fix: [DGP-1765] bump go-application-framework to pull in asset inventory link from Test API

[bsalomon-snyk]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages
  are release-note ready, emphasizing
  what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

Bump go-application-framework to pull in asset inventory link from Test API.

** This PR points to a GAF branch so we'll update it to main once merged. **

author: @bsantaus-snyk

Where should the reviewer start?

Unit tests are the GAF

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

Risk assessment (Low | Medium | High)?

Low

Any background context you want to provide?

This is for Open Source stateful tests

What are the relevant tickets?

https://snyksec.atlassian.net/browse/DGP-1765

Screenshots (if appropriate)

N/A

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

	Warnings
⚠️	"[fix: DGP-1765 bump go-application-framework to pull in asset inventory link from Test API](https://api.github.com/repos/snyk/cli/git/commits/c0dd657d602b6cc17d1ebeda3b52777247e31e51)" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against c0dd657

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Broad Blast Radius 🟡 [minor] Bumping go-application-framework (GAF) from v0.5.0 to v0.6.1 is a significant update for a core dependency that manages configuration, networking, and authentication (see AGENTS.md). While the risk assessment is 'Low', any regression in GAF's networking middleware or configuration loading will impact all CLI workflows across all platforms. github.com/snyk/go-application-framework v0.6.1-0.20260623172939-f1727cc36bcd

📚 Repository Context Analyzed This review considered 13 relevant code sections from 7 files (average relevance: 0.86) scripts/upgrade-snyk-go-dependencies.go (lines 1-149) package-lock.json (7 segments, lines 19727-19949) release-scripts/release.json (lines 1-42) CONTRIBUTING.md (lines 231-413) package.json (lines 1-229) release-scripts/write-ls-protocol-version.go (lines 1-298) cliv2/scripts/prepare_licenses.go (lines 1-189)

🤖 Repository instructions applied (from AGENTS.md)