
chore(deps): bump the go-minor-patch group across 1 directory with 2 updates#32

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go-minor-patch-31f10a0df0


Conversation


@dependabot dependabot bot commented on behalf of github Feb 9, 2026

Bumps the go-minor-patch group with 2 updates in the / directory: github.com/charmbracelet/bubbles and github.com/meigma/blob.

Updates github.com/charmbracelet/bubbles from 0.21.0 to 0.21.1

Release notes

Sourced from github.com/charmbracelet/bubbles's releases.

v0.21.1

Changelog

New!

  • dff42ddb7cf28f022da475c69dba2e74f75af34d: feat: update keybindings in list setSize method (@Broderick-Westrope)

Fixed

  • c376ce3ef18cc26bbf1f6338cc8518ae329a18d6: fix(cursor): fix data race on blinkTag (#784) (@DryHumour)
  • 11d52ca426e5c594f7c6c10766935a7f30a83225: fix(table): preventing cursor from being out-of-bounds. (@s0ders)
  • 49ff5c03b7bada572da36c79269dc15ab03d569b: fix(textinput): improve placeholder (#768) (@caarlos0)
  • 7c44f63d3185e6f1d795e9369ba85185e6efe956: v1: fix(list): ensure correct cursor positions with page/cursor methods (#831) (@lrstanley)

Docs

  • 7fcf75da535ee7db938586044a02f0f74f40339e: docs(readme): update footer image and copyright date (@meowgorithm)
  • d4feefed7d674edbfbc8f09e99c56704706038c5: docs: remove Charm Cloud reference (#785) (@ShalokShalom)

Other stuff

  • daab808a4d85e0b616ca9e30c1c5d9acd365aa02: ci: sync dependabot config (#786) (@charmcli)
  • 4b2d311076480670a00b3f24fd9ad280c35c7c57: ci: sync dependabot config (#835) (@charmcli)
  • 8562e9075fb87edf45e99c5d63a6610254d6c6e7: ci: sync golangci-lint config (#781) (@github-actions[bot])
  • f54a125f7decd8fefa0db4a0853720200d50a631: test(table): improve table unit tests (#601) (@Broderick-Westrope)

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

Commits
  • 9329772 chore: update dependencies
  • ff8b5a8 chore(deps): bump actions/checkout from 5 to 6 in the all group (#863)
  • 62c7911 chore(deps): bump the all group with 2 updates (#855)
  • 49ff5c0 fix(textinput): improve placeholder (#768)
  • d6934a1 chore(deps): bump github.com/mattn/go-runewidth in the all group (#852)
  • f2d1266 chore(deps): bump github.com/charmbracelet/bubbletea in the all group (#850)
  • 5caedd7 chore(deps): bump the all group with 2 updates (#848)
  • cfdc19b chore(deps): bump actions/setup-go from 5 to 6 in the all group (#842)
  • 3532a32 chore(deps): bump github.com/charmbracelet/bubbletea in the all group (#841)
  • 7c44f63 v1: fix(list): ensure correct cursor positions with page/cursor methods (#831)
  • Additional commits viewable in compare view

Updates github.com/meigma/blob from 1.1.1 to 1.1.2

Release notes

Sourced from github.com/meigma/blob's releases.

v1.1.2

1.1.2 (2026-01-25)

Bug Fixes

  • wire blockCache through to registry Pull (#62) (7857128)
  • wire WithRefCacheTTL to ref cache creation (#60) (5d4b964)

Changelog

Sourced from github.com/meigma/blob's changelog.

1.1.2 (2026-01-25)

Bug Fixes

  • wire blockCache through to registry Pull (#62) (7857128)
  • wire WithRefCacheTTL to ref cache creation (#60) (5d4b964)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates

Bumps the go-minor-patch group with 2 updates in the / directory: [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles) and [github.com/meigma/blob](https://github.com/meigma/blob).


Updates `github.com/charmbracelet/bubbles` from 0.21.0 to 0.21.1
- [Release notes](https://github.com/charmbracelet/bubbles/releases)
- [Commits](charmbracelet/bubbles@v0.21.0...v0.21.1)

Updates `github.com/meigma/blob` from 1.1.1 to 1.1.2
- [Release notes](https://github.com/meigma/blob/releases)
- [Changelog](https://github.com/meigma/blob/blob/master/CHANGELOG.md)
- [Commits](meigma/blob@v1.1.1...v1.1.2)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbles
  dependency-version: 0.21.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/meigma/blob
  dependency-version: 1.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot commented on behalf of github Feb 9, 2026

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the dependency health profile is acceptable with no deprecated packages and permissive licenses, this PR contains 6 critical security vulnerabilities that must be addressed before merging. Most severe are: (1) Two crypto/tls vulnerabilities in Go stdlib (CVE-2025-68121, CVE-2025-61730) that could enable session hijacking and compromise secure communications, (2) Path traversal vulnerability in go-tuf (CVE-2026-24686) allowing arbitrary file writes to the system, and (3) Memory exhaustion in net/url (CVE-2025-61726) enabling DoS attacks. These exploitable CVEs in critical infrastructure components (Go stdlib and go-tuf) pose immediate security risks that override the otherwise healthy dependency maintenance profile. Required actions: Update Go stdlib to latest patched version, upgrade go-tuf v0.7.0 and v2.3.1 to patched releases addressing the path traversal vulnerabilities. The maintenance concerns noted for indirect UI dependencies can be monitored post-remediation but are not blocking issues.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Update Go stdlib to address crypto/tls and net/url vulnerabilities (CVE-2025-68121, CVE-2025-61730, CVE-2025-61726). Upgrade to the latest patched Go version that addresses these vulnerabilities.

Update github.com/theupdateframework/go-tuf from v0.7.0 to the latest patched version that addresses CVE-2026-23991, CVE-2026-23992, and CVE-2026-24686. The path traversal vulnerability (CVE-2026-24686) is particularly critical as it allows arbitrary file writes.

Update github.com/theupdateframework/go-tuf/v2 from v2.3.1 to address the path traversal vulnerability (CVE-2026-24686).

Required Dependency Mitigations

  • MAINTENANCE MONITORING REQUIRED: Three packages show low maintenance scores - github.com/lucasb-eyer/go-colorful (1/10), github.com/mattn/go-runewidth (0/10), and github.com/charmbracelet/bubbles (1/10). These are indirect dependencies of your UI library. Consider monitoring these packages for future updates or alternative solutions if maintenance issues persist.
  • OPTIONAL UPDATES: Three packages are not at their latest versions: github.com/clipperhouse/uax29/v2 (current: v2.5.0, latest: v2.6.0), github.com/charmbracelet/x/ansi (current: v0.11.5, latest: v0.11.6), and github.com/clipperhouse/displaywidth (current: v0.9.0, latest: v0.10.0). These are minor version differences and not critical, but consider updating in a future PR for completeness.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 523c7c1, performed at: 2026-02-09T10:14:28Z



dependabot bot commented on behalf of github Feb 16, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Feb 16, 2026
@dependabot dependabot bot deleted the dependabot/go_modules/go-minor-patch-31f10a0df0 branch February 16, 2026 09:56