fix(deps): update osv-scanner minor

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
deps.dev/api/v3	v3.0.0-20251127011616-f763ce91ff53 → v3.0.0-20251219105704-58e32bc05c71			require	patch
deps.dev/api/v3alpha	f763ce9 → 58e32bc			require	digest
deps.dev/util/maven	f763ce9 → 58e32bc			require	digest
deps.dev/util/resolve	f763ce9 → 58e32bc			require	digest
deps.dev/util/semver	f763ce9 → 58e32bc			require	digest
github.com/BurntSushi/toml	v1.5.0 → v1.6.0			require	minor
github.com/goccy/go-yaml	v1.19.0 → v1.19.1			require	patch
github.com/jedib0t/go-pretty/v6	v6.7.7 → v6.7.8			require	patch
github.com/modelcontextprotocol/go-sdk	v1.1.0 → v1.2.0			require	minor
github.com/ossf/osv-schema/bindings/go	c18cb69 → 88c4875			require	digest
google.golang.org/grpc	v1.77.0 → v1.78.0			require	minor
osv.dev/bindings/go	bdb4de0 → d08ddeb			require	digest

---

Release Notes

BurntSushi/toml (github.com/BurntSushi/toml)

v1.6.0

Compare Source

TOML 1.1 is now enabled by default. The TOML changelog has an overview of changes: https://github.com/toml-lang/toml/blob/main/CHANGELOG.md

Also two small fixes:

• Encode large floats as exponent syntax so that round-tripping things like 5e+22 is correct.

• Using duplicate array keys would not give an error:

  arr = [1]
  arr = [2]
  

  This will now correctly give a "Key 'arr' has already been defined" error.

goccy/go-yaml (github.com/goccy/go-yaml)

v1.19.1: 1.19.1

Compare Source

What's Changed

• Fix decoding of integer keys of map type by @​goccy in #​829
• Support line comment for flow sequence or flow map by @​goccy in #​834

Full Changelog: goccy/go-yaml@v1.19.0...v1.19.1

jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)

v6.7.8

Compare Source

What's Changed

• progress: SortByIndex for better control of sorting by @​jedib0t in #​398
• progress: address race conditions in render/stop/trackers; fixes 399 by @​jedib0t in #​401

Full Changelog: jedib0t/go-pretty@v6.7.7...v6.7.8

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.2.0

Compare Source

This release is equivalent to v1.2.0-pre.2. Thank you to those who tested the prerelease.

This release adds partial support for the 2025-11-25 version of the MCP spec and fixes some bugs in the streamable transports. It also includes some minor new APIs, changes to contributing flows, and small bugfixes.

Contributing changes

• CONTRIBUTING.md is updated to remove the ad-hoc antitrust policy (#​651), and add a dependency update policy (#​635).
• An example server (examples/server/conformance) is added for the new conformance tests at modelcontextprotocol/conformance. Test can be run with scripts/conformance.sh (#​650).

Partial support for the 2025-11-25 spec

The following SEPs from the 2025-11-25 spec are now supported. Please see #​725 for the proposed API additions included to support these SEPs.

• SEP-973: icons and metadata (#​570)
• SEP-986: tool name validation (#​640)
• SEP-1024: elicitation defaults (#​644)
• SEP-1036: URL mode elicitation (#​646)
• SEP-1699: SSE polling (#​663)
• SEP-1330: elicitation enum improvements (#​676)

Other API additions

• Common error codes are now available through the sentinel jsonrpc.Error (#​452)
• OAuth 2.0 Protected Resource Metadata support (#​643)
• ClientCapabilities.RootsV2 and RootCapabilities are added to work around an API bug (#​607)
• Capabilities fields are added to ServerOptions and ClientOptions, to simplify capability configuration (#​706)

Streamable fixes

Several bug fixes are included for the streamable transports:

• mcp: relax SSE connection response handling in non-strict mode by @​zhxie in #​611
• Fix: Skip non-message SSE events in processStream by @​raphaelmansuy in #​637
• mcp: better handling for streamable context cancellation by @​findleyr in #​677
• mcp: don't break the streamable client connection for transient errors by @​findleyr in #​723

Other notable bugfixes

• fix: handle Windows CRLF in MCP client by @​isfzhang in #​665
• auth, mcp: add UserID to TokenInfo for session hijacking prevention by @​findleyr in #​695
• internal/docs: document UserID for session hijacking prevention by @​findleyr in #​697
• mcp: allow re-using connections in more cases by @​howardjohn in #​709
• oauthex: validate URL schemes in auth server metadata and DCR by @​findleyr in #​712
• mcp: debounce server change notifications by @​findleyr in #​717
• oauthex: fix content type check in getJSON by @​nikolavp in #​721

New Contributors

• @​zhxie made their first contribution in #​611
• @​SpringMT made their first contribution in #​614
• @​raphaelmansuy made their first contribution in #​637
• @​markus-kusano made their first contribution in #​644
• @​isfzhang made their first contribution in #​665
• @​orius123 made their first contribution in #​643
• @​howardjohn made their first contribution in #​709
• @​nikolavp made their first contribution in #​721

Full Changelog: modelcontextprotocol/go-sdk@v1.1.0...v1.2.0

grpc/grpc-go (google.golang.org/grpc)

v1.78.0: Release 1.78.0

Compare Source

Behavior Changes

• client: Reject target URLs containing unbracketed colons in the hostname in Go version 1.26+. (#​8716)
  • Special Thanks: @​neild

New Features

• stats/otel: Add backend service label to wrr metrics as part of A89. (#​8737)
• stats/otel: Add subchannel metrics (without the disconnection reason) to eventually replace the pickfirst metrics. (#​8738)
• client: Wait for all pending goroutines to complete when closing a graceful switch balancer. (#​8746)
  • Special Thanks: @​twz123

Bug Fixes

• transport/client : Return status code Unknown on malformed grpc-status. (#​8735)
• client: Add experimental.AcceptCompressors so callers can restrict the grpc-accept-encoding header advertised for a call. (#​8718)
  • Special Thanks: @​iblancasa
• xds: Fix a bug in StringMatcher where regexes would match incorrectly when ignore_case is set to true. (#​8723)
• xds/resolver:
  • Drop previous route resources and report an error when no matching virtual host is found.
  • Only log LDS/RDS configuration errors following a successful update and retain the last valid resource to prevent transient failures. (#​8711)
• client:
  • Change connectivity state to CONNECTING when creating the name resolver (as part of exiting IDLE).
  • Change connectivity state to TRANSIENT_FAILURE if name resolver creation fails (as part of exiting IDLE).
  • Change connectivity state to IDLE after idle timeout expires even when current state is TRANSIENT_FAILURE.
  • Fix a bug that resulted in OnFinish call option not being invoked for RPCs where stream creation failed. (#​8710)
• xdsclient: Fix a race in the xdsClient that could lead to resource-not-found errors. (#​8627)

Performance Improvements

• mem: Round up to nearest 4KiB for pool allocations larger than 1MiB. (#​8705)
  • Special Thanks: @​cjc25

---

Configuration

📅 Schedule: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
google.golang.org/genproto/googleapis/api	v0.0.0-20251124214823-79d6a2a48846 -> v0.0.0-20251213004720-97cd9d5aeac2
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251111163417-95abcf5c77ba -> v0.0.0-20251124214823-79d6a2a48846

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.81%. Comparing base (d57b6b6) to head (6a3146b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2427      +/-   ##
==========================================
- Coverage   67.84%   67.81%   -0.04%     
==========================================
  Files         172      172              
  Lines       13284    13284              
==========================================
- Hits         9013     9009       -4     
- Misses       3567     3569       +2     
- Partials      704      706       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.