chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Update
github.com/anchore/syft	v1.42.0 → v1.42.1					patch
github.com/cli/cli/v2	v2.86.0 → v2.87.2					minor
github.com/golangci/golangci-lint/v2	v2.9.0 → v2.10.1					minor
github.com/google/go-containerregistry	v0.20.7 → v0.21.0					minor
github.com/goreleaser/goreleaser/v2	v2.13.3 → v2.14.0					minor
kyverno/kyverno	v1.17.0 → v1.17.1					patch
rclone/rclone	v1.73.0 → v1.73.1					patch
vmware-tanzu/carvel-ytt	v0.53.0 → v0.53.2					patch

---

Release Notes

anchore/syft (github.com/anchore/syft)

v1.42.1

Compare Source

Bug Fixes

• Use redhat as namespace for hummingbird rpms [#​4615 @​scoheb]
• False Positive: Emacs snap package version CVE-2024-39331 [#​4485]

Additional Changes

• call cleanup on tmpfile and replace some io.ReadAlls with streams [#​4629 @​willmurphyscode]
• bumps go mod version to 1.25; ci takes latest patch [#​4628 @​spiffcs]

(Full Changelog)

cli/cli (github.com/cli/cli/v2)

v2.87.2: GitHub CLI 2.87.2

Compare Source

ℹ️ Note

This release was cut primarily to resolve a publishing issue. We recommend reviewing the v2.87.1 release notes for the complete set of latest features and fixes.

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @​dependabot[bot] in #​12659

Full Changelog: cli/cli@v2.87.1...v2.87.2

v2.87.1: GitHub CLI 2.87.1

Compare Source

⚠️ Incomplete Release

The v2.87.1 release experienced a failure in our workflow and is not fully published to the designated package managers/repositories. This is resolved in v2.87.2, so we recommend using that release instead.

What's Changed

• Remove license bundling debris by @​williammartin in #​12716
• fix(agent-task/capi): use a fixed CAPI API version by @​babakks in #​12731

Full Changelog: cli/cli@v2.87.0...v2.87.1

v2.87.0: GitHub CLI 2.87.0

Compare Source

gh workflow run immediately returns workflow run URL

One of our most requested features - with the latest changes in GitHub API, gh workflow run will immediately print the created workflow run URL.

Improved gh auth login experience in VM/WSL environments

We have observed rare cases of time drift between the wall and monotonic clocks, mostly in WSL or VM environments, causing failures during polling for the OAuth token. This new release implements measures to account for such situations.

If you continue to experience gh auth login issues in WSL, please comment in #​9370

Request Copilot Code Review from gh + performance improvements

gh pr edit now supports Copilot Code Review as a reviewer. You can request a review from Copilot using the --add-reviewer @​copilot flag or interactively by selecting reviewers in the prompts.

This release also introduces a new search experience for selecting reviewers and assignees in gh pr edit. Instead of loading all collaborators and teams upfront, results are now fetched based on inputs to a new search option. Initial options are suggestions based on those involved with the pull request already.

? Reviewers  [Use arrows to move, space to select, <right> to all, <left> to none, type to filter]
  [ ]  Search (7472 more)
  [x]  BagToad (Kynan Ware)
> [x]  Copilot (AI)

This experience will follow in gh pr create and gh issue for assignees in a later release.

What's Changed

✨ Features

• Bundle licenses at release time by @​williammartin in #​12625
• Add --query flag to project item-list by @​williammartin in #​12696
• feat(workflow run): retrieve workflow dispatch run details by @​babakks in #​12695
• Pin REST API version to 2022-11-28 by @​williammartin in #​12680
• Respect --exit-status with --log and --log-failed in run view by @​williammartin in #​12679
• Fork with default branch only during pr create by @​williammartin in #​12673
• gh pr edit: Add support for Copilot as reviewer with search capability, performance and accessibility improvements by @​BagToad in #​12567
• gh pr edit: new interactive prompt for assignee selection, performance and accessibility improvements by @​BagToad in #​12526

📚 Docs & Chores

• Clean up project item-list query addition changes by @​williammartin in #​12714
• gh release upload: Clarify --clobber flag deletes assets before re-uploading by @​BagToad in #​12711
• Add usage examples to gh gist edit command by @​BagToad in #​12710
• Remove feedback issue template by @​BagToad in #​12708
• Migrate issue triage workflows to shared workflows by @​BagToad in #​12677
• Migrate PR triage workflows to shared workflows by @​BagToad in #​12707
• Add missing TODO comments for featuredetection if-statements by @​BagToad in #​12701
• Add manual dispatch to bump-go workflow by @​BagToad in #​12631
• typo: dont to don't by @​cuiweixie in #​12554
• Fix fmt.Errorf format argument in ParseFullReference by @​mikelolasagasti in #​12516
• Lint source.md by @​Sethispr in #​12521

Dependencies

• chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​12468
• chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 by @​dependabot[bot] in #​12616
• Bump go to 1.25.7 by @​BagToad in #​12630
• chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @​dependabot[bot] in #​12629
• chore: bump cli/oauth to v1.2.2 by @​babakks in #​12573
• update Go to 1.25.6 by @​BagToad in #​12580
• chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @​dependabot[bot] in #​12558
• chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @​dependabot[bot] in #​12524
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 by @​dependabot[bot] in #​12555
• chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.4 to 2.13.7 by @​dependabot[bot] in #​12469
• chore(deps): bump github.com/sigstore/sigstore from 1.10.0 to 1.10.4 by @​dependabot[bot] in #​12525
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 by @​dependabot[bot] in #​12515
• chore(deps): bump actions/download-artifact from 6 to 7 by @​dependabot[bot] in #​12314
• chore(deps): bump actions/upload-artifact from 5 to 6 by @​dependabot[bot] in #​12315
• chore(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.4.0 by @​dependabot[bot] in #​12354

New Contributors

• @​Sethispr made their first contribution in #​12521
• @​cuiweixie made their first contribution in #​12554

Full Changelog: cli/cli@v2.86.0...v2.87.0

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.10.1

Compare Source

Released on 2026-02-17

1. Fixes
   • buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

1. Linters new features or changes
   • ginkgolinter: from 0.22.0 to 0.23.0
   • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
   • staticcheck: from 0.6.1 to 0.7.0
2. Linters bug fixes
   • godoclint: from 0.11.1 to 0.11.2

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.0

Compare Source

This release updates the minimum Go version to 1.25.6.

What's Changed

• fix(mutate): don't skip dir replacements via whiteout in export by @​r4f4 in #​2191
• Improve performance of v1.NewHash by @​bmoylan in #​2194
• Bump the actions group across 1 directory with 4 updates by @​dependabot[bot] in #​2207
• Bump the root-deps group across 1 directory with 7 updates by @​dependabot[bot] in #​2195
• Fix error messages in crane_test.go by @​jammie-jelly in #​2189
• Bump go version across packages to 1.25.6 by @​Subserial in #​2211
• Join go.mod dependency updates by @​Subserial in #​2212
• Bump the go-deps group across 3 directories with 3 updates by @​dependabot[bot] in #​2213
• Disable taint gosec lints by @​Subserial in #​2215
• Update go version used in goreleaser by @​Subserial in #​2216

New Contributors

• @​r4f4 made their first contribution in #​2191
• @​jammie-jelly made their first contribution in #​2189

Full Changelog: google/go-containerregistry@v0.20.7...v0.21.0

v0.20.8

Compare Source

goreleaser/goreleaser (github.com/goreleaser/goreleaser/v2)

v2.14.0

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

New Features

• 3161f6d: feat(dockers/v2): allow to skip load image in snapshot for daemonless clients (#​6348) (@​BaptisteLalanne and @​caarlos0)
• 3368f3d: feat(dockers/v2): template platforms (#​6347) (@​caarlos0)
• cfa0bce: feat(dockers_v2): warn user if it seems like they're rebuilding binaries (#​6342) (@​caarlos0)
• de60363: feat(homebrew_cask): allow globs in manpages (#​6324) (@​caarlos0)
• 34583a4: feat(nfpm): allow to filter by goamd64 (@​caarlos0)
• c8aef2a: feat(nfpm): set archvariant in deb for goamd64 (@​caarlos0)
• 4ead70b: feat(nix): add formatter support (#​6357) (@​caarlos0)
• 8df15da: feat(tmpl): englishJoin (@​caarlos0)
• 3702e4d: feat(winget): allow to set package name (#​6371) (@​caarlos0)
• bf2608c: feat(winget): update manifest schema to latest (1.12.0) (#​6370) (@​vedantmgoyal9)
• 20d273b: feat: detect if binary is dynamically linked, proper nix configuration (#​6346) (@​caarlos0)
• 3a92bcc: feat: extract co-authors (#​6322) (@​caarlos0)
• 1c03c92: feat: go 1.25.6 (@​caarlos0)
• a57d7b1: feat: go1.25.7 (@​caarlos0)
• 323bb9e: feat: improve gerrors (@​caarlos0)
• 086ddd5: feat: use go1.26 (@​caarlos0)

Security updates

• 4f4893f: fixup! sec: redact secrets from command outputs and logs (@​caarlos0)
• 09cd360: sec: redact secrets from command outputs and logs (@​caarlos0)

Bug fixes

• aa3844d: fix(aur): src info should replace version with pkgver (@​caarlos0)
• f811af1: fix(brews): brew style sorbet error (#​6373) (@​gliptak)
• 1c4d6d4: fix(cask): handle WrappedIn (@​caarlos0)
• 1101aeb: fix(changelog): de-duplicate authors (@​caarlos0)
• e008893: fix(deps): fix github enterprise urls (@​caarlos0)
• 1c79913: fix(docker): bump Go to 1.25.7 to match go.mod (@​jacarui)
• 56f411e: fix(docker): regression with new buildx versions (@​caarlos0)
• b611c6f: fix(dockers/v2): improve log output, do not complain on driver=docker (@​caarlos0)
• 2c45558: fix(dockers/v2): improve logs (@​caarlos0)
• a9dbf93: fix(dockers/v2): simplify code a bit (@​caarlos0)
• b2d8862: fix(nfpm): properly handle meta packages (@​caarlos0)
• ae1b623: fix(nix): auPatchelHook should be a dependency (#​6364) (@​malikwirin)
• 075c670: fix(nix): autoPatchelfHook on Linux only (@​caarlos0)
• fb8547c: fix(sbom): improve log output (@​caarlos0)
• 49934c3: fix(tmpl): better englishJoin, added slice (@​caarlos0)
• 8807b97: fix: better debug output (@​caarlos0)
• 7d683d7: fix: git-lfs on Dockerfile (@​caarlos0)
• 15cde46: fix: github enteprise upload URLs (@​caarlos0)
• b5c6487: fix: lint (@​caarlos0)
• b62b13c: fix: some rewording (@​caarlos0)
• 4b5e9fd: fix: update sha3 and minor code style update (#​6350) (@​caarlos0)
• df2bab4: fixup! fix: better debug output (@​caarlos0)

Documentation updates

• 87dfeca: docs(deps): bump mkdocs-include-markdown-plugin from 7.2.0 to 7.2.1 in /www in the docs group (#​6367) (@​dependabot[bot])
• cd3d34c: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot])
• 123dbd9: docs(nfpm): document deb compression (@​scop)
• 231ed16: docs(schema): add missing zstd deb compression enum value (@​scop)
• ea8f0eb: docs: Fix typo In Deprecation Docs on Homebrew Formulas (#​6340) (@​bwagner5)
• 996d78c: docs: document artifacts.json structure (#​6341) (@​caarlos0 and @​Copilot)
• 100822e: docs: document how to disable manifests in dockers_v2 (@​caarlos0)
• f7594cc: docs: gemfury link (@​caarlos0)
• d76db96: docs: image (@​caarlos0)
• d7e6a82: docs: preparing for v2.14 (@​caarlos0)
• 6ae4126: docs: secure fund (@​caarlos0)
• b1e27d1: docs: udpate (@​caarlos0)
• 26d008a: docs: update sponsors (@​caarlos0)

Other work

• 2bc0d08: Apply suggestion from @​caarlos0 (@​caarlos0)
• 0d408a1: chore: dockerfile (@​caarlos0)
• c7afd06: chore: fix date (@​caarlos0)
• 782a160: chore: fmt (@​caarlos0)
• c97cd28: chore: fmt (@​caarlos0)
• a04cbc1: chore: move go-shellwords fork to goreleaser (#​6372) (@​caarlos0)
• ef778d3: chore: update schema-pro (@​caarlos0)
• 9056ecd: ci(deps): bump astral-sh/setup-uv in the actions group (@​dependabot[bot])
• a32cb2c: ci(deps): bump the actions group with 4 updates (@​dependabot[bot])
• 183fae8: ci(deps): bump the actions group with 4 updates (@​dependabot[bot])
• 36bb7ce: ci(deps): bump the actions group with 4 updates (#​6344) (@​dependabot[bot])
• 2b1f112: ci(deps): bump the actions group with 7 updates (#​6355) (@​dependabot[bot])
• ecc5b83: ci(deps): bump the actions group with 8 updates (#​6366) (@​dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.13.3...v2.14.0

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

kyverno/kyverno (kyverno/kyverno)

v1.17.1

Compare Source

rclone/rclone (rclone/rclone)

v1.73.1: rclone v1.73.1

Compare Source

This is the v1.73.1 release of rclone.

Full details of the changes can be found in the changelog.

vmware-tanzu/carvel-ytt (vmware-tanzu/carvel-ytt)

v0.53.2

Compare Source

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.2/ytt-linux-amd64

# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/ytt

# Make the binary executable
chmod +x /usr/local/bin/ytt

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install ytt
$ ytt version  

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC(Refer this page for cosign installation). To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.2/checksums.txt
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.2/checksums.txt.pem
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.2/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Fix empty maps and list issue #​817 #​911 by @​emh-jump

Full Changelog: carvel-dev/ytt@v0.53.1...v0.53.2

📂 Files Checksum

0e9e75b7a5f59161d2413e9d6163a1a13218f270daa1c525656195d1fcef28f6  ./ytt-linux-arm64
18fe794d01c2539db39acb90994db0d8e51faa7892d0e749d74c29818017247a  ./ytt-linux-amd64
4cc85a5e954d651d547cdef1e673742d995a38b0840273a5897e5318185b4e18  ./ytt-darwin-arm64
641f84d65af7459ccaaa83694666bc9e5deb92b2b2dd94c34f51ddd94f0c69d2  ./ytt-windows-amd64.exe
7c825bfb2e11565904d23bd9b850fb73de3a73bf5019986d9f08807875a86c6b  ./ytt-windows-arm64.exe
b1d90bf73071c78edb62a0f37663c655c99a3203783593e6e7988c2eeee5f935  ./ytt-linux-riscv64
cc51c3040b91bb0871967f9960cd9286bafd334ffd153a86914b883f3adad9ef  ./ytt-darwin-amd64

v0.53.1

Compare Source

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/ytt-linux-amd64

# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/ytt

# Make the binary executable
chmod +x /usr/local/bin/ytt

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install ytt
$ ytt version  

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC(Refer this page for cosign installation). To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Bump golang to 1.25.7 to fix CVEs in #​976 from @​CodesbyUnnati

Full Changelog: carvel-dev/ytt@v0.53.0...v0.53.1

📂 Files Checksum

2eaafe06d5e22203da2b74819685f9fd06ddc0a5cd38afc458821824990c78c0  ./ytt-darwin-arm64
36adcaa1f02681b0e7ceb73bda70ab11e3880588b51a188fd0318f6009bdeb36  ./ytt-windows-amd64.exe
5e479410a478385f6209624765e21c9880c07c6528ce6ed5e3dcca1e8b4a5677  ./ytt-linux-arm64
6b250c85d94b6b0643a58129ebf37244edb519fb9bc4aded1a8508d542d94ed3  ./ytt-linux-riscv64
764dadb577e680fa8fd09a28d281c570cb0e75accebb2ab0a328ab24b4032cfe  ./ytt-darwin-amd64
cf675039fa1bde77ebd12ed79eeaa698f7d9862a2b5fd82078260974ec311649  ./ytt-windows-arm64.exe
ecdc1439e52139335e42a23d1aa8941f575c52e70e58da709d2bad5038ecadae  ./ytt-linux-amd64

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[erikgb]

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment