Skip to content

Bump the minor-updates group across 1 directory with 2 updates#470

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/minor-updates-b92c0e93a3
Closed

Bump the minor-updates group across 1 directory with 2 updates#470
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/minor-updates-b92c0e93a3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-updates group with 2 updates in the / directory: OWASP/cve-lite-cli and github/codeql-action/upload-sarif.

Updates OWASP/cve-lite-cli from 1.25.0 to 1.26.0

Release notes

Sourced from OWASP/cve-lite-cli's releases.

v1.26.0 - GitHub Action fix mode and Dependabot alternative

Added

  • GitHub Action: fix: true and create-pr: true inputs enable scheduled security fix PRs - a direct Dependabot alternative for npm/pnpm/yarn/bun repos. A single batched PR is opened (or updated in place) with advisory IDs, before/after finding counts, and OSV-validated fix versions
  • GitHub Action: base-branch, labels, and token inputs for the fix PR workflow
  • Override hygiene hint shown when overrides/resolutions/patchedDependencies are detected but --check-overrides was not passed - single tip line at end of terminal output, suppressed in --json/--sarif/--cdx/--ratchet modes

Fixed

  • --fix exit code suppressed when fix mode is active so remaining transitive findings do not block the Action PR creation step
  • bun.lockb added to DEPENDENCY_FILES_TO_STAGE in create-pr.ts
  • cve-lite-fix-result.json added to .gitignore
  • Circular ESM import between override-findings-terminal.ts and formatters.ts causing 35 test failures
  • ReversingLabs logo on homepage press bar: red square had no fill, LABS text had wrong fill color, REVERSING text was black on dark background
  • HTML override report: severity group rows now carry the severity CSS class; location cell shows file > jsonPath separator; fix commands render with inline block and copy button
  • e2e test fixture fragility when new CVEs appear in the live OSV DB
  • pnpm dual-document lockfile (bootstrap + project sections) fails to parse
  • Exact-pinned transitive dependency misclassified as within-range refresh
  • JSON parse errors in local-db.ts now caught and handled gracefully

Performance

  • Compact JSON serialization in advisory cache reduces file size and I/O overhead
  • Parallelized validateDirectFixTargets with runWithConcurrency and promise-based packument cache deduplication
  • publishedAt included in fix version resolutions to eliminate redundant registry call
  • Parsed version tuples cached in compareVersions to avoid redundant string splits
  • Cache timestamp hoisted before write loop; three findings.filter() passes collapsed into a single counted loop
  • Inline base64 logo constants in HTML reporter replaced with runtime PNG loader and module-level Map cache

Changed

  • Override hygiene terminal output: verbose mode uses cyan header without separators; compact mode wraps section in separator lines
  • .npmrc added with allow-git=none to block git-sourced dependencies
  • Third-party GitHub Actions pinned to immutable commit SHA digests across all workflows
  • GitHub Action: --report flag exposed as input with --no-open applied automatically in CI context

Docs

  • GitHub Action inputs reference page covering all inputs grouped by purpose
  • 5 new case studies: Cline, CopilotKit, Dyad, Builder.io, Mitosis
  • Usage-aware triage sections added to Analog, NestJS, and Juice Shop case studies
  • Override hygiene auditing documentation with per-rule pages and real-world fixtures
  • The Register coverage added to press page, README, and homepage bar
  • Comparison page expanded with DependencyCheck and dep-scan sections
  • Override hygiene docs updated to use --check-overrides flag throughout

Validation

  • npm test
  • npm run build
Changelog

Sourced from OWASP/cve-lite-cli's changelog.

Changelog

All notable changes to CVE Lite CLI will be documented in this file.

[1.26.0] - 2026-07-04

Added

  • GitHub Action: fix: true and create-pr: true inputs enable scheduled security fix PRs - a direct Dependabot alternative for npm/pnpm/yarn/bun repos. A single batched PR is opened (or updated in place) with advisory IDs, before/after finding counts, and OSV-validated fix versions (#790)
  • GitHub Action: base-branch, labels, and token inputs for the fix PR workflow (#790)
  • Override hygiene hint shown when overrides/resolutions/patchedDependencies are detected but --check-overrides was not passed - single tip line at end of terminal output, suppressed in --json/--sarif/--cdx/--ratchet modes (#759)

Fixed

  • --fix exit code suppressed when fix mode is active so remaining transitive findings do not block the Action PR creation step (#790)
  • bun.lockb added to DEPENDENCY_FILES_TO_STAGE in create-pr.ts (was staged in the Action shell but missing from the CLI --create-pr path) (#790)
  • cve-lite-fix-result.json added to .gitignore (#790)
  • Circular ESM import between override-findings-terminal.ts and formatters.ts causing 35 test failures - extracted formatSeverityLabel and SEVERITY_ORDER to src/utils/severity.ts (#757)
  • ReversingLabs logo on homepage press bar: red square had no fill, LABS text had wrong fill color, REVERSING text was black (invisible on dark background) (#778)
  • HTML override report: severity group rows now carry the severity CSS class for border-color styling; location cell shows file > jsonPath separator; fix commands render with inline block and copy button (#757)
  • e2e test fixture fragility: "clean" project fixtures fail when new CVEs appear in the live OSV DB (#726)
  • pnpm dual-document lockfile (bootstrap + project sections) fails to parse - add YAML multi-doc support with project section selector (#743)
  • Exact-pinned transitive dependency misclassified as within-range refresh - add regression fixture and shared registry-mock test helper (#661)
  • JSON parse errors in local-db.ts now caught and handled gracefully (#775)

