fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/dependency-review-action	action	major	v4.9.0 → v5.0.0
github.com/aperturerobotics/starpc	require	patch	v0.49.7 → v0.49.15
github.com/golangci/golangci-lint/v2	require	minor	v2.11.4 → v2.12.2
github.com/goreleaser/goreleaser/v2	require	minor	v2.15.4 → v2.16.0
github/codeql-action	action	minor	v4.35.2 → v4.36.0
golang.org/x/mod	require	minor	v0.35.0 → v0.36.0
golang.org/x/tools	require	minor	v0.44.0 → v0.45.0
mvdan.cc/gofumpt	require	minor	v0.9.2 → v0.10.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in #​1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in #​1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in #​1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in #​1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in #​1076
• Resolve security findings by @​AshelyTC in #​1094
• v5.0.0 release branch by @​ahpook in #​1098

New Contributors

• @​scottschreckengaust made their first contribution in #​1084
• @​mongolyy made their first contribution in #​1091
• @​Marukome0743 made their first contribution in #​1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

aperturerobotics/starpc (github.com/aperturerobotics/starpc)

v0.49.15

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.14...v0.49.15

v0.49.14

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.13...v0.49.14

v0.49.13

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.12...v0.49.13

v0.49.12

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.11...v0.49.12

v0.49.11

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.10...v0.49.11

v0.49.10

Compare Source

What's Changed

• fix(deps): update github.com/aperturerobotics/util digest to cbfc6d6 by @​renovate[bot] in #​207

Full Changelog: aperturerobotics/starpc@v0.49.9...v0.49.10

v0.49.9

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.8...v0.49.9

v0.49.8

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.7...v0.49.8

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.12.2

Compare Source

Released on 2026-05-06

1. Linters bug fixes
   • gomodguard_v2: fix blocked configuration
   • gomodguard_v2: from 2.1.0 to 2.1.3
   • iface: from 1.4.1 to 1.4.2

v2.12.1

Compare Source

Released on 2026-05-01

1. Linters bug fixes
   • gomodguard_v2: fix panic with migration suggestion
2. Misc.
   • fix install.sh script (if you are still using an URL based on the branch master, please update to use https://golangci-lint.run/install.sh)

v2.12.0

Compare Source

Released on 2026-05-01

1. New linters
   • Add clickhouselint linter https://github.com/ClickHouse/clickhouse-go-linter
2. Linters new features or changes
   • dupl: from f665c8d to c99c5cf (extended detection)
   • funcorder: from 0.5.0 to 0.6.0 (new option: function)
   • goconst: add an option to ignore strings from tests
   • goconst: from 1.8.2 to 1.10.0 (extended detection)
   • gomodguard_v2: from 1.4.1 to 2.1.0 (major version with new configuration)
   • gosec: from 619ce21 to 2.26.1 (new checks: G124, G708, G709, G710)
   • govet: add inline analyzer
   • makezero: from 2.1.0 to 2.2.1 (support slice type aliases)
   • paralleltest: expose checkcleanup option
   • sloglint: from 0.11.1 to 0.12.0 (new options: allowed-keys, custom-funcs)
   • wsl_v5: from 5.6.0 to 5.8.0 (new option: cuddle-max-statements; new checks: after-decl, after-defer, after-expr, after-go, cuddle-group)
3. Linters bug fixes
   • forbidigo: from 2.3.0 to 2.3.1
   • godot: from 1.5.4 to 1.5.6
   • govet-modernize: from 0.43.0 to 0.44.0
   • ireturn: from 0.4.0 to 0.4.1
   • rowserrcheck: from 1.1.1 to c5f79b8
4. Misc.
   • Decrease cache entropy
   • Embed the JSON schema in the binary
   • Filter env vars when cloning the repository with the custom command

goreleaser/goreleaser (github.com/goreleaser/goreleaser/v2)

v2.16.0

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.16.

Changelog

New Features

• bb532b6: feat(archive): xz format (#​6520) (@​jaredallard and @​caarlos0)
• 9500ead: feat(builders): add node sea support (#​6579) (@​caarlos0 and @​vedantmgoyal9)
• 851f8f9: feat(deps): update docker in docker image (@​caarlos0)
• 8da70bc: feat(dockers_v2): baseimage and baseimagedigest template variables (#​6625) (@​caarlos0)
• 9e629ad: feat(dockers_v2): pre/post hooks (#​6634) (@​caarlos0)
• e8d5686: feat(dockers_v2): remove experimental warn (@​caarlos0)
• d5c8e4f: feat(dockers_v2): set extra.platforms in the artifact (#​6628) (@​caarlos0)
• 868767b: feat(nix): support meta.mainProgram (#​6627) (@​caarlos0)
• f72cf9d: feat: go1.26.3 (@​caarlos0)
• a4be92b: feat: proper deprecate brews (@​caarlos0)

