
*: upgrade dependencies for security issue #10598

Open
rleungx wants to merge 1 commit into tikv:master from rleungx:security

Conversation

rleungx (Member) commented Apr 14, 2026

What problem does this PR solve?

Issue Number: ref #8475

What is changed and how does it work?

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Code changes

Side effects

  • Possible performance regression
  • Increased code complexity
  • Breaking backward compatibility

Related changes

Release note

None.

Summary by CodeRabbit

  • Chores
    • Updated dependencies across build tools, integration test modules, and core utilities to incorporate latest security patches, bug fixes, and compatibility improvements.

Signed-off-by: Ryan Leung <rleungx@gmail.com>
@ti-chi-bot bot added labels Apr 14, 2026: do-not-merge/needs-linked-issue; release-note-none (Denotes a PR that doesn't merit a release note); dco-signoff: yes (Indicates the PR's author has signed the dco); size/XXL (Denotes a PR that changes 1000+ lines, ignoring generated files).

coderabbitai bot commented Apr 14, 2026

📝 Walkthrough

Three Go module files (go.mod, tests/integrations/go.mod, tools/go.mod) had their direct and indirect dependencies version-upgraded. Updates include golang.org/x/time, golang.org/x/tools, google.golang.org/grpc, AWS SDK v2 modules, QUIC-go packages, and OpenTelemetry libraries. No public API changes or code logic modifications.

Changes

Cohort: Root and Test Module Dependencies
File(s): go.mod, tests/integrations/go.mod, tools/go.mod
Summary: Version bumps for direct dependencies (golang.org/x/time, golang.org/x/tools, google.golang.org/grpc) and numerous indirect modules (AWS SDK v2, QUIC-go, OpenTelemetry, golang.org/x/* ecosystem packages). No functional changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

size/S

Suggested reviewers

  • bufferflies
  • okJiang

Poem

🐰 Hop through the versions, both near and far,
Dependencies shimmer like each twinkling star,
From gRPC to AWS, all polished and neat,
OpenTelemetry dancing with every heartbeat,
Another round of upgrades—our modules are sweet! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive
Explanation: PR description uses template correctly but lacks concrete details about the security issue being addressed and specific dependency updates justified.
Resolution: Replace placeholder 'Issue Number: ref #8475' with actual issue number, fill in commit message block with specific security vulnerabilities addressed, and detail which dependencies were updated and why.
✅ Passed checks (2 passed)
Title check: ✅ Passed. The title clearly indicates the main change: upgrading dependencies to address a security issue, which matches the changeset content.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

codecov bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.93%. Comparing base (319d880) to head (1609023).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10598      +/-   ##
==========================================
- Coverage   78.95%   78.93%   -0.02%     
==========================================
  Files         532      532              
  Lines       71862    71965     +103     
==========================================
+ Hits        56741    56809      +68     
- Misses      11094    11122      +28     
- Partials     4027     4034       +7     
Flag: unittests; Coverage Δ: 78.93% <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown.

rleungx (Member, Author) commented Apr 14, 2026

/retest


@ti-chi-bot bot added the needs-1-more-lgtm label (Indicates a PR needs 1 more LGTM) Apr 15, 2026

ti-chi-bot bot (Contributor) commented Apr 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bufferflies

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ti-chi-bot bot (Contributor) commented Apr 15, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-04-15 02:34:37.533442285 +0000 UTC m=+1528482.738802342: ☑️ agreed by bufferflies.

@ti-chi-bot bot added the approved label Apr 15, 2026

bufferflies (Contributor) commented:

/retest

bufferflies (Contributor) commented:

Do we need to cp the release version?

ti-chi-bot bot (Contributor) commented Apr 15, 2026

@rleungx: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: pull-unit-test-next-gen-3
Commit: 1609023
Required: true
Rerun command: /test pull-unit-test-next-gen-3
