fix(deps): update osv-scanner minor

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
deps.dev/api/v3	v3.0.0-20251104021112-20ad94767ddf -> v3.0.0-20251127011616-f763ce91ff53			require	patch
deps.dev/api/v3alpha	20ad947 -> f763ce9			require	digest
deps.dev/util/maven	20ad947 -> f763ce9			require	digest
deps.dev/util/resolve	20ad947 -> f763ce9			require	digest
deps.dev/util/semver	20ad947 -> f763ce9			require	digest
github.com/gkampitakis/go-snaps	v0.5.15 -> v0.5.17			require	patch
github.com/go-git/go-git/v5	v5.16.3 -> v5.16.4			require	patch
github.com/goccy/go-yaml	v1.18.0 -> v1.19.0			require	minor
github.com/ianlancetaylor/demangle	68c556c -> 96ee002			require	digest
github.com/ossf/osv-schema/bindings/go	9fb6c88 -> ec7a519			require	digest
google.golang.org/grpc	v1.76.0 -> v1.77.0			require	minor
osv.dev/bindings/go	43ef4fb -> 393b8fb			require	digest

---

Release Notes

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

v0.5.17

Compare Source

v0.5.16

Compare Source

What's Changed

• fix: don't drop /r character when scanning by @​gkampitakis in #​139
• chore: replace vendored go-diff with upstream by @​gkampitakis in #​143
• chore: update golangci-lint to v2 by @​G-Rath in #​141
• fix: detect no_color support by @​gkampitakis in #​123
• experimenting with inline snapshot support by @​gkampitakis in #​70

Full Changelog: gkampitakis/go-snaps@v0.5.15...v0.5.16

go-git/go-git (github.com/go-git/go-git/v5)

v5.16.4

Compare Source

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in #​1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in #​1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

goccy/go-yaml (github.com/goccy/go-yaml)

v1.19.0: 1.19.0

Compare Source

What's Changed

• Revert "feat: Dont make copies of structs for validation" by @​shuheiktgw in #​763
• Add decode option that allows specific field prefixes by @​cpuguy83 in #​795
• Normalize CR and CRLF in multi-line strings by @​shuheiktgw in #​754
• Support non string map keys by @​shuheiktgw in #​756
• Skip directive in path operations by @​shuheiktgw in #​758
• Add indentation to flow values on new lines by @​shuheiktgw in #​759
• Add support for RawMessage, similar to json.RawMessage by @​thanethomson in #​790

New Contributors

• @​cpuguy83 made their first contribution in #​795
• @​thanethomson made their first contribution in #​790

Full Changelog: goccy/go-yaml@v1.18.0...v1.19.0

grpc/grpc-go (google.golang.org/grpc)

v1.77.0: Release 1.77.0

Compare Source

API Changes

• mem: Replace the Reader interface with a struct for better performance and maintainability. (#​8669)

Behavior Changes

• balancer/pickfirst: Remove support for the old pick_first LB policy via the environment variable GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false. The new pick_first has been the default since v1.71.0. (#​8672)

Bug Fixes

• xdsclient: Fix a race condition in the ADS stream implementation that could result in resource-not-found errors, causing the gRPC client channel to move to TransientFailure. (#​8605)
• client: Ignore HTTP status header for gRPC streams. (#​8548)
• client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. (#​8534)
  • Special Thanks: @​jgold2-stripe
• client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
  • Setting environment variable GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false disables this change; please file a bug if any problems are encountered as we will remove this option soon. (#​8613)
• balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. (#​8611)
• server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. (#​8573)
  • Special Thanks: @​hugehoo
• balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to pick_first but don't set endpoints. (#​8610)
• mem: Clear large buffers before re-using. (#​8670)

Performance Improvements

• transport: Reduce heap allocations to reduce time spent in garbage collection. (#​8624, #​8630, #​8639, #​8668)
• transport: Avoid copies when reading and writing Data frames. (#​8657, #​8667)
• mem: Avoid clearing newly allocated buffers. (#​8670)

New Features

• outlierdetection: Add metrics specified in gRFC A91. (#​8644)
  • Special Thanks: @​davinci26, @​PardhuKonakanchi
• stats/opentelemetry: Add support for optional label grpc.lb.backend_service in per-call metrics (#​8637)
• xds: Add support for JWT Call Credentials as specified in gRFC A97. Set environment variable GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true to enable this feature. (#​8536)
  • Special Thanks: @​dimpavloff
• experimental/stats: Add support for up/down counters. (#​8581)

---

Configuration

📅 Schedule: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 8 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/compute/metadata	v0.8.4 -> v0.9.0
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.38.0
golang.org/x/oauth2	v0.30.0 -> v0.32.0
google.golang.org/genproto/googleapis/api	v0.0.0-20251111163417-95abcf5c77ba -> v0.0.0-20251124214823-79d6a2a48846
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251103181224-f26f9409b101 -> v0.0.0-20251111163417-95abcf5c77ba

[cuixq]

it seems https://github.com/jedib0t/go-pretty/releases/tag/v6.7.4 brings in the style change

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.46%. Comparing base (7bfb2ad) to head (86a7aaf).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2365      +/-   ##
==========================================
- Coverage   67.71%   67.46%   -0.25%     
==========================================
  Files         172      172              
  Lines       13147    13147              
==========================================
- Hits         8902     8870      -32     
- Misses       3549     3573      +24     
- Partials      696      704       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[G-Rath]

The remaining CI failure is related to the go-snaps update, which I'm also getting on osv-detector - I'll dig into it