Allow renovate to keep these version numbers up-to-date

Signed-off-by: Dominic Evans <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.30.6 to 4.30.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.30.8</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>4.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v4.30.8/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v4.30.7</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>4.30.7 - 06 Oct 2025</h2>
<ul>
<li>[v4+ only] The CodeQL Action now runs on Node.js v24. <a
href="https://redirect.github.com/github/codeql-action/pull/3169">#3169</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v4.30.7/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.30.8</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.30.8/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.30.7</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.30.7 - 06 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.30.7/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<h2>4.30.7 - 06 Oct 2025</h2>
<ul>
<li>[v4+ only] The CodeQL Action now runs on Node.js v24. <a
href="https://redirect.github.com/github/codeql-action/pull/3169">#3169</a></li>
</ul>
<h2>3.30.6 - 02 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.2. <a
href="https://redirect.github.com/github/codeql-action/pull/3168">#3168</a></li>
</ul>
<h2>3.30.5 - 26 Sep 2025</h2>
<ul>
<li>We fixed a bug that was introduced in <code>3.30.4</code> with
<code>upload-sarif</code> which resulted in files without a
<code>.sarif</code> extension not getting uploaded. <a
href="https://redirect.github.com/github/codeql-action/pull/3160">#3160</a></li>
</ul>
<h2>3.30.4 - 25 Sep 2025</h2>
<ul>
<li>We have improved the CodeQL Action's ability to validate that the
workflow it is used in does not use different versions of the CodeQL
Action for different workflow steps. Mixing different versions of the
CodeQL Action in the same workflow is unsupported and can lead to
unpredictable results. A warning will now be emitted from the
<code>codeql-action/init</code> step if different versions of the CodeQL
Action are detected in the workflow file. Additionally, an error will
now be thrown by the other CodeQL Action steps if they load a
configuration file that was generated by a different version of the
<code>codeql-action/init</code> step. <a
href="https://redirect.github.com/github/codeql-action/pull/3099">#3099</a>
and <a
href="https://redirect.github.com/github/codeql-action/pull/3100">#3100</a></li>
<li>We added support for reducing the size of dependency caches for Java
analyses, which will reduce cache usage and speed up workflows. This
will be enabled automatically at a later time. <a
href="https://redirect.github.com/github/codeql-action/pull/3107">#3107</a></li>
<li>You can now run the latest CodeQL nightly bundle by passing
<code>tools: nightly</code> to the <code>init</code> action. In general,
the nightly bundle is unstable and we only recommend running it when
directed by GitHub staff. <a
href="https://redirect.github.com/github/codeql-action/pull/3130">#3130</a></li>
<li>Update default CodeQL bundle version to 2.23.1. <a
href="https://redirect.github.com/github/codeql-action/pull/3118">#3118</a></li>
</ul>
<h2>3.30.3 - 10 Sep 2025</h2>
<p>No user facing changes.</p>
<h2>3.30.2 - 09 Sep 2025</h2>
<ul>
<li>Fixed a bug which could cause language autodetection to fail. <a
href="https://redirect.github.com/github/codeql-action/pull/3084">#3084</a></li>
<li>Experimental: The <code>quality-queries</code> input that was added
in <code>3.29.2</code> as part of an internal experiment is now
deprecated and will be removed in an upcoming version of the CodeQL
Action. It has been superseded by a new <code>analysis-kinds</code>
input, which is part of the same internal experiment. Do not use this in
production as it is subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3064">#3064</a></li>
</ul>
<h2>3.30.1 - 05 Sep 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3077">#3077</a></li>
</ul>
<h2>3.30.0 - 01 Sep 2025</h2>
<ul>
<li>Reduce the size of the CodeQL Action, speeding up workflows by
approximately 4 seconds. <a
href="https://redirect.github.com/github/codeql-action/pull/3054">#3054</a></li>
</ul>
<h2>3.29.11 - 21 Aug 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/f443b600d91635bebf5b0d9ebc620189c0d6fba5"><code>f443b60</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3198">#3198</a>
from github/update-v4.30.8-527f0f324</li>
<li><a
href="https://github.com/github/codeql-action/commit/7a2cb623ed691b64b58c7fa6bd6d90f62b322c65"><code>7a2cb62</code></a>
Update changelog for v4.30.8</li>
<li><a
href="https://github.com/github/codeql-action/commit/527f0f324a3fe984f808ba090b51cbe5a6c0118b"><code>527f0f3</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3195">#3195</a>
from github/dependabot/npm_and_yarn/npm-minor-37415c...</li>
<li><a
href="https://github.com/github/codeql-action/commit/f402506f0fedd565aafbfc892e40a5b1c10814af"><code>f402506</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3196">#3196</a>
from github/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="https://github.com/github/codeql-action/commit/f5e53f947672aba2238515474c2b7b9f248ac5bc"><code>f5e53f9</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3197">#3197</a>
from github/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="https://github.com/github/codeql-action/commit/4e90a42a3e28a8bde9c8c11ba90d243ea352e61c"><code>4e90a42</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3193">#3193</a>
from github/mbg/ff/tools-toolcache</li>
<li><a
href="https://github.com/github/codeql-action/commit/413a4a4df19c643ceab05ebad65b0d90532c778a"><code>413a4a4</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/452186448a7a7dd9f635cd74bf6a5df3bac6a795"><code>4521864</code></a>
Bump github/codeql-action from 3 to 4 in /.github/workflows</li>
<li><a
href="https://github.com/github/codeql-action/commit/eadf14bf6efa3061e98bdfbfd3487878f08af99c"><code>eadf14b</code></a>
Bump ruby/setup-ruby</li>
<li><a
href="https://github.com/github/codeql-action/commit/e1257b6fda873a6eba14d2dab41d637243c40d97"><code>e1257b6</code></a>
Rebuild</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/64d10c13136e1c5bce3e5fbde8d4906eeaafc885...f443b600d91635bebf5b0d9ebc620189c0d6fba5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.30.6&new-version=4.30.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…in the actions group (#3348)

Bumps the actions group with 1 update:
[actions/dependency-review-action](https://github.com/actions/dependency-review-action).

Updates `actions/dependency-review-action` from 4.8.0 to 4.8.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/dependency-review-action/releases">actions/dependency-review-action's
releases</a>.</em></p>
<blockquote>
<h2>Dependency Review Action v4.8.1</h2>
<h2>What's Changed</h2>
<ul>
<li>(bug) Fix spamming link test in deprecation warning (again) by <a
href="https://github.com/ahpook"><code>@​ahpook</code></a> in <a
href="https://redirect.github.com/actions/dependency-review-action/pull/1000">actions/dependency-review-action#1000</a></li>
<li>Bump version for 4.8.1 release by <a
href="https://github.com/ahpook"><code>@​ahpook</code></a> in <a
href="https://redirect.github.com/actions/dependency-review-action/pull/1001">actions/dependency-review-action#1001</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/dependency-review-action/compare/v4...v4.8.1">https://github.com/actions/dependency-review-action/compare/v4...v4.8.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/dependency-review-action/commit/40c09b7dc99638e5ddb0bfd91c1673effc064d8a"><code>40c09b7</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/dependency-review-action/issues/1001">#1001</a>
from actions/ahpook/v4.8.1-release</li>
<li><a
href="https://github.com/actions/dependency-review-action/commit/45529485b5eb76184ced07362d2331fd9d26f03f"><code>4552948</code></a>
Bump version for 4.8.1 release</li>
<li><a
href="https://github.com/actions/dependency-review-action/commit/e63da9a041de383e50d59f0c8a53ff85ee3adb7f"><code>e63da9a</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/dependency-review-action/issues/1000">#1000</a>
from actions/ahpook/deprecation-redux</li>
<li><a
href="https://github.com/actions/dependency-review-action/commit/71365c76bca8972e5f367ca0bb514aec58d70d5b"><code>71365c7</code></a>
(bug) Fix spamming link test in deprecation warning (again)</li>
<li>See full diff in <a
href="https://github.com/actions/dependency-review-action/compare/56339e523c0409420f6c2c9a2f4292bbb3c07dd3...40c09b7dc99638e5ddb0bfd91c1673effc064d8a">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/dependency-review-action&package-manager=github_actions&previous-version=4.8.0&new-version=4.8.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

This PR contains the following updates:

| Package | Update | Change | OpenSSF |
|---|---|---|---|
| [dominikh/go-tools](https://redirect.github.com/dominikh/go-tools) |
major | `v0.6.0` -> `2025.1.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/dominikh/go-tools/badge)](https://securityscorecards.dev/viewer/?uri=github.com/dominikh/go-tools)
|

---

### Release Notes

<details>
<summary>dominikh/go-tools (dominikh/go-tools)</summary>

###
[`v2025.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2025.1.1):
Staticcheck 2025.1.1 (v0.6.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2025.1...2025.1.1)

This is a re-release of 2025.1 but with prebuilt binaries that have been
built with Go 1.24.1.

###
[`v2025.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2025.1):
Staticcheck 2025.1 (v0.6.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2024.1.1...2025.1)

#### Added Go 1.24 support

This release adds support for Go 1.24.

#### Checks

##### Changed checks

The following checks have been improved:

- [U1000](https://staticcheck.dev/docs/checks/#U1000) treats all fields
in a struct as used if the struct has a field of type
structs.HostLayout.
- [S1009](https://staticcheck.dev/docs/checks/#S1009) now emits a
clearer message.
- [S1008](https://staticcheck.dev/docs/checks/#S1008) no longer
recommends simplifying branches that contain comments ([issue
704](https://staticcheck.dev/issues/704), [issue
1488](https://staticcheck.dev/issues/1488)).
- [S1009](https://staticcheck.dev/docs/checks/#S1009) now flags another
redundant nil check ([issue 1605](https://staticcheck.dev/issues/1605)).
- [QF1002](https://staticcheck.dev/docs/checks/#QF1002) now emits a
valid automatic fix for switches that use initialization statements
([issue 1613](https://staticcheck.dev/issues/1613)).

###
[`v2024.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2024.1.1):
Staticcheck 2024.1.1 (v0.5.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2024.1...2024.1.1)

This release fixes the detection of the used Go version when Go was
compiled with experimental features such as `rangefunc` or
`boringcrypto`
([#&#8203;1586](https://redirect.github.com/dominikh/go-tools/issues/1586)).

###
[`v2024.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2024.1):
Staticcheck 2024.1 (v0.5.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.7...2024.1)

### Backwards incompatible changes

Staticcheck 2024.1 contains the following backwards incompatible
changes:

- The `keyify` utility has been removed. The recommended alternative is
gopls.
- `staticcheck -merge` now exits with a non-zero status if any problems
have been found.

### Improved Go 1.22 support

This release updates Staticcheck’s database of deprecated standard
library APIs to cover the Go 1.22 release. Furthermore, checks have been
updated to correctly handle the new “for” loop variable scoping behavior
as well as ranging over integers.

### Added Go 1.23 support

Staticcheck 2024.1 has full support for iterators / range-over-func.
Furthermore, [SA1015](https://staticcheck.dev/docs/checks/#SA1015) will
skip any code targeting Go 1.23 or newer, as it is now possible to use
`time.Tick` without leaking memory.

### Improved handling of Go versions

Go 1.21 more rigorously defined the meaning of the `go` directive in
`go.mod` files, as well as its interactions with `//go:build go1.N`
build constraints. The go directive now specifies a minimum Go version
for the module. Furthermore, it sets the language version that is in
effect, which may change the semantics of Go code. For example, before
Go 1.22, loop variables were reused across iterations, but since Go
1.22, loop variables only exist for the duration of an iteration.
Modules that specify `go 1.22` will use the new semantics, while modules
that specify an older version will not.

Individual files can both upgrade and downgrade their language version
by using `//go:build go1.N` directives. In a module that requires Go
1.22, a file specifying Go 1.21 will experience the old loop variable
semantics, and vice versa. Because the Go module as a whole still
specifies a minimum version, even files specifying an older version will
have access to the standard library of the minimum version.

Staticcheck 2024.1 takes all of this into consideration when analyzing
the behavior of Go code, when determining which checks are applicable,
and when making suggestions. Older versions of Staticcheck were already
aware of Go versions, but 2024.1 works on a more fine-grained, per-file
basis, and differentiates between the pre- and post-1.21 semantics of
the go directive.

The `-go` command line flag continues to exist. It will override any
module-based version selection. This is primarily useful for Go modules
that target older Go versions (because here, the go directive didn’t
specify a minimum version), or when working outside of Go modules.

To prevent misinterpreting code, Staticcheck now refuses to analyze
modules that require a version of Go that is newer than that with which
Staticcheck was built.

### Checks

#### New checks

The following checks have been added:

- [SA1031](https://staticcheck.dev/docs/checks/#SA1031) flags
overlapping destination and source slices passed to certain encoding
functions.
- [SA1032](https://staticcheck.dev/docs/checks/#SA1032) flags calls to
[`errors.Is`](https://pkg.go.dev/errors#Is) where the two arguments have
been swapped.
- [SA4032](https://staticcheck.dev/docs/checks/#SA4032) flags impossible
comparisons of [runtime.GOOS](https://pkg.go.dev/runtime#GOOS) and
[runtime.GOARCH](https://pkg.go.dev/runtime#GOARCH) based on the file’s
build tags.
- [SA6006](https://staticcheck.dev/docs/checks/#SA6006) flags
`io.WriteString(w, string(b))` as it would be both simpler and more
efficient to use `w.Write(b)`.
- [SA9009](https://staticcheck.dev/docs/checks/#SA9009) flags comments
that look like they intend to be compiler directives but which aren’t
due to extraneous whitespace.

#### Changed checks

The following checks have been improved:

- [QF1001](https://staticcheck.dev/docs/checks/#QF1001) no longer panics
on expressions involving “key: value” pairs ([issue
1484](https://staticcheck.dev/issues/1484)).
- [S1008](https://staticcheck.dev/docs/checks/#S1008) now understands
that some built-in functions never return negative values. For example,
it now negates `len(x) > 0` as `len(x) == 0` ([issue
1422](https://staticcheck.dev/issues/1422)).
- [S1009](https://staticcheck.dev/docs/checks/#S1009) now flags
unnecessary nil checks that involve selector expressions ([issue
1527](https://staticcheck.dev/issues/1527)).
- [S1017](https://staticcheck.dev/docs/checks/#S1017) no longer flags
`if else` branches ([issue 1447](https://staticcheck.dev/issues/1447)).
- [SA1006](https://staticcheck.dev/docs/checks/#SA1006) now detects more
Printf-like functions from the standard library ([issue
1528](https://staticcheck.dev/issues/1528)).
- [SA1015](https://staticcheck.dev/docs/checks/#SA1015) now skips any
code targeting Go 1.23 or newer ([issue
1558](https://staticcheck.dev/issues/1558)).
- [SA1029](https://staticcheck.dev/docs/checks/#SA1029) now flags uses
of the empty struct (`struct{}`) as context keys ([issue
1504](https://staticcheck.dev/issues/1504)).
- [SA4003](https://staticcheck.dev/docs/checks/#SA4003) now flags
pointless integer comparisons that involve literals, not just constants
from the `math` package ([issue
1470](https://staticcheck.dev/issues/1470)).
- [SA4015](https://staticcheck.dev/docs/checks/#SA4015) now supports
conversions that involve generics.
- [SA4023](https://staticcheck.dev/docs/checks/#SA4023) no longer panics
on type sets that contain arrays ([issue
1397](https://staticcheck.dev/issues/1397)).
- [SA5001](https://staticcheck.dev/docs/checks/#SA5001) now emits a
clearer message ([issue 1489](https://staticcheck.dev/issues/1489)).
- [SA9003](https://staticcheck.dev/docs/checks/#SA9003) has been
disabled by default because of too many noisy positives ([issue
321](https://staticcheck.dev/issues/321)).
- [ST1000](https://staticcheck.dev/docs/checks/#ST1000) now permits
punctuation following the package name, as in “Package pkg, which …”
([issue 1452](https://staticcheck.dev/issues/1452)).
- [ST1018](https://staticcheck.dev/docs/checks/#ST1018) now accepts
variation selectors in emoji and certain Arabic formatting characters in
string literals ([issue 1456](https://staticcheck.dev/issues/1456)).
- [ST1020](https://staticcheck.dev/docs/checks/#ST1020) no longer flags
comments that start with a deprecation notice ([issue
1378](https://staticcheck.dev/issues/1378)).
- [U1000](https://staticcheck.dev/docs/checks/#U1000) handles generic
interfaces slightly better, reducing the number of false positives.
- Due to improvements in the intermediate representation, various checks
may now detect more problems.

### Miscellaneous changes and fixes

- The `keyify` utility has been deleted. This functionality is provided
by gopls nowadays.
- `staticcheck -merge` now exits with a non-zero exit status if any
problems were found. This matches the behavior of non-merge uses.
- Malformed `staticcheck.conf` files now cause more useful errors to be
emitted.
- Labeled statements with blank labels no longer cause panics.
- Functions with named return parameters that never actually return no
longer cause panics ([issue 1533](https://staticcheck.dev/issues/1533)).

###
[`v2023.1.7`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.7):
Staticcheck 2023.1.7 (v0.4.7)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.6...2023.1.7)

This release fixes some minor issues in Staticcheck’s intermediate
representation. Furthermore, it improves the way
[QF1003](https://staticcheck.io/docs/checks/#QF1003) generates suggested
fixes, working around constraints in the language server protocol.

The released binaries for this version have been built with Go 1.22 and
should no longer panic when checking code targeting Go 1.22.

###
[`v2023.1.6`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.6):
Staticcheck 2023.1.6 (v0.4.6)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.5...2023.1.6)

This release fixes the following bugs:

- A crash when using the upcoming Go 1.22 ([issue
1442](https://staticcheck.io/issues/1442))
- A false positive in
[SA9005](https://staticcheck.io/docs/checks/#SA9005) when embedding
basic types ([issue 1443](https://staticcheck.io/issues/1443))

###
[`v2023.1.5`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.5):
Staticcheck 2023.1.5 (v0.4.5)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.4...2023.1.5)

This release fixes the following bug:

- A crash involving methods named `_`

###
[`v2023.1.4`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.4):
Staticcheck 2023.1.4 (v0.4.4)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.3...2023.1.4)

This release adds support for **Go 1.21** and fixes the following bugs:

- Three crashes when encountering unnecessarily parenthesized statements
([#&#8203;1393](https://redirect.github.com/dominikh/go-tools/issues/1393),
[#&#8203;1400](https://redirect.github.com/dominikh/go-tools/issues/1400))
- Unnecessarily high memory usage when analyzing composite literals such
as `[]int{1<<31: 1}`
([#&#8203;1393](https://redirect.github.com/dominikh/go-tools/issues/1393))
- A false positive in
[S1011](https://staticcheck.dev/docs/checks/#S1011) when appending to a
dynamic left-hand side
([#&#8203;1399](https://redirect.github.com/dominikh/go-tools/issues/1399))
- A crash involving generics
([#&#8203;1410](https://redirect.github.com/dominikh/go-tools/issues/1410))
- A false positive in
[SA9001](https://staticcheck.dev/docs/checks/#SA9001) involving control
flow statements
([#&#8203;488](https://redirect.github.com/dominikh/go-tools/issues/488))
- A false positive in
[ST1003](https://staticcheck.dev/docs/checks/#ST1003), complaining about
the names of fuzz functions
([#&#8203;1420](https://redirect.github.com/dominikh/go-tools/issues/1420))

