chore(deps): bump github.com/mattn/go-shellwords from 1.0.12 to 1.0.13 in the go-dependencies group

[dependabot]

Bumps the go-dependencies group with 1 update: github.com/mattn/go-shellwords.

Updates github.com/mattn/go-shellwords from 1.0.12 to 1.0.13

Commits

• fd1aa6c Run gofmt: add missing //go:build directives and trailing newlines
• e73986e Treat bare ')' as syntax error regardless of ParseBacktick
• 9a78803 Merge pull request #60 from scumfrog/security-fix-cve
• b074fa0 fix: preserve parser compatibility for unmatched ')' handling
• 735b5e8 Implement tests for shellwords parser functionality
• e2951fc Fix dollarQuote state management in shellwords.go
• 551a1d0 Update CI: Go 1.25/1.26 and latest GitHub Actions
• f3bbb6f Merge pull request #53 from ndeloof/master
• f6737fe parse \t as TAB, not escaped t
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[claude]

Claude finished @dependabot[bot]'s task in 1m 38s —— View job

---

Dependency Review: go-shellwords 1.0.12 → 1.0.13

• Review PR diff (go.mod / go.sum changes)
• Analyze upstream changelog for breaking/behavior changes
• Search codebase for go-shellwords usage
• Assess risk and post review

---

Changes in this PR: Only go.mod and go.sum updated — a clean version bump with no other modifications.

Upstream Changes (v1.0.12 → v1.0.13)

The upstream release includes these notable commits:

Commit	Change	Risk
f6737fe	Parse \t as TAB instead of escaped t	Behavior change — but not used in this repo
e2951fc	Fix dollarQuote state management	Bug fix
b074fa0 + 9a78803	Treat bare ) as syntax error (CVE fix)	Behavior change — safe for this repo (see below)
551a1d0	Update CI (Go 1.25/1.26)	No code impact
fd1aa6c	gofmt formatting	No code impact

Usage in This Codebase

go-shellwords is used in exactly one place: cmd/kosli/testHelpers.go:46

args, err := shellwords.Parse(cmd)

This is test-only infrastructure — it splits CLI command strings in cmdTestCase structs into argument arrays for test execution. It is not used in production code paths.

The code uses the package-level Parse() function (default parser: ParseBacktick=false, ParseEnv=false).

Risk Assessment

Low risk. Here's why:

1. \t behavior change: No test command strings in the repo contain literal \t escape sequences. Verified via grep — zero matches across all *_test.go files.

2. Bare ) syntax error: The one test case that includes ) in a command string (createAttestationType_test.go:57) uses it inside single quotes ('.name | startswith("B")'), so shellwords treats it as a literal character — not affected by the bare ) change.

3. Test-only dependency: Even if a behavior change did surface, it would manifest as a test failure, not a production bug.

4. Security fix included: The CVE fix (9a78803) for unmatched ) handling is a good reason to take this update.

Verdict

Safe to merge. This is a minor-version patch with security fixes, and the one place this library is used in the codebase is unaffected by the behavior changes. No follow-up action needed.