@dependabot dependabot bot commented on behalf of github Jan 13, 2026

Bumps the go-deps group with 2 updates in the / directory: golang.org/x/crypto and modernc.org/sqlite.

Updates golang.org/x/crypto from 0.46.0 to 0.47.0

Commits
  • 506e022 go.mod: update golang.org/x dependencies
  • 7dacc38 chacha20poly1305: error out in fips140=only mode
  • See full diff in compare view

Updates modernc.org/sqlite from 1.41.0 to 1.43.0

Commits
  • 9e521c1 builder.json: test += openbsd/arm64
  • 234b299 builder.json: test += openbsd/amd64
  • cc1c971 make vendor # libsqlite3@v1.11.0
  • 27cd881 add conn.IsReadOnly, closes #242
  • cbcb1c2 README: add sponsors
  • a1e867b lib/mutex.go: robustness++
  • 168ece1 adjust int time haqndling, closes #240
  • 05f0a52 Merge branch 'fix-241' into 'master'
  • f8f5a75 fix TOCTOU interrupt race
  • 8f3ecad retract v1.42.0, revert to v1.41.0 state
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jan 13, 2026

github-actions bot commented Jan 13, 2026

NFR Tests ⬆️ 11 improved · ✅ 17 passed

Regressions: 0 ✅

Thresholds: WARN ≥ +5% • FAIL ≥ +10% • Hotspot ≥ 90% budget

! HOT  listEntrypoints/small      -0.1%      4,795B  budget 91%  63µs
! HOT  analyzeImpact/large        -0.2%     17,966B  budget 91%  364µs
! HOT  summarizeDiff/large        -0.3%     19,939B  budget 91%  249µs
+ SAVE getAffectedTests/xlarge   -50.4%     14,870B  budget 45%  132µs
+ SAVE getAffectedTests/large    -49.9%      7,521B  budget 46%  94µs
+ SAVE getAffectedTests/medium   -48.2%      3,110B  budget 47%  42µs

Hotspots (closest to limit)

| Scenario | Budget | Margin |
| --- | --- | --- |
| listEntrypoints / small | 91% | 9% |
| analyzeImpact / large | 91% | 9% |
| summarizeDiff / large | 91% | 9% |

All scenarios

| Scenario | Change | Actual (B) | Baseline | Max | Budget | Margin | Time |
| --- | --- | --- | --- | --- | --- | --- | --- |
| listEntrypoints / small | -0.1% | 4,795 | 4,800 | 5,280 | 91% | 9% | 63µs |
| analyzeImpact / large | -0.2% | 17,966 | 18,000 | 19,800 | 91% | 9% | 364µs |
| summarizeDiff / large | -0.3% | 19,939 | 20,000 | 22,000 | 91% | 9% | 249µs |
| searchSymbols / small | -0.3% | 3,588 | 3,600 | 3,960 | 91% | 9% | 43µs |
| searchSymbols / large | -0.8% | 90,246 | 91,000 | 100,100 | 90% | 10% | 307µs |
| listEntrypoints / large | -0.8% | 23,798 | 24,000 | 26,400 | 90% | 10% | 455µs |
| findReferences / large | -0.9% | 445,943 | 450,000 | 495,000 | 90% | 10% | 2.912344ms |
| traceUsage / large | -0.9% | 7,728 | 7,800 | 8,580 | 90% | 10% | 102µs |
| searchSymbols / medium | -1.3% | 17,766 | 18,000 | 19,800 | 90% | 10% | 107µs |
| getCallGraph / shallow | -1.4% | 887 | 900 | 990 | 90% | 10% | 688µs |
| getHotspots / large | -1.5% | 16,748 | 17,000 | 18,700 | 90% | 10% | 272µs |
| getHotspots / small | -1.6% | 886 | 900 | 990 | 89% | 11% | 36µs |
| findReferences / medium | -1.9% | 44,123 | 45,000 | 49,500 | 89% | 11% | 182µs |
| findReferences / small | -2.3% | 4,395 | 4,500 | 4,950 | 89% | 11% | 53µs |
| summarizeDiff / small | -3.0% | 2,133 | 2,200 | 2,420 | 88% | 12% | 34µs |
| analyzeImpact / small | -3.8% | 1,924 | 2,000 | 2,200 | 87% | 13% | 28µs |
| getCallGraph / deep | -4.8% | 15,238 | 16,000 | 17,600 | 87% | 13% | 159µs |
| 🟢 traceUsage / small | -9.4% | 725 | 800 | 880 | 82% | 18% | 17µs |
| 🟢 getArchitecture / large | -16.4% | 6,690 | 8,000 | 8,800 | 76% | 24% | 98µs |
| 🟢 analyzeChange / xlarge | -28.3% | 387,417 | 540,000 | 594,000 | 65% | 35% | 1.869053ms |
| 🟢 analyzeChange / large | -28.5% | 193,169 | 270,000 | 297,000 | 65% | 35% | 1.264704ms |
| 🟢 analyzeChange / medium | -29.9% | 38,575 | 55,000 | 60,500 | 64% | 36% | 303µs |
| 🟢 analyzeChange / small | -32.6% | 4,046 | 6,000 | 6,600 | 61% | 39% | 138µs |
| 🟢 getArchitecture / small | -36.0% | 960 | 1,500 | 1,650 | 58% | 42% | 19µs |
| 🟢 getAffectedTests / small | -39.8% | 903 | 1,500 | 1,650 | 55% | 45% | 18µs |
| 🟢 getAffectedTests / medium | -48.2% | 3,110 | 6,000 | 6,600 | 47% | 53% | 42µs |
| 🟢 getAffectedTests / large | -49.9% | 7,521 | 15,000 | 16,500 | 46% | 54% | 94µs |
| 🟢 getAffectedTests / xlarge | -50.4% | 14,870 | 30,000 | 33,000 | 45% | 55% | 132µs |


github-actions bot commented Jan 13, 2026

🟢 Change Impact Analysis

| Metric | Value |
| --- | --- |
| Risk Level | LOW 🟢 |
| Files Changed | 1 |
| Symbols Changed | 1 |
| Directly Affected | 0 |
| Transitively Affected | 0 |

Blast Radius: 0 modules, 0 files, 0 unique callers

📝 Changed Symbols (1)

| Symbol | File | Type | Confidence |
| --- | --- | --- | --- |
| go.mod | go.mod | modified | 30% |

Recommendations

  • ℹ️ coverage: 1 symbols have low mapping confidence. Index may be stale.
    • Action: Run 'ckb index' to refresh the SCIP index

⚠️ Index is 0 commit(s) behind HEAD. Results may be incomplete.


Generated by CKB


github-actions bot commented Jan 13, 2026

CKB Analysis

Risk Files +44 -40 Modules

🎯 1 changed → 0 affected · 🔥 2 hotspots · 📚 132 stale

Risk factors: Touches 2 hotspot(s)

| Metric | Value |
| --- | --- |
| Impact Analysis | 1 symbols → 0 affected 🟢 |
| Doc Coverage | 9.090909090909092% ⚠️ |
| Complexity | 0 violations |
| Coupling | 0 gaps |
| Blast Radius | 0 modules, 0 files |
| Index | indexed (8s) 🆕 |

🎯 Change Impact Analysis · 🟢 LOW · 1 changed → 0 affected

| Metric | Value |
| --- | --- |
| Symbols Changed | 1 |
| Directly Affected | 0 |
| Transitively Affected | 0 |
| Modules in Blast Radius | 0 |
| Files in Blast Radius | 0 |

Symbols changed in this PR:

  • go.mod [modified] (30%) — go.mod

Recommendations:

  • ℹ️ 1 symbols have low mapping confidence. Index may be stale.
    • Action: Run 'ckb index' to refresh the SCIP index

⚠️ Index is undefined commit(s) behind HEAD. Results may be incomplete. Run ckb index to refresh.

🔥 Hotspots · 2 volatile files

| File | Churn Score |
| --- | --- |
| go.mod | 13.24 |
| go.sum | 16.72 |

💡 Quick wins · 10 suggestions

📚 Stale docs · 132 broken references

Generated by CKB · Run details

Bumps the go-deps group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite).


Updates `golang.org/x/crypto` from 0.46.0 to 0.47.0
- [Commits](golang/crypto@v0.46.0...v0.47.0)

Updates `modernc.org/sqlite` from 1.41.0 to 1.43.0
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.41.0...v1.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: modernc.org/sqlite
  dependency-version: 1.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/develop/go-deps-9e1cf3c202 branch from 96cc8c2 to 81709c6 Compare January 20, 2026 23:43
@github-actions

🔐 Security Audit Results

⚠️ Security gate passed with warnings - 7 issue(s) found (review recommended)

| Category | Findings |
| --- | --- |
| 🔑 Secrets | ✅ 0 |
| 🛡️ SAST | ✅ 0 |
| 📦 Dependencies | ⚠️ 7 |
| 📜 Licenses | ⚠️ 119 non-permissive |

📦 Dependency Vulnerabilities

Found 7 vulnerability(ies) across 2 scanner(s)

Details

Trivy (4 findings)

  • CVE-2026-22036 (LOW): undici - undici: Undici: Denial of Service via excessive de...
  • CVE-2025-54410 (LOW): github.com/docker/docker - github.com/moby/moby: Moby's Firewalld reload remo...
  • GHSA-vrw8-fxc6-2r93 (MEDIUM): github.com/go-chi/chi/v5 - chi Allows Host Header Injection which Leads to Op...
  • CVE-2025-47908 (MEDIUM): github.com/rs/cors - github.com/rs/cors: Denial of service via maliciou...

OSV-Scanner (3 findings)

  • github.com/docker/docker: 2 vulnerabilities
  • github.com/go-chi/chi/v5: 1 vulnerabilities
  • github.com/rs/cors: 2 vulnerabilities

📜 License Issues

Found 119 non-permissive license(s)

Details
  • github.com/BurntSushi/toml: MIT (notice)
  • github.com/google/uuid: BSD-3-Clause (notice)
  • github.com/klauspost/compress: Apache-2.0 (notice)
  • github.com/klauspost/compress: BSD-3-Clause (notice)
  • github.com/klauspost/compress: MIT (notice)
  • github.com/pelletier/go-toml/v2: MIT (notice)
  • github.com/smacker/go-tree-sitter: MIT (notice)
  • github.com/sourcegraph/go-diff: MIT (notice)
  • github.com/sourcegraph/scip: Apache-2.0 (notice)
  • github.com/spf13/cobra: Apache-2.0 (notice)
  • ... and 109 more

Generated by CKB Security Audit | View Details | Security Tab
