fix(deps): update vulnfeeds-go major (major)

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/google/osv-scanner	v1.9.2 → v2.3.3
gopkg.in/yaml.v2	v2.4.0 → v3.0.1

---

Release Notes

google/osv-scanner (github.com/google/osv-scanner)

v2.3.3

Compare Source

Features:

• Feature #​2458 Add --exclude flag to skip paths during scanning.
• Feature #​2477 Add pylock extractor.
• Feature #​2475 Add base image info to container scanning output header (in table, markdown and vertical formats).

Misc:

• Update Go version to 1.25.7.
• Update osv-scalibr from v0.4.1 to v0.4.2. Release note.
• Refactor to better align with osv-scalibr plugins and inventory data structure.

v2.3.2

Compare Source

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

• Bug #​2415 Add more PURL-to-ecosystem mappings
• Bug #​2422 MCP error for get_vulnerability_id because type definition is incorrect.
• Bug #​2460 Enable osv-scanner.json git queries
• Bug #​2456 Properly track if an ignore entry has been used
• Bug #​2450 Performance: Avoid loading the entire advisory unless it will actually be used
• Bug #​2445 Performance: Don't read the entire zip into memory
• Bug #​2433 Allow specifying user agent in v2 osvscanner package

Misc:

• Misc #​2453 Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
• Misc #​2447 Include bun.lock as a supported lockfile
• Misc #​2444 Document GoVersionOverride in configuration.md

v2.3.1

Compare Source

Features:

• Feature #​2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.

Fixes:

• Bug #​2395 Fix license scanning to correctly match new deps.dev package names.
• Bug #​2333 Deduplicate SARIF outputs for GitHub.
• Bug #​2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.

Misc:

• Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

v2.3.0

Compare Source

This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#​2328). This is primarily an internal change and should not impact users.

Features:

• Feature #​2321 Add support for license checks for RubyGems.
• Feature #​2294 Replace requirementsenhanceable extractor with transitive enricher.
• Feature #​2344 Use osduplicate annotators.

Fixes:

• Bug #​2329 Add --ignore-scripts flag to npm lockfile generation.
• Bug #​2311 Improve logic for --all-packages flag.
• Bug #​2309 Exit with a non-zero code when showing help.
• Bug #​2316 Pre-commit hook now defaults to scanning current directory instead of failing.
• Bug #​1507 (osv-scalibr) Interpolate Maven projects before extracting repositories.

v2.2.4

Compare Source

Features:

• Feature #​2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
• Feature #​2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
• Feature #​2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #​2206).

Fixes:

• Bug #​2305 Ignore common protocols and .git suffix when checking if an advisory affects a git repository (fixes #​2291).
• Bug #​2300 Ensure the global logger is used in cmdlogger and osv-scalibr when set (fixes #​2081).
• Bug #​2295 Fix Go stdlib license result matching (fixes #​2191).

v2.2.3

Compare Source

Features:

• Feature #​2209 Add support for resolving git packages that have a version specified.
• Feature #​2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
• Feature #​2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.

Fixes:

• Bug #​2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
• Fix #​2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

v2.2.2

Compare Source

Features:

• Feature #​2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
• Feature #​2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.

Fixes:

• Bug #​2204 Add a warning to guide users to the correct GitHub Action.
• Bug #​2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
• Bug #​2188 Fix handling of absolute paths on Windows.

v2.2.1

Compare Source

Fixes

• Bug #​2151 Filter by ecosystem before querying.

v2.2.0

Compare Source

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Features:

• Feature #​2146 Allow manual OSV-Scalibr plugin selection.
• Feature #​2144 Add OSV-Scalibr version to osv-scanner --version output.
• Feature #​2021 Add experimental support for running OSV-Scalibr detectors.
• Feature #​2079 Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
• Feature #​2032 Add summary section at the top of outputs and a 'Fixed Version' column.
• Feature #​2076 Support Ubuntu severity type.

Fixes:

• Bug #​2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
• Bug #​2084 Show absolute paths when scanning containers.
• Bug #​2126 Log and preserve package count before continuing on db error.
• Bug #​2095 Pass through plugin capabilities correctly.
• Bug #​2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
• Bug #​2072 Add missing "text" property in description fields.
• Bug #​2068 Change links in output to go to the specific vulnerability page instead of the list page.
• Bug #​2064 Fix SARIF v3 output to include results.

API Changes:

• API Change #​2096 Allow log handler to be overridden.

v2.1.0

Compare Source

Features:

• Feature #​2038 Add CycloneDX location field to the output source string.
• Feature #​2036 Include upstream source information in vulnerability grouping to improve accuracy.
• Feature #​1970 Hide unimportant vulnerabilities by default to reduce noise, and adds a --show-all-vulns flag to show all.
• Feature #​2003 Add experimental summary output format for the reporter.
• Feature #​1988 Add support for CycloneDX 1.6 report format.
• Feature #​1987 Add support for gems.locked files used by Bundler.
• Feature #​1980 Enable transitive dependency extraction for Python requirements.txt files.
• Feature #​1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
• Feature #​1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
• Feature #​1957 Use a dedicated exit code for invalid configuration files.

Fixes:

• Bug #​2046 Correctly set the user agent string for all outgoing requests.
• Bug #​2019 Use more natural language in the descriptions for extractor-related flags.
• Bug #​1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
• Bug #​2000 Ensure CDATA content in XML is correctly outputted in guided remediation.
• Bug #​1949 Fix filtering of package types in vulnerability counts.

v2.0.3

Compare Source

Features:

• Feature #​1943 Added a flag to suppress "no package sources found" error.
• Feature #​1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
• Feature #​1882 Added a stable tag to container images for releases that follow semantic versioning.
• Feature #​1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.

Fixes:

• Bug #​1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
• Bug #​1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
• Bug #​1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
• Bug #​1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
• Bug #​1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
• Bug #​1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
• Bug #​1857 Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.
• Bug #​1873 Fix the GitHub Action to not ignore general errors during execution.
• Bug #​1955 Fix issue causing error messages to be spammed when not running in a git repository.
• Bug #​1930 Fix issue where Maven client loses auth data during extraction.

Misc:

• Update dependencies and updated golang to 1.24.4

v2.0.2

Compare Source

Fixes:

• Bug #​1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
• Bug #​1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
• Fix #​1825, #​1809, #​1805, #​1803, #​1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

v2.0.1

Compare Source

Features:

• Feature #​1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
• Feature #​1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
• Feature #​1761 Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.

Fixes:

• Bug #​1752 Fix paging depth issue when querying the osv.dev API.
• Bug #​1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
• Bug #​1717 Fix issue where nested CycloneDX components were not being parsed.
• Bug #​1744 Fix issue where empty CycloneDX SBOMs was causing a panic.
• Bug #​1726 De-duplicate references in CycloneDX report output for improved validity.
• Bug #​1727 Remove automatic opening of HTML reports in the browser (fixes #​1721).
• Bug #​1735 Require a tag when scanning container images to prevent potential errors.

Docs:

• Docs #​1753 Correct documentation for the OSV-Scanner GitHub Action (fixes osv-scanner-action#68).
• Docs #​1743 Minor grammar fixes in documentation.

API Changes:

• API Change #​1763 Made the SourceType enum public.

v2.0.0

Compare Source

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

• Layer and base image-aware container scanning:
  • Rewritten support for Debian, Ubuntu, and Alpine container images.
  • Layer level analysis and vulnerability breakdown.
  • Supports Go, Java, Node, and Python artifacts within supported distros.
  • Base image identification via deps.dev.
  • Usage: osv-scanner scan image <image-name>:<tag>
• Interactive HTML output:
  • Severity breakdown, package/ID/importance filtering, vulnerability details.
  • Container image layer filtering, layer info, base image identification.
  • Usage: osv-scanner scan --serve ...
• Guided Remediation for Maven pom.xml:
  • Remediate direct and transitive dependencies (non-interactive mode).
  • New override remediation strategy.
  • Support for reading/writing pom.xml and parent POM files.
  • Private registry support for Maven metadata.
  • Machine-readable output for guided remediation.
• Enhanced Dependency Extraction with osv-scalibr:
  • Haskell: cabal.project.freeze, stack.yaml.lock
  • .NET: deps.json
  • Python: uv.lock
  • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
• Feature #​1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
• Feature #​1582 Add container scanning information to vertical output format.
• Feature #​1587 Add support for severity in SARIF report format.
• Feature #​1569 Add support for bun.lock lockfiles.
• Feature #​1547 Add experimental config support to the scan image command.
• Feature #​1557 Allow setting port number with --serve using the new --port flag.

Breaking Changes:

• Feature #​1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
• Feature #​1670 Removed the --verbosity=verbose verbosity level.
• Feature #​1673 & Feature #​1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
• Feature #​1651 Multiple license flags have been merged into a single --license flag.
• Feature #​1666 API: reporter removed; logging now uses slog, which can be overridden.
• Feature #​1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).

Improvements:

• Feature #​1561 Updated HTML report for better contrast and usability (from beta2).
• Feature #​1584 Make skipping the root git repository the default behavior (from beta2).
• Feature #​1648 Updated HTML report styling to improve contrast (from rc1).

Fixes:

• Fix #​1598 Fix table output vulnerability ordering.
• Fix #​1616 Filter out Ubuntu unimportant vulnerabilities.
• Fix #​1585 Fixed issue where base images are occasionally duplicated.
• Fix #​1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
• Fix #​1566 Fixed issue where offline scanning returns different results from online scanning.
• Fix #​1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

• General V2 feedback
• Container scanning feedback

go-yaml/yaml (gopkg.in/yaml.v2)

v3.0.1

Compare Source

v3.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ️ Artifact update notice

File name: vulnfeeds/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 8 additional dependencies were updated

Details:

Package	Change
github.com/charmbracelet/lipgloss	v1.1.0 -> v1.1.1-0.20250404203927-76690c660834
github.com/ProtonMail/go-crypto	v1.1.6 -> v1.3.0
github.com/charmbracelet/colorprofile	v0.2.3-0.20250311203215-f60798e515dc -> v0.3.1
github.com/charmbracelet/x/ansi	v0.8.0 -> v0.10.1
github.com/charmbracelet/x/cellbuf	v0.0.13-0.20250311204145-2c3ea96c31dd -> v0.0.13
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.0
github.com/pjbgf/sha1cd	v0.3.2 -> v0.4.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.62.0