fix(deps): update all dependencies by renovate[bot] · Pull Request #47 · aperturerobotics/common

renovate · 2026-02-23T13:35:57Z

This PR contains the following updates:

Package	Type	Update	Change
actions/dependency-review-action	action	minor	`v4.8.3` → `v4.9.0`
actions/setup-go	action	minor	`v6.2.0` → `v6.3.0`
actions/setup-node	action	minor	`v6.2.0` → `v6.3.0`
github.com/aperturerobotics/starpc	require	minor	`v0.47.1` → `v0.49.0`
github.com/aperturerobotics/starpc	require	minor	`v0.48.0` → `v0.49.0`
github.com/golangci/golangci-lint/v2	require	minor	`v2.10.1` → `v2.11.3`
github.com/goreleaser/goreleaser/v2	require	patch	`v2.14.0` → `v2.14.3`
github/codeql-action	action	minor	`v4.32.4` → `v4.33.0`
golang.org/x/mod	require	minor	`v0.33.0` → `v0.34.0`
golang.org/x/tools	require	minor	`v0.42.0` → `v0.43.0`
starpc	dependencies	minor	`^0.48.0` → `^0.49.0`

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

`v4.9.0`: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @jantiebot!
There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!

What's Changed

Compare normalized purls to account for encoding quirks by @juxtin in #1056
Make purl comparisons case insensitive by @juxtin in #1057
Feat: Add Patched Version to Vulnerabilities summary by @felickz in #1045
fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in #1060
Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in #1058
Bump actions/checkout from 4 to 6 by @dependabot[bot] in #1021
Updates for release 4.9.0 by @ahpook in #1064

New Contributors

@jantiebot made their first contribution in #1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

actions/setup-go (actions/setup-go)

`v6.3.0`

Compare Source

What's Changed

Update default Go module caching to use go.mod by @priyagupta108 in #705
Fix golang download url to go.dev by @178inaba in #469

Full Changelog: actions/setup-go@v6...v6.3.0

actions/setup-node (actions/setup-node)

`v6.3.0`

Compare Source

What's Changed

Enhancements:

Support parsing devEngines field by @susnux in #1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Fix npm audit issues by @gowridurgad in #1491
Replace uuid with crypto.randomUUID() by @trivikr in #1378
Upgrade minimatch from 3.1.2 to 3.1.5 by @dependabot in #1498

Bug fixes:

Remove hardcoded bearer for mirror-url @marco-ippolito in #1467
Scope test lockfiles by package manager and update cache tests by @gowridurgad in #1495

New Contributors

@susnux made their first contribution in #1283

Full Changelog: actions/setup-node@v6...v6.3.0

aperturerobotics/starpc (github.com/aperturerobotics/starpc)

`v0.49.0`

Compare Source

Full Changelog: aperturerobotics/starpc@v0.48.0...v0.49.0

`v0.48.0`

Compare Source

Full Changelog: aperturerobotics/starpc@v0.47.1...v0.48.0

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

`v2.11.3`

Compare Source

Released on 2026-03-10

Linters bug fixes
- gosec: from v2.24.7 to 619ce21

`v2.11.2`

Compare Source

Released on 2026-03-07

Fixes
- fmt: fix error when using the fmt command with explicit paths.

`v2.11.1`

Compare Source

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

`v2.11.0`

Compare Source

Released on 2026-03-06

Linters new features or changes
- errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
- gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
- noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
- prealloc: from 1.0.2 to 1.1.0
- revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
Linters bug fixes
- gocognit: from 1.2.0 to 1.2.1
- gosec: from 2.24.6 to 2.24.7
- unqueryvet: from 1.5.3 to 1.5.4

goreleaser/goreleaser (github.com/goreleaser/goreleaser/v2)

`v2.14.3`

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Other work

7cc4509: chore: fix svu config (@caarlos0)

Full Changelog: goreleaser/goreleaser@v2.14.2...v2.14.3

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

Find examples and commented usage of all options in our website.
Reach out on Discord and Twitter!

`v2.14.2`

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Bug fixes

a5070ed: fix(sbom): fix Windows CI test failure in catalog_source_archives (@caarlos0 and @Copilot)
89d4957: fix(telegram): chat_id should be allowed in the @channelname form (@caarlos0)
7089915: fix(telegram): improve default message template (@caarlos0)
6a3f983: fix(upload): prevent sendFile race condition on Windows (@caarlos0 and @Copilot)
0c0906d: fix: go1.26.1 (@caarlos0)
0dfb84b: fix: improve logs (@caarlos0)
53dd3b7: fix: lint (@caarlos0)

Documentation updates

b2b85e0: docs(deps): bump mkdocs-material in /www in the docs group (@dependabot[bot])
3227c59: docs(deps): bump mkdocs-material in /www in the docs group (@dependabot[bot])
a6aee4a: docs: fix badges (@caarlos0)
3722f3c: docs: improve telegram docs (@caarlos0)
43ce1c2: docs: telegram link (@caarlos0)
ed620f1: docs: update install.md (@caarlos0)

Other work

7e53058: chore(ci): switch artifact attestations gen to actions/attest (@scop)
b8b56ef: chore: add .env to .gitignore (@caarlos0)
0513ddb: chore: add comment (@caarlos0)
ec28ed7: ci(deps): bump the actions group with 11 updates (@dependabot[bot])
b51c2e8: ci(deps): bump the actions group with 7 updates (@dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.14.1...v2.14.2

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

Find examples and commented usage of all options in our website.
Reach out on Discord and Twitter!

`v2.14.1`

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Security updates

6bce54f: sec(deps): update filippo.io/edwards25519 (@caarlos0)

Bug fixes

6e813e9: fix(docker/v2): output in error (@caarlos0)
4621880: fix(tmpl): rename toSlice to list (@caarlos0)
c174134: fix(tmpl): slice -> toSlice (@caarlos0)

Documentation updates

8d53236: docs: announce v2.14 (@caarlos0)
c5c6637: docs: fix gemfury links (@caarlos0)
79922a2: docs: fix more divider (@caarlos0)
fe23919: docs: fix syntax (@caarlos0)
0c1ac6d: docs: fmt (@caarlos0)
ce778c3: docs: typo (@caarlos0)
63e1434: docs: update github action (@caarlos0)

Other work

d525fe7: chore: remove unused file (@caarlos0)
fd46e47: fix (@caarlos0)

Full Changelog: goreleaser/goreleaser@v2.14.0...v2.14.1

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

Find examples and commented usage of all options in our website.
Reach out on Discord and Twitter!

github/codeql-action (github/codeql-action)

`v4.33.0`

Compare Source

Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

To opt out of this change:
- Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
- User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
- User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559
Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

`v4.32.6`

Compare Source

Update default CodeQL bundle version to 2.24.3. #3548

`v4.32.5`

Compare Source

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

socket-security · 2026-02-23T13:36:53Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/github.com/goreleaser/goreleaser/v2@v2.14.0 ⏵ v2.14.3
	golang/github.com/golangci/golangci-lint/v2@v2.10.1 ⏵ v2.11.3	⁺¹
	golang/golang.org/x/tools@v0.42.0 ⏵ v0.43.0	⁺¹
	golang/golang.org/x/mod@v0.33.0 ⏵ v0.34.0
	golang/github.com/aperturerobotics/starpc@v0.47.1 ⏵ v0.49.0	⁺¹

View full report

renovate · 2026-03-06T13:57:14Z

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.25` -> `1.25.0`

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

55 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.26.0` -> `1.26.1`
`charm.land/lipgloss/v2`	`v2.0.0-beta.3.0.20251120230642-dcccabe2cd63` -> `v2.0.0`
`cloud.google.com/go/storage`	`v1.57.1` -> `v1.57.2`
`github.com/Azure/azure-sdk-for-go/sdk/storage/azblob`	`v1.6.1` -> `v1.6.3`
`github.com/MirrexOne/unqueryvet`	`v1.5.3` -> `v1.5.4`
`github.com/alexkohler/prealloc`	`v1.0.2` -> `v1.1.0`
`github.com/aws/aws-sdk-go-v2`	`v1.41.1` -> `v1.41.3`
`github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream`	`v1.7.4` -> `v1.7.6`
`github.com/aws/aws-sdk-go-v2/config`	`v1.32.5` -> `v1.32.10`
`github.com/aws/aws-sdk-go-v2/credentials`	`v1.19.5` -> `v1.19.10`
`github.com/aws/aws-sdk-go-v2/feature/ec2/imds`	`v1.18.16` -> `v1.18.18`
`github.com/aws/aws-sdk-go-v2/internal/configsources`	`v1.4.17` -> `v1.4.19`
`github.com/aws/aws-sdk-go-v2/internal/endpoints/v2`	`v2.7.17` -> `v2.7.19`
`github.com/aws/aws-sdk-go-v2/internal/v4a`	`v1.4.17` -> `v1.4.20`
`github.com/aws/aws-sdk-go-v2/service/ecr`	`v1.54.4` -> `v1.55.3`
`github.com/aws/aws-sdk-go-v2/service/ecrpublic`	`v1.38.8` -> `v1.38.10`
`github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding`	`v1.13.4` -> `v1.13.6`
`github.com/aws/aws-sdk-go-v2/service/internal/checksum`	`v1.9.8` -> `v1.9.11`
`github.com/aws/aws-sdk-go-v2/service/internal/presigned-url`	`v1.13.17` -> `v1.13.19`
`github.com/aws/aws-sdk-go-v2/service/internal/s3shared`	`v1.19.17` -> `v1.19.19`
`github.com/aws/aws-sdk-go-v2/service/s3`	`v1.96.0` -> `v1.96.4`
`github.com/aws/aws-sdk-go-v2/service/signin`	`v1.0.4` -> `v1.0.6`
`github.com/aws/aws-sdk-go-v2/service/sso`	`v1.30.7` -> `v1.30.11`
`github.com/aws/aws-sdk-go-v2/service/ssooidc`	`v1.35.12` -> `v1.35.15`
`github.com/aws/aws-sdk-go-v2/service/sts`	`v1.41.5` -> `v1.41.7`
`github.com/aws/smithy-go`	`v1.24.0` -> `v1.24.2`
`github.com/awslabs/amazon-ecr-credential-helper/ecr-login`	`v0.11.0` -> `v0.12.0`
`github.com/caarlos0/env/v11`	`v11.3.1` -> `v11.4.0`
`github.com/charmbracelet/colorprofile`	`v0.4.1` -> `v0.4.2`
`github.com/charmbracelet/ultraviolet`	`v0.0.0-20251120225753-26363bddd922` -> `v0.0.0-20251205161215-1948445e3318`
`github.com/charmbracelet/x/ansi`	`v0.11.4` -> `v0.11.6`
`github.com/clipperhouse/displaywidth`	`v0.8.0` -> `v0.11.0`
`github.com/clipperhouse/uax29/v2`	`v2.4.0` -> `v2.7.0`
`github.com/cloudflare/circl`	`v1.6.1` -> `v1.6.3`
`github.com/cncf/xds/go`	`v0.0.0-20251022180443-0feb69152e9f` -> `v0.0.0-20251110193048-8bfbf64dc13e`
`github.com/docker/docker-credential-helpers`	`v0.9.4` -> `v0.9.5`
`github.com/envoyproxy/go-control-plane/envoy`	`v1.35.0` -> `v1.36.0`
`github.com/google/go-containerregistry`	`v0.21.0` -> `v0.21.2`
`github.com/kisielk/errcheck`	`v1.9.0` -> `v1.10.0`
`github.com/mattn/go-mastodon`	`v0.0.10` -> `v0.0.11`
`github.com/mgechev/revive`	`v1.14.0` -> `v1.15.0`
`github.com/securego/gosec/v2`	`v2.23.0` -> `v2.24.8-0.20260309165252-619ce2117e08`
`github.com/slack-go/slack`	`v0.17.3` -> `v0.19.0`
`github.com/sonatard/noctx`	`v0.4.0` -> `v0.5.0`
`github.com/tomnomnom/linkheader`	`v0.0.0-20180905144013-02ca5825eb80` -> `v0.0.0-20250811210735-e5fe3b51442e`
`github.com/uudashr/gocognit`	`v1.2.0` -> `v1.2.1`
`gitlab.com/gitlab-org/api/client-go`	`v1.39.0` -> `v1.46.0`
`gocloud.dev`	`v0.44.0` -> `v0.45.0`
`golang.org/x/crypto`	`v0.48.0` -> `v0.49.0`
`golang.org/x/mod`	`v0.33.0` -> `v0.34.0`
`golang.org/x/net`	`v0.50.0` -> `v0.52.0`
`golang.org/x/sync`	`v0.19.0` -> `v0.20.0`
`golang.org/x/sys`	`v0.41.0` -> `v0.42.0`
`golang.org/x/telemetry`	`v0.0.0-20260209163413-e7419c687ee4` -> `v0.0.0-20260311193753-579e4da9a98c`
`golang.org/x/term`	`v0.40.0` -> `v0.41.0`
`golang.org/x/text`	`v0.34.0` -> `v0.35.0`

