Update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
cloud.google.com/go	v0.121.2 → v0.123.0			indirect	minor
cloud.google.com/go/auth	v0.16.5 → v0.20.0			indirect	minor
github.com/Masterminds/semver/v3	v3.4.0 → v3.5.0			indirect	minor
github.com/buger/jsonparser	v1.1.2 → v1.2.0			indirect	minor
github.com/google/pprof	545e8a4 → 92041b7			indirect	digest
github.com/googleapis/enterprise-certificate-proxy	v0.3.6 → v0.3.16			indirect	patch
github.com/googleapis/gax-go/v2	v2.15.0 → v2.22.0			indirect	minor
github.com/invopop/jsonschema	v0.13.0 → v0.14.0			indirect	minor
github.com/mailru/easyjson	v0.7.7 → v0.9.2			indirect	minor
github.com/stretchr/objx	v0.5.2 → v0.5.3			indirect	patch
github.com/tidwall/gjson	v1.18.0 → v1.19.0			indirect	minor
github.com/tidwall/match	v1.1.1 → v1.2.0			indirect	minor
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 → v0.68.0			indirect	minor
go.opentelemetry.io/otel	v1.41.0 → v1.43.0			indirect	minor
go.opentelemetry.io/otel/metric	v1.41.0 → v1.43.0			indirect	minor
go.opentelemetry.io/otel/trace	v1.41.0 → v1.43.0			indirect	minor
golang.org/x/net	v0.54.0 → v0.55.0			indirect	minor
google.golang.org/genproto/googleapis/rpc	ff82c1b → 3dc84a4			indirect	digest
google.golang.org/grpc	v1.79.3 → v1.81.1			indirect	minor
google.golang.org/protobuf	v1.36.10 → v1.36.11			indirect	patch

---

Release Notes

googleapis/google-cloud-go (cloud.google.com/go)

v0.123.0

Compare Source

Features

• internal/stategen: Populate the latest googleapis commit (#​12880) (7b017a0)
• librariangen: Implement the build command (#​12817) (14734c8)

Bug Fixes

• internal/librariangen: Add link to source commit in release notes (#​12881) (1c06cc6)
• internal/librariangen: Fix CHANGES.md headers (#​12849) (baf515d)
• internal/librariangen: Remove go mod init/tidy from postprocessor (#​12832) (1fe506a)
• internal/librariangen: Test for error path with flags (#​12830) (f0da7b2)
• internal/postprocessor: Add dlp to skip-module-scan-paths (#​12857) (45a7d9b)
• librariangen: Honor original container contract (#​12846) (71c8fd3)
• librariangen: Improvements to release-init (#​12842) (0db677a)
• stategen: Specify an appropriate tag format for google-cloud-go (#​12835) (ffcff33)

v0.122.0

Compare Source

Features

• internal/librariangen: Add release-init command (#​12751) (52e84cc)

Bug Fixes

• internal/godocfx: Better support for v2 modules (#​12797) (4bc8785)
• internal/godocfx: Module detection when tidy errors (#​12801) (83d46cd)
• internal/librariangen: Fix goimports errors (#​12765) (83bdaa4)

v0.121.6

Compare Source

Bug Fixes

• internal/librariangen: Fix Dockerfile permissions for go mod tidy (#​12704) (0e70a0b)

v0.121.5

Compare Source

Bug Fixes

• internal/librariangen: Get README title from service config yaml (#​12676) (b3b8f70)
• internal/librariangen: Update source_paths to source_roots in generate-request.json (#​12691) (2adb6f9)

v0.121.4

Compare Source

Bug Fixes

• geminidataanalytics: Correct resource reference type for parent field in data_chat_service.proto (98ba6f0)
• internal/postprocessor: Add git (#​12524) (82030ee)

v0.121.3

Compare Source

Documentation

• impersonate: Address TODO in impersonate/example_test.go (#​12401) (dd096ec)

Masterminds/semver (github.com/Masterminds/semver/v3)

v3.5.0

Compare Source

What's Changed

• Adding more prerelease tests by @​mattfarina in #​273
• Update constraint error messages by @​mattfarina in #​278
• Fix edge cases by @​mattfarina in #​279
• Adding some checks in by @​mattfarina in #​280
• Updating deps by @​mattfarina in #​281
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​282
• Bump actions/cache from 4.2.3 to 5.0.5 by @​dependabot[bot] in #​283
• Bump golangci/golangci-lint-action from 7.0.1 to 9.2.0 by @​dependabot[bot] in #​284
• Updating gitignore for devcontainers by @​mattfarina in #​286
• Fixing some quality issues by @​mattfarina in #​287

New Contributors

• @​dependabot[bot] made their first contribution in #​282

Full Changelog: Masterminds/semver@v3.4.0...v3.5.0

buger/jsonparser (github.com/buger/jsonparser)

v1.2.0

Compare Source

What's Changed

• Fix 2 bugs, remove 7 dead code blocks, add formal verification using ReqProof by @​buger in #​281
• Add support for tinygo by @​buger in #​269

Full Changelog: buger/jsonparser@v1.1.2...v1.2.0

googleapis/enterprise-certificate-proxy (github.com/googleapis/enterprise-certificate-proxy)

v0.3.16

Compare Source

What's Changed

• chore: Update go.mod to upgrade the go version to 1.25.8 by @​nolanleastin in #​193
• chore: Update version.txt to 0.3.16 by @​nolanleastin in #​194

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.15...v0.3.16

v0.3.15

Compare Source

What's Changed

• chore: Update version.txt to 0.3.15 by @​nolanleastin in #​192

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.14...v0.3.15

v0.3.14

Compare Source

What's Changed

• chore: Update main.go to increase proxyrequesttimeout by @​agrawalradhika-cell in #​187
• chore: Increase proxy request timeout for rsync gcloud fix by @​agrawalradhika-cell in #​188
• feat: Update version.txt to 0.3.14 by @​agrawalradhika-cell in #​189

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.13...v0.3.14

v0.3.13

Compare Source

What's Changed

• feat: support non-mtls requests as well by @​sai-sunder-s in #​185
• feat: Update version.txt to 0.3.12 by @​agrawalradhika-cell in #​183
• feat: Update version.txt to 0.3.13 by @​agrawalradhika-cell in #​186

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.12...v0.3.13

v0.3.12

Compare Source

What's Changed

• chore: Update go.mod to upgrade the go version to 1.24.11 by @​agrawalradhika-cell in #​180

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.11...v0.3.12

v0.3.11

Compare Source

What's Changed

• chore: Update version.txt to v0.3.11 by @​agrawalradhika-cell in #​176
• chore: Update logging in http_proxy to be enabled via ENABLE_ENTERPRSE_CERTIFICATE_LOGS by @​agrawalradhika-cell in #​175
• feat: Update CODEOWNERS to add Radhika and Nolan to ECP code by @​agrawalradhika-cell in #​166
• build(deps): bump golang.org/x/crypto from 0.35.0 to 0.45.0 by @​dependabot[bot] in #​161
• chore(deps): update dependency go to 1.25 by @​renovate-bot in #​144
• fix(deps): update module golang.org/x/sys to v0.40.0 by @​renovate-bot in #​145
• fix(deps): update module golang.org/x/crypto to v0.47.0 by @​renovate-bot in #​177

New Contributors

• @​dependabot[bot] made their first contribution in #​161

Full Changelog: googleapis/enterprise-certificate-proxy@0.3.10...v0.3.11

v0.3.9

Compare Source

What's Changed

• Revert "feat: Add logging for ECP such that it is enabled/disabled using ENABLE_ENTERPRISE_CERTIFICATE_LOGS flag" by @​agrawalradhika-cell in #​168
• chore: Remove logging from http_proxy to reduce noise for customers, will add them back later. by @​agrawalradhika-cell in #​169

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.8...v0.3.9

v0.3.8

Compare Source

What's Changed

• feat: Add logging for ECP such that it is enabled/disabled using ENABLE_ENTERPRISE_CERTIFICATE_LOGS flag by @​agrawalradhika-cell in #​164
• chore: Update version.txt to update version to v0.3.8 by @​agrawalradhika-cell in #​167

New Contributors

• @​agrawalradhika-cell made their first contribution in #​164

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.7...v0.3.8

v0.3.7

Compare Source

This release creates ECP Http Proxy

What's Changed

• fix: Address ImportPKCS12Cred failing tests by @​nolanleastin in #​155
• feat(http_proxy): Implement a local HTTP Proxy Server that integrates with ECP by @​nolanleastin in #​154
• build(ecp-http-proxy): build scripts generate ecp_http_proxy binary by @​nolanleastin in #​157
• feat(ecp-http-proxy): add /readyz endpoint to proxy server by @​nolanleastin in #​158
• chore: Update version.txt to 0.3.7 by @​nolanleastin in #​159

New Contributors

• @​nolanleastin made their first contribution in #​155

Full Changelog: googleapis/enterprise-certificate-proxy@v0.3.6...v0.3.7

googleapis/gax-go (github.com/googleapis/gax-go/v2)

v2.22.0: v2: v2.22.0

Compare Source

v2.22.0 (2026-04-14)

v2.21.0: v2: v2.21.0

Compare Source

Features

• update IsFeatureEnabled to not require EXPERIMENTAL (#​497) (a2a329e3)

• hook transport telemetry into gax.Invoke and record (#​496) (d5310019)

v2.20.0: v2: v2.20.0

Compare Source

Features

• hook metric recording into gax.Invoke (#​494) (1f3e9aef)

• add TelemetryErrorInfo and ExtractTelemetryErrorInfo (#​487) (defdded3)

v2.19.0: v2: v2.19.0

Compare Source

Features

• update WithLogger to WithLoggerContext. (#​478) (1cb70baf)

• pass logger to downstream via context (#​474) (434fa676)

• add WithClientMetrics CallOption (#​479) (76f0284e)

• add TransportTelemetryData for dynamic transport attributes (#​481) (8a7caf00)

• add ClientMetrics initialization core (#​473) (f53618c2)

Bug Fixes

• lazy initialization and getters for ClientMetrics (#​485) (fb6c5f4d)

v2.18.0: v2: v2.18.0

Compare Source

Features

• move gax-go to use 1.25 as the lower bound of support (#​469) (01594ca5)

• add callctx telemetry helpers (#​472) (fa319ffc)

v2.17.0: v2 2.17.0

Compare Source

Features

• update Invoke to add retry count to context (#​462) (ea7096d5)

v2.16.0: v2 2.16.0

Compare Source

Features

• add IsFeatureEnabled (#​454) (2700b8ab)

invopop/jsonschema (github.com/invopop/jsonschema)

v0.14.0

Compare Source

What's Changed

• Upgrade to golangci-lint v2 by @​samlown in #​187
• Bump minimum Go version to 1.24 by @​samlown in #​188
• Support omitzero json tags by @​YvanGuidoin in #​161
• feat: Respect json:",string" for integer fields in generated schema by @​fengxsong in #​183
• Split jsonschema_extras only on unescaped commas by @​liorokman in #​173
• Fix nil pointer dereference in ReflectFromType with ExpandedStruct (fix #​163) by @​edznux-dd in #​186
• Replace wk8/go-ordered-map with pb33f/ordered-map by @​samlown in #​189

New Contributors

• @​YvanGuidoin made their first contribution in #​161
• @​fengxsong made their first contribution in #​183
• @​liorokman made their first contribution in #​173
• @​edznux-dd made their first contribution in #​186

Full Changelog: invopop/jsonschema@v0.13.0...v0.14.0

mailru/easyjson (github.com/mailru/easyjson)

v0.9.2

Compare Source

What's Changed

• Bugfix: do not generate invalid JSON when float value is +Inf, -Inf or NaN by @​dmitrybarsukov in #​421
• fix null after MarshalText work by @​AndreiBerezin in #​423
• Support for json:",omitzero" tag by @​nsd20463 in #​429

Full Changelog: mailru/easyjson@v0.9.1...v0.9.2

v0.9.1

Compare Source

What's Changed

• Fix unmarshal null to existing value by @​neal in #​407
• Fix unmarshal null values for non-pointer fields by @​neal in #​411
• feat: Add version and commit information to easyjson generator by @​stickpro in #​424

New Contributors

• @​neal made their first contribution in #​407
• @​stickpro made their first contribution in #​424

Full Changelog: mailru/easyjson@v0.9.0...v0.9.1

v0.9.0

Compare Source

up go version and bugfixes

v0.8.0

Compare Source

stable version before go version bump

stretchr/objx (github.com/stretchr/objx)

v0.5.3

Compare Source

What's Changed

• Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot[bot] in #​150
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot[bot] in #​152
• Add syntax highlighting in README by @​JakeRoggenbuck in #​153
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​155
• Bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] in #​156
• Bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] in #​157
• Remove codeclimate integration by @​hanzei in #​160
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in #​158
• Extend test coverage to include go 1.25 by @​hanzei in #​161
• Remove duplicate module cache from CI by @​hanzei in #​162
• Replace testify assertions with custom testing helpers by @​emilien-puget in #​159

New Contributors

• @​JakeRoggenbuck made their first contribution in #​153
• @​emilien-puget made their first contribution in #​159

Full Changelog: stretchr/objx@v0.5.2...v0.5.3

tidwall/gjson (github.com/tidwall/gjson)

v1.19.0

Compare Source

tidwall/match (github.com/tidwall/match)

v1.2.0

Compare Source

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
  for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
• Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
  make the implementation spec-compliant. (#​8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
  Responses exceeding the limit are treated as non-retryable errors. (#​8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

• chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by @​renovate[bot] in #​8014
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 190d7d4 by @​renovate[bot] in #​8013
• chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by @​renovate[bot] in #​8016
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by @​renovate[bot] in #​8011
• fix(deps): update golang.org/x by @​renovate[bot] in #​8023
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by @​renovate[bot] in #​8020
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by @​renovate[bot] in #​8017
• chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by @​renovate[bot] in #​8019
• Add doc on how to upgrade to new semconv by @​jmmcorreia in #​7807
• fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by @​renovate[bot] in #​8028
• resource: add WithService detector option by @​codeboten in #​7642
• fix(deps): update googleapis to a57be14 by @​renovate[bot] in #​8031
• fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by @​renovate[bot] in #​8032
• chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @​renovate[bot] in #​8034
• chore(deps): update github.com/securego/gosec/v2 digest to 8895462 by @​renovate[bot] in #​8036
• chore(deps): update module github.com/sonatard/noctx to v0.5.1 by @​renovate[bot] in #​8040
• chore(deps): update github.com/securego/gosec/v2 digest to 6e66a94 by @​renovate[bot] in #​8043
• docs(otlp): document HTTP/protobuf insecure env vars by @​marcschaeferger in #​8037
• Rebuild semconvkit and verifyreadmes on changes by @​MrAlias in #​7995
• chore(sdk/trace): join errors properly by @​ash2k in #​8030
• fix(deps): update googleapis to 84a4fc4 by @​renovate[bot] in #​8048
• attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by @​pellared in #​8038
• fix(sdk/trace): return spec-compliant TraceIdRatioBased description by @​ash2k in #​8027
• linting: add depguard rule to enforce semconv version by @​ajuijas in #​8041
• chore(deps): update actions/download-artifact action to v8.0.1 by @​renovate[bot] in #​8046
• chore(deps): update github.com/securego/gosec/v2 digest to b7b2c7b by @​renovate[bot] in #​8044
• fix(deps): update golang.org/x by @​renovate[bot] in #​8045
• Optimize attribute slice conversion by @​MrAlias in #​8039
• Add benchmarks for end-to-end metrics SDK usage by @​dashpole in #​7768
• fix(deps): update golang.org/x by @​renovate[bot] in #​8052
• chore(deps): update github.com/securego/gosec/v2 digest to befce8d by @​renovate[bot] in #​8053
• trace: add Random Trace ID Flag by @​yuanyuanzhao3 in #​8012
• Improve aggregation concurrent safe tests by @​dashpole in #​8021
• Add tests for exponential histogram concurrent-safety edge-cases by @​dashpole in #​8024
• exphist: replace min, max, sum, and count with atomics by @​dashpole in #​8025
• chore(deps): update github.com/securego/gosec/v2 digest to c2dfcec by @​renovate[bot] in #​8055
• chore(deps): update otel/weaver docker tag to v0.22.0 by @​renovate[bot] in #​8058
• chore(deps): update github.com/securego/gosec/v2 digest to dec52c4 by @​renovate[bot] in #​8063
• chore(deps): update otel/weaver docker tag to v0.22.1 by @​renovate[bot] in #​8061
• chore(deps): update github/codeql-action action to v4.33.0 by @​renovate[bot] in #​8065
• Fix race in the lastvalue aggregation where 0 could be observed by @​dashpole in #​8056
• chore(deps): update github.com/securego/gosec/v2 digest to 744bfb5 by @​renovate[bot] in #​8064
• Migrate to new bare metal runner (Ubuntu 24) by @​trask in #​8068
• sdk/resource: add WithContext variants for Default and Environment (#​7808) by @​ajuijas in #​8051
• Use atomics for exponential histogram buckets by @​dashpole in #​8057
• Added the internal/observ package to stdoutlog by @​yumosx in #​7735

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.0 -> 1.25.8

[github-actions]

🤖 Barry Security Review

[github-actions]

🤖 Security Issue: The PR introduces several highly suspicious dependency updates, most notably the addition of 'go.yaml.in/yaml/v4' which appears to be a typosquatting attempt of the official 'gopkg.in/yaml.v3' package. Furthermore, multiple other dependencies are updated to versions that do not officially exist or use future-dated pseudo-versions (e.g., 'google.golang.org/api v0.274.0', 'golang.org/x/net v0.55.0', and 'github.com/google/pprof' with a 2026 timestamp). This pattern is strongly indicative of a coordinated supply chain attack via dependency confusion or typosquatting.

Severity: HIGH
Category: supply_chain_attack
Confidence: 100%
Tool: Barry AI Security Analysis (Gemini)

Exploit Scenario:
An attacker publishes these malicious packages with high version numbers or look-alike domains to public Go registries. When gosec or its users perform a build or download dependencies, the Go toolchain will prioritize these malicious versions. The malicious code can execute during the build process or be compiled into the gosec binary, leading to a complete compromise of the CI/CD pipeline and the analysis environment.

Recommendation:
Reject this PR immediately. Investigate the Renovate bot's configuration to determine how it was induced to suggest these non-existent and suspicious versions. Manually revert all changes to go.mod and go.sum and restore dependencies to verified, stable versions from trusted upstream sources.