build(deps): Bump github.com/ulikunitz/xz from 0.5.11 to 0.5.14

[dependabot]

Bumps github.com/ulikunitz/xz from 0.5.11 to 0.5.14.

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• 4f11dce Update README.md and SECURITY.md to address security questions
• f56ebbf TODO.md: fix a typo
• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[kusari-inspector]

Kusari Analysis Results:

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Both dependency and code security analyses independently recommend proceeding with this Dependabot update. The PR safely updates github.com/ulikunitz/xz to the latest version (0.5.14) with zero security vulnerabilities, no code issues, no exposed secrets, and no workflow problems. The Go standard library upgrade from 1.20 to 1.21 is routine and safe. While the xz library shows some maintenance concerns, this poses no immediate security risk and the update is to the current latest version. The combined analysis shows no critical security issues that would warrant blocking this dependency update.

---

Expand to see all dependency changes, security advisories, scorecard checks, etc.

Dependency Changes Introduced

Status	Package	Change	Version	Latest Version	Advisories	License
⚠️ Flagged	github.com/ulikunitz/xz	updated	0.5.11 → 0.5.14	v0.5.14	None	BSD-3-Clause (permissive)
⚠️ Flagged	stdlib	updated	1.20 → 1.21	Unknown	None	Unknown

Scorecard Checks

github.com/ulikunitz/xz:

• Maintained: 0/10 ⚠️ Repo is not maintained actively in the last 90 days.
• Code Review: 0/10 ⚠️ Project does not require human code review before all pull requests (aka merge requests) are merged.

stdlib:

No information was found for this package which is very concerning

Files where issues may be found

Dependency Files:

• go.mod

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 3fa22e6, performed at: 2025-08-28T19:41:57Z

Found this helpful? Give it a 👍 or 👎 reaction!