chore(deps): bump golang.org/x/vuln to v1.5.0 #41726

Merged: pelikhan merged 2 commits into main from copilot/update-golang-org-x-vuln-to-v1-5-0 (Jun 26, 2026)

Copilot AI commented Jun 26, 2026

This updates golang.org/x/vuln from v1.4.0 to v1.5.0, matching the requested minor release for the govulncheck tool dependency. The upstream delta is dependency metadata-only, with no expected functional change to govulncheck.

  • Dependency updates

    • go.mod: upgraded golang.org/x/vuln to v1.5.0
    • go.sum: refreshed checksums for golang.org/x/vuln and related transitive module updates from resolution
  • Tooling context

    • The repo tracks govulncheck as a tools dependency via blank import in tools.go; this change keeps that toolchain pinned to the latest requested version.
// tools.go
import (
	_ "golang.org/x/vuln/cmd/govulncheck"
)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update golang.org/x/vuln from v1.4.0 to v1.5.0" to "chore(deps): bump golang.org/x/vuln to v1.5.0" Jun 26, 2026
Copilot AI requested a review from pelikhan June 26, 2026 15:22
pelikhan marked this pull request as ready for review June 26, 2026 15:32
Copilot AI review requested due to automatic review settings June 26, 2026 15:32

Copilot AI left a comment

Pull request overview

This PR updates the govulncheck tool dependency by bumping golang.org/x/vuln to v1.5.0, and refreshes module resolution to keep go.mod/go.sum consistent.

Changes:

  • Bumped golang.org/x/vuln from v1.4.0 → v1.5.0.
  • Updated golang.org/x/tools from v0.46.0 → v0.47.0 and refreshed transitive module versions/checksums (including golang.org/x/telemetry).

| File | Description |
| --- | --- |
| go.mod | Updates direct module requirements (x/vuln, x/tools) and refreshes an indirect dependency (x/telemetry). |
| go.sum | Refreshes checksums to match the updated module graph after the version bumps. |

Review details

  • Files reviewed: 1/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread go.mod
Comment on lines 24 to +28
golang.org/x/crypto v0.53.0
golang.org/x/mod v0.37.0
golang.org/x/term v0.44.0
golang.org/x/tools v0.46.0
golang.org/x/vuln v1.4.0
golang.org/x/tools v0.47.0
golang.org/x/vuln v1.5.0
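
Review bot: The golang.org/x/tools line in these requirements moves from v0.46.0 to v0.47.0 alongside golang.org/x/vuln, so two requirement versions change under a title that names one. Record in the PR body why x/tools moved, for example whether `go mod graph` shows golang.org/x/vuln@v1.5.0 requiring golang.org/x/tools@v0.47.0, so the second bump stays traceable in a later dependency audit.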

github-actions Bot commented Jun 26, 2026

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. PR #41726 only bumps golang.org/x/vuln to v1.5.0 (go.mod and go.sum changes only). Test Quality Sentinel skipped.

github-actions Bot commented Jun 26, 2026

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

github-actions Bot commented Jun 26, 2026

PR Code Quality Reviewer completed the code quality review.

github-actions Bot commented Jun 26, 2026

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories.

github-actions Bot mentioned this pull request Jun 26, 2026

github-actions Bot left a comment

Skills-Based Review 🧠

Applied /zoom-out — approving with one minor documentation note.

📋 Key Themes & Highlights

Key Themes

  • Title accuracy: PR title names only golang.org/x/vuln but golang.org/x/tools is also bumped as a direct dep (v0.46.0 → v0.47.0). Worth updating the title or PR body for searchable history. (See inline comment.)
  • Transitive churn: golang.org/x/telemetry is a pseudo-version date bump — expected collateral from tools/vuln resolution.

Positive Highlights

  • go.mod and go.sum are consistent — no dangling or missing checksums
  • ✅ PR description clearly explains the intent and tooling context (tools.go blank import)
  • ✅ Minimal blast radius — dependency metadata only, no functional code changes

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 25.2 AIC · ⌖ 9.49 AIC · ⊞ 6.5K

Comment thread go.mod
golang.org/x/term v0.44.0
golang.org/x/tools v0.46.0
golang.org/x/vuln v1.4.0
golang.org/x/tools v0.47.0

[/zoom-out] The PR title and description mention only golang.org/x/vuln but golang.org/x/tools is also bumped as a direct dependency (v0.46.0 → v0.47.0), not just a transitive one.

💡 Suggestion

Consider updating the PR title to reflect both direct dependency bumps, e.g.:

chore(deps): bump golang.org/x/vuln to v1.5.0 and golang.org/x/tools to v0.47.0

Or add a bullet under Dependency updates in the PR body:

- `go.mod`: upgraded `golang.org/x/tools` to `v0.47.0`

This keeps the PR history accurate for anyone git log-searching for the tools bump later.

github-actions Bot left a comment

No additional blocking issues found beyond the existing inline comment.

Analysis summary

Findings

  • golang.org/x/vuln v1.4.0 → v1.5.0: intended change; go.sum h1 and /go.mod hash pairs are consistent.
  • golang.org/x/tools v0.46.0 → v0.47.0: expected minimum-version upgrade triggered by golang.org/x/vuln@v1.5.0's transitive requirements, but undocumented in the PR — already flagged by existing inline comment.
  • golang.org/x/telemetry pseudo-version update: expected indirect transitive bump; low risk.
  • go.sum integrity: all three changed modules have both h1: and /go.mod hash entries correctly updated; no entries are missing or extraneous.

Grumpy-coder sub-agent and independent second pass found no new actionable correctness, security, or performance issues beyond the scope/description mismatch already noted inline.

🔎 Code quality review by PR Code Quality Reviewer · 35.1 AIC · ⌖ 6.98 AIC · ⊞ 5.2K
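
The go.sum check described in the review above (each changed module carries both an `h1:` module hash and a `/go.mod` hash), written out as an added Go example that is not part of the PR or the reviewer's tooling. The function name `missingSumEntries` and the sample go.sum text with placeholder hashes are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.sum; the hash values are placeholders, not real checksums.
// The x/vuln v1.5.0 "/go.mod" line is deliberately absent (a stale v1.4.0 line remains).
const sampleGoSum = `golang.org/x/tools v0.47.0 h1:PLACEHOLDERtools=
golang.org/x/tools v0.47.0/go.mod h1:PLACEHOLDERtoolsmod=
golang.org/x/vuln v1.5.0 h1:PLACEHOLDERvuln=
golang.org/x/vuln v1.4.0/go.mod h1:PLACEHOLDERoldmod=
`

// missingSumEntries reports, for each "module version" in required, which of the
// two expected go.sum lines (module zip hash, go.mod hash) is absent or not h1:.
func missingSumEntries(goSum string, required []string) map[string][]string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// A go.sum line is: <module> <version>[/go.mod] <hash>
		if len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			seen[f[0]+" "+f[1]] = true
		}
	}
	missing := map[string][]string{}
	for _, mv := range required {
		if !seen[mv] {
			missing[mv] = append(missing[mv], "zip")
		}
		if !seen[mv+"/go.mod"] {
			missing[mv] = append(missing[mv], "go.mod")
		}
	}
	return missing
}

func main() {
	req := []string{"golang.org/x/tools v0.47.0", "golang.org/x/vuln v1.5.0"}
	for mv, gaps := range missingSumEntries(sampleGoSum, req) {
		fmt.Printf("%s: missing %s hash\n", mv, strings.Join(gaps, ", "))
	}
}
```

Modules that are needed only for version resolution normally have just the `/go.mod` line, so the required list should contain modules whose packages are actually built.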

pelikhan merged commit a3e9b9b into main Jun 26, 2026
91 checks passed
pelikhan deleted the copilot/update-golang-org-x-vuln-to-v1-5-0 branch June 26, 2026 16:36