Update module github.com/urfave/cli/v3 to v3.9.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/urfave/cli/v3	v3.8.0 → v3.9.0

---

Release Notes

urfave/cli (github.com/urfave/cli/v3)

v3.9.0

Compare Source

What's Changed

• chore(deps): bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in #​2300
• chore(deps): bump the python-packages group across 1 directory with 3 updates by @​dependabot[bot] in #​2301
• docs: fix typo by @​acrobatstick in #​2299
• feat: add descriptions for bash and powershell autocompletion by @​gabelluardo in #​2298
• Made command help more consistent by @​markshep-wbg in #​2287
• Fix:(issue_2285): correct function and variable naming in fish completion script by @​TimSoethout in #​2286
• fix(ci): update docs after bash completion update by @​gabelluardo in #​2307
• fix: apply SliceFlagSeparator to env var sources by @​lawrence3699 in #​2309
• fix: don't print empty line to stderr when Exit message is empty by @​Yanhu007 in #​2310
• flag: prevent BoolWithInverseFlag.String from panicking without a tab by @​alliasgher in #​2311
• refactor: bash completion script by @​gabelluardo in #​2308
• fix: drop shebang from bash completion template by @​barry3406 in #​2317
• fix: show flag completions when completing a double-dash prefix by @​morozov in #​2316
• fix: parse flags for help subcommand (#​2271) by @​barry3406 in #​2319
• fix: show BoolWithInverseFlag aliases in help text by @​wucm667 in #​2321

New Contributors

• @​gabelluardo made their first contribution in #​2298
• @​markshep-wbg made their first contribution in #​2287
• @​lawrence3699 made their first contribution in #​2309
• @​Yanhu007 made their first contribution in #​2310
• @​alliasgher made their first contribution in #​2311
• @​barry3406 made their first contribution in #​2317
• @​morozov made their first contribution in #​2316
• @​wucm667 made their first contribution in #​2321

Full Changelog: urfave/cli@v3.8.0...v3.9.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because a CI failure in GitHub Actions directly related to the upgrade is blocking the PR. The go.sum file is out of sync: it still contains stale checksum entries for the previous version (lines 7–8 of go.sum) alongside the correct entries for the new version, causing go mod tidy to exit with code 1. The fix is straightforward — running go mod tidy locally and committing the updated go.sum — but must be completed before merge. A secondary SonarQube CI failure exists due to a conflicting Automatic Analysis configuration, but this is unrelated to the dependency upgrade. The application's core CLI usage in cmd/syspkg/main.go uses only standard urfave/cli/v3 APIs (cli.Command, cli.BoolFlag, cmd.Bool(), cmd.Args().Slice(), app.Run()) and is not affected by any breaking API changes. A typosquat package (github.com/utfave/cli, note the transposed 'r' and 't') exists in the wild and should be treated as a reminder to double-check import paths, but the codebase correctly imports github.com/urfave/cli/v3 throughout.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

• Run 'go mod tidy' to remove stale github.com/urfave/cli/v3 v3.8.0 checksum entries from go.sum and ensure all dependencies are properly resolved. This will remove lines 7-8 in go.sum (the v3.8.0 h1: and v3.8.0/go.mod h1: entries) and may add/update other transitive dependency checksums. Commit the resulting go.sum (and go.mod if changed). Manual alternative: open go.sum and delete the two lines containing 'github.com/urfave/cli/v3 v3.8.0'.
  Run: cd . && go mod tidy
  Files: go.sum, go.mod
• Disable Automatic Analysis in SonarQube Cloud for the 'bluet_syspkg' project. Go to SonarQube Cloud → Project 'bluet_syspkg' → Administration → Analysis Method, and disable 'Automatic Analysis' so that only the CI-based analysis (via SonarSource/sonarqube-scan-action in GitHub Actions) runs. Alternatively, remove the SonarSource/sonarqube-scan-action step from the GitHub Actions workflow if Automatic Analysis is preferred.
  Files: .github/workflows/sonarqube.yml

AI Assistant Prompt

Copy prompt for AI assistant

# Fix CI Failures After `github.com/urfave/cli/v3` Upgrade (v3.8.0 → v3.9.0)

Repository: syspkg, PR #68

## Context

The `github.com/urfave/cli/v3` dependency was bumped from v3.8.0 to v3.9.0 in `go.mod`, but `go.sum` still contains stale checksum entries for v3.8.0, causing the CI lint/format check to fail (`go mod tidy` exits with code 1).

