changelog: revert previous release version

Signed-off-by: Artem Fetishev <rtm@victoriametrics.com>

deployment/docker/compose-vm-cluster.yml

@@ -3,7 +3,7 @@ services:
   #  It scrapes targets defined in --promscrape.config
   #  And forward them to --remoteWrite.url
   vmagent:
-    image: victoriametrics/vmagent:v1.143.0
+    image: victoriametrics/vmagent:v1.144.0
     depends_on:
       - "vmauth"
     ports:
@@ -42,14 +42,14 @@ services:
   # vmstorage shards. Each shard receives 1/N of all metrics sent to vminserts,
   # where N is number of vmstorages (2 in this case).
   vmstorage-1:
-    image: victoriametrics/vmstorage:v1.143.0-cluster
+    image: victoriametrics/vmstorage:v1.144.0-cluster
     volumes:
       - strgdata-1:/storage
     command:
       - "--storageDataPath=/storage"
     restart: always
   vmstorage-2:
-    image: victoriametrics/vmstorage:v1.143.0-cluster
+    image: victoriametrics/vmstorage:v1.144.0-cluster
     volumes:
       - strgdata-2:/storage
     command:
@@ -59,7 +59,7 @@ services:
   # vminsert is ingestion frontend. It receives metrics pushed by vmagent,
   # pre-process them and distributes across configured vmstorage shards.
   vminsert-1:
-    image: victoriametrics/vminsert:v1.143.0-cluster
+    image: victoriametrics/vminsert:v1.144.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -68,7 +68,7 @@ services:
       - "--storageNode=vmstorage-2:8400"
     restart: always
   vminsert-2:
-    image: victoriametrics/vminsert:v1.143.0-cluster
+    image: victoriametrics/vminsert:v1.144.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -80,7 +80,7 @@ services:
   # vmselect is a query fronted. It serves read queries in MetricsQL or PromQL.
   # vmselect collects results from configured `--storageNode` shards.
   vmselect-1:
-    image: victoriametrics/vmselect:v1.143.0-cluster
+    image: victoriametrics/vmselect:v1.144.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -90,7 +90,7 @@ services:
       - "--vmalert.proxyURL=http://vmalert:8880"
     restart: always
   vmselect-2:
-    image: victoriametrics/vmselect:v1.143.0-cluster
+    image: victoriametrics/vmselect:v1.144.0-cluster
     depends_on:
       - "vmstorage-1"
       - "vmstorage-2"
@@ -105,7 +105,7 @@ services:
   # read requests from Grafana, vmui, vmalert among vmselects.
   # It can be used as an authentication proxy.
   vmauth:
-    image: victoriametrics/vmauth:v1.143.0
+    image: victoriametrics/vmauth:v1.144.0
     depends_on:
       - "vmselect-1"
       - "vmselect-2"
@@ -119,7 +119,7 @@ services:
 
   # vmalert executes alerting and recording rules
   vmalert:
-    image: victoriametrics/vmalert:v1.143.0
+    image: victoriametrics/vmalert:v1.144.0
     depends_on:
       - "vmauth"
     ports:

deployment/docker/compose-vm-single.yml

@@ -3,7 +3,7 @@ services:
   #  It scrapes targets defined in --promscrape.config
   #  And forward them to --remoteWrite.url
   vmagent:
-    image: victoriametrics/vmagent:v1.143.0
+    image: victoriametrics/vmagent:v1.144.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -18,7 +18,7 @@ services:
   # VictoriaMetrics instance, a single process responsible for
   # storing metrics and serve read requests.
   victoriametrics:
-    image: victoriametrics/victoria-metrics:v1.143.0
+    image: victoriametrics/victoria-metrics:v1.144.0
     ports:
       - 8428:8428
       - 8089:8089
@@ -59,7 +59,7 @@ services:
 
   # vmalert executes alerting and recording rules
   vmalert:
-    image: victoriametrics/vmalert:v1.143.0
+    image: victoriametrics/vmalert:v1.144.0
     depends_on:
       - "victoriametrics"
       - "alertmanager"

deployment/docker/vmanomaly/vmanomaly-integration/compose.yml

@@ -1,6 +1,6 @@
 services:
   vmagent:
-    image: victoriametrics/vmagent:v1.143.0
+    image: victoriametrics/vmagent:v1.144.0
     depends_on:
       - "victoriametrics"
     ports:
@@ -14,7 +14,7 @@ services:
     restart: always
 
   victoriametrics:
-    image: victoriametrics/victoria-metrics:v1.143.0
+    image: victoriametrics/victoria-metrics:v1.144.0
     ports:
       - 8428:8428
     volumes:
@@ -40,7 +40,7 @@ services:
     restart: always
 
   vmalert:
-    image: victoriametrics/vmalert:v1.143.0
+    image: victoriametrics/vmalert:v1.144.0
     depends_on:
       - "victoriametrics"
     ports:

docs/guides/grafana-vmauth-openid-configuration/README.md

@@ -240,23 +240,23 @@ vmagent will write data into VictoriaMetrics single-node and cluster (with tenan
 # compose.yaml
 services:
   vmsingle:
-    image: victoriametrics/victoria-metrics:v1.143.0
+    image: victoriametrics/victoria-metrics:v1.144.0
 
   vmstorage:
-    image: victoriametrics/vmstorage:v1.143.0-cluster
+    image: victoriametrics/vmstorage:v1.144.0-cluster
 
   vminsert:
-    image: victoriametrics/vminsert:v1.143.0-cluster
+    image: victoriametrics/vminsert:v1.144.0-cluster
     command:
       - -storageNode=vmstorage:8400
 
   vmselect:
-    image: victoriametrics/vmselect:v1.143.0-cluster
+    image: victoriametrics/vmselect:v1.144.0-cluster
     command:
       - -storageNode=vmstorage:8401
 
   vmagent:
-    image: victoriametrics/vmagent:v1.143.0
+    image: victoriametrics/vmagent:v1.144.0
     volumes:
       - ./scrape.yaml:/etc/vmagent/config.yaml
     command:
@@ -308,7 +308,7 @@ Now add the vmauth service to `compose.yaml`:
 # compose.yaml
 services:
   vmauth:
-    image: docker.io/victoriametrics/vmauth:v1.143.0
+    image: docker.io/victoriametrics/vmauth:v1.144.0
     ports:
       - 8427:8427
     volumes:

docs/guides/vmagent-openid-configuration/README.md

@@ -155,15 +155,15 @@ These services will store and query the metrics scraped by vmagent.
 # compose.yaml
 services:
   vmstorage:
-    image: victoriametrics/vmstorage:v1.143.0-cluster
+    image: victoriametrics/vmstorage:v1.144.0-cluster
 
   vminsert:
-    image: victoriametrics/vminsert:v1.143.0-cluster
+    image: victoriametrics/vminsert:v1.144.0-cluster
     command:
       - -storageNode=vmstorage:8400
 
   vmselect:
-    image: victoriametrics/vmselect:v1.143.0-cluster
+    image: victoriametrics/vmselect:v1.144.0-cluster
     command:
       - -storageNode=vmstorage:8401
     ports:
@@ -196,7 +196,7 @@ Add the vmauth service to `compose.yaml`:
 # compose.yaml
 services:
   vmauth:
-    image: victoriametrics/vmauth:v1.143.0-enterprise
+    image: victoriametrics/vmauth:v1.144.0-enterprise
     ports:
       - 8427:8427
     volumes:
@@ -251,7 +251,7 @@ Add the vmagent service to `compose.yaml` with OAuth2 configuration:
 # compose.yaml
 services:
   vmagent:
-    image: victoriametrics/vmagent:v1.143.0
+    image: victoriametrics/vmagent:v1.144.0
     volumes:
       - ./scrape.yaml:/etc/vmagent/config.yaml
     command:

docs/guides/vmalert-datasource-managed-alerts-grafana/README.md

@@ -107,7 +107,7 @@ The final piece is the Docker Compose file. This ties all the services together
 # compose.yml
 services:
   victoriametrics:
-    image: victoriametrics/victoria-metrics:v1.143.0
+    image: victoriametrics/victoria-metrics:v1.144.0
     command:
       - "--storageDataPath=/victoria-metrics-data"
       - "--selfScrapeInterval=10s"
@@ -128,7 +128,7 @@ services:
       - ./alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 
   vmalert:
-    image: victoriametrics/vmalert:v1.143.0
+    image: victoriametrics/vmalert:v1.144.0
     depends_on:
       - victoriametrics
       - alertmanager

docs/victoriametrics/Quick-Start.md

@@ -58,9 +58,9 @@ Download the newest available [VictoriaMetrics release](https://docs.victoriamet
 from [DockerHub](https://hub.docker.com/r/victoriametrics/victoria-metrics) or [Quay](https://quay.io/repository/victoriametrics/victoria-metrics?tab=tags):
 
 ```sh
-docker pull victoriametrics/victoria-metrics:v1.143.0
+docker pull victoriametrics/victoria-metrics:v1.144.0
 docker run -it --rm -v `pwd`/victoria-metrics-data:/victoria-metrics-data -p 8428:8428 \
- victoriametrics/victoria-metrics:v1.143.0 --selfScrapeInterval=5s -storageDataPath=victoria-metrics-data
+ victoriametrics/victoria-metrics:v1.144.0 --selfScrapeInterval=5s -storageDataPath=victoria-metrics-data
 ```
 
 _For Enterprise images, see [this link](https://docs.victoriametrics.com/victoriametrics/enterprise/#docker-images)._

docs/victoriametrics/changelog/CHANGELOG.md

@@ -240,6 +240,28 @@ It enables back `Discovered targets` debug UI by default.
 * BUGFIX: `vmstorage` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): properly apply `extra_filters[]` filter when querying `vm_account_id` or `vm_project_id` labels via [multitenant](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#multitenancy) request for `/api/v1/label/…/values` API. Before, `extra_filters` was ignored. See [#10503](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10503).
 * BUGFIX: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): revert the use of rollup result cache for [instant queries](https://docs.victoriametrics.com/keyConcepts.html#instant-query) that contain [`rate`](https://docs.victoriametrics.com/MetricsQL.html#rate) function with a lookbehind window larger than `-search.minWindowForInstantRollupOptimization`. The cache usage was removed since [v1.132.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.132.0). See [#10098](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10098#issuecomment-3895011084) for more details.
 
+## [v1.136.10](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.136.10)
+
+Released at 2026-05-22
+
+**v1.136.x is a line of [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-releases/). It contains important up-to-date bugfixes for [VictoriaMetrics enterprise](https://docs.victoriametrics.com/victoriametrics/enterprise/).
+All these fixes are also included in [the latest community release](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/latest).
+The v1.136.x line will be supported for at least 12 months since [v1.136.0](https://docs.victoriametrics.com/victoriametrics/changelog/#v11360) release**
+
+* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): stop emitting stale values for `quantiles(...)` outputs when a time series has no samples during the current aggregation interval. See [#10918](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10918). Thanks to @alexei38 for the contribution.
+* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): extend delay on aggregation windows flush by the biggest lag among pushed samples. Before, the delay was calculated as 95th percentile across samples, which could underrepresent outliers and reject them from aggregation as "too old". See [#10402](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10402).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): fix a bug in [cardinality limiters](https://docs.victoriametrics.com/victoriametrics/vmagent/#cardinality-limiter) where series with different labels, like `{a="bc"}` and `{ab="c"}`, could be incorrectly treated as identical and dropped. See [#10937](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10937).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): hide values passed to `-remoteWrite.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): hide values passed to `-remoteWrite.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive credentials.
+* BUGFIX: [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/): hide values passed to `-remoteWrite.headers`,`remoteRead.headers`, `datasource.headers` and `notifier.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: `vminsert` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): properly establish [mtls](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection) connection between vmstorage and vminsert. Regression was introduced in v1.130.0 release for the enterprise version of vmstorage. See [#10972](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10972).
+* BUGFIX: [vmrestore](https://docs.victoriametrics.com/victoriametrics/vmrestore/): fix a bug where specifying `-storageDataPath` with a trailing slash could cause `vmrestore` to panic. See [#10823](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10823). Thanks to @utafrali for the contribution.
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): prevent unintentional rerouting of samples to other sharding targets when one of the `-remoteWrite.url` targets with `-remoteWrite.disableOnDiskQueue` becomes blocked. Previously this could break the sharding guarantee by sending samples to wrong targets instead of dropping or retrying them. See [#10507](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10507).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): return error on startup if `-remoteWrite.disableOnDiskQueue` is not configured uniformly across all `-remoteWrite.url` targets when `-remoteWrite.shardByURL` is enabled. Either all targets must have it enabled or all must have it disabled. See [#10507](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10507).
+* BUGFIX: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): hide values passed to `vmalert.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): preserve exact series values in graph tooltips instead of rounding them by significant digits. See [#10952](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10952).
+* BUGFIX: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): add missing `__timestamp__` and `__value__` columns to CSV exported from the table view on the Query tab. See [#10975](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10975).
+
 ## [v1.136.9](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.136.9)
 
 Released at 2026-05-08
@@ -561,6 +583,26 @@ See changes [here](https://docs.victoriametrics.com/victoriametrics/changelog/ch
 
 See changes [here](https://docs.victoriametrics.com/victoriametrics/changelog/changelog_2025/#v11230)
 
+## [v1.122.23](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.23)
+
+Released at 2026-05-22
+
+**v1.122.x is a line of [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-releases/). It contains important up-to-date bugfixes for [VictoriaMetrics enterprise](https://docs.victoriametrics.com/victoriametrics/enterprise/).
+All these fixes are also included in [the latest community release](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/latest).
+The v1.122.x line will be supported for at least 12 months since [v1.122.0](https://docs.victoriametrics.com/victoriametrics/changelog/#v11220) release**
+
+* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): stop emitting stale values for `quantiles(...)` outputs when a time series has no samples during the current aggregation interval. See [#10918](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10918). Thanks to @alexei38 for the contribution.
+* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): extend delay on aggregation windows flush by the biggest lag among pushed samples. Before, the delay was calculated as 95th percentile across samples, which could underrepresent outliers and reject them from aggregation as "too old". See [#10402](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10402).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): fix a bug in [cardinality limiters](https://docs.victoriametrics.com/victoriametrics/vmagent/#cardinality-limiter) where series with different labels, like `{a="bc"}` and `{ab="c"}`, could be incorrectly treated as identical and dropped. See [#10937](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10937).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): hide values passed to `-remoteWrite.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): hide values passed to `-remoteWrite.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive credentials.
+* BUGFIX: [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/): hide values passed to `-remoteWrite.headers`,`remoteRead.headers`, `datasource.headers` and `notifier.headers` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: [vmrestore](https://docs.victoriametrics.com/victoriametrics/vmrestore/): fix a bug where specifying `-storageDataPath` with a trailing slash could cause `vmrestore` to panic. See [#10823](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10823). Thanks to @utafrali for the contribution.
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): prevent unintentional rerouting of samples to other sharding targets when one of the `-remoteWrite.url` targets with `-remoteWrite.disableOnDiskQueue` becomes blocked. Previously this could break the sharding guarantee by sending samples to wrong targets instead of dropping or retrying them. See [#10507](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10507).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): return error on startup if `-remoteWrite.disableOnDiskQueue` is not configured uniformly across all `-remoteWrite.url` targets when `-remoteWrite.shardByURL` is enabled. Either all targets must have it enabled or all must have it disabled. See [#10507](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10507).
+* BUGFIX: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): hide values passed to `vmalert.proxyURL` in startup logs, `/metrics`, and `/flags`, since they can contain sensitive HTTP headers such as `Authorization` and API keys.
+* BUGFIX: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): preserve exact series values in graph tooltips instead of rounding them by significant digits. See [#10952](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10952).
+
 ## [v1.122.22](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.22)
 
 Released at 2026-05-08

docs/victoriametrics/enterprise.md

@@ -121,7 +121,7 @@ It is allowed to run Enterprise components in [cases listed here](https://docs.v
 Binary releases of Enterprise components are available at [the releases page for VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/latest),
 [the releases page for VictoriaLogs](https://github.com/VictoriaMetrics/VictoriaLogs/releases/latest)
 and [the releases page for VictoriaTraces](https://github.com/VictoriaMetrics/VictoriaTraces/releases/latest).
-Enterprise binaries and packages have `enterprise` suffix in their names. For example, `victoria-metrics-linux-amd64-v1.143.0-enterprise.tar.gz`.
+Enterprise binaries and packages have `enterprise` suffix in their names. For example, `victoria-metrics-linux-amd64-v1.144.0-enterprise.tar.gz`.
 
 In order to run binary release of Enterprise component, please download the `*-enterprise.tar.gz` archive for your OS and architecture
 from the corresponding releases page and unpack it. Then run the unpacked binary.
@@ -139,8 +139,8 @@ For example, the following command runs VictoriaMetrics Enterprise binary with t
 obtained at [this page](https://victoriametrics.com/products/enterprise/trial/):
 
 ```sh
-wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.143.0/victoria-metrics-linux-amd64-v1.143.0-enterprise.tar.gz
-tar -xzf victoria-metrics-linux-amd64-v1.143.0-enterprise.tar.gz
+wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.144.0/victoria-metrics-linux-amd64-v1.144.0-enterprise.tar.gz
+tar -xzf victoria-metrics-linux-amd64-v1.144.0-enterprise.tar.gz
 ./victoria-metrics-prod -license=BASE64_ENCODED_LICENSE_KEY
 ```
 
@@ -155,7 +155,7 @@ Alternatively, VictoriaMetrics Enterprise license can be stored in the file and
 It is allowed to run Enterprise components in [cases listed here](https://docs.victoriametrics.com/victoriametrics/enterprise/#valid-cases-for-victoriametrics-enterprise).
 
 Docker images for Enterprise components are available at [VictoriaMetrics Docker Hub](https://hub.docker.com/u/victoriametrics) and [VictoriaMetrics Quay](https://quay.io/organization/victoriametrics).
-Enterprise docker images have `enterprise` suffix in their names. For example, `victoriametrics/victoria-metrics:v1.143.0-enterprise`.
+Enterprise docker images have `enterprise` suffix in their names. For example, `victoriametrics/victoria-metrics:v1.144.0-enterprise`.
 
 In order to run Docker image of VictoriaMetrics Enterprise component, it is required to provide the license key via the command-line
 flag as described in the [binary-releases](https://docs.victoriametrics.com/victoriametrics/enterprise/#binary-releases) section.
@@ -165,13 +165,13 @@ Enterprise license key can be obtained at [this page](https://victoriametrics.co
 For example, the following command runs VictoriaMetrics Enterprise Docker image with the specified license key:
 
 ```sh
-docker run --name=victoria-metrics victoriametrics/victoria-metrics:v1.143.0-enterprise -license=BASE64_ENCODED_LICENSE_KEY
+docker run --name=victoria-metrics victoriametrics/victoria-metrics:v1.144.0-enterprise -license=BASE64_ENCODED_LICENSE_KEY
 ```
 
 Alternatively, the license code can be stored in the file and then referred via `-licenseFile` command-line flag:
 
 ```sh
-docker run --name=victoria-metrics -v /vm-license:/vm-license  victoriametrics/victoria-metrics:v1.143.0-enterprise -licenseFile=/path/to/vm-license
+docker run --name=victoria-metrics -v /vm-license:/vm-license  victoriametrics/victoria-metrics:v1.144.0-enterprise -licenseFile=/path/to/vm-license
 ```
 
 Example docker-compose configuration:
@@ -181,7 +181,7 @@ version: "3.5"
 services:
   victoriametrics:
     container_name: victoriametrics
-    image: victoriametrics/victoria-metrics:v1.143.0
+    image: victoriametrics/victoria-metrics:v1.144.0
     ports:
       - 8428:8428
     volumes:
@@ -213,7 +213,7 @@ is used to provide the license key in plain-text:
 ```yaml
 server:
   image:
-    tag: v1.143.0-enterprise
+    tag: v1.144.0-enterprise
 
 license:
   key: {BASE64_ENCODED_LICENSE_KEY}
@@ -224,7 +224,7 @@ In order to provide the license key via existing secret, the following values fi
 ```yaml
 server:
   image:
-    tag: v1.143.0-enterprise
+    tag: v1.144.0-enterprise
 
 license:
   secret:
@@ -274,7 +274,7 @@ spec:
   license:
     key: {BASE64_ENCODED_LICENSE_KEY}
   image:
-    tag: v1.143.0-enterprise
+    tag: v1.144.0-enterprise
 ```
 
 In order to provide the license key via an existing secret, the following custom resource is used:
@@ -291,7 +291,7 @@ spec:
       name: vm-license
       key: license
   image:
-    tag: v1.143.0-enterprise
+    tag: v1.144.0-enterprise
 ```
 
 Example secret with license key:
@@ -342,7 +342,7 @@ Builds are available for amd64 and arm64 architectures.
 
 Example archive:
 
-`victoria-metrics-linux-amd64-v1.143.0-enterprise.tar.gz`
+`victoria-metrics-linux-amd64-v1.144.0-enterprise.tar.gz`
 
 Includes:
 
@@ -351,7 +351,7 @@ Includes:
 
 Example Docker image:
 
-`victoriametrics/victoria-metrics:v1.143.0-enterprise-fips` – uses the FIPS-compatible binary and based on `scratch` image.
+`victoriametrics/victoria-metrics:v1.144.0-enterprise-fips` – uses the FIPS-compatible binary and based on `scratch` image.
 
 ## What Happens to Licensed Components When a License Expires
 

docs/victoriametrics/scrape_config_examples.md

@@ -35,8 +35,8 @@ scrape_configs:
 After you created the `scrape.yaml` file, download and unpack [single-node VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) to the same directory:
 
 ```sh
-wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.143.0/victoria-metrics-linux-amd64-v1.143.0.tar.gz
-tar xzf victoria-metrics-linux-amd64-v1.143.0.tar.gz
+wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.144.0/victoria-metrics-linux-amd64-v1.144.0.tar.gz
+tar xzf victoria-metrics-linux-amd64-v1.144.0.tar.gz
 ```
 
 Then start VictoriaMetrics and instruct it to scrape targets defined in `scrape.yaml` and save scraped metrics
@@ -150,8 +150,8 @@ Then start [single-node VictoriaMetrics](https://docs.victoriametrics.com/victor
 
 ```yaml
 # Download and unpack single-node VictoriaMetrics
-wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.143.0/victoria-metrics-linux-amd64-v1.143.0.tar.gz
-tar xzf victoria-metrics-linux-amd64-v1.143.0.tar.gz
+wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.144.0/victoria-metrics-linux-amd64-v1.144.0.tar.gz
+tar xzf victoria-metrics-linux-amd64-v1.144.0.tar.gz
 
 # Run single-node VictoriaMetrics with the given scrape.yaml
 ./victoria-metrics-prod -promscrape.config=scrape.yaml

docs/victoriametrics/victoria_metrics_common_flags.md

@@ -37,7 +37,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/
      Flag value can be read from the given file when using -deleteAuthKey=file:///abs/path/to/file or -deleteAuthKey=file://./relative/path/to/file.
      Flag value can be read from the given http/https url when using -deleteAuthKey=http://host/path or -deleteAuthKey=https://host/path
   -denyQueriesOutsideRetention
-     Whether to deny queries outside the configured -retentionPeriod. When set, then /api/v1/query_range would return '503 Service Unavailable' error for queries with 'from' value outside -retentionPeriod. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
+     Whether to deny queries outside the configured -retentionPeriod and -futureRetention. When set, then /api/v1/query_range will return an error for queries with 'from' value outside -retentionPeriod or 'to' value beyond -futureRetention. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
   -denyQueryTracing
      Whether to disable the ability to trace queries. See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#query-tracing
   -disablePerDayIndex
@@ -198,7 +198,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/
   -maxLabelsPerTimeseries int
      The maximum number of labels per time series to be accepted. Series with superfluous labels are ignored. In this case the vm_rows_ignored_total{reason="too_many_labels"} metric at /metrics page is incremented (default 40)
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
@@ -217,6 +217,8 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
   -opentelemetry.convertMetricNamesToPrometheus
      Whether to convert only metric names into Prometheus-compatible format for the metrics ingested via OpenTelemetry protocol; see https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/
+  -opentelemetry.labelNameUnderscoreSanitization
+     Whether to enable prepending of 'key' to labels starting with '_' when -opentelemetry.usePrometheusNaming is enabled. Reserved labels starting with '__' are not modified. See https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/ (default true)
   -opentelemetry.maxRequestSize size
      The maximum size in bytes of a single OpenTelemetry request
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)

docs/victoriametrics/vmagent_common_flags.md

@@ -169,7 +169,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmagent/ .
   -maxLabelsPerTimeseries int
      The maximum number of labels per time series to be accepted. Series with superfluous labels are ignored. In this case the vm_rows_ignored_total{reason="too_many_labels"} metric at /metrics page is incremented
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
@@ -184,6 +184,8 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmagent/ .
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
   -opentelemetry.convertMetricNamesToPrometheus
      Whether to convert only metric names into Prometheus-compatible format for the metrics ingested via OpenTelemetry protocol; see https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/
+  -opentelemetry.labelNameUnderscoreSanitization
+     Whether to enable prepending of 'key' to labels starting with '_' when -opentelemetry.usePrometheusNaming is enabled. Reserved labels starting with '__' are not modified. See https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/ (default true)
   -opentelemetry.maxRequestSize size
      The maximum size in bytes of a single OpenTelemetry request
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)

docs/victoriametrics/vmalert_common_flags.md

@@ -166,7 +166,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmalert/ .
   -loggerWarnsPerSecondLimit int
      Per-second limit on the number of WARN messages. If more than the given number of warns are emitted per second, then the remaining warns are suppressed. Zero values disable the rate limit
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)

docs/victoriametrics/vmauth_common_flags.md

@@ -135,7 +135,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmauth/ .
      The maximum request body size to buffer in memory for potential retries at other backends. Request bodies larger than this size cannot be retried if the backend fails. Zero or negative value disables retries. See also -requestBufferSize
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 16384)
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)

docs/victoriametrics/vmctl/vmctl.md

@@ -34,9 +34,9 @@ vmctl command-line tool is available as:
 
 Download and unpack vmctl:
 ```sh
-wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.143.0/vmutils-darwin-arm64-v1.143.0.tar.gz
+wget https://github.com/VictoriaMetrics/VictoriaMetrics/releases/download/v1.144.0/vmutils-darwin-arm64-v1.144.0.tar.gz
 
-tar xzf vmutils-darwin-arm64-v1.143.0.tar.gz
+tar xzf vmutils-darwin-arm64-v1.144.0.tar.gz
 ```
 
 Once binary is unpacked, see the full list of supported modes by running the following command:

docs/victoriametrics/vminsert_common_flags.md

@@ -169,7 +169,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
   -maxLabelsPerTimeseries int
      The maximum number of labels per time series to be accepted. Series with superfluous labels are ignored. In this case the vm_rows_ignored_total{reason="too_many_labels"} metric at /metrics page is incremented (default 40)
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)
@@ -184,6 +184,8 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)
   -opentelemetry.convertMetricNamesToPrometheus
      Whether to convert only metric names into Prometheus-compatible format for the metrics ingested via OpenTelemetry protocol; see https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/
+  -opentelemetry.labelNameUnderscoreSanitization
+     Whether to enable prepending of 'key' to labels starting with '_' when -opentelemetry.usePrometheusNaming is enabled. Reserved labels starting with '__' are not modified. See https://docs.victoriametrics.com/victoriametrics/integrations/opentelemetry/ (default true)
   -opentelemetry.maxRequestSize size
      The maximum size in bytes of a single OpenTelemetry request
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 67108864)

docs/victoriametrics/vminsert_enterprise_flags.md

@@ -18,6 +18,20 @@ sitemap:
      Whether to skip verification of TLS certificates provided by -storageNode nodes if -cluster.tls flag is set. Note that disabled TLS certificate verification breaks security. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
   -cluster.tlsKeyFile string
      Path to client-side TLS key file to use when connecting to -storageNode if -cluster.tls flag is set. See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+  -clusternative.tls
+     Whether to use TLS when accepting connections at -clusternativeListenAddr. See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+  -clusternative.tlsCAFile string
+     Path to TLS CA file to use for verifying certificates provided by vminsert, which connects at -clusternativeListenAddr if -clusternative.tls flag is set. By default system CA is used. See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+  -clusternative.tlsCertFile string
+     Path to server-side TLS certificate file to use when accepting connections at -clusternativeListenAddr if -clusternative.tls flag is set. See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+  -clusternative.tlsCipherSuites array
+     Optional list of TLS cipher suites used for connections at -clusternativeListenAddr if -clusternative.tls flag is set. See the list of supported cipher suites at https://pkg.go.dev/crypto/tls#pkg-constants . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+     Supports an array of values separated by comma or specified via multiple flags.
+     Each array item can contain comma inside single-quoted or double-quoted string, {}, [] and () braces.
+  -clusternative.tlsInsecureSkipVerify
+     Whether to skip verification of TLS certificates provided by vminsert, which connects to -clusternativeListenAddr if -clusternative.tls flag is set. Note that disabled TLS certificate verification breaks security. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
+  -clusternative.tlsKeyFile string
+     Path to server-side TLS key file to use when accepting connections at -clusternativeListenAddr if -clusternative.tls flag is set. See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#mtls-protection . This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/victoriametrics/enterprise/
   -eula
      Deprecated, please use -license or -licenseFile flags instead. By specifying this flag, you confirm that you have an enterprise license and accept the ESA https://victoriametrics.com/legal/esa/ . This flag is available only in Enterprise binaries. See https://docs.victoriametrics.com/victoriametrics/enterprise/
   -license string

docs/victoriametrics/vmselect_common_flags.md

@@ -126,7 +126,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
   -loggerWarnsPerSecondLimit int
      Per-second limit on the number of WARN messages. If more than the given number of warns are emitted per second, then the remaining warns are suppressed. Zero values disable the rate limit
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)

docs/victoriametrics/vmstorage_common_flags.md

@@ -22,7 +22,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
   -dedup.minScrapeInterval duration
      Leave only the last sample in every time series per each discrete interval equal to -dedup.minScrapeInterval > 0. See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#deduplication for details
   -denyQueriesOutsideRetention
-     Whether to deny queries outside of the configured -retentionPeriod. When set, then /api/v1/query_range would return '503 Service Unavailable' error for queries with 'from' value outside -retentionPeriod. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
+     Whether to deny queries outside the configured -retentionPeriod and -futureRetention. When set, then /api/v1/query_range will return an error for queries with 'from' value outside -retentionPeriod or 'to' value beyond -futureRetention. This may be useful when multiple data sources with distinct retentions are hidden behind query-tee
   -denyQueryTracing
      Whether to disable the ability to trace queries. See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#query-tracing
   -disablePerDayIndex
@@ -131,7 +131,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
   -maxConcurrentInserts int
      The maximum number of concurrent insert requests. Set higher value when clients send data over slow networks. Default value depends on the number of available CPU cores. It should work fine in most cases since it minimizes resource usage. See also -insert.maxQueueDuration (default 2*cgroup.AvailableCPUs())
   -memory.allowedBytes size
-     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage
+     Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache resulting in higher disk IO usage. The process may behave unexpectedly if this flag is set too small (e.g., 1 byte).
      Supports the following optional suffixes for size values: KB, MB, GB, TB, KiB, MiB, GiB, TiB (default 0)
   -memory.allowedPercent float
      Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from the OS page cache which will result in higher disk IO usage (default 60)

go.mod

@@ -33,9 +33,9 @@ require (
 	github.com/valyala/gozstd v1.24.0
 	github.com/valyala/histogram v1.2.0
 	github.com/valyala/quicktemplate v1.8.0
-	golang.org/x/net v0.53.0
+	golang.org/x/net v0.55.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sys v0.43.0
+	golang.org/x/sys v0.45.0
 	google.golang.org/api v0.276.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -155,11 +155,11 @@ require (
 	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/genproto v0.0.0-20260414002931-afd174a4e478 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260414002931-afd174a4e478 // indirect

go.sum

@@ -376,8 +376,6 @@ github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEo
 github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
 github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
 github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
-github.com/prometheus/prometheus v0.311.2 h1:6fBxp93y08GAZGNT1o3bIhgV/AMYvBFfU+ltDNEsHg8=
-github.com/prometheus/prometheus v0.311.2/go.mod h1:gjsCxTKtHO1Q8T9333u1s+lUR1OjPyM7ruuGH8RvVyo=
 github.com/prometheus/prometheus v0.311.3 h1:3IrVxQv6v5i/ZCGi6OrYeBhtCwaPTn6Z3DYruXoYm3M=
 github.com/prometheus/prometheus v0.311.3/go.mod h1:gjsCxTKtHO1Q8T9333u1s+lUR1OjPyM7ruuGH8RvVyo=
 github.com/prometheus/sigv4 v0.4.1 h1:EIc3j+8NBea9u1iV6O5ZAN8uvPq2xOIUPcqCTivHuXs=
@@ -511,8 +509,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
 golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -523,8 +521,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -536,14 +534,14 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

vendor/golang.org/x/crypto/hkdf/hkdf.go

@@ -11,6 +11,7 @@
 package hkdf
 
 import (
+	"crypto/hkdf"
 	"crypto/hmac"
 	"errors"
 	"hash"
@@ -24,15 +25,19 @@ import (
 // Expand invocations and different context values. Most common scenarios,
 // including the generation of multiple keys, should use New instead.
 func Extract(hash func() hash.Hash, secret, salt []byte) []byte {
-	if salt == nil {
-		salt = make([]byte, hash().Size())
+	// Use the stdlib Extract, which disables FIPS 140 enforcement of the HMAC
+	// key (which in HKDF is the salt). The only possible error is FIPS 140
+	// enforcement of the hash, which had to panic under this API anyway. We
+	// don't use the stdlib Expand, because it switched to returning a []byte
+	// instead of an io.Reader, and Expand uses the HMAC key as a key.
+	out, err := hkdf.Extract(hash, secret, salt)
+	if err != nil {
+		panic(err)
 	}
-	extractor := hmac.New(hash, salt)
-	extractor.Write(secret)
-	return extractor.Sum(nil)
+	return out
 }
 
-type hkdf struct {
+type hkdfReader struct {
 	expander hash.Hash
 	size     int
 
@@ -43,7 +48,7 @@ type hkdf struct {
 	buf  []byte
 }
 
-func (f *hkdf) Read(p []byte) (int, error) {
+func (f *hkdfReader) Read(p []byte) (int, error) {
 	// Check whether enough data can be generated
 	need := len(p)
 	remains := len(f.buf) + int(255-f.counter+1)*f.size
@@ -84,7 +89,7 @@ func (f *hkdf) Read(p []byte) (int, error) {
 // 3.3. Most common scenarios will want to use New instead.
 func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader {
 	expander := hmac.New(hash, pseudorandomKey)
-	return &hkdf{expander, expander.Size(), info, 1, nil, nil}
+	return &hkdfReader{expander, expander.Size(), info, 1, nil, nil}
 }
 
 // New returns a Reader, from which keys can be read, using the given hash,

vendor/golang.org/x/net/http2/README.md

@@ -0,0 +1,19 @@
+This package (golang.org/x/net/http2) is the original source of truth
+of the Go HTTP/2 implementation.
+
+As of Go 1.27, the source of truth has moved to the standard library
+package net/http/internal/http2.
+All new feature development should happen in that package.
+Only critical bug fixes and security fixes will be backported to x/net.
+
+The x/net package contains two implementations of the HTTP/2 transport and server:
+
+The original implementation (no longer the source of truth).
+
+A reimplementation of the x/net/http2 APIs in terms of net/http.
+This is called "the wrapping implementation", since it wraps net/http.
+
+The original implementation is used when the Go version is less than 1.27.
+
+The wrapping implementation is used when the Go version is at least 1.27.
+The build tag "http2legacy" may be set to use the original implementation.

vendor/golang.org/x/net/http2/client_conn_pool.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 // Transport code's client connection pooling.
 
 package http2
@@ -14,18 +16,6 @@ import (
 	"sync"
 )
 
-// ClientConnPool manages a pool of HTTP/2 client connections.
-type ClientConnPool interface {
-	// GetClientConn returns a specific HTTP/2 connection (usually
-	// a TLS-TCP connection) to an HTTP/2 server. On success, the
-	// returned ClientConn accounts for the upcoming RoundTrip
-	// call, so the caller should not omit it. If the caller needs
-	// to, ClientConn.RoundTrip can be called with a bogus
-	// new(http.Request) to release the stream reservation.
-	GetClientConn(req *http.Request, addr string) (*ClientConn, error)
-	MarkDead(*ClientConn)
-}
-
 // clientConnPoolIdleCloser is the interface implemented by ClientConnPool
 // implementations which can close their idle connections.
 type clientConnPoolIdleCloser interface {

vendor/golang.org/x/net/http2/clientconn.go

@@ -0,0 +1,57 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"context"
+	"net/http"
+)
+
+func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	return cc.roundTrip(req)
+}
+
+// SetDoNotReuse marks cc as not reusable for future HTTP requests.
+func (cc *ClientConn) SetDoNotReuse() {
+	cc.setDoNotReuse()
+}
+
+// CanTakeNewRequest reports whether the connection can take a new request,
+// meaning it has not been closed or received or sent a GOAWAY.
+//
+// If the caller is going to immediately make a new request on this
+// connection, use ReserveNewRequest instead.
+func (cc *ClientConn) CanTakeNewRequest() bool {
+	return cc.canTakeNewRequest()
+}
+
+// ReserveNewRequest is like CanTakeNewRequest but also reserves a
+// concurrent stream in cc. The reservation is decremented on the
+// next call to RoundTrip.
+func (cc *ClientConn) ReserveNewRequest() bool {
+	return cc.reserveNewRequest()
+}
+
+// State returns a snapshot of cc's state.
+func (cc *ClientConn) State() ClientConnState {
+	return cc.state()
+}
+
+// Shutdown gracefully closes the client connection, waiting for running streams to complete.
+func (cc *ClientConn) Shutdown(ctx context.Context) error {
+	return cc.shutdown(ctx)
+}
+
+// Close closes the client connection immediately.
+//
+// In-flight requests are interrupted. For a graceful shutdown, use Shutdown instead.
+func (cc *ClientConn) Close() error {
+	return cc.close()
+}
+
+// Ping sends a PING frame to the server and waits for the ack.
+func (cc *ClientConn) Ping(ctx context.Context) error {
+	return cc.ping(ctx)
+}

vendor/golang.org/x/net/http2/config.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import (

vendor/golang.org/x/net/http2/hpack/tables.go

@@ -6,7 +6,6 @@ package hpack
 
 import (
 	"fmt"
-	"strings"
 )
 
 // headerFieldTable implements a list of HeaderFields.
@@ -55,16 +54,10 @@ func (t *headerFieldTable) len() int {
 
 // addEntry adds a new entry.
 func (t *headerFieldTable) addEntry(f HeaderField) {
-	// Prevent f from escaping to the heap.
-	f2 := HeaderField{
-		Name:      strings.Clone(f.Name),
-		Value:     strings.Clone(f.Value),
-		Sensitive: f.Sensitive,
-	}
 	id := uint64(t.len()) + t.evictCount + 1
-	t.byName[f2.Name] = id
-	t.byNameValue[pairNameValue{f2.Name, f2.Value}] = id
-	t.ents = append(t.ents, f2)
+	t.byName[f.Name] = id
+	t.byNameValue[pairNameValue{f.Name, f.Value}] = id
+	t.ents = append(t.ents, f)
 }
 
 // evictOldest evicts the n oldest entries in the table.

vendor/golang.org/x/net/http2/http2.go

@@ -195,7 +195,7 @@ func (s SettingID) String() string {
 }
 
 // validWireHeaderFieldName reports whether v is a valid header field
-// name (key). See httpguts.ValidHeaderName for the base rules.
+// name (key). See httpguts.ValidHeaderFieldName for the base rules.
 //
 // Further, http2 says:
 //

vendor/golang.org/x/net/http2/server.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 // TODO: turn off the serve goroutine when idle, so
 // an idle conn only has the readFrames goroutine active. (which could
 // also be optimized probably to pin less memory in crypto/tls). This
@@ -88,98 +90,6 @@ var (
 	testHookOnPanic       func(sc *serverConn, panicVal interface{}) (rePanic bool)
 )
 
-// Server is an HTTP/2 server.
-type Server struct {
-	// MaxHandlers limits the number of http.Handler ServeHTTP goroutines
-	// which may run at a time over all connections.
-	// Negative or zero no limit.
-	// TODO: implement
-	MaxHandlers int
-
-	// MaxConcurrentStreams optionally specifies the number of
-	// concurrent streams that each client may have open at a
-	// time. This is unrelated to the number of http.Handler goroutines
-	// which may be active globally, which is MaxHandlers.
-	// If zero, MaxConcurrentStreams defaults to at least 100, per
-	// the HTTP/2 spec's recommendations.
-	MaxConcurrentStreams uint32
-
-	// MaxDecoderHeaderTableSize optionally specifies the http2
-	// SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It
-	// informs the remote endpoint of the maximum size of the header compression
-	// table used to decode header blocks, in octets. If zero, the default value
-	// of 4096 is used.
-	MaxDecoderHeaderTableSize uint32
-
-	// MaxEncoderHeaderTableSize optionally specifies an upper limit for the
-	// header compression table used for encoding request headers. Received
-	// SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero,
-	// the default value of 4096 is used.
-	MaxEncoderHeaderTableSize uint32
-
-	// MaxReadFrameSize optionally specifies the largest frame
-	// this server is willing to read. A valid value is between
-	// 16k and 16M, inclusive. If zero or otherwise invalid, a
-	// default value is used.
-	MaxReadFrameSize uint32
-
-	// PermitProhibitedCipherSuites, if true, permits the use of
-	// cipher suites prohibited by the HTTP/2 spec.
-	PermitProhibitedCipherSuites bool
-
-	// IdleTimeout specifies how long until idle clients should be
-	// closed with a GOAWAY frame. PING frames are not considered
-	// activity for the purposes of IdleTimeout.
-	// If zero or negative, there is no timeout.
-	IdleTimeout time.Duration
-
-	// ReadIdleTimeout is the timeout after which a health check using a ping
-	// frame will be carried out if no frame is received on the connection.
-	// If zero, no health check is performed.
-	ReadIdleTimeout time.Duration
-
-	// PingTimeout is the timeout after which the connection will be closed
-	// if a response to a ping is not received.
-	// If zero, a default of 15 seconds is used.
-	PingTimeout time.Duration
-
-	// WriteByteTimeout is the timeout after which a connection will be
-	// closed if no data can be written to it. The timeout begins when data is
-	// available to write, and is extended whenever any bytes are written.
-	// If zero or negative, there is no timeout.
-	WriteByteTimeout time.Duration
-
-	// MaxUploadBufferPerConnection is the size of the initial flow
-	// control window for each connections. The HTTP/2 spec does not
-	// allow this to be smaller than 65535 or larger than 2^32-1.
-	// If the value is outside this range, a default value will be
-	// used instead.
-	MaxUploadBufferPerConnection int32
-
-	// MaxUploadBufferPerStream is the size of the initial flow control
-	// window for each stream. The HTTP/2 spec does not allow this to
-	// be larger than 2^32-1. If the value is zero or larger than the
-	// maximum, a default value will be used instead.
-	MaxUploadBufferPerStream int32
-
-	// NewWriteScheduler constructs a write scheduler for a connection.
-	// If nil, a default scheduler is chosen.
-	//
-	// Deprecated: User-provided write schedulers are deprecated.
-	NewWriteScheduler func() WriteScheduler
-
-	// CountError, if non-nil, is called on HTTP/2 server errors.
-	// It's intended to increment a metric for monitoring, such
-	// as an expvar or Prometheus metric.
-	// The errType consists of only ASCII word characters.
-	CountError func(errType string)
-
-	// Internal state. This is a pointer (rather than embedded directly)
-	// so that we don't embed a Mutex in this struct, which will make the
-	// struct non-copyable, which might break some callers.
-	state *serverInternalState
-}
-
 type serverInternalState struct {
 	mu          sync.Mutex
 	activeConns map[*serverConn]struct{}
@@ -187,6 +97,9 @@ type serverInternalState struct {
 	// Pool of error channels. This is per-Server rather than global
 	// because channels can't be reused across synctest bubbles.
 	errChanPool sync.Pool
+
+	// Used in tests.
+	testNewConn func(*serverConn)
 }
 
 func (s *serverInternalState) registerConn(sc *serverConn) {
@@ -239,12 +152,7 @@ func (s *serverInternalState) putErrChan(ch chan error) {
 	s.errChanPool.Put(ch)
 }
 
-// ConfigureServer adds HTTP/2 support to a net/http Server.
-//
-// The configuration conf may be nil.
-//
-// ConfigureServer must be called before s begins serving.
-func ConfigureServer(s *http.Server, conf *Server) error {
+func configureServer(s *http.Server, conf *Server) error {
 	if s == nil {
 		panic("nil *http.Server")
 	}
@@ -349,83 +257,6 @@ func ConfigureServer(s *http.Server, conf *Server) error {
 	return nil
 }
 
-// ServeConnOpts are options for the Server.ServeConn method.
-type ServeConnOpts struct {
-	// Context is the base context to use.
-	// If nil, context.Background is used.
-	Context context.Context
-
-	// BaseConfig optionally sets the base configuration
-	// for values. If nil, defaults are used.
-	BaseConfig *http.Server
-
-	// Handler specifies which handler to use for processing
-	// requests. If nil, BaseConfig.Handler is used. If BaseConfig
-	// or BaseConfig.Handler is nil, http.DefaultServeMux is used.
-	Handler http.Handler
-
-	// UpgradeRequest is an initial request received on a connection
-	// undergoing an h2c upgrade. The request body must have been
-	// completely read from the connection before calling ServeConn,
-	// and the 101 Switching Protocols response written.
-	UpgradeRequest *http.Request
-
-	// Settings is the decoded contents of the HTTP2-Settings header
-	// in an h2c upgrade request.
-	Settings []byte
-
-	// SawClientPreface is set if the HTTP/2 connection preface
-	// has already been read from the connection.
-	SawClientPreface bool
-}
-
-func (o *ServeConnOpts) context() context.Context {
-	if o != nil && o.Context != nil {
-		return o.Context
-	}
-	return context.Background()
-}
-
-func (o *ServeConnOpts) baseConfig() *http.Server {
-	if o != nil && o.BaseConfig != nil {
-		return o.BaseConfig
-	}
-	return new(http.Server)
-}
-
-func (o *ServeConnOpts) handler() http.Handler {
-	if o != nil {
-		if o.Handler != nil {
-			return o.Handler
-		}
-		if o.BaseConfig != nil && o.BaseConfig.Handler != nil {
-			return o.BaseConfig.Handler
-		}
-	}
-	return http.DefaultServeMux
-}
-
-// ServeConn serves HTTP/2 requests on the provided connection and
-// blocks until the connection is no longer readable.
-//
-// ServeConn starts speaking HTTP/2 assuming that c has not had any
-// reads or writes. It writes its initial settings frame and expects
-// to be able to read the preface and settings frame from the
-// client. If c has a ConnectionState method like a *tls.Conn, the
-// ConnectionState is used to verify the TLS ciphersuite and to set
-// the Request.TLS field in Handlers.
-//
-// ServeConn does not support h2c by itself. Any h2c support must be
-// implemented in terms of providing a suitably-behaving net.Conn.
-//
-// The opts parameter is optional. If nil, default values are used.
-func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
-	if opts == nil {
-		opts = &ServeConnOpts{}
-	}
-	s.serveConn(c, opts, nil)
-}
-
 func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverConn)) {
 	baseCtx, cancel := serverConnBaseContext(c, opts)
 	defer cancel()
@@ -461,6 +292,9 @@ func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverCon
 	if newf != nil {
 		newf(sc)
 	}
+	if s.state != nil && s.state.testNewConn != nil {
+		s.state.testNewConn(sc)
+	}
 
 	s.state.registerConn(sc)
 	defer s.state.unregisterConn(sc)
@@ -570,15 +404,6 @@ func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverCon
 	sc.serve(conf)
 }
 
-func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) {
-	ctx, cancel = context.WithCancel(opts.context())
-	ctx = context.WithValue(ctx, http.LocalAddrContextKey, c.LocalAddr())
-	if hs := opts.baseConfig(); hs != nil {
-		ctx = context.WithValue(ctx, http.ServerContextKey, hs)
-	}
-	return
-}
-
 func (sc *serverConn) rejectConn(err ErrCode, debug string) {
 	sc.vlogf("http2: server rejecting conn: %v, %s", err, debug)
 	// ignoring errors. hanging up anyway.
@@ -2832,21 +2657,6 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 	return len(p), nil
 }
 
-// TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
-// that, if present, signals that the map entry is actually for
-// the response trailers, and not the response headers. The prefix
-// is stripped after the ServeHTTP call finishes and the values are
-// sent in the trailers.
-//
-// This mechanism is intended only for trailers that are not known
-// prior to the headers being written. If the set of trailers is fixed
-// or known before the header is written, the normal Go trailers mechanism
-// is preferred:
-//
-//	https://golang.org/pkg/net/http/#ResponseWriter
-//	https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
-const TrailerPrefix = "Trailer:"
-
 // promoteUndeclaredTrailers permits http.Handlers to set trailers
 // after the header has already been flushed. Because the Go
 // ResponseWriter interface has no way to set Trailers (only the
@@ -3123,12 +2933,6 @@ func (w *responseWriter) handlerDone() {
 	responseWriterStatePool.Put(rws)
 }
 
-// Push errors.
-var (
-	ErrRecursivePush    = errors.New("http2: recursive push not allowed")
-	ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
-)
-
 var _ http.Pusher = (*responseWriter)(nil)
 
 func (w *responseWriter) Push(target string, opts *http.PushOptions) error {

vendor/golang.org/x/net/http2/server_common.go

@@ -0,0 +1,221 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"time"
+)
+
+// TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
+// that, if present, signals that the map entry is actually for
+// the response trailers, and not the response headers. The prefix
+// is stripped after the ServeHTTP call finishes and the values are
+// sent in the trailers.
+//
+// This mechanism is intended only for trailers that are not known
+// prior to the headers being written. If the set of trailers is fixed
