chore: update dependencies

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
cgr.dev/chainguard/wolfi-base		digest	31da656 → 5743937
cloudflare/cloudflared		patch	2026.5.0 → 2026.5.1
github.com/anchore/grype	indirect	minor	v0.111.0 → v0.112.0
github.com/anchore/syft	indirect	minor	v1.42.4 → v1.44.0
github.com/dsseng/syft	replace	patch	v1.42.4-0.20260415171054-31b9430f030f → v1.42.4
golang.org/x/sys	require	minor	v0.43.0 → v0.45.0
google/gvisor		minor	20260427.0 → 20260520.0
https://github.com/qemu/qemu.git		patch	11.0.0 → 11.0.1
https://gitlab.gnome.org/GNOME/glib.git		minor	2.88.1 → 2.89.0
netbirdio/netbird		patch	0.71.2 → 0.71.4
nvidia/nvidia-container-toolkit		patch	v1.19.0 → v1.19.1
tailscale/tailscale		patch	1.98.2 → 1.98.3

---

Release Notes

cloudflare/cloudflared (cloudflare/cloudflared)

v2026.5.1

Compare Source

anchore/grype (github.com/anchore/grype)

v0.112.0

Compare Source

Added Features

• Expand ignore rules to owned sub packages of distro packages [#​3368 #​3326 @​kzantow]

Additional Changes

• update anchore dependencies [#​3391 @​anchore-oss-update-bot]

(Full Changelog)

v0.111.1

Compare Source

Bug Fixes

• apply overlap by ownership removal to dynamically created relationships [#​3363 @​kzantow]
• compare mismatched package / db versions [#​3372 @​kzantow]
• Grype doesn't recognize debian component when "group" : "debian" is specified [#​2967]
• HelpURI missing information in SARIF output [#​2874 #​3351 @​will-bates11]

(Full Changelog)

anchore/syft (github.com/anchore/syft)

v1.44.0

Compare Source

Added Features

• Add support for linux-riscv64 [#​4757 @​luhenry]

Bug Fixes

• Yarn lockfile cataloguing does not handle aliases [#​4833 #​4836 @​cyphercodes]
• Some snippet files are saved in the previous test directory [#​4829 #​4830 @​witchcraze]
• empty rockspec causes index out of range [#​4824 #​4827 @​aki1770-del]
• PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#​4813 #​4814 @​rezmoss]
• Syft safeCopy silently swallows archive decompression errors [#​4806 #​4807 @​SAY-5]

(Full Changelog)

v1.43.0

Compare Source

Added Features

• added deno bin classifiers [#​4677 @​rezmoss]
• Support haskell old versions [#​3237 #​4793 @​witchcraze]
• Add support for OpenLDAP binary detection [#​4768 #​4755 @​nadimz]
• Support erlang ols versions [#​3235 #​4766 @​witchcraze]

Bug Fixes

• improve redhat-release parsing fallback for RHEL clones [#​4808 @​westonsteimel]
• fix format string in search results struct [#​4775 @​willmurphyscode]
• prevent infinite recursion in Document.UnmarshalJSON with encoding/json/v2 [#​4748 @​benja-M-1]
• Syft can not complete scanning golang image [#​4686]
• javascript-package-cataloger drops entire package.json when authors/contributors/maintainers is a single string [#​4778 #​4779 @​yoav-orca]
• pnpm lock file cataloger produces unstable output [#​4648 #​4765 @​lawrence3699]
• Linux Kernel bzImage and zImage not cataloged by linux-kernel-cataloger [#​4769 #​4751 @​nadimz]
• Support istio binary (pilot-discovery, pilot-agent) alpha,beta,rc,dev version [#​4546 #​4645 @​witchcraze]
• Scanning mounted ISO: duplicate entries [#​4759]

Additional Changes

• update CPE dictionary index [#​4767 @​anchore-oss-update-bot]

(Full Changelog)

dsseng/syft (github.com/dsseng/syft)

v1.42.4

Compare Source

google/gvisor (google/gvisor)

v20260520.0

Compare Source

v20260511.0

Compare Source

v20260504.0

Compare Source

qemu/qemu (https://github.com/qemu/qemu.git)

v11.0.1

Compare Source

GNOME/glib (https://gitlab.gnome.org/GNOME/glib.git)

v2.89.0

Compare Source

Overview of changes in GLib 2.89.0, 2026-05-20

• Fix miscompilation with GCC 16 due to GLib’s use of the wrong function
  attribute (!5145, work by Sam James)

• Integrate better with the System Trash on macOS (#​1161, work by Byoungchan Lee)

• Add g_set_strv(), g_set_strv_take() and g_set_str_take() convenience
  functions (#​3907, !5118, work by Christian Hergert and Philip Withnall)

• Fix flag confusion security issue when using GRegex with G_REGEX_RAW which
  can result in unbounded out-of-bounds heap reads off the start of a regex
  input string (#​3919, work by linhlhq)

• Fix various minor (low severity) security issues, typically one-to-five-byte
  out-of-bounds reads (#​3915, #​3916, #​3917, #​3918, #​3930) or ones relying on
  very specific (and unlikely) API calls (#​3925) or ones relying on
  discouraged P2P D-Bus configurations (#​3931, #​3933) (work by linhlhq)

• Add support for GTypeInstance-derived types in generic marshaller (#​3954,
  work by Christian Hergert)

• Change g_get_num_processors() to report number of performance cores, rather
  than number of performance+low-power cores on macOS (!5153, work by John Cupitt)

• Add support for XDG_PROJECTS_DIR special directory (!5141, work by
  Emmanuele Bassi and Jakub Steiner)

• Bugs fixed:

  • #​1161 g_file_trash() Files not moved to System Trash on Mac OSX
  • #​1853 DBus activated GApplications and G_APPLICATION_HANDLES_OPEN (Guido
    Günther)
  • #​2173 g_ascii_strtod() spec doesn't match C99/C11 standard for underflow
    behavior (depuc8)
  • #​3069 gio/trash test fails on macOS
  • #​3791 g_error causes -Wanalyzer-infinite-loop warnings in downstream code
    (correctmost)
  • #​3854 GRegex uses int for string length (Philip Withnall)
  • #​3907 Add g_set_strv() helper similar to g_set_str() (Christian Hergert)
  • #​3911 GMarkup chokes on BOM
  • #​3915 (#YWH-PGM9867-190) Buffer Over-read on GLib through glib/gvariant-
    serialiser.c:1253 via gvs_tuple_is_normal() (Philip Withnall)
  • #​3916 (#YWH-PGM9867-187) OOB Read on GLib through
    glib/gmarkup.c:g_markup_escape_text() via
    glib/gmarkup.c:append_escaped_text() (Philip Withnall)
  • #​3917 (#YWH-PGM9867-191) OOB Read on GLib through
    glib/gdatetime.c:g_date_time_get_ymd via invalid GDateTime (Philip
    Withnall)
  • #​3918 (#YWH-PGM9867-193) Buffer Over-read on GLib's g_regex_replace()
    through glib/gregex.c:string_append() via g_utf8_next_char() (Philip
    Withnall)
  • #​3919 (#YWH-PGM9867-194) Buffer Over-read on GLib through
    glib/gregex.c:g_regex_split_full() via glib/gutf8.c:g_utf8_prev_char()
    (Philip Withnall)
  • #​3925 (#YWH-PGM9867-199) Buffer Over-read on GLib through glib/giochannel.c
    via "g_io_channel_read_line_backend" (Philip Withnall)
  • #​3930 (#YWH-PGM9867-200) Off-by-one Error on GLib through glib/gkeyfile.c
    via "g_key_file_get_locale_string_list" (Philip Withnall)
  • #​3931 (#YWH-PGM9867-203) Path Traversal on GLib DBus through
    glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry,
    mechanism_client_data_receive (COOKIE_SHA1 Client Authentication) leads to
    Arbitrary File Read (Philip Withnall)
  • #​3932 (#YWH-PGM9867-204) Integer Underflow (CWE-191) on GLib through
    gio/gdbusintrospection.c via "g_dbus_node_info_new_for_xml" (Philip
    Withnall)
  • #​3933 Integer overflow in g_dbus_message_bytes_needed() bypasses 128 MiB
    size check (pre-auth DoS on P2P connections) (Philip Withnall)
  • #​3954 Generic marshaller lacks support for GTypeInstance derived types
    (Christian Hergert)
  • #​3958 FTBFS for vs2019-arm64 in libcharset due to undefined _CountOneBits64
  • !4990 gdbusauthmechanismsha1: Ignore G_DBUS_COOKIE_SHA1_KEYRING_DIR when
    suid
  • !5094 gtestdbus: Keep config file around until bus daemon exits
  • !5099 liststore: Micro-optimize no-op bulk operations
  • !5101 Update Serbian translation
  • !5102 g_base64_decode_step: fix documented type of in
  • !5103 gdbusmessage: Documentation improvements
  • !5105 docs: Expand docs for GLIB_VERSION_MAX_ALLOWED
  • !5106 gmarkup: Add api to get attribute locations
  • !5107 gmessages: Remove incorrect callback annotations
  • !5110 gmarkup: fix type of length parameter of text_validate()
  • !5111 Update Russian translation
  • !5112 docs: Clarify default/user signal handlers
  • !5113 Update Polish translation
  • !5114 docs: Remove myself from CODEOWNERS
  • !5115 build: Post-release version bump
  • !5116 Update Slovenian translation
  • !5117 fuzzing: Add a fuzz test for g_markup_escape_text()
  • !5118 gstrfuncs: Add g_set_str_take() helper function
  • !5119 tests: Check that g_markup_escape_text() returns something parseable
  • !5120 Update Chinese (China) translation
  • !5121 gio: Apply property accessor annotations to GDBus types
  • !5123 Update Romanian translation
  • !5124 gvariant: Tweak GVariantIter heap allocation casting
  • !5125 gregex: Fix some missing Markdown formatting in docs
  • !5126 Add missing annotations
  • !5127 libffi: don't build testsuite when building as subproject
  • !5128 gmarkup: Swap the argument order for g_realloc_n()
  • !5136 docs: Clarify UTF-8 validity for functions which accept a length
  • !5138 Update Slovenian translation
  • !5140 Update Romanian translation
  • !5141 Support XDG_PROJECTS_DIR
  • !5142 gsocketconnection: Fix annotations for get_socket()
  • !5145 gvarianttype: use pure attribute, not inappropriate const
  • !5146 gmessages: Add missing stdlib.h include for abort()
  • !5148 registrysettingsbackend: Chain up vfuncs
  • !5149 gtype: Improve G_DEFINE and G_DECLARE docs
  • !5153 g_get_num_processors(): on macOS, report n_pcore
  • !5155 Update German translation
  • !5157 Update Dutch translation
  • !5158 gsocket: Fix g_socket_new_from_fd() on unbound sockets on windows
  • !5159 gvariant: Tweak GVariantIter heap allocation size
  • !5161 [docs] Gio.MenuModel: Fix bulleted list
  • !5162 gvariant: Match allocation size of g_slice_new to g_slice_free
  • !5163 gvariant test: Fix a leak
  • !5164 tests: Avoid undefined signed left-shift in bitlock test
  • !5167 docs: Add docs for G_GNUC_FLAG_ENUM
  • !5176 gnulib: Fix unused flags variable warning
  • !5177 gio/tests/pollable.c: Fix test on FreeBSD
  • !5180 meson: Add valgrind suppression file to VALGRIND_OPTS in devenv
  • !5182 Meson: Don't hardcode FFI_STATIC_BUILD / G_INTL_STATIC_COMPILATION
  • !5183 gio/tests/pollable.c: Conditionalize on FreeBSD version in the
    /dev/null test case
  • !5185 gio/gdesktopappinfo: Add precondition assertions
  • !5187 Add safety documentation regarding use of g_shell_quote()
  • !5188 Improve performance of g_array_maybe_expand()

• Translation updates:

  • Chinese (China) (luming zh)
  • Dutch (Nathan Follens)
  • German (Christian Kirbach)
  • Polish (Victoria Niedzielska)
  • Romanian (Antonio Marin)
  • Russian (Artur S0)
  • Serbian (Марко Костић)
  • Slovenian (Martin)

netbirdio/netbird (netbirdio/netbird)

v0.71.4

Compare Source

What's Changed

• [client] Revert legacy registry cleanup on Windows install by @​lixmal in #​6232

Full Changelog: netbirdio/netbird@v0.71.3...v0.71.4

v0.71.3

Compare Source

What's Changed

• [management] fix: device redirect uri wasn't registered by @​jnfrati in #​6191
• [management] Fence peer status updates with a session token by @​mlsmaycon in #​6193
• [management] Add metrics for peer status updates and ephemeral cleanup by @​mlsmaycon in #​6196
• [management] Ensure SessionStartedAt has a default value by @​mlsmaycon in #​6211
• [proxy] clusters API surfaces type, online status, and capability flags by @​mlsmaycon in #​6148
• [misc] Update contribution guidelines by @​mlsmaycon in #​6219
• [client] Bump macOS sleep callback timeout to 20s by @​lixmal in #​6220
• [doc] Clean up README by @​lixmal in #​6178
• [proxy] concurrent proxy snapshot apply by @​pascal-fischer in #​6207
• [management] scope network router update call by @​pascal-fischer in #​6222
• [client] Fix nil channel panic in external chain monitor stop by @​lixmal in #​6224

Full Changelog: netbirdio/netbird@v0.71.2...v0.71.3

nvidia/nvidia-container-toolkit (nvidia/nvidia-container-toolkit)

v1.19.1

Compare Source

NOTE: This release is a unified release of the NVIDIA Container Toolkit that consists of the following packages:

• libnvidia-container 1.19.1
• nvidia-container-toolkit 1.19.1

The packages for this release are published to the libnvidia-container package repositories.

What's Changed

• Fix the nvidia-cdi-refresh systemd unit conditions to work on WSL2.
• Remove the dependency on multi-user.target in the nvidia-cdi-refresh systemd service. For more information, see issue #​1735.
• The egl-wayland2 library and configuration file are now discovered and added to CDI specifications.
• Fix handling of the CUDA compat header on Orin systems.
• Fix default path used by nvidia-ctk and nvidia-ctk-installer for cri-o’s drop-in configuration directory.
• Add support for injecting /dev/dri* device nodes for MIG devices.
• Add disable-ipc-discoverer feature flag to the nvcdi library for disabling the discovery of IPC sockets.

tailscale/tailscale (tailscale/tailscale)

v1.98.3

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: internal/grype-scan/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 49 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/auth	v0.18.1 -> v0.18.2
cloud.google.com/go/storage	v1.60.0 -> v1.61.3
github.com/anchore/stereoscope	v0.1.22 -> v0.1.23
github.com/aws/aws-sdk-go-v2	v1.41.2 -> v1.41.5
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.4 -> v1.7.8
github.com/aws/aws-sdk-go-v2/config	v1.32.10 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.10 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.18 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.18 -> v1.4.21
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.18 -> v2.7.21
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.17 -> v1.4.22
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.5 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.8 -> v1.9.13
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.18 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.17 -> v1.19.21
github.com/aws/aws-sdk-go-v2/service/s3	v1.96.0 -> v1.97.3
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.6 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.11 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.15 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.7 -> v1.41.9
github.com/aws/smithy-go	v1.24.1 -> v1.24.2
github.com/containerd/containerd/v2	v2.2.1 -> v2.2.2
github.com/containerd/platforms	v1.0.0-rc.2 -> v1.0.0-rc.4
github.com/docker/cli	v29.3.0+incompatible -> v29.4.0+incompatible
github.com/go-git/go-git/v5	v5.17.0 -> v5.18.0
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/google/go-containerregistry	v0.21.3 -> v0.21.5
github.com/googleapis/enterprise-certificate-proxy	v0.3.11 -> v0.3.14
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.70 -> v2.0.0-beta.72
github.com/hashicorp/go-getter	v1.8.5 -> v1.8.6
github.com/moby/moby/api	v1.54.0 -> v1.54.1
github.com/moby/moby/client	v0.3.0 -> v0.4.0
github.com/openvex/go-vex	v0.2.7 -> v0.2.8
github.com/package-url/packageurl-go	v0.1.3 -> v0.1.5
go.opentelemetry.io/otel	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.43.0
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/mod	v0.34.0 -> v0.35.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
golang.org/x/tools	v0.43.0 -> v0.44.0
google.golang.org/api	v0.267.0 -> v0.271.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260226221140-a57be14db171