The application code in `cmd/syspkg/main.go` uses only standard APIs (`cli.Command`, `cli.BoolFlag`, `cmd.Bool()`, `cmd.Args().Slice()`, `app.Run()`) and is **not affected** by any breaking changes — no code changes are needed.

## Fix 1 (Primary): Clean up `go.sum`

Run `go mod tidy` to remove stale v3.8.0 checksum entries from `go.sum`.

**Files:** `go.sum`, `go.mod`

**What to do:**
1. Run `go mod tidy` in the repository root
2. Verify that `go.sum` no longer contains lines referencing `github.com/urfave/cli/v3 v3.8.0` (previously around lines 7-8)
3. Verify that `go.sum` contains entries for `github.com/urfave/cli/v3 v3.9.0`
4. Commit the updated `go.sum` (and `go.mod` if it changed)

**Manual alternative:** Open `go.sum` and delete the two lines containing `github.com/urfave/cli/v3 v3.8.0` (the `h1:` and `/go.mod h1:` entries).

## Fix 2 (Separate Issue — Manual Action Required): SonarQube CI Failure

A second CI failure (SonarQube scan, exit code 3) is **unrelated** to the dependency upgrade. It's caused by both Automatic Analysis and CI-triggered analysis being enabled simultaneously for the `bluet_syspkg` project.

**Resolution (requires human action in SonarQube Cloud UI):**
- Go to SonarQube Cloud → Project `bluet_syspkg` → Administration → Analysis Method
- Disable "Automatic Analysis" so only the CI-based scan (via `SonarSource/sonarqube-scan-action` in `.github/workflows/sonarqube.yml`) runs
- Alternatively, remove the `SonarSource/sonarqube-scan-action` step from the workflow if Automatic Analysis is preferred

## Verification

After applying Fix 1, run:
```bash
go mod tidy
go build ./...
go test ./...
```

All should pass without errors. The CI lint/format check should then succeed on the next push.

What we checked

• go.mod correctly declares github.com/urfave/cli/v3 v3.9.0 as the required version, but go.sum still retains the old v3.8.0 checksum entries, causing a mismatch that go mod tidy detects and removes — triggering the CI failure. ^[1]
• Stale github.com/urfave/cli/v3 v3.8.0 h1:... and v3.8.0/go.mod h1:... checksum entries (lines 7–8) are present alongside the correct v3.9.0 entries (lines 9–10). Running go mod tidy removes the stale entries; these changes must be committed to unblock CI. ^[2]
• Correct github.com/urfave/cli/v3 v3.9.0 checksums are already present in go.sum, confirming the dependency was resolved properly. Only cleanup of stale v3.8.0 entries is needed. ^[3]
• The sole import of github.com/urfave/cli/v3 is at line 12. All usages — cli.Command, cli.BoolFlag, cmd.Bool(), cmd.Args().Slice(), app.Run() — rely on stable, long-standing public APIs in urfave/cli/v3 that are unaffected by this minor version bump. ^[4]
• app.Run(context.Background(), os.Args) at line 362 is the entry point for the CLI framework. This call signature is the standard urfave/cli/v3 pattern and is not impacted by this upgrade. ^[5]
• getOptions() helper at line 370 uses cmd.Bool() for flag retrieval across all commands. This API is stable and unchanged between the two versions. ^[6]
• A typosquat package github.com/utfave/cli (transposed 'r'/'t' in 'urfave') exists and exfiltrates system info via an init() function. The codebase correctly imports github.com/urfave/cli/v3, not the malicious variant — no direct risk, but worth confirming no dependency pulls in the typosquat transitively. ^[7]