Performance

  • Use compact JSON serialization in advisory cache to reduce file size and I/O overhead (#736)
  • Parallelize validateDirectFixTargets with runWithConcurrency and add promise-based packument cache deduplication (#738)
  • Include publishedAt in fix version resolutions to eliminate redundant resolveVersionPublishDate call (#741)
  • Cache parsed version tuples in compareVersions to avoid redundant string splits (#739)
  • Hoist new Date().toISOString() before cache-write loop and collapse three separate findings.filter() passes into a single counted loop (#780)
  • Replace inline base64 logo constants in HTML reporter with runtime PNG loader using fs.readFileSync and a module-level Map cache (#783)

Changed

  • Override hygiene terminal output: verbose mode uses cyan header without separators; compact mode wraps section in separator lines; override count and package manager surfaced in quick-take, status line, and compact header (#757)
  • Add .npmrc with allow-git=none to block git-sourced dependencies (#745)
  • Pin all third-party GitHub Actions to immutable commit SHA digests across CI, CodeQL, docs-site, release, and self-scan workflows (#705)
  • GitHub Action: --report flag exposed as input; --no-open applied automatically in CI context (#787)

Docs

  • Add GitHub Action inputs reference page covering all inputs grouped by purpose (#789)
  • Add Cline case study: Bun lockfile, direct findings with copy-run fix commands (#656)
  • Add CopilotKit case study: npm lockfile, direct findings with copy-run fix commands (#657)
  • Add Dyad case study: Yarn Berry lockfile example and verified baseline (#658)
  • Add Builder.io case study: Yarn Berry + Nx monorepo, 5,655 packages, 2 direct fixes (#660)
  • Add Mitosis case study: Yarn Berry 4.1.1 + Nx monorepo, 6 measured passes 153 to 124 findings (#659)
  • Add usage-aware triage sections to Analog, NestJS, and Juice Shop case studies (#744)
  • Add override hygiene auditing documentation with per-rule pages and real-world fixtures (#728)
  • Add The Register coverage to press page, README, and homepage bar (#747)
  • Expand comparison page with DependencyCheck and dep-scan sections (#295)
  • Fix override hygiene docs and README to use --check-overrides flag throughout (#764)

... (truncated)

Commits
  • 99b7b0d release: v1.26.0 (#795)
  • 01a8644 feat: GitHub Action fix mode with scheduled PR workflow (Dependabot alternati...
  • 2445c67 refactor(output): replace inline base64 logos with runtime PNG loader (#783)
  • 099fe87 docs: add GitHub Action inputs reference page (#789)
  • 0a151f0 feat: expose --report flag in GitHub Action with --no-open applied automatica...
  • 510cee8 Fix: Handle JSON parse errors in local-db.ts gracefully (#781)
  • 87ba4f0 security(ci): pin third-party GitHub Actions to commit SHAs (#705)
  • e647998 feat: add no-fix-available regression fixture (#528) (#772)
  • def8950 perf: hoist cache timestamp and consolidate relationship filter passes in sca...
  • 2c2805c fix: restore reversinglabs logo brand colors on homepage press bar (#779)
  • Additional commits viewable in compare view

Updates github/codeql-action/upload-sarif from 4.36.2 to 4.36.3

Release notes

Sourced from github/codeql-action/upload-sarif's releases.

v4.36.3

No user facing changes.

Changelog

Sourced from github/codeql-action/upload-sarif's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.20.6 and earlier. These versions of CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise Server 3.16, and will be unsupported by the next minor release of the CodeQL Action. #3956

4.37.0 - 08 Jul 2026

  • Update default CodeQL bundle version to 2.26.0. #3995
  • In addition to the existing input format, the config-file input for the codeql-action/init step will soon support a new [owner/]repo[@ref][:path] format. All components except the repository name are optional. If omitted, owner defaults to the same owner as the repository the analysis is running for, ref to main, and path to .github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973

4.36.3 - 01 Jul 2026

No user facing changes.

4.36.2 - 04 Jun 2026

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852

... (truncated)

Commits
  • 54f647b Merge pull request #3984 from github/update-v4.36.3-1f34ec164
  • e78819e Trigger checks
  • 2c9d3d6 Update changelog for v4.36.3
  • 1f34ec1 Merge pull request #3983 from github/mbg/repo-props/ff-for-config-file-prop
  • d5f0145 Log when repository property has a value but is ignored
  • f27f563 Add test for when the FF is off
  • 0025d0f Use FF
  • f7fa18f Add FF for config file repo property
  • 628fc3f Merge pull request #3979 from github/henrymercer/overlay-db-cleanup-size-tele...
  • 9cfb67b Add clarifying comments
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-updates group with 2 updates in the / directory: [OWASP/cve-lite-cli](https://github.com/owasp/cve-lite-cli) and [github/codeql-action/upload-sarif](https://github.com/github/codeql-action).


Updates `OWASP/cve-lite-cli` from 1.25.0 to 1.26.0
- [Release notes](https://github.com/owasp/cve-lite-cli/releases)
- [Changelog](https://github.com/OWASP/cve-lite-cli/blob/main/CHANGELOG.md)
- [Commits](OWASP/cve-lite-cli@2eed959...99b7b0d)

Updates `github/codeql-action/upload-sarif` from 4.36.2 to 4.36.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@8aad20d...54f647b)

---
updated-dependencies:
- dependency-name: OWASP/cve-lite-cli
  dependency-version: 1.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 10, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 13, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/minor-updates-b92c0e93a3 branch July 13, 2026 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants