chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/cache	action	minor	v4.2.3 -> v4.3.0
alpine	final	minor	3.21 -> 3.22
anchore/sbom-action	action	minor	v0.18.0 -> v0.20.9
github.com/golang-jwt/jwt/v5	require	minor	v5.2.2 -> v5.3.0
github.com/lestrrat-go/jwx/v2	require	patch	v2.1.4 -> v2.1.6
github.com/spf13/cobra	require	minor	v1.9.1 -> v1.10.1
github.com/spf13/pflag	require	patch	v1.0.6 -> v1.0.10
github.com/spf13/viper	require	minor	v1.20.1 -> v1.21.0

---

Release Notes

actions/cache (actions/cache)

v4.3.0

Compare Source

What's Changed

• Add note on runner versions by @​GhadimiR in #​1642
• Prepare v4.3.0 release by @​Link- in #​1655

New Contributors

• @​GhadimiR made their first contribution in #​1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

Compare Source

What's Changed

• Update README.md by @​nebuk89 in #​1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in #​1634
• Prepare release 4.2.4 by @​Link- in #​1636

New Contributors

• @​nebuk89 made their first contribution in #​1620

Full Changelog: actions/cache@v4...v4.2.4

anchore/sbom-action (anchore/sbom-action)

v0.20.9

Compare Source

Changes in v0.20.9

• chore(deps): update Syft to v1.36.0 (#​546) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.8

Compare Source

Changes in v0.20.8

• chore(deps): update Syft to v1.34.2 (#​545) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.7

Compare Source

Changes in v0.20.7

• chore(deps): update Syft to v1.34.1 (#​544)

v0.20.6

Compare Source

Changes in v0.20.6

• chore(deps): update Syft to v1.33.0 (#​537) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]
• chore: update actions library to resolve critical vulnerability (#​536) [spiffcs]

v0.20.5

Compare Source

Changes in v0.20.5

• Update Syft to v1.31.0 (#​531)

v0.20.4

Compare Source

Changes in v0.20.4

• chore: update Syft to v1.29.0 (#​529)

v0.20.3

Compare Source

Changes in v0.20.3

• Fix: Strip emojis from correlator before using github APIs (#​527) [AndrewHendry]

v0.20.2

Compare Source

Changes in v0.20.2

• Update Syft to v1.28.0 (#​526)

v0.20.1

Compare Source

Changes in v0.20.1

• Update Syft to v1.27.1 (#​525)

v0.20.0

Compare Source

Changes in v0.20.0

• chore(deps): update Syft to v1.24.0 (#​522)

v0.19.0

Compare Source

Changes in v0.19.0

• chore(deps): update Syft to v1.23.0 (#​521)
• chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#​519)
• chore(deps): bump cross-spawn (#​514)

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.3.0

Compare Source

This release is almost identical to to v5.2.3 but now correctly indicates Go 1.21 as minimum requirement.

What's Changed

• Create CODEOWNERS by @​oxisto in #​449
• Bump Go version to indicate correct minimum requirement by @​oxisto in #​452

Full Changelog: golang-jwt/jwt@v5.2.3...v5.3.0

v5.2.3

Compare Source

What's Changed

• Bump GitHub workflows and Go versions by @​mfridman in #​438
• Implementing validation of multiple audiences by @​oxisto in #​433
• Bump golangci/golangci-lint-action from 7 to 8 by @​dependabot[bot] in #​440
• replaced interface{} to any by @​aachex in #​445
• Fix bug in validation of multiple audiences by @​sfinnman-cotn in #​441

New Contributors

• @​aachex made their first contribution in #​445
• @​sfinnman-cotn made their first contribution in #​441

Full Changelog: golang-jwt/jwt@v5.2.2...v5.2.3

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v2)

v2.1.6

Compare Source

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

• DIRECT mode content encryption
• Using A256CBC_HS512
• With an erroneously created CEK of exactly 32-bytes.

---

• jws: backport jws parsing ehancements by @​lestrrat in #​1363
• [v2] Backport #​1367 by @​lestrrat in #​1368

Full Changelog: lestrrat-go/jwx@v2.1.5...v2.1.6

v2.1.5

Compare Source

What's Changed

• jws/jwe: split token into fixed number of parts (#​1308) by @​lestrrat in #​1309
• Bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in #​1317
• Bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 by @​dependabot in #​1319
• Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 by @​dependabot in #​1327
• Remove use of go1.22 in CI by @​lestrrat in #​1356
• v2: jws/jwe: split token into fixed number of parts (#​1308) by @​lestrrat in #​1355
• Bump github.com/lestrrat-go/blackmagic from 1.0.2 to 1.0.3 by @​dependabot in #​1354
• autodoc updates by @​github-actions in #​1359

Full Changelog: lestrrat-go/jwx@v2.1.4...v2.1.5

spf13/cobra (github.com/spf13/cobra)

v1.10.1

Compare Source

🐛 Fix

• chore: upgrade pflags v1.0.9 by @​jpmcb in #​2305

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

Compare Source

What's Changed

🚨 Attention!

• Bump pflag to 1.0.8 by @​tomasaschan in #​2303

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

• If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`
• or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: #​2303 (comment)

✨ Features

• Flow context to command in SetHelpFunc by @​Frassle in #​2241
• The default ShellCompDirective can be customized for a command and its subcommands by @​albers in #​2238

🐛 Fix

• Upgrade golangci-lint to v2, address findings by @​scop in #​2279

🪠 Testing

• Test with Go 1.24 by @​harryzcy in #​2236
• chore: Rm GitHub Action PR size labeler by @​jpmcb in #​2256

📝 Docs

• Remove traling curlybrace by @​yedayak in #​2237
• Update command.go by @​styee in #​2248
• feat: Add security policy by @​jpmcb in #​2253
• Update Readme (Warp) by @​ericdachen in #​2267
• Add Periscope to the list of projects using Cobra by @​anishathalye in #​2299

New Contributors

• @​harryzcy made their first contribution in #​2236
• @​yedayak made their first contribution in #​2237
• @​Frassle made their first contribution in #​2241
• @​styee made their first contribution in #​2248
• @​ericdachen made their first contribution in #​2267
• @​albers made their first contribution in #​2238
• @​anishathalye made their first contribution in #​2299
• @​tomasaschan made their first contribution in #​2303

Full Changelog: spf13/cobra@v1.9.1...v1.9.2

spf13/pflag (github.com/spf13/pflag)

v1.0.10

Compare Source

What's Changed

• fix deprecation comment for (FlagSet.)ParseErrorsWhitelist by @​thaJeztah in #​447
• remove uses of errors.Is, which requires go1.13, move go1.16/go1.21 tests to separate file by @​thaJeztah in #​448

New Contributors

• @​thaJeztah made their first contribution in #​447

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

v1.0.9

Compare Source

What's Changed

• fix: Restore ParseErrorsWhitelist name for now by @​tomasaschan in #​446

Full Changelog: spf13/pflag@v1.0.8...v1.0.9

v1.0.8

Compare Source

⚠️ Breaking Change

This version, while only a patch bump, includes a (very minor) breaking change: the flag.ParseErrorsWhitelist struct and corresponding FlagSet.parseErrorsWhitelist field have been renamed to ParseErrorsAllowlist.

This should result in compilation errors in any code that uses these fields, which can be fixed by adjusting the names at call sites. There is no change in semantics or behavior of the struct or field referred to by these names. If your code compiles without errors after bumping to/past v1.0.8, you are not affected by this change.

The breaking change was reverted in v1.0.9, by means of re-introducing the old names with deprecation warnings. The plan is still to remove them in a future release, so if your code does depend on the old names, please change them to use the new names at your earliest convenience.

What's Changed

• Remove Redundant "Unknown-Flag" Error by @​vaguecoder in #​364
• Switching from whitelist to Allowlist terminology by @​dubrie in #​261
• Omit zero time.Time default from usage line by @​mologie in #​438
• implement CopyToGoFlagSet by @​pohly in #​330
• flag: Emulate stdlib behavior and do not print ErrHelp by @​tmc in #​407
• Print Default Values of String-to-String in Sorted Order by @​vaguecoder in #​365
• fix: Don't print ErrHelp in ParseAll by @​tomasaschan in #​443
• Reset args on re-parse even if empty by @​tomasaschan in #​444

New Contributors

• @​vaguecoder made their first contribution in #​364
• @​dubrie made their first contribution in #​261
• @​mologie made their first contribution in #​438
• @​pohly made their first contribution in #​330
• @​tmc made their first contribution in #​407
• @​tomasaschan made their first contribution in #​443

Full Changelog: spf13/pflag@v1.0.7...v1.0.8

v1.0.7

Compare Source

What's Changed

• Fix defaultIsZeroValue check for generic Value types by @​MidnightRocket in #​422
• feat: Use structs for errors returned by pflag. by @​eth-p in #​425
• Fix typos by @​co63oc in #​428
• fix #​423 : Add helper function and some documentation to parse shorthand go test flags. by @​valdar in #​424
• add support equivalent to golang flag.TextVar(), also fixes the test failure as described in #​368 by @​hujun-open in #​418
• add support for Func() and BoolFunc() #​426 by @​LeGEC in #​429
• fix: correct argument length check in FlagSet.Parse by @​ShawnJeffersonWang in #​409
• fix usage message for func flags, fix arguments order by @​LeGEC in #​431
• Add support for time.Time flags by @​max-frank in #​348

New Contributors

• @​MidnightRocket made their first contribution in #​422
• @​eth-p made their first contribution in #​425
• @​co63oc made their first contribution in #​428
• @​valdar made their first contribution in #​424
• @​hujun-open made their first contribution in #​418
• @​LeGEC made their first contribution in #​429
• @​ShawnJeffersonWang made their first contribution in #​409
• @​max-frank made their first contribution in #​348

Full Changelog: spf13/pflag@v1.0.6...v1.0.7

spf13/viper (github.com/spf13/viper)

v1.21.0

Compare Source

What's Changed

Enhancements 🚀

• Add support for flags pflag.BoolSlice, pflag.UintSlice and pflag.Float64Slice by @​nmvalera in #​2015
• feat: use maintained yaml library by @​sagikazarmark in #​2040

Bug Fixes 🐛

• fix(config): get config type from v.configType or config file ext by @​GuillaumeBAECHLER in #​2003
• fix: config type check when loading any config by @​sagikazarmark in #​2007

Dependency Updates ⬆️

• Update dependencies by @​sagikazarmark in #​1993
• build(deps): bump github.com/spf13/cast from 1.7.1 to 1.8.0 by @​dependabot[bot] in #​2017
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 by @​dependabot[bot] in #​2013
• build(deps): bump github.com/sagikazarmark/locafero from 0.8.0 to 0.9.0 by @​dependabot[bot] in #​2008
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /remote by @​dependabot[bot] in #​2016
• build(deps): bump github.com/spf13/cast from 1.8.0 to 1.9.2 by @​dependabot[bot] in #​2020
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @​dependabot[bot] in #​2028
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @​dependabot[bot] in #​2035
• build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 by @​dependabot[bot] in #​2036
• build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0 by @​dependabot[bot] in #​2012
• build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @​dependabot[bot] in #​2052
• build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 in /remote by @​dependabot[bot] in #​2048
• build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 by @​dependabot[bot] in #​2056
• chore: update dependencies by @​sagikazarmark in #​2057

Other Changes

• Update update guide with mapstructure package replacement. by @​aldas in #​2004
• refactor: use the built-in max/min to simplify the code by @​yingshanghuangqiao in #​2029

New Contributors

• @​GuillaumeBAECHLER made their first contribution in #​2003
• @​aldas made their first contribution in #​2004
• @​nmvalera made their first contribution in #​2015
• @​yingshanghuangqiao made their first contribution in #​2029
• @​ccoVeille made their first contribution in #​2046
• @​spacez320 made their first contribution in #​2050

Full Changelog: spf13/viper@v1.20.0...v1.21.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/lestrrat-go/jwx/[email protected] requires go >= 1.23.0; switching to go1.24.9
go: downloading go1.24.9 (linux/amd64)
go: download go1.24.9: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off