From 22e78c7be17479a6a03212be071894246052abb1 Mon Sep 17 00:00:00 2001
From: "anchore-actions-token-generator[bot]" <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 12:17:09 -0400
Subject: [PATCH] chore(deps): update tools to latest versions (#4630)

* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(lint): fix errors in new golangci-lint

Two fixes:
First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...)
Second, suppress errors where we read from the local file system at a user provided path.
This is a CLI tool, and reads from user provided paths on the local file system by design.

Signed-off-by: Will Murphy

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Will Murphy
---
 .binny.yaml | 10 +++++-----
 cmd/syft/cli/ui/handle_attestation.go | 2 +-
 cmd/syft/internal/options/writer.go | 2 +-
 examples/decode_sbom/main.go | 3 ++-
 syft/pkg/cataloger/golang/upx.go | 2 +-
 syft/pkg/cataloger/lua/rockspec_parser.go | 2 +-
 6 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/.binny.yaml b/.binny.yaml
index 23d77143a..6bc61f642 100644
--- a/.binny.yaml
+++ b/.binny.yaml
@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.9.0
+      want: v2.11.2
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -42,7 +42,7 @@ tools:
   # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v3.0.4
+      want: v3.0.5
     method: github-release
     with:
       repo: sigstore/cosign
@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v2.13.3
+      want: v2.14.2
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -90,7 +90,7 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.48.0
+      want: v3.49.1
     method: github-release
     with:
       repo: go-task/task
@@ -98,7 +98,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.86.0
+      want: v2.87.3
     method: github-release
     with:
       repo: cli/cli
diff --git a/cmd/syft/cli/ui/handle_attestation.go b/cmd/syft/cli/ui/handle_attestation.go
index 6fbdebdda..838d77c89 100644
--- a/cmd/syft/cli/ui/handle_attestation.go
+++ b/cmd/syft/cli/ui/handle_attestation.go
@@ -219,7 +219,7 @@ func (l attestLogFrame) View() string {
 	sb := strings.Builder{}
 
 	for _, line := range l.lines {
-		sb.WriteString(fmt.Sprintf(" %s %s\n", l.borderStype.Render("░░"), line))
+		fmt.Fprintf(&sb, " %s %s\n", l.borderStype.Render("░░"), line)
 	}
 
 	return sb.String()
diff --git a/cmd/syft/internal/options/writer.go b/cmd/syft/internal/options/writer.go
index 801ca2bef..d53d3bfcc 100644
--- a/cmd/syft/internal/options/writer.go
+++ b/cmd/syft/internal/options/writer.go
@@ -122,7 +122,7 @@ func formatVersionOptions(nameVersionPairs []string) string {
 
 	for _, name := range sortedAvailableFormats {
 		s.WriteString("\n")
-		s.WriteString(fmt.Sprintf("  - %s", name))
+		fmt.Fprintf(&s, "  - %s", name)
 
 		if len(availableVersions[name]) > 0 {
 			s.WriteString(" @ ")
diff --git a/examples/decode_sbom/main.go b/examples/decode_sbom/main.go
index fbdcb7667..0d24f49cb 100644
--- a/examples/decode_sbom/main.go
+++ b/examples/decode_sbom/main.go
@@ -44,7 +44,8 @@ func sbomReader() io.Reader {
 		reader = strings.NewReader(sbomContents)
 	} else {
 		var err error
-		reader, err = os.Open(os.Args[1])
+		// suppress gosec error: reads from local file system by design
+		reader, err = os.Open(os.Args[1]) //nolint:gosec
 		if err != nil {
 			panic(err)
 		}
diff --git a/syft/pkg/cataloger/golang/upx.go b/syft/pkg/cataloger/golang/upx.go
index c52c80b88..2e15b64af 100644
--- a/syft/pkg/cataloger/golang/upx.go
+++ b/syft/pkg/cataloger/golang/upx.go
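Review bot: The *os.File opened on the new `reader, err = os.Open(os.Args[1]) //nolint:gosec` line is never closed anywhere in the hunk, and since sbomReader's signature in the hunk header returns a plain io.Reader, the caller presumably has no Close handle either; for an example program the leak is tolerable, but returning an io.ReadCloser (or reading the file here) would make the sample safe to copy. The justification for the waived finding also belongs on the directive itself rather than on a separate comment line, e.g. `reader, err = os.Open(os.Args[1]) //nolint:gosec // G304: path is supplied by the CLI user by design`, which keeps the rule ID (presumably G304, file inclusion via variable) next to the waiver and is the form nolintlint recognises as an explanation. sbomReader starts before the hunk and its return statement lies after it.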
@@ -509,7 +509,7 @@ func decompressLZMA(compressedData []byte, uncompressedSize uint32) ([]byte, err
 
 	// construct standard 13-byte LZMA header
 	header := make([]byte, 13)
-	header[0] = props //nolint:gosec
+	header[0] = props
 	binary.LittleEndian.PutUint32(header[1:5], dictSize)
 	binary.LittleEndian.PutUint64(header[5:13], uint64(uncompressedSize))
 
diff --git a/syft/pkg/cataloger/lua/rockspec_parser.go b/syft/pkg/cataloger/lua/rockspec_parser.go
index a71f0e6d1..19f251aea 100644
--- a/syft/pkg/cataloger/lua/rockspec_parser.go
+++ b/syft/pkg/cataloger/lua/rockspec_parser.go
@@ -376,7 +376,7 @@ out:
 			if c != ']' {
 				return "", fmt.Errorf("unterminated literal at %d", *i)
 			}
-			buf.WriteString(fmt.Sprintf("[\"%s\"]", nested.String()))
+			fmt.Fprintf(&buf, "[\"%s\"]", nested.String())
 		case isLiteral(c):
 			buf.WriteByte(c)
 		default:
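Review bot: Dropping `//nolint:gosec` from `header[0] = props` is fine, but the line two below it still copies uncompressedSize verbatim into the LZMA header (`binary.LittleEndian.PutUint64(header[5:13], uint64(uncompressedSize))`), and that value presumably originates from the UPX block of the binary being catalogued, i.e. attacker-controlled input. A uint32 there lets a crafted packed binary declare up to 4 GiB of output, so if the decoder or any later buffer sizes itself from this field it is a decompression-bomb vector for a cataloger that routinely runs on untrusted images; if no bound exists upstream, a check such as `if uncompressedSize > maxUPXUncompressedSize { return nil, fmt.Errorf("upx: declared size %d exceeds limit", uncompressedSize) }` before the header is built is cheap insurance. decompressLZMA starts before the hunk and the actual decode call comes after it, so the cap may already live there — worth confirming.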
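Review bot: The new `fmt.Fprintf(&buf, "[\"%s\"]", nested.String())` interpolates the long-bracket body with `%s`, so a `"` or `\` inside the Lua long string yields a `["..."]` token whose quotes no longer delimit it; a rockspec is user-supplied input, so this is reachable by anyone who can hand syft a file. Whether it matters depends on what consumes buf, which is outside the hunk: if buf is later re-parsed as quoted text, `fmt.Fprintf(&buf, "[%s]", strconv.Quote(nested.String()))` (or a Lua-aware escape) keeps the token well-formed; if it is only ever used as a display string, a one-line comment saying so would spare the next reader the question. The loop labelled `out:` that encloses this switch starts before the hunk.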