###
[`v2023.1.3`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.3):
Staticcheck 2023.1.3 (v0.4.3)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.2...2023.1.3)

This release fixes the following bugs:

- A crash when embedding type aliases of unnamed types ([issue
1361](https://staticcheck.io/issues/1361))
- A false positive in U1000, claiming that type aliases are unused
([issue 1365](https://staticcheck.io/issues/1365))
- A bug in the binary formatter that prevented correct merging behavior
for some checks ([issue 1372](https://staticcheck.io/issues/1372))

###
[`v2023.1.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.2):
Staticcheck 2023.1.2 (v0.4.2)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1.1...2023.1.2)

This release fixes a bug that prevented the `binary` formatter from
working ([issue 1370](https://staticcheck.io/issues/1370)).

###
[`v2023.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1.1):
Staticcheck 2023.1.1 (v0.4.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2023.1...2023.1.1)

This release fixes a crash, a false positive in U1000 ([issue
1360](https://staticcheck.io/issues/1360)) and improves the way
deprecated API is flagged ([issue
1318](https://staticcheck.io/issues/1318)).

When targeting a Go version that is older than the version that
deprecated an API, [SA1019](https://staticcheck.io/docs/checks/#SA1019)
will no longer flag the use even if there is already an alternative
available in the targeted Go version.

For example, `math/rand.Seed` has been deprecated in Go 1.20, but an
alternative has existed since Go 1.0. In the past, we would flag uses of
`Seed` even if targeting e.g. Go 1.19, to encourage better forwards
compatibility. This can lead to unnecessary churn, however, because the
correct change may depend on the Go version in use. For example, for
`Seed` before Go 1.20, the alternative is to use a separate instance of
`math/rand.Rand`, whereas in Go 1.20, a possible alternative is to
simply drop the call to `Seed`.

###
[`v2023.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2023.1):
Staticcheck 2023.1 (v0.4.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2022.1.2...2023.1)

Staticcheck 2023.1 adds support for Go 1.20, brings minor improvements
to various checks, and replaces U1000 with a new implementation.

The following checks have been improved:

- The wording of [S1001](https://staticcheck.io/docs/checks/#S1001) has
been made clearer for cases involving arrays. Furthermore, it no longer
suggests using copy when the function has been shadowed.
- [S1011](https://staticcheck.io/docs/checks/#S1011) now recognizes
index-based loops ([issue 881](https://staticcheck.io/issues/881)).
- [SA1019](https://staticcheck.io/docs/checks/#SA1019) no longer flags
tests (internal or external) that use deprecated API from the package
under test ([issue 1285](https://staticcheck.io/issues/1285)).
Furthermore, entire declaration groups (such as groups of constants) can
now be marked as deprecated ([issue
1313](https://staticcheck.io/issues/1313)).
- [SA4017](https://staticcheck.io/docs/checks/#SA4017) now detects more
functions, including those in the time package ([issue
1353](https://staticcheck.io/issues/1353)). Additionally, its wording
has been made clearer.
- [SA5010](https://staticcheck.io/docs/checks/#SA5010) no longer gets
confused by type assertions involving generic types ([issue
1354](https://staticcheck.io/issues/1354)).
- [ST1005](https://staticcheck.io/docs/checks/#ST1005) no longer flags
errors that start with alpha-numeric acronyms such as P384.
- Improvements to our intermediate representation may allow various
checks to find more problems.

Staticcheck now knows about version 2 of the k8s.io/klog package, in
particular which functions abort control flow ([issue
1307](https://staticcheck.io/issues/1307)).

In addition to these minor improvements, U1000 has been rewritten from
the ground up, operating on a program representation more suited to the
task. In practice this means that there will be fewer false positives
and more true positives.

Overall, the rewrite fixes at least eight known bugs, both ones that
have been a nuisance for a while, as well as ones newly introduced by
generics ([issue 507](https://staticcheck.io/issues/507), [issue
633](https://staticcheck.io/issues/633), [issue
810](https://staticcheck.io/issues/810), [issue
812](https://staticcheck.io/issues/812), [issue
1199](https://staticcheck.io/issues/1199), [issue
1249](https://staticcheck.io/issues/1249), [issue
1282](https://staticcheck.io/issues/1282), [issue
1333](https://staticcheck.io/issues/1333)).

###
[`v2022.1.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2022.1.2):
Staticcheck 2022.1.2 (v0.3.2)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2022.1.1...2022.1.2)

This release addresses the following false positives, crashes, infinite
loops, and performance issues:

- For certain packages that contain tens of thousands of types and
methods, such as those generated by
[ygot](https://redirect.github.com/openconfig/ygot), Staticcheck now
finishes [much
faster](https://redirect.github.com/openconfig/featureprofiles/pull/181#issuecomment-1119250596).
- Several infinite loops when handling recursive type parameters have
been fixed
- [S1009](https://staticcheck.io/docs/checks/#S1009) no longer mistakes
user-defined functions named `len` for the builtin ([issue
1181](https://staticcheck.io/issues/1181))
- [ST1015](https://staticcheck.io/docs/checks/#ST1015) no longer
reorders `switch` statements if their order is significant due to the
use of `fallthrough` ([issue 1188](https://staticcheck.io/issues/1188))
- [SA1013](https://staticcheck.io/docs/checks/#SA1013) now detects
constants more robustly, avoiding both false negatives and false
positives. Furthermore, it makes sure that offending methods implement
io.Seeker and doesn’t just rely on the name Seek ([issue
1213](https://staticcheck.io/issues/1213)).
- [SA5008](https://staticcheck.io/docs/checks/#SA5008) now understands
more third-party extensions to json struct tags
- A crash involving functions named `_` has been fixed ([issue
1268](https://staticcheck.io/issues/1268))
- A crash involving slicing type parameters of type `string | []byte`
has been fixed ([issue 1270](https://staticcheck.io/issues/1270))
- [SA1019](https://staticcheck.io/docs/checks/#SA1019) now handles
imports of deprecated standard library packages in the same way it
handles other deprecated API, taking the targeted Go version into
consideration ([issue 1117](https://staticcheck.io/issues/1117))

Additionally it is strongly recommended to use Go 1.18.2 for building
Staticcheck, as it fixes further generics-related bugs in the type
checker.

