Bump github.com/github/go-spdx/v2 from 2.4.0 to 2.6.0 #11

Merged
andrew merged 1 commit into main from
dependabot/go_modules/github.com/github/go-spdx/v2-2.6.0
Apr 19, 2026
@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Bumps github.com/github/go-spdx/v2 from 2.4.0 to 2.6.0.

Release notes

Sourced from github.com/github/go-spdx/v2's releases.

Release v2.6.0

Overview

This release makes two changes:

  • more control over how licenses are validated
  • performance improvements

Control over license validation

A new function was added, ValidateLicensesWithOptions, that uses options to allow the caller to specify what to consider invalid. All of these are valid by default, which is consistent with the current behavior of ValidateLicenses.

  • FailComplexExpressions - rejects a license that includes a conjunctive (e.g. "MIT AND Apache-2.0")
  • FailDeprecatedLicenses - rejects deprecated SPDX license identifiers (e.g. "eCos-2.0")
  • FailAllLicenseRefs - rejects all SPDX license references (e.g. "LicenseRef-MyLicense")
  • FailAllDocumentRefs - rejects all SPDX document references (e.g. "DocumentRef-MyDocument")

Usage

// equivalent to calling `ValidateLicenses`
valid, invalidLicenses := ValidateLicensesWithOptions(licenses, ValidateLicensesOptions{})
// reject only expressions that have a conjunctive
valid, invalidLicenses = ValidateLicensesWithOptions(licenses, ValidateLicensesOptions{FailComplexExpressions: true})
// reject expressions that have a conjunctive and deprecated licenses
valid, invalidLicenses = ValidateLicensesWithOptions(licenses, ValidateLicensesOptions{FailComplexExpressions: true, FailDeprecatedLicenses: true})

What's Changed

  • add options for validating licenses that limits what is considered valid (#144) @elrayle

Full Changelog: github/go-spdx@v2.5.0...v2.6.0

v2.5.0

What's Changed

Full Changelog: github/go-spdx@v2.4.0...v2.5.0

Commits
  • 0315d0b Merge pull request #145 from github/v2.6.0-prep
  • d440458 Update version to 2.6.0
  • 6f11b7c Merge pull request #144 from github/elr/expressions-invalid
  • c35ff93 do not expose license maps
  • 609007d use strings.Fields to split exception expressions
  • 364dd9a remove comment that isMIT ignore whitespace
  • fd0ec02 fix exception check to treat deprecated licenses as valid unless options conf...
  • 503f295 Update spdxexp/satisfies_test.go
  • 02fc36a Update cmd/doc.go
  • 2d1b791 fix linter error
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) from 2.4.0 to 2.6.0.
- [Release notes](https://github.com/github/go-spdx/releases)
- [Commits](github/go-spdx@v2.4.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/github/go-spdx/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Apr 17, 2026
@andrew andrew merged commit 08e026b into main Apr 19, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/github/go-spdx/v2-2.6.0 branch April 19, 2026 13:55
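
The release notes above say every new check is off by default, so a license gate only gets stricter when the caller opts in. The following is an added example, not code from this PR or from go-spdx: a self-contained stand-in that models the four options over a constructed license list. `Options`, `Gate`, `rejectReason`, `deprecated` and `sampleDeps` are hypothetical names, and treating AND/OR as the "complex" operators is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Options mirrors the four switches named in the release notes (stand-in type).
type Options struct {
	FailComplexExpressions, FailDeprecatedLicenses bool
	FailAllLicenseRefs, FailAllDocumentRefs        bool
}

// Constructed data, built only from the identifiers the release notes use as examples.
var deprecated = map[string]bool{"eCos-2.0": true}
var sampleDeps = []string{"MIT", "MIT AND Apache-2.0", "eCos-2.0", "LicenseRef-MyLicense", "DocumentRef-MyDocument"}

// rejectReason returns why expr fails ("" = passes). Assumption: AND/OR make it "complex".
func rejectReason(expr string, opts Options) string {
	for _, tok := range strings.Fields(strings.NewReplacer("(", " ", ")", " ").Replace(expr)) {
		switch {
		case opts.FailComplexExpressions && (tok == "AND" || tok == "OR"):
			return "complex expression"
		case opts.FailAllDocumentRefs && strings.HasPrefix(tok, "DocumentRef-"):
			return "document reference"
		case opts.FailAllLicenseRefs && strings.HasPrefix(tok, "LicenseRef-"):
			return "license reference"
		case opts.FailDeprecatedLicenses && deprecated[tok]:
			return "deprecated identifier"
		}
	}
	return ""
}

// Gate returns an overall verdict plus the rejected entries with their reason.
func Gate(licenses []string, opts Options) (bool, []string) {
	var invalid []string
	for _, l := range licenses {
		if r := rejectReason(l, opts); r != "" {
			invalid = append(invalid, l+" ("+r+")")
		}
	}
	return len(invalid) == 0, invalid
}

func main() {
	fmt.Println(Gate(sampleDeps, Options{})) // zero value: nothing is rejected
	fmt.Println(Gate(sampleDeps, Options{true, true, true, true}))
}
```

In a real gate the verdict would come from the library's `ValidateLicensesWithOptions`; the point here is that a zero-value options struct accepts every entry in the list.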