build(deps): bump github.com/pocketbase/pocketbase from 0.35.0 to 0.36.9 #1078

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/pocketbase/pocketbase-0.36.9

dependabot Bot commented on behalf of github Apr 13, 2026

Bumps github.com/pocketbase/pocketbase from 0.35.0 to 0.36.9.

Release notes

Sourced from github.com/pocketbase/pocketbase's releases.

v0.36.9 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Updated the Discord AuthUser.Name field to use global_name (#7603; thanks @​HansHans135).

  • Fixed settings SMTP password clear persistence.

  • Added extra OAuth2 checks when downloading the avatar URL to prevent internal network probing requests in case of a malicious/vulnerable vendor.

  • Updated modernc.org/sqlite to v1.48.2 (vfs and other error path related fixes).

  • Updated min Go GitHub action version to 1.26.2 because it comes with some minor security fixes.

  • Other small improvements (updated $apis.static JSVM documentation, fixed comment typos, added missing file close on seek error, etc.).

v0.36.8 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed OAuth2 client secret reset when serializing a cached collection model.

  • Bumped all Go and npm deps. This should also silence recent spam reports and security scanners regarding CVE-2026-33809 (it is not an issue in PocketBase because we don't support TIFF thumbs).

v0.36.7 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Fixed high memory usage with large file uploads (#7572).

  • Updated the rate limiter reset rules to follow a more traditional fixed window strategy (aka. to be closer to how it is presented in the UI - allow max X user requests under Ys) since several users complained that the older algorithm was not intuitive and not suitable for large intervals. Approximated sliding window strategy was also suggested as a better compromise option to help minimize traffic spikes right after reset but the additional tracking could introduce some overhead and for now it is left aside until we have more tests.

  • Updated modernc.org/sqlite to v1.46.2 and SQLite 3.51.3. ⚠️ SQLite 3.51.3 fixed a database corruption bug that is very unlikely to happen (with PocketBase even more so because we queue on app level all writes and explicit transactions through a single db connection), but still it is advised to upgrade.

  • Updated other minor Go and npm deps. The min Go version in the go.mod of the package was also bumped to Go 1.25.0 because some of the newer deps require it.

v0.36.7-rc.1

[!CAUTION] This is a prerelease to validate a fix for high memory usage when uploading large files (#7572).

v0.36.6 Release

To update the prebuilt executable you can run ./pocketbase update.

  • Set NumberField.OnlyInt:true for the generated View collection schema fields when a view column expression is known to return int-only values (#7538).

  • Documented the unmarshal JSVM helper (#7543).

  • Added extra read check after the Store.GetOrSet write lock to prevent races overwriting an already existing value.

... (truncated)

Changelog

Sourced from github.com/pocketbase/pocketbase's changelog.

v0.36.9

  • Updated the Discord AuthUser.Name field to use global_name (#7603; thanks @​HansHans135).

  • Fixed settings SMTP password clear persistence.

  • Added extra OAuth2 checks when downloading the avatar URL to prevent internal network probing requests in case of a malicious/vulnerable vendor.

  • Updated modernc.org/sqlite to v1.48.2 (vfs and other error path related fixes).

  • Updated min Go GitHub action version to 1.26.2 because it comes with some minor security fixes.

  • Other small improvements (updated $apis.static JSVM documentation, fixed comment typos, added missing file close on seek error, etc.).

v0.36.8

  • Fixed OAuth2 client secret reset when serializing a cached collection model.

  • Bumped all Go and npm deps. This should also silence recent spam reports and security scanners regarding golang.org/x/image CVE-2026-33809 (it is not an issue in PocketBase because we don't support TIFF thumbs).

v0.36.7

  • Fixed high memory usage with large file uploads (#7572).

  • Updated the rate limiter reset rules to follow a more traditional fixed window strategy (aka. to be closer to how it is presented in the UI - allow max X user requests under Ys) since several users complained that the older algorithm was not intuitive and not suitable for large intervals. Approximated sliding window strategy was also suggested as a better compromise option to help minimize traffic spikes right after reset but the additional tracking could introduce some overhead and for now it is left aside until we have more tests.

  • Updated modernc.org/sqlite to v1.46.2 and SQLite 3.51.3. ⚠️ SQLite 3.51.3 fixed a database corruption bug that is very unlikely to happen (with PocketBase even more so because we queue on app level all writes and explicit transactions through a single db connection), but still it is advised to upgrade.

  • Updated other minor Go and npm deps. The min Go version in the go.mod of the package was also bumped to Go 1.25.0 because some of the newer dep versions require it.

v0.36.6

  • Set NumberField.OnlyInt:true for the generated View collection schema fields when a view column expression is known to return int-only values (#7538).

  • Documented the unmarshal JSVM helper (#7543).

  • Added extra read check after the Store.GetOrSet write lock to prevent races overwriting an already existing value.

  • Added empty records check for the additional client-side filter's ListRule constraint that was introduced in v0.32.0 (presentator#206).

  • Set a fixed routine.FireAndForget() debug stack trace limit to 2KB.

  • Bumped min Go GitHub action version to 1.26.1 because it comes with some minor bug and security fixes.

... (truncated)

Commits
  • 58f605e bumped modernc.org/sqlite to 1.48.2
  • 6ae3d47 updated changelog
  • cb185ad ratelimit test flakiness adjustments
  • f89858f #7632 added missing error check in the jsvm watcher
  • 0695ca2 #7630 added missing file close after seek error
  • e916941 bumped ui/dist and go action version
  • b251a4c updated backport changelog
  • 01949b0 removed unnecessary struct wrapping
  • 89f3668 updated settings update test
  • 7865ca7 updated jsvm types
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
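
The v0.36.9 notes above mention extra OAuth2 checks on the avatar download to prevent internal network probing. The following is an added example, not part of this PR and not PocketBase's code, showing one common way to enforce that in Go: a dial-time check on the resolved IP. The names `isPublicAddr`, `denyInternal` and `newAvatarClient` and the timeouts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// isPublicAddr reports whether ip is a public unicast address. Loopback,
// link-local (incl. 169.254.169.254), RFC 1918 / ULA, multicast and
// unspecified addresses are all rejected.
func isPublicAddr(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return ip.IsGlobalUnicast() && !ip.IsPrivate()
}

// denyInternal is a net.Dialer Control hook. It runs after DNS resolution,
// on the literal IP being connected to, so a hostname that resolves (or
// re-resolves) to an internal address is refused as well.
func denyInternal(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("avatar fetch: bad dial address %q: %w", address, err)
	}
	if !isPublicAddr(ap.Addr()) {
		return fmt.Errorf("avatar fetch: refusing non-public address %s", ap.Addr())
	}
	return nil
}

// newAvatarClient (hypothetical helper) returns a client for fetching
// provider-supplied avatar URLs. Redirect targets go through the same dialer.
func newAvatarClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: denyInternal}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}, // Proxy unset: dial directly
	}
}

func main() {
	// Constructed sample dial addresses.
	for _, a := range []string{"169.254.169.254:80", "[::1]:8090", "93.184.216.34:443"} {
		fmt.Printf("%-22s -> %v\n", a, denyInternal("tcp", a, nil))
	}
}
```

Checking at dial time rather than on the URL string means the decision is made on the address actually connected to, which also covers redirects and DNS answers that change between lookups.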

Bumps [github.com/pocketbase/pocketbase](https://github.com/pocketbase/pocketbase) from 0.35.0 to 0.36.9.
- [Release notes](https://github.com/pocketbase/pocketbase/releases)
- [Changelog](https://github.com/pocketbase/pocketbase/blob/master/CHANGELOG.md)
- [Commits](pocketbase/pocketbase@v0.35.0...v0.36.9)

---
updated-dependencies:
- dependency-name: github.com/pocketbase/pocketbase
  dependency-version: 0.36.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Apr 13, 2026
dependabot Bot commented on behalf of github Apr 20, 2026

Superseded by #1091.

dependabot Bot closed this Apr 20, 2026
dependabot Bot deleted the dependabot/go_modules/github.com/pocketbase/pocketbase-0.36.9 branch April 20, 2026 00:13