Bug fixes

• bb9062f: fix(cask): emit generate_completions_from_executable after postflight (#​6594) (@​caarlos0)
• 6ecba31: fix(github): preserve prerelease on publish (#​6591) (@​caarlos0)
• 2e17678: fix(github): preserve prerelease publish fields (@​caarlos0)
• 17315a5: fix(github): remove author lookup by email (#​6601) (@​caarlos0)
• e696cf8: fix(srpm): set format and extension in extra (#​6623) (@​caarlos0)
• 9fd33f5: fix(xz): rm unused field (@​caarlos0)
• 306e37d: fix: change keyword color (@​caarlos0)
• dd02be1: fix: handle secondary rate limits on github (#​6630) (@​caarlos0)
• 49025ca: fix: run script resolves nightly tags (@​caarlos0)
• bba909e: fix: webhook error handling improvements (@​caarlos0)
• 9f2811b: fix: wrong goreleaser URL (#​6584) (@​ldez)
• 0944b0e: fix:linkedin error handling improvements (@​caarlos0)

Documentation updates

• 9081224: docs(actions): note immutable nightly resolution (#​6590) (@​caarlos0)
• 6c2d9e0: docs: add RWX CI guide (#​6597) (@​robinaugh)
• 3514d8d: docs: add slack to users list (#​6605) (@​zimeg)
• 7b6496f: docs: better install page (#​6631) (@​caarlos0)
• 33dfa25: docs: cleanup install (@​caarlos0)
• be689af: docs: dont include nightlies in releases.json (@​caarlos0)
• 6bc06bf: docs: fix invalid 'neq' template function in pkg example (#​6604) (@​SAY-5)
• f7b59d4: docs: fix logos (@​caarlos0)
• ebc8484: docs: fix rendering issue inside tabs (@​caarlos0)
• c6c834c: docs: improve install page (@​caarlos0)
• d05aaa0: docs: missing required version (@​caarlos0)
• b1e5b9a: docs: parallax effect on homepage (#​6596) (@​caarlos0)
• 6e7c917: docs: rm old docs instructions (@​caarlos0)
• dd37302: docs: updat (@​caarlos0)
• 8b21145: docs: update link (@​caarlos0)
• 8976559: docs: update users.md (@​caarlos0)
• bd4e1a5: docs: updates (@​caarlos0)
• b259380: docs: updates (@​caarlos0)

Other work

• 22004f4: chore(www): update hextra (@​caarlos0)
• 0750c1b: chore: fmt (@​caarlos0)
• 61623ca: chore: gofumpt (@​caarlos0)
• 231e274: chore: remove unused struct (@​caarlos0)
• d76fb40: chore: skip one more docker test on windows (@​caarlos0)
• 6fd4db6: chore: update golang.org/x/ (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.15.4...v2.16.0

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord, Twitter, and Telegram!

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

mvdan/gofumpt (mvdan.cc/gofumpt)

v0.10.0

Compare Source

This release is based on Go 1.26's gofmt, and requires Go 1.25 or later.

A new rule is introduced to drop unnecessary parentheses around expressions
where the inner expression is unambiguous on its own, such as f((3)).
Parentheses are kept where they are useful, such as on binary expressions. See #​44.

A new rule is introduced to require multi-line function calls to match
the opening and closing parenthesis in terms of the use of newlines. See #​74.

The -extra flag now accepts a comma-separated list of rule names to enable
individual extra rules, rather than enabling all of them at once. See #​339.

The following changes are included as well:

• Avoid crashing on go.mod files without a module directive - #​350
• Avoid failing when an ignored directory cannot be read - #​351
• Avoid prefixing more kinds of commented-out Go code with spaces - #​230
• Avoid prefixing a shebang comment with a space - #​237
• Narrow the newlines on assignments rule to ignore complex cases - #​354
• Fix three bugs which caused a second gofumpt run to make changes - #​132, #​345

