google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

chore(deps): lock file maintenance vulnfeeds #2562

Closed renovate-bot closed 2 weeks ago

renovate-bot commented 3 weeks ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| lockFileMaintenance | | | All locks refreshed |
| cloud.google.com/go/logging | require | minor | v1.10.0 -> v1.11.0 |
| cloud.google.com/go/secretmanager | require | minor | v1.13.1 -> v1.14.0 |
| github.com/google/osv-scanner | require | minor | v1.7.4 -> v1.8.4 |
| github.com/sethvargo/go-retry | require | minor | v0.2.4 -> v0.3.0 |
| golang | stage | minor | 1.22.5-alpine -> 1.23.1-alpine |
| golang.org/x/exp | require | digest | fc45aab -> 701f63a |
| markdownify | dependencies | minor | ==0.11.6 -> ==0.13.1 |
| pandas (source) | dependencies | minor | ==2.1.3 -> ==2.2.2 |
| pylint (changelog) | dev-dependencies | patch | 3.2.5 -> 3.2.7 |
| python-dateutil | dependencies | minor | ==2.8.2 -> ==2.9.0.post0 |

🔧 This Pull Request updates lock files to use the latest dependency versions.


Release Notes

**google/osv-scanner (github.com/google/osv-scanner)**

### [`v1.8.4`](https://redirect.github.com/google/osv-scanner/blob/HEAD/CHANGELOG.md#v184)

[Compare Source](https://redirect.github.com/google/osv-scanner/compare/v1.8.3...v1.8.4)

##### Features:

- [Feature #1177](https://redirect.github.com/google/osv-scanner/pull/1177) Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous `--disallow-major-upgrades` and `--disallow-package-upgrades` flags.

##### Fixes:

- [Bug #1123](https://redirect.github.com/google/osv-scanner/issues/1123) Issue when running osv-scanner on project running with golang 1.22 [#1123](https://redirect.github.com/google/osv-scanner/issues/1123)

##### Misc:

- [Feature #638](https://redirect.github.com/google/osv-scanner/issues/638) Update go policy to use stable go version for builds (updated to go 1.23)

### [`v1.8.3`](https://redirect.github.com/google/osv-scanner/blob/HEAD/CHANGELOG.md#v183)

[Compare Source](https://redirect.github.com/google/osv-scanner/compare/v1.8.2...v1.8.3)

##### Features:

- [Feature #889](https://redirect.github.com/google/osv-scanner/pull/889) OSV-Scanner now provides "vertical" output format!

##### Fixes:

- [Bug #1115](https://redirect.github.com/google/osv-scanner/issues/1115) Ensure that `semantic` is passed a valid `models.Ecosystem`.
- [Bug #1140](https://redirect.github.com/google/osv-scanner/pull/1140) Add Maven dependency management to override client.
- [Bug #1149](https://redirect.github.com/google/osv-scanner/pull/1149) Handle Maven parent relative path.

##### Misc:

- [Feature #1091](https://redirect.github.com/google/osv-scanner/pull/1091) Improved the runtime of DiffVulnerabilityResults. Thanks [@neilnaveen](https://redirect.github.com/neilnaveen)!
- [Feature #1125](https://redirect.github.com/google/osv-scanner/pull/1125) Workflow for stale issue and PR management.

### [`v1.8.2`](https://redirect.github.com/google/osv-scanner/blob/HEAD/CHANGELOG.md#v182)

[Compare Source](https://redirect.github.com/google/osv-scanner/compare/v1.8.1...v1.8.2)

##### Features:

- [Feature #1014](https://redirect.github.com/google/osv-scanner/pull/1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks [@marcwieserdev](https://redirect.github.com/marcwieserdev)!

##### Fixes:

- [Bug #769](https://redirect.github.com/google/osv-scanner/issues/769) Fixed missing vulnerabilities for debian purls for `--experimental-local-db`.
- [Bug #1055](https://redirect.github.com/google/osv-scanner/issues/1055) Ensure that `package` exists in `affected` property.
- [Bug #1072](https://redirect.github.com/google/osv-scanner/issues/1072) Filter out unimportant vulnerabilities from vuln group.
- [Bug #1077](https://redirect.github.com/google/osv-scanner/issues/1077) Fix rate osv-scanner deadlock.
- [Bug #924](https://redirect.github.com/google/osv-scanner/issues/924) Ensure that npm dependencies retain their "production" grouping.

