Bump github.com/jedib0t/go-pretty/v6 from 6.7.9 to 6.8.1

[dependabot]

Bumps github.com/jedib0t/go-pretty/v6 from 6.7.9 to 6.8.1.

Release notes

Sourced from github.com/jedib0t/go-pretty/v6's releases.

v6.8.1

What's Changed

A hardening pass across the table, list, progress, and text packages, fixing security issues, crash/race bugs, and performance problems in the render hot paths, with benchmarks added to back the optimizations.

Security

• table/list (HTML): escape the title, caption, and CSS class names in RenderHTML() to prevent HTML/attribute injection.
• table (CSV): make RenderCSV() output RFC 4180 compliant, and add an opt-in Style().CSV.FieldProtection option that neutralizes spreadsheet formula-injection fields (=, +, -, @, tab, CR).
• text: sanitize hyperlink URLs and bound the escape-sequence parser buffer so adversarial input can't grow it without limit.

Correctness

• progress: fix a render panic on tiny tracker lengths, data races on tracker/indicator state, and a leaked time.Ticker in the terminal-size watcher.
• table: guard auto-index rendering against empty maxColumnLengths.
• text: prevent a panic in VAlign.Apply on negative maxLines.

Performance

• table: compile regex filters once per render; pre-size render builders.
• list: hoist repeated width math out of the render loops.
• text: speed up Align.Apply and StringWidthWithoutEscSequences.
• progress: build PacManChomp frames with a strings.Builder.

Tooling

• Moved root-level benchmarks into their packages and wired up make bench; added benchmarks for the table/text/list/progress render hot paths and tests covering the retained-done-tracker render paths.

Full Changelog: jedib0t/go-pretty@v6.8.0...v6.8.1

v6.8.0

What's Changed

• progress: fix speed decay on done trackers and log overwrite; fixes #405 by @​jedib0t in jedib0t/go-pretty#406
• fix: wrap wide runes when wrapLen is odd in WrapHard by @​koriyoshi2041 in jedib0t/go-pretty#408

New Contributors

• @​koriyoshi2041 made their first contribution in jedib0t/go-pretty#408

Full Changelog: jedib0t/go-pretty@v6.7.10...v6.8.0

v6.7.10

What's Changed

• Fix panic on text align with unicode by @​edznux-dd in jedib0t/go-pretty#404

... (truncated)

Commits

• 22c68f6 fix panics, races, and injection vectors; speed up render hot paths (#409)
• 45fb00d text: wrap wide runes when wrapLen is odd in WrapHard (#408)
• ad17549 progress: fix speed decay on done trackers and log overwrite; fixes #405 (#406)
• 66563fd text: fix panic on align with unicode (#404)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mendral-app]

Supply Chain Security Review

⚠️ Review recommended — 1 finding in 1 file

⚠️ github.com/jedib0t/go-pretty/v6 v6.8.1 — version published <2 hours ago, not yet indexed by deps.dev

This version was released on GitHub at 2026-06-11T02:37:39Z — well within the 72-hour detection-latency window for supply-chain attacks. deps.dev returns 404 for this version (not yet indexed).

Mitigating factors:

• Well-established package (~1.4k stars) with regular release cadence (v6.7.9 → v6.7.10 → v6.8.0 → v6.8.1)
• No known vulnerabilities (OSV clean)
• Raised by Dependabot (automated)
• OpenSSF Scorecard: 5.7/10

Recommendation: Wait 48–72 hours before merging so that the version is indexed by deps.dev and has passed through the community's early-detection window. Alternatively, pin to v6.8.0 (released June 3) which has had a week to bake.

_{Tag @mendral-app with feedback or questions. View session}

[mendral-app]

maintainability (P3): Version v6.8.1 was published <2 hours ago and is not yet indexed by deps.dev. Consider waiting 48-72h before merging, or pinning to v6.8.0 (released 2026-06-03) which has had more bake time.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At go.mod, line 18:

<issue>
Version v6.8.1 was published <2 hours ago and is not yet indexed by deps.dev. Consider waiting 48-72h before merging, or pinning to v6.8.0 (released 2026-06-03) which has had more bake time.
</issue>