chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Update
github.com/anchore/syft	v1.42.0 → v1.42.1					patch
github.com/cli/cli/v2	v2.86.0 → v2.87.0					minor
github.com/golangci/golangci-lint/v2	v2.9.0 → v2.10.1					minor
rclone/rclone	v1.73.0 → v1.73.1					patch
vmware-tanzu/carvel-ytt	v0.53.0 → v0.53.1					patch

---

Release Notes

anchore/syft (github.com/anchore/syft)

v1.42.1

Compare Source

Bug Fixes

• Use redhat as namespace for hummingbird rpms [#​4615 @​scoheb]
• False Positive: Emacs snap package version CVE-2024-39331 [#​4485]

Additional Changes

• call cleanup on tmpfile and replace some io.ReadAlls with streams [#​4629 @​willmurphyscode]
• bumps go mod version to 1.25; ci takes latest patch [#​4628 @​spiffcs]

(Full Changelog)

cli/cli (github.com/cli/cli/v2)

v2.87.0: GitHub CLI 2.87.0

Compare Source

gh workflow run immediately returns workflow run URL

One of our most requested features - with the latest changes in GitHub API, gh workflow run will immediately print the created workflow run URL.

Improved gh auth login experience in VM/WSL environments

We have observed rare cases of time drift between the wall and monotonic clocks, mostly in WSL or VM environments, causing failures during polling for the OAuth token. This new release implements measures to account for such situations.

If you continue to experience gh auth login issues in WSL, please comment in #​9370

Request Copilot Code Review from gh + performance improvements

gh pr edit now supports Copilot Code Review as a reviewer. You can request a review from Copilot using the --add-reviewer @​copilot flag or interactively by selecting reviewers in the prompts.

This release also introduces a new search experience for selecting reviewers and assignees in gh pr edit. Instead of loading all collaborators and teams upfront, results are now fetched based on inputs to a new search option. Initial options are suggestions based on those involved with the pull request already.

? Reviewers  [Use arrows to move, space to select, <right> to all, <left> to none, type to filter]
  [ ]  Search (7472 more)
  [x]  BagToad (Kynan Ware)
> [x]  Copilot (AI)

This experience will follow in gh pr create and gh issue for assignees in a later release.

What's Changed

✨ Features

• Bundle licenses at release time by @​williammartin in #​12625
• Add --query flag to project item-list by @​williammartin in #​12696
• feat(workflow run): retrieve workflow dispatch run details by @​babakks in #​12695
• Pin REST API version to 2022-11-28 by @​williammartin in #​12680
• Respect --exit-status with --log and --log-failed in run view by @​williammartin in #​12679
• Fork with default branch only during pr create by @​williammartin in #​12673
• gh pr edit: Add support for Copilot as reviewer with search capability, performance and accessibility improvements by @​BagToad in #​12567
• gh pr edit: new interactive prompt for assignee selection, performance and accessibility improvements by @​BagToad in #​12526

📚 Docs & Chores

• Clean up project item-list query addition changes by @​williammartin in #​12714
• gh release upload: Clarify --clobber flag deletes assets before re-uploading by @​BagToad in #​12711
• Add usage examples to gh gist edit command by @​BagToad in #​12710
• Remove feedback issue template by @​BagToad in #​12708
• Migrate issue triage workflows to shared workflows by @​BagToad in #​12677
• Migrate PR triage workflows to shared workflows by @​BagToad in #​12707
• Add missing TODO comments for featuredetection if-statements by @​BagToad in #​12701
• Add manual dispatch to bump-go workflow by @​BagToad in #​12631
• typo: dont to don't by @​cuiweixie in #​12554
• Fix fmt.Errorf format argument in ParseFullReference by @​mikelolasagasti in #​12516
• Lint source.md by @​Sethispr in #​12521

Dependencies

• chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​12468
• chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 by @​dependabot[bot] in #​12616
• Bump go to 1.25.7 by @​BagToad in #​12630
• chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @​dependabot[bot] in #​12629
• chore: bump cli/oauth to v1.2.2 by @​babakks in #​12573
• update Go to 1.25.6 by @​BagToad in #​12580
• chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @​dependabot[bot] in #​12558
• chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @​dependabot[bot] in #​12524
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 by @​dependabot[bot] in #​12555
• chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.4 to 2.13.7 by @​dependabot[bot] in #​12469
• chore(deps): bump github.com/sigstore/sigstore from 1.10.0 to 1.10.4 by @​dependabot[bot] in #​12525
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 by @​dependabot[bot] in #​12515
• chore(deps): bump actions/download-artifact from 6 to 7 by @​dependabot[bot] in #​12314
• chore(deps): bump actions/upload-artifact from 5 to 6 by @​dependabot[bot] in #​12315
• chore(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.4.0 by @​dependabot[bot] in #​12354

New Contributors

• @​Sethispr made their first contribution in #​12521
• @​cuiweixie made their first contribution in #​12554

Full Changelog: cli/cli@v2.86.0...v2.87.0

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.10.1

Compare Source

Released on 2026-02-17

1. Fixes
   • buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

1. Linters new features or changes
   • ginkgolinter: from 0.22.0 to 0.23.0
   • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
   • staticcheck: from 0.6.1 to 0.7.0
2. Linters bug fixes
   • godoclint: from 0.11.1 to 0.11.2

rclone/rclone (rclone/rclone)

v1.73.1: rclone v1.73.1

Compare Source

This is the v1.73.1 release of rclone.

Full details of the changes can be found in the changelog.

vmware-tanzu/carvel-ytt (vmware-tanzu/carvel-ytt)

v0.53.1

Compare Source

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/ytt-linux-amd64

# Move the binary in to your PATH
mv kapp-linux-amd64 /usr/local/bin/ytt

# Make the binary executable
chmod +x /usr/local/bin/ytt

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install ytt
$ ytt version  

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC(Refer this page for cosign installation). To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/ytt/releases/download/v0.53.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

• Bump golang to 1.25.7 to fix CVEs in #​976 from @​CodesbyUnnati

Full Changelog: carvel-dev/ytt@v0.53.0...v0.53.1

📂 Files Checksum

2eaafe06d5e22203da2b74819685f9fd06ddc0a5cd38afc458821824990c78c0  ./ytt-darwin-arm64
36adcaa1f02681b0e7ceb73bda70ab11e3880588b51a188fd0318f6009bdeb36  ./ytt-windows-amd64.exe
5e479410a478385f6209624765e21c9880c07c6528ce6ed5e3dcca1e8b4a5677  ./ytt-linux-arm64
6b250c85d94b6b0643a58129ebf37244edb519fb9bc4aded1a8508d542d94ed3  ./ytt-linux-riscv64
764dadb577e680fa8fd09a28d281c570cb0e75accebb2ab0a328ab24b4032cfe  ./ytt-darwin-amd64
cf675039fa1bde77ebd12ed79eeaa698f7d9862a2b5fd82078260974ec311649  ./ytt-windows-arm64.exe
ecdc1439e52139335e42a23d1aa8941f575c52e70e58da709d2bad5038ecadae  ./ytt-linux-amd64

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jakexks for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment