[action] bump dependabot/fetch-metadata from 3.0.0 to 3.1.0#153
Open
dependabot[bot] wants to merge 1 commit into
Open
[action] bump dependabot/fetch-metadata from 3.0.0 to 3.1.0#153dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@v3.0.0...v3.1.0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
✅
|
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 1 | 0 | 0 | 0.16s | |
| zizmor | 1 | 0 | 4 | 0 | 0.4s | |
| jscpd | yes | 6 | no | 0.5s | ||
| ✅ EDITORCONFIG | editorconfig-checker | 1 | 0 | 0 | 0.02s | |
| ✅ REPOSITORY | betterleaks | yes | no | no | 0.86s | |
| ✅ REPOSITORY | checkov | yes | no | no | 18.36s | |
| devskim | yes | 118 | 68 | 12.26s | ||
| ✅ REPOSITORY | dustilock | yes | no | no | 0.45s | |
| ✅ REPOSITORY | gitleaks | yes | no | no | 1.43s | |
| ✅ REPOSITORY | git_diff | yes | no | no | 0.01s | |
| ✅ REPOSITORY | grype | yes | no | no | 50.85s | |
| ✅ REPOSITORY | kingfisher | yes | no | no | 8.15s | |
| osv-scanner | yes | 5 | no | 1.69s | ||
| ✅ REPOSITORY | secretlint | yes | no | no | 1.29s | |
| ✅ REPOSITORY | syft | yes | no | no | 1.78s | |
| ✅ REPOSITORY | trivy | yes | no | no | 10.98s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | no | 0.21s | |
| ✅ REPOSITORY | trufflehog | yes | no | no | 4.72s | |
| ✅ SPELL | cspell | 2 | 0 | 0 | 3.94s | |
| ✅ SPELL | lychee | 1 | 0 | 0 | 3.78s | |
| ✅ YAML | prettier | 1 | 0 | 0 | 0 | 0.5s |
| ✅ YAML | v8r | 1 | 0 | 0 | 2.72s | |
| ✅ YAML | yamllint | 1 | 0 | 0 | 0.57s |
Detailed Issues
⚠️ REPOSITORY / devskim - 118 errors
e12356\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":93,"charLength":22,"snippet":{"text":"http://lame.buanzo.org","rendered":{"text":"http://lame.buanzo.org","markdown":"`http://lame.buanzo.org`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"replacements":[{"deletedRegion":{"charOffset":93,"charLength":22},"insertedContent":{"text":"https://lame.buanzo.org"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":25,"startColumn":16,"endLine":25,"endColumn":38,"charOffset":741,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":741,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":239,"charLength":66,"snippet":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","rendered":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","markdown":"`\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":6,"startColumn":12,"endLine":6,"endColumn":34,"charOffset":162,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":162,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":85,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":85,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"wip/nirsoft-installer.json"},"region":{"startLine":47,"startColumn":12,"endLine":47,"endColumn":78,"charOffset":1281,"charLength":66,"snippet":{"text":"\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"","rendered":{"text":"\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"","markdown":"`\"30ca07147d18fd9365313e0be771eb80f223df2be54855a18af6acb2be586ad5\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"wip/si-installer.json"},"region":{"startLine":153,"startColumn":12,"endLine":153,"endColumn":78,"charOffset":4899,"charLength":66,"snippet":{"text":"\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"","rendered":{"text":"\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"","markdown":"`\"839a47cdd7d3aeb78bc8c9a820f014c6556b6e360544dc476e9a1dd58fbf66fb\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".mega-linter.yml"},"region":{"startLine":86,"startColumn":20,"endLine":86,"endColumn":24,"charOffset":2574,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS104456","level":"error","message":{"text":"Use of restricted functions."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":53,"startColumn":38,"endLine":53,"endColumn":55,"charOffset":1763,"charLength":17,"snippet":{"text":"Invoke-Expression","rendered":{"text":"Invoke-Expression","markdown":"`Invoke-Expression`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Implementation.Scripting.PowerShell.DangeousFunction"],"DevSkimSeverity":"Important","DevSkimConfidence":"High"}},{"ruleId":"DS104456","level":"error","message":{"text":"Use of restricted functions."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":51,"startColumn":47,"endLine":51,"endColumn":64,"charOffset":1635,"charLength":17,"snippet":{"text":"Invoke-Expression","rendered":{"text":"Invoke-Expression","markdown":"`Invoke-Expression`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Implementation.Scripting.PowerShell.DangeousFunction"],"DevSkimSeverity":"Important","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":28,"startColumn":36,"endLine":28,"endColumn":40,"charOffset":920,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":27,"startColumn":41,"endLine":27,"endColumn":45,"charOffset":878,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":25,"startColumn":41,"endLine":25,"endColumn":45,"charOffset":794,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":24,"startColumn":41,"endLine":24,"endColumn":45,"charOffset":744,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":22,"startColumn":41,"endLine":22,"endColumn":45,"charOffset":676,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bin/checkurls.ps1"},"region":{"startLine":21,"startColumn":41,"endLine":21,"endColumn":45,"charOffset":629,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"powershell"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}],"columnKind":"utf16CodeUnits"}]}
(Truncated to last 10000 characters out of 155660)
⚠️ COPYPASTE / jscpd - 6 errors
Using config from .github/linters/.jscpd.json
Clone found (powershell)
- bin/checkhashes.ps1 [38:25 - 43:43] (6 lines, 57 tokens)
bin/checkver.ps1 [56:17 - 61:43]
Clone found (powershell)
- bin/checkhashes.ps1 [58:1 - 68:50] (11 lines, 61 tokens)
bin/checkver.ps1 [72:1 - 82:50]
Clone found (powershell)
- bin/checkurls.ps1 [28:51 - 36:6] (9 lines, 65 tokens)
bin/checkver.ps1 [52:96 - 60:6]
Clone found (powershell)
- bin/checkurls.ps1 [28:51 - 35:46] (8 lines, 63 tokens)
bin/describe.ps1 [9:29 - 16:46]
Clone found (powershell)
- bin/describe.ps1 [8:33 - 24:67] (17 lines, 120 tokens)
bin/formatjson.ps1 [7:34 - 23:67]
Clone found (python)
- jsonfmt.py [19:1 - 29:31] (11 lines, 50 tokens)
validate.py [26:1 - 36:31]
┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ini │ 2 │ 60 │ 136 │ 0 │ 0 (0.00%) │ 0 (0.00%) │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ powershell │ 11 │ 471 │ 3103 │ 5 │ 46 (9.77%) │ 366 (11.80%) │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python │ 9 │ 1927 │ 8304 │ 1 │ 10 (0.52%) │ 50 (0.60%) │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ toml │ 2 │ 75 │ 276 │ 0 │ 0 (0.00%) │ 0 (0.00%) │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ txt │ 3 │ 275 │ 2699 │ 0 │ 0 (0.00%) │ 0 (0.00%) │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total: │ 27 │ 2808 │ 14518 │ 6 │ 56 (1.99%) │ 416 (2.87%) │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 6 clones.
HTML report saved to megalinter-reports/copy-paste/jscpd-report.html
ERROR: jscpd found too many duplicates (2.0%) over threshold (0.5%)
time: 75.787ms
⚠️ REPOSITORY / osv-scanner - 5 errors
Scanning dir .
Starting filesystem walk for root: /
Scanned requirements.txt file and found 5 packages
End status: 38 dirs visited, 274 inodes visited, 1 Extract calls, 10.290978ms elapsed, 10.291309ms wall time
Total 1 package affected by 5 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5 vulnerabilities can be fixed.
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| https://osv.dev/PYSEC-2018-28 | 7.5 | PyPI | requests | 2.9.2 | 2.20.0 | requirements.txt |
| https://osv.dev/GHSA-x84v-xcm2-53pg | | | | | | |
| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.9.2 | 2.31.0 | requirements.txt |
| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.9.2 | 2.32.4 | requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.9.2 | 2.32.0 | requirements.txt |
| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.9.2 | 2.33.0 | requirements.txt |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
⚠️ ACTION / zizmor - 4 errors
INFO zizmor: 🌈 zizmor v1.25.0
INFO audit: zizmor: 🌈 completed .github/workflows/dependabot.yml
error[template-injection]: code injection via template expansion
--> .github/workflows/dependabot.yml:39:45
|
39 | - run: gh pr merge --auto --merge ${{ github.event.pull_request.html_url }}
| --- this run block ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection
4 findings (3 suppressed, 1 unsafe fixes): 0 informational, 0 low, 0 medium, 1 high
No fixes available to apply (1 held back by safe mode). Use --fix=unsafe or --fix=all to apply unsafe fixes.
Notices
📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)
See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps dependabot/fetch-metadata from 3.0.0 to 3.1.0.
Release notes
Sourced from dependabot/fetch-metadata's releases.
Commits
25dd0e3v3.1.0 (#692)e073f50Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.140670e16build(deps-dev): bump hono from 4.12.12 to 4.12.147a7fe10Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...5168191Updating dist build23882e1build(deps): bump@actions/githubin the dependencies group1072469Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...43f8a00build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1b4d904aMerge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0c8046bbbuild(deps-dev): bump globals from 17.4.0 to 17.5.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)