Skip to content

[action] bump dependabot/fetch-metadata from 3.0.0 to 3.1.0#153

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/dependabot/fetch-metadata-3.1.0
Open

[action] bump dependabot/fetch-metadata from 3.0.0 to 3.1.0#153
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/dependabot/fetch-metadata-3.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps dependabot/fetch-metadata from 3.0.0 to 3.1.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

Commits
  • 25dd0e3 v3.1.0 (#692)
  • e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
  • 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
  • 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
  • 5168191 Updating dist build
  • 23882e1 build(deps): bump @​actions/github in the dependencies group
  • 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
  • 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
  • b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
  • c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 6, 2026
@dependabot dependabot Bot requested a review from rasa as a code owner July 6, 2026 15:03
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

⚠️MegaLinter analysis: Success with warnings

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 1 0 0 0.16s
⚠️ ACTION zizmor 1 0 4 0 0.4s
⚠️ COPYPASTE jscpd yes 6 no 0.5s
✅ EDITORCONFIG editorconfig-checker 1 0 0 0.02s
✅ REPOSITORY betterleaks yes no no 0.86s
✅ REPOSITORY checkov yes no no 18.36s
⚠️ REPOSITORY devskim yes 118 68 12.26s
✅ REPOSITORY dustilock yes no no 0.45s
✅ REPOSITORY gitleaks yes no no 1.43s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 50.85s
✅ REPOSITORY kingfisher yes no no 8.15s
⚠️ REPOSITORY osv-scanner yes 5 no 1.69s
✅ REPOSITORY secretlint yes no no 1.29s
✅ REPOSITORY syft yes no no 1.78s
✅ REPOSITORY trivy yes no no 10.98s
✅ REPOSITORY trivy-sbom yes no no 0.21s
✅ REPOSITORY trufflehog yes no no 4.72s
✅ SPELL cspell 2 0 0 3.94s
✅ SPELL lychee 1 0 0 3.78s
✅ YAML prettier 1 0 0 0 0.5s
✅ YAML v8r 1 0 0 2.72s
✅ YAML yamllint 1 0 0 0.57s

Detailed Issues

⚠️ REPOSITORY / devskim - 118 errors
e12356\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":93,"charLength":22,"snippet":{"text":"http://lame.buanzo.org","rendered":{"text":"http://lame.buanzo.org","markdown":"`http://lame.buanzo.org`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"replacements":[{"deletedRegion":{"charOffset":93,"charLength":22},"insertedContent":{"text":"https://lame.buanzo.org"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":25,"startColumn":16,"endLine":25,"endColumn":38,"charOffset":741,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":741,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":239,"charLength":66,"snippet":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","rendered":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","markdown":"`\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":6,"startColumn":12,"endLine":6,"endColumn":34,"charOffset":162,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":162,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":85,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":85,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"wip/nirsoft-installer.json"},"region":{"startLine":47,"startColumn":12,"endLine":47,"endColumn":78,"charOffset":1281,"charLength":66,"snippet":{"text":"\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"","rendered":{"text":"\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"","markdown":"`\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"wip/si-installer.json"},"region":{"startLine":153,"startColumn":12,"endLine":153,"endColumn":78,"charOffset":4899,"charLength":66,"snippet":{"text":"\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"","rendered":{"text":"\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"","markdown":"`\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".mega-linter.yml"},"region":{"startLine":86,"startColumn":20,"endLine":86,"endColumn":24,"charOffset":2574,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS104456","level":"error","message":{"text":"Use of restricted functions."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":53,"startColumn":38,"endLine":53,"endColumn":55,"charOffset":1763,"charLength":17,"snippet":{"text":"Invoke-Expression","rendered":{"text":"Invoke-Expression","markdown":"`Invoke-Expression`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Implementation.Scripting.PowerShell.DangeousFunction"],"DevSkimSeverity":"Important","DevSkimConfidence":"High"}},{"ruleId":"DS104456","level":"error","message":{"text":"Use of restricted functions."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":51,"startColumn":47,"endLine":51,"endColumn":64,"charOffset":1635,"charLength":17,"snippet":{"text":"Invoke-Expression","rendered":{"text":"Invoke-Expression","markdown":"`Invoke-Expression`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Implementation.Scripting.PowerShell.DangeousFunction"],"DevSkimSeverity":"Important","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":28,"startColumn":36,"endLine":28,"endColumn":40,"charOffset":920,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":27,"startColumn":41,"endLine":27,"endColumn":45,"charOffset":878,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":25,"startColumn":41,"endLine":25,"endColumn":45,"charOffset":794,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":24,"startColumn":41,"endLine":24,"endColumn":45,"charOffset":744,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":22,"startColumn":41,"endLine":22,"endColumn":45,"charOffset":676,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":21,"startColumn":41,"endLine":21,"endColumn":45,"charOffset":629,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 10000 characters out of 155660)
⚠️ COPYPASTE / jscpd - 6 errors
Using config from .github/linters/.jscpd.json
Clone found (powershell)
 - bin/checkhashes.ps1 [38:25 - 43:43] (6 lines, 57 tokens)
   bin/checkver.ps1 [56:17 - 61:43]
Clone found (powershell)
 - bin/checkhashes.ps1 [58:1 - 68:50] (11 lines, 61 tokens)
   bin/checkver.ps1 [72:1 - 82:50]
Clone found (powershell)
 - bin/checkurls.ps1 [28:51 - 36:6] (9 lines, 65 tokens)
   bin/checkver.ps1 [52:96 - 60:6]
Clone found (powershell)
 - bin/checkurls.ps1 [28:51 - 35:46] (8 lines, 63 tokens)
   bin/describe.ps1 [9:29 - 16:46]
Clone found (powershell)
 - bin/describe.ps1 [8:33 - 24:67] (17 lines, 120 tokens)
   bin/formatjson.ps1 [7:34 - 23:67]
Clone found (python)
 - jsonfmt.py [19:1 - 29:31] (11 lines, 50 tokens)
   validate.py [26:1 - 36:31]
┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ini        │ 2              │ 60          │ 136          │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ powershell │ 11             │ 471         │ 3103         │ 5            │ 46 (9.77%)       │ 366 (11.80%)      │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python     │ 9              │ 1927        │ 8304         │ 1            │ 10 (0.52%)       │ 50 (0.60%)        │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ toml       │ 2              │ 75          │ 276          │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ txt        │ 3              │ 275         │ 2699         │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 27             │ 2808        │ 14518        │ 6            │ 56 (1.99%)       │ 416 (2.87%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 6 clones.
HTML report saved to megalinter-reports/copy-paste/jscpd-report.html
ERROR: jscpd found too many duplicates (2.0%) over threshold (0.5%)
time: 75.787ms
⚠️ REPOSITORY / osv-scanner - 5 errors
Scanning dir .
Starting filesystem walk for root: /
Scanned requirements.txt file and found 5 packages
End status: 38 dirs visited, 274 inodes visited, 1 Extract calls, 10.290978ms elapsed, 10.291309ms wall time

Total 1 package affected by 5 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE  | VERSION | FIXED VERSION | SOURCE           |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| https://osv.dev/PYSEC-2018-28       | 7.5  | PyPI      | requests | 2.9.2   | 2.20.0        | requirements.txt |
| https://osv.dev/GHSA-x84v-xcm2-53pg |      |           |          |         |               |                  |
| https://osv.dev/PYSEC-2023-74       | 6.1  | PyPI      | requests | 2.9.2   | 2.31.0        | requirements.txt |
| https://osv.dev/GHSA-j8r2-6x86-q33q |      |           |          |         |               |                  |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3  | PyPI      | requests | 2.9.2   | 2.32.4        | requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6  | PyPI      | requests | 2.9.2   | 2.32.0        | requirements.txt |
| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4  | PyPI      | requests | 2.9.2   | 2.33.0        | requirements.txt |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
⚠️ ACTION / zizmor - 4 errors
INFO zizmor: 🌈 zizmor v1.25.0
 INFO audit: zizmor: 🌈 completed .github/workflows/dependabot.yml
error[template-injection]: code injection via template expansion
  --> .github/workflows/dependabot.yml:39:45
   |
39 |       - run: gh pr merge --auto --merge ${{ github.event.pull_request.html_url }}
   |         --- this run block                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

4 findings (3 suppressed, 1 unsafe fixes): 0 informational, 0 low, 0 medium, 1 high
No fixes available to apply (1 held back by safe mode). Use --fix=unsafe or --fix=all to apply unsafe fixes.

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants