[action] bump dependabot/fetch-metadata from 2.4.0 to 3.0.0 by dependabot[bot] · Pull Request #146 · rasa/scoops

dependabot · 2026-03-27T15:04:01Z

Bumps dependabot/fetch-metadata from 2.4.0 to 3.0.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.0.0

What's Changed

feat: Parse versions from metadata links by @ppkarwasz in dependabot/fetch-metadata#632

Upgrade actions core and actions github packages by @truggeri in dependabot/fetch-metadata#649

docs: Add notes for using alert-lookup with App Token by @sue445 in dependabot/fetch-metadata#656

feat!: update Node.js version to v24 by @sturman in dependabot/fetch-metadata#671

Switch build tooling from ncc to esbuild by @truggeri in dependabot/fetch-metadata#676

Add --legal-comments=none to esbuild build commands by @jeffwidman in dependabot/fetch-metadata#679

Bump tsconfig target from es2022 to es2024 by @jeffwidman in dependabot/fetch-metadata#680

Remove vestigial outDir from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#681

Switch tsconfig module resolution to bundler by @jeffwidman in dependabot/fetch-metadata#682

Remove skipLibCheck from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#683

Add typecheck step to CI by @jeffwidman in dependabot/fetch-metadata#685

Enable noImplicitAny in tsconfig.json by @jeffwidman in dependabot/fetch-metadata#684

Upgrade @actions/core to ^3.0.0 by @truggeri in dependabot/fetch-metadata#677

Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 by @truggeri in dependabot/fetch-metadata#678

Bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in dependabot/fetch-metadata#651

Bump hono from 4.11.1 to 4.11.4 by @dependabot[bot] in dependabot/fetch-metadata#652

Bump hono from 4.11.4 to 4.11.7 by @dependabot[bot] in dependabot/fetch-metadata#653

Bump hono from 4.11.7 to 4.12.0 by @dependabot[bot] in dependabot/fetch-metadata#657

Bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in dependabot/fetch-metadata#655

Bump @modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @dependabot[bot] in dependabot/fetch-metadata#654

Bump @hono/node-server from 1.19.9 to 1.19.10 by @dependabot[bot] in dependabot/fetch-metadata#665

Bump hono from 4.12.2 to 4.12.5 by @dependabot[bot] in dependabot/fetch-metadata#664

Bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in dependabot/fetch-metadata#667

Bump hono from 4.12.5 to 4.12.7 by @dependabot[bot] in dependabot/fetch-metadata#668

Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @dependabot[bot] in dependabot/fetch-metadata#669

Bump flatted from 3.3.3 to 3.4.2 by @dependabot[bot] in dependabot/fetch-metadata#670

build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @dependabot[bot] in dependabot/fetch-metadata#674

New Contributors

@ppkarwasz made their first contribution in dependabot/fetch-metadata#632

@truggeri made their first contribution in dependabot/fetch-metadata#649

@sue445 made their first contribution in dependabot/fetch-metadata#656

@sturman made their first contribution in dependabot/fetch-metadata#671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

v2.5.0

What's Changed

Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by @dependabot[bot] in dependabot/fetch-metadata#628

Bump the dev-dependencies group with 11 updates by @dependabot[bot] in dependabot/fetch-metadata#629

Bump actions/create-github-app-token from 2.0.6 to 2.1.1 by @dependabot[bot] in dependabot/fetch-metadata#635

Bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in dependabot/fetch-metadata#638

Bump actions/checkout from 4 to 5 by @dependabot[bot] in dependabot/fetch-metadata#636

Bump actions/setup-node from 4 to 5 by @dependabot[bot] in dependabot/fetch-metadata#637

Bump actions/setup-node from 5 to 6 by @dependabot[bot] in dependabot/fetch-metadata#639

Bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @dependabot[bot] in dependabot/fetch-metadata#643

Bump actions/checkout from 5 to 6 by @dependabot[bot] in dependabot/fetch-metadata#642

Bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @dependabot[bot] in dependabot/fetch-metadata#648

... (truncated)

Commits

ffa630c v3.0.0 (#686)
ec8fff2 Merge pull request #674 from dependabot/dependabot/npm_and_yarn/picomatch-2.3.2
caf48bd build(deps-dev): bump picomatch from 2.3.1 to 2.3.2
13d8274 Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 (#678)
b603099 Upgrade @actions/core from ^1.11.1 to ^3.0.0 (#677)
c5dc5b1 Enable noImplicitAny in tsconfig.json (#684)
a183f3c Add typecheck step to CI (#685)
5e17564 Remove skipLibCheck from tsconfig.json (#683)
bb56eeb Switch tsconfig module resolution to bundler (#682)
3632e3d Remove vestigial outDir from tsconfig.json (#681)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 2.4.0 to 3.0.0. - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@v2.4.0...v3.0.0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-03-27T15:07:49Z

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	1		0	0	0.04s
⚠️ COPYPASTE	jscpd	yes		2	no	2.09s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.01s
✅ REPOSITORY	checkov	yes		no	no	25.39s
⚠️ REPOSITORY	devskim	yes		118	68	18.64s
✅ REPOSITORY	dustilock	yes		no	no	0.88s
✅ REPOSITORY	gitleaks	yes		no	no	2.32s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	51.12s
⚠️ REPOSITORY	kics	yes		20	no	30.83s
✅ REPOSITORY	kingfisher	yes		no	no	4.5s
✅ REPOSITORY	secretlint	yes		no	no	1.72s
✅ REPOSITORY	syft	yes		no	no	2.19s
✅ REPOSITORY	trivy	yes		no	no	14.32s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.3s
✅ REPOSITORY	trufflehog	yes		no	no	5.81s
✅ SPELL	cspell	2		0	0	2.99s
✅ SPELL	lychee	1		0	0	0.6s
✅ YAML	prettier	1	0	0	0	0.48s
✅ YAML	v8r	1		0	0	2.97s
✅ YAML	yamllint	1		0	0	0.56s

Detailed Issues

⚠️ REPOSITORY / devskim - 118 errors

kimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/mklnk.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":238,"charLength":66,"snippet":{"text":"\"3526a7b87190366aa667bba66e7a45cf753597c9a77940228dfb030879a6eaab\"","rendered":{"text":"\"3526a7b87190366aa667bba66e7a45cf753597c9a77940228dfb030879a6eaab\"","markdown":"`\"3526a7b87190366aa667bba66e7a45cf753597c9a77940228dfb030879a6eaab\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/stc.json"},"region":{"startLine":14,"startColumn":20,"endLine":14,"endColumn":86,"charOffset":559,"charLength":66,"snippet":{"text":"\"bf7d793d055ade91aac94ff7602837697230588e823954c2c7633232865cce05\"","rendered":{"text":"\"bf7d793d055ade91aac94ff7602837697230588e823954c2c7633232865cce05\"","markdown":"`\"bf7d793d055ade91aac94ff7602837697230588e823954c2c7633232865cce05\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/stc.json"},"region":{"startLine":10,"startColumn":20,"endLine":10,"endColumn":86,"charOffset":335,"charLength":66,"snippet":{"text":"\"6fcaceca3df465d155fe656fb137a0340e4067894ac53b21a7e5110b6b41562e\"","rendered":{"text":"\"6fcaceca3df465d155fe656fb137a0340e4067894ac53b21a7e5110b6b41562e\"","markdown":"`\"6fcaceca3df465d155fe656fb137a0340e4067894ac53b21a7e5110b6b41562e\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/display-changer.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":280,"charLength":66,"snippet":{"text":"\"58206498b126839e681a3fb85a4ce073e070233b3e6842727bf0cb2b6234e54e\"","rendered":{"text":"\"58206498b126839e681a3fb85a4ce073e070233b3e6842727bf0cb2b6234e54e\"","markdown":"`\"58206498b126839e681a3fb85a4ce073e070233b3e6842727bf0cb2b6234e54e\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/vvv.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":356,"charLength":66,"snippet":{"text":"\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"","rendered":{"text":"\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"","markdown":"`\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/outwit.json"},"region":{"startLine":10,"startColumn":12,"endLine":10,"endColumn":78,"charOffset":368,"charLength":66,"snippet":{"text":"\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"","rendered":{"text":"\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"","markdown":"`\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":25,"startColumn":16,"endLine":25,"endColumn":38,"charOffset":741,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":741,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":239,"charLength":66,"snippet":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","rendered":{"text":"\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"","markdown":"`\"d045e45f523a6c0c7a2a8e06831f4b2d705fb84f4995791b5a70b28424a49d2b\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":6,"startColumn":12,"endLine":6,"endColumn":34,"charOffset":162,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":162,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/api-monitor.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":85,"charLength":22,"snippet":{"text":"http://www.rohitab.com","rendered":{"text":"http://www.rohitab.com","markdown":"`http://www.rohitab.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/api-monitor.json"},"replacements":[{"deletedRegion":{"charOffset":85,"charLength":22},"insertedContent":{"text":"https://www.rohitab.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/exetype.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":267,"charLength":66,"snippet":{"text":"\"ed08a70b96daa4cfa9521b94f260009e8183264b290b237c25ed0ebd68dcdfa8\"","rendered":{"text":"\"ed08a70b96daa4cfa9521b94f260009e8183264b290b237c25ed0ebd68dcdfa8\"","markdown":"`\"ed08a70b96daa4cfa9521b94f260009e8183264b290b237c25ed0ebd68dcdfa8\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diffpdf.json"},"region":{"startLine":14,"startColumn":16,"endLine":14,"endColumn":39,"charOffset":564,"charLength":23,"snippet":{"text":"http://soft.rubypdf.com","rendered":{"text":"http://soft.rubypdf.com","markdown":"`http://soft.rubypdf.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/diffpdf.json"},"replacements":[{"deletedRegion":{"charOffset":564,"charLength":23},"insertedContent":{"text":"https://soft.rubypdf.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diffpdf.json"},"region":{"startLine":10,"startColumn":16,"endLine":10,"endColumn":39,"charOffset":406,"charLength":23,"snippet":{"text":"http://soft.rubypdf.com","rendered":{"text":"http://soft.rubypdf.com","markdown":"`http://soft.rubypdf.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/diffpdf.json"},"replacements":[{"deletedRegion":{"charOffset":406,"charLength":23},"insertedContent":{"text":"https://soft.rubypdf.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diffpdf.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":275,"charLength":66,"snippet":{"text":"\"b698b9c3c3c0582c2b5ea474d4df0c5f864b649774e857fdc423b4949ef79b6d\"","rendered":{"text":"\"b698b9c3c3c0582c2b5ea474d4df0c5f864b649774e857fdc423b4949ef79b6d\"","markdown":"`\"b698b9c3c3c0582c2b5ea474d4df0c5f864b649774e857fdc423b4949ef79b6d\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diffpdf.json"},"region":{"startLine":6,"startColumn":12,"endLine":6,"endColumn":35,"charOffset":178,"charLength":23,"snippet":{"text":"http://soft.rubypdf.com","rendered":{"text":"http://soft.rubypdf.com","markdown":"`http://soft.rubypdf.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/diffpdf.json"},"replacements":[{"deletedRegion":{"charOffset":178,"charLength":23},"insertedContent":{"text":"https://soft.rubypdf.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diffpdf.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":40,"charOffset":90,"charLength":23,"snippet":{"text":"http://soft.rubypdf.com","rendered":{"text":"http://soft.rubypdf.com","markdown":"`http://soft.rubypdf.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/diffpdf.json"},"replacements":[{"deletedRegion":{"charOffset":90,"charLength":23},"insertedContent":{"text":"https://soft.rubypdf.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/diskspd.json"},"region":{"startLine":15,"startColumn":12,"endLine":15,"endColumn":78,"charOffset":430,"charLength":66,"snippet":{"text":"\"4cc4ff00e76b8f476cf183fc1e4ef2a45fdad563bdd11879607ba5ad52dab6ec\"","rendered":{"text":"\"4cc4ff00e76b8f476cf183fc1e4ef2a45fdad563bdd11879607ba5ad52dab6ec\"","markdown":"`\"4cc4ff00e76b8f476cf183fc1e4ef2a45fdad563bdd11879607ba5ad52dab6ec\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/res-set.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":299,"charLength":66,"snippet":{"text":"\"5fff2f32683a8801935350c7f527faab444c47add9fc6b3cc9a48e0f1a7e42e9\"","rendered":{"text":"\"5fff2f32683a8801935350c7f527faab444c47add9fc6b3cc9a48e0f1a7e42e9\"","markdown":"`\"5fff2f32683a8801935350c7f527faab444c47add9fc6b3cc9a48e0f1a7e42e9\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 13333 characters out of 155173)

⚠️ COPYPASTE / jscpd - 2 errors

Clone found (powershell):
 - bin/describe.ps1 [11:1 - 24:36] (13 lines, 122 tokens)
   bin/formatjson.ps1 [10:1 - 23:38]

Clone found (powershell):
 - bin/checkhashes.ps1 [58:1 - 68:2] (10 lines, 114 tokens)
   bin/checkver.ps1 [72:1 - 82:2]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ powershell │ 12             │ 467         │ 2681         │ 2            │ 23 (4.93%)       │ 236 (8.8%)        │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ bash       │ 2              │ 9           │ 25           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python     │ 9              │ 1918        │ 15335        │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ini        │ 2              │ 58          │ 220          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown   │ 5              │ 65          │ 900          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 30             │ 2517        │ 19161        │ 2            │ 23 (0.91%)       │ 236 (1.23%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 2 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (0.91%) over threshold (0.5%)
Error: ERROR: jscpd found too many duplicates (0.91%) over threshold (0.5%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

⚠️ REPOSITORY / kics - 20 errors

MLLLLLM             MLLLLLLLLL   LLLLLLL             KLLLLLLLLLLLLLLLL       LLLLLLLLLLLLLLLLLLLLLLL 
   MMMMMMM           MMMMMMMMMML    MMMMMMMK       LMMMMMMMMMMMMMMMMMMMML   KLMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.19





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 20
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/issue_comment.yml:12

		011:     - name: Pull Request Validation
		012:       uses: Ash258/Scoop-GithubActions@stable
		013:       if: startsWith(github.event.comment.body, '/verify')


	[2]: .github/workflows/issue.yml:12

		011:       - name: Verify Issue
		012:         uses: Ash258/Scoop-GithubActions@stable
		013:         if: github.event.action == 'opened' || (github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'verify'))


	[3]: .github/workflows/update-readme.yml:27

		026: 
		027:     - uses: EndBug/add-and-commit@v9
		028:       with:


	[4]: .github/workflows/mega-linter.yml:119

		118:         # More info at https://megalinter.io/flavors/
		119:         uses: oxsecurity/megalinter@v9 # changed from v7 by @rasa
		120: 


	[5]: .github/workflows/clean-logs.yml:157

		156:         if: github.event_name != 'schedule'
		157:         uses: rasa/delete-workflow-runs@main
		158:         # was Mattraks/delete-workflow-runs@main


	[6]: .github/workflows/excavator.yml:14

		013:     - name: Excavate
		014:       uses: ScoopInstaller/GithubActions@main
		015:       env:


	[7]: .github/workflows/codeql.yml:58

		057:       # Perform CodeQL Analysis
		058:       - uses: github/codeql-action/analyze@v4
		059: 


	[8]: .github/workflows/debug-rasa.yml:61

		060: 
		061:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		062: 


	[9]: .github/workflows/codeql.yml:44

		043:       # If this step fails, then you should remove it and run the build manually (see below).
		044:       - uses: github/codeql-action/autobuild@v4
		045: 


	[10]: .github/workflows/codeql.yml:37

		036:       # Initializes the CodeQL tools for scanning.
		037:       - uses: github/codeql-action/init@v4
		038:         # Override language selection by uncommenting this and choosing your languages


	[11]: .github/workflows/mega-linter.yml:234

		233:       - name: Commit and push applied linter fixes
		234:         uses: stefanzweifel/git-auto-commit-action@v7.1.0 # changed from v4 by @rasa
		235:         if: env.APPLY_FIXES_IF_COMMIT == 'true'


	[12]: .github/workflows/pull_request.yml:12

		011:     - name: Pull Request Validation
		012:       uses: Ash258/Scoop-GithubActions@stable
		013:       env:


	[13]: .github/workflows/dependabot.yml:36

		035:     steps:
		036:       - uses: dependabot/fetch-metadata@v3.0.0
		037:         id: dependabot-metadata


	[14]: .github/workflows/clean-logs.yml:145

		144:         if: github.event_name == 'schedule'
		145:         uses: rasa/delete-workflow-runs@main
		146:         # was Mattraks/delete-workflow-runs@main


	[15]: .github/workflows/black.yml:51

		050:       if: steps.black.outputs.changes == 'true'
		051:       uses: ad-m/github-push-action@master
		052:       with:


	[16]: .github/workflows/mega-linter.yml:212

		211:       - name: Create Pull Request with applied fixes
		212:         uses: peter-evans/create-pull-request@v8.1.0 # changed from v5 by @rasa
		213:         id: cpr


	[17]: .github/workflows/debug-matrix.yml:106

		105:         continue-on-error: true
		106:         uses: MinoruSekine/setup-scoop@main
		107:         with:


	[18]: .github/workflows/debug-matrix.yml:77

		076:     steps:
		077:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		078: 


	[19]: .github/workflows/toc.yml:57

		056: 
		057:       - uses: stefanzweifel/git-auto-commit-action@v7.1.0
		058:         with:


	[20]: .github/workflows/clean-logs.yml:141

		140:       #   uses: rasa/ghaction-dump-context@master
		141:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		142: 



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 20
INFO: 0
TOTAL: 20

A new version 'v2.1.20' of KICS is available, please consider updating

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 27, 2026

dependabot bot requested a review from rasa as a code owner March 27, 2026 15:04

dependabot bot mentioned this pull request Mar 27, 2026

[action] bump dependabot/fetch-metadata from 2.4.0 to 2.5.0 #138

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[action] bump dependabot/fetch-metadata from 2.4.0 to 3.0.0#146

[action] bump dependabot/fetch-metadata from 2.4.0 to 3.0.0#146
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/github_actions/dependabot/fetch-metadata-3.0.0

dependabot bot commented on behalf of github Mar 27, 2026

Uh oh!

github-actions bot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 27, 2026

v3.0.0

What's Changed

New Contributors

v2.5.0

What's Changed

Uh oh!

github-actions bot commented Mar 27, 2026

✅⚠️MegaLinter analysis: Success with warnings

Detailed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants