chore(deps): update tools to latest versions (#4630)

* chore(deps): update tools to latest versions Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(lint): fix errors in new golangci-lint Two fixes: First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...) Second, suppress errors where we read from the local file system at a user provided path. This is a CLI tool, and reads from user provided paths on the local file system by design. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-30 05:33:24 +02:00 · 2026-03-09 12:17:09 -04:00 · 2026-03-09 12:17:09 -04:00 · 22e78c7be1
commit 22e78c7be1
parent d2461a9e0a
6 changed files with 11 additions and 10 deletions
--- a/.binny.yaml
+++ b/.binny.yaml
@ -26,7 +26,7 @@ tools:
  # used for linting
  - name: golangci-lint
    version:
-      want: v2.9.0
+      want: v2.11.2
    method: github-release
    with:
      repo: golangci/golangci-lint
@ -42,7 +42,7 @@ tools:
  # used for signing the checksums file at release
  - name: cosign
    version:
-      want: v3.0.4
+      want: v3.0.5
    method: github-release
    with:
      repo: sigstore/cosign
@ -58,7 +58,7 @@ tools:
  # used to release all artifacts
  - name: goreleaser
    version:
-      want: v2.13.3
+      want: v2.14.2
    method: github-release
    with:
      repo: goreleaser/goreleaser
@ -90,7 +90,7 @@ tools:
  # used for running all local and CI tasks
  - name: task
    version:
-      want: v3.48.0
+      want: v3.49.1
    method: github-release
    with:
      repo: go-task/task
@ -98,7 +98,7 @@ tools:
  # used for triggering a release
  - name: gh
    version:
-      want: v2.86.0
+      want: v2.87.3
    method: github-release
    with:
      repo: cli/cli
--- a/cmd/syft/cli/ui/handle_attestation.go
+++ b/cmd/syft/cli/ui/handle_attestation.go
@ -219,7 +219,7 @@ func (l attestLogFrame) View() string {
 	sb := strings.Builder{}
 	for _, line := range l.lines {
-		sb.WriteString(fmt.Sprintf("     %s %s\n", l.borderStype.Render("░░"), line))
+		fmt.Fprintf(&sb, "     %s %s\n", l.borderStype.Render("░░"), line)
 	}
 	return sb.String()
--- a/cmd/syft/internal/options/writer.go
+++ b/cmd/syft/internal/options/writer.go
@ -122,7 +122,7 @@ func formatVersionOptions(nameVersionPairs []string) string {
 	for _, name := range sortedAvailableFormats {
 		s.WriteString("\n")
-		s.WriteString(fmt.Sprintf("   - %s", name))
+		fmt.Fprintf(&s, "   - %s", name)
 		if len(availableVersions[name]) > 0 {
 			s.WriteString(" @ ")
--- a/examples/decode_sbom/main.go
+++ b/examples/decode_sbom/main.go
@ -44,7 +44,8 @@ func sbomReader() io.Reader {
 		reader = strings.NewReader(sbomContents)
 	} else {
 		var err error
-		reader, err = os.Open(os.Args[1])
+		// suppress gosec error: reads from local file system by design
 		reader, err = os.Open(os.Args[1]) //nolint:gosec
 		if err != nil {
 			panic(err)
 		}
--- a/syft/pkg/cataloger/golang/upx.go
+++ b/syft/pkg/cataloger/golang/upx.go
@ -509,7 +509,7 @@ func decompressLZMA(compressedData []byte, uncompressedSize uint32) ([]byte, err
 	// construct standard 13-byte LZMA header
 	header := make([]byte, 13)
-	header[0] = props //nolint:gosec
+	header[0] = props
 	binary.LittleEndian.PutUint32(header[1:5], dictSize)
 	binary.LittleEndian.PutUint64(header[5:13], uint64(uncompressedSize))
--- a/syft/pkg/cataloger/lua/rockspec_parser.go
+++ b/syft/pkg/cataloger/lua/rockspec_parser.go
@ -376,7 +376,7 @@ out:
 			if c != ']' {
 				return "", fmt.Errorf("unterminated literal at %d", *i)
 			}
-			buf.WriteString(fmt.Sprintf("[\"%s\"]", nested.String()))
+			fmt.Fprintf(&buf, "[\"%s\"]", nested.String())
 		case isLiteral(c):
 			buf.WriteByte(c)
 		default: