diff --git a/_service b/_service
index f98e6f1..c0fa3cf 100644
--- a/_service
+++ b/_service
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/anchore/syft</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.59.0</param>
+    <param name="revision">v0.60.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>
@@ -16,6 +16,6 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">syft-0.59.0.tar.gz</param>
+    <param name="archive">syft-0.60.3.tar.gz</param>
   </service>
 </services>
diff --git a/_servicedata b/_servicedata
index c46336e..7c17549 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/anchore/syft</param>
-              <param name="changesrevision">41bc6bb410352845f22766e27dd48ba93aa825a4</param></service></servicedata>
\ No newline at end of file
+              <param name="changesrevision">bc9740d50a38e9660f2f98ed91d84c6d8799cf70</param></service></servicedata>
\ No newline at end of file
diff --git a/syft-0.59.0.tar.gz b/syft-0.59.0.tar.gz
deleted file mode 100644
index 9b80081..0000000
--- a/syft-0.59.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:087c53b1c47a0dcc672c95c3142e596196257e66e393b3cb294588b07efb8adc
-size 3834468
diff --git a/syft-0.60.3.tar.gz b/syft-0.60.3.tar.gz
new file mode 100644
index 0000000..969d86b
--- /dev/null
+++ b/syft-0.60.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98b6098157222130a3bb304ad6ea869058d97586daf1e91bafe0b1f1a98e4f3e
+size 3846500
diff --git a/syft.changes b/syft.changes
index 916e0ab..314e5c8 100644
--- a/syft.changes
+++ b/syft.changes
@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.60.3:
+  * javascript cataloger: node binary: nil pointer dereference (#1313)
+  * Fix: Include version information in binary cataloger CPEs (#1310)
+  * fix: only generate PURL on empty string (#1312)
+  * add s3 credentials to release (#1309)
+  * port javascript cataloger to new generic cataloger pattern (#1308)
+
+-------------------------------------------------------------------
+Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.60.2:
+  * chore: update goreleaser brew token (#1306)
+  * fix: Decode binary and unknown metadata (#1307)
+
+-------------------------------------------------------------------
+Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.60.1:
+  * chore: update github token permissions for goreleaser (#1305)
+
+-------------------------------------------------------------------
+Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.60.0:
+  * fix: update ci secret to use new password (#1304)
+  * fix: update secret value to use new cert cahin (#1303)
+  * fix: verbose quill release failures (#1302)
+  * fix: unterminated quoted string (#1300)
+  * fix: update Makefile to remove old signing arch (#1299)
+  * feat: add nodejs-binary package classifier (#1296)
+  * update go-rpmdb to improve parsing of installed files (#1297)
+  * docs: update attestation directions with new cosign changes
+  * fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
+  * Fix #1245 Update SPDX license list to 3.18 (#1259)
+  * fix: Resolve Maven POM expressions (#1251) (#1278)
+  * port haskell cataloger to new generic cataloger pattern (#1290)
+  * port golang cataloger to new generic cataloger pattern (#1289)
+  * port deb/dpkg cataloger to new generic cataloger pattern (#1288)
+  * update cataloger tests to use pkgtest utils (#1287)
+  * port dotnet cataloger to new generic cataloger pattern (#1286)
+  * port dart cataloger to new generic cataloger pattern (#1285)
+  * port conan cataloger to new generic cataloger pattern (#1284)
+  * port apk cataloger to new generic cataloger pattern (#1283)
+  * replace signing tooling with quill (#1280)
+  * Upgrade generic cataloger (#1281)
+  * Update syft bootstrap tools to latest versions. (#1282)
+  * replace logger interface with anchore/go-logger (#1279)
+  * Update syft bootstrap tools to latest versions. (#1267)
+  * Add go binary h1 digest to SPDX (#1265)
+  * fix: move reproduction to top of issue (#1264)
+  * fix: update syftjson ID to match major schema version (#1274)
+  * Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
+  * chore: handle deprecated SPDX license: StandardML-NJ (#1266)
+
 -------------------------------------------------------------------
 Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de
 
diff --git a/syft.spec b/syft.spec
index 3c9ef85..77f721c 100644
--- a/syft.spec
+++ b/syft.spec
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           syft
-Version:        0.59.0
+Version:        0.60.3
 Release:        0
 Summary:        CLI tool and library for generating a Software Bill of Materials
 License:        Apache-2.0
diff --git a/vendor.tar.gz b/vendor.tar.gz
index f77f54e..41072ec 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b1e5ea0c877b34187f2fae624d2711694520972756c0a9271d7b93e13d05cb66
-size 51620629
+oid sha256:db7fd23c3a78c2062661751bdeedbb51e495cacc614111743c0e21952864ecd4
+size 51460921