Bump the global group across 1 directory with 4 updates #70

dependabot · 2025-10-07T19:03:03Z

Bumps the global group with 3 updates in the / directory: github.com/go-git/go-git/v5, github.com/spf13/cobra and github.com/spf13/viper.

Updates github.com/go-git/go-git/v5 from 5.16.2 to 5.16.3

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.3

What's Changed

internal: Expand regex to fix build [5.x] by @baloo in go-git/go-git#1644

build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @baloo in go-git/go-git#1646

plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @baloo in go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

Commits

ad9a3a5 Merge pull request #1633 from baloo/baloo/release-5.x/jj-signed-commits
f2c3467 plumbing: support extra headers, support jujutsu signed commit [5.x]
c12263d Merge pull request #1646 from baloo/baloo/release-5.x/fixup-windows-ci
111f374 build: disable fuzzing on maintenance branch
15d46ce build: raise timeouts for windows CI tests
ce83ba1 Merge pull request #1644 from baloo/baloo/release-5.x/fixup-build
b486201 internal: Expand regex to fix build
See full diff in compare view

Updates github.com/spf13/cobra from 1.9.1 to 1.10.1

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.1

🐛 Fix

chore: upgrade pflags v1.0.9 by @jpmcb in spf13/cobra#2305

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

What's Changed

🚨 Attention!

Bump pflag to 1.0.8 by @tomasaschan in spf13/cobra#2303

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`

or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: spf13/cobra#2303

✨ Features

Flow context to command in SetHelpFunc by @Frassle in spf13/cobra#2241

The default ShellCompDirective can be customized for a command and its subcommands by @albers in spf13/cobra#2238

🐛 Fix

Upgrade golangci-lint to v2, address findings by @scop in spf13/cobra#2279

🪠 Testing

Test with Go 1.24 by @harryzcy in spf13/cobra#2236

chore: Rm GitHub Action PR size labeler by @jpmcb in spf13/cobra#2256

📝 Docs

Remove traling curlybrace by @yedayak in spf13/cobra#2237

Update command.go by @styee in spf13/cobra#2248

feat: Add security policy by @jpmcb in spf13/cobra#2253

Update Readme (Warp) by @ericdachen in spf13/cobra#2267

Add Periscope to the list of projects using Cobra by @anishathalye in spf13/cobra#2299

New Contributors

@harryzcy made their first contribution in spf13/cobra#2236

@yedayak made their first contribution in spf13/cobra#2237

@Frassle made their first contribution in spf13/cobra#2241

... (truncated)

Commits

7da941c chore: Bump pflag to v1.0.9 (#2305)
51d6751 Bump pflag to 1.0.8 (#2303)
3f3b818 Update README.md with new logo
dcaf42e Add Periscope to the list of projects using Cobra (#2299)
6dec1ae The default ShellCompDirective can be customized for a command and its subcom...
c8289c1 chore(golangci-lint): add some exclusion presets
4af7b64 refactor: apply golangci-lint autofixes, work around false positives
75790e4 chore(golangci-lint): upgrade to v2
db3ddb5 Adding sponsorship to README.md
67171d6 putting sponsorship below header
Additional commits viewable in compare view

Updates github.com/spf13/viper from 1.20.1 to 1.21.0

Release notes

Sourced from github.com/spf13/viper's releases.

v1.21.0

What's Changed

Enhancements 🚀

Add support for flags pflag.BoolSlice, pflag.UintSlice and pflag.Float64Slice by @nmvalera in spf13/viper#2015

feat: use maintained yaml library by @sagikazarmark in spf13/viper#2040

Bug Fixes 🐛

fix(config): get config type from v.configType or config file ext by @GuillaumeBAECHLER in spf13/viper#2003

fix: config type check when loading any config by @sagikazarmark in spf13/viper#2007

