fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/dependency-review-action	action	minor	v4.8.3 → v4.9.0
actions/setup-go	action	minor	v6.2.0 → v6.3.0
actions/setup-node	action	minor	v6.2.0 → v6.3.0
github.com/aperturerobotics/controllerbus	require	patch	v0.52.3 → v0.52.5
github.com/aperturerobotics/starpc	require	minor	v0.48.0 → v0.49.0
github.com/sirupsen/logrus	require	digest	00992ca → 9f06009
github.com/sirupsen/logrus	require	digest	34027ea → 9f06009
github/codeql-action	action	patch	v4.32.4 → v4.32.6
go (source)	toolchain	patch	1.26.0 → 1.26.1
golang.org/x/mod	require	minor	v0.33.0 → v0.34.0
golang.org/x/tools	require	minor	v0.42.0 → v0.43.0
starpc	dependencies	minor	^0.48.0 → ^0.49.0

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

actions/setup-go (actions/setup-go)

v6.3.0

Compare Source

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in #​705
• Fix golang download url to go.dev by @​178inaba in #​469

Full Changelog: actions/setup-go@v6...v6.3.0

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

aperturerobotics/controllerbus (github.com/aperturerobotics/controllerbus)

v0.52.5

Compare Source

v0.52.4

Compare Source

aperturerobotics/starpc (github.com/aperturerobotics/starpc)

v0.49.0

Compare Source

Full Changelog: aperturerobotics/starpc@v0.48.0...v0.49.0

github/codeql-action (github/codeql-action)

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

v4.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #​3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #​3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #​3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #​3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #​3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #​3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #​3503, #​3504

golang/go (go)

v1.26.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​golang.org/​x/​tools@​v0.43.0
	npm/​starpc@​0.49.0
	golang/​golang.org/​x/​mod@​v0.34.0
	golang/​github.com/​sirupsen/​logrus@​v1.9.5-0.20260226151524-34027eac4204 ⏵ v1.9.5-0.20260309202648-9f0600962f75
	golang/​github.com/​aperturerobotics/​starpc@​v0.47.0 ⏵ v0.49.0	+1
	golang/​github.com/​aperturerobotics/​controllerbus@​v0.52.3 ⏵ v0.52.5	+1

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25 -> 1.25.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.41.0 -> v0.42.0