Skip to content

chore(deps): update oxsecurity/megalinter action to v9 #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update oxsecurity/megalinter action to v9 #122

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 20, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
oxsecurity/megalinter action major v8 -> v9

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9

Compare Source

  • New linters

  • Linters enhancements

    • Python Linting: Added more file type supports for various linters. Full description here

  • Doc

    • Add OLLAMA_BASE_URL is MegaLinter config Json schema

  • Flavors

    • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

  • CI

    • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

  • Linter versions upgrades (22)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 20, 2025
edited
Loading

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
⚠️ ACTION actionlint 5 2 0 0.07s
✅ COPYPASTE jscpd yes no no 1.88s
✅ JAVASCRIPT eslint 10 0 0 1.42s
✅ JSON jsonlint 7 0 0 0.17s
✅ JSON npm-package-json-lint yes no no 0.46s
⚠️ JSON prettier 7 1 0 0.46s
✅ JSON v8r 7 0 0 11.3s
⚠️ MARKDOWN markdownlint 5 5 0 0.72s
⚠️ MARKDOWN markdown-table-formatter 5 1 0 0.24s
✅ REPOSITORY gitleaks yes no no 0.58s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 29.6s
✅ REPOSITORY secretlint yes no no 1.08s
✅ REPOSITORY syft yes no no 1.57s
❌ REPOSITORY trivy yes 1 no 7.35s
✅ REPOSITORY trivy-sbom yes no no 0.91s
✅ REPOSITORY trufflehog yes no no 4.05s
✅ SPELL cspell 39 0 0 3.82s
❌ SPELL lychee 24 2 0 0.72s
⚠️ YAML prettier 10 1 4 0.56s
✅ YAML v8r 10 0 0 6.39s
✅ YAML yamllint 10 0 0 0.42s

Detailed Issues

❌ SPELL / lychee - 2 errors 
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://npmjs.org/package/java-caller | Network error: Forbidden
📝 Summary
---------------------
🔍 Total...........73
✅ Successful......22
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded........49
❓ Unknown..........0
🚫 Errors...........2

Errors in README.md
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://npmjs.org/package/java-caller | Network error: Forbidden
❌ REPOSITORY / trivy - 1 error 
2025-09-20T13:28:52Z	INFO	[vulndb] Need to update DB
2025-09-20T13:28:52Z	INFO	[vulndb] Downloading vulnerability DB...
2025-09-20T13:28:52Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
14.08 MiB / 71.28 MiB [------------>________________________________________________] 19.75% ? p/s ?47.12 MiB / 71.28 MiB [---------------------------------------->____________________] 66.10% ? p/s ?71.28 MiB / 71.28 MiB [----------------------------------------------------------->] 100.00% ? p/s ?71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 95.30 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 95.30 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 95.30 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 89.15 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 89.15 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 89.15 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 83.40 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 83.40 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 83.40 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 78.02 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 78.02 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 78.02 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 72.99 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 72.99 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 72.99 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 68.28 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [---------------------------------------------->] 100.00% 68.28 MiB p/s ETA 0s71.28 MiB / 71.28 MiB [-------------------------------------------------] 100.00% 18.44 MiB p/s 4.1s2025-09-20T13:28:56Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-09-20T13:28:56Z	INFO	[vuln] Vulnerability scanning is enabled
2025-09-20T13:28:56Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-20T13:28:56Z	INFO	[misconfig] Need to update the checks bundle
2025-09-20T13:28:56Z	INFO	[misconfig] Downloading the checks bundle...
165.20 KiB / 165.20 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-09-20T13:28:59Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2025-09-20T13:28:59Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-09-20T13:28:59Z	INFO	Number of language-specific files	num=1
2025-09-20T13:28:59Z	INFO	[npm] Detecting vulnerabilities...
2025-09-20T13:28:59Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │        1        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.66/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability │ Severity │ Status │ Installed Version │        Fixed Version        │                         Title                          │
├─────────────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2025-5889 │ LOW      │ fixed  │ 2.0.1             │ 2.0.2, 1.1.12, 3.0.1, 4.0.1 │ brace-expansion: juliangruber brace-expansion index.js │
│                 │               │          │        │                   │                             │ expand redos                                           │
│                 │               │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-5889              │
└─────────────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴────────────────────────────────────────────────────────┘
⚠️ ACTION / actionlint - 2 errors 
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
⚠️ MARKDOWN / markdown-table-formatter - 1 error 
1 files contain markdown tables to format:
- README.md
⚠️ MARKDOWN / markdownlint - 5 errors 
CODE_OF_CONDUCT.md:58:44 MD034/no-bare-urls Bare URL used [Context: "nicolas.vuillamy@gmail.com"]
CODE_OF_CONDUCT.md:71:14 MD034/no-bare-urls Bare URL used [Context: "https://www.contributor-covena..."]
CODE_OF_CONDUCT.md:76:1 MD034/no-bare-urls Bare URL used [Context: "https://www.contributor-covena..."]
README.md:69:362 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe]
README.md:75:315 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe]
⚠️ JSON / prettier - 1 error 
Checking formatting...
[warn] .cspell.json
[warn] .vscode/launch.json
[warn] examples/cli_app/lib/java-caller-config.json
[warn] examples/cli_app/package.json
[warn] examples/module_app/package.json
[warn] renovate.json
[warn] Code style issues found in 6 files. Run Prettier with --write to fix.
⚠️ YAML / prettier - 1 error 
Checking formatting...
[warn] .github/workflows/deploy-beta.yml
[warn] .github/workflows/deploy-release.yml
[warn] .github/workflows/test.yml
[warn] Code style issues found in 3 files. Run Prettier with --write to fix.

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.0.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,JAVASCRIPT_ES,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security

@codecov-commenter
Copy link

codecov-commenter commented Sep 20, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.95%. Comparing base (bafed7d) to head (ef7282c).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #122   +/-   ##
=======================================
  Coverage   89.95%   89.95%           
=======================================
  Files           3        3           
  Lines         229      229           
=======================================
  Hits          206      206           
  Misses         23       23
Flag Coverage Δ
unittests 89.95% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@codecov-commenter