fix(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@aptre/common	^0.31.1 → ^0.34.0					devDependencies	minor
actions/cache	v5 → v6					action	major
actions/checkout	v6.0.2 → v7.0.0					action	major
actions/checkout	v4.1.7 → v7.0.0					action	major
actions/dependency-review-action	v4.3.3 → v5.0.0					action	major
actions/setup-go	v6.2.0 → v6.5.0					action	minor
github.com/aperturerobotics/common	v0.30.7 → v0.34.0					require	minor
github.com/aperturerobotics/protobuf-go-lite	v0.12.2 → v0.14.0					require	minor
github.com/aperturerobotics/starpc	v0.47.2-0.20260228105112-f1337c4314e9 → v0.49.18					require	minor
github.com/sirupsen/logrus	34027ea → 86fcec7					require	digest
github/codeql-action	v3.25.11 → v4.36.2					action	major
starpc	^0.47.1 → ^0.49.0					dependencies	minor
typescript (source)	^5.2.2 → ^6.0.0					devDependencies	major

---

Release Notes

aperturerobotics/common (@​aptre/common)

v0.34.0

Compare Source

Full Changelog: aperturerobotics/common@v0.33.1...v0.34.0

v0.33.1

Compare Source

Full Changelog: aperturerobotics/common@v0.33.0...v0.33.1

v0.33.0

Compare Source

Full Changelog: aperturerobotics/common@v0.32.10...v0.33.0

v0.32.10

Compare Source

What's Changed

• fix(deps): update module github.com/aperturerobotics/starpc to v0.49.7 by @​renovate[bot] in #​47

Full Changelog: aperturerobotics/common@v0.32.9...v0.32.10

v0.32.9

Compare Source

Full Changelog: aperturerobotics/common@v0.32.8...v0.32.9

v0.32.6

Compare Source

Full Changelog: aperturerobotics/common@v0.32.5...v0.32.6

v0.32.5

Compare Source

Full Changelog: aperturerobotics/common@v0.32.4...v0.32.5

v0.32.4

Compare Source

Full Changelog: aperturerobotics/common@v0.32.3...v0.32.4

v0.32.3

Compare Source

Full Changelog: aperturerobotics/common@v0.32.2...v0.32.3

v0.32.2

Compare Source

Full Changelog: aperturerobotics/common@v0.32.1...v0.32.2

v0.32.1

Compare Source

Full Changelog: aperturerobotics/common@v0.32.0...v0.32.1

v0.32.0

Compare Source

Full Changelog: aperturerobotics/common@v0.31.1...v0.32.0

actions/cache (actions/cache)

v6.1.0

Compare Source

What's Changed

• Bump @​actions/cache to v6.1.0 - handle read-only cache access by @​jasongin in #​1768

Full Changelog: actions/cache@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

• Update packages, migrate to ESM by @​Samirat in #​1760

Full Changelog: actions/cache@v5...v6.0.0

v6

Compare Source

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in #​1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in #​1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in #​1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in #​1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in #​1076
• Resolve security findings by @​AshelyTC in #​1094
• v5.0.0 release branch by @​ahpook in #​1098

New Contributors

• @​scottschreckengaust made their first contribution in #​1084
• @​mongolyy made their first contribution in #​1091
• @​Marukome0743 made their first contribution in #​1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

v4.8.3: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in #​1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in #​995
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​1003
• Bump actions/setup-node from 4 to 6 by @​dependabot[bot] in #​1005
• Upgrade glob to address a vulnerability by @​brrygrdn in #​1024
• Bump js-yaml by @​dependabot[bot] in #​1020
• Addressing vulnerabilities by @​Ahmed3lmallah in #​1036
• Bump fast-xml-parser from 5.3.3 to 5.3.5 by @​dependabot[bot] in #​1050
• Bump fast-xml-parser from 5.3.5 to 5.3.6 by @​dependabot[bot] in #​1053
• Properly truncate long summaries and catch errors by @​juxtin in #​1052
• Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @​dependabot[bot] in #​931
• Changes for Release 4.8.3 by @​ahpook in #​1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in #​945
• Deprecate deny lists by @​claire153 in #​958
• Address discrepancy between docs and reality by @​ahpook in #​960

New Contributors

• @​KyFaSt made their first contribution in #​945
• @​claire153 made their first contribution in #​958
• @​ahpook made their first contribution in #​960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

Compare Source

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #​889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

Compare Source

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #​809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

Compare Source

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in #​870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in #​876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in #​891
• Allow deny package removal by @​ellenfieldn in #​888
• Fix typos by @​omahs in #​893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in #​900
• Bump octokit and related dependencies by @​RomanIakovlev in #​904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in #​905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in #​899
• Update transitive dependency spdx-license-ids by @​ailox in #​855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in #​884
• Improve usage of this action in dependency-review.yml by @​fabasoad in #​883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in #​902
• Prepare 4.6.0 Release candidate by @​brrygrdn in #​910

New Contributors

• @​AshelyTC made their first contribution in #​891
• @​ellenfieldn made their first contribution in #​888
• @​omahs made their first contribution in #​893
• @​RomanIakovlev made their first contribution in #​904
• @​ailox made their first contribution in #​855
• @​fabasoad made their first contribution in #​884
• @​Pantelis-Santorinios made their first contribution in #​902
• @​brrygrdn made their first contribution in #​910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

v4.5.0

Compare Source

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @​dependabot in #​844
• Bump nodemon from 3.1.0 to 3.1.7 by @​dependabot in #​847
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​849
• Overriding the cross-spawn dependency to use a safe version by @​Ahmed3lmallah in #​850
• fix: add summary comment on failure when warn-only: true by @​ebickle in #​827
• Prepare for 4.5.0 release by @​Ahmed3lmallah in #​851

New Contributors

• @​ebickle made their first contribution in #​827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Compare Source

What's Changed

• Fix for merge_group event bug by @​Ahmed3lmallah in #​846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Compare Source

What's Changed

• fix: getRefs function to handle merge_group events by @​louis-bompart in #​766
• Create pull_request_template.md by @​jonjanego in #​794
• Update CONTRIBUTING.md by @​jonjanego in #​793
• Bump @​types/node from 20.11.28 to 20.16.0 by @​dependabot in #​815
• Upgrade transitive micromatch library by @​elireisman in #​829
• Do not list changed dependencies in summary by @​hmaurer in #​828
• Update stale.yaml by @​jonjanego in #​832
• Bump got from 14.4.1 to 14.4.2 by @​dependabot in #​822
• Bump eslint-plugin-jest and ts-jest by @​Ahmed3lmallah in #​840

New Contributors

• @​louis-bompart made their first contribution in #​766
• @​Ahmed3lmallah made their first contribution in #​840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Include all added dependencies in scorecard entries by @​elireisman in #​783
• Update SPDX Expression Parsing by @​febuiles in #​719
  • This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

actions/setup-go (actions/setup-go)

v6.5.0

Compare Source

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in #​705
• Fix golang download url to go.dev by @​178inaba in #​469

Full Changelog: actions/setup-go@v6...v6.3.0

aperturerobotics/protobuf-go-lite (github.com/aperturerobotics/protobuf-go-lite)

v0.14.0

Compare Source

v0.13.0

Compare Source

aperturerobotics/starpc (github.com/aperturerobotics/starpc)

v0.49.18

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.17...v0.49.18

v0.49.17

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.16...v0.49.17

v0.49.16

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.15...v0.49.16

v0.49.15

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.14...v0.49.15

v0.49.14

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.13...v0.49.14

v0.49.13

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.12...v0.49.13

v0.49.12

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.11...v0.49.12

v0.49.11

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.10...v0.49.11

v0.49.10

Compare Source

What's Changed

• fix(deps): update github.com/aperturerobotics/util digest to cbfc6d6 by @​renovate[bot] in #​207

Full Changelog: aperturerobotics/starpc@v0.49.9...v0.49.10

v0.49.9

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.8...v0.49.9

v0.49.8

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.7...v0.49.8

v0.49.7

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.6...v0.49.7

v0.49.6

Compare Source

What's Changed

• fix(deps): update module github.com/aperturerobotics/util to v1.34.3 by @​renovate[bot] in #​205

Full Changelog: aperturerobotics/starpc@v0.49.5...v0.49.6

v0.49.5

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.4...v0.49.5

v0.49.4

Compare Source

What's Changed

• chore(deps): update dependency esbuild to ^0.28.0 by @​renovate[bot] in #​203
• fix(deps): update module github.com/aperturerobotics/util to v1.33.1 by @​renovate[bot] in #​204

Full Changelog: aperturerobotics/starpc@v0.49.3...v0.49.4

v0.49.3

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.2...v0.49.3

v0.49.2

Compare Source

Full Changelog: aperturerobotics/starpc@v0.49.1...v0.49.2

v0.49.1

Compare Source

Released rust crate: at crates.io

Full Changelog: aperturerobotics/starpc@v0.49.0...v0.49.1

v0.49.0

Compare Source

Full Changelog: aperturerobotics/starpc@v0.48.0...v0.49.0

github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

• Cache CodeQL CLI version information across Actions steps. #​3943
• Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #​3937
• Update default CodeQL bundle version to 2.25.6. #​3948

v4.36.1

Compare Source

No user facing changes.

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#​3852](https://redirect.g

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22 -> 1.25
github.com/aperturerobotics/util	v1.23.7 -> v1.31.4
github.com/aperturerobotics/json-iterator-lite	v1.0.0 -> v1.0.1-0.20240713111131-be6bf89c3008
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.3.0 -> v4.4.0
github.com/ipfs/go-cid	v0.4.1 -> v0.5.0
github.com/klauspost/cpuid/v2	v2.2.7 -> v2.2.10
github.com/libp2p/go-libp2p	v0.35.1 -> v0.45.0
github.com/multiformats/go-multiaddr	v0.12.4 -> v0.16.0
github.com/multiformats/go-multicodec	v0.9.0 -> v0.9.1
github.com/multiformats/go-multistream	v0.5.0 -> v0.6.1
golang.org/x/crypto	v0.23.0 -> v0.41.0
golang.org/x/exp	v0.0.0-20240613232115-7f521ea00fb8 -> v0.0.0-20250606033433-dcc06ee1d476
golang.org/x/sys	v0.20.0 -> v0.35.0
lukechampine.com/blake3	v1.2.1 -> v1.4.1

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​aptre/​common@​0.31.1 ⏵ 0.34.0	+1
	npm/​starpc@​0.47.1 ⏵ 0.49.18	+1
	golang/​github.com/​aperturerobotics/​starpc@​v0.47.2-0.20260228105112-f1337c4314e9 ⏵ v0.49.18	-8
	npm/​typescript@​5.9.3 ⏵ 6.0.3	+1		+1
	golang/​github.com/​aperturerobotics/​common@​v0.30.7 ⏵ v0.34.0
	golang/​github.com/​sirupsen/​logrus@​v1.9.5-0.20260226151524-34027eac4204 ⏵ v1.9.5-0.20260626163630-86fcec785443
	golang/​github.com/​aperturerobotics/​protobuf-go-lite@​v0.12.2 ⏵ v0.14.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: golang github.com/tetratelabs/wazero is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/aperturerobotics/common@v0.34.0 → golang/github.com/tetratelabs/wazero@v1.12.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/tetratelabs/wazero@v1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: golang github.com/tetratelabs/wazero is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → golang/github.com/aperturerobotics/common@v0.34.0 → golang/github.com/tetratelabs/wazero@v1.12.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/tetratelabs/wazero@v1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@aptre/common@0.34.0 → npm/@typescript-eslint/eslint-plugin@8.62.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25 -> 1.25.0
github.com/aperturerobotics/util	v1.32.4 -> v1.34.5
github.com/aperturerobotics/go-protoc-gen-prost	v0.0.0-20260204215916-dc1f0fed8cfc -> v0.0.0-20260329113538-218ccd8f20e0
github.com/aperturerobotics/go-protoc-wasi	v0.0.0-20260131050911-b5f94b044584 -> v0.0.0-20260329113540-600516012db3
github.com/aperturerobotics/go-websocket	v1.8.15-0.20260228104546-35e37959349c -> v1.8.15-0.20260329113544-74dbfb8f11c6
github.com/tetratelabs/wazero	v1.11.0 -> v1.12.0
golang.org/x/mod	v0.33.0 -> v0.37.0
golang.org/x/sys	v0.40.0 -> v0.44.0