chore(deps): bump dependencies (security) #1565

Merged: ehl-jf merged 1 commit into master from fix-sec-20260527115225 on May 27, 2026

@ehl-jf (Contributor) commented May 27, 2026

Summary

Routine security-driven dependency bump. Minor + patch only, no major version bumps.

Also includes a small fix to common/commands/execution_context_test.go for a pre-existing go vet failure (sync.Once was being copied via plain assignment) — caught while validating this bump.

Modules bumped

Direct

  • github.com/gocarina/gocsv: v0.0.0-20240520201108-78e41c74b4b1 → v0.0.0-20260523204920-c264028e67ea
  • github.com/vbauerster/mpb/v8: v8.12.0 → v8.12.1
  • golang.org/x/exp: v0.0.0-20260410095643-746e56fc9e2f → v0.0.0-20260527015227-08cc5374adb3

Indirect

  • github.com/BurntSushi/toml: v1.5.0 → v1.6.0
  • github.com/CycloneDX/cyclonedx-go: v0.9.3 → v0.11.0
  • github.com/ProtonMail/go-crypto: v1.3.0 → v1.4.1
  • github.com/andybalholm/brotli: v1.2.0 → v1.2.1
  • github.com/fsnotify/fsnotify: v1.9.0 → v1.10.1
  • github.com/go-viper/mapstructure/v2: v2.4.0 → v2.5.0
  • github.com/jfrog/archiver/v3: v3.6.1 → v3.6.3
  • github.com/kevinburke/ssh_config: v1.2.0 → v1.6.0
  • github.com/klauspost/compress: v1.18.0 → v1.18.6
  • github.com/mattn/go-colorable: v0.1.13 → v0.1.14
  • github.com/mattn/go-isatty: v0.0.17 → v0.0.22
  • github.com/mattn/go-runewidth: v0.0.20 → v0.0.23
  • github.com/mattn/go-tty: v0.0.3 → v0.0.8
  • github.com/pelletier/go-toml/v2: v2.2.4 → v2.3.1
  • github.com/pierrec/lz4/v4: v4.1.22 → v4.1.26
  • github.com/sagikazarmark/locafero: v0.11.0 → v0.12.0
  • github.com/sergi/go-diff: v1.3.2-0.20230802210424-5b0b94c5c0d3 → v1.4.0
  • github.com/skeema/knownhosts: v1.3.1 → v1.3.2
  • golang.org/x/crypto: v0.50.0 → v0.52.0
  • golang.org/x/net: v0.53.0 → v0.55.0
  • golang.org/x/sys: v0.44.0 → v0.45.0
  • replaced: github.com/nwaples/rardecode v1.1.3 → github.com/nwaples/rardecode/v2 v2.2.3 (transitive import-path change pulled in by jfrog/archiver/v3 upgrade)

Validation

  • go test ./... — passed locally (989 tests, 58 packages)
  • go vet -v ./... — passed locally

Routine security-driven dependency upgrade. Minor + patch only, no major version bumps.

Also fixes a pre-existing `go vet` failure in execution_context_test.go where
sync.Once was being copied via plain assignment (caught while validating the bump).

Validated locally with:
- go test ./...
- go vet -v ./...

@ehl-jf added the labels ignore for release, dependencies, go on May 27, 2026
@ehl-jf merged commit 78f8364 into master on May 27, 2026
34 of 35 checks passed
@ehl-jf deleted the fix-sec-20260527115225 branch on May 27, 2026 10:07
Labels: dependencies, go, ignore for release, safe-to-test