+// or known before the header is written, the normal Go trailers mechanism
+// is preferred:
+//
+//	https://golang.org/pkg/net/http/#ResponseWriter
+//	https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
+const TrailerPrefix = "Trailer:"
+
+// Push errors.
+var (
+	ErrRecursivePush    = errors.New("http2: recursive push not allowed")
+	ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
+)
+
+// ConfigureServer adds HTTP/2 support to a net/http Server.
+//
+// The configuration conf may be nil.
+//
+// ConfigureServer must be called before s begins serving.
+func ConfigureServer(s *http.Server, conf *Server) error {
+	return configureServer(s, conf)
+}
+
+// Server is an HTTP/2 server.
+type Server struct {
+	// MaxHandlers limits the number of http.Handler ServeHTTP goroutines
+	// which may run at a time over all connections.
+	// Negative or zero no limit.
+	// TODO: implement
+	MaxHandlers int
+
+	// MaxConcurrentStreams optionally specifies the number of
+	// concurrent streams that each client may have open at a
+	// time. This is unrelated to the number of http.Handler goroutines
+	// which may be active globally, which is MaxHandlers.
+	// If zero, MaxConcurrentStreams defaults to at least 100, per
+	// the HTTP/2 spec's recommendations.
+	MaxConcurrentStreams uint32
+
+	// MaxDecoderHeaderTableSize optionally specifies the http2
+	// SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It
+	// informs the remote endpoint of the maximum size of the header compression
+	// table used to decode header blocks, in octets. If zero, the default value
+	// of 4096 is used.
+	MaxDecoderHeaderTableSize uint32
+
+	// MaxEncoderHeaderTableSize optionally specifies an upper limit for the
+	// header compression table used for encoding request headers. Received
+	// SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero,
+	// the default value of 4096 is used.
+	MaxEncoderHeaderTableSize uint32
+
+	// MaxReadFrameSize optionally specifies the largest frame
+	// this server is willing to read. A valid value is between
+	// 16k and 16M, inclusive. If zero or otherwise invalid, a
+	// default value is used.
+	MaxReadFrameSize uint32
+
+	// PermitProhibitedCipherSuites, if true, permits the use of
+	// cipher suites prohibited by the HTTP/2 spec.
+	PermitProhibitedCipherSuites bool
+
+	// IdleTimeout specifies how long until idle clients should be
+	// closed with a GOAWAY frame. PING frames are not considered
+	// activity for the purposes of IdleTimeout.
+	// If zero or negative, there is no timeout.
+	IdleTimeout time.Duration
+
+	// ReadIdleTimeout is the timeout after which a health check using a ping
+	// frame will be carried out if no frame is received on the connection.
+	// If zero, no health check is performed.
+	ReadIdleTimeout time.Duration
+
+	// PingTimeout is the timeout after which the connection will be closed
+	// if a response to a ping is not received.
+	// If zero, a default of 15 seconds is used.
+	PingTimeout time.Duration
+
+	// WriteByteTimeout is the timeout after which a connection will be
+	// closed if no data can be written to it. The timeout begins when data is
+	// available to write, and is extended whenever any bytes are written.
+	// If zero or negative, there is no timeout.
+	WriteByteTimeout time.Duration
+
+	// MaxUploadBufferPerConnection is the size of the initial flow
+	// control window for each connections. The HTTP/2 spec does not
+	// allow this to be smaller than 65535 or larger than 2^32-1.
+	// If the value is outside this range, a default value will be
+	// used instead.
+	MaxUploadBufferPerConnection int32
+
+	// MaxUploadBufferPerStream is the size of the initial flow control
+	// window for each stream. The HTTP/2 spec does not allow this to
+	// be larger than 2^32-1. If the value is zero or larger than the
+	// maximum, a default value will be used instead.
+	MaxUploadBufferPerStream int32
+
+	// NewWriteScheduler constructs a write scheduler for a connection.
+	// If nil, a default scheduler is chosen.
+	//
+	// Deprecated: User-provided write schedulers are deprecated.
+	NewWriteScheduler func() WriteScheduler
+
+	// CountError, if non-nil, is called on HTTP/2 server errors.
+	// It's intended to increment a metric for monitoring, such
+	// as an expvar or Prometheus metric.
+	// The errType consists of only ASCII word characters.
+	CountError func(errType string)
+
+	// Internal state. This is a pointer (rather than embedded directly)
+	// so that we don't embed a Mutex in this struct, which will make the
+	// struct non-copyable, which might break some callers.
+	state *serverInternalState
+}
+
+// ServeConnOpts are options for the Server.ServeConn method.
+type ServeConnOpts struct {
+	// Context is the base context to use.
+	// If nil, context.Background is used.
+	Context context.Context
+
+	// BaseConfig optionally sets the base configuration
+	// for values. If nil, defaults are used.
+	BaseConfig *http.Server
+
+	// Handler specifies which handler to use for processing
+	// requests. If nil, BaseConfig.Handler is used. If BaseConfig
+	// or BaseConfig.Handler is nil, http.DefaultServeMux is used.
+	Handler http.Handler
+
+	// UpgradeRequest is an initial request received on a connection
+	// undergoing an h2c upgrade. The request body must have been
+	// completely read from the connection before calling ServeConn,
+	// and the 101 Switching Protocols response written.
+	UpgradeRequest *http.Request
+
+	// Settings is the decoded contents of the HTTP2-Settings header
+	// in an h2c upgrade request.
+	Settings []byte
+
+	// SawClientPreface is set if the HTTP/2 connection preface
+	// has already been read from the connection.
+	SawClientPreface bool
+}
+
+// ServeConn serves HTTP/2 requests on the provided connection and
+// blocks until the connection is no longer readable.
+//
+// ServeConn starts speaking HTTP/2 assuming that c has not had any
+// reads or writes. It writes its initial settings frame and expects
+// to be able to read the preface and settings frame from the
+// client. If c has a ConnectionState method like a *tls.Conn, the
+// ConnectionState is used to verify the TLS ciphersuite and to set
+// the Request.TLS field in Handlers.
+//
+// ServeConn does not support h2c by itself. Any h2c support must be
+// implemented in terms of providing a suitably-behaving net.Conn.
+//
+// The opts parameter is optional. If nil, default values are used.
+func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
+	if opts == nil {
+		opts = &ServeConnOpts{}
+	}
+	s.serveConn(c, opts, nil)
+}
+
+func (o *ServeConnOpts) context() context.Context {
+	if o != nil && o.Context != nil {
+		return o.Context
+	}
+	return context.Background()
+}
+
+func (o *ServeConnOpts) baseConfig() *http.Server {
+	if o != nil && o.BaseConfig != nil {
+		return o.BaseConfig
+	}
+	return new(http.Server)
+}
+
+func (o *ServeConnOpts) handler() http.Handler {
+	if o != nil {
+		if o.Handler != nil {
+			return o.Handler
+		}
+		if o.BaseConfig != nil && o.BaseConfig.Handler != nil {
+			return o.BaseConfig.Handler
+		}
+	}
+	return http.DefaultServeMux
+}
+
+func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) {
+	ctx, cancel = context.WithCancel(opts.context())
+	ctx = context.WithValue(ctx, http.LocalAddrContextKey, c.LocalAddr())
+	if hs := opts.baseConfig(); hs != nil {
+		ctx = context.WithValue(ctx, http.ServerContextKey, hs)
+	}
+	return
+}

vendor/golang.org/x/net/http2/server_wrap.go

@@ -0,0 +1,201 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.27 && !http2legacy
+
+// Server wrapping a net/http.Server.
+
+package http2
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+)
+
+type serverInternalState struct {
+	s1            *http.Server
+	initOnce      sync.Once
+	serveConnFunc func(context.Context, net.Conn, http.Handler, bool, *http.Request, []byte)
+}
+
+func configureServer(s *http.Server, conf *Server) error {
+	if s == nil {
+		panic("nil *http.Server")
+	}
+	if conf == nil {
+		conf = new(Server)
+	}
+	if conf.state != nil {
+		// This isn't a panic in the pre-wrapping implementation,
+		// but calling ConfigureServer twice with the same http2.Server
+		// overwrites internal state on the server.
+		// Make the error explicit and early here.
+		panic("ConfigureServer may be called only once per Server")
+	}
+	if h1, h2 := s, conf; h2.IdleTimeout == 0 {
+		if h1.IdleTimeout != 0 {
+			h2.IdleTimeout = h1.IdleTimeout
+		} else {
+			h2.IdleTimeout = h1.ReadTimeout
+		}
+	}
+	conf.state = &serverInternalState{
+		s1: s,
+	}
+	sconfig := &serverConfig{s: conf}
+	if err := s.Serve(sconfig); err != nil || sconfig.serveConnFunc == nil {
+		panic("http2: net/http does not support this version of x/net/http2")
+	}
+	conf.state.serveConnFunc = sconfig.serveConnFunc
+	return nil
+}
+
+type serverConfig struct {
+	s             *Server
+	serveConnFunc func(context.Context, net.Conn, http.Handler, bool, *http.Request, []byte)
+}
+
+func (*serverConfig) Accept() (net.Conn, error) {
+	return nil, errors.New("unexpected call to Accept")
+}
+func (*serverConfig) Close() error {
+	return nil
+}
+func (*serverConfig) Addr() net.Addr {
+	return nil
+}
+
+func (s *serverConfig) ServeConnFunc(f func(context.Context, net.Conn, http.Handler, bool, *http.Request, []byte)) {
+	s.serveConnFunc = f
+}
+
+func (s *serverConfig) HTTP2Config() http.HTTP2Config {
+	return http.HTTP2Config{
+		MaxConcurrentStreams:          int(s.s.MaxConcurrentStreams),
+		MaxDecoderHeaderTableSize:     int(s.s.MaxDecoderHeaderTableSize),
+		MaxEncoderHeaderTableSize:     int(s.s.MaxEncoderHeaderTableSize),
+		MaxReadFrameSize:              int(s.s.MaxReadFrameSize),
+		PermitProhibitedCipherSuites:  s.s.PermitProhibitedCipherSuites,
+		MaxReceiveBufferPerConnection: int(s.s.MaxUploadBufferPerConnection),
+		MaxReceiveBufferPerStream:     int(s.s.MaxUploadBufferPerStream),
+		SendPingTimeout:               s.s.ReadIdleTimeout,
+		PingTimeout:                   s.s.PingTimeout,
+		WriteByteTimeout:              s.s.WriteByteTimeout,
+		CountError:                    s.s.CountError,
+	}
+}
+
+func (s *serverConfig) IdleTimeout() time.Duration {
+	return s.s.IdleTimeout
+}
+
+type serverConn struct{}
+
+func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, _ func(*serverConn)) {
+	var serveConnFunc func(context.Context, net.Conn, http.Handler, bool, *http.Request, []byte)
+	switch {
+	case opts.BaseConfig != nil:
+		// The user has provided us with an http.Server to take configuration from.
+		//
+		// We can't send our request to opts.BaseConfig, because an http.Server can
+		// only be associated with a single http2.Server and the user might
+		// use this one with several http.Servers.
+		//
+		// We can't send our request to s.state.s1, because it doesn't contain
+		// the right configuration.
+		//
+		// So create a one-off copy of opts.BaseConfig and use it.
+		h1 := &http.Server{
+			TLSConfig:         opts.BaseConfig.TLSConfig,
+			ReadTimeout:       opts.BaseConfig.ReadTimeout,
+			ReadHeaderTimeout: opts.BaseConfig.ReadHeaderTimeout,
+			WriteTimeout:      opts.BaseConfig.WriteTimeout,
+			IdleTimeout:       opts.BaseConfig.IdleTimeout,
+			MaxHeaderBytes:    opts.BaseConfig.MaxHeaderBytes,
+			ConnState:         opts.BaseConfig.ConnState,
+			ErrorLog:          opts.BaseConfig.ErrorLog,
+			BaseContext:       opts.BaseConfig.BaseContext,
+			ConnContext:       opts.BaseConfig.ConnContext,
+			HTTP2:             opts.BaseConfig.HTTP2,
+		}
+		sconfig := &serverConfig{s: s}
+		if err := h1.Serve(sconfig); err != nil || sconfig.serveConnFunc == nil {
+			panic("http2: net/http does not support this version of x/net/http2")
+		}
+		serveConnFunc = sconfig.serveConnFunc
+	case s.state != nil:
+		serveConnFunc = s.state.serveConnFunc
+	default:
+		// Strange-but-true: Server has no concurrency-safe way to initialize
+		// its internal state, so historically ServeConn just doesn't use any
+		// persistent state if you don't call ConfigureServer first.
+		//
+		// If ConfigureServer hasn't been called, create a one-off http.Server
+		// for the connection, since we don't have any way to keep one around for reuse.
+		h1 := &http.Server{}
+		sconfig := &serverConfig{s: s}
+		if err := h1.Serve(sconfig); err != nil || sconfig.serveConnFunc == nil {
+			panic("http2: net/http does not support this version of x/net/http2")
+		}
+		serveConnFunc = sconfig.serveConnFunc
+	}
+
+	ctx, cancel := serverConnBaseContext(c, opts)
+	defer cancel()
+	serveConnFunc(ctx, c, opts.handler(), opts.SawClientPreface, opts.UpgradeRequest, opts.Settings)
+
+}
+
+// FrameWriteRequest is a request to write a frame.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+type FrameWriteRequest struct {
+	// Ideally we'd define this in writesched_common.go,
+	// to avoid duplicating an exported symbol across two files,
+	// but the changes required to make this work are fairly large.
+}
+
+func (wr FrameWriteRequest) StreamID() uint32 {
+	return 0
+}
+
+func (wr FrameWriteRequest) DataSize() int {
+	return 0
+}
+
+func (wr FrameWriteRequest) Consume(n int32) (FrameWriteRequest, FrameWriteRequest, int) {
+	return FrameWriteRequest{}, FrameWriteRequest{}, 0
+}
+
+func (wr FrameWriteRequest) String() string {
+	return ""
+}
+
+// NewPriorityWriteScheduler is deprecated.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler {
+	return unsupportedWriteScheduler{}
+}
+
+// NewRandomWriteScheduler is deprecated.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+func NewRandomWriteScheduler() WriteScheduler {
+	return unsupportedWriteScheduler{}
+}
+
+type unsupportedWriteScheduler struct{}
+
+func (unsupportedWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) {}
+func (unsupportedWriteScheduler) CloseStream(streamID uint32)                           {}
+func (unsupportedWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam)  {}
+func (unsupportedWriteScheduler) Push(wr FrameWriteRequest)                             {}
+func (unsupportedWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) {
+	return FrameWriteRequest{}, false
+}

vendor/golang.org/x/net/http2/transport.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 // Transport code.
 
 package http2
@@ -21,20 +23,17 @@ import (
 	"log"
 	"math"
 	"math/bits"
-	mathrand "math/rand"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/textproto"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	"golang.org/x/net/http/httpguts"
 	"golang.org/x/net/http2/hpack"
-	"golang.org/x/net/idna"
 	"golang.org/x/net/internal/httpcommon"
 )
 
@@ -60,123 +59,7 @@ const (
 	defaultMaxConcurrentStreams = 1000
 )
 
-// Transport is an HTTP/2 Transport.
-//
-// A Transport internally caches connections to servers. It is safe
-// for concurrent use by multiple goroutines.
-type Transport struct {
-	// DialTLSContext specifies an optional dial function with context for
-	// creating TLS connections for requests.
-	//
-	// If DialTLSContext and DialTLS is nil, tls.Dial is used.
-	//
-	// If the returned net.Conn has a ConnectionState method like tls.Conn,
-	// it will be used to set http.Response.TLS.
-	DialTLSContext func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error)
-
-	// DialTLS specifies an optional dial function for creating
-	// TLS connections for requests.
-	//
-	// If DialTLSContext and DialTLS is nil, tls.Dial is used.
-	//
-	// Deprecated: Use DialTLSContext instead, which allows the transport
-	// to cancel dials as soon as they are no longer needed.
-	// If both are set, DialTLSContext takes priority.
-	DialTLS func(network, addr string, cfg *tls.Config) (net.Conn, error)
-
-	// TLSClientConfig specifies the TLS configuration to use with
-	// tls.Client. If nil, the default configuration is used.
-	TLSClientConfig *tls.Config
-
-	// ConnPool optionally specifies an alternate connection pool to use.
-	// If nil, the default is used.
-	ConnPool ClientConnPool
-
-	// DisableCompression, if true, prevents the Transport from
-	// requesting compression with an "Accept-Encoding: gzip"
-	// request header when the Request contains no existing
-	// Accept-Encoding value. If the Transport requests gzip on
-	// its own and gets a gzipped response, it's transparently
-	// decoded in the Response.Body. However, if the user
-	// explicitly requested gzip it is not automatically
-	// uncompressed.
-	DisableCompression bool
-
-	// AllowHTTP, if true, permits HTTP/2 requests using the insecure,
-	// plain-text "http" scheme. Note that this does not enable h2c support.
-	AllowHTTP bool
-
-	// MaxHeaderListSize is the http2 SETTINGS_MAX_HEADER_LIST_SIZE to
-	// send in the initial settings frame. It is how many bytes
-	// of response headers are allowed. Unlike the http2 spec, zero here
-	// means to use a default limit (currently 10MB). If you actually
-	// want to advertise an unlimited value to the peer, Transport
-	// interprets the highest possible value here (0xffffffff or 1<<32-1)
-	// to mean no limit.
-	MaxHeaderListSize uint32
-
-	// MaxReadFrameSize is the http2 SETTINGS_MAX_FRAME_SIZE to send in the
-	// initial settings frame. It is the size in bytes of the largest frame
-	// payload that the sender is willing to receive. If 0, no setting is
-	// sent, and the value is provided by the peer, which should be 16384
-	// according to the spec:
-	// https://datatracker.ietf.org/doc/html/rfc7540#section-6.5.2.
-	// Values are bounded in the range 16k to 16M.
-	MaxReadFrameSize uint32
-
-	// MaxDecoderHeaderTableSize optionally specifies the http2
-	// SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It
-	// informs the remote endpoint of the maximum size of the header compression
-	// table used to decode header blocks, in octets. If zero, the default value
-	// of 4096 is used.
-	MaxDecoderHeaderTableSize uint32
-
-	// MaxEncoderHeaderTableSize optionally specifies an upper limit for the
-	// header compression table used for encoding request headers. Received
-	// SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero,
-	// the default value of 4096 is used.
-	MaxEncoderHeaderTableSize uint32
-
-	// StrictMaxConcurrentStreams controls whether the server's
-	// SETTINGS_MAX_CONCURRENT_STREAMS should be respected
-	// globally. If false, new TCP connections are created to the
-	// server as needed to keep each under the per-connection
-	// SETTINGS_MAX_CONCURRENT_STREAMS limit. If true, the
-	// server's SETTINGS_MAX_CONCURRENT_STREAMS is interpreted as
-	// a global limit and callers of RoundTrip block when needed,
-	// waiting for their turn.
-	StrictMaxConcurrentStreams bool
-
-	// IdleConnTimeout is the maximum amount of time an idle
-	// (keep-alive) connection will remain idle before closing
-	// itself.
-	// Zero means no limit.
-	IdleConnTimeout time.Duration
-
-	// ReadIdleTimeout is the timeout after which a health check using ping
-	// frame will be carried out if no frame is received on the connection.
-	// Note that a ping response will is considered a received frame, so if
-	// there is no other traffic on the connection, the health check will
-	// be performed every ReadIdleTimeout interval.
-	// If zero, no health check is performed.
-	ReadIdleTimeout time.Duration
-
-	// PingTimeout is the timeout after which the connection will be closed
-	// if a response to Ping is not received.
-	// Defaults to 15s.
-	PingTimeout time.Duration
-
-	// WriteByteTimeout is the timeout after which the connection will be
-	// closed no data can be written to it. The timeout begins when data is
-	// available to write, and is extended whenever any bytes are written.
-	WriteByteTimeout time.Duration
-
-	// CountError, if non-nil, is called on HTTP/2 transport errors.
-	// It's intended to increment a metric for monitoring, such
-	// as an expvar or Prometheus metric.
-	// The errType consists of only ASCII word characters.
-	CountError func(errType string)
-
+type transportInternal struct {
 	// t1, if non-nil, is the standard library Transport using
 	// this transport. Its settings are used (but not its
 	// RoundTrip method, etc).
@@ -217,27 +100,18 @@ func (t *Transport) disableCompression() bool {
 	return t.DisableCompression || (t.t1 != nil && t.t1.DisableCompression)
 }
 
-// ConfigureTransport configures a net/http HTTP/1 Transport to use HTTP/2.
-// It returns an error if t1 has already been HTTP/2-enabled.
-//
-// Use ConfigureTransports instead to configure the HTTP/2 Transport.
-func ConfigureTransport(t1 *http.Transport) error {
-	_, err := ConfigureTransports(t1)
+func configureTransport(t1 *http.Transport) error {
+	_, err := configureTransports(t1)
 	return err
 }
 
-// ConfigureTransports configures a net/http HTTP/1 Transport to use HTTP/2.
-// It returns a new HTTP/2 Transport for further configuration.
-// It returns an error if t1 has already been HTTP/2-enabled.
-func ConfigureTransports(t1 *http.Transport) (*Transport, error) {
-	return configureTransports(t1)
-}
-
 func configureTransports(t1 *http.Transport) (*Transport, error) {
 	connPool := new(clientConnPool)
 	t2 := &Transport{
 		ConnPool: noDialClientConnPool{connPool},
-		t1:       t1,
+		transportInternal: transportInternal{
+			t1: t1,
+		},
 	}
 	connPool.t = t2
 	if err := registerHTTPSProtocol(t1, noDialH2RoundTripper{t2}); err != nil {
@@ -525,68 +399,7 @@ func (sew stickyErrWriter) Write(p []byte) (n int, err error) {
 	return n, err
 }
 
-// noCachedConnError is the concrete type of ErrNoCachedConn, which
-// needs to be detected by net/http regardless of whether it's its
-// bundled version (in h2_bundle.go with a rewritten type name) or
-// from a user's x/net/http2. As such, as it has a unique method name
-// (IsHTTP2NoCachedConnError) that net/http sniffs for via func
-// isNoCachedConnError.
-type noCachedConnError struct{}
-
-func (noCachedConnError) IsHTTP2NoCachedConnError() {}
-func (noCachedConnError) Error() string             { return "http2: no cached connection was available" }
-
-// isNoCachedConnError reports whether err is of type noCachedConnError
-// or its equivalent renamed type in net/http2's h2_bundle.go. Both types
-// may coexist in the same running program.
-func isNoCachedConnError(err error) bool {
-	_, ok := err.(interface{ IsHTTP2NoCachedConnError() })
-	return ok
-}
-
-var ErrNoCachedConn error = noCachedConnError{}
-
-// RoundTripOpt are options for the Transport.RoundTripOpt method.
-type RoundTripOpt struct {
-	// OnlyCachedConn controls whether RoundTripOpt may
-	// create a new TCP connection. If set true and
-	// no cached connection is available, RoundTripOpt
-	// will return ErrNoCachedConn.
-	OnlyCachedConn bool
-
-	allowHTTP bool // allow http:// URLs
-}
-
-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
-	return t.RoundTripOpt(req, RoundTripOpt{})
-}
-
-// authorityAddr returns a given authority (a host/IP, or host:port / ip:port)
-// and returns a host:port. The port 443 is added if needed.
-func authorityAddr(scheme string, authority string) (addr string) {
-	host, port, err := net.SplitHostPort(authority)
-	if err != nil { // authority didn't have a port
-		host = authority
-		port = ""
-	}
-	if port == "" { // authority's port was empty
-		port = "443"
-		if scheme == "http" {
-			port = "80"
-		}
-	}
-	if a, err := idna.ToASCII(host); err == nil {
-		host = a
-	}
-	// IPv6 address literal, without a port:
-	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
-		return host + ":" + port
-	}
-	return net.JoinHostPort(host, port)
-}
-
-// RoundTripOpt is like RoundTrip, but takes options.
-func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Response, error) {
+func (t *Transport) roundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Response, error) {
 	switch req.URL.Scheme {
 	case "https":
 		// Always okay.
@@ -597,126 +410,15 @@ func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Res
 	default:
 		return nil, errors.New("http2: unsupported scheme")
 	}
-
-	addr := authorityAddr(req.URL.Scheme, req.URL.Host)
-	for retry := 0; ; retry++ {
-		cc, err := t.connPool().GetClientConn(req, addr)
-		if err != nil {
-			t.vlogf("http2: Transport failed to get client conn for %s: %v", addr, err)
-			return nil, err
-		}
-		reused := !atomic.CompareAndSwapUint32(&cc.atomicReused, 0, 1)
-		traceGotConn(req, cc, reused)
-		res, err := cc.RoundTrip(req)
-		if err != nil && retry <= 6 {
-			roundTripErr := err
-			if req, err = shouldRetryRequest(req, err); err == nil {
-				// After the first retry, do exponential backoff with 10% jitter.
-				if retry == 0 {
-					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
-					continue
-				}
-				backoff := float64(uint(1) << (uint(retry) - 1))
-				backoff += backoff * (0.1 * mathrand.Float64())
-				d := time.Second * time.Duration(backoff)
-				tm := time.NewTimer(d)
-				select {
-				case <-tm.C:
-					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
-					continue
-				case <-req.Context().Done():
-					tm.Stop()
-					err = req.Context().Err()
-				}
-			}
-		}
-		if err == errClientConnNotEstablished {
-			// This ClientConn was created recently,
-			// this is the first request to use it,
-			// and the connection is closed and not usable.
-			//
-			// In this state, cc.idleTimer will remove the conn from the pool
-			// when it fires. Stop the timer and remove it here so future requests
-			// won't try to use this connection.
-			//
-			// If the timer has already fired and we're racing it, the redundant
-			// call to MarkDead is harmless.
-			if cc.idleTimer != nil {
-				cc.idleTimer.Stop()
-			}
-			t.connPool().MarkDead(cc)
-		}
-		if err != nil {
-			t.vlogf("RoundTrip failure: %v", err)
-			return nil, err
-		}
-		return res, nil
-	}
+	return t.roundTripViaPool(req, opt, t.connPool())
 }
 
-// CloseIdleConnections closes any connections which were previously
-// connected from previous requests but are now sitting idle.
-// It does not interrupt any connections currently in use.
-func (t *Transport) CloseIdleConnections() {
+func (t *Transport) closeIdleConnections() {
 	if cp, ok := t.connPool().(clientConnPoolIdleCloser); ok {
 		cp.closeIdleConnections()
 	}
 }
 
-var (
-	errClientConnClosed         = errors.New("http2: client conn is closed")
-	errClientConnUnusable       = errors.New("http2: client conn not usable")
-	errClientConnNotEstablished = errors.New("http2: client conn could not be established")
-	errClientConnGotGoAway      = errors.New("http2: Transport received Server's graceful shutdown GOAWAY")
-	errClientConnForceClosed    = errors.New("http2: client connection force closed via ClientConn.Close")
-)
-
-// shouldRetryRequest is called by RoundTrip when a request fails to get
-// response headers. It is always called with a non-nil error.
-// It returns either a request to retry (either the same request, or a
-// modified clone), or an error if the request can't be replayed.
-func shouldRetryRequest(req *http.Request, err error) (*http.Request, error) {
-	if !canRetryError(err) {
-		return nil, err
-	}
-	// If the Body is nil (or http.NoBody), it's safe to reuse
-	// this request and its Body.
-	if req.Body == nil || req.Body == http.NoBody {
-		return req, nil
-	}
-
-	// If the request body can be reset back to its original
-	// state via the optional req.GetBody, do that.
-	if req.GetBody != nil {
-		body, err := req.GetBody()
-		if err != nil {
-			return nil, err
-		}
-		newReq := *req
-		newReq.Body = body
-		return &newReq, nil
-	}
-
-	// The Request.Body can't reset back to the beginning, but we
-	// don't seem to have started to read from it yet, so reuse
-	// the request directly.
-	if err == errClientConnUnusable {
-		return req, nil
-	}
-
-	return nil, fmt.Errorf("http2: Transport: cannot retry err [%v] after Request.Body was written; define Request.GetBody to avoid this error", err)
-}
-
-func canRetryError(err error) bool {
-	if err == errClientConnUnusable || err == errClientConnGotGoAway {
-		return true
-	}
-	if se, ok := err.(StreamError); ok {
-		return se.Code == ErrCodeRefusedStream
-	}
-	return false
-}
-
 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -743,27 +445,6 @@ func (t *Transport) newTLSConfig(host string) *tls.Config {
 	return cfg
 }
 
-func (t *Transport) dialTLS(ctx context.Context, network, addr string, tlsCfg *tls.Config) (net.Conn, error) {
-	if t.DialTLSContext != nil {
-		return t.DialTLSContext(ctx, network, addr, tlsCfg)
-	} else if t.DialTLS != nil {
-		return t.DialTLS(network, addr, tlsCfg)
-	}
-
-	tlsCn, err := t.dialTLSWithContext(ctx, network, addr, tlsCfg)
-	if err != nil {
-		return nil, err
-	}
-	state := tlsCn.ConnectionState()
-	if p := state.NegotiatedProtocol; p != NextProtoTLS {
-		return nil, fmt.Errorf("http2: unexpected ALPN protocol %q; want %q", p, NextProtoTLS)
-	}
-	if !state.NegotiatedProtocolIsMutual {
-		return nil, errors.New("http2: could not negotiate protocol mutually")
-	}
-	return tlsCn, nil
-}
-
 // disableKeepAlives reports whether connections should be closed as
 // soon as possible after handling the first request.
 func (t *Transport) disableKeepAlives() bool {
@@ -777,7 +458,7 @@ func (t *Transport) expectContinueTimeout() time.Duration {
 	return t.t1.ExpectContinueTimeout
 }
 
-func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
+func (t *Transport) newUserClientConn(c net.Conn) (*ClientConn, error) {
 	return t.newClientConn(c, t.disableKeepAlives(), nil)
 }
 
@@ -890,8 +571,7 @@ func (cc *ClientConn) healthCheck() {
 	}
 }
 
-// SetDoNotReuse marks cc as not reusable for future HTTP requests.
-func (cc *ClientConn) SetDoNotReuse() {
+func (cc *ClientConn) setDoNotReuse() {
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 	cc.doNotReuse = true
@@ -932,21 +612,13 @@ func (cc *ClientConn) setGoAway(f *GoAwayFrame) {
 	}
 }
 
-// CanTakeNewRequest reports whether the connection can take a new request,
-// meaning it has not been closed or received or sent a GOAWAY.
-//
-// If the caller is going to immediately make a new request on this
-// connection, use ReserveNewRequest instead.
-func (cc *ClientConn) CanTakeNewRequest() bool {
+func (cc *ClientConn) canTakeNewRequest() bool {
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 	return cc.canTakeNewRequestLocked()
 }
 
-// ReserveNewRequest is like CanTakeNewRequest but also reserves a
-// concurrent stream in cc. The reservation is decremented on the
-// next call to RoundTrip.
-func (cc *ClientConn) ReserveNewRequest() bool {
+func (cc *ClientConn) reserveNewRequest() bool {
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 	if st := cc.idleStateLocked(); !st.canTakeNewRequest {
@@ -956,41 +628,7 @@ func (cc *ClientConn) ReserveNewRequest() bool {
 	return true
 }
 
-// ClientConnState describes the state of a ClientConn.
-type ClientConnState struct {
-	// Closed is whether the connection is closed.
-	Closed bool
-
-	// Closing is whether the connection is in the process of
-	// closing. It may be closing due to shutdown, being a
-	// single-use connection, being marked as DoNotReuse, or
-	// having received a GOAWAY frame.
-	Closing bool
-
-	// StreamsActive is how many streams are active.
-	StreamsActive int
-
-	// StreamsReserved is how many streams have been reserved via
-	// ClientConn.ReserveNewRequest.
-	StreamsReserved int
-
-	// StreamsPending is how many requests have been sent in excess
-	// of the peer's advertised MaxConcurrentStreams setting and
-	// are waiting for other streams to complete.
-	StreamsPending int
-
-	// MaxConcurrentStreams is how many concurrent streams the
-	// peer advertised as acceptable. Zero means no SETTINGS
-	// frame has been received yet.
-	MaxConcurrentStreams uint32
-
-	// LastIdle, if non-zero, is when the connection last
-	// transitioned to idle state.
-	LastIdle time.Time
-}
-
-// State returns a snapshot of cc's state.
-func (cc *ClientConn) State() ClientConnState {
+func (cc *ClientConn) state() ClientConnState {
 	cc.wmu.Lock()
 	maxConcurrent := cc.maxConcurrentStreams
 	if !cc.seenSettings {
@@ -1161,6 +799,12 @@ func (cc *ClientConn) closeIfIdle() {
 	cc.closeConn()
 }
 
+func (cc *ClientConn) stopIdleTimer() {
+	if cc.idleTimer != nil {
+		cc.idleTimer.Stop()
+	}
+}
+
 func (cc *ClientConn) isDoNotReuseAndIdle() bool {
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
@@ -1169,8 +813,7 @@ func (cc *ClientConn) isDoNotReuseAndIdle() bool {
 
 var shutdownEnterWaitStateHook = func() {}
 
-// Shutdown gracefully closes the client connection, waiting for running streams to complete.
-func (cc *ClientConn) Shutdown(ctx context.Context) error {
+func (cc *ClientConn) shutdown(ctx context.Context) error {
 	if err := cc.sendGoAway(); err != nil {
 		return err
 	}
@@ -1244,10 +887,7 @@ func (cc *ClientConn) closeForError(err error) {
 	cc.closeConn()
 }
 
-// Close closes the client connection immediately.
-//
-// In-flight requests are interrupted. For a graceful shutdown, use Shutdown instead.
-func (cc *ClientConn) Close() error {
+func (cc *ClientConn) close() error {
 	cc.closeForError(errClientConnForceClosed)
 	return nil
 }
@@ -1301,11 +941,11 @@ func (cc *ClientConn) decrStreamReservationsLocked() {
 	}
 }
 
-func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
-	return cc.roundTrip(req, nil)
+func (cc *ClientConn) roundTrip(req *http.Request) (*http.Response, error) {
+	return cc.internalRoundTrip(req, nil)
 }
 
-func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) (*http.Response, error) {
+func (cc *ClientConn) internalRoundTrip(req *http.Request, streamf func(*clientStream)) (*http.Response, error) {
 	ctx := req.Context()
 	cs := &clientStream{
 		cc:                   cc,
@@ -2125,19 +1765,6 @@ func (cc *ClientConn) readLoop() {
 	}
 }
 
-// GoAwayError is returned by the Transport when the server closes the
-// TCP connection after sending a GOAWAY frame.
-type GoAwayError struct {
-	LastStreamID uint32
-	ErrCode      ErrCode
-	DebugData    string
-}
-
-func (e GoAwayError) Error() string {
-	return fmt.Sprintf("http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%q",
-		e.LastStreamID, e.ErrCode, e.DebugData)
-}
-
 func isEOFOrNetReadError(err error) bool {
 	if err == io.EOF {
 		return true
@@ -2978,7 +2605,7 @@ func (rl *clientConnReadLoop) processResetStream(f *RSTStreamFrame) error {
 }
 
 // Ping sends a PING frame to the server and waits for the ack.
-func (cc *ClientConn) Ping(ctx context.Context) error {
+func (cc *ClientConn) ping(ctx context.Context) error {
 	c := make(chan struct{})
 	// Generate a random payload
 	var p [8]byte
@@ -3092,16 +2719,6 @@ func (cc *ClientConn) vlogf(format string, args ...interface{}) {
 	cc.t.vlogf(format, args...)
 }
 
-func (t *Transport) vlogf(format string, args ...interface{}) {
-	if VerboseLogs {
-		t.logf(format, args...)
-	}
-}
-
-func (t *Transport) logf(format string, args ...interface{}) {
-	log.Printf(format, args...)
-}
-
 var noBody io.ReadCloser = noBodyReader{}
 
 type noBodyReader struct{}
@@ -3417,17 +3034,3 @@ func traceGot1xxResponseFunc(trace *httptrace.ClientTrace) func(int, textproto.M
 	}
 	return nil
 }
-
-// dialTLSWithContext uses tls.Dialer, added in Go 1.15, to open a TLS
-// connection.
-func (t *Transport) dialTLSWithContext(ctx context.Context, network, addr string, cfg *tls.Config) (*tls.Conn, error) {
-	dialer := &tls.Dialer{
-		Config: cfg,
-	}
-	cn, err := dialer.DialContext(ctx, network, addr)
-	if err != nil {
-		return nil, err
-	}
-	tlsCn := cn.(*tls.Conn) // DialContext comment promises this will always succeed
-	return tlsCn, nil
-}

vendor/golang.org/x/net/http2/transport_common.go

@@ -0,0 +1,447 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"log"
+	mathrand "math/rand"
+	"net"
+	"net/http"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/net/idna"
+)
+
+// ConfigureTransport configures a net/http HTTP/1 Transport to use HTTP/2.
+// It returns an error if t1 has already been HTTP/2-enabled.
+//
+// Use ConfigureTransports instead to configure the HTTP/2 Transport.
+func ConfigureTransport(t1 *http.Transport) error {
+	return configureTransport(t1)
+}
+
+// ConfigureTransports configures a net/http HTTP/1 Transport to use HTTP/2.
+// It returns a new HTTP/2 Transport for further configuration.
+// It returns an error if t1 has already been HTTP/2-enabled.
+func ConfigureTransports(t1 *http.Transport) (*Transport, error) {
+	return configureTransports(t1)
+}
+
+// Transport is an HTTP/2 Transport.
+//
+// A Transport internally caches connections to servers. It is safe
+// for concurrent use by multiple goroutines.
+type Transport struct {
+	// DialTLSContext specifies an optional dial function with context for
+	// creating TLS connections for requests.
+	//
+	// If DialTLSContext and DialTLS is nil, tls.Dial is used.
+	//
+	// If the returned net.Conn has a ConnectionState method like tls.Conn,
+	// it will be used to set http.Response.TLS.
+	DialTLSContext func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error)
+
+	// DialTLS specifies an optional dial function for creating
+	// TLS connections for requests.
+	//
+	// If DialTLSContext and DialTLS is nil, tls.Dial is used.
+	//
+	// Deprecated: Use DialTLSContext instead, which allows the transport
+	// to cancel dials as soon as they are no longer needed.
+	// If both are set, DialTLSContext takes priority.
+	DialTLS func(network, addr string, cfg *tls.Config) (net.Conn, error)
+
+	// TLSClientConfig specifies the TLS configuration to use with
+	// tls.Client. If nil, the default configuration is used.
+	TLSClientConfig *tls.Config
+
+	// ConnPool optionally specifies an alternate connection pool to use.
+	// If nil, the default is used.
+	ConnPool ClientConnPool
+
+	// DisableCompression, if true, prevents the Transport from
+	// requesting compression with an "Accept-Encoding: gzip"
+	// request header when the Request contains no existing
+	// Accept-Encoding value. If the Transport requests gzip on
+	// its own and gets a gzipped response, it's transparently
+	// decoded in the Response.Body. However, if the user
+	// explicitly requested gzip it is not automatically
+	// uncompressed.
+	DisableCompression bool
+
+	// AllowHTTP, if true, permits HTTP/2 requests using the insecure,
+	// plain-text "http" scheme. Note that this does not enable h2c support.
+	AllowHTTP bool
+
+	// MaxHeaderListSize is the http2 SETTINGS_MAX_HEADER_LIST_SIZE to
+	// send in the initial settings frame. It is how many bytes
+	// of response headers are allowed. Unlike the http2 spec, zero here
+	// means to use a default limit (currently 10MB). If you actually
+	// want to advertise an unlimited value to the peer, Transport
+	// interprets the highest possible value here (0xffffffff or 1<<32-1)
+	// to mean no limit.
+	MaxHeaderListSize uint32
+
+	// MaxReadFrameSize is the http2 SETTINGS_MAX_FRAME_SIZE to send in the
+	// initial settings frame. It is the size in bytes of the largest frame
+	// payload that the sender is willing to receive. If 0, no setting is
+	// sent, and the value is provided by the peer, which should be 16384
+	// according to the spec:
+	// https://datatracker.ietf.org/doc/html/rfc7540#section-6.5.2.
+	// Values are bounded in the range 16k to 16M.
+	MaxReadFrameSize uint32
+
+	// MaxDecoderHeaderTableSize optionally specifies the http2
+	// SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It
+	// informs the remote endpoint of the maximum size of the header compression
+	// table used to decode header blocks, in octets. If zero, the default value
+	// of 4096 is used.
+	MaxDecoderHeaderTableSize uint32
+
+	// MaxEncoderHeaderTableSize optionally specifies an upper limit for the
+	// header compression table used for encoding request headers. Received
+	// SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero,
+	// the default value of 4096 is used.
+	MaxEncoderHeaderTableSize uint32
+
+	// StrictMaxConcurrentStreams controls whether the server's
+	// SETTINGS_MAX_CONCURRENT_STREAMS should be respected
+	// globally. If false, new TCP connections are created to the
+	// server as needed to keep each under the per-connection
+	// SETTINGS_MAX_CONCURRENT_STREAMS limit. If true, the
+	// server's SETTINGS_MAX_CONCURRENT_STREAMS is interpreted as
+	// a global limit and callers of RoundTrip block when needed,
+	// waiting for their turn.
+	StrictMaxConcurrentStreams bool
+
+	// IdleConnTimeout is the maximum amount of time an idle
+	// (keep-alive) connection will remain idle before closing
+	// itself.
+	// Zero means no limit.
+	IdleConnTimeout time.Duration
+
+	// ReadIdleTimeout is the timeout after which a health check using ping
+	// frame will be carried out if no frame is received on the connection.
+	// Note that a ping response will is considered a received frame, so if
+	// there is no other traffic on the connection, the health check will
+	// be performed every ReadIdleTimeout interval.
+	// If zero, no health check is performed.
+	ReadIdleTimeout time.Duration
+
+	// PingTimeout is the timeout after which the connection will be closed
+	// if a response to Ping is not received.
+	// Defaults to 15s.
+	PingTimeout time.Duration
+
+	// WriteByteTimeout is the timeout after which the connection will be
+	// closed no data can be written to it. The timeout begins when data is
+	// available to write, and is extended whenever any bytes are written.
+	WriteByteTimeout time.Duration
+
+	// CountError, if non-nil, is called on HTTP/2 transport errors.
+	// It's intended to increment a metric for monitoring, such
+	// as an expvar or Prometheus metric.
+	// The errType consists of only ASCII word characters.
+	CountError func(errType string)
+
+	// Internal state, differs between wrapped and non-wrapped implementations.
+	transportInternal
+}
+
+var (
+	errClientConnClosed         = errors.New("http2: client conn is closed")
+	errClientConnNotEstablished = errors.New("http2: client conn could not be established")
+	errClientConnGotGoAway      = errors.New("http2: Transport received Server's graceful shutdown GOAWAY")
+	errClientConnForceClosed    = errors.New("http2: client connection force closed via ClientConn.Close")
+	errClientConnUnusable       = errors.New("http2: client conn not usable")
+)
+
+// ClientConnPool manages a pool of HTTP/2 client connections.
+type ClientConnPool interface {
+	// GetClientConn returns a specific HTTP/2 connection (usually
+	// a TLS-TCP connection) to an HTTP/2 server. On success, the
+	// returned ClientConn accounts for the upcoming RoundTrip
+	// call, so the caller should not omit it. If the caller needs
+	// to, ClientConn.RoundTrip can be called with a bogus
+	// new(http.Request) to release the stream reservation.
+	GetClientConn(req *http.Request, addr string) (*ClientConn, error)
+	MarkDead(*ClientConn)
+}
+
+// ClientConnState describes the state of a ClientConn.
+type ClientConnState struct {
+	// Closed is whether the connection is closed.
+	Closed bool
+
+	// Closing is whether the connection is in the process of
+	// closing. It may be closing due to shutdown, being a
+	// single-use connection, being marked as DoNotReuse, or
+	// having received a GOAWAY frame.
+	Closing bool
+
+	// StreamsActive is how many streams are active.
+	StreamsActive int
+
+	// StreamsReserved is how many streams have been reserved via
+	// ClientConn.ReserveNewRequest.
+	StreamsReserved int
+
+	// StreamsPending is how many requests have been sent in excess
+	// of the peer's advertised MaxConcurrentStreams setting and
+	// are waiting for other streams to complete.
+	StreamsPending int
+
+	// MaxConcurrentStreams is how many concurrent streams the
+	// peer advertised as acceptable. Zero means no SETTINGS
+	// frame has been received yet.
+	MaxConcurrentStreams uint32
+
+	// LastIdle, if non-zero, is when the connection last
+	// transitioned to idle state.
+	LastIdle time.Time
+}
+
+// RoundTripOpt are options for the Transport.RoundTripOpt method.
+type RoundTripOpt struct {
+	// OnlyCachedConn controls whether RoundTripOpt may
+	// create a new TCP connection. If set true and
+	// no cached connection is available, RoundTripOpt
+	// will return ErrNoCachedConn.
+
+	// OnlyCachedConn was broken in https://go.dev/cl/16699.
+	OnlyCachedConn bool
+
+	allowHTTP bool // allow http:// URLs
+}
+
+func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	return t.RoundTripOpt(req, RoundTripOpt{})
+}
+
+// RoundTripOpt is like RoundTrip, but takes options.
+func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Response, error) {
+	return t.roundTripOpt(req, opt)
+}
+
+// CloseIdleConnections closes any connections which were previously
+// connected from previous requests but are now sitting idle.
+// It does not interrupt any connections currently in use.
+func (t *Transport) CloseIdleConnections() {
+	t.closeIdleConnections()
+}
+
+func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
+	return t.newUserClientConn(c)
+}
+
+// authorityAddr returns a given authority (a host/IP, or host:port / ip:port)
+// and returns a host:port. The port 443 is added if needed.
+func authorityAddr(scheme string, authority string) (addr string) {
+	host, port, err := net.SplitHostPort(authority)
+	if err != nil { // authority didn't have a port
+		host = authority
+		port = ""
+	}
+	if port == "" { // authority's port was empty
+		port = "443"
+		if scheme == "http" {
+			port = "80"
+		}
+	}
+	if a, err := idna.ToASCII(host); err == nil {
+		host = a
+	}
+	// IPv6 address literal, without a port:
+	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
+		return host + ":" + port
+	}
+	return net.JoinHostPort(host, port)
+}
+
+func (t *Transport) roundTripViaPool(req *http.Request, opt RoundTripOpt, pool ClientConnPool) (*http.Response, error) {
+	addr := authorityAddr(req.URL.Scheme, req.URL.Host)
+	for retry := 0; ; retry++ {
+		cc, err := pool.GetClientConn(req, addr)
+		if err != nil {
+			t.vlogf("http2: Transport failed to get client conn for %s: %v", addr, err)
+			return nil, err
+		}
+		reused := !atomic.CompareAndSwapUint32(&cc.atomicReused, 0, 1)
+		traceGotConn(req, cc, reused)
+		res, err := cc.RoundTrip(req)
+		if err != nil && retry <= 6 {
+			roundTripErr := err
+			if req, err = shouldRetryRequest(req, err); err == nil {
+				// After the first retry, do exponential backoff with 10% jitter.
+				if retry == 0 {
+					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
+					continue
+				}
+				backoff := float64(uint(1) << (uint(retry) - 1))
+				backoff += backoff * (0.1 * mathrand.Float64())
+				d := time.Second * time.Duration(backoff)
+				tm := time.NewTimer(d)
+				select {
+				case <-tm.C:
+					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
+					continue
+				case <-req.Context().Done():
+					tm.Stop()
+					err = req.Context().Err()
+				}
+			}
+		}
+		if err == errClientConnNotEstablished {
+			// This ClientConn was created recently,
+			// this is the first request to use it,
+			// and the connection is closed and not usable.
+			//
+			// In this state, cc.idleTimer will remove the conn from the pool
+			// when it fires. Stop the timer and remove it here so future requests
+			// won't try to use this connection.
+			//
+			// If the timer has already fired and we're racing it, the redundant
+			// call to MarkDead is harmless.
+			cc.stopIdleTimer()
+			pool.MarkDead(cc)
+		}
+		if err != nil {
+			t.vlogf("RoundTrip failure: %v", err)
+			return nil, err
+		}
+		return res, nil
+	}
+}
+
+// shouldRetryRequest is called by RoundTrip when a request fails to get
+// response headers. It is always called with a non-nil error.
+// It returns either a request to retry (either the same request, or a
+// modified clone), or an error if the request can't be replayed.
+func shouldRetryRequest(req *http.Request, err error) (*http.Request, error) {
+	if !canRetryError(err) {
+		return nil, err
+	}
+	// If the Body is nil (or http.NoBody), it's safe to reuse
+	// this request and its Body.
+	if req.Body == nil || req.Body == http.NoBody {
+		return req, nil
+	}
+
+	// If the request body can be reset back to its original
+	// state via the optional req.GetBody, do that.
+	if req.GetBody != nil {
+		body, err := req.GetBody()
+		if err != nil {
+			return nil, err
+		}
+		newReq := *req
+		newReq.Body = body
+		return &newReq, nil
+	}
+
+	// The Request.Body can't reset back to the beginning, but we
+	// don't seem to have started to read from it yet, so reuse
+	// the request directly.
+	if err == errClientConnUnusable {
+		return req, nil
+	}
+
+	return nil, fmt.Errorf("http2: Transport: cannot retry err [%v] after Request.Body was written; define Request.GetBody to avoid this error", err)
+}
+
+func canRetryError(err error) bool {
+	if err == errClientConnUnusable || err == errClientConnGotGoAway {
+		return true
+	}
+	if se, ok := err.(StreamError); ok {
+		return se.Code == ErrCodeRefusedStream
+	}
+	return false
+}
+
+func (t *Transport) vlogf(format string, args ...interface{}) {
+	if VerboseLogs {
+		t.logf(format, args...)
+	}
+}
+
+func (t *Transport) logf(format string, args ...interface{}) {
+	log.Printf(format, args...)
+}
+
+func (t *Transport) dialTLS(ctx context.Context, network, addr string, tlsCfg *tls.Config) (net.Conn, error) {
+	if t.DialTLSContext != nil {
+		return t.DialTLSContext(ctx, network, addr, tlsCfg)
+	} else if t.DialTLS != nil {
+		return t.DialTLS(network, addr, tlsCfg)
+	}
+
+	tlsCn, err := t.dialTLSWithContext(ctx, network, addr, tlsCfg)
+	if err != nil {
+		return nil, err
+	}
+	state := tlsCn.ConnectionState()
+	if p := state.NegotiatedProtocol; p != NextProtoTLS {
+		return nil, fmt.Errorf("http2: unexpected ALPN protocol %q; want %q", p, NextProtoTLS)
+	}
+	if !state.NegotiatedProtocolIsMutual {
+		return nil, errors.New("http2: could not negotiate protocol mutually")
+	}
+	return tlsCn, nil
+}
+
+// dialTLSWithContext uses tls.Dialer, added in Go 1.15, to open a TLS
+// connection.
+func (t *Transport) dialTLSWithContext(ctx context.Context, network, addr string, cfg *tls.Config) (*tls.Conn, error) {
+	dialer := &tls.Dialer{
+		Config: cfg,
+	}
+	cn, err := dialer.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	tlsCn := cn.(*tls.Conn) // DialContext comment promises this will always succeed
+	return tlsCn, nil
+}
+
+// GoAwayError is returned by the Transport when the server closes the
+// TCP connection after sending a GOAWAY frame.
+type GoAwayError struct {
+	LastStreamID uint32
+	ErrCode      ErrCode
+	DebugData    string
+}
+
+func (e GoAwayError) Error() string {
+	return fmt.Sprintf("http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%q",
+		e.LastStreamID, e.ErrCode, e.DebugData)
+}
+
+// noCachedConnError is the concrete type of ErrNoCachedConn, which
+// needs to be detected by net/http regardless of whether it's its
+// bundled version (in h2_bundle.go with a rewritten type name) or
+// from a user's x/net/http2. As such, as it has a unique method name
+// (IsHTTP2NoCachedConnError) that net/http sniffs for via func
