chore(deps): update dependency osv-scanner to v2.3.8#720

Open
renovate[bot] wants to merge 1 commit into main from renovate/osv-scanner-2.x

@renovate renovate Bot commented Apr 29, 2026

This PR contains the following updates:

Package | Update | Change
osv-scanner | patch | 2.3.3 → 2.3.8

Release Notes

google/osv-scanner (osv-scanner)

v2.3.8

Fixes:
  • Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec).
  • Bug #2762 Skip packages with short commit hashes instead of aborting scan.
  • Bug #2781 Secure file path handling with os.OpenRoot.
  • Bug #2766 Correct typos across docs, configs, and Go source.
Misc:
  • Update osv-scalibr to v0.4.6-0.20260504042738-9293bfa4f86f.
  • Remove replace directive (#2782).
  • Update contributing.md (#2779).

v2.3.7

Fixes:
  • Fix installation issues with go install due to dependency conflicts (downgrade containerd/cgroups/v3, moby/buildkit and opencontainers/runtime-spec).
  • Bug #2762 Skip packages with short commit hashes instead of aborting scan.
  • Bug #2781 Secure file path handling with os.OpenRoot.
  • Bug #2766 Correct typos across docs, configs, and Go source.
Misc:
  • Update osv-scalibr to v0.4.6-0.20260504042738-9293bfa4f86f.
  • Remove replace directive (#2782).
  • Update contributing.md (#2779).

v2.3.6

Features:
Fixes:
  • Bug #2750 Sanitize \r/\n in default/table/vertical output to prevent GitHub Actions workflow command injection.
  • Bug #2641 Correctly output packages from osv-scanner.json source in spdx format.
  • Bug #2729 Increase color contrast of vulnerability stats.
  • Bug #2664 Remove second newline at end of vertical output.
  • Bug #2669 Sanitize \r in gh-annotations to prevent GitHub Actions workflow command injection.
Misc:
  • Update osv-scalibr to v0.4.6-0.20260428235529-7791e288d6c1.
  • Update Go version to 1.26.2 (#2706).

v2.3.5

Misc:
  • Fix broken release workflow.

v2.3.4

[!NOTE] This release was abandoned, due to issues with the release workflow.

Features:
  • Feature #2571 Enable transitive scanning for Python requirements.txt files using the deps.dev API.
  • Feature #2649 Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabled.
Fixes:
  • Bug #2630 Improve startup performance on Windows Terminal by updating lipgloss.
  • Bug #2599 Ensure the package deprecation enricher respects the same configuration as other plugins.
  • Bug #2600 Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins.
Misc:

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title from "chore(deps): update dependency osv-scanner to v2.3.5" to "chore(deps): update dependency osv-scanner to v2.3.6" May 1, 2026
@renovate renovate Bot force-pushed the renovate/osv-scanner-2.x branch 2 times, most recently from 0449860 to 608fc52 May 7, 2026 05:29
@renovate renovate Bot changed the title from "chore(deps): update dependency osv-scanner to v2.3.6" to "chore(deps): update dependency osv-scanner to v2.3.7" May 7, 2026
@renovate renovate Bot force-pushed the renovate/osv-scanner-2.x branch from 608fc52 to 3d9c253 May 8, 2026 05:58
@renovate renovate Bot changed the title from "chore(deps): update dependency osv-scanner to v2.3.7" to "chore(deps): update dependency osv-scanner to v2.3.8" May 8, 2026
@renovate renovate Bot force-pushed the renovate/osv-scanner-2.x branch from 3d9c253 to 7d0f910 May 14, 2026 16:41
@renovate renovate Bot force-pushed the renovate/osv-scanner-2.x branch from 7d0f910 to 0b2d08c May 22, 2026 19:53