Conversation

@renovate-bot
Collaborator

This PR contains the following updates:

Package Change
github.com/google/osv-scanner v1.9.2 -> v2.3.2
gopkg.in/yaml.v2 v2.4.0 -> v3.0.1

Release Notes

google/osv-scanner (github.com/google/osv-scanner)

v2.3.2

Compare Source

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:
  • Bug #2415 Add more PURL-to-ecosystem mappings
  • Bug #2422 MCP error for get_vulnerability_id because the type definition is incorrect.
  • Bug #2460 Enable osv-scanner.json git queries
  • Bug #2456 Properly track if an ignore entry has been used
  • Bug #2450 Performance: Avoid loading the entire advisory unless it will actually be used
  • Bug #2445 Performance: Don't read the entire zip into memory
  • Bug #2433 Allow specifying user agent in v2 osvscanner package

v2.3.1

Compare Source

Features:
  • Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.
Fixes:
  • Bug #2395 Fix license scanning to correctly match new deps.dev package names.
  • Bug #2333 Deduplicate SARIF outputs for GitHub.
  • Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.
Misc:
  • Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

v2.3.0

Compare Source

This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.

v2.2.4

Compare Source

Features:
  • Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
  • Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
  • Feature #2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #2206).

v2.2.3

Compare Source

Features:
  • Feature #2209 Add support for resolving git packages that have a version specified.
  • Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
  • Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.
Fixes:
  • Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
  • Fix #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

v2.2.2

Compare Source

Features:
  • Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
  • Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.
Fixes:
  • Bug #2204 Add a warning to guide users to the correct GitHub Action.
  • Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
  • Bug #2188 Fix handling of absolute paths on Windows.

v2.2.1

Compare Source


v2.2.0

Compare Source

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Fixes:
  • Bug #2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
  • Bug #2084 Show absolute paths when scanning containers.
  • Bug #2126 Log and preserve package count before continuing on db error.
  • Bug #2095 Pass through plugin capabilities correctly.
  • Bug #2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
  • Bug #2072 Add missing "text" property in description fields.
  • Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
  • Bug #2064 Fix SARIF v3 output to include results.

v2.1.0

Compare Source

Features:
  • Feature #2038 Add CycloneDX location field to the output source string.
  • Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
  • Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and add a --show-all-vulns flag to show all.
  • Feature #2003 Add experimental summary output format for the reporter.
  • Feature #1988 Add support for CycloneDX 1.6 report format.
  • Feature #1987 Add support for gems.locked files used by Bundler.
  • Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
  • Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
  • Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
  • Feature #1957 Use a dedicated exit code for invalid configuration files.
Fixes:
  • Bug #2046 Correctly set the user agent string for all outgoing requests.
  • Bug #2019 Use more natural language in the descriptions for extractor-related flags.
  • Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
  • Bug #2000 Ensure CDATA content in XML is correctly outputted in guided remediation.
  • Bug #1949 Fix filtering of package types in vulnerability counts.

v2.0.3

Compare Source

Features:
  • Feature #1943 Added a flag to suppress "no package sources found" error.
  • Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3.
  • Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.
Fixes:
  • Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #1857 Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.
  • Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #1930 Fix issue where Maven client loses auth data during extraction.
Misc:
  • Update dependencies and update Go to 1.24.4.

v2.0.2

Compare Source

Fixes:
  • Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

v2.0.1

Compare Source

Features:
  • Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • Feature #1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • Feature #1761 Improve output when scanning for OS packages; we now show binary packages associated with a source package in the table output.
Fixes:
  • Bug #1752 Fix paging depth issue when querying the osv.dev API.
  • Bug #1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
  • Bug #1717 Fix issue where nested CycloneDX components were not being parsed.
  • Bug #1744 Fix issue where empty CycloneDX SBOMs were causing a panic.
  • Bug #1726 De-duplicate references in CycloneDX report output for improved validity.
  • Bug #1727 Remove automatic opening of HTML reports in the browser (fixes #1721).
  • Bug #1735 Require a tag when scanning container images to prevent potential errors.

v2.0.0

Compare Source

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:
  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.
    • Machine-readable output for guided remediation.
  • Enhanced Dependency Extraction with osv-scalibr:
    • Haskell: cabal.project.freeze, stack.yaml.lock
    • .NET: deps.json
    • Python: uv.lock
    • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
  • Feature #1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
  • Feature #1582 Add container scanning information to vertical output format.
  • Feature #1587 Add support for severity in SARIF report format.
  • Feature #1569 Add support for bun.lock lockfiles.
  • Feature #1547 Add experimental config support to the scan image command.
  • Feature #1557 Allow setting port number with --serve using the new --port flag.
Breaking Changes:
  • Feature #1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
  • Feature #1670 Removed the --verbosity=verbose verbosity level.
  • Feature #1673 & Feature #1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
  • Feature #1651 Multiple license flags have been merged into a single --license flag.
  • Feature #1666 API: reporter removed; logging now uses slog, which can be overridden.
  • Feature #1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).
Improvements:
  • Feature #1561 Updated HTML report for better contrast and usability (from beta2).
  • Feature #1584 Make skipping the root git repository the default behavior (from beta2).
  • Feature #1648 Updated HTML report styling to improve contrast (from rc1).
Fixes:
  • Fix #1598 Fix table output vulnerability ordering.
  • Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
  • Fix #1585 Fixed issue where base images are occasionally duplicated.
  • Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

go-yaml/yaml (gopkg.in/yaml.v2)

v3.0.1

Compare Source

v3.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

@forking-renovate bot added the dependencies label (Pull requests that update a dependency file) on Jan 29, 2026
@forking-renovate

ℹ️ Artifact update notice

File name: vulnfeeds/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 9 additional dependencies were updated

Details:

Package Change
github.com/charmbracelet/lipgloss v1.1.0 -> v1.1.1-0.20250404203927-76690c660834
github.com/ProtonMail/go-crypto v1.1.6 -> v1.3.0
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc -> v0.3.1
github.com/charmbracelet/x/ansi v0.8.0 -> v0.10.1
github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd -> v0.0.13
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.6.0
github.com/pjbgf/sha1cd v0.3.2 -> v0.4.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.62.0
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20251222181119-0a764e51fe1b

@gemini-code-assist
Contributor

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@cuixq
Contributor

cuixq commented Jan 29, 2026

Updating github.com/google/osv-scanner is blocked by #4700
