fix(deps): update zarf to v0.74.2

[emoskito]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/zarf-dev/zarf	v0.74.1 → v0.74.2			require	patch
zarf-dev/zarf	0.74.1 → 0.74.2				patch
zarf-dev/zarf	v0.74.1 → v0.74.2				patch

---

Release Notes

zarf-dev/zarf (github.com/zarf-dev/zarf)

v0.74.2

Compare Source

What's Changed

🚀 Updates

• chore(dependencies): update init package registry image from 3.0.0 to 3.1.0 by @​AustinAbro321 in #​4792
• fix: git host matching by @​AustinAbro321 in #​4801
• fix: sanitize inspect output path by @​AustinAbro321 in #​4793
• chore(main): release 0.74.2 by @​zarf-release-please[bot] in #​4802

📦 Dependencies

• chore(deps): bump github.com/fatih/color from 1.18.0 to 1.19.0 by @​dependabot[bot] in #​4778
• chore(deps): bump github.com/fluxcd/source-controller/api from 1.8.0 to 1.8.1 by @​dependabot[bot] in #​4779
• chore(deps): bump actions/setup-go from 6.3.0 to 6.4.0 in the actions-organization group by @​dependabot[bot] in #​4785
• chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​4786
• chore(deps): bump github.com/moby/moby/client from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​4787
• chore(deps): bump github.com/distribution/distribution/v3 from 3.0.1-0.20250417064513-e016d9595f53 to 3.1.0 by @​dependabot[bot] in #​4788
• chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.5 to 3.0.6 by @​dependabot[bot] in #​4790
• chore(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @​dependabot[bot] in #​4791

Full Changelog: zarf-dev/zarf@v0.74.1...v0.74.2

---

Note that this PR contains a configuration change to the dependency-check workflow to allow GHSA-hfvc-g4fc-pqhx (CVE-2026-39883) in the dependency-review-action. This vulnerability is a BSD/Solaris-only PATH hijacking issue in go.opentelemetry.io/otel/sdk < 1.43.0, pulled in transitively by Zarf v0.74.2. The allowlist entry becomes a no-op once otel/sdk is bumped to >= 1.43.0.