fix(deps): update go dependencies (major) by renovate-sh-app[bot] · Pull Request #415 · grafana/plugin-validator

renovate-sh-app · 2025-10-15T09:03:07Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/google/osv-scanner	`v1.9.2` -> `v2.2.3`
github.com/r3labs/diff	`v1.1.0` -> `v3.0.2`
gopkg.in/yaml.v2	`v2.4.0` -> `v3.0.1`

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

google/osv-scanner (github.com/google/osv-scanner)

`v2.2.3`

Compare Source

Features:

Feature #2209 Add support for resolving git packages that have a version specified.
Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.

Fixes:

Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
Fix #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

`v2.2.2`

Compare Source

Features:

Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.

Fixes:

Bug #2204 Add a warning to guide users to the correct GitHub Action.
Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
Bug #2188 Fix handling of absolute paths on Windows.

`v2.2.1`

Compare Source

Fixes

Bug #2151 Filter by ecosystem before querying.

`v2.2.0`

Compare Source

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Features:

Feature #2146 Allow manual OSV-Scalibr plugin selection.
Feature #2144 Add OSV-Scalibr version to osv-scanner --version output.
Feature #2021 Add experimental support for running OSV-Scalibr detectors.
Feature #2079 Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.
Feature #2032 Add summary section at the top of outputs and a 'Fixed Version' column.
Feature #2076 Support Ubuntu severity type.

Fixes:

Bug #2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
Bug #2084 Show absolute paths when scanning containers.
Bug #2126 Log and preserve package count before continuing on db error.
Bug #2095 Pass through plugin capabilities correctly.
Bug #2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
Bug #2072 Add missing "text" property in description fields.
Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
Bug #2064 Fix SARIF v3 output to include results.

API Changes:

API Change #2096 Allow log handler to be overridden.

`v2.1.0`

Compare Source

Features:

Feature #2038 Add CycloneDX location field to the output source string.
Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and adds a --show-all-vulns flag to show all.
Feature #2003 Add experimental summary output format for the reporter.
Feature #1988 Add support for CycloneDX 1.6 report format.
Feature #1987 Add support for gems.locked files used by Bundler.
Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
Feature #1957 Use a dedicated exit code for invalid configuration files.

Fixes:

Bug #2046 Correctly set the user agent string for all outgoing requests.
Bug #2019 Use more natural language in the descriptions for extractor-related flags.
Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
Bug #2000 Ensure CDATA content in XML is correctly outputted in guided remediation.
Bug #1949 Fix filtering of package types in vulnerability counts.

`v2.0.3`

Compare Source

Features:

Feature #1943 Added a flag to suppress "no package sources found" error.
Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.

Fixes:

Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
Bug #1857 Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.
Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
Bug #1930 Fix issue where Maven client loses auth data during extraction.

Misc:

Update dependencies and updated golang to 1.24.4

`v2.0.2`

Compare Source

Fixes:

Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

`v2.0.1`

Compare Source

Features:

Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
Feature #1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
Feature #1761 Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.

Fixes:

Bug #1752 Fix paging depth issue when querying the osv.dev API.
Bug #1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
Bug #1717 Fix issue where nested CycloneDX components were not being parsed.
Bug #1744 Fix issue where empty CycloneDX SBOMs was causing a panic.
Bug #1726 De-duplicate references in CycloneDX report output for improved validity.
Bug #1727 Remove automatic opening of HTML reports in the browser (fixes #1721).
Bug #1735 Require a tag when scanning container images to prevent potential errors.

Docs:

Docs #1753 Correct documentation for the OSV-Scanner GitHub Action (fixes osv-scanner-action#68).
Docs #1743 Minor grammar fixes in documentation.

API Changes:

API Change #1763 Made the SourceType enum public.

`v2.0.0`

Compare Source

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

Layer and base image-aware container scanning:
- Rewritten support for Debian, Ubuntu, and Alpine container images.
- Layer level analysis and vulnerability breakdown.
- Supports Go, Java, Node, and Python artifacts within supported distros.
- Base image identification via deps.dev.
- Usage: osv-scanner scan image <image-name>:<tag>
Interactive HTML output:
- Severity breakdown, package/ID/importance filtering, vulnerability details.
- Container image layer filtering, layer info, base image identification.
- Usage: osv-scanner scan --serve ...
Guided Remediation for Maven pom.xml:
- Remediate direct and transitive dependencies (non-interactive mode).
- New override remediation strategy.
- Support for reading/writing pom.xml and parent POM files.
- Private registry support for Maven metadata.
- Machine-readable output for guided remediation.
Enhanced Dependency Extraction with osv-scalibr:
- Haskell: cabal.project.freeze, stack.yaml.lock
- .NET: deps.json
- Python: uv.lock
- Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
Feature #1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
Feature #1582 Add container scanning information to vertical output format.
Feature #1587 Add support for severity in SARIF report format.
Feature #1569 Add support for bun.lock lockfiles.
Feature #1547 Add experimental config support to the scan image command.
Feature #1557 Allow setting port number with --serve using the new --port flag.

Breaking Changes:

Feature #1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
Feature #1670 Removed the --verbosity=verbose verbosity level.
Feature #1673 & Feature #1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
Feature #1651 Multiple license flags have been merged into a single --license flag.
Feature #1666 API: reporter removed; logging now uses slog, which can be overridden.
Feature #1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).

Improvements:

Feature #1561 Updated HTML report for better contrast and usability (from beta2).
Feature #1584 Make skipping the root git repository the default behavior (from beta2).
Feature #1648 Updated HTML report styling to improve contrast (from rc1).

Fixes:

Fix #1598 Fix table output vulnerability ordering.
Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
Fix #1585 Fixed issue where base images are occasionally duplicated.
Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
Fix #1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

r3labs/diff (github.com/r3labs/diff)

go-yaml/yaml (gopkg.in/yaml.v2)

`v3.0.1`

Compare Source

`v3.0.0`

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate-sh-app · 2025-10-15T09:03:09Z

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

10 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.24.0` -> `1.24.6`
`dario.cat/mergo`	`v1.0.1` -> `v1.0.2`
`github.com/ianlancetaylor/demangle`	`v0.0.0-20240912202439-0a2b6291aafd` -> `v0.0.0-20250628045327-2d64ad6b7ec5`
`github.com/jedib0t/go-pretty/v6`	`v6.6.7` -> `v6.6.8`
`golang.org/x/exp`	`v0.0.0-20250305212735-054e65f0b394` -> `v0.0.0-20250711185948-6ae5c78190dc`
`cloud.google.com/go/longrunning`	`v0.6.6` -> `v0.6.7`
`deps.dev/api/v3`	`v3.0.0-20250310223405-f4cf91c9e684` -> `v3.0.0-20250917073939-6ff3dd7d2eea`
`deps.dev/util/maven`	`v0.0.0-20250310223405-f4cf91c9e684` -> `v0.0.0-20250917073939-6ff3dd7d2eea`
`github.com/go-git/go-git/v5`	`v5.14.0` -> `v5.16.2`
`github.com/pjbgf/sha1cd`	`v0.3.2` -> `v0.4.0`
`go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`	`v0.61.0` -> `v0.62.0`

| datasource | package | from | to | | ---------- | ----------------------------- | ------ | ------ | | go | github.com/google/osv-scanner | v1.9.2 | v2.2.3 | | go | github.com/r3labs/diff | v1.1.0 | v3.0.2 | | go | gopkg.in/yaml.v2 | v2.4.0 | v3.0.1 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

academo · 2025-10-15T12:40:25Z


 	require.NoError(t, err)
 	require.Len(t, interceptor.Diagnostics, 0)
-	require.Equal(t, "Failed to determine version of not a valid yarn.lock file while parsing a yarn.lock - please report this!\n", string(got))


this is testing the library internals (log messages produced by the dependency) we only care if the diagnostics were 0

and will cause problems in future updates

xnyo

LGTM!

renovate-sh-app Bot requested review from a team as code owners October 15, 2025 09:03

renovate-sh-app Bot added the update-major label Oct 15, 2025

renovate-sh-app Bot requested a review from briangann October 15, 2025 09:03

github-project-automation Bot added this to Grafana Catalog Team Oct 15, 2025

renovate-sh-app Bot requested review from academo and andresmgot October 15, 2025 09:03

github-project-automation Bot moved this to 📬 Triage in Grafana Catalog Team Oct 15, 2025

grafana-plugins-platform-bot Bot moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team Oct 15, 2025

renovate-sh-app Bot force-pushed the renovate/major-go-dependencies branch from e01e94b to d09a3f1 Compare October 15, 2025 09:30

academo added 2 commits October 15, 2025 14:32

Update osv scanner for new version

3610f10

remove log check

8ab9b44

academo reviewed Oct 15, 2025

View reviewed changes

academo self-assigned this Oct 15, 2025

Empty commit

6972bca

xnyo approved these changes Oct 15, 2025

View reviewed changes

academo added 3 commits October 15, 2025 16:01

add verbose output to lint

42503e4

Update golang cli lint

1a54b0f

try to see the lint error

025082f

academo merged commit 6c73dba into main Oct 15, 2025
6 checks passed

academo deleted the renovate/major-go-dependencies branch October 15, 2025 14:37

github-project-automation Bot moved this from 🔬 In review to 🚀 Shipped in Grafana Catalog Team Oct 15, 2025

grafana-plugins-platform-bot Bot mentioned this pull request May 8, 2026

chore(main): release plugin-validator 0.42.0 #574

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update go dependencies (major)#415

fix(deps): update go dependencies (major)#415
academo merged 7 commits intomainfrom
renovate/major-go-dependencies

renovate-sh-app Bot commented Oct 15, 2025

Uh oh!

renovate-sh-app Bot commented Oct 15, 2025

Uh oh!

academo Oct 15, 2025 •

edited

Loading

Uh oh!

xnyo left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

renovate-sh-app Bot commented Oct 15, 2025

Release Notes

Features:

Fixes:

Features:

Fixes:

Fixes

Features:

Fixes:

API Changes:

Features:

Fixes:

Features:

Fixes:

Misc:

Fixes:

Features:

Fixes:

Docs:

API Changes:

Features:

Breaking Changes:

Improvements:

Fixes:

Configuration

Uh oh!

renovate-sh-app Bot commented Oct 15, 2025

ℹ Artifact update notice

File name: go.mod

Uh oh!

academo Oct 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

xnyo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

academo Oct 15, 2025 •

edited

Loading