Dependency Updates ⬆️

Update dependencies by @sagikazarmark in spf13/viper#1993

build(deps): bump github.com/spf13/cast from 1.7.1 to 1.8.0 by @dependabot[bot] in spf13/viper#2017

build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 by @dependabot[bot] in spf13/viper#2013

build(deps): bump github.com/sagikazarmark/locafero from 0.8.0 to 0.9.0 by @dependabot[bot] in spf13/viper#2008

build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /remote by @dependabot[bot] in spf13/viper#2016

build(deps): bump github.com/spf13/cast from 1.8.0 to 1.9.2 by @dependabot[bot] in spf13/viper#2020

build(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot[bot] in spf13/viper#2028

build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @dependabot[bot] in spf13/viper#2035

build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 by @dependabot[bot] in spf13/viper#2036

build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0 by @dependabot[bot] in spf13/viper#2012

build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @dependabot[bot] in spf13/viper#2052

build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 in /remote by @dependabot[bot] in spf13/viper#2048

build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 by @dependabot[bot] in spf13/viper#2056

chore: update dependencies by @sagikazarmark in spf13/viper#2057

Other Changes

Update update guide with mapstructure package replacement. by @aldas in spf13/viper#2004

refactor: use the built-in max/min to simplify the code by @yingshanghuangqiao in spf13/viper#2029

New Contributors

@GuillaumeBAECHLER made their first contribution in spf13/viper#2003

@aldas made their first contribution in spf13/viper#2004

@nmvalera made their first contribution in spf13/viper#2015

@yingshanghuangqiao made their first contribution in spf13/viper#2029

@ccoVeille made their first contribution in spf13/viper#2046

@spacez320 made their first contribution in spf13/viper#2050

Full Changelog: spf13/viper@v1.20.0...v1.21.0

Commits

394040c ci: build on go 1.25
812f548 chore: update dependencies
d5271ef ci: update stale workflow
dff303b feat: add a stale issue scheduled action
1287976 build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
38932cd build(deps): bump github.com/go-viper/mapstructure/v2 in /remote
6d014be build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1
b74c7ee build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0
acd05e1 fix: linting issues
ae5a8e2 ci: upgrade golangci-lint
Additional commits viewable in compare view

Updates github.com/stretchr/testify from 1.10.0 to 1.11.1

Release notes

Sourced from github.com/stretchr/testify's releases.

v1.11.1

This release fixes #1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

Backport #1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @brackendawson in stretchr/testify#1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

Call stack perf change for CallerInfo by @mikeauclair in stretchr/testify#1614

Lazily render mock diff output on successful match by @mikeauclair in stretchr/testify#1615

assert: check early in Eventually, EventuallyWithT, and Never by @cszczepaniak in stretchr/testify#1427

assert: add IsNotType by @bartventer in stretchr/testify#1730

assert.JSONEq: shortcut if same strings by @dolmen in stretchr/testify#1754

assert.YAMLEq: shortcut if same strings by @dolmen in stretchr/testify#1755

assert: faster and simpler isEmpty using reflect.Value.IsZero by @dolmen in stretchr/testify#1761

suite: faster methods filtering (internal refactor) by @dolmen in stretchr/testify#1758

Fixes

assert.ErrorAs: log target type by @craig65535 in stretchr/testify#1345

Fix failure message formatting for Positive and Negative asserts in stretchr/testify#1062

Improve ErrorIs message when error is nil but an error was expected by @tsioftas in stretchr/testify#1681

fix Subset/NotSubset when calling with mixed input types by @siliconbrain in stretchr/testify#1729

Improve ErrorAs failure message when error is nil by @ccoVeille in stretchr/testify#1734

mock.AssertNumberOfCalls: improve error msg by @3scalation in stretchr/testify#1743

Documentation, Build & CI

docs: Fix typo in README by @alexandear in stretchr/testify#1688

Replace deprecated io/ioutil with io and os by @alexandear in stretchr/testify#1684

Document consequences of calling t.FailNow() by @greg0ire in stretchr/testify#1710

chore: update docs for Unset #1621 by @techfg in stretchr/testify#1709

README: apply gofmt to examples by @alexandear in stretchr/testify#1687

refactor: use %q and %T to simplify fmt.Sprintf by @alexandear in stretchr/testify#1674

Propose Christophe Colombier (ccoVeille) as approver by @brackendawson in stretchr/testify#1716

Update documentation for the Error function in assert or require package by @architagr in stretchr/testify#1675

assert: remove deprecated build constraints by @alexandear in stretchr/testify#1671

assert: apply gofumpt to internal test suite by @ccoVeille in stretchr/testify#1739

CI: fix shebang in .ci.*.sh scripts by @dolmen in stretchr/testify#1746

assert,require: enable parallel testing on (almost) all top tests by @dolmen in stretchr/testify#1747

suite.Passed: add one more status test report by @Ararsa-Derese in stretchr/testify#1706

