deps(deps): bump the go-dependencies group with 2 updates

[dependabot]

Bumps the go-dependencies group with 2 updates: github.com/daulet/tokenizers and modernc.org/sqlite.

Updates github.com/daulet/tokenizers from 1.26.0 to 1.27.0

Release notes

Sourced from github.com/daulet/tokenizers's releases.

v1.27.0

What's Changed

• feat: add Windows support by @​Sg4Dylan in daulet/tokenizers#61

New Contributors

• @​Sg4Dylan made their first contribution in daulet/tokenizers#61

Full Changelog: daulet/tokenizers@v1.26.0...v1.27.0

Commits

• f678a77 feat: add Windows support (#61)
• 453a374 chore: require release push token in release workflow
• 53ff9eb fix: use bypass token when creating GitHub release
• See full diff in compare view

Updates modernc.org/sqlite from 1.48.0 to 1.48.1

Changelog

Sourced from modernc.org/sqlite's changelog.

Changelog

• 2026-04-04 v1.48.2:

  • Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.
  • Ensure the Go trampoline signature correctly aligns with the public sqlite3_preupdate_hook C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).
  • See [GitLab merge request #98](https://gitlab.com/cznic/sqlite/-/merge_requests/98), thanks Josh Bleecher Snyder!
  • Fix the memory allocator used in (*conn).Deserialize.
  • Replace tls.Alloc with sqlite3_malloc64 to prevent internal allocator corruption. This ensures the buffer is safely owned by SQLite, which may resize or free it due to the SQLITE_DESERIALIZE_RESIZEABLE and SQLITE_DESERIALIZE_FREEONCLOSE flags.
  • Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.
  • See [GitLab merge request #100](https://gitlab.com/cznic/sqlite/-/merge_requests/100), thanks Josh Bleecher Snyder!
  • Fix (*conn).Deserialize to explicitly reject nil or empty byte slices.
  • Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when sqlite3_deserialize receives a 0-length buffer.
  • See [GitLab merge request #101](https://gitlab.com/cznic/sqlite/-/merge_requests/101), thanks Josh Bleecher Snyder!
  • Fix commitHookTrampoline and rollbackHookTrampoline signatures by removing the unused pCsr parameter.
  • Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.
  • See [GitLab merge request #102](https://gitlab.com/cznic/sqlite/-/merge_requests/102), thanks Josh Bleecher Snyder!

• 2026-04-03 v1.48.1:

  • Fix memory leaks and double-free vulnerabilities in the multi-statement query execution path.
  • Ensure bind-parameter allocations are reliably freed via strict ownership transfer if an error occurs mid-loop or if multiple statements bind parameters.
  • Fix a resource leak where a subsequent statement's error could orphan a previously generated rows object without closing it, leaking the prepared statement handle.
  • See [GitLab merge request #96](https://gitlab.com/cznic/sqlite/-/merge_requests/96), thanks Josh Bleecher Snyder!

• 2026-03-27 v1.48.0:

  • Add _timezone DSN query parameter to apply IANA timezones (e.g., "America/New_York") to both reads and writes.
  • Writes will convert time.Time values to the target timezone before formatting as a string.
  • Reads will interpret timezone-less strings as being in the target timezone.
  • Does not impact _inttotime integer values, which will always safely evaluate as UTC.
  • Add support for _time_format=datetime URI parameter to format time.Time values identically to SQLite's native datetime() function and CURRENT_TIMESTAMP (YYYY-MM-DD HH:MM:SS).
  • See [GitLab merge request #94](https://gitlab.com/cznic/sqlite/-/merge_requests/94) and [GitLab merge request #95](https://gitlab.com/cznic/sqlite/-/merge_requests/95), thanks Josh Bleecher Snyder!

• 2026-03-17 v1.47.0: Add CGO-free version of the vector extensions from https://github.com/asg017/sqlite-vec. See vec_test.go for example usage. From the GitHub project page:

  • Important: sqlite-vec is a pre-v1, so expect breaking changes!
  • Store and query float, int8, and binary vectors in vec0 virtual tables
  • Written in pure C, no dependencies, runs anywhere SQLite runs (Linux/MacOS/Windows, in the browser with WASM, Raspberry Pis, etc.)
  • Store non-vector data in metadata, auxiliary, or partition key columns
  • See [GitLab merge request #93](https://gitlab.com/cznic/sqlite/-/merge_requests/93), thanks Zhenghao Zhang!

• 2026-03-16 v1.46.2: Upgrade to SQLite 3.51.3.

• 2026-02-17 v1.46.1:

  • Ensure connection state is reset if Tx.Commit fails. Previously, errors like SQLITE_BUSY during COMMIT could leave the underlying connection inside a transaction, causing errors when the connection was reused by the database/sql pool. The driver now detects this state and forces a rollback internally.
  • Fixes [GitHub issue #2](modernc-org/sqlite#2), thanks Edoardo Spadolini!

• 2026-02-17 v1.46.0:

  • Enable ColumnTypeScanType to report time.Time instead of string for TEXT columns declared as DATE, DATETIME, TIME, or TIMESTAMP via a new _texttotime URI parameter.
  • See [GitHub pull request #1](modernc-org/sqlite#1), thanks devhaozi!

• 2026-02-09 v1.45.0:

  • Introduce vtab subpackage (modernc.org/sqlite/vtab) exposing Module, Table, Cursor, and IndexInfo API for Go virtual tables.

... (truncated)

Commits

• 51d1f91 CHANGELOG.md: document v1.48.1...
• 50a8b7f CHANGELOG.md: document v1.48.1
• 6050024 Merge branch 'multi-stmt-double-free' into 'master'
• ef93ba8 improve memory safety of allocs in stmt.query
• 2a97c68 add conn.freeAllocs
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Warning

PR title does not follow the Conventional Commits specification.

Unknown release type "deps" found in pull request title "deps(deps): bump the go-dependencies group with 2 updates".

Available types:

• feat
• fix
• docs
• style
• chore
• refactor
• test
• ci
• perf

---

Semantic Commit Messages

See how a minor change to your commit message style can make you a better programmer.

Format: <type>(<scope>): <subject>

<scope> is optional

Example

feat: add hat wobble
^--^  ^------------^
|     |
|     +-> Summary in present tense.
|
+-------> Type: chore, docs, feat, fix, refactor, style, or test.

More Examples:

• feat: (new feature for the user, not a new feature for build script)
• fix: (bug fix for the user, not a fix to a build script)
• docs: (changes to the documentation)
• style: (formatting, missing semi colons, etc; no production code change)
• refactor: (refactoring production code, eg. renaming a variable)
• test: (adding missing tests, refactoring tests; no production code change)
• chore: (updating grunt tasks etc; no production code change)

References:

• https://www.conventionalcommits.org/
• https://seesparkbox.com/foundry/semantic_commit_messages
• http://karma-runner.github.io/1.0/dev/git-commit-msg.html