+// isNoCachedConnError.
+type noCachedConnError struct{}
+
+func (noCachedConnError) IsHTTP2NoCachedConnError() {}
+func (noCachedConnError) Error() string             { return "http2: no cached connection was available" }
+
+// isNoCachedConnError reports whether err is of type noCachedConnError
+// or its equivalent renamed type in net/http2's h2_bundle.go. Both types
+// may coexist in the same running program.
+func isNoCachedConnError(err error) bool {
+	_, ok := err.(interface{ IsHTTP2NoCachedConnError() })
+	return ok
+}
+
+var ErrNoCachedConn error = noCachedConnError{}

vendor/golang.org/x/net/http2/transport_wrap.go

@@ -0,0 +1,381 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.27 && !http2legacy
+
+// Transport wrapping a net/http.Transport.
+
+package http2
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"math"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"slices"
+	"sync"
+	"time"
+)
+
+func configureTransport(t1 *http.Transport) error {
+	// ConfigureTransport is a no-op: The http.Transport already supports HTTP/2.
+	return nil
+}
+
+func configureTransports(t1 *http.Transport) (*Transport, error) {
+	// ConfigureTransport returns an http2.Transport with a configuration
+	// linked to the http.Transport's.
+	tr2 := &Transport{}
+	tr2.configure(t1)
+	return tr2, nil
+}
+
+// transportConfig is passed to net/http.Transport.RegisterProtocol("http/2", config).
+// It provides the net/http.Transport with access to the configuration in the
+// x/net/http2.Transport.
+type transportConfig struct {
+	t *Transport
+}
+
+// Registered is called by net/http.Transport.RegisterProtocol,
+// to let us know that it understands the registration mechanism we're using.
+func (t transportConfig) Registered(t1 *http.Transport) {
+	t.t.t1 = t1
+}
+
+func (t transportConfig) DisableCompression() bool {
+	return t.t.DisableCompression
+}
+
+func (t transportConfig) MaxHeaderListSize() int64 {
+	return int64(t.t.MaxHeaderListSize)
+}
+
+func (t transportConfig) IdleConnTimeout() time.Duration {
+	return t.t.IdleConnTimeout
+}
+
+func (t transportConfig) HTTP2Config() http.HTTP2Config {
+	return http.HTTP2Config{
+		StrictMaxConcurrentRequests: t.t.StrictMaxConcurrentStreams,
+		MaxDecoderHeaderTableSize:   int(t.t.MaxDecoderHeaderTableSize),
+		MaxEncoderHeaderTableSize:   int(t.t.MaxEncoderHeaderTableSize),
+		MaxReadFrameSize:            int(t.t.MaxReadFrameSize),
+		SendPingTimeout:             t.t.ReadIdleTimeout,
+		PingTimeout:                 t.t.PingTimeout,
+		WriteByteTimeout:            t.t.WriteByteTimeout,
+		CountError:                  t.t.CountError,
+	}
+}
+
+// ExternalRoundTrip reports whether the Transport wants to take control of the RoundTrip call.
+// If the user hasn't configured a custom connection pool, we leave the RoundTrip up to net/http.
+func (t transportConfig) ExternalRoundTrip() bool {
+	return t.t.ConnPool != nil
+}
+
+// RoundTrip is used when the http.Transport is passing control of the full
+// RoundTrip to us--connection pooling, retries, etc.
+//
+// This is only used when the http2.Transport has a user-provided ConnPool.
+// Any other time, net/http handles everything.
+func (t transportConfig) RoundTrip(req *http.Request) (*http.Response, error) {
+	if t.t.ConnPool == nil {
+		return nil, http.ErrSkipAltProtocol
+	}
+	return t.t.RoundTrip(req)
+}
+
+// netConnContextKey passes a net.Conn to http.Transport.NewClientConn.
+// See http2.Transport.NewClientConn.
+type netConnContextKey struct{}
+
+// ConnFromContext lets the http.Transport fetch a net.Conn out of a context
+// passed to NewClientConn. See http2.Transport.NewClientConn.
+func (t transportConfig) ConnFromContext(ctx context.Context) net.Conn {
+	nc, _ := ctx.Value(netConnContextKey{}).(net.Conn)
+	return nc
+}
+
+// http2TransportContextKey marks a RoundTrip as needing its dial handled by the http2.Transport.
+// We set this for http2.RoundTrip calls, where the historical behavior is to use the
+// http2.Transport's dialer.
+type http2TransportContextKey struct{}
+
+// DialFromContext dials a new connection using the http2.Transport's DialTLS/DialTLSContext.
+func (t transportConfig) DialFromContext(ctx context.Context, network, address string) (net.Conn, error) {
+	if ctx.Value(http2TransportContextKey{}) == nil {
+		// We're being called from a RoundTrip that did not start with an http2.Transport.
+		// Use the http.Transport's dialer.
+		return nil, errors.ErrUnsupported
+	}
+
+	tlsConf := t.t.TLSClientConfig
+	if tlsConf == nil {
+		tlsConf = &tls.Config{}
+	} else {
+		tlsConf = tlsConf.Clone()
+	}
+	if !slices.Contains(tlsConf.NextProtos, "h2") {
+		tlsConf.NextProtos = append([]string{"h2"}, tlsConf.NextProtos...)
+	}
+	if tlsConf.ServerName == "" {
+		host, _, err := net.SplitHostPort(address)
+		if err == nil {
+			tlsConf.ServerName = host
+		}
+	}
+	return t.t.dialTLS(ctx, network, address, tlsConf)
+}
+
+type transportInternal struct {
+	initOnce sync.Once
+	t1       *http.Transport
+}
+
+func (t *Transport) init() {
+	t.initOnce.Do(func() {
+		if t.t1 != nil {
+			return
+		}
+		t1 := &http.Transport{}
+		t.configure(t1)
+	})
+}
+
+func (t *Transport) configure(t1 *http.Transport) {
+	t1.RegisterProtocol("http/2", transportConfig{t})
+	// tr2.t1 is set by transportConfig.Registered.
+	if t.t1 != t1 {
+		panic("http2: net/http does not support this version of x/net/http2")
+	}
+}
+
+func (t *Transport) roundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Response, error) {
+	t.init()
+
+	if req.URL.Scheme == "http" && !t.AllowHTTP {
+		return nil, errors.New("http2: unencrypted HTTP/2 not enabled")
+	}
+
+	// When the Transport has a user-provided connection pool (unusual, deprecated),
+	// we need to handle picking a connection, retrys, etc.
+	if t.ConnPool != nil {
+		return t.roundTripViaPool(req, opt, t.ConnPool)
+	}
+
+	// Setting this context key lets net/http know that if it is necessary to dial
+	// a new connection, we should handle the net.Dial.
+	//
+	// Both http.Transport and http2.Transport allow the user to provide a custom
+	// dial function, and historically you only get the dial function from the
+	// Transport you're calling RoundTrip on.
+	ctx := context.WithValue(req.Context(), http2TransportContextKey{}, t)
+	req = req.WithContext(ctx)
+
+	return t.t1.RoundTrip(req)
+}
+
+func (t *Transport) closeIdleConnections() {
+	t.init()
+	t.t1.CloseIdleConnections()
+}
+
+func (t *Transport) newUserClientConn(c net.Conn) (*ClientConn, error) {
+	// http.Transport's NewClientConn doesn't provide a supported way to create
+	// a connection from a net.Conn. (This might be useful to add in the future?)
+	// We're going to craftily sneak one in via the context key, with the
+	// scheme of "http/2" telling NewClientConn to look for it.
+	ctx := context.WithValue(context.Background(), netConnContextKey{}, c)
+
+	nhcc, err := t.t1.NewClientConn(ctx, "http/2", "")
+	if err != nil {
+		return nil, err
+	}
+	cc := &ClientConn{cc: nhcc, tr: t, tconn: c}
+	nhcc.SetStateHook(cc.stateHook)
+	return cc, nil
+}
+
+// ClientConn is the state of a single HTTP/2 client connection to an
+// HTTP/2 server.
+type ClientConn struct {
+	cc         *http.ClientConn
+	tconn      net.Conn
+	tr         *Transport
+	doNotReuse bool
+
+	mu            sync.Mutex
+	closing       bool
+	closed        bool
+	roundTrips    int
+	reserved      int
+	starting      int
+	pending       int
+	maxConcurrent int
+	lastIdle      time.Time
+	shutdownc     chan struct{}
+
+	atomicReused uint32 // whether conn is being reused; atomic
+}
+
+func (cc *ClientConn) roundTrip(req *http.Request) (*http.Response, error) {
+	err := func() error {
+		cc.mu.Lock()
+		defer cc.mu.Unlock()
+		if cc.doNotReuse {
+			return errClientConnUnusable
+		}
+		cc.roundTrips++
+		if cc.reserved > 0 {
+			// We've already reserved a concurrency slot for this request.
+			cc.reserved--
+		} else if cc.cc.Reserve() != nil {
+			// We don't seem to have an available concurrency slot,
+			// so bump the pending count (requests waiting for a slot).
+			cc.pending++
+		}
+		// ClientConn.Shutdown will not shut down the conn while
+		// cc.starting > 0 or cc.cc.InFlight() > 0.
+		//
+		// The starting state covers the gap between us deciding to
+		// start sending the request, and actually sending it.
+		cc.starting++
+		return nil
+	}()
+	if err != nil {
+		return nil, err
+	}
+	resp, err := cc.cc.RoundTrip(req)
+	cc.mu.Lock()
+	cc.starting--
+	if cc.pending > 0 {
+		// A request completing frees up a concurrency slot for
+		// a pending request to start.
+		cc.pending--
+	}
+	cc.updateStateLocked()
+	cc.mu.Unlock()
+	return resp, err
+}
+
+func (cc *ClientConn) canTakeNewRequest() bool {
+	return cc.cc.Available() > 0 && !cc.doNotReuse
+}
+
+func (cc *ClientConn) close() error {
+	return cc.cc.Close()
+}
+
+func (cc *ClientConn) ping(ctx context.Context) error {
+	// Ask net/http to ping its connection by sending a request with a method of ":ping".
+	_, err := cc.cc.RoundTrip((&http.Request{
+		Method: ":ping",
+	}).WithContext(ctx))
+	return err
+}
+
+func (cc *ClientConn) reserveNewRequest() bool {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	if cc.doNotReuse {
+		return false
+	}
+	if err := cc.cc.Reserve(); err != nil {
+		return false
+	}
+	cc.reserved++
+	return true
+}
+
+func (cc *ClientConn) setDoNotReuse() {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	cc.doNotReuse = true
+	cc.closing = true
+}
+
+func (cc *ClientConn) shutdown(ctx context.Context) error {
+	cc.mu.Lock()
+	inFlight := cc.cc.InFlight() + cc.starting
+	if inFlight > 0 && cc.shutdownc == nil {
+		cc.shutdownc = make(chan struct{})
+	}
+	shutdownc := cc.shutdownc
+	cc.mu.Unlock()
+	if shutdownc != nil {
+		// Wait for in-flight requests to finish.
+		select {
+		case <-shutdownc:
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	cc.cc.Close()
+	return nil
+}
+
+func (cc *ClientConn) state() ClientConnState {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	cc.updateStateLocked()
+	return ClientConnState{
+		Closed:               cc.closed,
+		Closing:              cc.closing,
+		StreamsActive:        cc.cc.InFlight() - cc.reserved,
+		StreamsReserved:      cc.reserved,
+		StreamsPending:       cc.pending,
+		MaxConcurrentStreams: uint32(min(int64(cc.maxConcurrent), math.MaxUint32)),
+		LastIdle:             cc.lastIdle,
+	}
+}
+
+// stateHook is the http.ClientConn's state hook.
+func (cc *ClientConn) stateHook(*http.ClientConn) {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	cc.updateStateLocked()
+}
+
+func (cc *ClientConn) updateStateLocked() {
+	if cc.cc.Err() != nil && !cc.closed {
+		cc.closing = true
+		cc.closed = true
+		if cc.tr.ConnPool != nil {
+			// Do the ConnPool update in another goroutine,
+			// to avoid holding the conn mutex while it runs.
+			go cc.tr.ConnPool.MarkDead(cc)
+		}
+	}
+	if cc.cc.InFlight() == 0 && cc.roundTrips > 0 && cc.starting == 0 {
+		cc.lastIdle = time.Now()
+	}
+	if !cc.closed {
+		// This is slightly racy (a request could start or finish in between
+		// the Available and InFlight calls), but the best we can do given that
+		// the net/http ClientConn API doesn't expose the conn's max concurrency.
+		cc.maxConcurrent = cc.cc.Available() + cc.cc.InFlight()
+	}
+	if cc.shutdownc != nil && cc.cc.InFlight()+cc.starting == 0 {
+		close(cc.shutdownc)
+		cc.shutdownc = nil
+	}
+}
+
+func (cc *ClientConn) stopIdleTimer() {}
+
+// traceGotConn is (when http2legacy is not enabled) only used for tracing
+// connections acquired while using a user-provided ClientConnPool.
+func traceGotConn(req *http.Request, cc *ClientConn, reused bool) {
+	trace := httptrace.ContextClientTrace(req.Context())
+	if trace == nil || trace.GotConn == nil {
+		return
+	}
+	ci := httptrace.GotConnInfo{Conn: cc.tconn}
+	ci.Reused = reused
+	trace.GotConn(ci)
+}

vendor/golang.org/x/net/http2/writesched.go

@@ -2,54 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import "fmt"
 
-// WriteScheduler is the interface implemented by HTTP/2 write schedulers.
-// Methods are never called concurrently.
-//
-// Deprecated: User-provided write schedulers are deprecated.
-type WriteScheduler interface {
-	// OpenStream opens a new stream in the write scheduler.
-	// It is illegal to call this with streamID=0 or with a streamID that is
-	// already open -- the call may panic.
-	OpenStream(streamID uint32, options OpenStreamOptions)
-
-	// CloseStream closes a stream in the write scheduler. Any frames queued on
-	// this stream should be discarded. It is illegal to call this on a stream
-	// that is not open -- the call may panic.
-	CloseStream(streamID uint32)
-
-	// AdjustStream adjusts the priority of the given stream. This may be called
-	// on a stream that has not yet been opened or has been closed. Note that
-	// RFC 7540 allows PRIORITY frames to be sent on streams in any state. See:
-	// https://tools.ietf.org/html/rfc7540#section-5.1
-	AdjustStream(streamID uint32, priority PriorityParam)
-
-	// Push queues a frame in the scheduler. In most cases, this will not be
-	// called with wr.StreamID()!=0 unless that stream is currently open. The one
-	// exception is RST_STREAM frames, which may be sent on idle or closed streams.
-	Push(wr FrameWriteRequest)
-
-	// Pop dequeues the next frame to write. Returns false if no frames can
-	// be written. Frames with a given wr.StreamID() are Pop'd in the same
-	// order they are Push'd, except RST_STREAM frames. No frames should be
-	// discarded except by CloseStream.
-	Pop() (wr FrameWriteRequest, ok bool)
-}
-
-// OpenStreamOptions specifies extra options for WriteScheduler.OpenStream.
-//
-// Deprecated: User-provided write schedulers are deprecated.
-type OpenStreamOptions struct {
-	// PusherID is zero if the stream was initiated by the client. Otherwise,
-	// PusherID names the stream that pushed the newly opened stream.
-	PusherID uint32
-	// priority is used to set the priority of the newly opened stream.
-	priority PriorityParam
-}
-
 // FrameWriteRequest is a request to write a frame.
 //
 // Deprecated: User-provided write schedulers are deprecated.

vendor/golang.org/x/net/http2/writesched_common.go

@@ -0,0 +1,90 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+// WriteScheduler is the interface implemented by HTTP/2 write schedulers.
+// Methods are never called concurrently.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+type WriteScheduler interface {
+	// OpenStream opens a new stream in the write scheduler.
+	// It is illegal to call this with streamID=0 or with a streamID that is
+	// already open -- the call may panic.
+	OpenStream(streamID uint32, options OpenStreamOptions)
+
+	// CloseStream closes a stream in the write scheduler. Any frames queued on
+	// this stream should be discarded. It is illegal to call this on a stream
+	// that is not open -- the call may panic.
+	CloseStream(streamID uint32)
+
+	// AdjustStream adjusts the priority of the given stream. This may be called
+	// on a stream that has not yet been opened or has been closed. Note that
+	// RFC 7540 allows PRIORITY frames to be sent on streams in any state. See:
+	// https://tools.ietf.org/html/rfc7540#section-5.1
+	AdjustStream(streamID uint32, priority PriorityParam)
+
+	// Push queues a frame in the scheduler. In most cases, this will not be
+	// called with wr.StreamID()!=0 unless that stream is currently open. The one
+	// exception is RST_STREAM frames, which may be sent on idle or closed streams.
+	Push(wr FrameWriteRequest)
+
+	// Pop dequeues the next frame to write. Returns false if no frames can
+	// be written. Frames with a given wr.StreamID() are Pop'd in the same
+	// order they are Push'd, except RST_STREAM frames. No frames should be
+	// discarded except by CloseStream.
+	Pop() (wr FrameWriteRequest, ok bool)
+}
+
+// OpenStreamOptions specifies extra options for WriteScheduler.OpenStream.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+type OpenStreamOptions struct {
+	// PusherID is zero if the stream was initiated by the client. Otherwise,
+	// PusherID names the stream that pushed the newly opened stream.
+	PusherID uint32
+	// priority is used to set the priority of the newly opened stream.
+	priority PriorityParam
+}
+
+// PriorityWriteSchedulerConfig configures a priorityWriteScheduler.
+//
+// Deprecated: User-provided write schedulers are deprecated.
+type PriorityWriteSchedulerConfig struct {
+	// MaxClosedNodesInTree controls the maximum number of closed streams to
+	// retain in the priority tree. Setting this to zero saves a small amount
+	// of memory at the cost of performance.
+	//
+	// See RFC 7540, Section 5.3.4:
+	//   "It is possible for a stream to become closed while prioritization
+	//   information ... is in transit. ... This potentially creates suboptimal
+	//   prioritization, since the stream could be given a priority that is
+	//   different from what is intended. To avoid these problems, an endpoint
+	//   SHOULD retain stream prioritization state for a period after streams
+	//   become closed. The longer state is retained, the lower the chance that
+	//   streams are assigned incorrect or default priority values."
+	MaxClosedNodesInTree int
+
+	// MaxIdleNodesInTree controls the maximum number of idle streams to
+	// retain in the priority tree. Setting this to zero saves a small amount
+	// of memory at the cost of performance.
+	//
+	// See RFC 7540, Section 5.3.4:
+	//   Similarly, streams that are in the "idle" state can be assigned
+	//   priority or become a parent of other streams. This allows for the
+	//   creation of a grouping node in the dependency tree, which enables
+	//   more flexible expressions of priority. Idle streams begin with a
+	//   default priority (Section 5.3.5).
+	MaxIdleNodesInTree int
+
+	// ThrottleOutOfOrderWrites enables write throttling to help ensure that
+	// data is delivered in priority order. This works around a race where
+	// stream B depends on stream A and both streams are about to call Write
+	// to queue DATA frames. If B wins the race, a naive scheduler would eagerly
+	// write as much data from B as possible, but this is suboptimal because A
+	// is a higher-priority stream. With throttling enabled, we write a small
+	// amount of data from B to minimize the amount of bandwidth that B can
+	// steal from A.
+	ThrottleOutOfOrderWrites bool
+}

vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import (
@@ -13,47 +15,6 @@ import (
 // RFC 7540, Section 5.3.5: the default weight is 16.
 const priorityDefaultWeightRFC7540 = 15 // 16 = 15 + 1
 
-// PriorityWriteSchedulerConfig configures a priorityWriteScheduler.
-//
-// Deprecated: User-provided write schedulers are deprecated.
-type PriorityWriteSchedulerConfig struct {
-	// MaxClosedNodesInTree controls the maximum number of closed streams to
-	// retain in the priority tree. Setting this to zero saves a small amount
-	// of memory at the cost of performance.
-	//
-	// See RFC 7540, Section 5.3.4:
-	//   "It is possible for a stream to become closed while prioritization
-	//   information ... is in transit. ... This potentially creates suboptimal
-	//   prioritization, since the stream could be given a priority that is
-	//   different from what is intended. To avoid these problems, an endpoint
-	//   SHOULD retain stream prioritization state for a period after streams
-	//   become closed. The longer state is retained, the lower the chance that
-	//   streams are assigned incorrect or default priority values."
-	MaxClosedNodesInTree int
-
-	// MaxIdleNodesInTree controls the maximum number of idle streams to
-	// retain in the priority tree. Setting this to zero saves a small amount
-	// of memory at the cost of performance.
-	//
-	// See RFC 7540, Section 5.3.4:
-	//   Similarly, streams that are in the "idle" state can be assigned
-	//   priority or become a parent of other streams. This allows for the
-	//   creation of a grouping node in the dependency tree, which enables
-	//   more flexible expressions of priority. Idle streams begin with a
-	//   default priority (Section 5.3.5).
-	MaxIdleNodesInTree int
-
-	// ThrottleOutOfOrderWrites enables write throttling to help ensure that
-	// data is delivered in priority order. This works around a race where
-	// stream B depends on stream A and both streams are about to call Write
-	// to queue DATA frames. If B wins the race, a naive scheduler would eagerly
-	// write as much data from B as possible, but this is suboptimal because A
-	// is a higher-priority stream. With throttling enabled, we write a small
-	// amount of data from B to minimize the amount of bandwidth that B can
-	// steal from A.
-	ThrottleOutOfOrderWrites bool
-}
-
 // NewPriorityWriteScheduler constructs a WriteScheduler that schedules
 // frames by following HTTP/2 priorities as described in RFC 7540 Section 5.3.
 // If cfg is nil, default options are used.

vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import (

vendor/golang.org/x/net/http2/writesched_random.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import "math"

vendor/golang.org/x/net/http2/writesched_roundrobin.go

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !(go1.27 && !http2legacy)
+
 package http2
 
 import (

vendor/golang.org/x/net/idna/go118.go

@@ -1,13 +0,0 @@
-// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-
-package idna
-
-// Transitional processing is disabled by default in Go 1.18.
-// https://golang.org/issue/47510
-const transitionalLookup = false

vendor/golang.org/x/net/idna/idna.go

@@ -4,8 +4,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.10
-
 // Package idna implements IDNA2008 using the compatibility processing
 // defined by UTS (Unicode Technical Standard) #46, which defines a standard to
 // deal with the transition from IDNA2003.
@@ -20,6 +18,7 @@ package idna // import "golang.org/x/net/idna"
 import (
 	"fmt"
 	"strings"
+	"unicode"
 	"unicode/utf8"
 
 	"golang.org/x/text/secure/bidirule"
@@ -27,6 +26,8 @@ import (
 	"golang.org/x/text/unicode/norm"
 )
 
+const unicode16 = unicode.Version >= "16.0.0"
+
 // NOTE: Unlike common practice in Go APIs, the functions will return a
 // sanitized domain name in case of errors. Browsers sometimes use a partially
 // evaluated string as lookup.
@@ -101,6 +102,11 @@ func ValidateLabels(enable bool) Option {
 	}
 }
 
+// validateLabels reports whether the ValidateLabels option is enabled.
+func (p *Profile) validateLabels() bool {
+	return p.fromPuny != nil
+}
+
 // CheckHyphens sets whether to check for correct use of hyphens ('-') in
 // labels. Most web browsers do not have this option set, since labels such as
 // "r3---sn-apo3qvuoxuxbt-j5pe" are in common use.
@@ -263,6 +269,10 @@ func (p *Profile) String() string {
 	return s
 }
 
+// Transitional processing is disabled by default as of Go 1.18.
+// https://golang.org/issue/47510
+const transitionalLookup = false
+
 var (
 	// Punycode is a Profile that does raw punycode processing with a minimum
 	// of validation.
@@ -324,15 +334,30 @@ func (e labelError) Error() string {
 	return fmt.Sprintf("idna: invalid label %q", e.label)
 }
 
-type runeError rune
-
-func (e runeError) code() string { return "P1" }
-func (e runeError) Error() string {
-	return fmt.Sprintf("idna: disallowed rune %U", e)
+type runeError struct {
+	r     rune
+	code_ string
 }
 
-// process implements the algorithm described in section 4 of UTS #46,
-// see https://www.unicode.org/reports/tr46.
+func (e runeError) code() string { return e.code_ }
+func (e runeError) Error() string {
+	return fmt.Sprintf("idna: disallowed rune %U", e.r)
+}
+
+// code16 returns old for Unicode < 16, new for Unicode >= 16.
+func code16(old, new string) string {
+	if unicode16 {
+		return new
+	}
+	return old
+}
+
+// process10 implements the algorithm described in section 4 of UTS #46.
+// It implements both the Unicode 10 algorithm
+// (https://www.unicode.org/reports/tr46/tr46-19.html)
+// and the Unicode 16 algorithm
+// (https://www.unicode.org/reports/tr46/tr46-35.html)
+// depending on unicode16, which in turn depends on unicode.Version.
 func (p *Profile) process(s string, toASCII bool) (string, error) {
 	var err error
 	var isBidi bool
@@ -347,8 +372,12 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
 	// TODO: allow for a quick check of the tables data.
 	// It seems like we should only create this error on ToASCII, but the
 	// UTS 46 conformance tests suggests we should always check this.
+	labelCode := "X4_2"
+	if !unicode16 || toASCII {
+		labelCode = "A4"
+	}
 	if err == nil && p.verifyDNSLength && s == "" {
-		err = &labelError{s, "A4"}
+		err = labelError{s, labelCode}
 	}
 	labels := labelIter{orig: s}
 	for ; !labels.done(); labels.next() {
@@ -357,12 +386,13 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
 			// Empty labels are not okay. The label iterator skips the last
 			// label if it is empty.
 			if err == nil && p.verifyDNSLength {
-				err = &labelError{s, "A4"}
+				err = labelError{s, labelCode}
 			}
 			continue
 		}
 		if strings.HasPrefix(label, acePrefix) {
-			u, err2 := decode(label[len(acePrefix):])
+			enc := label[len(acePrefix):]
+			u, err2 := decode(enc)
 			if err2 != nil {
 				if err == nil {
 					err = err2
@@ -370,6 +400,9 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
 				// Spec says keep the old label.
 				continue
 			}
+			if unicode16 && err == nil && len(u) > 0 && isASCII(u) {
+				err = punyError(enc)
+			}
 			isBidi = isBidi || bidirule.DirectionString(u) != bidi.LeftToRight
 			labels.set(u)
 			if err == nil && p.fromPuny != nil {
@@ -379,16 +412,16 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
 				// This should be called on NonTransitional, according to the
 				// spec, but that currently does not have any effect. Use the
 				// original profile to preserve options.
-				err = p.validateLabel(u)
+				err = p.validateLabel(u, labelCode)
 			}
 		} else if err == nil {
-			err = p.validateLabel(label)
+			err = p.validateLabel(label, labelCode)
 		}
 	}
 	if isBidi && p.bidirule != nil && err == nil {
 		for labels.reset(); !labels.done(); labels.next() {
 			if !p.bidirule(labels.label()) {
-				err = &labelError{s, "B"}
+				err = labelError{s, "B"}
 				break
 			}
 		}
@@ -406,24 +439,36 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
 			}
 			n := len(label)
 			if p.verifyDNSLength && err == nil && (n == 0 || n > 63) {
-				err = &labelError{label, "A4"}
+				err = labelError{label, labelCode}
 			}
 		}
 	}
 	s = labels.result()
 	if toASCII && p.verifyDNSLength && err == nil {
+		if unicode16 && strings.HasSuffix(s, ".") {
+			err = labelError{s, labelCode}
+		}
 		// Compute the length of the domain name minus the root label and its dot.
 		n := len(s)
 		if n > 0 && s[n-1] == '.' {
 			n--
 		}
 		if len(s) < 1 || n > 253 {
-			err = &labelError{s, "A4"}
+			err = labelError{s, labelCode}
 		}
 	}
 	return s, err
 }
 
+func isASCII(s string) bool {
+	for _, c := range []byte(s) {
+		if c >= 0x80 {
+			return false
+		}
+	}
+	return true
+}
+
 func normalize(p *Profile, s string) (mapped string, isBidi bool, err error) {
 	// TODO: consider first doing a quick check to see if any of these checks
 	// need to be done. This will make it slower in the general case, but
@@ -436,12 +481,12 @@ func normalize(p *Profile, s string) (mapped string, isBidi bool, err error) {
 func validateRegistration(p *Profile, s string) (idem string, bidi bool, err error) {
 	// TODO: filter need for normalization in loop below.
 	if !norm.NFC.IsNormalString(s) {
-		return s, false, &labelError{s, "V1"}
+		return s, false, labelError{s, "V1"}
 	}
 	for i := 0; i < len(s); {
 		v, sz := trie.lookupString(s[i:])
 		if sz == 0 {
-			return s, bidi, runeError(utf8.RuneError)
+			return s, bidi, runeError{utf8.RuneError, "P1"}
 		}
 		bidi = bidi || info(v).isBidi(s[i:])
 		// Copy bytes not copied so far.
@@ -449,9 +494,12 @@ func validateRegistration(p *Profile, s string) (idem string, bidi bool, err err
 		// TODO: handle the NV8 defined in the Unicode idna data set to allow
 		// for strict conformance to IDNA2008.
 		case valid, deviation:
+			if sz == 1 && p.useSTD3Rules && !allowedSTD3(rune(s[i])) {
+				return s, bidi, runeError{rune(s[i]), "P1"}
+			}
 		case disallowed, mapped, unknown, ignored:
 			r, _ := utf8.DecodeRuneInString(s[i:])
-			return s, bidi, runeError(r)
+			return s, bidi, runeError{r, "P1"}
 		}
 		i += sz
 	}
@@ -489,7 +537,7 @@ func validateAndMap(p *Profile, s string) (vm string, bidi bool, err error) {
 			b = append(b, "\ufffd"...)
 			k = len(s)
 			if err == nil {
-				err = runeError(utf8.RuneError)
+				err = runeError{utf8.RuneError, "P1"}
 			}
 			break
 		}
@@ -502,14 +550,26 @@ func validateAndMap(p *Profile, s string) (vm string, bidi bool, err error) {
 		case valid:
 			continue
 		case disallowed:
-			if err == nil {
+			// Unicode 16 delays the error until validateLabels.
+			// Unicode 10 gave an error now.
+			if !unicode16 && err == nil {
 				r, _ := utf8.DecodeRuneInString(s[start:])
-				err = runeError(r)
+				err = runeError{r, "P1"}
 			}
 			continue
-		case mapped, deviation:
+		case deviation:
+			if unicode16 && !p.transitional {
+				break
+			}
+			fallthrough
+		case mapped:
 			b = append(b, s[k:start]...)
-			b = info(v).appendMapping(b, s[start:i])
+			// Unicode 16 requires a special case to handle ẞ -> ss in transitional mode.
+			if unicode16 && p.transitional && s[start:start+sz] == "ẞ" {
+				b = append(b, "ss"...)
+			} else {
+				b = info(v).appendMapping(b, s[start:i])
+			}
 		case ignored:
 			b = append(b, s[k:start]...)
 			// drop the rune
@@ -600,13 +660,13 @@ const acePrefix = "xn--"
 
 func (p *Profile) simplify(cat category) category {
 	switch cat {
-	case disallowedSTD3Mapped:
+	case disallowedSTD3Mapped: // only happens for pre-Unicode 16
 		if p.useSTD3Rules {
 			cat = disallowed
 		} else {
 			cat = mapped
 		}
-	case disallowedSTD3Valid:
+	case disallowedSTD3Valid: // only happens for pre-Unicode 16
 		if p.useSTD3Rules {
 			cat = disallowed
 		} else {
@@ -625,17 +685,18 @@ func (p *Profile) simplify(cat category) category {
 
 func validateFromPunycode(p *Profile, s string) error {
 	if !norm.NFC.IsNormalString(s) {
-		return &labelError{s, "V1"}
+		return labelError{s, "V1"}
 	}
 	// TODO: detect whether string may have to be normalized in the following
 	// loop.
 	for i := 0; i < len(s); {
 		v, sz := trie.lookupString(s[i:])
 		if sz == 0 {
-			return runeError(utf8.RuneError)
+			return runeError{utf8.RuneError, "P1"}
 		}
-		if c := p.simplify(info(v).category()); c != valid && c != deviation {
-			return &labelError{s, "V6"}
+		cat := info(v).category()
+		if c := p.simplify(cat); c != valid && c != deviation {
+			return labelError{s, code16("V6", "V7")}
 		}
 		i += sz
 	}
@@ -704,23 +765,51 @@ var joinStates = [][numJoinTypes]joinState{
 	},
 }
 
+// allowedSTD3 reports whether r is a rune that can appear in a domain name
+// according to STD3. We allow all non-ASCII runes and then letters, digits, hyphens.
+// We also add dot so that this can be run against the whole name and not just
+// a single name element (label). The surrounding code checks dots well enough.
+func allowedSTD3(r rune) bool {
+	return r >= 0x80 || 'a' <= r && r <= 'z' || '0' <= r && r <= '9' || r == '-' || r == '.'
+}
+
 // validateLabel validates the criteria from Section 4.1. Item 1, 4, and 6 are
 // already implicitly satisfied by the overall implementation.
-func (p *Profile) validateLabel(s string) (err error) {
+func (p *Profile) validateLabel(s string, labelCode string) (err error) {
 	if s == "" {
 		if p.verifyDNSLength {
-			return &labelError{s, "A4"}
+			return labelError{s, labelCode}
 		}
 		return nil
 	}
 	if p.checkHyphens {
 		if len(s) > 4 && s[2] == '-' && s[3] == '-' {
-			return &labelError{s, "V2"}
+			return labelError{s, "V2"}
 		}
 		if s[0] == '-' || s[len(s)-1] == '-' {
-			return &labelError{s, "V3"}
+			return labelError{s, "V3"}
 		}
 	}
+
+	// Unicode 16's TR 46 delays the rune validity checks until after the label is decoded.
+	// (validateAndMap did not reject them earlier.)
+	if unicode16 && p.validateLabels() {
+		for i := 0; i < len(s); {
+			v, sz := trie.lookupString(s[i:])
+			if sz == 0 {
+				return runeError{utf8.RuneError, "P1"}
+			}
+			cat := info(v).category()
+			if c := p.simplify(cat); c != valid && (!p.transitional || c != deviation) {
+				return labelError{s, "V7"}
+			}
+			if sz == 1 && p.useSTD3Rules && !allowedSTD3(rune(s[i])) {
+				return runeError{rune(s[i]), "U1"}
+			}
+			i += sz
+		}
+	}
+
 	if !p.checkJoiners {
 		return nil
 	}
@@ -729,7 +818,7 @@ func (p *Profile) validateLabel(s string) (err error) {
 	v, sz := trie.lookupString(s)
 	x := info(v)
 	if x.isModifier() {
-		return &labelError{s, "V5"}
+		return labelError{s, code16("V5", "V6")}
 	}
 	// Quickly return in the absence of zero-width (non) joiners.
 	if strings.Index(s, zwj) == -1 && strings.Index(s, zwnj) == -1 {
@@ -754,8 +843,9 @@ func (p *Profile) validateLabel(s string) (err error) {
 		x = info(v)
 	}
 	if st == stateFAIL || st == stateAfter {
-		return &labelError{s, "C"}
+		return labelError{s, "C"}
 	}
+
 	return nil
 }
 
@@ -767,3 +857,24 @@ func ascii(s string) bool {
 	}
 	return true
 }
+
+// appendMapping appends the mapping for the respective rune. isMapped must be
+// true. A mapping is a categorization of a rune as defined in UTS #46.
+func (c info) appendMapping(b []byte, s string) []byte {
+	index := int(c >> indexShift)
+	if c&xorBit == 0 {
+		p := index
+		return append(b, mappings[mappingIndex[p]:mappingIndex[p+1]]...)
+	}
+	b = append(b, s...)
+	if c&inlineXOR == inlineXOR {
+		// TODO: support and handle two-byte inline masks
+		b[len(b)-1] ^= byte(index)
+	} else {
+		for p := len(b) - int(xorData[index]); p < len(b); p++ {
+			index++
+			b[p] ^= xorData[index]
+		}
+	}
+	return b
+}

vendor/golang.org/x/net/idna/idna9.0.0.go

@@ -1,717 +0,0 @@
-// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.10
-
-// Package idna implements IDNA2008 using the compatibility processing
-// defined by UTS (Unicode Technical Standard) #46, which defines a standard to
-// deal with the transition from IDNA2003.
-//
-// IDNA2008 (Internationalized Domain Names for Applications), is defined in RFC
-// 5890, RFC 5891, RFC 5892, RFC 5893 and RFC 5894.
-// UTS #46 is defined in https://www.unicode.org/reports/tr46.
-// See https://unicode.org/cldr/utility/idna.jsp for a visualization of the
-// differences between these two standards.
-package idna // import "golang.org/x/net/idna"
-
-import (
-	"fmt"
-	"strings"
-	"unicode/utf8"
-
-	"golang.org/x/text/secure/bidirule"
-	"golang.org/x/text/unicode/norm"
-)
-
-// NOTE: Unlike common practice in Go APIs, the functions will return a
-// sanitized domain name in case of errors. Browsers sometimes use a partially
-// evaluated string as lookup.
-// TODO: the current error handling is, in my opinion, the least opinionated.
-// Other strategies are also viable, though:
-// Option 1) Return an empty string in case of error, but allow the user to
-//    specify explicitly which errors to ignore.
-// Option 2) Return the partially evaluated string if it is itself a valid
-//    string, otherwise return the empty string in case of error.
-// Option 3) Option 1 and 2.
-// Option 4) Always return an empty string for now and implement Option 1 as
-//    needed, and document that the return string may not be empty in case of
-//    error in the future.
-// I think Option 1 is best, but it is quite opinionated.
-
-// ToASCII is a wrapper for Punycode.ToASCII.
-func ToASCII(s string) (string, error) {
-	return Punycode.process(s, true)
-}
-
-// ToUnicode is a wrapper for Punycode.ToUnicode.
-func ToUnicode(s string) (string, error) {
-	return Punycode.process(s, false)
-}
-
-// An Option configures a Profile at creation time.
-type Option func(*options)
-
-// Transitional sets a Profile to use the Transitional mapping as defined in UTS
-// #46. This will cause, for example, "ß" to be mapped to "ss". Using the
-// transitional mapping provides a compromise between IDNA2003 and IDNA2008
-// compatibility. It is used by some browsers when resolving domain names. This
-// option is only meaningful if combined with MapForLookup.
-func Transitional(transitional bool) Option {
-	return func(o *options) { o.transitional = transitional }
-}
-
-// VerifyDNSLength sets whether a Profile should fail if any of the IDN parts
-// are longer than allowed by the RFC.
-//
-// This option corresponds to the VerifyDnsLength flag in UTS #46.
-func VerifyDNSLength(verify bool) Option {
-	return func(o *options) { o.verifyDNSLength = verify }
-}
-
-// RemoveLeadingDots removes leading label separators. Leading runes that map to
-// dots, such as U+3002 IDEOGRAPHIC FULL STOP, are removed as well.
-func RemoveLeadingDots(remove bool) Option {
-	return func(o *options) { o.removeLeadingDots = remove }
-}
-
-// ValidateLabels sets whether to check the mandatory label validation criteria
-// as defined in Section 5.4 of RFC 5891. This includes testing for correct use
-// of hyphens ('-'), normalization, validity of runes, and the context rules.
-// In particular, ValidateLabels also sets the CheckHyphens and CheckJoiners flags
-// in UTS #46.
-func ValidateLabels(enable bool) Option {
-	return func(o *options) {
-		// Don't override existing mappings, but set one that at least checks
-		// normalization if it is not set.
-		if o.mapping == nil && enable {
-			o.mapping = normalize
-		}
-		o.trie = trie
-		o.checkJoiners = enable
-		o.checkHyphens = enable
-		if enable {
-			o.fromPuny = validateFromPunycode
-		} else {
-			o.fromPuny = nil
-		}
-	}
-}
-
-// CheckHyphens sets whether to check for correct use of hyphens ('-') in
-// labels. Most web browsers do not have this option set, since labels such as
-// "r3---sn-apo3qvuoxuxbt-j5pe" are in common use.
-//
-// This option corresponds to the CheckHyphens flag in UTS #46.
-func CheckHyphens(enable bool) Option {
-	return func(o *options) { o.checkHyphens = enable }
-}
-
-// CheckJoiners sets whether to check the ContextJ rules as defined in Appendix
-// A of RFC 5892, concerning the use of joiner runes.
-//
-// This option corresponds to the CheckJoiners flag in UTS #46.
-func CheckJoiners(enable bool) Option {
-	return func(o *options) {
-		o.trie = trie
-		o.checkJoiners = enable
-	}
-}
-
-// StrictDomainName limits the set of permissible ASCII characters to those
-// allowed in domain names as defined in RFC 1034 (A-Z, a-z, 0-9 and the
-// hyphen). This is set by default for MapForLookup and ValidateForRegistration,
-// but is only useful if ValidateLabels is set.
-//
-// This option is useful, for instance, for browsers that allow characters
-// outside this range, for example a '_' (U+005F LOW LINE). See
-// http://www.rfc-editor.org/std/std3.txt for more details.
-//
-// This option corresponds to the UseSTD3ASCIIRules flag in UTS #46.
-func StrictDomainName(use bool) Option {
-	return func(o *options) { o.useSTD3Rules = use }
-}
-
-// NOTE: the following options pull in tables. The tables should not be linked
-// in as long as the options are not used.
-
-// BidiRule enables the Bidi rule as defined in RFC 5893. Any application
-// that relies on proper validation of labels should include this rule.
-//
-// This option corresponds to the CheckBidi flag in UTS #46.
-func BidiRule() Option {
-	return func(o *options) { o.bidirule = bidirule.ValidString }
-}
-
-// ValidateForRegistration sets validation options to verify that a given IDN is
-// properly formatted for registration as defined by Section 4 of RFC 5891.
-func ValidateForRegistration() Option {
-	return func(o *options) {
-		o.mapping = validateRegistration
-		StrictDomainName(true)(o)
-		ValidateLabels(true)(o)
-		VerifyDNSLength(true)(o)
-		BidiRule()(o)
-	}
-}
-
-// MapForLookup sets validation and mapping options such that a given IDN is
-// transformed for domain name lookup according to the requirements set out in
-// Section 5 of RFC 5891. The mappings follow the recommendations of RFC 5894,
-// RFC 5895 and UTS 46. It does not add the Bidi Rule. Use the BidiRule option
-// to add this check.
-//
-// The mappings include normalization and mapping case, width and other
-// compatibility mappings.
-func MapForLookup() Option {
-	return func(o *options) {
-		o.mapping = validateAndMap
-		StrictDomainName(true)(o)
-		ValidateLabels(true)(o)
-		RemoveLeadingDots(true)(o)
-	}
-}
-
-type options struct {
-	transitional      bool
-	useSTD3Rules      bool
-	checkHyphens      bool
-	checkJoiners      bool
-	verifyDNSLength   bool
-	removeLeadingDots bool
-
-	trie *idnaTrie
-
-	// fromPuny calls validation rules when converting A-labels to U-labels.
-	fromPuny func(p *Profile, s string) error
-
-	// mapping implements a validation and mapping step as defined in RFC 5895
-	// or UTS 46, tailored to, for example, domain registration or lookup.
-	mapping func(p *Profile, s string) (string, error)
-
-	// bidirule, if specified, checks whether s conforms to the Bidi Rule
-	// defined in RFC 5893.
-	bidirule func(s string) bool
-}
-
-// A Profile defines the configuration of a IDNA mapper.
-type Profile struct {
-	options
-}
-
-func apply(o *options, opts []Option) {
-	for _, f := range opts {
-		f(o)
-	}
-}
-
-// New creates a new Profile.
-//
-// With no options, the returned Profile is the most permissive and equals the
-// Punycode Profile. Options can be passed to further restrict the Profile. The
-// MapForLookup and ValidateForRegistration options set a collection of options,
-// for lookup and registration purposes respectively, which can be tailored by
-// adding more fine-grained options, where later options override earlier
-// options.
-func New(o ...Option) *Profile {
-	p := &Profile{}
-	apply(&p.options, o)
-	return p
-}
-
-// ToASCII converts a domain or domain label to its ASCII form. For example,
-// ToASCII("bücher.example.com") is "xn--bcher-kva.example.com", and
-// ToASCII("golang") is "golang". If an error is encountered it will return
-// an error and a (partially) processed result.
-func (p *Profile) ToASCII(s string) (string, error) {
-	return p.process(s, true)
-}
-
-// ToUnicode converts a domain or domain label to its Unicode form. For example,
-// ToUnicode("xn--bcher-kva.example.com") is "bücher.example.com", and
-// ToUnicode("golang") is "golang". If an error is encountered it will return
-// an error and a (partially) processed result.
-func (p *Profile) ToUnicode(s string) (string, error) {
-	pp := *p
-	pp.transitional = false
-	return pp.process(s, false)
-}
-
-// String reports a string with a description of the profile for debugging
-// purposes. The string format may change with different versions.
-func (p *Profile) String() string {
-	s := ""
-	if p.transitional {
-		s = "Transitional"
-	} else {
-		s = "NonTransitional"
-	}
-	if p.useSTD3Rules {
-		s += ":UseSTD3Rules"
-	}
-	if p.checkHyphens {
-		s += ":CheckHyphens"
-	}
-	if p.checkJoiners {
-		s += ":CheckJoiners"
-	}
-	if p.verifyDNSLength {
-		s += ":VerifyDNSLength"
-	}
-	return s
-}
-
-var (
-	// Punycode is a Profile that does raw punycode processing with a minimum
-	// of validation.
-	Punycode *Profile = punycode
-
-	// Lookup is the recommended profile for looking up domain names, according
-	// to Section 5 of RFC 5891. The exact configuration of this profile may
-	// change over time.
-	Lookup *Profile = lookup
-
-	// Display is the recommended profile for displaying domain names.
-	// The configuration of this profile may change over time.
-	Display *Profile = display
-
-	// Registration is the recommended profile for checking whether a given
-	// IDN is valid for registration, according to Section 4 of RFC 5891.
-	Registration *Profile = registration
-
-	punycode = &Profile{}
-	lookup   = &Profile{options{
-		transitional:      true,
-		removeLeadingDots: true,
-		useSTD3Rules:      true,
-		checkHyphens:      true,
-		checkJoiners:      true,
-		trie:              trie,
-		fromPuny:          validateFromPunycode,
-		mapping:           validateAndMap,
-		bidirule:          bidirule.ValidString,
-	}}
-	display = &Profile{options{
-		useSTD3Rules:      true,
-		removeLeadingDots: true,
-		checkHyphens:      true,
-		checkJoiners:      true,
-		trie:              trie,
-		fromPuny:          validateFromPunycode,
-		mapping:           validateAndMap,
-		bidirule:          bidirule.ValidString,
-	}}
-	registration = &Profile{options{
-		useSTD3Rules:    true,
-		verifyDNSLength: true,
-		checkHyphens:    true,
-		checkJoiners:    true,
-		trie:            trie,
-		fromPuny:        validateFromPunycode,
-		mapping:         validateRegistration,
-		bidirule:        bidirule.ValidString,
-	}}
-
-	// TODO: profiles
-	// Register: recommended for approving domain names: don't do any mappings
-	// but rather reject on invalid input. Bundle or block deviation characters.
-)
-
-type labelError struct{ label, code_ string }
-
-func (e labelError) code() string { return e.code_ }
-func (e labelError) Error() string {
-	return fmt.Sprintf("idna: invalid label %q", e.label)
-}
-
-type runeError rune
-
-func (e runeError) code() string { return "P1" }
-func (e runeError) Error() string {
-	return fmt.Sprintf("idna: disallowed rune %U", e)
-}
-
-// process implements the algorithm described in section 4 of UTS #46,
-// see https://www.unicode.org/reports/tr46.
-func (p *Profile) process(s string, toASCII bool) (string, error) {
-	var err error
-	if p.mapping != nil {
-		s, err = p.mapping(p, s)
-	}
-	// Remove leading empty labels.
-	if p.removeLeadingDots {
-		for ; len(s) > 0 && s[0] == '.'; s = s[1:] {
-		}
-	}
-	// It seems like we should only create this error on ToASCII, but the
-	// UTS 46 conformance tests suggests we should always check this.
-	if err == nil && p.verifyDNSLength && s == "" {
-		err = &labelError{s, "A4"}
-	}
-	labels := labelIter{orig: s}
-	for ; !labels.done(); labels.next() {
-		label := labels.label()
-		if label == "" {
-			// Empty labels are not okay. The label iterator skips the last
-			// label if it is empty.
-			if err == nil && p.verifyDNSLength {
-				err = &labelError{s, "A4"}
-			}
-			continue
-		}
-		if strings.HasPrefix(label, acePrefix) {
-			u, err2 := decode(label[len(acePrefix):])
-			if err2 != nil {
-				if err == nil {
-					err = err2
-				}
-				// Spec says keep the old label.
-				continue
-			}
-			labels.set(u)
-			if err == nil && p.fromPuny != nil {
-				err = p.fromPuny(p, u)
-			}
-			if err == nil {
-				// This should be called on NonTransitional, according to the
-				// spec, but that currently does not have any effect. Use the
-				// original profile to preserve options.
-				err = p.validateLabel(u)
-			}
-		} else if err == nil {
-			err = p.validateLabel(label)
-		}
-	}
-	if toASCII {
-		for labels.reset(); !labels.done(); labels.next() {
-			label := labels.label()
-			if !ascii(label) {
-				a, err2 := encode(acePrefix, label)
-				if err == nil {
-					err = err2
-				}
-				label = a
-				labels.set(a)
-			}
-			n := len(label)
-			if p.verifyDNSLength && err == nil && (n == 0 || n > 63) {
-				err = &labelError{label, "A4"}
-			}
-		}
-	}
-	s = labels.result()
-	if toASCII && p.verifyDNSLength && err == nil {
-		// Compute the length of the domain name minus the root label and its dot.
-		n := len(s)
-		if n > 0 && s[n-1] == '.' {
-			n--
-		}
-		if len(s) < 1 || n > 253 {
-			err = &labelError{s, "A4"}
-		}
-	}
-	return s, err
-}
-
-func normalize(p *Profile, s string) (string, error) {
-	return norm.NFC.String(s), nil
-}
-
-func validateRegistration(p *Profile, s string) (string, error) {
-	if !norm.NFC.IsNormalString(s) {
-		return s, &labelError{s, "V1"}
-	}
-	for i := 0; i < len(s); {
-		v, sz := trie.lookupString(s[i:])
-		// Copy bytes not copied so far.
-		switch p.simplify(info(v).category()) {
-		// TODO: handle the NV8 defined in the Unicode idna data set to allow
-		// for strict conformance to IDNA2008.
-		case valid, deviation:
-		case disallowed, mapped, unknown, ignored:
-			r, _ := utf8.DecodeRuneInString(s[i:])
-			return s, runeError(r)
-		}
-		i += sz
-	}
-	return s, nil
-}
-
-func validateAndMap(p *Profile, s string) (string, error) {
-	var (
-		err error
-		b   []byte
-		k   int
-	)
-	for i := 0; i < len(s); {
-		v, sz := trie.lookupString(s[i:])
-		start := i
-		i += sz
-		// Copy bytes not copied so far.
-		switch p.simplify(info(v).category()) {
-		case valid:
-			continue
-		case disallowed:
-			if err == nil {
-				r, _ := utf8.DecodeRuneInString(s[start:])
-				err = runeError(r)
-			}
-			continue
-		case mapped, deviation:
-			b = append(b, s[k:start]...)
-			b = info(v).appendMapping(b, s[start:i])
-		case ignored:
-			b = append(b, s[k:start]...)
-			// drop the rune
-		case unknown:
-			b = append(b, s[k:start]...)
-			b = append(b, "\ufffd"...)
-		}
-		k = i
-	}
-	if k == 0 {
-		// No changes so far.
-		s = norm.NFC.String(s)
-	} else {
-		b = append(b, s[k:]...)
-		if norm.NFC.QuickSpan(b) != len(b) {
-			b = norm.NFC.Bytes(b)
-		}
-		// TODO: the punycode converters require strings as input.
-		s = string(b)
-	}
-	return s, err
-}
-
-// A labelIter allows iterating over domain name labels.
-type labelIter struct {
-	orig     string
-	slice    []string
-	curStart int
-	curEnd   int
-	i        int
-}
-
-func (l *labelIter) reset() {
-	l.curStart = 0
-	l.curEnd = 0
-	l.i = 0
-}
-
-func (l *labelIter) done() bool {
-	return l.curStart >= len(l.orig)
-}
-
-func (l *labelIter) result() string {
-	if l.slice != nil {
-		return strings.Join(l.slice, ".")
-	}
-	return l.orig
-}
-
-func (l *labelIter) label() string {
-	if l.slice != nil {
-		return l.slice[l.i]
-	}
-	p := strings.IndexByte(l.orig[l.curStart:], '.')
-	l.curEnd = l.curStart + p
-	if p == -1 {
-		l.curEnd = len(l.orig)
-	}
-	return l.orig[l.curStart:l.curEnd]
-}
-
-// next sets the value to the next label. It skips the last label if it is empty.
-func (l *labelIter) next() {
-	l.i++
-	if l.slice != nil {
-		if l.i >= len(l.slice) || l.i == len(l.slice)-1 && l.slice[l.i] == "" {
-			l.curStart = len(l.orig)
-		}
-	} else {
-		l.curStart = l.curEnd + 1
-		if l.curStart == len(l.orig)-1 && l.orig[l.curStart] == '.' {
-			l.curStart = len(l.orig)
-		}
-	}
-}
-
-func (l *labelIter) set(s string) {
-	if l.slice == nil {
-		l.slice = strings.Split(l.orig, ".")
-	}
-	l.slice[l.i] = s
-}
-
-// acePrefix is the ASCII Compatible Encoding prefix.
-const acePrefix = "xn--"
-
-func (p *Profile) simplify(cat category) category {
-	switch cat {
-	case disallowedSTD3Mapped:
-		if p.useSTD3Rules {
-			cat = disallowed
-		} else {
-			cat = mapped
-		}
-	case disallowedSTD3Valid:
-		if p.useSTD3Rules {
-			cat = disallowed
-		} else {
-			cat = valid
-		}
-	case deviation:
-		if !p.transitional {
-			cat = valid
-		}
-	case validNV8, validXV8:
-		// TODO: handle V2008
-		cat = valid
-	}
-	return cat
-}
-
-func validateFromPunycode(p *Profile, s string) error {
-	if !norm.NFC.IsNormalString(s) {
-		return &labelError{s, "V1"}
-	}
-	for i := 0; i < len(s); {
-		v, sz := trie.lookupString(s[i:])
-		if c := p.simplify(info(v).category()); c != valid && c != deviation {
-			return &labelError{s, "V6"}
-		}
-		i += sz
-	}
-	return nil
-}
-
-const (
-	zwnj = "\u200c"
-	zwj  = "\u200d"
-)
-
-type joinState int8
-
-const (
-	stateStart joinState = iota
-	stateVirama
-	stateBefore
-	stateBeforeVirama
-	stateAfter
-	stateFAIL
-)
-
-var joinStates = [][numJoinTypes]joinState{
-	stateStart: {
-		joiningL:   stateBefore,
-		joiningD:   stateBefore,
-		joinZWNJ:   stateFAIL,
-		joinZWJ:    stateFAIL,
-		joinVirama: stateVirama,
-	},
-	stateVirama: {
-		joiningL: stateBefore,
-		joiningD: stateBefore,
-	},
-	stateBefore: {
-		joiningL:   stateBefore,
-		joiningD:   stateBefore,
-		joiningT:   stateBefore,
-		joinZWNJ:   stateAfter,
-		joinZWJ:    stateFAIL,
-		joinVirama: stateBeforeVirama,
-	},
-	stateBeforeVirama: {
-		joiningL: stateBefore,
-		joiningD: stateBefore,
-		joiningT: stateBefore,
-	},
-	stateAfter: {
-		joiningL:   stateFAIL,
-		joiningD:   stateBefore,
-		joiningT:   stateAfter,
-		joiningR:   stateStart,
-		joinZWNJ:   stateFAIL,
-		joinZWJ:    stateFAIL,
-		joinVirama: stateAfter, // no-op as we can't accept joiners here
-	},
-	stateFAIL: {
-		0:          stateFAIL,
-		joiningL:   stateFAIL,
-		joiningD:   stateFAIL,
-		joiningT:   stateFAIL,
-		joiningR:   stateFAIL,
-		joinZWNJ:   stateFAIL,
-		joinZWJ:    stateFAIL,
-		joinVirama: stateFAIL,
-	},
-}
-
-// validateLabel validates the criteria from Section 4.1. Item 1, 4, and 6 are
-// already implicitly satisfied by the overall implementation.
-func (p *Profile) validateLabel(s string) error {
-	if s == "" {
-		if p.verifyDNSLength {
-			return &labelError{s, "A4"}
-		}
-		return nil
-	}
-	if p.bidirule != nil && !p.bidirule(s) {
-		return &labelError{s, "B"}
-	}
-	if p.checkHyphens {
-		if len(s) > 4 && s[2] == '-' && s[3] == '-' {
-			return &labelError{s, "V2"}
-		}
-		if s[0] == '-' || s[len(s)-1] == '-' {
-			return &labelError{s, "V3"}
-		}
-	}
-	if !p.checkJoiners {
-		return nil
-	}
-	trie := p.trie // p.checkJoiners is only set if trie is set.
-	// TODO: merge the use of this in the trie.
-	v, sz := trie.lookupString(s)
-	x := info(v)
-	if x.isModifier() {
-		return &labelError{s, "V5"}
-	}
-	// Quickly return in the absence of zero-width (non) joiners.
-	if strings.Index(s, zwj) == -1 && strings.Index(s, zwnj) == -1 {
-		return nil
-	}
-	st := stateStart
-	for i := 0; ; {
-		jt := x.joinType()
-		if s[i:i+sz] == zwj {
-			jt = joinZWJ
-		} else if s[i:i+sz] == zwnj {
-			jt = joinZWNJ
-		}
-		st = joinStates[st][jt]
-		if x.isViramaModifier() {
-			st = joinStates[st][joinVirama]
-		}
-		if i += sz; i == len(s) {
-			break
-		}
-		v, sz = trie.lookupString(s[i:])
-		x = info(v)
-	}
-	if st == stateFAIL || st == stateAfter {
-		return &labelError{s, "C"}
-	}
-	return nil
-}
-
-func ascii(s string) bool {
-	for i := 0; i < len(s); i++ {
-		if s[i] >= utf8.RuneSelf {
-			return false
-		}
-	}
-	return true
-}

vendor/golang.org/x/net/idna/pre_go118.go

@@ -1,11 +0,0 @@
-// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.18
-
-package idna
-
-const transitionalLookup = true

vendor/golang.org/x/net/idna/punycode.go

@@ -28,7 +28,7 @@ const (
 	tmin        int32 = 1
 )
 
-func punyError(s string) error { return &labelError{s, "A3"} }
+func punyError(s string) error { return &labelError{s, code16("A3", "P4")} }
 
 // decode decodes a string as specified in section 6.2.
 func decode(encoded string) (string, error) {
@@ -108,6 +108,9 @@ func encode(prefix, s string) (string, error) {
 	delta, n, bias := int32(0), initialN, initialBias
 	b, remaining := int32(0), int32(0)
 	for _, r := range s {
+		if unicode16 && r == 0xfffd {
+			return s, &labelError{s, "A3"}
+		}
 		if r < 0x80 {
 			b++
 			output = append(output, byte(r))

vendor/golang.org/x/net/idna/tables15.0.0.go

@@ -1,6 +1,6 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
 
-//go:build go1.21
+//go:build !go1.27
 
 package idna
 

vendor/golang.org/x/net/idna/trie12.0.0.go

@@ -1,30 +0,0 @@
-// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.16
-
-package idna
-
-// appendMapping appends the mapping for the respective rune. isMapped must be
-// true. A mapping is a categorization of a rune as defined in UTS #46.
-func (c info) appendMapping(b []byte, s string) []byte {
-	index := int(c >> indexShift)
-	if c&xorBit == 0 {
-		s := mappings[index:]
-		return append(b, s[1:s[0]+1]...)
-	}
-	b = append(b, s...)
-	if c&inlineXOR == inlineXOR {
-		// TODO: support and handle two-byte inline masks
-		b[len(b)-1] ^= byte(index)
-	} else {
-		for p := len(b) - int(xorData[index]); p < len(b); p++ {
-			index++
-			b[p] ^= xorData[index]
-		}
-	}
-	return b
-}

vendor/golang.org/x/net/idna/trie13.0.0.go

@@ -1,30 +0,0 @@
-// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.16
-
-package idna
-
-// appendMapping appends the mapping for the respective rune. isMapped must be
-// true. A mapping is a categorization of a rune as defined in UTS #46.
-func (c info) appendMapping(b []byte, s string) []byte {
-	index := int(c >> indexShift)
-	if c&xorBit == 0 {
-		p := index
-		return append(b, mappings[mappingIndex[p]:mappingIndex[p+1]]...)
-	}
-	b = append(b, s...)
-	if c&inlineXOR == inlineXOR {
-		// TODO: support and handle two-byte inline masks
-		b[len(b)-1] ^= byte(index)
-	} else {
-		for p := len(b) - int(xorData[index]); p < len(b); p++ {
-			index++
-			b[p] ^= xorData[index]
-		}
-	}
-	return b
-}

vendor/golang.org/x/net/internal/httpcommon/request.go

@@ -448,6 +448,14 @@ func NewServerRequest(rp ServerRequestParam) ServerRequestResult {
 		url_ = &url.URL{Host: rp.Authority}
 		requestURI = rp.Authority // mimic HTTP/1 server behavior
 	} else {
+		// "[The :path] pseudo-header field MUST NOT be empty [...]"
+		// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.4.2
+		if rp.Path == "" || (rp.Path[0] != '/' && rp.Path != "*") {
+			return ServerRequestResult{
+				InvalidReason: "bad_path",
+			}
+		}
+
 		var err error
 		url_, err = url.ParseRequestURI(rp.Path)
 		if err != nil {

vendor/golang.org/x/sys/cpu/cpu.go

@@ -152,13 +152,17 @@ var ARM struct {
 // The booleans in Loong64 contain the correspondingly named cpu feature bit.
 // The struct is padded to avoid false sharing.
 var Loong64 struct {
-	_         CacheLinePad
-	HasLSX    bool // support 128-bit vector extension
-	HasLASX   bool // support 256-bit vector extension
-	HasCRC32  bool // support CRC instruction
-	HasLAM_BH bool // support AM{SWAP/ADD}[_DB].{B/H} instruction
-	HasLAMCAS bool // support AMCAS[_DB].{B/H/W/D} instruction
-	_         CacheLinePad
+	_              CacheLinePad
+	HasLSX         bool // support 128-bit vector extension
+	HasLASX        bool // support 256-bit vector extension
+	HasCRC32       bool // support CRC instruction
+	HasLAMCAS      bool // support AMCAS[_DB].{B/H/W/D}
+	HasLAM_BH      bool // support AM{SWAP/ADD}[_DB].{B/H} instruction
+	HasLLACQ_SCREL bool // support LLACQ.{W/D}, SCREL.{W/D} instruction
+	HasSCQ         bool // support SC.Q instruction
+	HasDBAR_HINTS  bool // supports finer-grained DBAR hints
+
+	_ CacheLinePad
 }
 
 // MIPS64X contains the supported CPU features of the current mips64/mips64le
@@ -232,6 +236,7 @@ var RISCV64 struct {
 	HasZba            bool // Address generation instructions extension
 	HasZbb            bool // Basic bit-manipulation extension
 	HasZbs            bool // Single-bit instructions extension
+	HasZbc            bool // Carryless multiplication extension
 	HasZvbb           bool // Vector Basic Bit-manipulation
 	HasZvbc           bool // Vector Carryless Multiplication
 	HasZvkb           bool // Vector Cryptography Bit-manipulation

vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go

@@ -58,6 +58,7 @@ const (
 	riscv_HWPROBE_EXT_ZBA         = 0x8
 	riscv_HWPROBE_EXT_ZBB         = 0x10
 	riscv_HWPROBE_EXT_ZBS         = 0x20
+	riscv_HWPROBE_EXT_ZBC         = 0x80
 	riscv_HWPROBE_EXT_ZVBB        = 0x20000
 	riscv_HWPROBE_EXT_ZVBC        = 0x40000
 	riscv_HWPROBE_EXT_ZVKB        = 0x80000
@@ -108,6 +109,7 @@ func doinit() {
 			RISCV64.HasZba = isSet(v, riscv_HWPROBE_EXT_ZBA)
 			RISCV64.HasZbb = isSet(v, riscv_HWPROBE_EXT_ZBB)
 			RISCV64.HasZbs = isSet(v, riscv_HWPROBE_EXT_ZBS)
+			RISCV64.HasZbc = isSet(v, riscv_HWPROBE_EXT_ZBC)
 			RISCV64.HasZvbb = isSet(v, riscv_HWPROBE_EXT_ZVBB)
 			RISCV64.HasZvbc = isSet(v, riscv_HWPROBE_EXT_ZVBC)
 			RISCV64.HasZvkb = isSet(v, riscv_HWPROBE_EXT_ZVKB)

vendor/golang.org/x/sys/cpu/cpu_loong64.go

@@ -15,8 +15,13 @@ const (
 	cpucfg1_CRC32 = 1 << 25
 
 	// CPUCFG2 bits
-	cpucfg2_LAM_BH = 1 << 27
-	cpucfg2_LAMCAS = 1 << 28
+	cpucfg2_LAM_BH      = 1 << 27
+	cpucfg2_LAMCAS      = 1 << 28
+	cpucfg2_LLACQ_SCREL = 1 << 29
+	cpucfg2_SCQ         = 1 << 30
+
+	// CPUCFG3 bits
+	cpucfg3_DBAR_HINTS = 1 << 17
 )
 
 func initOptions() {
@@ -26,6 +31,9 @@ func initOptions() {
 		{Name: "crc32", Feature: &Loong64.HasCRC32},
 		{Name: "lam_bh", Feature: &Loong64.HasLAM_BH},
 		{Name: "lamcas", Feature: &Loong64.HasLAMCAS},
+		{Name: "llacq_screl", Feature: &Loong64.HasLLACQ_SCREL},
+		{Name: "scq", Feature: &Loong64.HasSCQ},
+		{Name: "dbar_hints", Feature: &Loong64.HasDBAR_HINTS},
 	}
 
 	// The CPUCFG data on Loong64 only reflects the hardware capabilities,
@@ -37,10 +45,14 @@ func initOptions() {
 	// through CPUCFG
 	cfg1 := get_cpucfg(1)
 	cfg2 := get_cpucfg(2)
+	cfg3 := get_cpucfg(3)
 
 	Loong64.HasCRC32 = cfgIsSet(cfg1, cpucfg1_CRC32)
 	Loong64.HasLAMCAS = cfgIsSet(cfg2, cpucfg2_LAMCAS)
 	Loong64.HasLAM_BH = cfgIsSet(cfg2, cpucfg2_LAM_BH)
+	Loong64.HasLLACQ_SCREL = cfgIsSet(cfg2, cpucfg2_LLACQ_SCREL)
+	Loong64.HasSCQ = cfgIsSet(cfg2, cpucfg2_SCQ)
+	Loong64.HasDBAR_HINTS = cfgIsSet(cfg3, cpucfg3_DBAR_HINTS)
 }
 
 func get_cpucfg(reg uint32) uint32

vendor/golang.org/x/sys/cpu/cpu_other_arm64.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !darwin && !linux && !netbsd && !openbsd && arm64
+//go:build !darwin && !linux && !netbsd && !openbsd && !windows && arm64
 
 package cpu
 

vendor/golang.org/x/sys/cpu/cpu_riscv64.go

@@ -16,6 +16,7 @@ func initOptions() {
 		{Name: "zba", Feature: &RISCV64.HasZba},
 		{Name: "zbb", Feature: &RISCV64.HasZbb},
 		{Name: "zbs", Feature: &RISCV64.HasZbs},
+		{Name: "zbc", Feature: &RISCV64.HasZbc},
 		// RISC-V Cryptography Extensions
 		{Name: "zvbb", Feature: &RISCV64.HasZvbb},
 		{Name: "zvbc", Feature: &RISCV64.HasZvbc},

vendor/golang.org/x/sys/cpu/cpu_windows.go

@@ -0,0 +1,26 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cpu
+
+//go:generate go run golang.org/x/sys/windows/mkwinsyscall -systemdll=false -output zcpu_windows.go cpu_windows.go
+
+//sys	isProcessorFeaturePresent(ProcessorFeature uint32) (ret bool) = kernel32.IsProcessorFeaturePresent
+
+// The processor features to be tested for IsProcessorFeaturePresent, see
+// https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-isprocessorfeaturepresent
+const (
+	_PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE  = 30
+	_PF_ARM_V8_CRC32_INSTRUCTIONS_AVAILABLE   = 31
+	_PF_ARM_V81_ATOMIC_INSTRUCTIONS_AVAILABLE = 34
+	_PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE     = 43
+
+	_PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE = 44
+	_PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE = 45
+	_PF_ARM_SVE_INSTRUCTIONS_AVAILABLE       = 46
+	_PF_ARM_SVE2_INSTRUCTIONS_AVAILABLE      = 47
+
+	_PF_ARM_SHA3_INSTRUCTIONS_AVAILABLE   = 64
+	_PF_ARM_SHA512_INSTRUCTIONS_AVAILABLE = 65
+)

vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go

@@ -0,0 +1,38 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cpu
+
+func doinit() {
+	// set HasASIMD and HasFP to true as per
+	// https://learn.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=msvc-170#base-requirements
+	//
+	// The ARM64 version of Windows always presupposes that it's running on an ARMv8 or later architecture.
+	// Both floating-point and NEON support are presumed to be present in hardware.
+	//
+	ARM64.HasASIMD = true
+	ARM64.HasFP = true
+
+	if isProcessorFeaturePresent(_PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) {
+		ARM64.HasAES = true
+		ARM64.HasPMULL = true
+		ARM64.HasSHA1 = true
+		ARM64.HasSHA2 = true
+	}
+	ARM64.HasSHA3 = isProcessorFeaturePresent(_PF_ARM_SHA3_INSTRUCTIONS_AVAILABLE)
+	ARM64.HasCRC32 = isProcessorFeaturePresent(_PF_ARM_V8_CRC32_INSTRUCTIONS_AVAILABLE)
+	ARM64.HasSHA512 = isProcessorFeaturePresent(_PF_ARM_SHA512_INSTRUCTIONS_AVAILABLE)
+	ARM64.HasATOMICS = isProcessorFeaturePresent(_PF_ARM_V81_ATOMIC_INSTRUCTIONS_AVAILABLE)
+	if isProcessorFeaturePresent(_PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE) {
+		ARM64.HasASIMDDP = true
+		ARM64.HasASIMDRDM = true
+	}
+	if isProcessorFeaturePresent(_PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE) {
+		ARM64.HasLRCPC = true
+		ARM64.HasSM3 = true
+	}
+	ARM64.HasSVE = isProcessorFeaturePresent(_PF_ARM_SVE_INSTRUCTIONS_AVAILABLE)
+	ARM64.HasSVE2 = isProcessorFeaturePresent(_PF_ARM_SVE2_INSTRUCTIONS_AVAILABLE)
+	ARM64.HasJSCVT = isProcessorFeaturePresent(_PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE)
+}

vendor/golang.org/x/sys/cpu/zcpu_windows.go

@@ -0,0 +1,48 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package cpu
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = syscall.NewLazyDLL("kernel32.dll")
+
+	procIsProcessorFeaturePresent = modkernel32.NewProc("IsProcessorFeaturePresent")
+)
+
+func isProcessorFeaturePresent(ProcessorFeature uint32) (ret bool) {
+	r0, _, _ := syscall.SyscallN(procIsProcessorFeaturePresent.Addr(), uintptr(ProcessorFeature))
+	ret = r0 != 0
+	return
+}

vendor/golang.org/x/sys/unix/affinity_linux.go

@@ -13,11 +13,19 @@ import (
 
 const cpuSetSize = _CPU_SETSIZE / _NCPUBITS
 
-// CPUSet represents a CPU affinity mask.
+// CPUSet represents a bit mask of CPUs, to be used with [SchedGetaffinity], [SchedSetaffinity],
+// and [SetMemPolicy].
+//
+// Note this type can only represent CPU IDs 0 through 1023.
+// Use [CPUSetDynamic]/[NewCPUSet] instead to avoid this limit.
 type CPUSet [cpuSetSize]cpuMask
 
-func schedAffinity(trap uintptr, pid int, set *CPUSet) error {
-	_, _, e := RawSyscall(trap, uintptr(pid), uintptr(unsafe.Sizeof(*set)), uintptr(unsafe.Pointer(set)))
+// CPUSetDynamic represents a bit mask of CPUs, to be used with [SchedGetaffinityDynamic],
+// [SchedSetaffinityDynamic], and [SetMemPolicyDynamic]. Use [NewCPUSet] to allocate.
+type CPUSetDynamic []cpuMask
+
+func schedAffinity(trap uintptr, pid int, size uintptr, ptr unsafe.Pointer) error {
+	_, _, e := RawSyscall(trap, uintptr(pid), uintptr(size), uintptr(ptr))
 	if e != 0 {
 		return errnoErr(e)
 	}
@@ -27,13 +35,13 @@ func schedAffinity(trap uintptr, pid int, set *CPUSet) error {
 // SchedGetaffinity gets the CPU affinity mask of the thread specified by pid.
 // If pid is 0 the calling thread is used.
 func SchedGetaffinity(pid int, set *CPUSet) error {
-	return schedAffinity(SYS_SCHED_GETAFFINITY, pid, set)
+	return schedAffinity(SYS_SCHED_GETAFFINITY, pid, unsafe.Sizeof(*set), unsafe.Pointer(set))
 }
 
 // SchedSetaffinity sets the CPU affinity mask of the thread specified by pid.
 // If pid is 0 the calling thread is used.
 func SchedSetaffinity(pid int, set *CPUSet) error {
-	return schedAffinity(SYS_SCHED_SETAFFINITY, pid, set)
+	return schedAffinity(SYS_SCHED_SETAFFINITY, pid, unsafe.Sizeof(*set), unsafe.Pointer(set))
 }
 
 // Zero clears the set s, so that it contains no CPUs.
@@ -45,9 +53,7 @@ func (s *CPUSet) Zero() {
 // will silently ignore any invalid CPU bits in [CPUSet] so this is an
 // efficient way of resetting the CPU affinity of a process.
 func (s *CPUSet) Fill() {
-	for i := range s {
-		s[i] = ^cpuMask(0)
-	}
+	cpuMaskFill(s[:])
 }
 
 func cpuBitsIndex(cpu int) int {
@@ -58,24 +64,27 @@ func cpuBitsMask(cpu int) cpuMask {
 	return cpuMask(1 << (uint(cpu) % _NCPUBITS))
 }
 
-// Set adds cpu to the set s.
-func (s *CPUSet) Set(cpu int) {
+func cpuMaskFill(s []cpuMask) {
+	for i := range s {
+		s[i] = ^cpuMask(0)
+	}
+}
+
+func cpuMaskSet(s []cpuMask, cpu int) {
 	i := cpuBitsIndex(cpu)
 	if i < len(s) {
 		s[i] |= cpuBitsMask(cpu)
 	}
 }
 
-// Clear removes cpu from the set s.
-func (s *CPUSet) Clear(cpu int) {
+func cpuMaskClear(s []cpuMask, cpu int) {
 	i := cpuBitsIndex(cpu)
 	if i < len(s) {
 		s[i] &^= cpuBitsMask(cpu)
 	}
 }
 
-// IsSet reports whether cpu is in the set s.
-func (s *CPUSet) IsSet(cpu int) bool {
+func cpuMaskIsSet(s []cpuMask, cpu int) bool {
 	i := cpuBitsIndex(cpu)
 	if i < len(s) {
 		return s[i]&cpuBitsMask(cpu) != 0
@@ -83,11 +92,98 @@ func (s *CPUSet) IsSet(cpu int) bool {
 	return false
 }
 
-// Count returns the number of CPUs in the set s.
-func (s *CPUSet) Count() int {
+func cpuMaskCount(s []cpuMask) int {
 	c := 0
 	for _, b := range s {
 		c += bits.OnesCount64(uint64(b))
 	}
 	return c
 }
+
+// Set adds cpu to the set s. If cpu is out of bounds for s, no action is taken.
+func (s *CPUSet) Set(cpu int) {
+	cpuMaskSet(s[:], cpu)
+}
+
+// Clear removes cpu from the set s. If cpu is out of bounds for s, no action is taken.
+func (s *CPUSet) Clear(cpu int) {
+	cpuMaskClear(s[:], cpu)
+}
+
+// IsSet reports whether cpu is in the set s.
+func (s *CPUSet) IsSet(cpu int) bool {
+	return cpuMaskIsSet(s[:], cpu)
+}
+
+// Count returns the number of CPUs in the set s.
+func (s *CPUSet) Count() int {
+	return cpuMaskCount(s[:])
+}
+
+// NewCPUSet creates a CPU affinity mask capable of representing CPU IDs
+// up to maxCPU (exclusive).
+func NewCPUSet(maxCPU int) CPUSetDynamic {
+	numMasks := (maxCPU + _NCPUBITS - 1) / _NCPUBITS
+	if numMasks == 0 {
+		numMasks = 1
+	}
+	return make(CPUSetDynamic, numMasks)
+}
+
+// Zero clears the set s, so that it contains no CPUs.
+func (s CPUSetDynamic) Zero() {
+	clear(s)
+}
+
+// Fill adds all possible CPU bits to the set s. On Linux, [SchedSetaffinityDynamic]
+// will silently ignore any invalid CPU bits in [CPUSetDynamic] so this is an
+// efficient way of resetting the CPU affinity of a process.
+func (s CPUSetDynamic) Fill() {
+	cpuMaskFill(s)
+}
+
+// Set adds cpu to the set s. If cpu is out of bounds for s, no action is taken.
+func (s CPUSetDynamic) Set(cpu int) {
+	cpuMaskSet(s, cpu)
+}
+
+// Clear removes cpu from the set s. If cpu is out of bounds for s, no action is taken.
+func (s CPUSetDynamic) Clear(cpu int) {
+	cpuMaskClear(s, cpu)
+}
+
+// IsSet reports whether cpu is in the set s.
+func (s CPUSetDynamic) IsSet(cpu int) bool {
+	return cpuMaskIsSet(s, cpu)
+}
+
+// Count returns the number of CPUs in the set s.
+func (s CPUSetDynamic) Count() int {
+	return cpuMaskCount(s)
+}
+
+func (s CPUSetDynamic) size() uintptr {
+	return uintptr(len(s)) * unsafe.Sizeof(cpuMask(0))
+}
+
+func (s CPUSetDynamic) pointer() unsafe.Pointer {
+	if len(s) == 0 {
+		return nil
+	}
+	return unsafe.Pointer(&s[0])
+}
+
+// SchedGetaffinityDynamic gets the CPU affinity mask of the thread specified by pid.
+// If pid is 0 the calling thread is used.
+//
+// If the set is smaller than the size of the affinity mask used by the kernel,
+// [EINVAL] is returned.
+func SchedGetaffinityDynamic(pid int, set CPUSetDynamic) error {
+	return schedAffinity(SYS_SCHED_GETAFFINITY, pid, set.size(), set.pointer())
+}
+
+// SchedSetaffinityDynamic sets the CPU affinity mask of the thread specified by pid.
+// If pid is 0 the calling thread is used.
+func SchedSetaffinityDynamic(pid int, set CPUSetDynamic) error {
+	return schedAffinity(SYS_SCHED_SETAFFINITY, pid, set.size(), set.pointer())
+}

vendor/golang.org/x/sys/unix/mkall.sh

@@ -51,7 +51,7 @@ if [[ "$GOOS" = "linux" ]]; then
 	# Files generated through docker (use $cmd so you can Ctl-C the build or run)
 	set -e
 	$cmd docker build --tag generate:$GOOS $GOOS
-	$cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS
+	$cmd docker run --rm --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS
 	exit
 fi
 

vendor/golang.org/x/sys/unix/mkerrors.sh

@@ -354,6 +354,9 @@ struct ltchars {
 // Renamed in v6.16, commit c6d732c38f93 ("net: ethtool: remove duplicate defines for family info")
 #define ETHTOOL_FAMILY_NAME	ETHTOOL_GENL_NAME
 #define ETHTOOL_FAMILY_VERSION	ETHTOOL_GENL_VERSION
+
+// Removed in v6.17, commit 760e6f7befba ("futex: Remove support for IMMUTABLE")
+#define PR_FUTEX_HASH_GET_IMMUTABLE 3
 '
 
 includes_NetBSD='

vendor/golang.org/x/sys/unix/readv_unix.go

@@ -0,0 +1,103 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build darwin || linux || openbsd
+
+package unix
+
+import "unsafe"
+
+// minIovec is the size of the small initial allocation used by
+// Readv, Writev, etc.
+//
+// This small allocation gets stack allocated, which lets the
+// common use case of len(iovs) <= minIovec avoid more expensive
+// heap allocations.
+const minIovec = 8
+
+// appendBytes converts bs to Iovecs and appends them to vecs.
+func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
+	for _, b := range bs {
+		var v Iovec
+		v.SetLen(len(b))
+		if len(b) > 0 {
+			v.Base = &b[0]
+		} else {
+			v.Base = (*byte)(unsafe.Pointer(&_zero))
+		}
+		vecs = append(vecs, v)
+	}
+	return vecs
+}
+
+// writevRaceDetect tells the race detector that the program
+// has read the first n bytes stored in iovecs.
+func writevRaceDetect(iovecs []Iovec, n int) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := min(int(iovecs[i].Len), n)
+		n -= m
+		if m > 0 {
+			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+}
+
+// readvRaceDetect tells the race detector that the program
+// has written to the first n bytes stored in iovecs.
+func readvRaceDetect(iovecs []Iovec, n int, err error) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := min(int(iovecs[i].Len), n)
+		n -= m
+		if m > 0 {
+			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+	if err == nil {
+		raceAcquire(unsafe.Pointer(&ioSync))
+	}
+}
+
+func Readv(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = readv(fd, iovecs)
+	readvRaceDetect(iovecs, n, err)
+	return n, err
+}
+
+func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = preadv(fd, iovecs, offset)
+	readvRaceDetect(iovecs, n, err)
+	return n, err
+}
+
+func Writev(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = writev(fd, iovecs)
+	writevRaceDetect(iovecs, n)
+	return n, err
+}
+
+func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = pwritev(fd, iovecs, offset)
+	writevRaceDetect(iovecs, n)
+	return n, err
+}

vendor/golang.org/x/sys/unix/syscall_darwin.go

@@ -602,95 +602,6 @@ func Connectx(fd int, srcIf uint32, srcAddr, dstAddr Sockaddr, associd SaeAssocI
 	return
 }
 
-const minIovec = 8
-
-func Readv(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = readv(fd, iovecs)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = preadv(fd, iovecs, offset)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Writev(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = writev(fd, iovecs)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = pwritev(fd, iovecs, offset)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
-	for _, b := range bs {
-		var v Iovec
-		v.SetLen(len(b))
-		if len(b) > 0 {
-			v.Base = &b[0]
-		} else {
-			v.Base = (*byte)(unsafe.Pointer(&_zero))
-		}
-		vecs = append(vecs, v)
-	}
-	return vecs
-}
-
-func writevRacedetect(iovecs []Iovec, n int) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
-		n -= m
-		if m > 0 {
-			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-}
-
-func readvRacedetect(iovecs []Iovec, n int, err error) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
-		n -= m
-		if m > 0 {
-			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-	if err == nil {
-		raceAcquire(unsafe.Pointer(&ioSync))
-	}
-}
-
 //sys	connectx(fd int, endpoints *SaEndpoints, associd SaeAssocID, flags uint32, iov []Iovec, n *uintptr, connid *SaeConnID) (err error)
 //sys	sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error)
 

vendor/golang.org/x/sys/unix/syscall_linux.go

@@ -2150,33 +2150,10 @@ func Signalfd(fd int, sigmask *Sigset_t, flags int) (newfd int, err error) {
 //sys	exitThread(code int) (err error) = SYS_EXIT
 //sys	readv(fd int, iovs []Iovec) (n int, err error) = SYS_READV
 //sys	writev(fd int, iovs []Iovec) (n int, err error) = SYS_WRITEV
-//sys	preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PREADV
-//sys	pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PWRITEV
-//sys	preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PREADV2
-//sys	pwritev2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PWRITEV2
-
-// minIovec is the size of the small initial allocation used by
-// Readv, Writev, etc.
-//
-// This small allocation gets stack allocated, which lets the
-// common use case of len(iovs) <= minIovs avoid more expensive
-// heap allocations.
-const minIovec = 8
-
-// appendBytes converts bs to Iovecs and appends them to vecs.
-func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
-	for _, b := range bs {
-		var v Iovec
-		v.SetLen(len(b))
-		if len(b) > 0 {
-			v.Base = &b[0]
-		} else {
-			v.Base = (*byte)(unsafe.Pointer(&_zero))
-		}
-		vecs = append(vecs, v)
-	}
-	return vecs
-}
+//sys	preadvSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PREADV
+//sys	pwritevSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PWRITEV
+//sys	preadv2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PREADV2
+//sys	pwritev2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PWRITEV2
 
 // offs2lohi splits offs into its low and high order bits.
 func offs2lohi(offs int64) (lo, hi uintptr) {
@@ -2184,69 +2161,23 @@ func offs2lohi(offs int64) (lo, hi uintptr) {
 	return uintptr(offs), uintptr(uint64(offs) >> (longBits - 1) >> 1) // two shifts to avoid false positive in vet
 }
 
-func Readv(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = readv(fd, iovecs)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
 	lo, hi := offs2lohi(offset)
-	n, err = preadv(fd, iovecs, lo, hi)
-	readvRacedetect(iovecs, n, err)
-	return n, err
+	return preadvSyscall(fd, iovecs, lo, hi)
 }
 
 func Preadv2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
 	iovecs := make([]Iovec, 0, minIovec)
 	iovecs = appendBytes(iovecs, iovs)
 	lo, hi := offs2lohi(offset)
-	n, err = preadv2(fd, iovecs, lo, hi, flags)
-	readvRacedetect(iovecs, n, err)
+	n, err = preadv2Syscall(fd, iovecs, lo, hi, flags)
+	readvRaceDetect(iovecs, n, err)
 	return n, err
 }
 
-func readvRacedetect(iovecs []Iovec, n int, err error) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := min(int(iovecs[i].Len), n)
-		n -= m
-		if m > 0 {
-			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-	if err == nil {
-		raceAcquire(unsafe.Pointer(&ioSync))
-	}
-}
-
-func Writev(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = writev(fd, iovecs)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
 	lo, hi := offs2lohi(offset)
-	n, err = pwritev(fd, iovecs, lo, hi)
-	writevRacedetect(iovecs, n)
-	return n, err
+	return pwritevSyscall(fd, iovecs, lo, hi)
 }
 
 func Pwritev2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
@@ -2256,24 +2187,11 @@ func Pwritev2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error)
 		raceReleaseMerge(unsafe.Pointer(&ioSync))
 	}
 	lo, hi := offs2lohi(offset)
-	n, err = pwritev2(fd, iovecs, lo, hi, flags)
-	writevRacedetect(iovecs, n)
+	n, err = pwritev2Syscall(fd, iovecs, lo, hi, flags)
+	writevRaceDetect(iovecs, n)
 	return n, err
 }
 
-func writevRacedetect(iovecs []Iovec, n int) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := min(int(iovecs[i].Len), n)
-		n -= m
-		if m > 0 {
-			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-}
-
 // mmap varies by architecture; see syscall_linux_*.go.
 //sys	munmap(addr uintptr, length uintptr) (err error)
 //sys	mremap(oldaddr uintptr, oldlength uintptr, newlength uintptr, flags int, newaddr uintptr) (xaddr uintptr, err error)
@@ -2644,8 +2562,12 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
 //sys	Mseal(b []byte, flags uint) (err error)
 
-//sys	setMemPolicy(mode int, mask *CPUSet, size int) (err error) = SYS_SET_MEMPOLICY
+//sys	setMemPolicy(mode int, mask unsafe.Pointer, size uintptr) (err error) = SYS_SET_MEMPOLICY
 
 func SetMemPolicy(mode int, mask *CPUSet) error {
-	return setMemPolicy(mode, mask, _CPU_SETSIZE)
+	return setMemPolicy(mode, unsafe.Pointer(mask), _CPU_SETSIZE)
+}
+
+func SetMemPolicyDynamic(mode int, mask CPUSetDynamic) error {
+	return setMemPolicy(mode, mask.pointer(), mask.size())
 }

vendor/golang.org/x/sys/unix/syscall_linux_arm.go

@@ -82,6 +82,9 @@ func Time(t *Time_t) (Time_t, error) {
 }
 
 func Utime(path string, buf *Utimbuf) error {
+	if buf == nil {
+		return Utimes(path, nil)
+	}
 	tv := []Timeval{
 		{Sec: buf.Actime},
 		{Sec: buf.Modtime},

vendor/golang.org/x/sys/unix/syscall_linux_arm64.go

@@ -113,6 +113,9 @@ func Time(t *Time_t) (Time_t, error) {
 }
 
 func Utime(path string, buf *Utimbuf) error {
+	if buf == nil {
+		return Utimes(path, nil)
+	}
 	tv := []Timeval{
 		{Sec: buf.Actime},
 		{Sec: buf.Modtime},

vendor/golang.org/x/sys/unix/syscall_linux_loong64.go

@@ -150,6 +150,9 @@ func Time(t *Time_t) (Time_t, error) {
 }
 
 func Utime(path string, buf *Utimbuf) error {
+	if buf == nil {
+		return Utimes(path, nil)
+	}
 	tv := []Timeval{
 		{Sec: buf.Actime},
 		{Sec: buf.Modtime},

vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go

@@ -112,6 +112,9 @@ func Time(t *Time_t) (Time_t, error) {
 }
 
 func Utime(path string, buf *Utimbuf) error {
+	if buf == nil {
+		return Utimes(path, nil)
+	}
 	tv := []Timeval{
 		{Sec: buf.Actime},
 		{Sec: buf.Modtime},

vendor/golang.org/x/sys/unix/syscall_openbsd.go

@@ -300,6 +300,10 @@ func Uname(uname *Utsname) error {
 //sys	Pathconf(path string, name int) (val int, err error)
 //sys	pread(fd int, p []byte, offset int64) (n int, err error)
 //sys	pwrite(fd int, p []byte, offset int64) (n int, err error)
+//sys	readv(fd int, iovecs []Iovec) (n int, err error)
+//sys	writev(fd int, iovecs []Iovec) (n int, err error)
+//sys	preadv(fd int, iovecs []Iovec, offset int64) (n int, err error)
+//sys	pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error)
 //sys	read(fd int, p []byte) (n int, err error)
 //sys	Readlink(path string, buf []byte) (n int, err error)
 //sys	Readlinkat(dirfd int, path string, buf []byte) (n int, err error)

vendor/golang.org/x/sys/unix/zerrors_linux.go

@@ -353,8 +353,10 @@ const (
 	AUDIT_MAC_IPSEC_EVENT                       = 0x587
 	AUDIT_MAC_MAP_ADD                           = 0x581
 	AUDIT_MAC_MAP_DEL                           = 0x582
+	AUDIT_MAC_OBJ_CONTEXTS                      = 0x592
 	AUDIT_MAC_POLICY_LOAD                       = 0x57b
 	AUDIT_MAC_STATUS                            = 0x57c
+	AUDIT_MAC_TASK_CONTEXTS                     = 0x591
 	AUDIT_MAC_UNLBL_ALLOW                       = 0x57e
 	AUDIT_MAC_UNLBL_STCADD                      = 0x588
 	AUDIT_MAC_UNLBL_STCDEL                      = 0x589
@@ -591,8 +593,13 @@ const (
 	CAN_CTRLMODE_LOOPBACK                       = 0x1
 	CAN_CTRLMODE_ONE_SHOT                       = 0x8
 	CAN_CTRLMODE_PRESUME_ACK                    = 0x40
+	CAN_CTRLMODE_RESTRICTED                     = 0x800
 	CAN_CTRLMODE_TDC_AUTO                       = 0x200
 	CAN_CTRLMODE_TDC_MANUAL                     = 0x400
+	CAN_CTRLMODE_XL                             = 0x1000
+	CAN_CTRLMODE_XL_TDC_AUTO                    = 0x2000
+	CAN_CTRLMODE_XL_TDC_MANUAL                  = 0x4000
+	CAN_CTRLMODE_XL_TMS                         = 0x8000
 	CAN_EFF_FLAG                                = 0x80000000
 	CAN_EFF_ID_BITS                             = 0x1d
 	CAN_EFF_MASK                                = 0x1fffffff
@@ -800,6 +807,8 @@ const (
 	DEVLINK_PORT_FN_CAP_IPSEC_PACKET            = 0x8
 	DEVLINK_PORT_FN_CAP_MIGRATABLE              = 0x2
 	DEVLINK_PORT_FN_CAP_ROCE                    = 0x1
+	DEVLINK_RATE_TCS_MAX                        = 0x8
+	DEVLINK_RATE_TC_INDEX_MAX                   = 0x7
 	DEVLINK_SB_THRESHOLD_TO_ALPHA_MAX           = 0x14
 	DEVLINK_SUPPORTED_FLASH_OVERWRITE_SECTIONS  = 0x3
 	DEVMEM_MAGIC                                = 0x454d444d
@@ -1186,6 +1195,7 @@ const (
 	ETH_P_MPLS_UC                               = 0x8847
 	ETH_P_MRP                                   = 0x88e3
 	ETH_P_MVRP                                  = 0x88f5
+	ETH_P_MXLGSW                                = 0x88c3
 	ETH_P_NCSI                                  = 0x88f8
 	ETH_P_NSH                                   = 0x894f
 	ETH_P_PAE                                   = 0x888e
@@ -1218,6 +1228,7 @@ const (
 	ETH_P_WCCP                                  = 0x883e
 	ETH_P_X25                                   = 0x805
 	ETH_P_XDSA                                  = 0xf8
+	ETH_P_YT921X                                = 0x9988
 	ET_CORE                                     = 0x4
 	ET_DYN                                      = 0x3
 	ET_EXEC                                     = 0x2
@@ -1258,6 +1269,7 @@ const (
 	FALLOC_FL_NO_HIDE_STALE                     = 0x4
 	FALLOC_FL_PUNCH_HOLE                        = 0x2
 	FALLOC_FL_UNSHARE_RANGE                     = 0x40
+	FALLOC_FL_WRITE_ZEROES                      = 0x80
 	FALLOC_FL_ZERO_RANGE                        = 0x10
 	FANOTIFY_METADATA_VERSION                   = 0x3
 	FAN_ACCESS                                  = 0x1
@@ -1477,6 +1489,7 @@ const (
 	GRND_INSECURE                               = 0x4
 	GRND_NONBLOCK                               = 0x1
 	GRND_RANDOM                                 = 0x2
+	GUEST_MEMFD_MAGIC                           = 0x474d454d
 	HDIO_DRIVE_CMD                              = 0x31f
 	HDIO_DRIVE_CMD_AEB                          = 0x31e
 	HDIO_DRIVE_CMD_HDR_SIZE                     = 0x4
@@ -1517,6 +1530,7 @@ const (
 	HDIO_SET_XFER                               = 0x306
 	HDIO_TRISTATE_HWIF                          = 0x31b
 	HDIO_UNREGISTER_HWIF                        = 0x32a
+	HIDIOCTL_LAST                               = 0xd
 	HID_MAX_DESCRIPTOR_SIZE                     = 0x1000
 	HOSTFS_SUPER_MAGIC                          = 0xc0ffee
 	HPFS_SUPER_MAGIC                            = 0xf995e849
@@ -1809,6 +1823,8 @@ const (
 	KEXEC_ARCH_X86_64                           = 0x3e0000
 	KEXEC_CRASH_HOTPLUG_SUPPORT                 = 0x8
 	KEXEC_FILE_DEBUG                            = 0x8
+	KEXEC_FILE_FORCE_DTB                        = 0x20
+	KEXEC_FILE_NO_CMA                           = 0x10
 	KEXEC_FILE_NO_INITRAMFS                     = 0x4
 	KEXEC_FILE_ON_CRASH                         = 0x2
 	KEXEC_FILE_UNLOAD                           = 0x1
@@ -1905,6 +1921,7 @@ const (
 	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON      = 0x2
 	LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF    = 0x1
 	LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF   = 0x4
+	LANDLOCK_RESTRICT_SELF_TSYNC                = 0x8
 	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET         = 0x1
 	LANDLOCK_SCOPE_SIGNAL                       = 0x2
 	LINUX_REBOOT_CMD_CAD_OFF                    = 0x0
@@ -2412,6 +2429,7 @@ const (
 	NN_PRXFPREG                                 = "LINUX"
 	NN_RISCV_CSR                                = "LINUX"
 	NN_RISCV_TAGGED_ADDR_CTRL                   = "LINUX"
+	NN_RISCV_USER_CFI                           = "LINUX"
 	NN_RISCV_VECTOR                             = "LINUX"
 	NN_S390_CTRS                                = "LINUX"
 	NN_S390_GS_BC                               = "LINUX"
@@ -2493,6 +2511,7 @@ const (
 	NT_PRXFPREG                                 = 0x46e62b7f
 	NT_RISCV_CSR                                = 0x900
 	NT_RISCV_TAGGED_ADDR_CTRL                   = 0x902
+	NT_RISCV_USER_CFI                           = 0x903
 	NT_RISCV_VECTOR                             = 0x901
 	NT_S390_CTRS                                = 0x304
 	NT_S390_GS_BC                               = 0x30c
@@ -2515,6 +2534,7 @@ const (
 	NT_X86_SHSTK                                = 0x204
 	NT_X86_XSAVE_LAYOUT                         = 0x205
 	NT_X86_XSTATE                               = 0x202
+	NULL_FS_MAGIC                               = 0x4e554c4c
 	OCFS2_SUPER_MAGIC                           = 0x7461636f
 	OCRNL                                       = 0x8
 	OFDEL                                       = 0x80
@@ -2594,6 +2614,7 @@ const (
 	PERF_ATTR_SIZE_VER6                         = 0x78
 	PERF_ATTR_SIZE_VER7                         = 0x80
 	PERF_ATTR_SIZE_VER8                         = 0x88
+	PERF_ATTR_SIZE_VER9                         = 0x90
 	PERF_AUX_FLAG_COLLISION                     = 0x8
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_CORESIGHT    = 0x0
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_RAW          = 0x100
@@ -2629,6 +2650,7 @@ const (
 	PERF_MEM_LVLNUM_ANY_CACHE                   = 0xb
 	PERF_MEM_LVLNUM_CXL                         = 0x9
 	PERF_MEM_LVLNUM_IO                          = 0xa
+	PERF_MEM_LVLNUM_L0                          = 0x7
 	PERF_MEM_LVLNUM_L1                          = 0x1
 	PERF_MEM_LVLNUM_L2                          = 0x2
 	PERF_MEM_LVLNUM_L2_MHB                      = 0x5
@@ -2662,6 +2684,23 @@ const (
 	PERF_MEM_OP_PFETCH                          = 0x8
 	PERF_MEM_OP_SHIFT                           = 0x0
 	PERF_MEM_OP_STORE                           = 0x4
+	PERF_MEM_REGION_L_NON_SHARE                 = 0x3
+	PERF_MEM_REGION_L_SHARE                     = 0x2
+	PERF_MEM_REGION_MEM0                        = 0x8
+	PERF_MEM_REGION_MEM1                        = 0x9
+	PERF_MEM_REGION_MEM2                        = 0xa
+	PERF_MEM_REGION_MEM3                        = 0xb
+	PERF_MEM_REGION_MEM4                        = 0xc
+	PERF_MEM_REGION_MEM5                        = 0xd
+	PERF_MEM_REGION_MEM6                        = 0xe
+	PERF_MEM_REGION_MEM7                        = 0xf
+	PERF_MEM_REGION_MMIO                        = 0x7
+	PERF_MEM_REGION_NA                          = 0x0
+	PERF_MEM_REGION_O_IO                        = 0x4
+	PERF_MEM_REGION_O_NON_SHARE                 = 0x6
+	PERF_MEM_REGION_O_SHARE                     = 0x5
+	PERF_MEM_REGION_RSVD                        = 0x1
+	PERF_MEM_REGION_SHIFT                       = 0x2e
 	PERF_MEM_REMOTE_REMOTE                      = 0x1
 	PERF_MEM_REMOTE_SHIFT                       = 0x25
 	PERF_MEM_SNOOPX_FWD                         = 0x1
@@ -2776,6 +2815,10 @@ const (
 	PR_CAP_AMBIENT_IS_SET                       = 0x1
 	PR_CAP_AMBIENT_LOWER                        = 0x3
 	PR_CAP_AMBIENT_RAISE                        = 0x2
+	PR_CFI_BRANCH_LANDING_PADS                  = 0x0
+	PR_CFI_DISABLE                              = 0x2
+	PR_CFI_ENABLE                               = 0x1
+	PR_CFI_LOCK                                 = 0x4
 	PR_ENDIAN_BIG                               = 0x0
 	PR_ENDIAN_LITTLE                            = 0x1
 	PR_ENDIAN_PPC_LITTLE                        = 0x2
@@ -2798,6 +2841,7 @@ const (
 	PR_FUTEX_HASH_GET_SLOTS                     = 0x2
 	PR_FUTEX_HASH_SET_SLOTS                     = 0x1
 	PR_GET_AUXV                                 = 0x41555856
+	PR_GET_CFI                                  = 0x50
 	PR_GET_CHILD_SUBREAPER                      = 0x25
 	PR_GET_DUMPABLE                             = 0x3
 	PR_GET_ENDIAN                               = 0x13
@@ -2834,6 +2878,7 @@ const (
 	PR_MDWE_REFUSE_EXEC_GAIN                    = 0x1
 	PR_MPX_DISABLE_MANAGEMENT                   = 0x2c
 	PR_MPX_ENABLE_MANAGEMENT                    = 0x2b
+	PR_MTE_STORE_ONLY                           = 0x80000
 	PR_MTE_TAG_MASK                             = 0x7fff8
 	PR_MTE_TAG_SHIFT                            = 0x3
 	PR_MTE_TCF_ASYNC                            = 0x4
@@ -2877,6 +2922,10 @@ const (
 	PR_RISCV_V_VSTATE_CTRL_NEXT_MASK            = 0xc
 	PR_RISCV_V_VSTATE_CTRL_OFF                  = 0x1
 	PR_RISCV_V_VSTATE_CTRL_ON                   = 0x2
+	PR_RSEQ_SLICE_EXTENSION                     = 0x4f
+	PR_RSEQ_SLICE_EXTENSION_GET                 = 0x1
+	PR_RSEQ_SLICE_EXTENSION_SET                 = 0x2
+	PR_RSEQ_SLICE_EXT_ENABLE                    = 0x1
 	PR_SCHED_CORE                               = 0x3e
 	PR_SCHED_CORE_CREATE                        = 0x1
 	PR_SCHED_CORE_GET                           = 0x0
@@ -2886,6 +2935,7 @@ const (
 	PR_SCHED_CORE_SCOPE_THREAD_GROUP            = 0x1
 	PR_SCHED_CORE_SHARE_FROM                    = 0x3
 	PR_SCHED_CORE_SHARE_TO                      = 0x2
+	PR_SET_CFI                                  = 0x51
 	PR_SET_CHILD_SUBREAPER                      = 0x24
 	PR_SET_DUMPABLE                             = 0x4
 	PR_SET_ENDIAN                               = 0x14
@@ -2951,11 +3001,14 @@ const (
 	PR_SVE_SET_VL_ONEXEC                        = 0x40000
 	PR_SVE_VL_INHERIT                           = 0x20000
 	PR_SVE_VL_LEN_MASK                          = 0xffff
+	PR_SYS_DISPATCH_EXCLUSIVE_ON                = 0x1
+	PR_SYS_DISPATCH_INCLUSIVE_ON                = 0x2
 	PR_SYS_DISPATCH_OFF                         = 0x0
 	PR_SYS_DISPATCH_ON                          = 0x1
 	PR_TAGGED_ADDR_ENABLE                       = 0x1
 	PR_TASK_PERF_EVENTS_DISABLE                 = 0x1f
 	PR_TASK_PERF_EVENTS_ENABLE                  = 0x20
+	PR_THP_DISABLE_EXCEPT_ADVISED               = 0x2
 	PR_TIMER_CREATE_RESTORE_IDS                 = 0x4d
 	PR_TIMER_CREATE_RESTORE_IDS_GET             = 0x2
 	PR_TIMER_CREATE_RESTORE_IDS_OFF             = 0x0
@@ -2987,8 +3040,10 @@ const (
 	PTP_STRICT_FLAGS                            = 0x8
 	PTP_SYS_OFFSET_EXTENDED                     = 0xc4c03d09
 	PTP_SYS_OFFSET_EXTENDED2                    = 0xc4c03d12
+	PTP_SYS_OFFSET_EXTENDED_CYCLES              = 0xc4c03d16
 	PTP_SYS_OFFSET_PRECISE                      = 0xc0403d08
 	PTP_SYS_OFFSET_PRECISE2                     = 0xc0403d11
+	PTP_SYS_OFFSET_PRECISE_CYCLES               = 0xc0403d15
 	PTRACE_ATTACH                               = 0x10
 	PTRACE_CONT                                 = 0x7
 	PTRACE_DETACH                               = 0x11
@@ -3330,8 +3385,9 @@ const (
 	RWF_DSYNC                                   = 0x2
 	RWF_HIPRI                                   = 0x1
 	RWF_NOAPPEND                                = 0x20
+	RWF_NOSIGNAL                                = 0x100
 	RWF_NOWAIT                                  = 0x8
-	RWF_SUPPORTED                               = 0xff
+	RWF_SUPPORTED                               = 0x1ff
 	RWF_SYNC                                    = 0x4
 	RWF_WRITE_LIFE_NOT_SET                      = 0x0
 	SCHED_BATCH                                 = 0x3
@@ -3714,7 +3770,7 @@ const (
 	TASKSTATS_GENL_NAME                         = "TASKSTATS"
 	TASKSTATS_GENL_VERSION                      = 0x1
 	TASKSTATS_TYPE_MAX                          = 0x6
-	TASKSTATS_VERSION                           = 0x10
+	TASKSTATS_VERSION                           = 0x11
 	TCIFLUSH                                    = 0x0
 	TCIOFF                                      = 0x2
 	TCIOFLUSH                                   = 0x2
@@ -4052,6 +4108,7 @@ const (
 	XDP_FLAGS_REPLACE                           = 0x10
 	XDP_FLAGS_SKB_MODE                          = 0x2
 	XDP_FLAGS_UPDATE_IF_NOEXIST                 = 0x1
+	XDP_MAX_TX_SKB_BUDGET                       = 0x9
 	XDP_MMAP_OFFSETS                            = 0x1
 	XDP_OPTIONS                                 = 0x8
 	XDP_OPTIONS_ZEROCOPY                        = 0x1

vendor/golang.org/x/sys/unix/zerrors_linux_386.go

@@ -159,6 +159,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -305,6 +306,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -352,6 +354,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -596,6 +599,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -819,7 +824,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go

@@ -159,6 +159,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -306,6 +307,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -353,6 +355,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -596,6 +599,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -819,7 +824,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_arm.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -311,6 +312,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -358,6 +360,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -601,6 +604,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -824,7 +829,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go

@@ -161,6 +161,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -598,6 +601,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -821,7 +826,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go

@@ -160,6 +160,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -298,6 +299,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -345,6 +347,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -588,6 +591,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -811,7 +816,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_mips.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go

@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -359,6 +360,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -406,6 +408,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -653,6 +656,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -877,7 +882,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go

@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -363,6 +364,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -410,6 +412,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -881,7 +886,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go

@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -363,6 +364,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -410,6 +412,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -881,7 +886,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go

@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -367,6 +368,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -414,6 +416,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -880,7 +885,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go

@@ -161,6 +161,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -358,6 +359,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x58
 	SCM_DEVMEM_LINEAR                = 0x57
+	SCM_INQ                          = 0x5d
 	SCM_TIMESTAMPING                 = 0x23
 	SCM_TIMESTAMPING_OPT_STATS       = 0x38
 	SCM_TIMESTAMPING_PKTINFO         = 0x3c
@@ -453,6 +455,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x33
 	SO_INCOMING_NAPI_ID              = 0x3a
+	SO_INQ                           = 0x5d
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x28
@@ -694,6 +697,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x27)
 	EDOTDOT         = syscall.Errno(0x58)
 	EDQUOT          = syscall.Errno(0x45)
+	EFSBADCRC       = syscall.Errno(0x4c)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x40)
 	EHOSTUNREACH    = syscall.Errno(0x41)
 	EHWPOISON       = syscall.Errno(0x87)
@@ -921,7 +926,7 @@ var errorList = [...]struct {
 	{114, "ELIBACC", "can not access a needed shared library"},
 	{115, "ENOTUNIQ", "name not unique on network"},
 	{116, "ERESTART", "interrupted system call should be restarted"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},

vendor/golang.org/x/sys/unix/zsyscall_linux.go

@@ -1785,7 +1785,7 @@ func writev(fd int, iovs []Iovec) (n int, err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
-func preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
+func preadvSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1802,7 +1802,7 @@ func preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err er
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
-func pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
+func pwritevSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1819,7 +1819,7 @@ func pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err e
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
-func preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
+func preadv2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1836,7 +1836,7 @@ func preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
-func pwritev2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
+func pwritev2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -2241,8 +2241,8 @@ func Mseal(b []byte, flags uint) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
-func setMemPolicy(mode int, mask *CPUSet, size int) (err error) {
-	_, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(size))
+func setMemPolicy(mode int, mask unsafe.Pointer, size uintptr) (err error) {
+	_, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(mask), uintptr(size))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}

vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go

@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), uintptr(offset>>32), 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), uintptr(offset>>32), 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {

vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s

@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_readv_trampoline_addr(SB)/4, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_writev_trampoline_addr(SB)/4, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_preadv_trampoline_addr(SB)/4, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_pwritev_trampoline_addr(SB)/4, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4

vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go

@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {

vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s

@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8

vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go

@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), 0, uintptr(offset), uintptr(offset>>32))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), 0, uintptr(offset), uintptr(offset>>32))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {

vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s

@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_readv_trampoline_addr(SB)/4, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_writev_trampoline_addr(SB)/4, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_preadv_trampoline_addr(SB)/4, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_pwritev_trampoline_addr(SB)/4, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4

vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go

@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {

vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s

@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8

vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go

@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {