
fix(deps): update vulnfeeds-go major (major)#4790

Open
renovate-bot wants to merge 1 commit into google:master from renovate-bot:renovate/major-vulnfeeds-go-major

Conversation

@renovate-bot renovate-bot commented Feb 10, 2026

This PR contains the following updates:

Package                             Change
github.com/charmbracelet/lipgloss   v1.1.0 -> v2.0.0
github.com/google/osv-scanner       v1.9.2 -> v2.3.3
gopkg.in/yaml.v2                    v2.4.0 -> v3.0.1

Release Notes

charmbracelet/lipgloss (github.com/charmbracelet/lipgloss)

v2.0.0


Do you think you can handle Lip Gloss v2?

We’re really excited for you to try Lip Gloss v2! Read on for new features and a guide to upgrading.

If you (or your LLM) just want the technical details, take a look at Upgrade Guide.

[!NOTE]
We take API changes seriously and strive to make the upgrade process as simple as possible. We believe the changes bring necessary improvements as well as pave the way for the future. If something feels way off, let us know.

What’s new?

The big changes are that Styles are now deterministic (λipgloss!) and you can be much more intentional with your inputs and outputs. Why does this matter?

Playing nicely with others

v2 gives you precise control over I/O. One of the issues we saw with the Lip Gloss and Bubble Tea v1s is that they could fight over the same inputs and outputs, producing lock-ups. The v2s now operate in lockstep.

Querying the right inputs and outputs

In v1, Lip Gloss defaulted to looking at stdin and stdout when downsampling colors and querying for the background color. This was not always necessarily what you wanted. For example, if your application was writing to stderr while redirecting stdout to a file, the program would erroneously think output was not a TTY and strip colors. Lip Gloss v2 gives you control over this.

Going beyond localhost

Did you know TUIs and CLIs can be served over the network? For example, Wish allows you to serve Bubble Tea and Lip Gloss over SSH. In these cases, you need to work with the input and output of the connected clients as opposed to stdin and stdout, which belong to the server. Lip Gloss v2 gives you flexibility around this in a more natural way.

🧋 Using Lip Gloss with Bubble Tea?

Make sure you get all the latest v2s as they’ve been designed to work together.

# Collect the whole set.
go get charm.land/bubbletea/v2
go get charm.land/bubbles/v2
go get charm.land/lipgloss/v2

🐇 Quick upgrade

Don't have time for changes and just want to upgrade to Lip Gloss v2 as fast as possible? Here’s a quick guide:

Use the compat package

The compat package provides adaptive colors, complete colors, and complete adaptive colors:

import "charm.land/lipgloss/v2/compat"

// Before
color := lipgloss.AdaptiveColor{Light: "#f1f1f1", Dark: "#cccccc"}

// After
color := compat.AdaptiveColor{Light: lipgloss.Color("#f1f1f1"), Dark: lipgloss.Color("#cccccc")}

compat works by looking at stdin and stdout on a global basis. Want to change the inputs and outputs? Knock yourself out:

import (
	"os"

	"charm.land/lipgloss/v2"
	"charm.land/lipgloss/v2/compat"
	"github.com/charmbracelet/colorprofile"
)

func init() {
	// Let’s use stderr instead of stdout.
	// HasDarkBackground returns (bool, error); keep compat's default when the
	// query fails (for example when stderr is not a terminal).
	if dark, err := lipgloss.HasDarkBackground(os.Stdin, os.Stderr); err == nil {
		compat.HasDarkBackground = dark
	}
	compat.Profile = colorprofile.Detect(os.Stderr, os.Environ())
}

Use the new Lip Gloss writer

If you’re using Bubble Tea with Lip Gloss you can skip this step. If you're using Lip Gloss in a standalone fashion, however, you'll want to use lipgloss.Println (and lipgloss.Printf and so on) when printing your output:

s := someStyle.Render("Fancy Lip Gloss Output")

// Before
fmt.Println(s)

// After
lipgloss.Println(s)

Why? Because lipgloss.Println will automatically downsample colors based on the environment.

That’s it!

Yep, you’re done. All this said, we encourage you to read on to get the full benefit of v2.

👀 What’s changing?

Only a couple of main things are changing in Lip Gloss v2:

  • Color downsampling in non-Bubble-Tea use cases is now a manual process (don't worry, it's easy)
  • Background color detection and adaptive colors are manual and intentional (but optional)

🪄 Downsampling colors with a writer

One of the best things about Lip Gloss is that it can automatically downsample colors to the best available profile, stripping colors (and ANSI) entirely when output is not a TTY.

If you're using Lip Gloss with Bubble Tea there's nothing to do here: downsampling is built into Bubble Tea v2. If you're not using Bubble Tea you now need to use a writer to downsample colors. Lip Gloss writers are a drop-in replacement for the usual functions found in the fmt package:

s := someStyle.Render("Hello!")

// Downsample and print to stdout.
lipgloss.Println(s)

// Render to a variable.
downsampled := lipgloss.Sprint(s)

// Print to stderr.
lipgloss.Fprint(os.Stderr, s)

🌛 Background color detection and adaptive colors

Rendering different colors depending on whether the terminal has a light or dark background is an awesome power. Lip Gloss v2 gives you more control over this process. This especially matters when input and output are not stdin and stdout.

If that doesn’t matter to you and you're only working with stdout, you can skip this via compat above, though we encourage you to explore this new functionality.

With Bubble Tea

In Bubble Tea, request the background color, listen for a BackgroundColorMsg in your update, and respond accordingly.

import (
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
)

// The model holds the styles built once the background color is known
// (its View method is omitted from this excerpt).
type model struct {
	styles styles
}

// Query for the background color.
func (m model) Init() tea.Cmd {
	return tea.RequestBackgroundColor
}

// Listen for the response and initialize your styles accordingly.
func (m model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
	switch msg := msg.(type) {
	case tea.BackgroundColorMsg:
		// Initialize your styles now that you know the background color.
		m.styles = newStyles(msg.IsDark())
		return m, nil
	}
	return m, nil
}

type styles struct {
	myHotStyle lipgloss.Style
}

func newStyles(bgIsDark bool) styles {
	lightDark := lipgloss.LightDark(bgIsDark) // just a helper function
	return styles{
		// LightDarkFunc takes color.Color values, so wrap the hex strings in lipgloss.Color.
		myHotStyle: lipgloss.NewStyle().Foreground(lightDark(lipgloss.Color("#f1f1f1"), lipgloss.Color("#333333"))),
	}
}

Standalone

If you're not using Bubble Tea you can simply perform the query manually:

package main

import (
	"log"
	"os"

	"charm.land/lipgloss/v2"
)

func main() {
	// Detect the background color. Notice we're writing to stderr.
	hasDarkBG, err := lipgloss.HasDarkBackground(os.Stdin, os.Stderr)
	if err != nil {
		log.Fatal("Oof:", err)
	}

	// Create a helper for choosing the appropriate color.
	lightDark := lipgloss.LightDark(hasDarkBG)

	// Declare some colors (LightDarkFunc takes color.Color values).
	thisColor := lightDark(lipgloss.Color("#C5ADF9"), lipgloss.Color("#864EFF"))
	thatColor := lightDark(lipgloss.Color("#37CD96"), lipgloss.Color("#22C78A"))

	// Render some styles.
	a := lipgloss.NewStyle().Foreground(thisColor).Render("this")
	b := lipgloss.NewStyle().Foreground(thatColor).Render("that")

	// Print to stderr.
	lipgloss.Fprintf(os.Stderr, "my fave colors are %s and %s...for now.", a, b)
}

🥕 Other stuff

Colors are now color.Color

lipgloss.Color() now produces an idiomatic color.Color, whereas before colors were type lipgloss.TerminalColor. Generally speaking, this is more of an implementation detail, but it’s worth noting the structural differences.

// Before
type TerminalColor interface{/* ... */}
type Color string

// After
func Color(string) color.Color
type RGBColor struct{R, G, B uint8}

func LightDark(isDark bool) LightDarkFunc
type LightDarkFunc func(light, dark color.Color) color.Color
func Complete(colorprofile.Profile) CompleteFunc
type CompleteFunc func(ansi, ansi256, truecolor color.Color) color.Color

Changelog

New!
  • b259725e46e9fbb2af6673d74f26917ed42df370: feat(blending): early return when steps <= num stops (#​566) (@​lrstanley)
  • 71dd8ee66ac1f4312844a792952789102513c9c5: feat(borders): initial border blend implementation (#​560) (@​lrstanley)
  • 2166ce88ec1cca66e8a820a86baafd7cfd34bcd0: feat(canvas): accept any type as layer content (@​aymanbagabas)
  • 0303864674b37235e99bc14cd4da17c409ec448e: feat(colors): refactor colors sub-package into root package (@​lrstanley)
  • 9c86c1f950fbfffd6c56a007de6bd3e61d67a1ea: feat(colors): switch from int to float64 for inputs (@​lrstanley)
  • 0334bb4562ca1f72a684c1c2a63c848ac21fffc6: feat(tree): support width and indenter styling (#​446) (@​dlvhdr)
  • 9a771f5a242df0acf862c7acd72124469eb4635a: feat: BlendLinear* -> Blend* (@​lrstanley)
  • 34443e82a7ddcbe37b9dc0d69b84385e400b8a5c: feat: add brightness example, misc example tweaks (@​lrstanley)
  • c95c5f3c5b27360d344bf82736a8ce9257aaf71e: feat: add hyperlink support (#​473) (@​aymanbagabas)
  • 5e542b8c69a0f20ea62b2caa422bbee5337fbb48: feat: add underline style and color (@​aymanbagabas)
  • d3032608aa74f458a7330e17cc304f1ebb5fa1b9: feat: add wrap implementation preserving styles and links (#​582) (@​aymanbagabas)
  • 7bf18447c8729839ca7e79aa3ba9aa00ecb8f963: feat: further simplify colors in examples (@​lrstanley)
  • 27a8cf99a81d1bd5ab875cd773ac8647320b02ba: feat: implement uv Drawable for Canvas and Layer (@​aymanbagabas)
  • c4c08fc4f8a107b00bc54407ad9094b9642dd103: feat: implement uv.Drawable for *Layer (#​607) (@​ayn2op)
  • 18b4bb86c515f93eede5720fe66b0d9ba83fa489: feat: initial implementation of color blending & brightness helpers (@​lrstanley)
  • 63610090044b782caa8ce8b1b53cc81b98264eaa: feat: update examples/layout to use colors.BlendLinear1D (@​lrstanley)
  • de4521b8baa33c49a96e9458e9d9213c7ba407bd: feat: update examples/list/sublist to use colors.BlendLinear1D (@​lrstanley)
  • 1b3716cc53b5cc29c2b1b0c655a684b797fef075: feat: use custom hex parsing for increased perf (@​lrstanley)
Fixed
  • 06ca257e382fa107afcfe147c9cda836b3cdb4be: fix(canvas): Hit method should return Layer ID as string instead of *Layer (@​aymanbagabas)
  • d1fa8790efbd70df8b0dd8bd139434f3ac6e063b: fix(canvas): handle misc edge cases (#​588) (@​lrstanley)
  • 7869489d8971e2e3a8de8e0a4a1e1dfe4895a352: fix(canvas): simplify Render handling (@​aymanbagabas)
  • 68f38bdee72b769ff9c137a4097d9e64d401b703: fix(ci): use local golangci config (@​aymanbagabas)
  • ff11224963a33f6043dfb3408e67c7fea7759f34: fix(color): update deprecated types (@​aymanbagabas)
  • 3f659a836c78f6ad31f5652571007cb4ab9d1eb8: fix(colors): update examples to use new method locations (@​lrstanley)
  • 3248589b24c9894694be6d1862817acb77e119cc: fix(layers): allow recursive rendering for layers that only contain children (#​589) (@​lrstanley)
  • 6c33b19c3f0a1e7d50ce9028ef4bda3ca631cd68: fix(lint): remove nolint:exhaustive comments and ignore var-naming rule for revive (@​aymanbagabas)
  • d267651963ad3ba740b30ecf394d7a5ef86704fc: fix(style): use alias for Underline type from ansi package (@​aymanbagabas)
  • 76690c6608346fc7ef09db388ee82feaa7920630: fix(table): fix wrong behavior of headers regarding margins (#​513) (@​andreynering)
  • 41ff0bf215ea2a444c5161d0bd7fa38b4a70af27: fix(terminal): switch to uv.NewCancelReader for Windows compatibility (@​aymanbagabas)
  • 5d69c0e790f24cbfaa94f8f8b2b64d1bb926c96d: fix: ensure we strip out \r\n from strings when getting lines (@​aymanbagabas)
  • 2e570c2690b61bac103e7eef9da917d1dfc6512d: fix: linear-2d example (@​lrstanley)
  • 0d6a022f7d075e14d61a755b3e9cab9d97519f21: fix: lint issues (@​aymanbagabas)
  • 832bc9d6b9d209e002bf1131938ffe7dbba07652: fix: prevent infinite loop with zero-width whitespace chars (#​108) (#​604) (@​calobozan)
  • 354e70d6d0762e6a54cfc45fe8d019d6087a4c00: fix: rename underline constants to be consistent with other style properties (@​raphamorim)
Docs
  • 60df47f8000b6cb5dfec46af37bceb2c9050bef0: docs(readme): cleanup badges (@​meowgorithm)
  • 881a1ffc54b6afb5f22ead143d10f8dce05e7e66: docs(readme): update art (@​meowgorithm)
  • ee74a03efa8363cf3b17ee7a128b9825c8f3791e: docs(readme): update footer art and copyright date (@​meowgorithm)
  • 8863cc06da67b8ef9f4b6f80c567738fa53bd090: docs(readme): update header image (@​meowgorithm)
  • 4e8ca2d9f045d6bca78ee0150420e26cda8bcccf: docs: add underline styles and colors caveats (@​aymanbagabas)
  • a8cfc26d7de7bdb335a8c7c2f0c8fc4f18ea8993: docs: add v2 upgrade and changes guide (#​611) (@​aymanbagabas)
  • 454007a0ad4e8b60afc1f6fdc3e3424e4d3a4c16: docs: update comments in for GetPaddingChar and GetMarginChar (@​aymanbagabas)
  • 95f30dbdc90cc409e8645de4bd2296a33ba37c70: docs: update mascot header image (@​aymanbagabas)
  • a06a847849dbd1726c72047a98ab8cce0f73a65f: docs: update readme in prep for v2 (#​613) (@​aymanbagabas)
Other stuff
  • 5ca0343ec7be2e85521e79734f4392cdb19e4949: Fix(table): BorderRow (#​514) (@​bashbunni)
  • f2d1864a58cd455ca118e04123feae177d7d2eef: Improve performance of maxRuneWidth (#​592) (@​clipperhouse)
  • 10c048e361129dd601eb6ff8c0c2458814291156: Merge v2-uv-canvas into v2-exp (@​aymanbagabas)
  • d02a007bb19e14f6bf351ed71a47beb6bee9cae3: ci: sync dependabot config (#​521) (@​charmcli)
  • 8708a8925b60c610e68b9aa6e509ebd513a8244e: ci: sync dependabot config (#​561) (@​charmcli)
  • 7d1b622c64d1a68cdc94b30864ae5ec3e6abc2dd: ci: sync dependabot config (#​572) (@​charmcli)
  • 19a4b99cb3bbbd2ab3079adc500faa1875da87e8: ci: sync golangci-lint config (@​aymanbagabas)
  • a6c079dc8a3fc6e68a00214a767627ec8447adb5: ci: sync golangci-lint config (@​aymanbagabas)
  • 350edde4903bcc2eee5a8ce1552dd90c3b89c125: ci: sync golangci-lint config (#​553) (@​github-actions[bot])
  • 1e3ee3483a907facd98ca0a56f6694a0e9365f26: ci: sync golangci-lint config (#​598) (@​github-actions[bot])
  • e729228ac14e63057e615a2241ce4303d59fef08: lint: fix lint for newer go versions (#​540) (@​andreynering)
  • 66093c8cf3b79596597c1e39fd4c67a954010fb3: perf: remove allocations from getFirstRuneAsString (#​578) (@​clipperhouse)
  • ad876c4132d61951d091a1a535c27237f6a90ad6: refactor: new Canvas, Compositor, and Layer API (#​591) (@​aymanbagabas)
  • 3aae2866142214f5b8ce9cbfc1939645928dcb8f: refactor: update imports to use charm.land domain (@​aymanbagabas)

🌈 Feedback

That's a wrap! Feel free to reach out, ask questions, and let us know how it's going. We'd love to know what you think.



google/osv-scanner (github.com/google/osv-scanner)

v2.3.3

Misc:
  • Update Go version to 1.25.7.
  • Update osv-scalibr from v0.4.1 to v0.4.2. Release note.
  • Refactor to better align with osv-scalibr plugins and inventory data structure.

v2.3.2


This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:
  • Bug #​2415 Add more PURL-to-ecosystem mappings
  • Bug #​2422 MCP error for get_vulnerability_id because type definition is incorrect.
  • Bug #​2460 Enable osv-scanner.json git queries
  • Bug #​2456 Properly track if an ignore entry has been used
  • Bug #​2450 Performance: Avoid loading the entire advisory unless it will actually be used
  • Bug #​2445 Performance: Don't read the entire zip into memory
  • Bug #​2433 Allow specifying user agent in v2 osvscanner package

v2.3.1


Features:
  • Feature #​2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.
Fixes:
  • Bug #​2395 Fix license scanning to correctly match new deps.dev package names.
  • Bug #​2333 Deduplicate SARIF outputs for GitHub.
  • Bug #​2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.
Misc:
  • Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

v2.3.0


This release migrates to the new osv.dev and osv-schema proto bindings for its internal data models (#​2328). This is primarily an internal change and should not impact users.


v2.2.4


Features:
  • Feature #​2256 Add experimental OSV-Scanner MCP server. (osv-scanner experimental-mcp)
  • Feature #​2284 Update osv-scalibr integration, replacing baseimagematch with the base image enricher.
  • Feature #​2216 Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes #​2206).

v2.2.3


Features:
  • Feature #​2209 Add support for resolving git packages that have a version specified.
  • Feature #​2210 Make the --experimental-plugins flag additive by default, and introduce a new --experimental-no-default-plugins flag.
  • Feature #​2203 Update osv-scalibr to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.
Fixes:
  • Bug #​2214 Fix issue where input.Path was incorrectly constructed on Windows when using the -L flag.
  • Fix #​2241 Performance: Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.

v2.2.2


Features:
  • Feature #​2113 Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.
  • Feature #​2177 Automatically parse osv-scanner-custom.json files as osv-scanner.json custom lockfiles.
Fixes:
  • Bug #​2204 Add a warning to guide users to the correct GitHub Action.
  • Bug #​2202 Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.
  • Bug #​2188 Fix handling of absolute paths on Windows.

v2.2.1


v2.2.0


OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (--experimental-plugins, see details here)!

Fixes:
  • Bug #​2141 Fix OSV-Scanner json scans not matching with correct ecosystem.
  • Bug #​2084 Show absolute paths when scanning containers.
  • Bug #​2126 Log and preserve package count before continuing on db error.
  • Bug #​2095 Pass through plugin capabilities correctly.
  • Bug #​2051 Properly flag if running on Linux or Mac OSs for plugin compatibility.
  • Bug #​2072 Add missing "text" property in description fields.
  • Bug #​2068 Change links in output to go to the specific vulnerability page instead of the list page.
  • Bug #​2064 Fix SARIF v3 output to include results.

v2.1.0


Features:
  • Feature #​2038 Add CycloneDX location field to the output source string.
  • Feature #​2036 Include upstream source information in vulnerability grouping to improve accuracy.
  • Feature #1970 Hide unimportant vulnerabilities by default to reduce noise, and add a --show-all-vulns flag to show all.
  • Feature #​2003 Add experimental summary output format for the reporter.
  • Feature #​1988 Add support for CycloneDX 1.6 report format.
  • Feature #​1987 Add support for gems.locked files used by Bundler.
  • Feature #​1980 Enable transitive dependency extraction for Python requirements.txt files.
  • Feature #​1961 Deprecate the --sbom flag in favor of the existing -L/--lockfile flag for scanning SBOMs.
  • Feature #​1963 Stabilize various experimental fields in the output by moving them out of the experimental struct.
  • Feature #​1957 Use a dedicated exit code for invalid configuration files.
Fixes:
  • Bug #​2046 Correctly set the user agent string for all outgoing requests.
  • Bug #​2019 Use more natural language in the descriptions for extractor-related flags.
  • Bug #​1982 Correctly parse Ubuntu package information with suffixes (e.g. :Pro, :LTS).
  • Bug #​2000 Ensure CDATA content in XML is correctly outputted in guided remediation.
  • Bug #​1949 Fix filtering of package types in vulnerability counts.

v2.0.3


Features:
  • Feature #​1943 Added a flag to suppress "no package sources found" error.
  • Feature #​1844 Allow flags to be passed after scan targets, e.g. osv-scanner ./scan-this-dir --format=vertical, by updating to cli/v3
  • Feature #​1882 Added a stable tag to container images for releases that follow semantic versioning.
  • Feature #​1846 Experimental: Add --experimental-extractors and --experimental-disable-extractors flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.
Fixes:
  • Bug #​1856 Improve XML output by guessing and matching the indentation of existing <dependency> elements.
  • Bug #​1850 Prevent escaping of single quotes in XML attributes for better readability and correctness.
  • Bug #​1922 Prevent a potential panic in MatchVulnerabilities when the API response is nil, particularly on timeout.
  • Bug #​1916 Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.
  • Bug #​1871 Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.
  • Bug #​1919 Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.
  • Bug #​1857 Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.
  • Bug #​1873 Fix the GitHub Action to not ignore general errors during execution.
  • Bug #​1955 Fix issue causing error messages to be spammed when not running in a git repository.
  • Bug #​1930 Fix issue where Maven client loses auth data during extraction.
Misc:
  • Update dependencies and update golang to 1.24.4

v2.0.2


Fixes:
  • Bug #​1842 Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • Bug #​1806 Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • Fix #​1825, #​1809, #​1805, #​1803, #​1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

v2.0.1


Features:
  • Feature #​1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • Feature #​1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • Feature #1761 Improve output when scanning for OS packages; we now show binary packages associated with a source package in the table output.
Fixes:
  • Bug #​1752 Fix paging depth issue when querying the osv.dev API.
  • Bug #​1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
  • Bug #​1717 Fix issue where nested CycloneDX components were not being parsed.
  • Bug #1744 Fix issue where empty CycloneDX SBOMs were causing a panic.
  • Bug #​1726 De-duplicate references in CycloneDX report output for improved validity.
  • Bug #​1727 Remove automatic opening of HTML reports in the browser (fixes #​1721).
  • Bug #​1735 Require a tag when scanning container images to prevent potential errors.

v2.0.0


This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:
  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:
    • Severity breakdown, package/ID/importance filtering, vulnerability details.
    • Container image layer filtering, layer info, base image identification.
    • Usage: osv-scanner scan --serve ...
  • Guided Remediation for Maven pom.xml:
    • Remediate direct and transitive dependencies (non-interactive mode).
    • New override remediation strategy.
    • Support for reading/writing pom.xml and parent POM files.
    • Private registry support for Maven metadata.
    • Machine-readable output for guided remediation.
  • Enhanced Dependency Extraction with osv-scalibr:
    • Haskell: cabal.project.freeze, stack.yaml.lock
    • .NET: deps.json
    • Python: uv.lock
    • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
  • Feature #​1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
  • Feature #​1582 Add container scanning information to vertical output format.
  • Feature #​1587 Add support for severity in SARIF report format.
  • Feature #​1569 Add support for bun.lock lockfiles.
  • Feature #​1547 Add experimental config support to the scan image command.
  • Feature #​1557 Allow setting port number with --serve using the new --port flag.
Breaking Changes:
  • Feature #​1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
  • Feature #​1670 Removed the --verbosity=verbose verbosity level.
  • Feature #​1673 & Feature #​1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
  • Feature #​1651 Multiple license flags have been merged into a single --license flag.
  • Feature #​1666 API: reporter removed; logging now uses slog, which can be overridden.
  • Feature #​1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).
Improvements:
  • Feature #​1561 Updated HTML report for better contrast and usability (from beta2).
  • Feature #​1584 Make skipping the root git repository the default behavior (from beta2).
  • Feature #​1648 Updated HTML report styling to improve contrast (from rc1).
Fixes:
  • Fix #​1598 Fix table output vulnerability ordering.
  • Fix #​1616 Filter out Ubuntu unimportant vulnerabilities.
  • Fix #​1585 Fixed issue where base images are occasionally duplicated.
  • Fix #​1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
  • Fix #​1566 Fixed issue where offline scanning returns different results from online scanning.
  • Fix #​1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

go-yaml/yaml (gopkg.in/yaml.v2)

v3.0.1


v3.0.0



Configuration

📅 Schedule: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Feb 10, 2026

forking-renovate bot commented Feb 10, 2026

ℹ️ Artifact update notice

File name: vulnfeeds/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated

Details:

Package Change
github.com/charmbracelet/lipgloss v1.1.0 -> v1.1.1-0.20250404203927-76690c660834
github.com/ProtonMail/go-crypto v1.1.6 -> v1.3.0
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc -> v0.3.1
github.com/charmbracelet/x/ansi v0.8.0 -> v0.10.1
github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd -> v0.0.13
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.6.0
github.com/pjbgf/sha1cd v0.3.2 -> v0.4.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.62.0

@renovate-bot renovate-bot force-pushed the renovate/major-vulnfeeds-go-major branch 2 times, most recently from ecaa3f3 to 534f6a3 Compare February 12, 2026 16:38
@Ly-Joey Ly-Joey added the cleanup Code hygiene and cleanup label Feb 16, 2026
@renovate-bot renovate-bot force-pushed the renovate/major-vulnfeeds-go-major branch 4 times, most recently from edf1982 to afca1f3 Compare February 24, 2026 17:53
@forking-renovate

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: vulnfeeds/go.sum
Command failed: go get -t ./...
go: github.com/charmbracelet/lipgloss/v2@v2.0.0: parsing go.mod:
	module declares its path as: charm.land/lipgloss/v2
	        but was required as: github.com/charmbracelet/lipgloss/v2
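The `go get` failure above is the Go toolchain refusing a require whose path differs from the path the dependency's own go.mod declares: lipgloss v2.0.0 is published as charm.land/lipgloss/v2 (as the release notes in the PR body say), not github.com/charmbracelet/lipgloss/v2, so the require and every import must use the charm.land path. As an added example (not part of this PR, of Renovate, or of any project named here), the stdlib-only Go program below replays that check offline on constructed go.mod text; the module name example.com/vulnfeeds, the embedded go.mod contents and the helper names (findMismatches, requiredModules, declaredModulePath) are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Mismatch is a require entry whose path differs from the path the dependency's own go.mod declares.
type Mismatch struct {
	Required, Declared, Version string
}

// requiredModules parses the require directives of go.mod text (single-line and block form): path -> version.
func requiredModules(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue // module, go, replace, ... are not require directives
		}
		if f := strings.Fields(line); len(f) >= 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// declaredModulePath returns the path from a go.mod "module" directive ("" if absent).
func declaredModulePath(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == "module" {
			return strings.Trim(f[1], `"`)
		}
	}
	return ""
}

// findMismatches replays the toolchain's check offline: each required path is compared
// with the path declared by that dependency's go.mod (supplied keyed by the required path).
func findMismatches(consumer string, depGomods map[string]string) []Mismatch {
	var ms []Mismatch
	for path, ver := range requiredModules(consumer) {
		decl := declaredModulePath(depGomods[path]) // "" when no go.mod was supplied
		if decl != "" && decl != path {
			ms = append(ms, Mismatch{Required: path, Declared: decl, Version: ver})
		}
	}
	return ms
}

// Constructed consumer go.mod modelled on the failing update in this PR.
const consumerGomod = `module example.com/vulnfeeds

require (
	github.com/charmbracelet/lipgloss/v2 v2.0.0 // indirect
	gopkg.in/yaml.v3 v3.0.1
)
`

// Constructed stand-ins for the dependencies' own go.mod files; lipgloss v2.0.0
// declares the charm.land path, as its release notes above state.
var depGomods = map[string]string{
	"github.com/charmbracelet/lipgloss/v2": "module charm.land/lipgloss/v2\n",
	"gopkg.in/yaml.v3":                     "module gopkg.in/yaml.v3\n",
}

func main() {
	for _, m := range findMismatches(consumerGomod, depGomods) {
		fmt.Printf("%s@%s declares its path as %s\n", m.Required, m.Version, m.Declared)
	}
}
```

The same path comparison is what makes a dependency-bot PR like this one safe to review: a require whose path no longer matches the module's declaration will never build, and the fix is to change the path on both the require line and the imports rather than to force the old one.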

@renovate-bot renovate-bot force-pushed the renovate/major-vulnfeeds-go-major branch from afca1f3 to 2c18a25 Compare February 25, 2026 11:56