
chore(deps): bump osv-scanner to v2.3.8 and update indirect dependencies #592

Open: tolzhabayev wants to merge 3 commits into main from chore/bump-osv-scanner-v2.3.8


@tolzhabayev
Contributor

Summary

  • Bumps github.com/google/osv-scanner/v2 from v2.3.1 to v2.3.8
  • Updates all indirect dependencies pulled in transitively (docker, containerd, moby, go-containerregistry, etc.)
  • Go toolchain version in go.mod bumped from 1.25.5 → 1.26.2 (required by osv-scanner v2.3.8)

Test plan

  • go build ./... succeeds
  • go test ./pkg/analysis/passes/osvscanner/... passes

@tolzhabayev tolzhabayev requested a review from a team as a code owner May 20, 2026 15:15
@tolzhabayev tolzhabayev self-assigned this May 20, 2026
@tolzhabayev tolzhabayev moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team May 20, 2026

Stay on osv-scanner v2.3.3 (last release still compatible with Go 1.25)
to avoid the v2.3.4+ jump to Go 1.26, which golangci-lint cannot lint
against until a Go-1.26-built release ships. Bump golangci-lint to the
current latest (v2.12.2) at the same time.

@tolzhabayev tolzhabayev force-pushed the chore/bump-osv-scanner-v2.3.8 branch from 6f7c3df to 9345865 Compare May 22, 2026 10:11

The install.sh on master hard-codes a checksum for the latest release,
so passing an older version arg causes a sha256 mismatch. Pin the
script to the same tag as the requested version.

osv-scanner v2.3.3 requires go >= 1.25.7, but the previous pinned digest
of golang:1.25-alpine3.22 shipped go 1.25.6. Refresh the digest to the
current floating tag (go 1.25.10).