🌱 Bump github.com/google/osv-scanner from 1.4.3 to 1.5.0 #3716
Conversation
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.3 to 1.5.0.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.4.3...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Codecov Report
Additional details and impacted files

```
@@            Coverage Diff             @@
##             main    #3716      +/-   ##
==========================================
- Coverage   75.21%   70.86%   -4.35%
==========================================
  Files         213      213
  Lines       14557    14557
==========================================
- Hits        10949    10316     -633
- Misses       2971     3638     +667
+ Partials      637      603      -34
```
I'd be curious what difference this makes before merging. I think it's a good one, just would like to investigate this more than your typical dependabot change.

/scdiff generate Vulnerabilities
> with call analysis for Go enabled by default

> I'd be curious what difference this makes before merging. I think it's a good one, just would like to investigate this more than your typical dependabot change.

It seems call analysis is on by default only for the CLI, whereas we use `osvscanner.DoScan` as our entrypoint. So we'd need to pass additional arguments to enable call analysis, which is something we should consider separately.
Bumps github.com/google/osv-scanner from 1.4.3 to 1.5.0.
Release notes
Sourced from github.com/google/osv-scanner's releases.
Changelog
Sourced from github.com/google/osv-scanner's changelog.
Commits
- 060799c Add changelog for version 1.5.0 (#692)
- 6d2154f Fix go mod (#691)
- b2e8e85 chore(deps): lock file maintenance (#653)
- 41a9c5b refactor: switch golang.org/x/exp/slices usages to stdlib (#690)
- 56a6590 Include available formats in `--format` help message (#685)
- 979ca0b chore(deps): update golang:alpine docker digest to 70afe55 (#687)
- d5052e7 chore(deps): update alpine:3.18 docker digest to 34871e7 (#686)
- 289f653 fix(deps): update osv-scanner minor (#688)
- b7ef0d7 Add `osv-scanner` pre-commit hook (#669)
- 9b4d714 Fix goreleaser build (#683)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)