### [`v1.8.1`](https://redirect.github.com/google/osv-scanner/blob/HEAD/CHANGELOG.md#v180v181)

[Compare Source](https://redirect.github.com/google/osv-scanner/compare/v1.8.0...v1.8.1)

##### Features:

- [Feature #35](https://redirect.github.com/google/osv-scanner/issues/35) OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files! See [our documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#transitive-dependency-scanning) for more information.
- [Feature #944](https://redirect.github.com/google/osv-scanner/pull/944) The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections:

```toml
[[PackageOverrides]]
```

### [`v1.8.0`](https://redirect.github.com/google/osv-scanner/blob/HEAD/CHANGELOG.md#v180v181)

[Compare Source](https://redirect.github.com/google/osv-scanner/compare/v1.7.4...v1.8.0)

##### Features:

- [Feature #35](https://redirect.github.com/google/osv-scanner/issues/35) OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files! See [our documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#transitive-dependency-scanning) for more information.
- [Feature #944](https://redirect.github.com/google/osv-scanner/pull/944) The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections:

```toml
[[PackageOverrides]]
```
**sethvargo/go-retry (github.com/sethvargo/go-retry)**

### [`v0.3.0`](https://redirect.github.com/sethvargo/go-retry/releases/tag/v0.3.0)

[Compare Source](https://redirect.github.com/sethvargo/go-retry/compare/v0.2.4...v0.3.0)

#### What's Changed

- Add DoValue, which requires generics and bumps to Go 1.21 by [@sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/sethvargo/go-retry/pull/26](https://redirect.github.com/sethvargo/go-retry/pull/26)

**Full Changelog**: https://github.com/sethvargo/go-retry/compare/v0.2.4...v0.3.0
**matthewwithanm/python-markdownify (markdownify)**

### [`v0.13.1`](https://redirect.github.com/matthewwithanm/python-markdownify/releases/tag/0.13.1)

[Compare Source](https://redirect.github.com/matthewwithanm/python-markdownify/compare/0.13.0...0.13.1)

#### What's Changed

- Migrated the metadata into PEP 621-compliant pyproject.toml by [@KOLANICH](https://redirect.github.com/KOLANICH) in [https://github.com/matthewwithanm/python-markdownify/pull/138](https://redirect.github.com/matthewwithanm/python-markdownify/pull/138)

**Full Changelog**: https://github.com/matthewwithanm/python-markdownify/compare/0.13.0...0.13.1

### [`v0.13.0`](https://redirect.github.com/matthewwithanm/python-markdownify/releases/tag/0.13.0)

[Compare Source](https://redirect.github.com/matthewwithanm/python-markdownify/compare/0.12.1...0.13.0)

#### What's Changed

- Avoid inline styles inside `` / `` conversion by [@jsm28](https://redirect.github.com/jsm28) in [https://github.com/matthewwithanm/python-markdownify/pull/117](https://redirect.github.com/matthewwithanm/python-markdownify/pull/117)
- Escape all characters with Markdown significance by [@jsm28](https://redirect.github.com/jsm28) in [https://github.com/matthewwithanm/python-markdownify/pull/118](https://redirect.github.com/matthewwithanm/python-markdownify/pull/118)
- Update MANIFEST.in to exclude tests during packaging by [@samypr100](https://redirect.github.com/samypr100) in [https://github.com/matthewwithanm/python-markdownify/pull/125](https://redirect.github.com/matthewwithanm/python-markdownify/pull/125)
- Special-case use of HTML tags for converting `` / `` by [@jsm28](https://redirect.github.com/jsm28) in [https://github.com/matthewwithanm/python-markdownify/pull/119](https://redirect.github.com/matthewwithanm/python-markdownify/pull/119)
- handle ol start value is not number by [@microdnd](https://redirect.github.com/microdnd) in [https://github.com/matthewwithanm/python-markdownify/pull/127](https://redirect.github.com/matthewwithanm/python-markdownify/pull/127)

#### New Contributors

- [@jsm28](https://redirect.github.com/jsm28) made their first contribution in [https://github.com/matthewwithanm/python-markdownify/pull/117](https://redirect.github.com/matthewwithanm/python-markdownify/pull/117)
- [@samypr100](https://redirect.github.com/samypr100) made their first contribution in [https://github.com/matthewwithanm/python-markdownify/pull/125](https://redirect.github.com/matthewwithanm/python-markdownify/pull/125)
- [@microdnd](https://redirect.github.com/microdnd) made their first contribution in [https://github.com/matthewwithanm/python-markdownify/pull/127](https://redirect.github.com/matthewwithanm/python-markdownify/pull/127)

**Full Changelog**: https://github.com/matthewwithanm/python-markdownify/compare/0.12.1...0.13.0

### [`v0.12.1`](https://redirect.github.com/matthewwithanm/python-markdownify/releases/tag/0.12.1): Fix wrong version

[Compare Source](https://redirect.github.com/matthewwithanm/python-markdownify/compare/0.11.6...0.12.1)

**pandas-dev/pandas (pandas)**

### [`v2.2.2`](https://redirect.github.com/pandas-dev/pandas/compare/v2.2.1...v2.2.2)

[Compare Source](https://redirect.github.com/pandas-dev/pandas/compare/v2.2.1...v2.2.2)

### [`v2.2.1`](https://redirect.github.com/pandas-dev/pandas/releases/tag/v2.2.1): Pandas 2.2.1

[Compare Source](https://redirect.github.com/pandas-dev/pandas/compare/v2.2.0...v2.2.1)

We are pleased to announce the release of pandas 2.2.1. This release includes some new features, bug fixes, and performance improvements. We recommend that all users upgrade to this version.

See the [full whatsnew](https://pandas.pydata.org/pandas-docs/version/2.2.1/whatsnew/v2.2.1.html) for a list of all the changes. Pandas 2.2.1 supports Python 3.9 and higher.

The release will be available on the defaults and conda-forge channels:

```
conda install pandas
```

Or via PyPI:

```
python3 -m pip install --upgrade pandas
```

Please report any issues with the release on the [pandas issue tracker](https://redirect.github.com/pandas-dev/pandas/issues).

Thanks to all the contributors who made this release possible.

### [`v2.2.0`](https://redirect.github.com/pandas-dev/pandas/compare/v2.1.4...v2.2.0)

[Compare Source](https://redirect.github.com/pandas-dev/pandas/compare/v2.1.4...v2.2.0)

### [`v2.1.4`](https://redirect.github.com/pandas-dev/pandas/releases/tag/v2.1.4): Pandas 2.1.4

[Compare Source](https://redirect.github.com/pandas-dev/pandas/compare/v2.1.3...v2.1.4)

This is a patch release in the 2.1.x series and includes some regression and bug fixes, and a security fix. We recommend that all users upgrade to this version.

See the [full whatsnew](https://pandas.pydata.org/pandas-docs/version/2.1.4/whatsnew/v2.1.4.html) for a list of all the changes.

The release will be available on the defaults and conda-forge channels:

```
conda install pandas
```

Or via PyPI:

```
python3 -m pip install --upgrade pandas
```

Please report any issues with the release on the [pandas issue tracker](https://redirect.github.com/pandas-dev/pandas/issues).

Thanks to all the contributors who made this release possible.
**pylint-dev/pylint (pylint)**

### [`v3.2.7`](https://redirect.github.com/pylint-dev/pylint/releases/tag/v3.2.7)

[Compare Source](https://redirect.github.com/pylint-dev/pylint/compare/v3.2.6...v3.2.7)

## What's new in Pylint 3.2.7?

Release date: 2024-08-31

## False Positives Fixed

- Fixed a false positive `unreachable` for `NoReturn` coroutine functions. Closes [#9840](https://redirect.github.com/pylint-dev/pylint/issues/9840)

## Other Bug Fixes

- Fix crash in refactoring checker when calling a lambda bound as a method. Closes [#9865](https://redirect.github.com/pylint-dev/pylint/issues/9865)
- Fix a crash in `undefined-loop-variable` when providing the `iterable` argument to `enumerate()`. Closes [#9875](https://redirect.github.com/pylint-dev/pylint/issues/9875)
- Fix to address indeterminacy of error message in case a module name is same as another in a separate namespace. Refs [#9883](https://redirect.github.com/pylint-dev/pylint/issues/9883)

### [`v3.2.6`](https://redirect.github.com/pylint-dev/pylint/releases/tag/v3.2.6)

[Compare Source](https://redirect.github.com/pylint-dev/pylint/compare/v3.2.5...v3.2.6)

## What's new in Pylint 3.2.6?

Release date: 2024-07-21

## False Positives Fixed

- Quiet false positives for `unexpected-keyword-arg` when pylint cannot determine which of two or more dynamically defined classes is being instantiated. Closes [#9672](https://redirect.github.com/pylint-dev/pylint/issues/9672)
- Fix a false positive for `missing-param-doc` where a method which is decorated with `typing.overload` was expected to have a docstring specifying its parameters. Closes [#9739](https://redirect.github.com/pylint-dev/pylint/issues/9739)
- Fix a regression that raised `invalid-name` on class attributes merely overriding invalid names from an ancestor. Closes [#9765](https://redirect.github.com/pylint-dev/pylint/issues/9765)
- Treat `assert_never()` the same way when imported from `typing_extensions`. Closes [#9780](https://redirect.github.com/pylint-dev/pylint/issues/9780)
- Fix a false positive for `consider-using-min-max-builtin` when the assignment target is an attribute. Refs [#9800](https://redirect.github.com/pylint-dev/pylint/issues/9800)

## Other Bug Fixes

- Fix an `AssertionError` arising from properties that return partial functions. Closes [#9214](https://redirect.github.com/pylint-dev/pylint/issues/9214)
- Fix a crash when a subclass extends `__slots__`. Closes [#9814](https://redirect.github.com/pylint-dev/pylint/issues/9814)
**dateutil/dateutil (python-dateutil)**

### [`v2.9.0.post0`](https://redirect.github.com/dateutil/dateutil/releases/tag/2.9.0.post0)

[Compare Source](https://redirect.github.com/dateutil/dateutil/compare/2.9.0...2.9.0.post0)

### Version 2.9.0.post0 (2024-03-01)

#### Bugfixes

- Pinned `setuptools_scm` to `<8`, which should make the generated `_version.py` file compatible with all supported versions of Python.

### [`v2.9.0`](https://redirect.github.com/dateutil/dateutil/releases/tag/2.9.0)

[Compare Source](https://redirect.github.com/dateutil/dateutil/compare/2.8.2...2.9.0)

### Version 2.9.0 (2024-02-29)

#### Data updates

- Updated tzdata version to 2024a. (gh pr [#1342](https://redirect.github.com/dateutil/dateutil/issues/1342))

#### Features

- Made all `dateutil` submodules lazily imported using [PEP 562](https://www.python.org/dev/peps/pep-0562/). On Python 3.7+, things like `import dateutil; dateutil.tz.gettz("America/New_York")` will now work without explicitly importing `dateutil.tz`, with the import occurring behind the scenes on first use. The old behavior remains on Python 3.6 and earlier. Fixed by Orson Adams. (gh issue [#771](https://redirect.github.com/dateutil/dateutil/issues/771), gh pr [#1007](https://redirect.github.com/dateutil/dateutil/issues/1007))

#### Bugfixes

- Removed a call to `datetime.utcfromtimestamp`, which is deprecated as of Python 3.12. Reported by Hugo van Kemenade (gh pr [#1284](https://redirect.github.com/dateutil/dateutil/issues/1284)), fixed by Thomas Grainger (gh pr [#1285](https://redirect.github.com/dateutil/dateutil/issues/1285)).

#### Documentation changes

- Added note into docs and tests where relativedelta would return last day of the month only if the same day on a different month resolves to a date that doesn't exist. Reported by [@hawkEye-01](https://redirect.github.com/hawkEye-01) (gh issue [#1167](https://redirect.github.com/dateutil/dateutil/issues/1167)). Fixed by [@Mifrill](https://redirect.github.com/Mifrill) (gh pr [#1168](https://redirect.github.com/dateutil/dateutil/issues/1168))

Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


- [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

forking-renovate[bot] commented 3 weeks ago

ℹ Artifact update notice

File name: vulnfeeds/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

- 29 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| cloud.google.com/go | v0.113.0 -> v0.115.1 |
| cloud.google.com/go/auth | v0.4.1 -> v0.9.0 |
| cloud.google.com/go/auth/oauth2adapt | v0.2.2 -> v0.2.4 |
| cloud.google.com/go/compute/metadata | v0.3.0 -> v0.5.0 |
| cloud.google.com/go/iam | v1.1.8 -> v1.1.13 |
| cloud.google.com/go/longrunning | v0.5.7 -> v0.5.11 |
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| github.com/google/s2a-go | v0.1.7 -> v0.1.8 |
| github.com/googleapis/gax-go/v2 | v2.12.4 -> v2.13.0 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.49.0 -> v0.52.0 |
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | v0.49.0 -> v0.53.0 |
| go.opentelemetry.io/otel | v1.24.0 -> v1.28.0 |
| go.opentelemetry.io/otel/metric | v1.24.0 -> v1.28.0 |
| go.opentelemetry.io/otel/trace | v1.24.0 -> v1.28.0 |
| golang.org/x/crypto | v0.24.0 -> v0.27.0 |
| golang.org/x/mod | v0.18.0 -> v0.21.0 |
| golang.org/x/net | v0.26.0 -> v0.29.0 |
| golang.org/x/oauth2 | v0.20.0 -> v0.22.0 |
| golang.org/x/sync | v0.7.0 -> v0.8.0 |
| golang.org/x/sys | v0.21.0 -> v0.25.0 |
| golang.org/x/text | v0.16.0 -> v0.18.0 |
| golang.org/x/time | v0.5.0 -> v0.6.0 |
| golang.org/x/tools | v0.22.0 -> v0.25.0 |
| google.golang.org/api | v0.180.0 -> v0.193.0 |
| google.golang.org/genproto | v0.0.0-20240401170217-c3f982113cda -> v0.0.0-20240814211410-ddb44dafa142 |
| google.golang.org/genproto/googleapis/api | v0.0.0-20240513163218-0867130af1f8 -> v0.0.0-20240814211410-ddb44dafa142 |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20240513163218-0867130af1f8 -> v0.0.0-20240814211410-ddb44dafa142 |
| google.golang.org/grpc | v1.64.1 -> v1.65.0 |
| google.golang.org/protobuf | v1.34.1 -> v1.34.2 |