OSV scalibr interface #1142

Draft
wants to merge 181 commits into
base: osv-scanner-v2

another-rex
Collaborator

@another-rex another-rex commented Jul 26, 2024

This PR begins the work of migrating lockfile extractors to use the new interface.

To aid in the review, I copied all of pkg/lockfile into internal/lockfilescalibr, and pushed that to osv-scanner-v2, which this is now merging in.

Some notes on the migration:

  • This is still in a really draft state
  • None of the fixtures has been touched with the exception of alpine, which had some minor directory moving to support testing OS version extraction.
  • Still missing a few extractors:
    • dpkg (scalibr already has dpkg)
    • osv-scanner config format
    • csv (intentionally left out as I'm not sure if we need it)
    • node_modules (scalibr already has a better version, that uses package.jsons)
    • Maven + transition dependency resolution (might have to wait till we get a unified client)
  • Moved to tabular tests,
    • Updated tests to test Inventory output
    • Tests now all use similar helper functions to make future refactoring a lot easier, and to make writing tests easier
  • Kept PackageDetails for some packages and added a simple conversion function
    to inventory before returning (currently the only one still using PackageDetails is npm extractor, as adding the merging code is a bit convoluted odd with inventory)
  • Copied the new interface into lockfilescalibr/extractor.go. This is temporary until the move into osv-scalibr, which will contain both
  • All ToPURL functions need to be looked at to see if we should be adding additional qualifiers/namespaces, etc.
  • We need to add tests for ToPurl() and Ecosystem() functions
  • Because scalibr uses a virtual FS to walk over files, all paths are absolute from ScanRoot, but will not start with /

Update:

  • Moved all of the osv-scalibr native types to packages with the same name as in osv-scalibr, to make migrating easier.
  • Moved test helper functions into their own package to allow it to be shared with separate package extractors. (sharedtesthelpers)
  • Moved most extractors into their own package, the remaining ones are still in progress to be moved. This follows a similar folder structure as osv-scalibr.
  • Not sure where to put metadata, so separated it out into the othermetadata package

andrewpollock and others added 30 commits July 23, 2024 09:18
Replicate google#1109 more like google#1030 to avoid Renovate failures like
google#1120 (comment)

The Docker files are already at 1.22.5, not sure if we want to update to
this globally?

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| [github.com/charmbracelet/lipgloss](https://togithub.com/charmbracelet/lipgloss) | `v0.11.0` -> `v0.12.1` | require | minor |
| [github.com/gkampitakis/go-snaps](https://togithub.com/gkampitakis/go-snaps) | `v0.5.4` -> `v0.5.5` | require | patch |
| [github.com/google/go-containerregistry](https://togithub.com/google/go-containerregistry) | `v0.19.2` -> `v0.20.1` | require | minor |
| [github.com/owenrumney/go-sarif/v2](https://togithub.com/owenrumney/go-sarif) | `v2.3.2` -> `v2.3.3` | require | patch |
| golang.org/x/exp | `46b0784` -> `8a7402a` | require | digest |

---

### Release Notes

<details>
<summary>charmbracelet/lipgloss
(github.com/charmbracelet/lipgloss)</summary>

###
[`v0.12.1`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.12.1)

[Compare
Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.12.0...v0.12.1)

This release fixes a regression with regard to border calculations
introduced in Lip Gloss v0.11.1.

***

<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.technology/@&#8203;charm), or on
[Discord](https://charm.sh/chat).

###
[`v0.12.0`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.12.0)

[Compare
Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.11.1...v0.12.0)

### Lists, Check ✓

This release adds a new sub-package for rendering trees and lists.

```go
import "github.com/charmbracelet/lipgloss/list"
```

Define a new list.

```go
l := list.New("A", "B", "C")
```

Print the list.

```go
fmt.Println(l)

// • A
// • B
// • C
```

Lists have the ability to nest.

```go
l := list.New(
  "A", list.New("Artichoke"),
  "B", list.New("Baking Flour", "Bananas", "Barley", "Bean Sprouts"),
  "C", list.New("Cashew Apple", "Cashews", "Coconut Milk", "Curry Paste", "Currywurst"),
  "D", list.New("Dill", "Dragonfruit", "Dried Shrimp"),
  "E", list.New("Eggs"),
  "F", list.New("Fish Cake", "Furikake"),
  "J", list.New("Jicama"),
  "K", list.New("Kohlrabi"),
  "L", list.New("Leeks", "Lentils", "Licorice Root"),
)
```

Print the list.

```go
fmt.Println(l)
```

<p align="center">
<img width="600" alt="image"
src="https://github.com/charmbracelet/lipgloss/assets/42545625/0dc9f440-0748-4151-a3b0-7dcf29dfcdb0">
</p>

Lists can be customized via their enumeration function as well as using
`lipgloss.Style`s.

```go
enumeratorStyle := lipgloss.NewStyle().Foreground(lipgloss.Color("99")).MarginRight(1)
itemStyle := lipgloss.NewStyle().Foreground(lipgloss.Color("212")).MarginRight(1)

l := list.New(
  "Glossier",
  "Claire’s Boutique",
  "Nyx",
  "Mac",
  "Milk",
).
  Enumerator(list.Roman).
  EnumeratorStyle(enumeratorStyle).
  ItemStyle(itemStyle)
```

Print the list.

<p align="center">
<img width="600" alt="List example"
src="https://github.com/charmbracelet/lipgloss/assets/42545625/360494f1-57fb-4e13-bc19-0006efe01561">
</p>

In addition to the predefined enumerators (`Arabic`, `Alphabet`,
`Roman`, `Bullet`, `Tree`),
you may also define your own custom enumerator:

```go
l := list.New("Duck", "Duck", "Duck", "Duck", "Goose", "Duck", "Duck")

func DuckDuckGooseEnumerator(l list.Items, i int) string {
    if l.At(i).Value() == "Goose" {
        return "Honk →"
    }
    return ""
}

l = l.Enumerator(DuckDuckGooseEnumerator)
```

Print the list:

<p align="center">
<img width="600" alt="image"
src="https://github.com/charmbracelet/lipgloss/assets/42545625/157aaf30-140d-4948-9bb4-dfba46e5b87e">
</p>

If you need, you can also build lists incrementally:

```go
l := list.New()

for i := 0; i < repeat; i++ {
    l.Item("Lip Gloss")
}
```


###
[`v0.11.1`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.11.1)

[Compare
Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.11.0...v0.11.1)

This release is a small patch release to fix text truncation in table
cells. For details see:
charmbracelet/lipgloss#324.

#### Other stuff

- chore: remove deprecated Copy() calls by
[@meowgorithm](https://togithub.com/meowgorithm) in
charmbracelet/lipgloss#306
- feat: deprecate Style.ColorWhitespace by
[@meowgorithm](https://togithub.com/meowgorithm) in
charmbracelet/lipgloss#311
- feat: deprecate Style.ColorWhitespace by
[@meowgorithm](https://togithub.com/meowgorithm) in
charmbracelet/lipgloss#314
- fix: Deprecate UnsetBorderTopBackgroundColor in favor of
UnsetBorderTopBackground by [@nervo](https://togithub.com/nervo)
in
charmbracelet/lipgloss#315

**Full Changelog**:
charmbracelet/lipgloss@v0.11.0...v0.11.1


</details>

<details>
<summary>gkampitakis/go-snaps
(github.com/gkampitakis/go-snaps)</summary>

###
[`v0.5.5`](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.4...v0.5.5)

[Compare
Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.4...v0.5.5)

</details>

<details>
<summary>google/go-containerregistry
(github.com/google/go-containerregistry)</summary>

###
[`v0.20.1`](https://togithub.com/google/go-containerregistry/releases/tag/v0.20.1)

[Compare
Source](https://togithub.com/google/go-containerregistry/compare/v0.20.0...v0.20.1)

#### What's Changed

- Create `remote.Push` by
[@mattmoor](https://togithub.com/mattmoor) in
google/go-containerregistry#1978

**Full Changelog**:
google/go-containerregistry@v0.20.0...v0.20.1

###
[`v0.20.0`](https://togithub.com/google/go-containerregistry/releases/tag/v0.20.0)

[Compare
Source](https://togithub.com/google/go-containerregistry/compare/v0.19.2...v0.20.0)

#### What's Changed

- Referrer API must return correct Content-Type by
[@GregoireW](https://togithub.com/GregoireW) in
google/go-containerregistry#1968
- 🚨 POTENTIALLY BREAKING: Restore blind-write to remote.Put by
[@jonjohnsonjr](https://togithub.com/jonjohnsonjr) in
google/go-containerregistry#1970

#### New Contributors

- [@GregoireW](https://togithub.com/GregoireW) made their first
contribution in
google/go-containerregistry#1968

**Full Changelog**:
google/go-containerregistry@v0.19.2...v0.20.0

</details>

<details>
<summary>owenrumney/go-sarif
(github.com/owenrumney/go-sarif/v2)</summary>

###
[`v2.3.3`](https://togithub.com/owenrumney/go-sarif/releases/tag/v2.3.3)

[Compare
Source](https://togithub.com/owenrumney/go-sarif/compare/v2.3.2...v2.3.3)

#### What's Changed

- fix: Update removed goreleaser flag by
[@kaiwenleee](https://togithub.com/kaiwenleee) in
owenrumney/go-sarif#79

**Full Changelog**:
owenrumney/go-sarif@v2.3.2...v2.3.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

Copying the `EcosystemSpecific` data from the `Manifest` to the
`ManifestPatch` is a bit cumbersome for the override strategy, and
`ManifestPatch` already has a field for the original manifest.

I don't think the current Maven `EcosystemSpecific` data is ever going
to differ from what's in the original manifest?
Currently, Maven dependency management is not added to the override
client so they are not considered when computing Maven dependency graph.

This PR adds all direct dependency management to override client so that
transitive dependencies are resolved correctly.
…er group (google#1132)

Bumps the bundler group in /docs with 1 update:
[rexml](https://github.com/ruby/rexml).

Updates `rexml` from 3.3.1 to 3.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/rexml/releases">rexml's
releases</a>.</em></p>
<blockquote>
<h2>REXML 3.3.2 - 2024-07-16</h2>
<h3>Improvements</h3>
<ul>
<li>
<p>Improved parse performance.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/160">GH-160</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Improved parse performance.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/169">GH-169</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/170">GH-170</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/171">GH-171</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/172">GH-172</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/173">GH-173</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/174">GH-174</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/175">GH-175</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/176">GH-176</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/177">GH-177</a></li>
<li>Patch by Watson.</li>
</ul>
</li>
<li>
<p>Added support for raising a parse exception when an XML has extra
content after the root element.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/161">GH-161</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Added support for raising a parse exception when an XML
declaration exists in wrong position.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/162">GH-162</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Removed needless a space after XML declaration in pretty print
mode.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/164">GH-164</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Stopped to emit <code>:text</code> event after the root element.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/167">GH-167</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Fixed a bug that SAX2 parser doesn't expand predefined entities for
<code>characters</code> callback.
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/168">GH-168</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<h3>Thanks</h3>
<ul>
<li>
<p>NAITOH Jun</p>
</li>
<li>
<p>Watson</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ruby/rexml/commit/2b285ac0804f2918de642f7ed4646dc6d645a7fc"><code>2b285ac</code></a>
Add 3.3.2 entry</li>
<li><a
href="https://github.com/ruby/rexml/commit/0e33d3adfb5069b20622e5ed9393d10b8cc17b40"><code>0e33d3a</code></a>
test: improve linear performance test names</li>
<li><a
href="https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc"><code>910e5a2</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters inside `&lt;xml&gt;&lt;!...</li>
<li><a
href="https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2"><code>1f1e6e9</code></a>
Fix ReDoS by using repeated space characters inside `&lt;!DOCTYPE name
[&lt;!ATTLIS...</li>
<li><a
href="https://github.com/ruby/rexml/commit/1cc1d9a74ede52f3d9ce774cafb11c57b3905165"><code>1cc1d9a</code></a>
Suppress have_root not initialized warnings on Ruby &lt; 3</li>
<li><a
href="https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f"><code>67efb59</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters inside `&lt;!DOCTY...</li>
<li><a
href="https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347"><code>a79ac8b</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters inside `&lt;!DOCTY...</li>
<li><a
href="https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2"><code>c33ea49</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters after ` &lt;!DOCTY...</li>
<li><a
href="https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6"><code>9f1415a</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters inside `CDATA [...</li>
<li><a
href="https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f"><code>c1b64c1</code></a>
Fix performance issue caused by using repeated <code>&gt;</code>
characters inside comments...</li>
<li>Additional commits viewable in <a
href="https://github.com/ruby/rexml/compare/v3.3.1...v3.3.2">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
G-Rath and others added 30 commits September 9, 2024 14:31
This rewrites the package overrides logic to be composition based,
granting a lot more flexibility:

```
# ignore everything
[[PackageOverrides]]
ignore = true

# ignore everything in this group
[[PackageOverrides]]
group = "dev"
ignore = true

# ignore everything in this ecosystem
[[PackageOverrides]]
ecosystem = "go"
ignore = true

# ignore all packages named "axios" regardless of ecosystem or group
[[PackageOverrides]]
name = "axios"
ignore = true

# ignore all packages named "axios" in the npm ecosystem that are in the dev group
[[PackageOverrides]]
name = "axios"
ecosystem = "npm"
group = "dev"
ignore = true

# ... and so on
```

While some of these might seem a bit extreme, ultimately I think this is
probably the way to go as the logic itself is very straightforward and
it gives a lot more power to the people.

Since `config` is a public package, I've had to deprecate the related
existing public methods and there's a bit of naming & structural yuck
but I figure that's not a big deal since v2 is right around the corner
and again the logic itself is very straightforward.

Resolves google#1211
Resolves google#1155
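
The composition rule in the commit message above, as an added example that is not osv-scanner's own code: each key left unset acts as a wildcard, so an entry's reach grows as filters are dropped. The `PackageOverride` and `Package` types, the first-match-wins order, exact string comparison, and the `BroadIgnores` audit helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// PackageOverride holds only the keys that appear in the TOML above.
// Type and field names are hypothetical, not osv-scanner's own.
type PackageOverride struct {
	Name      string // "" matches any package name
	Ecosystem string // "" matches any ecosystem
	Group     string // "" matches any dependency group
	Ignore    bool
}

// Package is a constructed stand-in for one extracted dependency.
type Package struct {
	Name      string
	Ecosystem string
	Groups    []string
}

// Matches reports whether every filter set on the override agrees with p.
func (o PackageOverride) Matches(p Package) bool {
	if o.Name != "" && o.Name != p.Name {
		return false
	}
	if o.Ecosystem != "" && o.Ecosystem != p.Ecosystem {
		return false
	}
	if o.Group != "" {
		inGroup := false
		for _, g := range p.Groups {
			if g == o.Group {
				inGroup = true
				break
			}
		}
		if !inGroup {
			return false
		}
	}
	return true
}

// ShouldIgnore lets the first matching entry decide (assumed ordering).
func ShouldIgnore(overrides []PackageOverride, p Package) bool {
	for _, o := range overrides {
		if o.Matches(p) {
			return o.Ignore
		}
	}
	return false
}

// Scope renders the filters an entry sets; no filters means "everything".
func Scope(o PackageOverride) string {
	var parts []string
	if o.Name != "" {
		parts = append(parts, "name="+o.Name)
	}
	if o.Ecosystem != "" {
		parts = append(parts, "ecosystem="+o.Ecosystem)
	}
	if o.Group != "" {
		parts = append(parts, "group="+o.Group)
	}
	if len(parts) == 0 {
		return "everything"
	}
	return strings.Join(parts, ",")
}

// BroadIgnores lists ignore entries with no name filter. These suppress
// findings for packages nobody has reviewed individually, so they are the
// entries worth a second look when a config change is reviewed.
func BroadIgnores(overrides []PackageOverride) []string {
	var out []string
	for i, o := range overrides {
		if o.Ignore && o.Name == "" {
			out = append(out, fmt.Sprintf("entry %d: %s", i, Scope(o)))
		}
	}
	return out
}

func main() {
	// Constructed config: the narrowest and one broad entry from the TOML above.
	overrides := []PackageOverride{
		{Name: "axios", Ecosystem: "npm", Group: "dev", Ignore: true},
		{Ecosystem: "go", Ignore: true},
	}
	// Constructed inventory.
	pkgs := []Package{
		{Name: "axios", Ecosystem: "npm", Groups: []string{"dev"}},
		{Name: "axios", Ecosystem: "npm"},
		{Name: "golang.org/x/net", Ecosystem: "go"},
	}
	for _, p := range pkgs {
		fmt.Printf("%-18s %-4s groups=%v ignored=%v\n",
			p.Name, p.Ecosystem, p.Groups, ShouldIgnore(overrides, p))
	}
	for _, b := range BroadIgnores(overrides) {
		fmt.Println("broad ignore:", b)
	}
}
```
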
A few Go vulnerabilities are reported so this PR updates Go to the fixed
version 1.22.7.

Also `golang.org/x/mod@v0.21.0` requires Go 1.22.0 as mentioned in
google#1204.

Due to this version update, there are two new lint checks:
[copyloopvar](https://github.com/karamaru-alpha/copyloopvar) and
[intrange](https://github.com/ckaznocha/intrange).
Currently self-closing tags are marshaled as `<a></a>` which is not the
preferred format `<a/>`.

With the current implementation of `encoding/xml`, self-closing tags are
expanded to `StartElement` and `EndElement` so both elements are written
to output.

In this PR, a field `Empty` is added to both elements to indicate
whether the current element is empty. During encoding:
 - `/` is written before `>` for an empty `StartElement`
 - nothing will be written for an empty `EndElement`

Considering that we only want tabs not being escaped, this PR modifies
`escapeNewline` to `escapeWhitespace` to indicate if we want all
whitespace characters escaped.
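
The behaviour described above, reproduced with the unmodified standard library as an added example (not the PR's patched encoder): a token round trip turns `<optional/>` into `<optional></optional>`. `SelfClosing` shows one way to recover the information an `Empty` flag would carry, by inspecting the raw bytes at `InputOffset`; that technique and the sample fragment are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RoundTrip decodes src token by token and re-encodes every token with the
// standard library encoder, as a manifest rewriter would.
func RoundTrip(src string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(src))
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		if err := enc.EncodeToken(tok); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SelfClosing returns the local names of elements written as <a/> in src.
// The decoder reports <a/> as StartElement followed by EndElement, so the
// only trace of the original form is in the input itself: right after the
// StartElement is returned, the two bytes before InputOffset are "/>".
func SelfClosing(src string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(src))
	var names []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok {
			off := dec.InputOffset()
			if off >= 2 && src[off-2] == '/' {
				names = append(names, se.Name.Local)
			}
		}
	}
}

func main() {
	// Constructed pom.xml-style fragment.
	src := `<dependency><artifactId>guava</artifactId><optional/></dependency>`

	out, err := RoundTrip(src)
	if err != nil {
		panic(err)
	}
	empties, err := SelfClosing(src)
	if err != nil {
		panic(err)
	}
	fmt.Println("input:        ", src)
	fmt.Println("round trip:   ", out)
	fmt.Println("self-closing: ", empties)
}
```
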
…#1236)

The latest release of osv.dev enforces the Alpine release version suffix
in queries.
Make the apk-installed parser use the latest Alpine version (`v3.20`)
when it can't find the version file to stop it from erroring.
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency
versions.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---


Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type |
Update |
|---|---|---|---|---|---|---|---|
|
[github.com/charmbracelet/bubbles](https://redirect.github.com/charmbracelet/bubbles)
| `v0.19.0` -> `v0.20.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcharmbracelet%2fbubbles/v0.20.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fcharmbracelet%2fbubbles/v0.20.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fcharmbracelet%2fbubbles/v0.19.0/v0.20.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcharmbracelet%2fbubbles/v0.19.0/v0.20.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| require | minor |
| golang.org/x/exp | `778ce7b` -> `701f63a` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fexp/v0.0.0-20240909161429-701f63a606c0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fexp/v0.0.0-20240909161429-701f63a606c0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fexp/v0.0.0-20240822175202-778ce7bba035/v0.0.0-20240909161429-701f63a606c0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fexp/v0.0.0-20240822175202-778ce7bba035/v0.0.0-20240909161429-701f63a606c0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | digest |
| golang.org/x/mod | `v0.20.0` -> `v0.21.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fmod/v0.21.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fmod/v0.21.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fmod/v0.20.0/v0.21.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fmod/v0.20.0/v0.21.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | minor |
| golang.org/x/net | `v0.28.0` -> `v0.29.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fnet/v0.29.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fnet/v0.29.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fnet/v0.28.0/v0.29.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fnet/v0.28.0/v0.29.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | minor |
| golang.org/x/term | `v0.23.0` -> `v0.24.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fterm/v0.24.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fterm/v0.24.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fterm/v0.23.0/v0.24.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fterm/v0.23.0/v0.24.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | minor |
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.65.0` -> `v1.66.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.66.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fgrpc/v1.66.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fgrpc/v1.65.0/v1.66.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.65.0/v1.66.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | minor |

---

### Release Notes

<details>
<summary>charmbracelet/bubbles
(github.com/charmbracelet/bubbles)</summary>

### [`v0.20.0`](https://redirect.github.com/charmbracelet/bubbles/releases/tag/v0.20.0)

[Compare Source](https://redirect.github.com/charmbracelet/bubbles/compare/v0.19.0...v0.20.0)

### Focus. Breathe.

This features support for Bubble Tea's new focus-blur feature as well as
a quality-of-life update to `paginator`. Enjoy!

#### Focus

You heard that right. Focus-blur window events are now enabled for
`textinput` and `textarea` which were recently added to [Bubble Tea
v1.1.0](https://redirect.github.com/charmbracelet/bubbletea/releases/tag/v1.1.0).
As long as
[`WithReportFocus`](https://pkg.go.dev/github.com/charmbracelet/bubbletea#WithReportFocus)
is enabled in your Program you'll automatically get nicer inputs.

To enable focus reporting:

```go
p := tea.NewProgram(model{}, tea.WithReportFocus())
```

Remember to stay focused and hydrated!

#### Paginator opts

Speaking of functional arguments, `paginator` also received some
new quality-of-life startup options, courtesy
[@nervo](https://redirect.github.com/nervo).

```go
p := paginator.New(
	paginator.WithPerPage(42),
	paginator.WithTotalPages(42),
)
```

Of course, you can still set the values on the model directly too:

```go
p := paginator.New()
p.PerPage = 42
p.TotalPages = 24
```

Happy paging!

#### Changelog

##### New!

- [`d3bd075`](https://redirect.github.com/charmbracelet/bubbles/commit/d3bd075ed2b27a3b5d76bb79b5d1c928dcd780d0): feat(cursor): focus/blur support ([#581](https://redirect.github.com/charmbracelet/bubbles/issues/581)) ([@caarlos0](https://redirect.github.com/caarlos0))
- [`5110925`](https://redirect.github.com/charmbracelet/bubbles/commit/5110925e8788a8ecfd206df0da8dbeed36cde0f0): feat: Introduce paginator options ([@nervo](https://redirect.github.com/nervo))

##### Deps

- [`3eaf8da`](https://redirect.github.com/charmbracelet/bubbles/commit/3eaf8da348203f12a72ce4f994334dc4cd8d91ba): feat(deps): bump github.com/charmbracelet/bubbletea from 0.27.0 to 1.0.0 ([#604](https://redirect.github.com/charmbracelet/bubbles/issues/604)) ([@dependabot](https://redirect.github.com/dependabot)\[bot])
- [`6fc27e9`](https://redirect.github.com/charmbracelet/bubbles/commit/6fc27e99d3b0e0cf5db13111e518b47435c42f5a): feat(deps): bump github.com/charmbracelet/bubbletea from 1.0.0 to 1.1.0 ([#607](https://redirect.github.com/charmbracelet/bubbles/issues/607)) ([@dependabot](https://redirect.github.com/dependabot)\[bot])

***

<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.technology/@charm), or on
[Discord](https://charm.sh/chat).

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.66.1`](https://redirect.github.com/grpc/grpc-go/compare/v1.66.0...v1.66.1)

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.66.0...v1.66.1)

### [`v1.66.0`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.66.0): Release 1.66.0

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.65.0...v1.66.0)

### New Features

- metadata: stabilize `ValueFromIncomingContext` ([#7368](https://redirect.github.com/grpc/grpc-go/issues/7368))
  - Special Thanks: [@KarthikReddyPuli](https://redirect.github.com/KarthikReddyPuli)
- client: stabilize the `WaitForStateChange` and `GetState` methods, which were previously experimental. ([#7425](https://redirect.github.com/grpc/grpc-go/issues/7425))
- xds: Implement ADS flow control mechanism ([#7458](https://redirect.github.com/grpc/grpc-go/issues/7458))
  - See grpc/grpc#34099 for context.
- balancer/rls: Add metrics for data cache and picker internals ([#7484](https://redirect.github.com/grpc/grpc-go/issues/7484), [#7495](https://redirect.github.com/grpc/grpc-go/issues/7495))
- xds: LRS load reports now include the `total_issued_requests` field. ([#7544](https://redirect.github.com/grpc/grpc-go/issues/7544))

### Bug Fixes

- grpc: Clients now return status code INTERNAL instead of UNIMPLEMENTED when the server uses an unsupported compressor. This is consistent with the [gRPC compression spec](https://redirect.github.com/grpc/grpc/blob/master/doc/compression.md#compression-method-asymmetry-between-peers). ([#7461](https://redirect.github.com/grpc/grpc-go/issues/7461))
  - Special Thanks: [@Gayathri625](https://redirect.github.com/Gayathri625)
- transport: Fix a bug which could result in writes busy looping when the underlying `conn.Write` returns errors ([#7394](https://redirect.github.com/grpc/grpc-go/issues/7394))
  - Special Thanks: [@veshij](https://redirect.github.com/veshij)
- client: fix race that could lead to orphaned connections and associated resources. ([#7390](https://redirect.github.com/grpc/grpc-go/issues/7390))
- xds: use locality from the connected address for load reporting with pick_first ([#7378](https://redirect.github.com/grpc/grpc-go/issues/7378))
  - without this fix, if a priority contains multiple localities with pick_first, load was reported for the wrong locality
- client: prevent hanging during ClientConn.Close() when the network is unreachable ([#7540](https://redirect.github.com/grpc/grpc-go/issues/7540))

### Performance Improvements

- transport: double buffering is avoided when using an http connect proxy and the target server waits for client to send the first message. ([#7424](https://redirect.github.com/grpc/grpc-go/issues/7424))
- codec: Implement a new `Codec` which uses buffer recycling for encoded message ([#7356](https://redirect.github.com/grpc/grpc-go/issues/7356))
  - introduce a `mem` package to facilitate buffer reuse ([#7432](https://redirect.github.com/grpc/grpc-go/issues/7432))
  - Special Thanks: [@PapaCharlie](https://redirect.github.com/PapaCharlie)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).


---------

Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
Co-authored-by: Xueqin Cui <cuixq@google.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | minor | `v5.1.1` -> `v5.2.0` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.6` -> `v4.4.0` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.26.4` -> `v3.26.6` |
| [ruby/setup-ruby](https://redirect.github.com/ruby/setup-ruby) | action | minor | `v1.190.0` -> `v1.191.0` |

---

### Release Notes

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

### [`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

[Compare Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

</details>

<details>
<summary>ruby/setup-ruby (ruby/setup-ruby)</summary>

### [`v1.191.0`](https://redirect.github.com/ruby/setup-ruby/releases/tag/v1.191.0)

[Compare Source](https://redirect.github.com/ruby/setup-ruby/compare/v1.190.0...v1.191.0)

#### What's Changed

- Add ruby-3.3.5 by [@ruby-builder-bot](https://redirect.github.com/ruby-builder-bot) in ruby/setup-ruby#634

**Full Changelog**: ruby/setup-ruby@v1.190.0...v1.191.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).


Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | patch | `1.23.0-alpine3.19` -> `1.23.1-alpine3.19` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).


Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| alpine | final | digest | `0a4eaa0` -> `beefdbd` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).


Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
…vulns (google#1235)

Adds functionality to allow guided remediation to fix vulns in
`dependencyManagement` dependencies that do not appear in the resolved
dependency graph of the POM - useful for 'remediating' POMs without any
actual dependencies.

I've accomplished this by checking if each of the original management
dependencies (*excluding* those inherited from parents) appear in the
graph after the initial resolution. If they're missing, I add them to
the graph as direct dependencies (not resolving their transitive
dependencies).

This behaviour is disabled by default, and I've added a
`--maven-fix-management` flag to enable it. I was going to try to combine
this and `--ignore-dev` into a `--groups` flag but it seemed like it
would be a bit too complicated.
…oogle#1243)

This allows you to configure the scanner to completely ignore the
license of a package in a way that is explicit, as opposed to configuring
`license.overrides` to set the package license to an allowed one.

Resolves google#1124
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type | Update |
|---|---|---|---|---|---|---|---|
| [github.com/CycloneDX/cyclonedx-go](https://redirect.github.com/CycloneDX/cyclonedx-go) | `v0.9.0` -> `v0.9.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.0/v0.9.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.0/v0.9.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | patch |
| [github.com/charmbracelet/bubbletea](https://redirect.github.com/charmbracelet/bubbletea) | `v1.1.0` -> `v1.1.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcharmbracelet%2fbubbletea/v1.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fcharmbracelet%2fbubbletea/v1.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fcharmbracelet%2fbubbletea/v1.1.0/v1.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcharmbracelet%2fbubbletea/v1.1.0/v1.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | patch |
| [github.com/ianlancetaylor/demangle](https://redirect.github.com/ianlancetaylor/demangle) | `81f5be9` -> `0a2b629` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fianlancetaylor%2fdemangle/v0.0.0-20240912202439-0a2b6291aafd?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fianlancetaylor%2fdemangle/v0.0.0-20240912202439-0a2b6291aafd?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fianlancetaylor%2fdemangle/v0.0.0-20240805132620-81f5be970eca/v0.0.0-20240912202439-0a2b6291aafd?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fianlancetaylor%2fdemangle/v0.0.0-20240805132620-81f5be970eca/v0.0.0-20240912202439-0a2b6291aafd?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | digest |
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.66.1` -> `v1.66.2` | [![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.66.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fgrpc/v1.66.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fgrpc/v1.66.1/v1.66.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.66.1/v1.66.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | require | patch |

---

### Release Notes

<details>
<summary>CycloneDX/cyclonedx-go
(github.com/CycloneDX/cyclonedx-go)</summary>

### [`v0.9.1`](https://redirect.github.com/CycloneDX/cyclonedx-go/releases/tag/v0.9.1)

[Compare Source](https://redirect.github.com/CycloneDX/cyclonedx-go/compare/v0.9.0...v0.9.1)

#### Changelog

##### Fixes

- [`6f0e0cf`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/6f0e0cf025dd99ab903e33f8e043d92b28dab4f6): fix: `nil` pointer dereference during evidence conversion ([@nscuro](https://redirect.github.com/nscuro))
- [`ce43b6f`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/ce43b6f4cb5707d3ef2db1af1d597f5b23bf0e15): fix: make linter happy ([@nscuro](https://redirect.github.com/nscuro))
- [`5d799e6`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/5d799e634b9bed9c86621048544737b210e433e8): fix: remove deprecated goreleaser flag ([@nscuro](https://redirect.github.com/nscuro))

##### Building and Packaging

- [`6d5bcb0`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/6d5bcb0e277207551dbc728eb29959f1d3cbd685): build(deps): bump actions/checkout from 4.1.6 to 4.1.7 ([@dependabot](https://redirect.github.com/dependabot)\[bot])
- [`f34fc0c`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/f34fc0c413da74d20d1cc240863aaf2eb6b274f7): build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 ([@dependabot](https://redirect.github.com/dependabot)\[bot])
- [`71cff22`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/71cff221b8dbbc1d50f839fa76ecea4e42d83a2b): build(deps): bump gitpod/workspace-go from `8d15123` to `2a9e01c` ([@dependabot](https://redirect.github.com/dependabot)\[bot])
- [`ea69355`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/ea693550558d230b3fbba810b6e75ac2eb0b55c8): build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 ([@dependabot](https://redirect.github.com/dependabot)\[bot])
- [`d5cbdad`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/d5cbdad49dfbf54f2dab4ad95bd1a47c710a526c): build(deps): bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 ([@dependabot](https://redirect.github.com/dependabot)\[bot])

</details>

<details>
<summary>charmbracelet/bubbletea
(github.com/charmbracelet/bubbletea)</summary>

### [`v1.1.1`](https://redirect.github.com/charmbracelet/bubbletea/releases/tag/v1.1.1)

[Compare Source](https://redirect.github.com/charmbracelet/bubbletea/compare/v1.1.0...v1.1.1)

### Don't panic!

Panicking is a part of life…and a part of workin’ in Go. This release
addresses two edge cases where a `panic()` could tank Bubble Tea and
break your terminal:

#### Panics outside of Bubble Tea

If a panic occurs outside of Bubble Tea you can use
[`Program.Kill`](https://pkg.go.dev/github.com/charmbracelet/bubbletea#Program.Kill)
to restore the terminal state before exiting:

```go
func main() {
	p := tea.NewProgram(model{})

	go func() {
		time.Sleep(3 * time.Second)
		defer p.Kill()
		panic("Urgh")
	}()

	if _, err := p.Run(); err != nil {
		log.Fatal(err)
	}
}
```

#### Panics in Cmds

If a panic occurs in a `Cmd` Bubble Tea will now automatically restore
the terminal to its natural state before exiting.

```go
type model struct{}

// This command will totally panic.
func pancikyCmd() tea.Msg {
	panic("Oh no! Jk.")
}

func (m model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
	switch msg := msg.(type) {
	case tea.KeyMsg:
		switch msg.String() {
		case "enter":
			// Panic time! But everything will be OK.
			return m, pancikyCmd
		}
	}
	return m, nil
}
```

Happy panicking (if that makes any sense).

#### Changelog

##### Fixed!

- [`0589921`](https://redirect.github.com/charmbracelet/bubbletea/commit/0589921d2e5a1ee33e0dba1d54836946e78fe059): fix: recover from panics within cmds ([@aymanbagabas](https://redirect.github.com/aymanbagabas))
- [`6e71f52`](https://redirect.github.com/charmbracelet/bubbletea/commit/6e71f52a8add0fdeba202d4e1bdd289182b156ac): fix: restore the terminal on kill ([@aymanbagabas](https://redirect.github.com/aymanbagabas))

***

<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.technology/@charm), or on
[Discord](https://charm.sh/chat).

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.66.2`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.66.2): Release 1.66.2

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.66.1...v1.66.2)

### Dependencies

- Remove unintentional dependency on the `testing` package ([#7579](https://redirect.github.com/grpc/grpc-go/issues/7579))
- Remove unintentional dependency on the `flate` package ([#7595](https://redirect.github.com/grpc/grpc-go/issues/7595))
  - Special Thanks: [@ash2k](https://redirect.github.com/ash2k)

### Bug Fixes

- client: fix a bug that prevented memory reuse after handling unary RPCs ([#7571](https://redirect.github.com/grpc/grpc-go/issues/7571))
  - Special Thanks: [@coxley](https://redirect.github.com/coxley)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-java](https://redirect.github.com/actions/setup-java) | action | minor | `v4.2.2` -> `v4.3.0` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.26.6` -> `v3.26.7` |

---

### Release Notes

<details>
<summary>actions/setup-java (actions/setup-java)</summary>

### [`v4.3.0`](https://redirect.github.com/actions/setup-java/compare/v4.2.2...v4.3.0)

[Compare Source](https://redirect.github.com/actions/setup-java/compare/v4.2.2...v4.3.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).

…code (google#1242)

When looking into some other config stuff I realised the current loading
logic just assumes that an error is because a config doesn't exist and
silently falls back to the default one, when really it could be that
there is a config but it's invalid
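
The failure mode described in the commit message above, shown as an added example that is not osv-scanner's own code: a loader that treats every error as "no config" next to one that falls back to defaults only when the file is absent. The JSON format, the `Config` field, the file name `scanner-config.json` and the function names are assumptions made for this sketch; the sample files are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// Config is a hypothetical scanner config; the field is an assumption for
// this example, not the project's real schema.
type Config struct {
	IgnoredVulnIDs []string `json:"ignored_vuln_ids"`
}

// sampleFS holds constructed config files: one valid, one truncated, one
// with a misspelled key. The "missing" directory has no config at all.
var sampleFS = fstest.MapFS{
	"good/scanner-config.json":   {Data: []byte(`{"ignored_vuln_ids": ["EXAMPLE-0001"]}`)},
	"broken/scanner-config.json": {Data: []byte(`{"ignored_vuln_ids": ["EXAMPLE-0001"`)},
	"typo/scanner-config.json":   {Data: []byte(`{"ignored_vuln_id": ["EXAMPLE-0001"]}`)},
}

// parse reads and decodes one config file. Unknown keys are rejected so a
// misspelled setting is reported instead of being dropped.
func parse(fsys fs.FS, path string) (Config, error) {
	raw, err := fs.ReadFile(fsys, path)
	if err != nil {
		return Config{}, err
	}
	var cfg Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return Config{}, err
	}
	return cfg, nil
}

// loadLenient reproduces the behaviour the commit message describes: any
// error is taken to mean "no config here", so a broken file yields defaults.
func loadLenient(fsys fs.FS, path string) Config {
	cfg, err := parse(fsys, path)
	if err != nil {
		return Config{}
	}
	return cfg
}

// loadStrict returns defaults only when the file does not exist. The bool
// reports whether a config file was found and loaded; any other failure is
// returned so the caller can stop instead of scanning with settings the
// operator did not choose.
func loadStrict(fsys fs.FS, path string) (Config, bool, error) {
	cfg, err := parse(fsys, path)
	switch {
	case err == nil:
		return cfg, true, nil
	case errors.Is(err, fs.ErrNotExist):
		return Config{}, false, nil
	default:
		return Config{}, false, fmt.Errorf("config %s exists but could not be loaded: %w", path, err)
	}
}

func main() {
	for _, dir := range []string{"good", "missing", "broken", "typo"} {
		path := dir + "/scanner-config.json"
		cfg, found, err := loadStrict(sampleFS, path)
		fmt.Printf("%-7s strict: found=%v cfg=%+v err=%v\n", dir, found, cfg, err)
		fmt.Printf("%-7s lenient: cfg=%+v\n", dir, loadLenient(sampleFS, path))
	}
}
```

With the lenient loader the `broken` and `typo` cases are indistinguishable from `missing`, so the ignore list the operator wrote is dropped without any signal.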