Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/anthropics/anthropic-sdk-go	v1.48.0 → v1.50.1			require	minor
github.com/felixge/httpsnoop	v1.0.4 → v1.1.0			indirect	minor
github.com/onsi/ginkgo/v2	v2.29.0 → v2.31.0			require	minor
github.com/onsi/gomega	v1.41.0 → v1.42.0			require	minor
go.yaml.in/yaml/v4	v4.0.0-rc.2 → v4.0.0-rc.5			indirect	patch
golang.org/x/crypto	v0.52.0 → v0.53.0			require	minor
golang.org/x/mod	v0.36.0 → v0.37.0			indirect	minor
golang.org/x/net	v0.55.0 → v0.56.0			indirect	minor
golang.org/x/sync	v0.20.0 → v0.21.0			require	minor
golang.org/x/sys	v0.45.0 → v0.46.0			indirect	minor
golang.org/x/text	v0.37.0 → v0.38.0			require	minor
golang.org/x/tools	v0.45.0 → v0.46.0			require	minor
google.golang.org/api	v0.283.0 → v0.284.0			indirect	minor
google.golang.org/genai	v1.59.0 → v1.60.0			require	minor
google.golang.org/genproto/googleapis/rpc	3dc84a4 → 7ab31c2			indirect	digest

---

Release Notes

anthropics/anthropic-sdk-go (github.com/anthropics/anthropic-sdk-go)

v1.50.1

Compare Source

Full Changelog: v1.50.0...v1.50.1

Bug Fixes

• api: add frontier_llm refusal category (9ebbaf7)

v1.50.0

Compare Source

Full Changelog: v1.50.0...v1.50.1

Bug Fixes

• api: add frontier_llm refusal category (9ebbaf7)

v1.49.0

Compare Source

Full Changelog: v1.49.0...v1.50.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (f72e1d8)

felixge/httpsnoop (github.com/felixge/httpsnoop)

v1.1.0

Compare Source

onsi/ginkgo (github.com/onsi/ginkgo/v2)

v2.31.0

Compare Source

2.31.0

Add a bunch of Claude Skills via the marketplace:

/plugin marketplace add onsi/ginkgo
/plugin install ginkgo@ginkgo

v2.30.0

Compare Source

2.30.0

Features

Ginkgo now allows extentions/global.Reset to support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.

Thanks @​lawrencejones !

Fixes

• Fix nested --github-output group for progress report nested inside timeline [4f62d7a]

onsi/gomega (github.com/onsi/gomega)

v1.42.0

Compare Source

1.42.0

Add a set of Claude skill as a marketplace plugin

yaml/go-yaml (go.yaml.in/yaml/v4)

v4.0.0-rc.5

Compare Source

v4.0.0-rc.4

Compare Source

v4.0.0-rc.3

Compare Source

googleapis/google-api-go-client (google.golang.org/api)

v0.284.0

Compare Source

Features

• all: Auto-regenerate discovery clients (#​3613) (5f02153)
• all: Auto-regenerate discovery clients (#​3616) (25b429a)
• all: Auto-regenerate discovery clients (#​3617) (1ef3625)

googleapis/go-genai (google.golang.org/genai)

v1.60.0

Compare Source

Features

• Add ServiceTier to UsageMetadata (74b1290)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🤖 Barry Security Review

[github-actions]

🤖 Security Issue: The PR updates the dependency 'go.yaml.in/yaml/v4' and several core Go libraries (golang.org/x/, google.golang.org/) to versions and domains that are highly suspicious. 'go.yaml.in' is a known typosquatting pattern for 'gopkg.in'. Furthermore, the versions (e.g., v0.53.0 for x/crypto, v0.284.0 for google api) and the commit timestamps (June 2026) in go.sum significantly exceed currently existing official releases, indicating a dependency confusion or supply chain hijack attempt.

Severity: HIGH
Category: supply_chain_attack
Confidence: 95%
Tool: Barry AI Security Analysis (Gemini)

Exploit Scenario:
An attacker who has published malicious packages to a public repository with higher version numbers or typosquatted domains (like go.yaml.in) can trick automated tools like Renovate into creating this PR. If merged, the build process will download and execute arbitrary code from these untrusted sources, leading to a compromise of the CI/CD pipeline, theft of secrets (such as the AI API keys mentioned in the environment), and potential persistence in the codebase.

Recommendation:
Do not merge this PR. Investigate why the automated update tool is suggesting non-existent or typosquatted versions. Revert all dependencies to their official canonical paths (e.g., 'gopkg.in/yaml.v3') and verify the latest legitimate versions on pkg.go.dev. Audit the GOPROXY and module resolution settings in the CI environment.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.46%. Comparing base (f1c81de) to head (7f282d0).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1695   +/-   ##
=======================================
  Coverage   80.46%   80.46%           
=======================================
  Files         110      110           
  Lines       10255    10255           
=======================================
  Hits         8252     8252           
  Misses       1516     1516           
  Partials      487      487           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.