Dependency Usage

github.com/urfave/cli/v3 is the foundational CLI framework for this project, powering the entire cmd/syspkg/main.go entry point — the user-facing syspkg command-line tool. It drives all user interactions including commands for package install, delete, refresh, upgrade, find, and nested show subcommands (upgradable, installed, package info), along with global flags for dry-run, verbose, interactive, and per-package-manager targeting (e.g., --apt, --snap, --flatpak). The dependency is architecturally critical: without it, the application has no CLI surface, as it is the sole mechanism translating user input into calls to the underlying syspkg package manager abstraction layer.

• go.mod correctly declares github.com/urfave/cli/v3 v3.9.0 as the required version, but go.sum still retains the old v3.8.0 checksum entries, causing a mismatch that go mod tidy detects and removes — triggering the CI failure.
  

  syspkg/go.mod

  Line 5 in 456b204

  require github.com/urfave/cli/v3 v3.9.0

• Stale github.com/urfave/cli/v3 v3.8.0 h1:... and v3.8.0/go.mod h1:... checksum entries (lines 7–8) are present alongside the correct v3.9.0 entries (lines 9–10). Running go mod tidy removes the stale entries; these changes must be committed to unblock CI.
  

  syspkg/go.sum

  Line 7 in 456b204

  github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=

View 4 more usages

• Correct github.com/urfave/cli/v3 v3.9.0 checksums are already present in go.sum, confirming the dependency was resolved properly. Only cleanup of stale v3.8.0 entries is needed.
  

  syspkg/go.sum

  Line 9 in 456b204

  github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c=

• The sole import of github.com/urfave/cli/v3 is at line 12. All usages — cli.Command, cli.BoolFlag, cmd.Bool(), cmd.Args().Slice(), app.Run() — rely on stable, long-standing public APIs in urfave/cli/v3 that are unaffected by this minor version bump.
  

  syspkg/cmd/syspkg/main.go

  Line 12 in 456b204

  "github.com/urfave/cli/v3"

• app.Run(context.Background(), os.Args) at line 362 is the entry point for the CLI framework. This call signature is the standard urfave/cli/v3 pattern and is not impacted by this upgrade.
  

  syspkg/cmd/syspkg/main.go

  Line 362 in 456b204

  err = app.Run(context.Background(), os.Args)

• getOptions() helper at line 370 uses cmd.Bool() for flag retrieval across all commands. This API is stable and unchanged between the two versions.
  

  syspkg/cmd/syspkg/main.go

  Line 370 in 456b204

  func getOptions(cmd *cli.Command) *manager.Options {

Changes

github.com/urfave/cli/v3 was updated with several bug fixes including a panic prevention in BoolWithInverseFlag.String(), correct SliceFlagSeparator handling for environment variable sources, and suppression of empty stderr lines on exit. New features include flag completions for double-dash prefixes, descriptions in bash/PowerShell autocompletion, and BoolWithInverseFlag alias display in help text.

• Made command help more consistent by @​markshep-wbg in https://redirect.github.com/urfave/cli/pull/2287 (v3.9.0, release notes)
• (issue_2285): correct function and variable naming in fish completion script by @​TimSoethout in https://redirect.github.com/urfave/cli/pull/2286 (v3.9.0, release notes)
• apply SliceFlagSeparator to env var sources by @​lawrence3699 in https://redirect.github.com/urfave/cli/pull/2309 (v3.9.0, release notes)

View 13 more changes

• don't print empty line to stderr when Exit message is empty by @​Yanhu007 in https://redirect.github.com/urfave/cli/pull/2310 (v3.9.0, release notes)
• flag: prevent BoolWithInverseFlag.String from panicking without a tab by @​alliasgher in https://redirect.github.com/urfave/cli/pull/2311 (v3.9.0, release notes)
• feat: add descriptions for bash and powershell autocompletion by @​gabelluardo in https://redirect.github.com/urfave/cli/pull/2298 (v3.9.0, release notes)
• show flag completions when completing a double-dash prefix by @​morozov in https://redirect.github.com/urfave/cli/pull/2316 (v3.9.0, release notes)
• parse flags for help subcommand (#2271) by @​barry3406 in https://redirect.github.com/urfave/cli/pull/2319 (v3.9.0, release notes)
• show BoolWithInverseFlag aliases in help text by @​wucm667 in https://redirect.github.com/urfave/cli/pull/2321 (v3.9.0, release notes)
• chore(deps): bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in https://redirect.github.com/urfave/cli/pull/2300 (v3.9.0, release notes)
• chore(deps): bump the python-packages group across 1 directory with 3 updates by @​dependabot[bot] in https://redirect.github.com/urfave/cli/pull/2301 (v3.9.0, release notes)
• docs: fix typo by @​acrobatstick in https://redirect.github.com/urfave/cli/pull/2299 (v3.9.0, release notes)
• fix(ci): update docs after bash completion update by @​gabelluardo in https://redirect.github.com/urfave/cli/pull/2307 (v3.9.0, release notes)
• refactor: bash completion script by @​gabelluardo in https://redirect.github.com/urfave/cli/pull/2308 (v3.9.0, release notes)
• drop shebang from bash completion template by @​barry3406 in https://redirect.github.com/urfave/cli/pull/2317 (v3.9.0, release notes)
• @​gabelluardo made their first contribution in https://redirect.github.com/urfave/cli/pull/2298 (v3.9.0, release notes)

References (7)

[1]: go.mod correctly declares github.com/urfave/cli/v3 v3.9.0 as the required version, but go.sum still retains the old v3.8.0 checksum entries, causing a mismatch that go mod tidy detects and removes — triggering the CI failure.

syspkg/go.mod

Line 5 in 456b204

require github.com/urfave/cli/v3 v3.9.0

[2]: Stale github.com/urfave/cli/v3 v3.8.0 h1:... and v3.8.0/go.mod h1:... checksum entries (lines 7–8) are present alongside the correct v3.9.0 entries (lines 9–10). Running go mod tidy removes the stale entries; these changes must be committed to unblock CI.

syspkg/go.sum

Line 7 in 456b204

github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=

[3]: Correct github.com/urfave/cli/v3 v3.9.0 checksums are already present in go.sum, confirming the dependency was resolved properly. Only cleanup of stale v3.8.0 entries is needed.

syspkg/go.sum

Line 9 in 456b204

github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c=

[4]: The sole import of github.com/urfave/cli/v3 is at line 12. All usages — cli.Command, cli.BoolFlag, cmd.Bool(), cmd.Args().Slice(), app.Run() — rely on stable, long-standing public APIs in urfave/cli/v3 that are unaffected by this minor version bump.

syspkg/cmd/syspkg/main.go

Line 12 in 456b204

"github.com/urfave/cli/v3"

[5]: app.Run(context.Background(), os.Args) at line 362 is the entry point for the CLI framework. This call signature is the standard urfave/cli/v3 pattern and is not impacted by this upgrade.

syspkg/cmd/syspkg/main.go

Line 362 in 456b204

err = app.Run(context.Background(), os.Args)

[6]: getOptions() helper at line 370 uses cmd.Bool() for flag retrieval across all commands. This API is stable and unchanged between the two versions.

syspkg/cmd/syspkg/main.go

Line 370 in 456b204

func getOptions(cmd *cli.Command) *manager.Options {

[7]: A typosquat package github.com/utfave/cli (transposed 'r'/'t' in 'urfave') exists and exfiltrates system info via an init() function. The codebase correctly imports github.com/urfave/cli/v3, not the malicious variant — no direct risk, but worth confirming no dependency pulls in the typosquat transitively. (source link)

---

fossabot analyzed this PR using dependency research. View this analysis on the web