chore(deps): update dependabot/fetch-metadata action to v3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
dependabot/fetch-metadata	action	major	v2 → v3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dependabot/fetch-metadata (dependabot/fetch-metadata)

v3.1.0

Compare Source

What's Changed

• Add permissions to all workflows by @​truggeri in #​687
• build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @​dependabot[bot] in #​690
• build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @​dependabot[bot] in #​693
• build(deps-dev): bump @​hono/node-server from 1.19.10 to 1.19.13 by @​dependabot[bot] in #​694
• build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @​dependabot[bot] in #​695
• Dynamically update the tracking tag in action by @​truggeri in #​696
• fix: handle duplicate dependency names in parseMetadataLinks by @​devantler in #​700
• fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @​devantler in #​698
• Updates to README for permissions clarification by @​truggeri in #​697
• fix: resolve update-type null for Python, Composer, and Terraform PRs by @​vitorsdcs in #​704
• build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @​dependabot[bot] in #​703
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in #​701
• build(deps): bump @​actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @​dependabot[bot] in #​702
• build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @​dependabot[bot] in #​705
• v3.1.0 by @​fetch-metadata-action-automation[bot] in #​692

New Contributors

• @​devantler made their first contribution in #​700
• @​vitorsdcs made their first contribution in #​704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

v3

Compare Source

v3.0.0

Compare Source

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

• feat: Parse versions from metadata links by @​ppkarwasz in #​632
• Upgrade actions core and actions github packages by @​truggeri in #​649
• docs: Add notes for using alert-lookup with App Token by @​sue445 in #​656
• feat!: update Node.js version to v24 by @​sturman in #​671
• Switch build tooling from ncc to esbuild by @​truggeri in #​676
• Add --legal-comments=none to esbuild build commands by @​jeffwidman in #​679
• Bump tsconfig target from es2022 to es2024 by @​jeffwidman in #​680
• Remove vestigial outDir from tsconfig.json by @​jeffwidman in #​681
• Switch tsconfig module resolution to bundler by @​jeffwidman in #​682
• Remove skipLibCheck from tsconfig.json by @​jeffwidman in #​683
• Add typecheck step to CI by @​jeffwidman in #​685
• Enable noImplicitAny in tsconfig.json by @​jeffwidman in #​684
• Upgrade @​actions/core to ^3.0.0 by @​truggeri in #​677
• Upgrade @​actions/github to ^9.0.0 and @​octokit/request-error to ^7.1.0 by @​truggeri in #​678
• Bump qs from 6.14.0 to 6.14.1 by @​dependabot[bot] in #​651
• Bump hono from 4.11.1 to 4.11.4 by @​dependabot[bot] in #​652
• Bump hono from 4.11.4 to 4.11.7 by @​dependabot[bot] in #​653
• Bump hono from 4.11.7 to 4.12.0 by @​dependabot[bot] in #​657
• Bump qs from 6.14.1 to 6.14.2 by @​dependabot[bot] in #​655
• Bump @​modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @​dependabot[bot] in #​654
• Bump @​hono/node-server from 1.19.9 to 1.19.10 by @​dependabot[bot] in #​665
• Bump hono from 4.12.2 to 4.12.5 by @​dependabot[bot] in #​664
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in #​667
• Bump hono from 4.12.5 to 4.12.7 by @​dependabot[bot] in #​668
• Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @​dependabot[bot] in #​669
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in #​670
• build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @​dependabot[bot] in #​674

New Contributors

• @​ppkarwasz made their first contribution in #​632
• @​truggeri made their first contribution in #​649
• @​sue445 made their first contribution in #​656
• @​sturman made their first contribution in #​671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

v2.5.0

Compare Source

What's Changed

• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot[bot] in #​628
• Bump the dev-dependencies group with 11 updates by @​dependabot[bot] in #​629
• Bump actions/create-github-app-token from 2.0.6 to 2.1.1 by @​dependabot[bot] in #​635
• Bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @​dependabot[bot] in #​638
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​636
• Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​637
• Bump actions/setup-node from 5 to 6 by @​dependabot[bot] in #​639
• Bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @​dependabot[bot] in #​643
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​642
• Bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @​dependabot[bot] in #​648
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​644
• Bump express from 5.1.0 to 5.2.1 by @​dependabot[bot] in #​645
• Bump @​modelcontextprotocol/sdk from 1.11.2 to 1.24.0 by @​dependabot[bot] in #​647
• v2.5.0 by @​fetch-metadata-action-automation[bot] in #​631

Full Changelog: dependabot/fetch-metadata@v2...v2.5.0

v2.4.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.11.0 to 1.11.3 by @​dependabot in #​598
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​578
• Add missing @octokit/request-error to package.json by @​jeffwidman in #​605
• Bump to ESLint 9 by @​jeffwidman in #​606
• Stop using a node16 devcontainer image by @​jeffwidman in #​608
• Make typescript compile to "es2022" by @​jeffwidman in #​609
• Bump the dev-dependencies group across 1 directory with 8 updates by @​dependabot in #​607
• Tidy up examples slightly by @​jeffwidman in #​611
• Fixup some anchor tags that weren't deeplinking by @​jeffwidman in #​614
• Remove unnecessary hardcoding of ref by @​jeffwidman in #​617
• Bump actions/create-github-app-token from 1.11.3 to 2.0.2 by @​dependabot in #​616
• Enable caching of npm install/npm ci for setup-node action by @​jeffwidman in #​618
• Add workflow to publish new version of immutable action on every release by @​jeffwidman in #​623
• Bump actions/create-github-app-token from 2.0.2 to 2.0.6 by @​dependabot in #​621
• v2.4.0 by @​fetch-metadata-action-automation in #​594

Full Changelog: dependabot/fetch-metadata@v2...v2.4.0

v2.3.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.10.2 to 1.10.3 by @​dependabot in #​537
• Update readme to include an if conditional by @​Nishnha in #​548
• Silence audit and funding messages from npm by @​jeffwidman in #​550
• Bump actions/create-github-app-token from 1.10.3 to 1.11.0 by @​dependabot in #​554
• fix readme action example by @​CloudNStoyan in #​563
• Fixed missing outputs in action.yml by @​CatChen in #​564
• Handle branch names containing dependency group by @​CloudNStoyan in #​565
• v2.3.0 by @​fetch-metadata-action-automation in #​543

New Contributors

• @​CloudNStoyan made their first contribution in #​563
• @​CatChen made their first contribution in #​564

Full Changelog: dependabot/fetch-metadata@v2...v2.3.0

v2.2.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.9.0 to 1.10.0 by @​dependabot in #​523
• Bump actions/create-github-app-token from 1.10.0 to 1.10.2 by @​dependabot in #​534
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in #​532
• v2.2.0 by @​fetch-metadata-action-automation in #​520

Full Changelog: dependabot/fetch-metadata@v2...v2.2.0

v2.1.0

Compare Source

What's Changed

• Relax engine-strict=true by @​jeffwidman in #​510
• Handle branch names containing hyphen separators by @​tspencer244 in #​450
• Switch to monthly release cadence by @​jeffwidman in #​509
• v2.1.0 by @​fetch-metadata-action-automation in #​518

New Contributors

• @​tspencer244 made their first contribution in #​450

Full Changelog: dependabot/fetch-metadata@v2.0.0...v2.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

KICS version: v2.1.20

Category Results CRITICAL 0 HIGH 0 MEDIUM 4 LOW 0 INFO 0 TRACE 0 TOTAL 4	Metric Values Files scanned 7 Files parsed 7 Files failed to scan 0 Total executed queries 73 Queries failed to execute 0 Execution time 1

Queries Results

Query Name Query Id Severity Platform Cwe Risk Score Category Experimental Description File Name Line Issue Type Search Key Expected Value Actual Value Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 94 MissingAttribute FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}} Package 'binutils' has version defined Package 'binutils' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 46 MissingAttribute FROM={{base AS dev}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/*}} Package 'build-essential' has version defined Package 'build-essential' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 36 MissingAttribute FROM={{debian:stable-slim@sha256:e51bfcd2226c480a5416730e0fa2c40df28b0da5ff562fc465202feeef2f1116 AS base}}.RUN={{apt-get update && apt-get upgrade --yes && apt-get install --yes --no-install-recommends curl && rm -rf /var/lib/apt/lists/*}} Package 'curl' has version defined Package 'curl' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 94 MissingAttribute FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}} Package 'patchelf' has version defined Package 'patchelf' does not have version defined

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	1		0	0	0.03s
✅ COPYPASTE	jscpd	yes		no	no	1.38s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.01s
✅ REPOSITORY	checkov	yes		no	no	22.54s
✅ REPOSITORY	gitleaks	yes		no	no	2.48s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
⚠️ REPOSITORY	grype	yes		no	2	44.03s
✅ REPOSITORY	secretlint	yes		no	no	1.52s
✅ REPOSITORY	semgrep	yes		no	no	24.39s
✅ REPOSITORY	syft	yes		no	no	3.06s
✅ REPOSITORY	trivy	yes		no	no	12.96s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.16s
✅ REPOSITORY	trufflehog	yes		no	no	4.4s
✅ SPELL	lychee	1		0	0	0.1s
✅ YAML	prettier	1	0	0	0	0.43s
✅ YAML	v8r	1		0	0	2.74s
✅ YAML	yamllint	1		0	0	0.41s

Detailed Issues

⚠️ REPOSITORY / grype - 2 warnings

warning: A medium vulnerability in python package: python-multipart, version 0.0.24 was found at: /uv.lock

warning: A medium vulnerability in python package: pytest, version 9.0.2 was found at: /uv.lock

warning: 2 warnings emitted

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository