build(deps): bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.22 to 1.19.23 #479

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/aws/aws-sdk-go-v2/credentials-1.19.23

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026

Bumps github.com/aws/aws-sdk-go-v2/credentials from 1.19.22 to 1.19.23.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

Release Notes

  • Chores

    • Updated AWS SDK Go v2 and related dependencies to latest versions (v1.42.0+).
    • Enhanced retry mechanism with improved backoff and throttle-aware token handling.
  • Bug Fixes

    • STS service now properly retries on IDP communication errors.

Bumps [github.com/aws/aws-sdk-go-v2/credentials](https://github.com/aws/aws-sdk-go-v2) from 1.19.22 to 1.19.23.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.19.22...credentials/v1.19.23)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 9, 2026
@dependabot dependabot Bot requested a review from dongjiang1989 as a code owner June 9, 2026 09:27

coderabbitai Bot commented Jun 9, 2026

Walkthrough

AWS SDK Go v2 is upgraded from v1.41.12 to v1.42.0. A new conditional retry strategy mode (AWS_NEW_RETRIES_2026) is introduced, enabling throttle-aware token costs, configurable base delays, and long-polling backoff support. STS client gains IDPCommunicationError as retryable.

Changes

AWS SDK v2 2026 Retry Mode and Long-Polling Implementation

| Layer / File(s) | Summary |
|---|---|
| **Module dependencies and version updates**<br>`go.mod`, `vendor/modules.txt` | AWS SDK v2 core and submodules are bumped to v1.42.0 and patch versions; versions synchronize across dependency manifests and vendor metadata. |
| **Retry 2026 mode configuration and context helpers**<br>`vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go`, `vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go`, `vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go`, `vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go` | New AWS_NEW_RETRIES_2026 environment-based mode with throttle-aware token costs (DefaultThrottlingRetryCost), StandardOptions fields for throttle detection (Throttles, ThrottlingRetryCost, BaseDelay), and helper functions (newRetries2026, standardDefaults). Context helpers SetIsLongPolling and GetIsLongPolling store/retrieve long-polling flags in middleware stack values. |
| **Exponential jitter backoff with throttle awareness**<br>`vendor/github.com/aws/aws-sdk-go-v2/aws/retry/jitter_backoff.go` | ExponentialJitterBackoff gains baseDelay, throttle checker, and retries2026 mode flag. New backoffDelay2026 method applies throttle-aware base delay selection (1s for throttle errors) followed by exponential growth with MAX_BACKOFF cap before jitter scaling. Mode dispatch in BackoffDelay selects between new and legacy algorithms. |
| **Retry middleware token and delay management**<br>`vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go` | Attempt token release becomes conditional on mode and attempt number under newRetries2026(). Long-polling requests now back off when retry quota is exhausted by applying RetryDelay and adjustForRetryAfterHeader instead of failing immediately. New adjustForRetryAfterHeader helper parses X-Amz-Retry-After header (milliseconds), ignores invalid values, and clamps backoff to [backoff, backoff+5s]. |
| **Long-polling retryer wrapper**<br>`vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retry.go` | AddWithLongPolling function wraps a retryer as a long-polling-aware instance implementing IsLongPolling() returning true, enabling special quota backoff behavior. |
| **STS-specific retryable error configuration**<br>`vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go`, `vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go` | STS client New() invokes finalizeSTSRetryableErrors to add IDPCommunicationError to the retryer's error code set via retry.AddWithErrorCodes. |
| **Module metadata and changelog updates**<br>`vendor/github.com/aws/aws-sdk-go-v2/*/CHANGELOG.md`, `vendor/github.com/aws/aws-sdk-go-v2/*/go_module_metadata.go` | Version constants and changelogs across credentials, feature/ec2/imds, internal/configsources, internal/endpoints/v2, internal/v4a, service/internal/presigned-url, and service modules (signin, sso, ssooidc, sts) updated to reflect 2026-06-08 release date and patch increments. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • dongjiang1989
  • github-actions

🐰 A version hop brings the AWS SDK new life,
Retries grow wise with throttle-aware strife,
Long polls find patience, long queues find grace,
While STS errors now know their true place.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title accurately reflects the primary change: bumping aws-sdk-go-v2/credentials from 1.19.22 to 1.19.23. However, the changeset includes updates to many other aws-sdk-go-v2 modules (core aws module, feature/ec2/imds, internal packages, and multiple service modules), making the title incomplete and somewhat misleading about the full scope of changes. | Update the PR title to reflect the broader scope of changes. Consider: 'build(deps): bump aws-sdk-go-v2 modules including credentials, core SDK, and services' or provide a more comprehensive summary of all updated modules. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 72.22% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go`:
- Line 6: The vendored constant goModuleVersion in go_module_metadata.go is set
to "1.43.3" but upstream has no v1.43.3 release; confirm whether the Dependabot
bump intended to update the vendor to an actual upstream tag or if the metadata
should instead reflect the last real release (e.g., "1.43.2"). If the intended
change was a metadata correction, update the const goModuleVersion in
go_module_metadata.go to the valid upstream release string; if the intention was
to upgrade, update the vendor files so they match an existing upstream tag and
set goModuleVersion to that tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a3ca6a8-627e-438b-85f4-888092b83349

📥 Commits

Reviewing files that changed from the base of the PR and between ddf1cab and b04e86b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (29)
  • go.mod
  • vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/retry/jitter_backoff.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retry.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/signin/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/signin/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
  • vendor/modules.txt


// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.43.2"
const goModuleVersion = "1.43.3"
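
Review bot: The `goModuleVersion` constant in this vendored file moves from "1.43.2" to "1.43.3", and the hunk by itself cannot show that the rest of the vendored tree was produced from that same release. Before merging, confirm that the `github.com/aws/aws-sdk-go-v2/service/sts` entries in go.mod, go.sum and vendor/modules.txt name the same version, and that running `go mod verify` and regenerating the vendor directory with `go mod vendor` leaves no diff against this branch.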

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify the STS module version and check for security advisories.

# Check if version v1.43.3 exists for the STS module
echo "Checking if version v1.43.3 exists..."
git ls-remote --tags https://github.com/aws/aws-sdk-go-v2.git | grep -E 'service/sts/v1\.43\.3$'

# Check Go module proxy for the version
echo -e "\nChecking Go module proxy..."
curl -s "https://proxy.golang.org/github.com/aws/aws-sdk-go-v2/service/sts/@v/v1.43.3.info" | jq '.'

# Check for security advisories
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "github.com/aws/aws-sdk-go-v2/service/sts") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: kubeservice-stack/modelx

Length of output: 1941


🏁 Script executed:

#!/bin/bash
set -euo pipefail

VERSION="1.43.3"
MODULE="github.com/aws/aws-sdk-go-v2/service/sts"
TAG="service/sts/v${VERSION}"

echo "== Go module proxy: ${MODULE} @ v${VERSION} =="
curl -fsSL "https://proxy.golang.org/${MODULE}/@v/v${VERSION}.info" | cat

echo
echo "== Upstream Git tag/ref existence: aws/aws-sdk-go-v2 @ ${TAG} =="
curl -fsSL "https://api.github.com/repos/aws/aws-sdk-go-v2/git/ref/tags/${TAG}" | jq '{ref,object:{sha}}'

echo
echo "== Vulnerabilities (OSV) for ${MODULE} @ ${VERSION} =="
curl -fsSL https://api.osv.dev/v1/query -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${MODULE}\"},\"version\":\"${VERSION}\"}" | jq '.'

Repository: kubeservice-stack/modelx

Length of output: 1960


🌐 Web query:

Go module proxy github.com/aws/aws-sdk-go-v2/service/sts v1.43.3.info

💡 Result:

The URL https://proxy.golang.org/github.com/aws/aws-sdk-go-v2/service/sts/@v/v1.43.3.info points to a Go module proxy endpoint that provides JSON-formatted metadata for version v1.43.3 of the github.com/aws/aws-sdk-go-v2/service/sts module [1][2]. Under the Go module proxy protocol, the .info endpoint returns metadata such as the canonical version string, the time the version was created, and, if applicable, the name of the original revision [1][3]. As of June 9, 2026, version v1.43.3 is not listed in the standard version history for this module [4][5][6]; the latest versions shown in official records are v1.43.2 (published June 4, 2026) and v1.43.1 (published June 3, 2026) [4][6]. If the requested version v1.43.3 does not exist, the proxy will return a 404 Not Found or 410 Gone error [1][7]. To verify the availability or metadata of a specific version, you can perform a GET request to that URL using a tool like curl or a web browser, or query the module via the Go CLI [8][1].


🌐 Web query:

OSV vulnerabilities github.com/aws/aws-sdk-go-v2/service/sts v1.43.3

💡 Result:

As of June 9, 2026, there are no known security vulnerabilities associated with github.com/aws/aws-sdk-go-v2/service/sts version v1.43.3. While the AWS SDK for Go v2 has had documented security advisories in the past—such as GHSA-xmrv-pmrh-hhx2, which involved a Denial of Service vulnerability in the EventStream decoder [1][2]—these issues were addressed in earlier versions of the affected components [2][3]. Publicly available vulnerability databases and security advisories from the official aws/aws-sdk-go-v2 repository do not list any critical, high, or medium vulnerabilities for version v1.43.3 of the STS service module [4][5][6]. You can continue to monitor the official GitHub security advisories page for the AWS SDK for Go v2 to stay informed about future security disclosures: https://github.com/aws/aws-sdk-go-v2/security/advisories [7][2].


🌐 Web query:

aws-sdk-go-v2 tag service/sts/v1.43.3

💡 Result:

As of June 9, 2026, the specific version "v1.43.3" for the github.com/aws/aws-sdk-go-v2/service/sts module has not been released [1]. The latest available version of the service/sts module in the AWS SDK for Go v2 as of this date is v1.43.2, which was published on June 4, 2026 [1]. The version v1.43.0 was released on June 2, 2026 [1][2]. The AWS SDK for Go v2 uses a modular versioning system where individual service packages (like service/sts) are tagged and versioned independently [1]. You can track the release history and latest tags for this specific module via its Go package registry page or the main repository's release history [1][3].


STS module metadata: goModuleVersion set to 1.43.3, but upstream appears to have no such release

In vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go (line 6: const goModuleVersion = "1.43.3"), public module/version records indicate v1.43.3 for github.com/aws/aws-sdk-go-v2/service/sts has not been released (latest shown is v1.43.2). That means this vendored metadata value likely doesn’t match an upstream tag—please confirm the intended Dependabot version update (and adjust to an existing release if needed). Vulnerability lookups for v1.43.3 don’t show known issues, but the primary concern is the apparent version mismatch.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go` at
line 6, The vendored constant goModuleVersion in go_module_metadata.go is set to
"1.43.3" but upstream has no v1.43.3 release; confirm whether the Dependabot
bump intended to update the vendor to an actual upstream tag or if the metadata
should instead reflect the last real release (e.g., "1.43.2"). If the intended
change was a metadata correction, update the const goModuleVersion in
go_module_metadata.go to the valid upstream release string; if the intention was
to upgrade, update the vendor files so they match an existing upstream tag and
set goModuleVersion to that tag.
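
A local consistency check for the version question raised in the review above, as an added example (not code from the PR, the AWS SDK or CodeRabbit): it compares the `goModuleVersion` constant in a vendored go_module_metadata.go with the version that vendor/modules.txt records for the same module. The function names and the sample inputs are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

const stsModule = "github.com/aws/aws-sdk-go-v2/service/sts"

// Constructed sample inputs, not copied from the PR's files.
const sampleModulesTxt = "# github.com/aws/aws-sdk-go-v2/service/sts v1.43.3\n" +
	"## explicit; go 1.24\n" +
	"github.com/aws/aws-sdk-go-v2/service/sts\n"
const sampleMetadata = "package sts\n\nconst goModuleVersion = \"1.43.3\"\n"

var versionConst = regexp.MustCompile(`(?m)^const goModuleVersion = "([^"]+)"`)

// vendoredVersion reads the "# <module> v<version>" header line that
// vendor/modules.txt keeps for each vendored module.
func vendoredVersion(modulesTxt, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "#" && f[1] == module && strings.HasPrefix(f[2], "v") {
			return strings.TrimPrefix(f[2], "v"), true
		}
	}
	return "", false
}

// checkMetadata fails when the goModuleVersion constant in metadataSrc is
// missing, duplicated, or differs from the version in modules.txt.
func checkMetadata(modulesTxt, module, metadataSrc string) error {
	want, ok := vendoredVersion(modulesTxt, module)
	if !ok {
		return fmt.Errorf("%s: not listed in vendor/modules.txt", module)
	}
	m := versionConst.FindAllStringSubmatch(metadataSrc, -1)
	if len(m) != 1 {
		return fmt.Errorf("%s: want 1 goModuleVersion constant, found %d", module, len(m))
	}
	if got := m[0][1]; got != want {
		return fmt.Errorf("%s: metadata says %s, modules.txt says %s", module, got, want)
	}
	return nil
}

func main() {
	fmt.Println("consistent:", checkMetadata(sampleModulesTxt, stsModule, sampleMetadata))
	stale := strings.Replace(sampleMetadata, "1.43.3", "1.43.2", 1)
	fmt.Println("stale:", checkMetadata(sampleModulesTxt, stsModule, stale))
}
```

This only shows that the vendored tree agrees with itself; whether the version exists upstream is still answered by the module proxy and the upstream tags.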