Add Helper() method in internal mocks and assert.CollectT by @dolmen in stretchr/testify#1423

assert.Same/NotSame: improve usage of Sprintf by @ccoVeille in stretchr/testify#1742

mock: enable parallel testing on internal testsuite by @dolmen in stretchr/testify#1756

suite: cleanup use of 'testing' internals at runtime by @dolmen in stretchr/testify#1751

assert: check test failure message for Empty and NotEmpty by @ccoVeille in stretchr/testify#1745

... (truncated)

Commits

2a57335 Merge pull request #1788 from brackendawson/1785-backport-1.11
af8c912 Backport #1786 to release/1.11
b7801fb Merge pull request #1778 from stretchr/dependabot/github_actions/actions/chec...
69831f3 build(deps): bump actions/checkout from 4 to 5
a53be35 Improve captureTestingT helper
aafb604 mock: improve formatting of error message
7218e03 improve error msg
929a212 Merge pull request #1758 from stretchr/dolmen/suite-faster-method-filtering
bc7459e suite: faster filtering of methods (-testify.m)
7d37b5c suite: refactor methodFilter
Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

socket-security · 2025-10-07T19:03:43Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/go-git/go-git/v5@v5.16.2 ⏵ v5.16.3	⁺¹
	github.com/spf13/cobra@v1.9.1 ⏵ v1.10.1	⁺¹
	github.com/stretchr/testify@v1.10.0 ⏵ v1.11.1	⁺¹
	github.com/spf13/viper@v1.20.1 ⏵ v1.21.0	⁺¹

View full report

socket-security · 2025-10-07T19:03:44Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

emlowe · 2025-11-21T21:17:01Z

@dependabot rebase

Bumps the global group with 3 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/spf13/cobra](https://github.com/spf13/cobra) and [github.com/spf13/viper](https://github.com/spf13/viper). Updates `github.com/go-git/go-git/v5` from 5.16.2 to 5.16.3 - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.2...v5.16.3) Updates `github.com/spf13/cobra` from 1.9.1 to 1.10.1 - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.9.1...v1.10.1) Updates `github.com/spf13/viper` from 1.20.1 to 1.21.0 - [Release notes](https://github.com/spf13/viper/releases) - [Commits](spf13/viper@v1.20.1...v1.21.0) Updates `github.com/stretchr/testify` from 1.10.0 to 1.11.1 - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.10.0...v1.11.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.16.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: global - dependency-name: github.com/spf13/cobra dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: global - dependency-name: github.com/spf13/viper dependency-version: 1.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: global - dependency-name: github.com/stretchr/testify dependency-version: 1.11.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: global ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 7, 2025

dependabot bot force-pushed the dependabot/go_modules/global-16f237f18a branch from eac36ea to c40a75c Compare November 21, 2025 21:18

dependabot bot force-pushed the dependabot/go_modules/global-16f237f18a branch from c40a75c to a68d4e4 Compare November 24, 2025 17:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the global group across 1 directory with 4 updates #70

Bump the global group across 1 directory with 4 updates #70

dependabot bot commented on behalf of github Oct 7, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Oct 7, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Oct 7, 2025 •

edited

Loading

Uh oh!

emlowe commented Nov 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Bump the global group across 1 directory with 4 updates #70

Are you sure you want to change the base?

Bump the global group across 1 directory with 4 updates #70

Conversation

dependabot bot commented on behalf of github Oct 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.16.3

What's Changed

v1.10.1

🐛 Fix

v1.10.0

What's Changed

🚨 Attention!

✨ Features

🐛 Fix

🪠 Testing

📝 Docs

New Contributors

v1.21.0

What's Changed

Enhancements 🚀

Bug Fixes 🐛

Dependency Updates ⬆️

Other Changes

New Contributors

v1.11.1

What's Changed

v1.11.0

What's Changed

Functional Changes

Fixes

Documentation, Build & CI

Uh oh!

socket-security bot commented Oct 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Oct 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

emlowe commented Nov 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Oct 7, 2025 •

edited

Loading

socket-security bot commented Oct 7, 2025 •

edited

Loading

socket-security bot commented Oct 7, 2025 •

edited

Loading