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 56 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.26.2 -> 1.26.3
github.com/aperturerobotics/common	v0.33.0 -> v0.33.1-0.20260516193515-675cfc5a0c12
cloud.google.com/go/kms	v1.29.0 -> v1.31.0
code.gitea.io/sdk/gitea	v0.24.1 -> v0.25.1
github.com/Masterminds/semver/v3	v3.4.0 -> v3.5.0
github.com/alecthomas/chroma/v2	v2.23.1 -> v2.24.1
github.com/ashanbrown/forbidigo/v2	v2.3.0 -> v2.3.1
github.com/ashanbrown/makezero/v2	v2.1.0 -> v2.2.1
github.com/aws/aws-sdk-go-v2	v1.41.6 -> v1.41.7
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.9 -> v1.7.10
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.22 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.22 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.23 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.8 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.14 -> v1.9.15
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.22 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.22 -> v1.19.23
github.com/aws/aws-sdk-go-v2/service/s3	v1.99.1 -> v1.101.0
github.com/aws/smithy-go	v1.25.0 -> v1.25.1
github.com/bombsimon/wsl/v5	v5.6.0 -> v5.8.0
github.com/butuzov/ireturn	v0.4.0 -> v0.4.1
github.com/caarlos0/env/v11	v11.4.0 -> v11.4.1
github.com/cyphar/filepath-securejoin	v0.5.1 -> v0.6.1
github.com/dlclark/regexp2	v1.11.5 -> v1.12.0
github.com/docker/cli	v29.4.0+incompatible -> v29.4.3+incompatible
github.com/docker/go-connections	v0.6.0 -> v0.7.0
github.com/go-git/go-billy/v5	v5.8.0 -> v5.9.0
github.com/go-git/go-git/v5	v5.18.0 -> v5.19.1
github.com/golangci/dupl	v0.0.0-20250308024227-f665c8d69b32 -> v0.0.0-20260401084720-c99c5cf5c202
github.com/google/go-containerregistry	v0.21.5 -> v0.21.6
github.com/goreleaser/quill	v0.0.0-20260418030907-a259ef5caf05 -> v0.0.0-20260503024558-dbc159c51d43
github.com/hashicorp/go-version	v1.8.0 -> v1.9.0
github.com/in-toto/in-toto-golang	v0.10.0 -> v0.11.0
github.com/invopop/jsonschema	v0.13.0 -> v0.14.0
github.com/jgautheron/goconst	v1.8.2 -> v1.10.0
github.com/klauspost/compress	v1.18.5 -> v1.18.6
github.com/klauspost/cpuid/v2	v2.2.8 -> v2.3.0
github.com/manuelarte/funcorder	v0.5.0 -> v0.6.0
github.com/moby/moby/api	v1.54.1 -> v1.54.2
github.com/moby/moby/client	v0.4.0 -> v0.4.1
github.com/modelcontextprotocol/registry	v1.6.0 -> v1.7.9
github.com/pelletier/go-toml/v2	v2.2.4 -> v2.3.1
github.com/pjbgf/sha1cd	v0.3.2 -> v0.6.0
github.com/securego/gosec/v2	v2.24.8-0.20260309165252-619ce2117e08 -> v2.26.1
github.com/slack-go/slack	v0.22.0 -> v0.23.1
github.com/sourcegraph/go-diff	v0.7.0 -> v0.8.0
github.com/tetafro/godot	v1.5.4 -> v1.5.6
github.com/timakin/bodyclose	v0.0.0-20241222091800-1db5c5ca4d67 -> v0.0.0-20260129054331-73d1f95b84b4
github.com/uudashr/iface	v1.4.1 -> v1.4.2
go-simpler.org/sloglint	v0.11.1 -> v0.12.0
golang.org/x/crypto	v0.50.0 -> v0.52.0
golang.org/x/mod	v0.35.0 -> v0.36.0
golang.org/x/net	v0.53.0 -> v0.54.0
golang.org/x/sys	v0.44.0 -> v0.45.0
golang.org/x/telemetry	v0.0.0-20260409153401-be6f6cb8b1fa -> v0.0.0-20260508192327-42602be52be6
golang.org/x/term	v0.42.0 -> v0.43.0
golang.org/x/text	v0.36.0 -> v0.37.0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​golangci/​golangci-lint/​v2@​v2.11.4 ⏵ v2.12.2	+1
	golang/​github.com/​goreleaser/​goreleaser/​v2@​v2.15.4 ⏵ v2.16.0	+1
	golang/​golang.org/​x/​tools@​v0.44.0 ⏵ v0.45.0	+1
	golang/​github.com/​aperturerobotics/​starpc@​v0.49.7 ⏵ v0.49.15	-8
	golang/​golang.org/​x/​mod@​v0.35.0 ⏵ v0.36.0	+1
	golang/​github.com/​aperturerobotics/​common@​v0.33.0 ⏵ v0.33.1-0.20260516193515-675cfc5a0c12
	golang/​mvdan.cc/​gofumpt@​v0.9.2 ⏵ v0.10.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: golang github.com/goreleaser/quill is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/goreleaser/goreleaser/v2@v2.16.0 → golang/github.com/goreleaser/quill@v0.0.0-20260503024558-dbc159c51d43 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/goreleaser/quill@v0.0.0-20260503024558-dbc159c51d43. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang github.com/pelletier/go-toml/v2 is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/golangci/golangci-lint/v2@v2.12.2 → golang/github.com/goreleaser/goreleaser/v2@v2.16.0 → golang/github.com/pelletier/go-toml/v2@v2.3.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/pelletier/go-toml/v2@v2.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang golang.org/x/tools is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: tools/go.mod → golang/golang.org/x/tools@v0.45.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/tools@v0.45.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report