Commit 757796b

fix(deps): update osv-scanner minor (#2674)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [charm.land/lipgloss/v2](https://redirect.github.com/charmbracelet/lipgloss) | `v2.0.1` → `v2.0.3` | ![age](https://developer.mend.io/api/mc/badges/age/go/charm.land%2flipgloss%2fv2/v2.0.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/charm.land%2flipgloss%2fv2/v2.0.1/v2.0.3?slim=true) |
| [github.com/gkampitakis/go-snaps](https://redirect.github.com/gkampitakis/go-snaps) | `v0.5.20` → `v0.5.21` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.20/v0.5.21?slim=true) |
| [github.com/jedib0t/go-pretty/v6](https://redirect.github.com/jedib0t/go-pretty) | `v6.7.8` → `v6.7.9` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fjedib0t%2fgo-pretty%2fv6/v6.7.9?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fjedib0t%2fgo-pretty%2fv6/v6.7.8/v6.7.9?slim=true) |
| [github.com/modelcontextprotocol/go-sdk](https://redirect.github.com/modelcontextprotocol/go-sdk) | `v1.4.1` → `v1.5.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmodelcontextprotocol%2fgo-sdk/v1.5.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmodelcontextprotocol%2fgo-sdk/v1.4.1/v1.5.0?slim=true) |
| [github.com/opencontainers/runtime-spec](https://redirect.github.com/opencontainers/runtime-spec) | `v1.2.1` → `v1.3.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fopencontainers%2fruntime-spec/v1.3.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fopencontainers%2fruntime-spec/v1.2.1/v1.3.0?slim=true) |
| [github.com/urfave/cli/v3](https://redirect.github.com/urfave/cli) | `v3.7.0` → `v3.8.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2furfave%2fcli%2fv3/v3.8.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2furfave%2fcli%2fv3/v3.7.0/v3.8.0?slim=true) |
| [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) | [`v0.40.0` → `v0.42.0`](https://cs.opensource.google/go/x/term/+/refs/tags/v0.40.0...refs/tags/v0.42.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fterm/v0.42.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fterm/v0.40.0/v0.42.0?slim=true) |
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.79.3` → `v1.80.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.80.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.79.3/v1.80.0?slim=true) |

---

### Release Notes

<details>
<summary>charmbracelet/lipgloss (charm.land/lipgloss/v2)</summary>

### [`v2.0.3`](https://redirect.github.com/charmbracelet/lipgloss/releases/tag/v2.0.3)

[Compare Source](https://redirect.github.com/charmbracelet/lipgloss/compare/v2.0.2...v2.0.3)

#### Changelog

##### Fixed

- [`472d718`](https://redirect.github.com/charmbracelet/lipgloss/commit/472d718e2314596549bee2c0c8ccf8beea5f25ae): fix: Avoid background color query hang ([#636](https://redirect.github.com/charmbracelet/lipgloss/issues/636)) ([@jedevc](https://redirect.github.com/jedevc))

##### Docs

- [`9e39a0a`](https://redirect.github.com/charmbracelet/lipgloss/commit/9e39a0ad4f4fc779d620f17783cee3494da6ae29): docs: fix README typo ([#629](https://redirect.github.com/charmbracelet/lipgloss/issues/629)) ([@Rohan5commit](https://redirect.github.com/Rohan5commit))
- [`cd93a9f`](https://redirect.github.com/charmbracelet/lipgloss/commit/cd93a9f5d2e3cb151da83150db29751d92585d23): docs: fix tree comment typo ([#634](https://redirect.github.com/charmbracelet/lipgloss/issues/634)) ([@Rohan5commit](https://redirect.github.com/Rohan5commit))

***

<a href="https://charm.land/"><img alt="The Charm logo" src="https://stuff.charm.sh/charm-banner-next.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on [X](https://x.com/charmcli), [Discord](https://charm.land/discord), [Slack](https://charm.land/slack), [The Fediverse](https://mastodon.social/@charmcli), [Bluesky](https://bsky.app/profile/charm.land).

### [`v2.0.2`](https://redirect.github.com/charmbracelet/lipgloss/releases/tag/v2.0.2)

[Compare Source](https://redirect.github.com/charmbracelet/lipgloss/compare/v2.0.1...v2.0.2)

### Table patch

If you don't know, we made big improvements in table rendering recently shipped in v2.0.0. [@MartinodF](https://redirect.github.com/MartinodF) made a good job on improving it even further for tricky edge cases, in particular when content wrapping is enabled.

#### Changelog

##### Fixed

- [`c289bad`](https://redirect.github.com/charmbracelet/lipgloss/commit/c289bad531f2588fc7506d7fbd5cdfd3daf4cb27): fix(table): height and overflow with wrapping content ([#620](https://redirect.github.com/charmbracelet/lipgloss/issues/620)) ([@MartinodF](https://redirect.github.com/MartinodF))

***

<a href="https://charm.land/"><img alt="The Charm logo" src="https://stuff.charm.sh/charm-banner-next.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on [X](https://x.com/charmcli), [Discord](https://charm.land/discord), [Slack](https://charm.land/slack), [The Fediverse](https://mastodon.social/@charmcli), [Bluesky](https://bsky.app/profile/charm.land).

</details>

<details>
<summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary>

### [`v0.5.21`](https://redirect.github.com/gkampitakis/go-snaps/releases/tag/v0.5.21)

[Compare Source](https://redirect.github.com/gkampitakis/go-snaps/compare/v0.5.20...v0.5.21)

##### What's Changed

- support nested arrays in json matchers by [@gkampitakis](https://redirect.github.com/gkampitakis) in [#145](https://redirect.github.com/gkampitakis/go-snaps/pull/145)

**Full Changelog**: <gkampitakis/go-snaps@v0.5.20...v0.5.21>

</details>

<details>
<summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>

### [`v6.7.9`](https://redirect.github.com/jedib0t/go-pretty/releases/tag/v6.7.9)

[Compare Source](https://redirect.github.com/jedib0t/go-pretty/compare/v6.7.8...v6.7.9)

#### What's Changed

- table: markdown padding for human-friendly output; fixes [#402](https://redirect.github.com/jedib0t/go-pretty/issues/402) by [@jedib0t](https://redirect.github.com/jedib0t) in [#403](https://redirect.github.com/jedib0t/go-pretty/pull/403)

**Full Changelog**: <jedib0t/go-pretty@v6.7.8...v6.7.9>

</details>

<details>
<summary>modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)</summary>

### [`v1.5.0`](https://redirect.github.com/modelcontextprotocol/go-sdk/releases/tag/v1.5.0)

[Compare Source](https://redirect.github.com/modelcontextprotocol/go-sdk/compare/v1.4.1...v1.5.0)

***This release is equivalent to v1.5.0-pre.1. Thank you to those who tested the pre-release.***

In this release we introduce important enhancements to the client-side OAuth flows. We also introduce several smaller fixes and improvements.

#### Stabilization of client-side OAuth APIs

As previously communicated, we're stabilizing the client-side OAuth APIs in `v1.5.0`. This means that the `mcp_go_client_oauth` build tag will no longer be required to compile the functionality and standard backward compatibility guarantees apply from now on.

Compared to the experimental support published in `v1.4.0`, we made some backwards incompatible changes:

- `auth.AuthorizationCodeHandlerConfig.AuthorizationCodeFetcher`'s type was changed from `func(context.Context, *auth.AuthorizationArgs) (*auth.AuthorizationResult, error)` to `auth.AuthorizationCodeFetcher` which is a reusable definition carrying the same underlying function type.
- `auth.AuthorizationCodeHandlerConfig.PreregisteredClientConfig` was removed and replaced with `auth.AuthorizationCodeHandlerConfig.PreregisteredClient` which uses a newly introduced `oauthex.ClientCredentials` type. The type used previously (`auth.PreregisteredClientConfig`) has been removed.
- Deprecated functionality has been removed from both `auth` and `oauthex` packages.

* all: stabilize client OAuth support by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#861](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/861)

#### Enterprise Managed Authorization support added

Support for [Enterprise Managed Authorization](https://modelcontextprotocol.io/extensions/auth/enterprise-managed-authorization) has been added to `auth/extauth` package. Huge thanks to [@radar07](https://redirect.github.com/radar07) for the implementation!

- Enterprise managed authorization by [@radar07](https://redirect.github.com/radar07) in [#770](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/770)

**Note:** this support is part of an official MCP extension and is not part of the core protocol. The support of this functionality is not covered by the principles defined in [SDK tiers](https://modelcontextprotocol.io/community/sdk-tiers).

#### Other changes to the SDK

- examples: fix OAuth client example after latest changes. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#820](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/820)
- build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#824](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/824)
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#825](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/825)
- build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#827](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/827)
- build(deps): bump actions/checkout from 4.2.2 to 6.0.2 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#826](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/826)
- mcp: simplify and unify unit tests introduced for sampling with tools. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#799](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/799)
- auth: fix 2025-03-26 backcompat by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#821](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/821)
- chore: update deps after v1.4.0 release by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#829](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/829)
- build(deps): bump github/codeql-action from 3 to 4 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#823](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/823)
- mcp: update latestProtocolVersion to 2025-11-25 by [@findleyr](https://redirect.github.com/findleyr) in [#724](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/724)
- mcp: protect ioConn.protocolVersion with a mutex by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#832](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/832)
- examples: add an example that display header forwarding. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#836](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/836)
- internal: fix Unicode zero character handling by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#841](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/841)
- auth: allow passing custom http.Client to AuthorizationCodeHandler by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#840](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/840)
- mcp: verify 'Origin' and 'Content-Type' headers by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#842](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/842)
- auth: return scope in WWW-Authenticate header. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#834](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/834)
- mcp: fix setProgressToken when Meta is nil by [@StevenRChen](https://redirect.github.com/StevenRChen) in [#846](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/846)
- all: clean up Go 1.24 specific code. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#850](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/850)
- mcp: re-enable race test after fixing data races by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#851](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/851)
- mcp: handle empty chunks in MemoryEventStore by [@jba](https://redirect.github.com/jba) in [#862](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/862)
- oauthex: use internal JSON library for decoding. by [@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#866](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/866)
- all: fix typos by [@alexandear](https://redirect.github.com/alexandear) in [#869](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/869)
- mcp: return input validation errors as tool results, not JSON-RPC errors by [@ravyg](https://redirect.github.com/ravyg) in [#863](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/863)
- all: modernize code by [@alexandear](https://redirect.github.com/alexandear) in [#868](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/868)
- mcp: accept parameterized Accept media types by [@kalvinnchau](https://redirect.github.com/kalvinnchau) in [#853](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/853)
- mcp: use http.ResponseController to ensure writes are flushed by [@toofishes](https://redirect.github.com/toofishes) in [#870](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/870)

#### New Contributors

- [@StevenRChen](https://redirect.github.com/StevenRChen) made their first contribution in [#846](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/846)
- [@radar07](https://redirect.github.com/radar07) made their first contribution in [#770](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/770)
- [@alexandear](https://redirect.github.com/alexandear) made their first contribution in [#869](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/869)
- [@ravyg](https://redirect.github.com/ravyg) made their first contribution in [#863](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/863)
- [@kalvinnchau](https://redirect.github.com/kalvinnchau) made their first contribution in [#853](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/853)
- [@toofishes](https://redirect.github.com/toofishes) made their first contribution in [#870](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/870)

**Full Changelog**: <modelcontextprotocol/go-sdk@v1.4.1...v1.5.0>

</details>

<details>
<summary>opencontainers/runtime-spec (github.com/opencontainers/runtime-spec)</summary>

### [`v1.3.0`](https://redirect.github.com/opencontainers/runtime-spec/releases/tag/v1.3.0)

[Compare Source](https://redirect.github.com/opencontainers/runtime-spec/compare/v1.2.1...v1.3.0)

This is the fourth minor release of the v1 series of the Open Container Initiative Runtime Specification.

This release features the addition of the specification for FreeBSD.

##### Additions

- config-vm: add hwConfig object ([#1209](https://redirect.github.com/opencontainers/runtime-spec/issues/1209))
- config-linux: add intelRdt.schemata field ([#1230](https://redirect.github.com/opencontainers/runtime-spec/issues/1230))
- config-linux: add netDevices object ([#1271](https://redirect.github.com/opencontainers/runtime-spec/issues/1271))
- config-linux: add memoryPolicy object ([#1282](https://redirect.github.com/opencontainers/runtime-spec/issues/1282))
- config-freebsd: add the spec for FreeBSD ([#1286](https://redirect.github.com/opencontainers/runtime-spec/issues/1286))
- config-linux: add intelRdt.enableMonitoring field ([#1287](https://redirect.github.com/opencontainers/runtime-spec/issues/1287))

##### Minor fixes

- config-linux: clarify intelRdt configuration ([#1196](https://redirect.github.com/opencontainers/runtime-spec/issues/1196))
- runtime: fail when a poststart hook fails ([#1262](https://redirect.github.com/opencontainers/runtime-spec/issues/1262))
- config-linux: clarify pids cgroup settings ([#1279](https://redirect.github.com/opencontainers/runtime-spec/issues/1279))
- config-linux: define default clos for intelRdt ([#1289](https://redirect.github.com/opencontainers/runtime-spec/issues/1289))
- features-linux: add intelRdt.enableMonitoring field ([#1290](https://redirect.github.com/opencontainers/runtime-spec/issues/1290))
- features-linux: add intelRdt.schemata field ([#1291](https://redirect.github.com/opencontainers/runtime-spec/issues/1291))
- config-linux: fix and elaborate memoryPolicy.nodes field ([#1294](https://redirect.github.com/opencontainers/runtime-spec/issues/1294))
- config-linux, schema: fix FileMode description ([#1298](https://redirect.github.com/opencontainers/runtime-spec/issues/1298))

##### Documentation, CI & Governance

- add systemd-nspawn to implementations.md ([#1272](https://redirect.github.com/opencontainers/runtime-spec/issues/1272))
- CI: add codespell, bump golangci-lint ([#1281](https://redirect.github.com/opencontainers/runtime-spec/issues/1281))
- docs: add missing backticks for code formatting ([#1284](https://redirect.github.com/opencontainers/runtime-spec/issues/1284))
- docs: fix typo ([#1285](https://redirect.github.com/opencontainers/runtime-spec/issues/1285))
- principles: fix typo ([#1288](https://redirect.github.com/opencontainers/runtime-spec/issues/1288))
- schema: fix json ([#1297](https://redirect.github.com/opencontainers/runtime-spec/issues/1297))
- ci: use supported Go versions ([#1300](https://redirect.github.com/opencontainers/runtime-spec/issues/1300))
- Add minimum supported Go version to CI ([#1303](https://redirect.github.com/opencontainers/runtime-spec/issues/1303))
- Mention FreeBSD platform ([#1304](https://redirect.github.com/opencontainers/runtime-spec/issues/1304))

Thanks to the following contributors for making this release possible: [@Artoria2e5](https://redirect.github.com/Artoria2e5) [@Sharmaann](https://redirect.github.com/Sharmaann) [@aojea](https://redirect.github.com/aojea) [@ariel-anieli](https://redirect.github.com/ariel-anieli) [@askervin](https://redirect.github.com/askervin) [@cyphar](https://redirect.github.com/cyphar) [@dfr](https://redirect.github.com/dfr) [@gogolok](https://redirect.github.com/gogolok) [@ipuustin](https://redirect.github.com/ipuustin) [@kolyshkin](https://redirect.github.com/kolyshkin) [@marquiz](https://redirect.github.com/marquiz) [@oleksiimoisieiev](https://redirect.github.com/oleksiimoisieiev) [@tianon](https://redirect.github.com/tianon)

Vote-Results: +9 -0 \*2 ([#1302](https://redirect.github.com/opencontainers/runtime-spec/issues/1302))

Signed-off-by: Akihiro Suda ([@AkihiroSuda](https://redirect.github.com/AkihiroSuda))

</details>

<details>
<summary>urfave/cli (github.com/urfave/cli/v3)</summary>

### [`v3.8.0`](https://redirect.github.com/urfave/cli/releases/tag/v3.8.0)

[Compare Source](https://redirect.github.com/urfave/cli/compare/v3.7.0...v3.8.0)

#### What's Changed

- chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in the python-packages group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#2267](https://redirect.github.com/urfave/cli/pull/2267)
- chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in the python-packages group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#2272](https://redirect.github.com/urfave/cli/pull/2272)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in the python-packages group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#2276](https://redirect.github.com/urfave/cli/pull/2276)
- Fix: check MutuallyExclusiveFlags across parent command chain by [@siutsin](https://redirect.github.com/siutsin) in [#2274](https://redirect.github.com/urfave/cli/pull/2274)
- Modernize source code by [@kolyshkin](https://redirect.github.com/kolyshkin) in [#2289](https://redirect.github.com/urfave/cli/pull/2289)
- flag: replace regexp use by [@kolyshkin](https://redirect.github.com/kolyshkin) in [#2288](https://redirect.github.com/urfave/cli/pull/2288)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in the python-packages group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#2284](https://redirect.github.com/urfave/cli/pull/2284)
- Fix:(issue\_2281) Remove incorrect check for local flag for set by [@dearchap](https://redirect.github.com/dearchap) in [#2290](https://redirect.github.com/urfave/cli/pull/2290)
- Fix:(issue\_2275) Make flag action execution consistent by [@dearchap](https://redirect.github.com/dearchap) in [#2295](https://redirect.github.com/urfave/cli/pull/2295)
- Fix:(issue\_2293) --flag="" no longer rejected as missing argument by [@idelchi](https://redirect.github.com/idelchi) in [#2297](https://redirect.github.com/urfave/cli/pull/2297)
- Fix:(issue\_2292) Empty positional args no longer break parse loop by [@idelchi](https://redirect.github.com/idelchi) in [#2296](https://redirect.github.com/urfave/cli/pull/2296)

#### New Contributors

- [@idelchi](https://redirect.github.com/idelchi) made their first contribution in [#2297](https://redirect.github.com/urfave/cli/pull/2297)

**Full Changelog**: <urfave/cli@v3.7.0...v3.8.0>

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.80.0`]()

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.79.3...v1.80.0)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Australia/Sydney)

- Branch creation
  - "before 6am on monday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner).

---------

Co-authored-by: Rex P <rexpan@google.com>
1 parent d7d0c3a commit 757796b

5 files changed

Lines changed: 1528 additions & 170 deletions


cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

Lines changed: 14 additions & 27 deletions
@@ -2601,14 +2601,12 @@ Total 24 packages affected by 186 known vulnerabilities (20 Critical, 78 High, 6
26012601

26022602
---
26032603

2604-
[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1]
2604+
[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 1]
26052605

26062606
---
26072607

2608-
[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 2]
2609-
Incorrect Usage: flag needs an argument: --experimental-plugins=
2610-
2611-
flag needs an argument: --experimental-plugins=
2608+
[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_default - 2]
2609+
No package sources found, --help for usage information.
26122610

26132611
---
26142612

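Review bot: The renamed snapshot `empty_plugins_flag_does_default - 2` shows that `--experimental-plugins=` with an empty value is no longer rejected as a usage error and instead runs through to `No package sources found`. That matches the urfave/cli v3.8.0 entry in the commit message (`--flag=""` no longer rejected as missing argument), but it also means a script that expands an unset variable into this flag now gets the default plugin set instead of a failure. Please state the intended behaviour in the flag's help text, or reject the empty value explicitly in the WithDefaults path if failing closed is preferred.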
@@ -2761,9 +2759,7 @@ could not determine extractor, requested package-lock.json
27612759
---
27622760

27632761
[TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 2]
2764-
Incorrect Usage: flag needs an argument: --experimental-plugins=
2765-
2766-
flag needs an argument: --experimental-plugins=
2762+
at least one extractor must be enabled
27672763

27682764
---
27692765

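Review bot: The case name `empty_plugins_flag_does_nothing` in the WithoutDefaults snapshot is left unchanged while its expected output moves from `flag needs an argument: --experimental-plugins=` to `at least one extractor must be enabled`. The WithDefaults twin was renamed in the hunk above; rename this one too so the name describes what is asserted (the empty value is rejected), and confirm the exit code expected for this case is still right now that the message is no longer the flag parser's.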
@@ -5644,15 +5640,13 @@ No package sources found, --help for usage information.
56445640
[TestCommand_Transitive/pom.xml_multiple_registries - 1]
56455641
Scanned <rootdir>/testdata/maven-transitive/registry.xml file and found 2 packages
56465642

5647-
Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5648-
8 vulnerabilities can be fixed.
5643+
Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5644+
6 vulnerabilities can be fixed.
56495645

56505646
+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+
56515647
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
56525648
+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+
56535649
| https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml |
5654-
| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml |
5655-
| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml |
56565650
| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml |
56575651
| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml |
56585652
| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml |
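Review bot: The summary drops from 8 to 6 vulnerabilities because the `GHSA-3pxv-7cmr-fjr4` and `GHSA-6hg6-v5c8-fphq` rows for `log4j-core` 2.14.1 are gone, and none of the dependency updates listed in the commit message explains that. The same two rows disappear in the three maven-transitive hunks that follow. Please say in the commit message why these findings are no longer expected (for instance a change in the advisory data the test reads), so a reviewer can tell a refreshed snapshot from a matching regression that hides real findings.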
@@ -5713,14 +5707,12 @@ No issues found
57135707
Scanning dir ./testdata/maven-transitive/pom.xml
57145708
Scanned <rootdir>/testdata/maven-transitive/pom.xml file and found 1 package
57155709

5716-
Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5717-
7 vulnerabilities can be fixed.
5710+
Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5711+
5 vulnerabilities can be fixed.
57185712

57195713
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+
57205714
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
57215715
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+
5722-
| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/pom.xml |
5723-
| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/pom.xml |
57245716
| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/pom.xml |
57255717
| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/pom.xml |
57265718
| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/pom.xml |
@@ -5737,14 +5729,12 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
57375729
[TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1]
57385730
Scanned <rootdir>/testdata/maven-transitive/abc.xml file and found 1 package
57395731

5740-
Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5741-
7 vulnerabilities can be fixed.
5732+
Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5733+
5 vulnerabilities can be fixed.
57425734

57435735
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+
57445736
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
57455737
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+
5746-
| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/abc.xml |
5747-
| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/abc.xml |
57485738
| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/abc.xml |
57495739
| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/abc.xml |
57505740
| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/abc.xml |
@@ -5761,15 +5751,13 @@ Total 1 package affected by 7 known vulnerabilities (2 Critical, 1 High, 4 Mediu
57615751
[TestCommand_Transitive/pom.xml_transitive_native_source - 1]
57625752
Scanned <rootdir>/testdata/maven-transitive/registry.xml file and found 2 packages
57635753

5764-
Total 2 packages affected by 8 known vulnerabilities (2 Critical, 1 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5765-
8 vulnerabilities can be fixed.
5754+
Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5755+
6 vulnerabilities can be fixed.
57665756

57675757
+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+
57685758
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
57695759
+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+
57705760
| https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml |
5771-
| https://osv.dev/GHSA-3pxv-7cmr-fjr4 | 6.9 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml |
5772-
| https://osv.dev/GHSA-6hg6-v5c8-fphq | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.4 | testdata/maven-transitive/registry.xml |
57735761
| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml |
57745762
| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml |
57755763
| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml |
@@ -5797,8 +5785,8 @@ No package sources found, --help for usage information.
57975785
Scanning dir ./testdata/locks-requirements/requirements.txt
57985786
Scanned <rootdir>/testdata/locks-requirements/requirements.txt file and found 3 packages
57995787

5800-
Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Medium, 1 Low, 0 Unknown) from 1 ecosystem.
5801-
13 vulnerabilities can be fixed.
5788+
Total 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem.
5789+
12 vulnerabilities can be fixed.
58025790

58035791
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+
58045792
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
@@ -5818,7 +5806,6 @@ Total 3 packages affected by 13 known vulnerabilities (1 Critical, 4 High, 7 Med
58185806
| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |
58195807
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |
58205808
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |
5821-
| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt |
58225809
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+
58235810

58245811
---
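Review bot: The removed `GHSA-gc5v-m9x4-r6x2` row (`requests` 2.20.0, fixed in 2.33.0) accounts for the 13 to 12 change in the summary of the preceding hunk, and it is a PyPI finding, so the snapshot drift is not limited to the Maven cases. If these expectations track advisory data that changes independently of this repository, consider refreshing the snapshots in a separate commit so that dependency bumps stay reviewable on their own.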

cmd/osv-scanner/scan/source/command_test.go

Lines changed: 2 additions & 2 deletions
@@ -489,9 +489,9 @@ func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
489489

490490
tests := []testcmd.Case{
491491
{
492-
Name: "empty_plugins_flag_does_nothing",
492+
Name: "empty_plugins_flag_does_default",
493493
Args: []string{"", "source", "--experimental-plugins="},
494-
Exit: 127,
494+
Exit: 128,
495495
},
496496
{
497497
Name: "extractors_cancelled_out_specified_individually",
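Review bot: `Exit: 128` on the renamed case is a bare number, and with `Args` of `"", "source", "--experimental-plugins="` there is no scan target, so the test cannot tell "default plugins were used" apart from "nothing was scanned". Add a short comment or a named constant for what 128 means here, and consider giving the case a path to scan so that the name `empty_plugins_flag_does_default` is backed by an assertion on extractor output.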