###
[`v2022.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2022.1.1):
Staticcheck 2022.1.1 (v0.3.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2022.1...2022.1.1)

This release addresses the following false positives, crashes, and
infinite loops:

- [SA1026](https://staticcheck.io/docs/checks/#SA1026) and
[SA5008](https://staticcheck.io/docs/checks/#SA5008) no longer get stuck
in infinite loops when code attempts to marshal cyclic pointer types
([issue 1202](https://staticcheck.io/issues/1202))
- U1000 no longer crashes when code contains mutually recursive type
instantiations ([issue 1247](https://staticcheck.io/issues/1247))
- U1000 no longer crashes when generic functions use composite literals
of type parameter types
([0ccdb5c9dad7e96a8e3a3136738192491b37dbdb](https://redirect.github.com/dominikh/go-tools/commit/0ccdb5c9dad7e96a8e3a3136738192491b37dbdb))
- [ST1021](https://staticcheck.io/docs/checks/#ST1021) now understands
type names that are also English articles ([issue
1187](https://staticcheck.io/issues/1187))
- [SA4023](https://staticcheck.io/docs/checks/#SA4023) no longer gets
confused by the nilness of type parameters ([issue
1242](https://staticcheck.io/issues/1242))
- Some checks no longer crash when trying to generate automated code
fixes that involve function literals ([issue
1134](https://staticcheck.io/issues/1134))
- [SA1026](https://staticcheck.io/docs/checks/#SA1026) no longer claims
that encoding/json cannot marshal generic maps
([golang/go#52467](https://golang.org/issue/52467))
- The binary format has been improved to handle OS-specific file paths
correctly, in turn making the -merge flag work more reliably
([1846305a946b13d350894512c7ac1e5ed71dc331](https://redirect.github.com/dominikh/go-tools/commit/1846305a946b13d350894512c7ac1e5ed71dc331))
- When using the -merge or -matrix flags, diagnostics reported by
[SA4008](https://staticcheck.io/docs/checks/#SA4008) now have to occur
in all runs to be reported, reducing the number of false positives
([0e678cbe1c8b3f09ac481673453886b1afc9906a](https://redirect.github.com/dominikh/go-tools/commit/0e678cbe1c8b3f09ac481673453886b1afc9906a))
- U1000 now understands struct type conversions involving type
parameters, reducing the number of false positives
([90804df0287d9265e565bcabbe19568efbe374fa](https://redirect.github.com/dominikh/go-tools/commit/90804df0287d9265e565bcabbe19568efbe374fa))

###
[`v2022.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2022.1):
Staticcheck 2022.1 (v0.3.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2021.1.2...2022.1)

Staticcheck 2022.1 adds support for Go 1.18 and generics, adds and
tweaks some checks, and introduces the new `-matrix` and `-merge` flags.

Read the full release notes at <https://staticcheck.io/changes/2022.1>

###
[`v2021.1.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2021.1.2):
Staticcheck 2021.1.2 (v0.2.2)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2021.1.1...2021.1.2)

This release fixes some false positives and crashes.

Read the full release notes at
<https://staticcheck.io/changes/2021.1/#&#8203;2021.1.2>

###
[`v2021.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2021.1.1):
Staticcheck 2021.1.1 (v0.2.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2021.1...2021.1.1)

This release adds support for new language features in Go 1.17, namely
conversions from slices to array pointers, the unsafe.Add function, and
the unsafe.Slice function.

Additionally, it fixes some false positives.

Read the full release notes at
<https://staticcheck.io/changes/2021.1#2021.1.1>

###
[`v2021.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2021.1):
Staticcheck 2021.1 (v0.2.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.2.4...2021.1)

Read the full release notes at <https://staticcheck.io/changes/2021.1>

###
[`v2020.2.4`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.2.4):
Staticcheck 2020.2.4 (v0.1.4)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.2.3...2020.2.4)

This release fixes a crash and some false positives.

Read the full release notes at
<https://staticcheck.io/changes/2020.2#2020.2.4>

###
[`v2020.2.3`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.2.3):
Staticcheck 2020.2.3 (v0.1.3)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.2.2...2020.2.3)

This release fixes a false positive in U1000. See
[#&#8203;942](https://redirect.github.com/dominikh/go-tools/issues/942)
for details.

###
[`v2020.2.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.2.2):
Staticcheck 2020.2.2 (v0.1.2)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.2.1...2020.2.2)

This release fixes a rare crash in Staticcheck, reduces the number of
false positives, and adds support for Go 1.16's `io/fs.FileMode` type.

Read the full release notes at
<https://staticcheck.io/changes/2020.2#2020.2.2>

###
[`v2020.2.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.2.1):
Staticcheck 2020.2.1 (v0.1.1)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.2...2020.2.1)

This release eliminates some false negatives as well as false positives,
makes the `staticcheck` command less noisy and fixes a potential
security issue.

See the full release notes at
<https://staticcheck.io/changes/2020.2#2020.2.1>

###
[`v2020.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.2):
Staticcheck 2020.2 (v0.1.0)

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.1.6...2020.2)

Read the full release notes at <https://staticcheck.io/changes/2020.2>

###
[`v2020.1.6`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.1.6):
Staticcheck 2020.1.6

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.1.5...2020.1.6)

This release makes the following fixes and improvements:

- Staticcheck no longer panics when encountering files that have the
following comment: `// Code generated DO NOT EDIT.`
- SA4016 no longer panics when checking bitwise operations that involve
dot-imported identifiers.
- Fixed the suggested fix offered by S1004.
- Fixed a false positive involving byte arrays in SA5009.
- Fixed a false positive involving named byte slice types in SA5009.
- Added another heuristic to avoid flagging function names in error
messages in ST1005.
- SA3000 will no longer flag missing calls to os.Exit in TestMain
functions if targeting Go 1.15 or newer.

###
[`v2020.1.5`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.1.5):
Staticcheck 2020.1.5

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.1.4...2020.1.5)

This release fixes a <a
href="https://redirect.github.com/dominikh/go-tools/issues/806">crash in
the pattern matching engine</a> and a <a
href="https://redirect.github.com/dominikh/go-tools/issues/733">false
positive in SA4006</a>.

###
[`v2020.1.4`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.1.4):
Staticcheck 2020.1.4

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.1.3...2020.1.4)

This release adds special handling for imports of the deprecated
`github.com/golang/protobuf/proto` package.

`github.com/golang/protobuf`has deprecated the `proto` package, but
their `protoc-gen-go` still imports the package and uses one of its
constants, "to enforce a weak dependency on a sufficiently new version
of the legacy package".

Staticcheck would flag the import of this deprecated package in all code
generated by protoc-gen-go. Instead of forcing the project to change
their project structure, we choose to ignore such imports in code
generated by protoc-gen-go. The import still gets flagged in code not
generated by protoc-gen-go.

You can find more information about this in the [upstream
issue](https://redirect.github.com/golang/protobuf/issues/1077).

###
[`v2020.1.3`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.1.3):
Staticcheck 2020.1.3

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2020.1.2...2020.1.3)

This release fixes two bugs involving `//lint:ignore` directives:

- When ignoring U1000 and checking a package that contains tests,
Staticcheck would incorrectly complain that the linter directive didn't
match any problems, even when it did.
- On repeated runs, the position information for a "this linter
directive didn't match anything" report would either be missing, or be
wildly incorrect.

###
[`v2020.1.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2020.1.2):
Staticcheck 2020.1.2

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.2.3...2020.1.2)

Staticcheck 2020.1(.2) contains UI improvements, speed enhancements,
numerous new and improved checks, and support for the upcoming Go
1.14.

Read the full release notes at <https://staticcheck.io/changes/2020.1>

(2020.1.2 differs from 2020.1.1 and 2020.1 in that it actually
displays the correct version information.)

###
[`v2019.2.3`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.2.3):
Staticcheck 2019.2.3

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.2.2...2019.2.3)

Staticcheck 2019.2.3 is a re-release of 2019.2.2. Its pre-built binaries
have been built with Go 1.13, to enable checking of code that uses
language features introduced in Go 1.13.

###
[`v2019.2.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.2.2):
Staticcheck 2019.2.2

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.2.1...2019.2.2)

Staticcheck 2019.2.2 contains the following user-visible fixes:

- S1008 now skips if/else statements where both branches return the same
value.
- SA4006 now considers a value read when a switch statement reads it,
even if the switch statement has no branches.
- 2019.2 introduced a bug that made it impossible to enable non-default
checks via configuration files. This is now possible again.
- 2019.2 introduced a bug that made the `-tags` command line argument
ineffective, making it impossible to pass in build tags. This is now
possible again.
- From this release onward, we will use pseudo versions of the form
`v0.0.1-<year>.<minor>` instead of `v0.0.0-<year>.<minor>`. This fixes
an issue where `go get` would prefer an older commit over a newer
released version due to the way versions sort.

###
[`v2019.2.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.2.1):
Staticcheck 2019.2.1

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.2...2019.2.1)

The 2019.2 release has an unfortunate bug that prevents staticcheck from
running on 32-bit architectures, causing it to crash unconditionally.
This release fixes that crash.

###
[`v2019.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.2):
Staticcheck 2019.2

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.1.1...2019.2)

Staticcheck 2019.2 brings impressive performance improvements, many new
and improved checks, and various small improvements to its command line.

Read the full changelog at <https://staticcheck.io/changes/2019.2>

###
[`v2019.1.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.1.1):
Staticcheck 2019.1.1

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2019.1...2019.1.1)

The 2019.1.1 release fixes some minor bugs and improves the performance
of the U1000 check:

- The ST category of checks no longer flag style issues of aliased types
when the aliased type exists in a package we aren't explicitly checking.
This avoids crashes and erratic error reports.
- Compiler errors now have correct position information.
- A crash in the Stylish reporter has been fixed.
- We no longer flag unused objects that belong to cgo internals.
- The U1000 check has been optimized, reducing its memory usage and
runtime.

###
[`v2019.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2019.1):
Staticcheck 2019.1

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2017.2.2...2019.1)

Staticcheck 2019.1 makes some major changes to the structure of the
tools. Please make sure to read the [full
changelog](https://staticcheck.io/changes/2019.1) **before** deploying
it.

###
[`v2017.2.2`](https://redirect.github.com/dominikh/go-tools/releases/tag/2017.2.2):
Staticcheck 2017.2.2

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2017.2.1...2017.2.2)

Staticcheck 2017.2.2 fixes minor issues in <em>unused</em>,
<em>keyify</em> and <em>staticcheck</em>:

<ul>
<li><em>unused</em>: correctly apply the NoCopy exemption when using the
<code>-exported</code> flag.</li>
<li><em>keyify</em>: support external test packages (<code>package
foo_test</code>)</li>
<li><em>staticcheck</em>: disable <span class="check-name" title="Field
assignment that will never be observed. Did you mean to use a pointer
receiver?">SA4005</span> – the check, in its current form, is prone to
false positives and will be reimplemented in a future release.</li>
</ul>

###
[`v2017.2.1`](https://redirect.github.com/dominikh/go-tools/releases/tag/2017.2.1):
Staticcheck 2017.2.1

[Compare
Source](https://redirect.github.com/dominikh/go-tools/compare/2017.2...2017.2.1)

Staticcheck 2017.2.1 fixes a small bug in the detection of deprecated
objects, because of course no release can go without bugs!

The (admittedly very short) full changelog:

- Staticcheck 2017.2 made the detection of deprecated objects Go-version
aware. Unfortunately, this only worked correctly for fields and methods,
but not package-level objects. This release fixes that.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/IBM/sarama).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJidW1wL21ham9yIiwiZGVwZW5kZW5jaWVzIl19-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

This PR contains the following updates:

| Package | Update | Change | OpenSSF |
|---|---|---|---|
| [vearutop/teststat](https://redirect.github.com/vearutop/teststat) |
patch | `v0.1.26` -> `v0.1.27` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/vearutop/teststat/badge)](https://securityscorecards.dev/viewer/?uri=github.com/vearutop/teststat)
|

---

### Release Notes

<details>
<summary>vearutop/teststat (vearutop/teststat)</summary>

###
[`v0.1.27`](https://redirect.github.com/vearutop/teststat/releases/tag/v0.1.27)

[Compare
Source](https://redirect.github.com/vearutop/teststat/compare/v0.1.26...v0.1.27)

#### What's Changed

- Add support for go test -x build cache output by
[@&#8203;vearutop](https://redirect.github.com/vearutop) in
[#&#8203;34](https://redirect.github.com/vearutop/teststat/pull/34)

**Full Changelog**:
<vearutop/teststat@v0.1.26...v0.1.27>

Download linux amd64 version in GitHub Actions:

```

### Fetching teststat binary.
          wget -q https://github.com/vearutop/teststat/releases/download/v0.1.27/linux_amd64.tar.gz && tar xf linux_amd64.tar.gz && rm linux_amd64.tar.gz
          teststat_hash=$(git hash-object ./teststat)
          [ "$teststat_hash" == "325b9ef9c4e969171cccf11d8becbc856c9cdee2" ] || (echo "::error::unexpected hash for teststat, possible tampering: $teststat_hash" && exit 1)
```

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/IBM/sarama).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJidW1wL3BhdGNoIiwiZGVwZW5kZW5jaWVzIl19-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Allow use of errors.Is(...) to test against KError values when
IncrementalAlterConfigs returns an error.

Signed-off-by: Adrian Preston <[email protected]>

As noted in #3354, messages buffered due to the highWatermark would
inadvertently skip the usual sequence number assignment, manifesting as
OutOfOrderSequenceException on the broker.

Wrote a functional test to trigger this behaviour and then used the same
logic as found in partitionProducer.dispatch() to prevent the problem
occurring.

Signed-off-by: Dominic Evans <[email protected]>

…ker digest to 34880b6 (#3360)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| registry.access.redhat.com/ubi9/ubi-minimal | final | digest |
`7c5495d` -> `34880b6` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 09:00 PM and 09:59 PM ( * 21 *
* * ) in timezone Etc/UTC, Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/IBM/sarama).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTYuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJidW1wL2RpZ2VzdCIsImRlcGVuZGVuY2llcyIsImRvY2tlciIsImlnbm9yZS1mb3ItcmVsZWFzZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

)

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[github.com/klauspost/compress](https://redirect.github.com/klauspost/compress)
| require | patch | `v1.18.0` -> `v1.18.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/klauspost/compress/badge)](https://securityscorecards.dev/viewer/?uri=github.com/klauspost/compress)
|

---

### Release Notes

<details>
<summary>klauspost/compress (github.com/klauspost/compress)</summary>

###
[`v1.18.1`](https://redirect.github.com/klauspost/compress/releases/tag/v1.18.1)

[Compare
Source](https://redirect.github.com/klauspost/compress/compare/v1.18.0...v1.18.1)

##### What's Changed

- zstd: Fix incorrect buffer size in dictionary encodes by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1059](https://redirect.github.com/klauspost/compress/pull/1059)
- s2: check for cap, not len of buffer in EncodeBetter/Best by
[@&#8203;vdarulis](https://redirect.github.com/vdarulis) in
[#&#8203;1080](https://redirect.github.com/klauspost/compress/pull/1080)
- zstd: Add simple zstd EncodeTo/DecodeTo functions by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1079](https://redirect.github.com/klauspost/compress/pull/1079)
- zlib: Avoiding extra allocation in zlib.reader.Reset by
[@&#8203;travelpolicy](https://redirect.github.com/travelpolicy) in
[#&#8203;1086](https://redirect.github.com/klauspost/compress/pull/1086)
- gzhttp: remove redundant err check in zstdReader by
[@&#8203;ryanfowler](https://redirect.github.com/ryanfowler) in
[#&#8203;1090](https://redirect.github.com/klauspost/compress/pull/1090)
- Run modernize. Deprecate Go 1.22 by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1095](https://redirect.github.com/klauspost/compress/pull/1095)
- flate: Simplify matchlen by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1101](https://redirect.github.com/klauspost/compress/pull/1101)
- flate: Add examples by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1102](https://redirect.github.com/klauspost/compress/pull/1102)
- flate: Use exact sizes for huffman tables by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1103](https://redirect.github.com/klauspost/compress/pull/1103)
- flate: Faster load+store by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1104](https://redirect.github.com/klauspost/compress/pull/1104)
- Add notice to S2 about MinLZ by
[@&#8203;klauspost](https://redirect.github.com/klauspost) in
[#&#8203;1065](https://redirect.github.com/klauspost/compress/pull/1065)

##### New Contributors

- [@&#8203;wooffie](https://redirect.github.com/wooffie) made their
first contribution in
[#&#8203;1069](https://redirect.github.com/klauspost/compress/pull/1069)
- [@&#8203;vdarulis](https://redirect.github.com/vdarulis) made their
first contribution in
[#&#8203;1080](https://redirect.github.com/klauspost/compress/pull/1080)
- [@&#8203;travelpolicy](https://redirect.github.com/travelpolicy) made
their first contribution in
[#&#8203;1086](https://redirect.github.com/klauspost/compress/pull/1086)
- [@&#8203;ryanfowler](https://redirect.github.com/ryanfowler) made
their first contribution in
[#&#8203;1090](https://redirect.github.com/klauspost/compress/pull/1090)

**Full Changelog**:
<klauspost/compress@v1.18.0...v1.18.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/IBM/sarama).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJidW1wL3BhdGNoIiwiZGVwZW5kZW5jaWVzIl19-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 4.30.8 to 4.30.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.30.9</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>4.30.9 - 17 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.3. <a
href="https://redirect.github.com/github/codeql-action/pull/3205">#3205</a></li>
<li>Experimental: A new <code>setup-codeql</code> action has been added
which is similar to <code>init</code>, except it only installs the
CodeQL CLI and does not initialize a database. Do not use this in
production as it is part of an internal experiment and subject to change
at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3204">#3204</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v4.30.9/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.30.9 - 17 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.3. <a
href="https://redirect.github.com/github/codeql-action/pull/3205">#3205</a></li>
<li>Experimental: A new <code>setup-codeql</code> action has been added
which is similar to <code>init</code>, except it only installs the
CodeQL CLI and does not initialize a database. Do not use this in
production as it is part of an internal experiment and subject to change
at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3204">#3204</a></li>
</ul>
<h2>4.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<h2>4.30.7 - 06 Oct 2025</h2>
<ul>
<li>[v4+ only] The CodeQL Action now runs on Node.js v24. <a
href="https://redirect.github.com/github/codeql-action/pull/3169">#3169</a></li>
</ul>
<h2>3.30.6 - 02 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.2. <a
href="https://redirect.github.com/github/codeql-action/pull/3168">#3168</a></li>
</ul>
<h2>3.30.5 - 26 Sep 2025</h2>
<ul>
<li>We fixed a bug that was introduced in <code>3.30.4</code> with
<code>upload-sarif</code> which resulted in files without a
<code>.sarif</code> extension not getting uploaded. <a
href="https://redirect.github.com/github/codeql-action/pull/3160">#3160</a></li>
</ul>
<h2>3.30.4 - 25 Sep 2025</h2>
<ul>
<li>We have improved the CodeQL Action's ability to validate that the
workflow it is used in does not use different versions of the CodeQL
Action for different workflow steps. Mixing different versions of the
CodeQL Action in the same workflow is unsupported and can lead to
unpredictable results. A warning will now be emitted from the
<code>codeql-action/init</code> step if different versions of the CodeQL
Action are detected in the workflow file. Additionally, an error will
now be thrown by the other CodeQL Action steps if they load a
configuration file that was generated by a different version of the
<code>codeql-action/init</code> step. <a
href="https://redirect.github.com/github/codeql-action/pull/3099">#3099</a>
and <a
href="https://redirect.github.com/github/codeql-action/pull/3100">#3100</a></li>
<li>We added support for reducing the size of dependency caches for Java
analyses, which will reduce cache usage and speed up workflows. This
will be enabled automatically at a later time. <a
href="https://redirect.github.com/github/codeql-action/pull/3107">#3107</a></li>
<li>You can now run the latest CodeQL nightly bundle by passing
<code>tools: nightly</code> to the <code>init</code> action. In general,
the nightly bundle is unstable and we only recommend running it when
directed by GitHub staff. <a
href="https://redirect.github.com/github/codeql-action/pull/3130">#3130</a></li>
<li>Update default CodeQL bundle version to 2.23.1. <a
href="https://redirect.github.com/github/codeql-action/pull/3118">#3118</a></li>
</ul>
<h2>3.30.3 - 10 Sep 2025</h2>
<p>No user facing changes.</p>
<h2>3.30.2 - 09 Sep 2025</h2>
<ul>
<li>Fixed a bug which could cause language autodetection to fail. <a
href="https://redirect.github.com/github/codeql-action/pull/3084">#3084</a></li>
<li>Experimental: The <code>quality-queries</code> input that was added
in <code>3.29.2</code> as part of an internal experiment is now
deprecated and will be removed in an upcoming version of the CodeQL
Action. It has been superseded by a new <code>analysis-kinds</code>
input, which is part of the same internal experiment. Do not use this in
production as it is subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3064">#3064</a></li>
</ul>
<h2>3.30.1 - 05 Sep 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3077">#3077</a></li>
</ul>
<h2>3.30.0 - 01 Sep 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/16140ae1a102900babc80a33c44059580f687047"><code>16140ae</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3213">#3213</a>
from github/update-v4.30.9-70205d3d1</li>
<li><a
href="https://github.com/github/codeql-action/commit/30db5fee08fa0be23eee96b4496f7352d9f29f86"><code>30db5fe</code></a>
Update changelog for v4.30.9</li>
<li><a
href="https://github.com/github/codeql-action/commit/70205d3d123f562983bd79625547bda0f3ac0e49"><code>70205d3</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3211">#3211</a>
from github/mbg/init/starting-partial-config</li>
<li><a
href="https://github.com/github/codeql-action/commit/697c209bfca8233b036e2484d56dd6d373055e17"><code>697c209</code></a>
Merge remote-tracking branch 'origin/main' into
mbg/init/starting-partial-config</li>
<li><a
href="https://github.com/github/codeql-action/commit/1bd53ba38c522699e557edfba608ac9423db9a48"><code>1bd53ba</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3205">#3205</a>
from github/update-bundle/codeql-bundle-v2.23.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/cac4df0c798faa8010a1a06712c7d1e8449e9150"><code>cac4df0</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/77e5c0d0a22917bff475a451f4bfaaf2beac0a64"><code>77e5c0d</code></a>
Merge branch 'main' into update-bundle/codeql-bundle-v2.23.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/97a4f751be6792e7470adaf5465d9dbb26b9a3d1"><code>97a4f75</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3204">#3204</a>
from github/mbg/setup-codeql</li>
<li><a
href="https://github.com/github/codeql-action/commit/2d5512b361168357c4197bb366d28d625c8bf747"><code>2d5512b</code></a>
Merge remote-tracking branch 'origin/main' into
mbg/init/starting-partial-config</li>
<li><a
href="https://github.com/github/codeql-action/commit/fa7bdf055936bea552da9c58f425daa8bb13d51d"><code>fa7bdf0</code></a>
Call <code>getAnalysisKinds</code> a second time, and ignore exceptions
thrown during th...</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/f443b600d91635bebf5b0d9ebc620189c0d6fba5...16140ae1a102900babc80a33c44059580f687047">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.30.8&new-version=4.30.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… group (#3356)

Bumps the actions group with 1 update:
[actions/setup-node](https://github.com/actions/setup-node).

Updates `actions/setup-node` from 5.0.0 to 6.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-node/releases">actions/setup-node's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h2>What's Changed</h2>
<p><strong>Breaking Changes</strong></p>
<ul>
<li>Limit automatic caching to npm, update workflows and documentation
by <a
href="https://github.com/priyagupta108"><code>@​priyagupta108</code></a>
in <a
href="https://redirect.github.com/actions/setup-node/pull/1374">actions/setup-node#1374</a></li>
</ul>
<p><strong>Dependency Upgrades</strong></p>
<ul>
<li>Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes
in v5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1336">#1336</a></li>
<li>Upgrade prettier from 2.8.8 to 3.6.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1334">#1334</a></li>
<li>Upgrade actions/publish-action from 0.3.0 to 0.4.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1362">#1362</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-node/compare/v5...v6.0.0">https://github.com/actions/setup-node/compare/v5...v6.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-node/commit/2028fbc5c25fe9cf00d9f06a71cc4710d4507903"><code>2028fbc</code></a>
Limit automatic caching to npm, update workflows and documentation (<a
href="https://redirect.github.com/actions/setup-node/issues/1374">#1374</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/13427813f706a0f6c9b74603b31103c40ab1c35a"><code>1342781</code></a>
Bump actions/publish-action from 0.3.0 to 0.4.0 (<a
href="https://redirect.github.com/actions/setup-node/issues/1362">#1362</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/89d709d423dc495668cd762a18dd4a070611be3f"><code>89d709d</code></a>
Bump prettier from 2.8.8 to 3.6.2 (<a
href="https://redirect.github.com/actions/setup-node/issues/1334">#1334</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/cd2651c46231bc0d6f48d6b34433b845331235fe"><code>cd2651c</code></a>
Bump ts-jest from 29.1.2 to 29.4.1 (<a
href="https://redirect.github.com/actions/setup-node/issues/1336">#1336</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...2028fbc5c25fe9cf00d9f06a71cc4710d4507903">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-node&package-manager=github_actions&previous-version=5.0.0&new-version=6.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>