fix(deps): update tool deps to v2 (major)#723

Open

renovate[bot] wants to merge 1 commit into main from renovate/major-tool-deps

renovate bot commented Mar 27, 2025

This PR contains the following updates:

Package                              Change
github.com/golangci/golangci-lint    v1.64.8 -> v2.11.3
github.com/google/osv-scanner        v1.9.2 -> v2.3.3

⚠️ MAJOR VERSION UPDATE ⚠️ - please manually update this package


Release Notes

golangci/golangci-lint (github.com/golangci/golangci-lint)

v2.11.3

Released on 2026-03-10

  1. Linters bug fixes

v2.11.2

Released on 2026-03-07

  1. Fixes
    • fmt: fix error when using the fmt command with explicit paths.

v2.11.1

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Released on 2026-03-06

  1. Linters new features or changes
    • errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
    • gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
    • noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
    • prealloc: from 1.0.2 to 1.1.0
    • revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
  2. Linters bug fixes
    • gocognit: from 1.2.0 to 1.2.1
    • gosec: from 2.24.6 to 2.24.7
    • unqueryvet: from 1.5.3 to 1.5.4

v2.10.1

Released on 2026-02-17

  1. Fixes
    • buildssa panic

v2.10.0

Released on 2026-02-17

  1. Linters new features or changes
    • ginkgolinter: from 0.22.0 to 0.23.0
    • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
    • staticcheck: from 0.6.1 to 0.7.0
  2. Linters bug fixes
    • godoclint: from 0.11.1 to 0.11.2

v2.9.0

Released on 2026-02-10

  1. Enhancements
    • 🎉 go1.26 support
  2. Linters new features or changes
    • arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
    • ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
    • golines: from 0.14.0 to 0.15.0
    • misspell: from 0.7.0 to 0.8.0
    • unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
    • wsl: from 5.3.0 to 5.6.0 (new rule: after-block)
  3. Linters bug fixes
    • modernize: from 0.41.0 to 0.42.0
    • prealloc: from 1.0.1 to 1.0.2
    • protogetter: from 0.3.18 to 0.3.20
  4. Misc.
    • Log information about files during configuration verification
    • Emit an error when no linters are enabled
    • Do not collect VCS information when loading code

v2.8.0

Released on 2026-01-07

  1. Linters new features or changes
    • godoc-lint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
    • golines: from 442fd00 to 0.14.0
    • gomoddirectives: from 0.7.1 to 0.8.0
    • gosec: from daccba6 to 2.22.11 (new rule: G116)
    • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
    • prealloc: from 1.0.0 to 1.0.1 (message changes)
    • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
  2. Linters bug fixes
    • go-critic: from 0.14.2 to 0.14.3
    • go-errorlint: from 1.8.0 to 1.9.0
    • govet: from 0.39.0 to 0.40.0
    • protogetter: from 0.3.17 to 0.3.18
    • revive: add missing enable-default-rules setting
  3. Documentation
    • docs: split installation page

v2.7.2

Released on 2025-12-07

  1. Linter bug fixes

v2.7.1

Released on 2025-12-04

  1. Linter bug fixes
    • modernize: disable stringscut analyzer

v2.7.0

  1. Bug fixes
    • fix: clone args used by custom command
  2. Linters new features or changes
    • no-sprintf-host-port: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
    • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
    • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
    • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
  3. Linters bug fixes
    • perfsprint: from 0.10.0 to 0.10.1
    • wrapcheck: from 2.11.0 to 2.12.0
    • godoc-lint: from 0.10.1 to 0.10.2
  4. Misc.
    • Add some flags to the custom command
  5. Documentation
    • docs: split changelog v1 and v2

v2.6.2

Released on 2025-11-14

  1. Bug fixes
    • fmt command with symlinks
    • use file depending on build configuration to invalidate cache
  2. Linters bug fixes
    • testableexamples: from 1.0.0 to 1.0.1
    • testpackage: from 1.1.1 to 1.1.2

v2.6.1

v2.6.0

  1. New linters
    • Add modernize analyzer suite
  2. Linters new features or changes
    • arangolint: from 0.2.0 to 0.3.1
    • dupword: from 0.1.6 to 0.1.7 (new option comments-only)
    • go-critic: from 0.13.0 to 0.14.0 (new rules/checkers: zeroByteRepeat, dupOption)
    • gofumpt: from 0.9.1 to 0.9.2 ("clothe" naked returns is now controlled by the extra-rules option)
    • perfsprint: from 0.9.1 to 0.10.0 (new options: concat-loop, loop-other-ops)
    • wsl: from 5.2.0 to 5.3.0
  3. Linters bug fixes
    • dupword: from 0.1.6 to 0.1.7
    • durationcheck: from 0.0.10 to 0.0.11
    • exptostd: from 0.4.4 to 0.4.5
    • fatcontext: from 0.8.1 to 0.9.0
    • forbidigo: from 2.1.0 to 2.3.0
    • ginkgolinter: from 0.21.0 to 0.21.2
    • godoc-lint: from 0.10.0 to 0.10.1
    • gomoddirectives: from 0.7.0 to 0.7.1
    • gosec: from 2.22.8 to 2.22.10
    • makezero: from 2.0.1 to 2.1.0
    • nilerr: from 0.1.1 to 0.1.2
    • paralleltest: from 1.0.14 to 1.0.15
    • protogetter: from 0.3.16 to 0.3.17
    • unparam: from 0df0534 to 5beb8c8
  4. Misc.
    • fix: ignore some files to hash the version for custom build

v2.5.0

  1. New linters
  2. Linters new features or changes
    • embeddedstructfieldcheck: from 0.3.0 to 0.4.0 (new option: empty-line)
    • err113: from aea10b5 to 0.1.1 (skip internals of Is methods for error type)
    • ginkgolinter: from 0.20.0 to 0.21.0 (new option: force-tonot)
    • gofumpt: from 0.8.0 to 0.9.1 (new rule is to "clothe" naked returns for the sake of clarity)
    • ineffassign: from 0.1.0 to 0.2.0 (new option: check-escaping-errors)
    • musttag: from 0.13.1 to 0.14.0 (support interface methods)
    • revive: from 1.11.0 to 1.12.0 (new options: identical-ifelseif-branches, identical-ifelseif-conditions, identical-switch-branches, identical-switch-conditions, package-directory-mismatch, unsecure-url-scheme, use-waitgroup-go, useless-fallthrough)
    • thelper: from 0.6.3 to 0.7.1 (skip t.Helper in functions passed to synctest.Test)
    • wsl: from 5.1.1 to 5.2.0 (improvements related to subexpressions)
  3. Linters bug fixes
    • asciicheck: from 0.4.1 to 0.5.0
    • errname: from 1.1.0 to 1.1.1
    • fatcontext: from 0.8.0 to 0.8.1
    • go-printf-func-name: from 0.1.0 to 0.1.1
    • godot: from 1.5.1 to 1.5.4
    • gosec: from 2.22.7 to 2.22.8
    • nilerr: from 0.1.1 to a temporary fork
    • nilnil: from 1.1.0 to 1.1.1
    • protogetter: from 0.3.15 to 0.3.16
    • tagliatelle: from 0.7.1 to 0.7.2
    • testifylint: from 1.6.1 to 1.6.4
  4. Misc.
    • fix: "no export data" errors are now handled as a standard typecheck error
  5. Documentation
    • Improve nolint section about syntax

v2.4.0

  1. Enhancements
    • 🎉 go1.25 support
  2. Linters new features or changes
    • exhaustruct: from v3.3.1 to 4.0.0 (new options: allow-empty, allow-empty-rx, allow-empty-returns, allow-empty-declarations)
  3. Linters bug fixes
    • godox: trim filepath from report messages
    • staticcheck: allow empty options
    • tagalign: from 1.4.2 to 1.4.3
  4. Documentation
    • 🌟 New website (with a search engine)

v2.3.1

  1. Linters bug fixes
    • gci: from 0.13.6 to 0.13.7
    • gosec: from 2.22.6 to 2.22.7
    • noctx: from 0.3.5 to 0.4.0
    • wsl: from 5.1.0 to 5.1.1
    • tagliatelle: force upper case for custom initialisms

v2.3.0

  1. Linters new features or changes
    • ginkgolinter: from 0.19.1 to 0.20.0 (new option: force-assertion-description)
    • iface: from 1.4.0 to 1.4.1 (report message improvements)
    • noctx: from 0.3.4 to 0.3.5 (new detections: log/slog, exec, crypto/tls)
    • revive: from 1.10.0 to 1.11.0 (new rule: enforce-switch-style)
    • wsl: from 5.0.0 to 5.1.0
  2. Linters bug fixes
    • gosec: from 2.22.5 to 2.22.6
    • noinlineerr: from 1.0.4 to 1.0.5
    • sloglint: from 0.11.0 to 0.11.1
  3. Misc.
    • fix: panic close of closed channel

v2.2.2

  1. Linters bug fixes
    • noinlineerr: from 1.0.3 to 1.0.4
  2. Documentation
    • Improve debug keys documentation
  3. Misc.
    • fix: panic close of closed channel
    • godot: add noinline value into the JSONSchema

v2.2.1

  1. Linters bug fixes
    • varnamelen: fix configuration

v2.2.0

  1. New linters
  2. Linters new features or changes
    • errcheck: add verbose option
    • funcorder: from 0.2.1 to 0.5.0 (new option alphabetical)
    • gomoddirectives: from 0.6.1 to 0.7.0 (new option ignore-forbidden)
    • iface: from 1.3.1 to 1.4.0 (new option unexported)
    • noctx: from 0.1.0 to 0.3.3 (new report messages, and new rules related to database/sql)
    • noctx: from 0.3.3 to 0.3.4 (new SQL functions detection)
    • revive: from 1.9.0 to 1.10.0 (new rules: time-date, unnecessary-format, use-fmt-print)
    • usestdlibvars: from 1.28.0 to 1.29.0 (new option time-date-month)
    • wsl: deprecation
    • wsl_v5: from 4.7.0 to 5.0.0 (major version with new configuration)
  3. Linters bug fixes
    • dupword: from 0.1.3 to 0.1.6
    • exptostd: from 0.4.3 to 0.4.4
    • forbidigo: from 1.6.0 to 2.1.0
    • gci: consistently format the code
    • go-spancheck: from 0.6.4 to 0.6.5
    • goconst: from 1.8.1 to 1.8.2
    • gosec: from 2.22.3 to 2.22.4
    • gosec: from 2.22.4 to 2.22.5
    • makezero: from 1.2.0 to 2.0.1
    • misspell: from 0.6.0 to 0.7.0
    • usetesting: from 0.4.3 to 0.5.0
  4. Misc.
    • exclusions: fix path-expect
    • formatters: write the input to stdout when using stdin and there are no changes
    • migration: improve the error message when trying to migrate a migrated config
    • typecheck: deduplicate errors
    • typecheck: stops the analysis after the first error
    • Deprecate print-resources-usage flag
    • Unique version per custom build
  5. Documentation
    • Improves typecheck FAQ
    • Adds plugin systems recommendations
    • Add description for linters.default sets

v2.1.6

  1. Linters bug fixes
    • godot: from 1.5.0 to 1.5.1
    • musttag: from 0.13.0 to 0.13.1
  2. Documentation
    • Add note about golangci-lint v2 integration in VS Code

v2.1.5

Due to an error related to Snapcraft, some artifacts of the v2.1.4 release have not been published.

This release contains the same things as v2.1.3.

v2.1.4

Due to an error related to Snapcraft, some artifacts of the v2.1.3 release have not been published.

This release contains the same things as v2.1.3.

v2.1.3

  1. Linters bug fixes
    • fatcontext: from 0.7.2 to 0.8.0
  2. Misc.
    • migration: fix nakedret.max-func-lines: 0
    • migration: fix order of staticcheck settings
    • fix: add go.mod hash to the cache salt
    • fix: use diagnostic position for related information position

v2.1.2

  1. Linters bug fixes
    • exptostd: from 0.4.2 to 0.4.3
    • gofumpt: from 0.7.0 to 0.8.0
    • protogetter: from 0.3.13 to 0.3.15
    • usetesting: from 0.4.2 to 0.4.3

v2.1.1

The release process of v2.1.0 failed due to a regression inside goreleaser.

The binaries of v2.1.0 have been published, but not the other artifacts (AUR, Docker, etc.).

v2.1.0

  1. Enhancements
    • Add an option to display absolute paths (--path-mode=abs)
    • Add configuration path placeholder (${config-path})
    • Add warn-unused option for fmt command
    • Colored diff for fmt command (golangci-lint fmt --diff-colored)
  2. New linters
  3. Linters new features or changes
    • go-errorlint: from 1.7.1 to 1.8.0 (automatic error comparison and type assertion fixes)
    • ⚠️ goconst: ignore-strings is deprecated and replaced by ignore-string-values
    • goconst: from 1.7.1 to 1.8.1 (new options: find-duplicates, eval-const-expressions)
    • govet: add httpmux analyzer
    • nilnesserr: from 0.1.2 to 0.2.0 (detect more cases)
    • paralleltest: from 1.0.10 to 1.0.14 (checks only _test.go files)
    • revive: from 1.7.0 to 1.9.0 (support kebab case for setting names)
    • sloglint: from 0.9.0 to 0.11.0 (autofix, new option msg-style, suggest slog.DiscardHandler)
    • wrapcheck: from 2.10.0 to 2.11.0 (new option report-internal-errors)
    • wsl: from 4.6.0 to 4.7.0 (cgo files are always excluded)
  4. Linters bug fixes
    • fatcontext: from 0.7.1 to 0.7.2
    • gocritic: fix importshadow checker
    • gosec: from 2.22.2 to 2.22.3
    • ireturn: from 0.3.1 to 0.4.0
    • loggercheck: from 0.10.1 to 0.11.0
    • nakedret: from 2.0.5 to 2.0.6
    • nonamedreturns: from 1.0.5 to 1.0.6
    • protogetter: from 0.3.12 to 0.3.13
    • testifylint: from 1.6.0 to 1.6.1
    • unconvert: update to HEAD
  5. Misc.
    • Fixes memory leaks when using go1.(N) with golangci-lint built with go1.(N-X)
    • Adds golangci-lint-fmt pre-commit hook
  6. Documentation
    • Improvements
    • Updates section about vscode integration

v2.0.2

  1. Misc.
    • Fixes flags parsing for formatters
    • Fixes the filepath used by the exclusion source option
  2. Documentation
    • Adds a section about flags migration
    • Cleaning pages with v1 options

v2.0.1

  1. Linters/formatters bug fixes
    • golines: fix settings during linter load
  2. Misc.
    • Validates the version field before the configuration
    • forbidigo: fix migration

v2.0.0

  1. Enhancements
  2. New linters/formatters
  3. Linters new features
    • ⚠️ Merge staticcheck, stylecheck, gosimple into one linter (staticcheck) (cf. Migration guide)
    • go-critic: from 0.12.0 to 0.13.0
    • gomodguard: from 1.3.5 to 1.4.1 (block explicit indirect dependencies)
    • nilnil: from 1.0.1 to 1.1.0 (new option: only-two)
    • perfsprint: from 0.8.2 to 0.9.1 (checker name in the diagnostic message)
    • staticcheck: new quickfix set of rules
    • testifylint: from 1.5.2 to 1.6.0 (new options: equal-values, suite-method-signature, require-string-msg)
    • wsl: from 4.5.0 to 4.6.0 (new option: allow-cuddle-used-in-block)
  4. Linters bug fixes
    • bidichk: from 0.3.2 to 0.3.3
    • errchkjson: from 0.4.0 to 0.4.1
    • errname: from 1.0.0 to 1.1.0
    • funlen: fix ignore-comments option
    • gci: from 0.13.5 to 0.13.6
    • gosmopolitan: from 1.2.2 to 1.3.0
    • inamedparam: from 0.1.3 to 0.2.0
    • intrange: from 0.3.0 to 0.3.1
    • protogetter: from 0.3.9 to 0.3.12
    • unparam: from 8a5130c to 0df0534
  5. Misc.
    • 🧹 Configuration options renaming (cf. Migration guide)
    • 🧹 Remove options (cf. Migration guide)
    • 🧹 Remove flags (cf. Migration guide)
    • 🧹 Remove alternative names (cf. Migration guide)
    • 🧹 Remove or replace deprecated elements (cf. Migration guide)
    • Adds an option to display some commands as JSON:
      • golangci-lint config path --json
      • golangci-lint help linters --json
      • golangci-lint help formatters --json
      • golangci-lint linters --json
      • golangci-lint formatters --json
      • golangci-lint version --json
  6. Documentation

google/osv-scanner (github.com/google/osv-scanner)

v2.3.3

Features:
Misc:
  • Update Go version to 1.25.7.
  • Update osv-scalibr from v0.4.1 to v0.4.2. Release note.
  • Refactor to better align with osv-scalibr plugins and inventory data structure.

v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:
  • Bug #2415 Add more PURL-to-ecosystem mappings
  • Bug #2422 MCP error for get_vulnerability_id because type definition is incorrect.
  • Bug #2460 Enable osv-scanner.json git queries
  • Bug #2456 Properly track if an ignore entry has been used
  • Bug #2450 Performance: Avoid loading the entire advisory unless it will actually be used
  • Bug #2445 Performance: Don't read the entire zip into memory
  • Bug #2433 Allow specifying user agent in v2 osvscanner package
Misc:

v2.3.1

Features:
  • Feature #2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.
Fixes:
  • Bug #2395 Fix license scanning to correctly match new deps.dev package names.
  • Bug #2333 Deduplicate SARIF outputs for GitHub.
  • Bug #2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.
Misc:
  • Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

v2.3.0

This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#2328). This is primarily an internal change and should not impact users.

Features:
Fixes:

v2.2.4

Features:
  • Feature #2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
  • Feature #2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
  • Feature #2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #2206).
Fixes:

v2.2.3

Features:
  • Feature #2209 Add support for resolving git packages that have a version specified.
  • Feature #2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
  • Feature #2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.
Fixes:
  • Bug #2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
  • Fix #2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

v2.2.2

Features:
  • Feature #2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
  • Feature #2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.
Fixes:
  • Bug #2204 Add a warning to guide users to the correct GitHub Action.
  • Bug #2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
  • Bug #2188 Fix handling of absolute paths on Windows.

v2.2.1

Fixes

v2.2.0

OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Features:
Fixes:
  • Bug #2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
  • Bug #2084 Show absolute paths when scanning containers.
  • Bug #2126 Log and preserve package count before continuing on db error.
  • Bug #2095 Pass through plugin capabilities correctly.
  • Bug #2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
  • Bug #2072 Add missing "text" property in description fields.
  • Bug #2068 Change links in output to go to the specific vulnerability page instead of the list page.
  • Bug #2064 Fix SARIF v3 output to include results.
API Changes:

v2.1.0

Features:
  • Feature #2038 Add CycloneDX location field to the output source string.
  • Feature #2036 Include upstream source information in vulnerability grouping to improve accuracy.
  • Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and add a --show-all-vulns flag to show all.
  • Feature #2003 Add experimental summary output format for the reporter.
  • Feature #1988 Add support for CycloneDX 1.6 report format.
  • Feature #1987 Add support for gems.locked files used by Bundler.
  • Feature #1980 Enable transitive dependency extraction for Python requirements.txt files.
  • Feature #1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
  • Feature #1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
  • Feature #1957 Use a dedicated exit code for invalid configuration files.
Fixes:
  • Bug #2046 Correctly set the user agent string for all outgoing requests.
  • Bug #2019 Use more natural language in the descriptions for extractor-related flags.
  • Bug #1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
  • Bug #2000 Ensure CDATA content in XML is correctly output in guided remediation.
  • Bug #1949 Fix filtering of package types in vulnerability counts.

v2.0.3

Features:
  • Feature #1943 Added a flag to suppress "no package sources found" error.
  • Feature #1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3.
  • Feature #1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.
Fixes:
  • Bug #1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #1857 Fix an issue where SPDX output is not correctly output because it was getting overwritten.
  • Bug #1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #1930 Fix issue where Maven client loses auth data during extraction.
Misc:
  • Update dependencies and update Go to 1.24.4

v2.0.2

Fixes:
  • Bug #1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • Bug #1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • Fix #1825, #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

v2.0.1

Features:
  • Feature #1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • Feature #1770 Add support for extracting dependencies from Rust binaries compiled with cargo-auditable.
  • Feature #1761 Improve output when scanning for OS packages: binary packages associated with a source package are now shown in the table output.
Fixes:
  • Bug #1752 Fix paging depth issue when querying the osv.dev API.
  • Bug #1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
  • Bug #1717 Fix issue where nested CycloneDX components were not being parsed.
  • Bug #1744 Fix issue where empty CycloneDX SBOMs were causing a panic.
  • Bug #1726 De-duplicate references in CycloneDX report output for improved validity.
  • Bug #1727 Remove automatic opening of HTML reports in the browser (fixes #1721).
  • Bug #1735 Require a tag when scanning container images to prevent potential errors.
Docs:
API Changes:

v2.0.0

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:
  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.
    • Machine-readable output for guided remediation.
  • Enhanced Dependency Extraction with osv-scalibr:
    • Haskell: cabal.project.freeze, stack.yaml.lock
    • .NET: deps.json
    • Python: uv.lock
    • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
  • Feature #1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
  • Feature #1582 Add container scanning information to vertical output format.
  • Feature #1587 Add support for severity in SARIF report format.
  • Feature #1569 Add support for bun.lock lockfiles.
  • Feature #1547 Add experimental config support to the scan image command.
  • Feature #1557 Allow setting port number with --serve using the new --port flag.
Breaking Changes:
  • Feature #1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
  • Feature #1670 Removed the --verbosity=verbose verbosity level.
  • Feature #1673 & Feature #1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
  • Feature #1651 Multiple license flags have been merged into a single --license flag.
  • Feature #1666 API: reporter removed; logging now uses slog, which can be overridden.
  • Feature #1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).
Improvements:
  • Feature #1561 Updated HTML report for better contrast and usability (from beta2).
  • Feature #1584 Make skipping the root git repository the default behavior (from beta2).
  • Feature #1648 Updated HTML report styling to improve contrast (from rc1).
Fixes:
  • Fix #1598 Fix table output vulnerability ordering.
  • Fix #1616 Filter out Ubuntu unimportant vulnerabilities.
  • Fix #1585 Fixed issue where base images are occasionally duplicated.
  • Fix #1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.


Configuration

📅 Schedule: Branch creation - "before 5am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate.

github-actions bot added the go label Mar 27, 2025
renovate bot force-pushed the renovate/major-tool-deps branch from 3b882a6 to c5b3453 April 3, 2025 04:35
renovate bot changed the title from "fix(deps): update tool deps to v2 (major)" to "fix(deps): update module github.com/google/osv-scanner to v2" Apr 9, 2025
renovate bot changed the title from "fix(deps): update module github.com/google/osv-scanner to v2" to "fix(deps): update tool deps to v2 (major)" Apr 9, 2025
renovate bot force-pushed the renovate/major-tool-deps branch 4 times, most recently from 6077d80 to 361adee April 15, 2025 13:54
renovate bot force-pushed the renovate/major-tool-deps branch 3 times, most recently from 9b2f938 to ad3308c April 30, 2025 09:05
renovate bot force-pushed the renovate/major-tool-deps branch from ad3308c to 05bfbd3 May 4, 2025 17:08
renovate bot force-pushed the renovate/major-tool-deps branch from 05bfbd3 to 6559282 June 16, 2025 04:01
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 1e01867 to 2cc507e June 29, 2025 23:01
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 2d9b9c8 to 5a5464f July 11, 2025 17:28
renovate bot force-pushed the renovate/major-tool-deps branch from 5a5464f to 7534de3 July 21, 2025 21:01
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 8469e90 to af0cb3d August 7, 2025 05:36
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 2c8c41f to b8caf57 August 14, 2025 08:41
renovate bot force-pushed the renovate/major-tool-deps branch from b8caf57 to 945ec02 August 27, 2025 03:51
renovate bot force-pushed the renovate/major-tool-deps branch from 945ec02 to da80189 September 17, 2025 07:16
renovate bot changed the title from "fix(deps): update tool deps to v2 (major)" to "fix(deps): update module github.com/google/osv-scanner to v2" Sep 17, 2025
renovate bot force-pushed the renovate/major-tool-deps branch from da80189 to eda4029 September 17, 2025 11:43
renovate bot changed the title from "fix(deps): update module github.com/google/osv-scanner to v2" to "fix(deps): update tool deps to v2 (major)" Sep 17, 2025
renovate bot force-pushed the renovate/major-tool-deps branch from eda4029 to b7fa308 September 21, 2025 22:31
renovate bot force-pushed the renovate/major-tool-deps branch from b7fa308 to f525b1e September 29, 2025 16:40
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 5f67279 to 5f5b536 October 1, 2025 16:01
renovate bot force-pushed the renovate/major-tool-deps branch from 5f5b536 to ec63b3c October 6, 2025 22:23
renovate bot force-pushed the renovate/major-tool-deps branch 3 times, most recently from f0525b8 to deb4015 November 4, 2025 18:40
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 62b1987 to e23569a November 19, 2025 06:55
renovate bot force-pushed the renovate/major-tool-deps branch 5 times, most recently from 185bf8a to fac6a0f December 7, 2025 18:50
renovate bot force-pushed the renovate/major-tool-deps branch from fac6a0f to 53410d3 December 11, 2025 07:37
renovate bot force-pushed the renovate/major-tool-deps branch from 53410d3 to 6c3e59b January 7, 2026 22:34
renovate bot (Contributor, Author) commented Jan 7, 2026

ℹ️ Artifact update notice

File name: internal/tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 115 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.7
github.com/securego/gosec/v2 v2.22.10 -> v2.24.8-0.20260309165252-619ce2117e08
golang.org/x/tools v0.39.0 -> v0.42.0
honnef.co/go/tools v0.6.1 -> v0.7.0
deps.dev/api/v3 v3.0.0-20241010035105-b3ba03369df1 -> v3.0.0-20260112033243-1270359b191b
deps.dev/util/maven v0.0.0-20241218001045-3890182485f3 -> v0.0.0-20260112033243-1270359b191b
deps.dev/util/resolve v0.0.0-20241218001045-3890182485f3 -> v0.0.0-20260112033243-1270359b191b
deps.dev/util/semver v0.0.0-20241010035105-b3ba03369df1 -> v0.0.0-20260112033243-1270359b191b
github.com/4meepo/tagalign v1.4.2 -> v1.4.3
github.com/Abirdcfly/dupword v0.1.3 -> v0.1.7
github.com/Antonboom/errname v1.0.0 -> v1.1.1
github.com/Antonboom/nilnil v1.0.1 -> v1.1.1
github.com/Antonboom/testifylint v1.5.2 -> v1.6.4
github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c -> v1.6.0
github.com/CycloneDX/cyclonedx-go v0.9.1 -> v0.9.3
github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 -> v0.1.1
github.com/alecthomas/chroma/v2 v2.14.0 -> v2.23.1
github.com/alexkohler/nakedret/v2 v2.0.5 -> v2.0.6
github.com/alexkohler/prealloc v1.0.0 -> v1.1.0
github.com/alingse/nilnesserr v0.1.2 -> v0.2.0
github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 -> v0.0.0-20250211213226-cce56d595160
github.com/anthropics/anthropic-sdk-go v1.13.0 -> v1.26.0
github.com/bombsimon/wsl/v4 v4.5.0 -> v4.7.0
github.com/breml/bidichk v0.3.2 -> v0.3.3
github.com/breml/errchkjson v0.4.0 -> v0.4.1
github.com/butuzov/ireturn v0.3.1 -> v0.4.0
github.com/catenacyber/perfsprint v0.8.2 -> v0.10.1
github.com/charithe/durationcheck v0.0.10 -> v0.0.11
github.com/charmbracelet/bubbles v0.20.0 -> v0.21.0
github.com/charmbracelet/bubbletea v1.2.2 -> v1.3.10
github.com/charmbracelet/glamour v0.8.0 -> v0.10.0
github.com/charmbracelet/lipgloss v1.0.0 -> v1.1.1-0.20250404203927-76690c660834
github.com/ckaznocha/intrange v0.3.0 -> v0.3.1
github.com/containerd/stargz-snapshotter/estargz v0.15.1 -> v0.16.3
github.com/cpuguy83/go-md2man/v2 v2.0.6 -> v2.0.7
github.com/cyphar/filepath-securejoin v0.5.0 -> v0.6.0
github.com/daixiang0/gci v0.13.5 -> v0.13.7
github.com/dlclark/regexp2 v1.11.4 -> v1.11.5
github.com/docker/cli v27.1.2+incompatible -> v28.3.3+incompatible
github.com/docker/docker-credential-helpers v0.8.2 -> v0.9.3
github.com/firefart/nonamedreturns v1.0.5 -> v1.0.6
github.com/ghostiam/protogetter v0.3.9 -> v0.3.20
github.com/go-critic/go-critic v0.12.0 -> v0.14.3
github.com/go-git/go-git/v5 v5.16.3 -> v5.16.5
github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
github.com/gofrs/flock v0.12.1 -> v0.13.0
github.com/golangci/go-printf-func-name v0.1.0 -> v0.1.1
github.com/golangci/misspell v0.6.0 -> v0.8.0
github.com/golangci/plugin-module-register v0.1.1 -> v0.1.2
github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed -> v0.0.0-20250410112200-a129a6e6413e
github.com/google/go-containerregistry v0.20.2 -> v0.20.6
github.com/gordonklaus/ineffassign v0.1.0 -> v0.2.0
github.com/gostaticanalysis/nilerr v0.1.1 -> v0.1.2
github.com/hashicorp/go-version v1.7.0 -> v1.8.0
github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd -> v0.0.0-20251118225945-96ee0021ea0f
github.com/jedib0t/go-pretty/v6 v6.6.2 -> v6.7.8
github.com/jgautheron/goconst v1.7.1 -> v1.8.2
github.com/jjti/go-spancheck v0.6.4 -> v0.6.5
github.com/karamaru-alpha/copyloopvar v1.2.1 -> v1.2.2
github.com/kisielk/errcheck v1.9.0 -> v1.10.0
github.com/klauspost/compress v1.17.9 -> v1.18.0
github.com/kulti/thelper v0.6.3 -> v0.7.1
github.com/kunwardeep/paralleltest v1.0.10 -> v1.0.15
github.com/ldez/exptostd v0.4.2 -> v0.4.5
github.com/ldez/gomoddirectives v0.6.1 -> v0.8.0
github.com/ldez/grignotin v0.9.0 -> v0.10.1
github.com/ldez/tagliatelle v0.7.1 -> v0.7.2
github.com/ldez/usetesting v0.4.2 -> v0.5.0
github.com/macabu/inamedparam v0.1.3 -> v0.2.0
github.com/maratori/testableexamples v1.0.0 -> v1.0.1
github.com/maratori/testpackage v1.1.1 -> v1.1.2
github.com/mgechev/revive v1.7.0 -> v1.15.0
github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a -> v0.16.0
github.com/nunnatsa/ginkgolinter v0.19.1 -> v0.23.0
github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 -> v0.4.5
github.com/quasilyte/go-ruleguard/dsl v0.3.22 -> v0.3.23
github.com/ryancurrah/gomodguard v1.3.5 -> v1.4.1
github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 -> v6.0.2
github.com/sashamelentyev/usestdlibvars v1.28.0 -> v1.29.0
github.com/sirupsen/logrus v1.9.3 -> v1.9.4
github.com/sonatard/noctx v0.1.0 -> v0.5.0
github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 -> v0.0.0-20250128162952-000978ccd6fb
github.com/spf13/cobra v1.10.1 -> v1.10.2
github.com/stbenjam/no-sprintf-host-port v0.2.0 -> v0.3.1
github.com/tetafro/godot v1.5.0 -> v1.5.4
github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 -> v0.0.0-20241222091800-1db5c5ca4d67
github.com/timonwong/loggercheck v0.10.1 -> v0.11.0
github.com/tomarrell/wrapcheck/v2 v2.10.0 -> v2.12.0
github.com/uudashr/gocognit v1.2.0 -> v1.2.1
github.com/uudashr/iface v1.3.1 -> v1.4.1
github.com/vbatts/tar-split v0.11.5 -> v0.12.1
github.com/xen0n/gosmopolitan v1.2.2 -> v1.3.0
github.com/yuin/goldmark v1.7.4 -> v1.7.12
github.com/yuin/goldmark-emoji v1.0.3 -> v1.0.6
go-simpler.org/musttag v0.13.0 -> v0.14.0
go-simpler.org/sloglint v0.9.0 -> v0.11.1
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.62.0
golang.org/x/crypto v0.44.0 -> v0.48.0
golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f -> v0.0.0-20250711185948-6ae5c78190dc
golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac -> v0.0.0-20260209203927-2842357ff358
golang.org/x/mod v0.30.0 -> v0.33.0
golang.org/x/net v0.47.0 -> v0.51.0
golang.org/x/sync v0.18.0 -> v0.20.0
golang.org/x/sys v0.38.0 -> v0.41.0
golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54 -> v0.0.0-20260209163413-e7419c687ee4
golang.org/x/term v0.37.0 -> v0.40.0
golang.org/x/text v0.31.0 -> v0.34.0
google.golang.org/genai v1.30.0 -> v1.49.0
google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 -> v0.0.0-20260112192933-99fd39fd28a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 -> v0.0.0-20251222181119-0a764e51fe1b
google.golang.org/grpc v1.77.0 -> v1.78.0
google.golang.org/protobuf v1.36.10 -> v1.36.11
gopkg.in/ini.v1 v1.67.0 -> v1.67.1
mvdan.cc/gofumpt v0.7.0 -> v0.9.2
mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f -> v0.0.0-20251027182757-5beb8c8f8f15

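The artifact notice above states what `go get` did to internal/tools/go.mod (two headline packages moved to v2, 115 further modules bumped, the go directive raised), but a reviewer of a major tool-dependency update usually wants to re-derive that list from the two go.mod files and pick out the major bumps hidden among pseudo-version churn. The following is an added example, not Renovate's code and not this repository's: it parses two go.mod texts, matches modules across a /vN path migration (a v1 module and its /v2 successor are different import paths in go.mod), and flags every requirement whose leading version component changed. The sample go.mod contents are constructed from values visible in this PR; the module path example.com/internal/tools and the /v2 import paths for golangci-lint and osv-scanner are assumptions (Go module semantics require the /v2 suffix for a v2+ module, but the PR table shows only the base paths).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ModDelta is one module whose requirement differs between two go.mod files.
// Path has any /vN major suffix stripped; Old or New is "" when absent on that side.
type ModDelta struct{ Path, Old, New string }

// parseGoMod returns the go directive and a module->version map from go.mod text. It handles
// single-line and block require forms, strips "// ..." comments (e.g. "// indirect"), and
// skips module/replace/exclude/retract/tool/toolchain directives and their blocks.
func parseGoMod(gomod string) (goVersion string, reqs map[string]string) {
	reqs = map[string]string{}
	inRequire := false // true while inside a "require ( ... )" block
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//")
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "go" && len(f) == 2:
			goVersion = f[1]
		case f[0] == "require" && len(f) == 3:
			reqs[f[1]] = f[2]
		}
	}
	return goVersion, reqs
}

// basePath strips a trailing /vN path element (v2, v3, ...) so github.com/x/y and
// github.com/x/y/v2 compare as one module. gopkg.in-style ".vN" suffixes are not handled.
func basePath(path string) string {
	last := path[strings.LastIndex(path, "/")+1:]
	if len(last) >= 2 && last[0] == 'v' && strings.Trim(last[1:], "0123456789") == "" {
		return strings.TrimSuffix(path, "/"+last)
	}
	return path
}

// IsMajorBump reports whether the leading vN of the version changed. Pseudo-versions and
// +incompatible versions also start with "vN.", so they are covered by the same rule.
func IsMajorBump(d ModDelta) bool {
	major := func(v string) string { return strings.SplitN(v, ".", 2)[0] }
	return d.Old != "" && d.New != "" && major(d.Old) != major(d.New)
}

// Diff returns both go directives and the sorted list of modules that changed version,
// were added, or were removed, keyed by base path so a /v2 migration is one delta.
func Diff(oldMod, newMod string) (goOld, goNew string, deltas []ModDelta) {
	goOld, oldReqs := parseGoMod(oldMod)
	goNew, newReqs := parseGoMod(newMod)
	byBase := map[string]*ModDelta{}
	for p, v := range oldReqs {
		byBase[basePath(p)] = &ModDelta{Path: basePath(p), Old: v}
	}
	for p, v := range newReqs {
		if byBase[basePath(p)] == nil {
			byBase[basePath(p)] = &ModDelta{Path: basePath(p)}
		}
		byBase[basePath(p)].New = v
	}
	for _, d := range byBase {
		if d.Old != d.New {
			deltas = append(deltas, *d)
		}
	}
	sort.Slice(deltas, func(i, j int) bool { return deltas[i].Path < deltas[j].Path })
	return goOld, goNew, deltas
}

// OldGoMod and NewGoMod are constructed samples modelled on the before/after state of
// internal/tools/go.mod in this PR; the module path and the /v2 import paths are assumed.
const OldGoMod = `module example.com/internal/tools
go 1.24.0
require (
	github.com/golangci/golangci-lint v1.64.8
	github.com/google/osv-scanner v1.9.2
	github.com/securego/gosec/v2 v2.22.10 // indirect
)
`

const NewGoMod = `module example.com/internal/tools
go 1.25.7
require (
	github.com/golangci/golangci-lint/v2 v2.11.3
	github.com/google/osv-scanner/v2 v2.3.3
	github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08 // indirect
)
`

func main() {
	goOld, goNew, deltas := Diff(OldGoMod, NewGoMod)
	fmt.Printf("go directive: %s -> %s\n", goOld, goNew)
	for _, d := range deltas {
		fmt.Printf("%-36s %s -> %s  major=%t\n", d.Path, d.Old, d.New, IsMajorBump(d))
	}
}
```

To audit a real Renovate PR, feed Diff the go.mod from main and from the branch; the output is the same kind of list as the artifact notice, with the major bumps marked. Note the limit of this check: a go.mod diff says which versions changed, not that the modules fetched match the recorded checksums; that is what `go mod verify` is for, and it belongs in the same review.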
renovate bot force-pushed the renovate/major-tool-deps branch from 6c3e59b to e9e857f on January 15, 2026 03:12
renovate bot force-pushed the renovate/major-tool-deps branch 3 times, most recently from b227f1a to a93043d on February 17, 2026 17:50
renovate bot force-pushed the renovate/major-tool-deps branch 2 times, most recently from 76021d8 to 50f18f6 on March 7, 2026 22:37
renovate bot force-pushed the renovate/major-tool-deps branch from 50f18f6 to 35d1809 on March 10, 2026 10:57