fix(deps): update osv-scanner minor

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
deps.dev/api/v3	v3.0.0-20260112033243-1270359b191b → v3.0.0-20260225225317-765e10b45d5b			require	patch
deps.dev/api/v3alpha	1270359 → 765e10b			require	digest
deps.dev/util/maven	1270359 → 765e10b			require	digest
deps.dev/util/resolve	1270359 → 765e10b			require	digest
deps.dev/util/semver	1270359 → 765e10b			require	digest
github.com/CycloneDX/cyclonedx-go	v0.9.3 → v0.10.0			require	minor
github.com/charmbracelet/bubbles	v0.21.0 → v0.21.1			require	patch
github.com/gkampitakis/go-snaps	v0.5.19 → v0.5.20			require	patch
github.com/go-git/go-git/v5	v5.16.5 → v5.17.0			require	minor
github.com/modelcontextprotocol/go-sdk	v1.3.1 → v1.4.0			require	minor
github.com/ossf/osv-schema/bindings/go	09a17f8 → ec3272c			require	digest
github.com/package-url/packageurl-go	v0.1.3 → v0.1.4			require	patch
github.com/urfave/cli/v3	v3.6.2 → v3.7.0			require	minor
go.yaml.in/yaml/v4	v4.0.0-rc.3 → v4.0.0-rc.4			require	patch
golang.org/x/net	v0.49.0 → v0.51.0			require	minor
golang.org/x/term	v0.39.0 → v0.40.0			require	minor
google.golang.org/grpc	v1.78.0 → v1.79.1			require	minor
osv.dev/bindings/go	9eebd24 → 4fcedbd			require	digest

---

Release Notes

CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)

v0.10.0

Compare Source

Changelog

Fixes

• f724c55: fix: add missing fields for v1.6 spec (#​249) (@​alistair-mclean)
• 48a212c: fix: migrate golangci-lint config and address issues (@​nscuro)
• 7566298: fix: unset component tags for spec version less than 1.6 (#​253) (@​alistair-mclean)

Building and Packaging

• ff55798: build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (@​dependabot[bot])
• 3781c74: build(deps): bump actions/checkout from 5.0.0 to 6.0.2 (@​dependabot[bot])
• 4a3ab35: build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (@​dependabot[bot])
• 49ee4a3: build(deps): bump actions/setup-go from 6.0.0 to 6.2.0 (@​dependabot[bot])
• 521976f: build(deps): bump apache/skywalking-eyes from 0.7.0 to 0.8.0 (@​dependabot[bot])
• 1149791: build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (@​dependabot[bot])
• 9fa7dc1: build(deps): bump gitpod/workspace-go from 8985eb7 to 08a7c68 (@​dependabot[bot])
• af64af3: build(deps): bump golangci/golangci-lint-action from 6.2.0 to 9.2.0 (@​dependabot[bot])
• 8c642b2: build(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 (@​dependabot[bot])

Others

• 082681c: chore: bump minimum go version to 1.23 (@​nscuro)

charmbracelet/bubbles (github.com/charmbracelet/bubbles)

v0.21.1

Compare Source

Changelog

New!

• dff42dd: feat: update keybindings in list setSize method (@​Broderick-Westrope)

Fixed

• c376ce3: fix(cursor): fix data race on blinkTag (#​784) (@​DryHumour)
• 11d52ca: fix(table): preventing cursor from being out-of-bounds. (@​s0ders)
• 49ff5c0: fix(textinput): improve placeholder (#​768) (@​caarlos0)
• 7c44f63: v1: fix(list): ensure correct cursor positions with page/cursor methods (#​831) (@​lrstanley)

Docs

• 7fcf75d: docs(readme): update footer image and copyright date (@​meowgorithm)
• d4feefe: docs: remove Charm Cloud reference (#​785) (@​ShalokShalom)

Other stuff

• daab808: ci: sync dependabot config (#​786) (@​charmcli)
• 4b2d311: ci: sync dependabot config (#​835) (@​charmcli)
• 8562e90: ci: sync golangci-lint config (#​781) (@​github-actions[bot])
• f54a125: test(table): improve table unit tests (#​601) (@​Broderick-Westrope)

---

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

v0.5.20

Compare Source

What's Changed

• feat: support setting serializer on config by @​gkampitakis in #​154

Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20

go-git/go-git (github.com/go-git/go-git/v5)

v5.17.0

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in #​1853
• git: Add strict checks for supported extensions by @​pjbgf in #​1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in #​1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in #​1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.4.0

Compare Source

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

• all: client side OAuth support by @​maciej-kisiel in #​785

Sampling with Tools

Starting from this release, the server use the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

• mcp: implement sampling with tools by @​findleyr in #​699

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The protection can be disabled by specifying StreamableHTTPOptions.DisableLocalhostProtection, but it should be done only if security implications are understood (see documentation for the option).

This protection is a behavior change, as the protection is now enabled by default. Because of that, we have introduced an MCPGODEBUG option to bring back the previous default behavior for users that need more time to adjust. However, if possible, we recommend specifying DisableLocalhostProtection described above, as it is a more future-proof solution. The MCPGODEBUG option to remove this protection (disablelocalhostprotection=1) will be removed in v1.6.0.

• feat: add automatic DNS rebinding protection for localhost servers by @​pcarleton in #​760

Removed JSON content escaping when marshaling

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default, to be consistent with other SDKs. Since this is a behavior change, we introduced an MCPGODEBUG option to bring back the previous behavior for users that need more time to adjust to it. That option (jsonescaping=1) will be removed in v1.6.0.

• mcp: update JSON marshaling to not HTML-escape messages by @​maciej-kisiel in #​769

Bug fixes

Security vulnerability caused by the case insensitive parsing behavior of encoding/json has been submitted (also release as a cherry pick in v1.3.1). Security advisory has been posted.

• all: use case-sensitive JSON unmarshaling by @​maciej-kisiel in #​807

Other fixes:

• mcp: validation only for accept action by @​CocaineCong in #​766
• mcp: allow SSE messages with empty data (SEP-1699) by @​maciej-kisiel in #​779
• jsonrpc2: fix Content-Length header parsing to be case-insensitive by @​nithinputhenveettil in #​789
• mcp: fix multi-select enum elicitation by @​maciej-kisiel in #​795
• mcp: return 400 instead of 500 when body read fails in stateless mode by @​roncodingenthusiast in #​817

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

• mcp: add Extensions field to capabilities per SEP-2133 by @​ymmt2005 in #​794

Other enhancements:

• mcp: enforce retry limit when SSE stream makes no progress by @​majiayu000 in #​742
• mcp: export session missing error by @​CocaineCong in #​771
• fix: add JSON tags to ElicitationCapabilities fields by @​awschmeder in #​774
• mcp: improve http transports error handling and make transport work with any size message by @​alexbumbacea in #​734
• examples: bind auth-middleware server to localhost by default by @​TheodorNEngoy in #​784

Repository organization

Some effort was put into better organization of the repository, as well as making sure it's up to date and secure. As a highlight, the repository is not integrated with OSSF Scorecard with a positive score of 8.7. Additionally, the full conformance test suite is now run on every PR and push to main.

• chore: update licensing to Apache 2.0 for new contributions by @​domdomegg in #​750
• chore: update dependencies to newest versions, require Go 1.24 by @​maciej-kisiel in #​765
• conformance: prepare the conformance test suite by @​maciej-kisiel in #​764
• chore: use rand.Text and slog.DiscardHandler over intrernal implementation by @​IAmSurajBobade in #​773
• conformance: mark the new dns-rebinding-protection scenario as failing by @​maciej-kisiel in #​775
• conformance: trigger conformance tests automatically by @​maciej-kisiel in #​776
• mcp: finalize cleanup of Go 1.23, make Go version support explicit by @​maciej-kisiel in #​780
• Use omitzero json tag for byte array field in ResourceContents, instead of omitempty by @​IAmSurajBobade in #​782
• Testing: use synctest for timing-dependent tests by @​La002 in #​756
• chore: add ROADMAP.md by @​maciej-kisiel in #​788
• chore: bump node.js version for conformance test runs. by @​maciej-kisiel in #​796
• Update issue templates by @​maciej-kisiel in #​797
• chore: add an issue template for enhancements by @​maciej-kisiel in #​798
• chore: setup dependabot to update github actions. by @​maciej-kisiel in #​800
• build(deps): bump actions/setup-node from 4.1.0 to 6.2.0 by @​dependabot[bot] in #​801
• build(deps): bump actions/setup-go from 5.5.0 to 6.2.0 by @​dependabot[bot] in #​804
• build(deps): bump actions/checkout from 4.3.0 to 6.0.2 by @​dependabot[bot] in #​803
• Update SECURITY.md to use GitHub Security Advisories by @​localden in #​809
• chore: Configure OSSF Scorecard action by @​maciej-kisiel in #​811
• chore: configure a simple AGENTS.md file and a skill for fixing GitHu… by @​maciej-kisiel in #​810
• chore: update publish-docs permissions to be more targeted. by @​maciej-kisiel in #​812
• chore: increase timeout for conformance server start. by @​maciej-kisiel in #​813
• chore: update the version of the conformance suite. by @​maciej-kisiel in #​814
• chore: Configure advanced CodeQL setup by @​maciej-kisiel in #​819

New Contributors

• @​domdomegg made their first contribution in #​750
• @​majiayu000 made their first contribution in #​742
• @​awschmeder made their first contribution in #​774
• @​alexbumbacea made their first contribution in #​734
• @​TheodorNEngoy made their first contribution in #​784
• @​pcarleton made their first contribution in #​760
• @​nithinputhenveettil made their first contribution in #​789
• @​ymmt2005 made their first contribution in #​794
• @​localden made their first contribution in #​809
• @​roncodingenthusiast made their first contribution in #​817

Full Changelog: modelcontextprotocol/go-sdk@v1.3.0...v1.4.0

package-url/packageurl-go (github.com/package-url/packageurl-go)

v0.1.4

Compare Source

What's Changed

• Fix golangci and update versions by @​shibumi in #​76
• Allow npm names to be case sensitive by @​PFCM in #​73
• add custom validation for pkg:cpan by @​petergardfjall in #​79
• move cpan to known types by @​nikpivkin in #​71
• Run tests using reference data from purl-spec by @​keshav-space in #​80
• update code to honor the canonical purl encoding by @​petergardfjall in #​83

New Contributors

• @​PFCM made their first contribution in #​73
• @​nikpivkin made their first contribution in #​71
• @​keshav-space made their first contribution in #​80

Full Changelog: package-url/packageurl-go@v0.1.3...v0.1.4

urfave/cli (github.com/urfave/cli/v3)

v3.7.0

Compare Source

What's Changed

• Fix: use the correct type name in the tracef message by @​icholy in #​2251
• chore(deps): bump mkdocs-git-revision-date-localized-plugin from 1.5.0 to 1.5.1 in the python-packages group by @​dependabot[bot] in #​2252
• Fix:(issue_2254) Fix incorrect handling of arg after short option token by @​dearchap in #​2255
• feat: ShellComplete for fish by @​marcusramberg in #​2256
• Fix: propagate MutuallyExclusiveFlags persistent flags to subcommands by @​siutsin in #​2266
• feat: support dynamic fish completion by @​Maks1mS in #​2270
• fix(help): show GLOBAL OPTIONS for leaf subcommands when HideHelpCommand is true by @​TimSoethout in #​2269

New Contributors

• @​marcusramberg made their first contribution in #​2256
• @​siutsin made their first contribution in #​2266
• @​TimSoethout made their first contribution in #​2269

Full Changelog: urfave/cli@v3.6.2...v3.7.0

yaml/go-yaml (go.yaml.in/yaml/v4)

v4.0.0-rc.4

Compare Source

grpc/grpc-go (google.golang.org/grpc)

v1.79.1: Release 1.79.1

Compare Source

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (#​8902)

v1.79.0: Release 1.79.0

Compare Source

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#​8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#​8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#​8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#​8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#​8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#​8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#​8650)
  • Special Thanks: @​marek-szews
• server: Include status detail headers, if available, when terminating a stream during request header processing. (#​8754)
  • Special Thanks: @​joybestourous

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#​8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#​8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#​8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#​8769)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#​8791)
• mem: Optimize pooling and creation of buffer objects. (#​8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#​8797)

---

Configuration

📅 Schedule: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 19 additional dependencies were updated

Details:

Package	Change
github.com/charmbracelet/colorprofile	v0.3.1 -> v0.4.1
github.com/charmbracelet/x/ansi	v0.10.1 -> v0.11.5
github.com/charmbracelet/x/cellbuf	v0.0.13 -> v0.0.15
github.com/charmbracelet/x/term	v0.2.1 -> v0.2.2
github.com/go-git/go-billy/v5	v5.6.2 -> v5.8.0
github.com/lucasb-eyer/go-colorful	v1.2.0 -> v1.3.0
github.com/mattn/go-runewidth	v0.0.16 -> v0.0.19
go.opentelemetry.io/otel	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
golang.org/x/crypto	v0.47.0 -> v0.48.0
golang.org/x/mod	v0.31.0 -> v0.32.0
golang.org/x/oauth2	v0.32.0 -> v0.34.0
golang.org/x/sys	v0.40.0 -> v0.41.0
golang.org/x/telemetry	v0.0.0-20251203150158-8fff8a5912fc -> v0.0.0-20260109210033-bd525da824e2
golang.org/x/text	v0.33.0 -> v0.34.0
golang.org/x/tools	v0.40.0 -> v0.41.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260112192933-99fd39fd28a9 -> v0.0.0-20260223185530-2f722ef697dc
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260217215200-42d3e9bedb6d

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.97%. Comparing base (49e4b91) to head (65b4f6a).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2566      +/-   ##
==========================================
- Coverage   68.00%   67.97%   -0.03%     
==========================================
  Files         173      173              
  Lines       13394    13394              
==========================================
- Hits         9109     9105       -4     
- Misses       3574     3576       +2     
- Partials      711      713       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.