renovate bot force-pushed the renovate/all branch from 4006dc0 to 548fcdc Compare February 23, 2026 18:42

renovate bot changed the title ~~fix(deps): update dependency starpc to ^0.47.0~~ fix(deps): update all dependencies Feb 23, 2026

renovate bot changed the title ~~fix(deps): update all dependencies~~ fix(deps): update all dependencies - autoclosed Feb 24, 2026

renovate bot closed this Feb 24, 2026

renovate bot deleted the renovate/all branch February 24, 2026 11:20

renovate bot changed the title ~~fix(deps): update all dependencies - autoclosed~~ fix(deps): update module github.com/goreleaser/goreleaser/v2 to v2.14.1 Feb 25, 2026

renovate bot reopened this Feb 25, 2026

renovate bot force-pushed the renovate/all branch 3 times, most recently from ee4bec6 to 578e7f0 Compare February 26, 2026 05:58

renovate bot changed the title ~~fix(deps): update module github.com/goreleaser/goreleaser/v2 to v2.14.1~~ fix(deps): update all dependencies Feb 26, 2026

renovate bot force-pushed the renovate/all branch 7 times, most recently from 107b6a8 to e40a5b5 Compare March 6, 2026 13:57

renovate bot force-pushed the renovate/all branch 7 times, most recently from 724bb01 to 8925dcd Compare March 12, 2026 05:20

renovate bot force-pushed the renovate/all branch 3 times, most recently from 213d25c to 97a2058 Compare March 18, 2026 08:38

fix(deps): update all dependencies

7de3a59

renovate bot force-pushed the renovate/all branch from 97a2058 to 7de3a59 Compare March 18, 2026 13:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update all dependencies#47

fix(deps): update all dependencies#47
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/all

renovate bot commented Feb 23, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Feb 23, 2026 •

edited

Loading

Uh oh!

renovate bot commented Mar 6, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v4.9.0: Dependency Review Action 4.9.0

What's Changed

New Contributors

What's Changed

What's Changed

Enhancements:

Dependency updates:

Bug fixes:

New Contributors

Announcement

Changelog

Other work

Helping out

Where to go next?

Announcement

Changelog

Bug fixes

Documentation updates

Other work

Helping out

Where to go next?

Announcement

Changelog

Security updates

Bug fixes

Documentation updates

Other work

Helping out

Where to go next?

Configuration

Uh oh!

socket-security bot commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

renovate bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ️ Artifact update notice

File name: go.mod

File name: tools/go.mod

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

renovate bot commented Feb 23, 2026 •

edited

Loading

`v4.9.0`: Dependency Review Action 4.9.0

socket-security bot commented Feb 23, 2026 •

edited

Loading

renovate bot commented Mar 6, 2026 •

edited

Loading