build(deps): bump github.com/pocketbase/pocketbase from 0.35.0 to 0.36.8 #1059

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/pocketbase/pocketbase-0.36.8


dependabot[bot] commented on behalf of github on Mar 30, 2026

Bumps github.com/pocketbase/pocketbase from 0.35.0 to 0.36.8.

Release notes

Sourced from github.com/pocketbase/pocketbase's releases.

v0.36.8 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed OAuth2 client secret reset when serializing a cached collection model.

  • Bumped all Go and npm deps. This should also silence recent spam reports and security scanners regarding CVE-2026-33809 (it is not an issue in PocketBase because we don't support TIFF thumbs).

v0.36.7 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed high memory usage with large file uploads (#7572).

  • Updated the rate limiter reset rules to follow a more traditional fixed window strategy (aka. to be more close to how it is presented in the UI - allow max X user requests under Ys) since several users complained that the older algorithm was not intuitive and not suitable for large intervals. Approximated sliding window strategy was also suggested as a better compromise option to help minimize traffic spikes right after reset but the additional tracking could introduce some overhead and for now it is left aside until we have more tests.

  • Updated modernc.org/sqlite to v1.46.2 and SQLite 3.51.3. ⚠️ SQLite 3.51.3 fixed a database corruption bug that is very unlikely to happen (with PocketBase even more so because we queue on app level all writes and explicit transactions through a single db connection), but still it is advised to upgrade.

  • Updated other minor Go and npm deps. The min Go version in the go.mod of the package was also bumped to Go 1.25.0 because some of the newer deps require it.

v0.36.7-rc.1

Caution: This is a prerelease to validate a fix for high memory usage when uploading large files (#7572).

v0.36.6 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Set NumberField.OnlyInt:true for the generated View collection schema fields when a view column expression is known to return int-only values (#7538).

  • Documented the unmarshal JSVM helper (#7543).

  • Added extra read check after the Store.GetOrSet write lock to prevent races overwriting an already existing value.

  • Added empty records check for the additional client-side filter's ListRule constraint that was introduced in v0.32.0 (presentator#206).

  • Set a fixed routine.FireAndForget() debug stack trace limit to 2KB.

  • Bumped min Go GitHub action version to 1.26.1 because it comes with some minor bug and security fixes.

  • Typos and other minor doc fixes.

v0.36.5 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Disabled collection and fields name normalization while in IME mode (#7532; thanks @miaopan607).

  • Updated modernc.org/sqlite to v1.46.1 (resets connection state on Tx.Commit failure).

... (truncated)

Changelog

Sourced from github.com/pocketbase/pocketbase's changelog.

v0.36.8

  • Fixed OAuth2 client secret reset when serializing a cached collection model.

  • Bumped all Go and npm deps. This should also silence recent spam reports and security scanners regarding CVE-2026-33809 golang.org/x/image bug (it is not an issue in PocketBase because we don't support TIFF thumbs).

v0.36.7

  • Fixed high memory usage with large file uploads (#7572).

  • Updated the rate limiter reset rules to follow a more traditional fixed window strategy (aka. to be more close to how it is presented in the UI - allow max X user requests under Ys) since several users complained that the older algorithm was not intuitive and not suitable for large intervals. Approximated sliding window strategy was also suggested as a better compromise option to help minimize traffic spikes right after reset but the additional tracking could introduce some overhead and for now it is left aside until we have more tests.

  • Updated modernc.org/sqlite to v1.46.2 and SQLite 3.51.3. ⚠️ SQLite 3.51.3 fixed a database corruption bug that is very unlikely to happen (with PocketBase even more so because we queue on app level all writes and explicit transactions through a single db connection), but still it is advised to upgrade.

  • Updated other minor Go and npm deps. The min Go version in the go.mod of the package was also bumped to Go 1.25.0 because some of the newer dep versions require it.

v0.36.6

  • Set NumberField.OnlyInt:true for the generated View collection schema fields when a view column expression is known to return int-only values (#7538).

  • Documented the unmarshal JSVM helper (#7543).

  • Added extra read check after the Store.GetOrSet write lock to prevent races overwriting an already existing value.

  • Added empty records check for the additional client-side filter's ListRule constraint that was introduced in v0.32.0 (presentator#206).

  • Set a fixed routine.FireAndForget() debug stack trace limit to 2KB.

  • Bumped min Go GitHub action version to 1.26.1 because it comes with some minor bug and security fixes.

  • Typos and other minor doc fixes.

v0.36.5

  • Disabled collection and fields name normalization while in IME mode (#7532; thanks @miaopan607).

  • Updated modernc.org/sqlite to v1.46.1 (resets connection state on Tx.Commit failure).

v0.36.4

... (truncated)

Commits
  • 78dc12d regenerated jsvm types
  • 4b4c2ec updated ui/dist
  • d87fa3b bumped go deps
  • 45d353f fixed OAuth2 client secret reset when marshalizing a cached collection model
  • e5390c3 added missing error return and fixed comment typo
  • e3d2608 updated backport changelog
  • 650a425 updated changelog
  • de70af2 updated npm deps and ui/dist
  • ba7ed78 updated modernc.org/sqlite to 1.46.2 (SQLite 3.51.3)
  • cea149c updated jsvm types
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps [github.com/pocketbase/pocketbase](https://github.com/pocketbase/pocketbase) from 0.35.0 to 0.36.8.
- [Release notes](https://github.com/pocketbase/pocketbase/releases)
- [Changelog](https://github.com/pocketbase/pocketbase/blob/master/CHANGELOG.md)
- [Commits](pocketbase/pocketbase@v0.35.0...v0.36.8)

---
updated-dependencies:
- dependency-name: github.com/pocketbase/pocketbase
  dependency-version: 0.36.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and go labels on Mar 30, 2026

dependabot[bot] commented on behalf of github on Apr 13, 2026

Superseded by #1078.

dependabot[bot] closed this on Apr 13, 2026
dependabot[bot] deleted the dependabot/go_modules/github.com/pocketbase/pocketbase-0.36.8 branch on April 13, 2026 00:12