fix(deps): update go dependencies

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
github.com/bmatcuk/doublestar/v4	v4.9.1 → v4.9.2			require	patch
github.com/google/osv-scanner/v2	v2.3.0 → v2.3.1			require	patch
github.com/ossf/osv-schema/bindings/go	9fb6c88 → 88c4875			require	digest
golang.org/x/crypto	v0.45.0 → v0.46.0			require	minor
golang.org/x/mod	v0.30.0 → v0.31.0			require	minor	v0.32.0
google.golang.org/api	v0.257.0 → v0.258.0			require	minor	v0.259.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

bmatcuk/doublestar (github.com/bmatcuk/doublestar/v4)

v4.9.2: Fixed Handling of Paths With Meta Chars Using Alts

Compare Source

@​toga4 submitted a PR that fixed a small bug with the way paths were handled when the pattern used {alts}: if some part of the on-disk path that came before the {alt} included meta characters (say, a directory name that included the character ?), these meta characters were not escaped when they were passed back through the globbing routines. This caused doublestar to interpret them as actual meta characters, rather than a fixed-string path as it should have. Nice find, @​toga4 !

What's Changed

• fix: escape meta characters in paths during brace expansion by @​toga4 in #​108

New Contributors

• @​toga4 made their first contribution in #​108

Full Changelog: bmatcuk/doublestar@v4.9.1...v4.9.2

google/osv-scanner (github.com/google/osv-scanner/v2)

v2.3.1

Compare Source

Features:

• Feature #​2370 Add support for the packagedeprecation plugin via the new --experimental-flag-deprecated-packages flag. The result is available in all output formats except SPDX.

Fixes:

• Bug #​2395 Fix license scanning to correctly match new deps.dev package names.
• Bug #​2333 Deduplicate SARIF outputs for GitHub.
• Bug #​2259 Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.

Misc:

• Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.

googleapis/google-api-go-client (google.golang.org/api)

v0.258.0

Compare Source

Features

• all: Auto-regenerate discovery clients (#​3392) (db6e653)
• all: Auto-regenerate discovery clients (#​3394) (7a9ae94)
• all: Auto-regenerate discovery clients (#​3395) (dd93f67)
• all: Auto-regenerate discovery clients (#​3396) (302ad5f)
• all: Auto-regenerate discovery clients (#​3398) (5dfcd09)
• all: Auto-regenerate discovery clients (#​3401) (cd3e656)
• all: Auto-regenerate discovery clients (#​3402) (9e6446a)
• all: Auto-regenerate discovery clients (#​3404) (453c04a)
• all: Auto-regenerate discovery clients (#​3406) (af03509)
• all: Auto-regenerate discovery clients (#​3407) (41e2f8f)
• all: Auto-regenerate discovery clients (#​3408) (ba64741)
• all: Auto-regenerate discovery clients (#​3409) (5d17056)
• all: Auto-regenerate discovery clients (#​3410) (90b301b)
• option: Deprecate unsafe credentials JSON loading options (#​3356) (a5426fa)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 19 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.4 -> 1.25.5
github.com/ianlancetaylor/demangle	v0.0.0-20251114061303-68c556c8ce09 -> v0.0.0-20251118225945-96ee0021ea0f
github.com/jedib0t/go-pretty/v6	v6.7.2 -> v6.7.5
golang.org/x/sync	v0.18.0 -> v0.19.0
deps.dev/api/v3	v3.0.0-20251104021112-20ad94767ddf -> v3.0.0-20251127011616-f763ce91ff53
deps.dev/api/v3alpha	v0.0.0-20251104021112-20ad94767ddf -> v0.0.0-20251127011616-f763ce91ff53
deps.dev/util/maven	v0.0.0-20251104021112-20ad94767ddf -> v0.0.0-20251127011616-f763ce91ff53
deps.dev/util/resolve	v0.0.0-20251104021112-20ad94767ddf -> v0.0.0-20251127011616-f763ce91ff53
deps.dev/util/semver	v0.0.0-20251104021112-20ad94767ddf -> v0.0.0-20251127011616-f763ce91ff53
github.com/go-git/go-git/v5	v5.16.3 -> v5.16.4
github.com/google/osv-scalibr	v0.3.7-0.20251118161533-ed0917ecede1 -> v0.4.1-0.20251202121049-5e7e15f4a036
golang.org/x/net	v0.47.0 -> v0.48.0
golang.org/x/oauth2	v0.33.0 -> v0.34.0
golang.org/x/sys	v0.38.0 -> v0.39.0
golang.org/x/telemetry	v0.0.0-20251008203120-078029d740a8 -> v0.0.0-20251111182119-bc8e575c7b54
golang.org/x/text	v0.31.0 -> v0.32.0
golang.org/x/tools	v0.38.0 -> v0.39.0
google.golang.org/genproto/googleapis/api	v0.0.0-20251111163417-95abcf5c77ba -> v0.0.0-20251124214823-79d6a2a48846
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251124214823-79d6a2a48846 -> v0.0.0-20251213004720-97cd9d5aeac2
osv.dev/bindings/go	v0.0.0-20251114023950-43ef4fb673ff -> v0.0.0-20251208025524-721e0912c3f8