fix(deps): update module mvdan.cc/sh/v3 to v3.13.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mvdan.cc/sh/v3	v3.12.0 → v3.13.1

---

Release Notes

mvdan/sh (mvdan.cc/sh/v3)

v3.13.1

Compare Source

Initial release.

v3.13.0

Compare Source

This release introduces support for Zsh in the parser and formatter, which was tracked in issue #​120 alongside the label https://github.com/mvdan/sh/labels/zsh. While support is not complete, it should be far enough for many use cases.

This release also drops support for Go 1.24 and includes many other enhancements:

• cmd/shfmt
  • Exit with a non-zero status when -l prints any filenames
  • shfmt -version is now derived from the git current tag, dropping the -ldflags workaround
• syntax
  • New nodes types and node fields are introduced alongside LangZsh
  • LangVariant is now a bitset, allowing the use of sets like "Bash-like"
  • Add InteractiveSeq and StmtsSeq iterator methods for Parser
  • Stop exposing the internal buffer in Printer via struct embedding
  • Support the use of brace expansions like declare {a,b}_c=value
  • Fix a bug where POSIX and Bash incorrectly allowed empty command lists
• interp
  • Add support for shopt -s dotglob and shopt -s extglob
  • Add support for simple uses of !(expr) extended glob patterns
  • Support more builtin flags for declare, type, read
  • Fix various bugs relating to nulls, errors, and arrays
• expand
  • Add Config.DotGlob and Config.ExtGlob for the interpreter
  • Add Variable.Flags to get the one-character declare flags
  • Do not force env vars on Windows to be uppercase
  • Fix various bugs relating to glob pattern matching
• pattern
  • Add GlobLeadingDot and ExtendedOperators for the interpreter
  • Add NegExtGlobError to mark the use of !(expr) negation patterns

Consider becoming a sponsor if you benefit from the work that went into this release!

Binaries built on go version go1.26.1 linux/amd64 with:

CGO_ENABLED=0 go build -trimpath -ldflags="-w -s"

Note that this release no longer includes a sha256sums.txt asset; GitHub now provide digests natively.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: config/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
golang.org/x/sys	v0.41.0 -> v0.42.0

[deepsource-io]

DeepSource Code Review

We reviewed changes in 95f8f42...5031171 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Shell		Apr 27, 2026 1:44p.m.	Review ↗
Go		Apr 27, 2026 1:44p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mvdan.cc/​sh/​v3@​v3.12.0 ⏵ v3.13.1

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!