreiters
+golang.org/x/tools/internal/packagepath
 golang.org/x/tools/internal/packagesinternal
 golang.org/x/tools/internal/pkgbits
 golang.org/x/tools/internal/refactor
+golang.org/x/tools/internal/ssainternal
 golang.org/x/tools/internal/stdlib
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
 golang.org/x/tools/internal/typesinternal/typeindex
 golang.org/x/tools/internal/versions
-# google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
-## explicit; go 1.23.0
+golang.org/x/tools/refactor/satisfy
+# google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217
+## explicit; go 1.24.0
 google.golang.org/genproto/googleapis/api
 google.golang.org/genproto/googleapis/api/annotations
 google.golang.org/genproto/googleapis/api/expr/v1alpha1
 google.golang.org/genproto/googleapis/api/httpbody
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a
-## explicit; go 1.23.0
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b
+## explicit; go 1.24.0
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.72.2
-## explicit; go 1.23
+# google.golang.org/grpc v1.78.0
+## explicit; go 1.24.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
 google.golang.org/grpc/backoff
@@ -2239,7 +2246,6 @@ google.golang.org/grpc/balancer/endpointsharding
 google.golang.org/grpc/balancer/grpclb/state
 google.golang.org/grpc/balancer/pickfirst
 google.golang.org/grpc/balancer/pickfirst/internal
-google.golang.org/grpc/balancer/pickfirst/pickfirstleaf
 google.golang.org/grpc/balancer/roundrobin
 google.golang.org/grpc/binarylog/grpc_binarylog_v1
 google.golang.org/grpc/channelz
@@ -2249,6 +2255,7 @@ google.golang.org/grpc/credentials
 google.golang.org/grpc/credentials/insecure
 google.golang.org/grpc/encoding
 google.golang.org/grpc/encoding/gzip
+google.golang.org/grpc/encoding/internal
 google.golang.org/grpc/encoding/proto
 google.golang.org/grpc/experimental/stats
 google.golang.org/grpc/grpclog
@@ -2293,7 +2300,7 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.8
+# google.golang.org/protobuf v1.36.11
 ## explicit; go 1.23
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson