Bump the minor-and-patch group across 1 directory with 4 updates

[dependabot]

Bumps the minor-and-patch group with 4 updates in the / directory: actions/checkout, oxsecurity/megalinter, github/codeql-action and wesley-dean/publish_container.

Updates actions/checkout from 6.0.2 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

Updates oxsecurity/megalinter from 9.4.0 to 9.5.0

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Breaking changes

  • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config.
  • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor.
  • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead.

• Core

  • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed.

• New linters

• Disabled linters

• Re-enabled linters

• Deprecated linters

• Removed linters

  • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes)

• Media

• Linters enhancements

• Fixes

  • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
  • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu.
  • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.

• Reporters

• Flavors

• Doc

  • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats

• mega-linter-runner

• Dev

  • Stop generating per-linter Dockerfiles for linters marked disabled: true in their descriptor. The matching images were already excluded from the build matrix (linters_matrix.json) and never published, so the on-disk linters/<linter>/Dockerfile was dead code. Deleted the 8 corresponding stale Dockerfile directories.

... (truncated)

Commits

• 0e3ce9b Fix release workflows.
• 3e132b1 Release MegaLinter v9.5.0
• cbb7fe9 Doc + prepare 9.5.0 release (#7836)
• 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
• ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
• e04f202 feat: implement user notifications system and replace migration warnings (#7833)
• 54bfad8 chore(deps): update dependency @​stoplight/spectral-cli to v6.16.0 (#7830)
• f809408 Eslint legacy detection & warning (#7831)
• 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
• cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.35.3 to 4.36.1

Release notes

Sourced from github/codeql-action's releases.

v4.36.1

No user facing changes.

v4.36.0

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

... (truncated)

Commits

• 87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed4
• 9431011 Update changelog for v4.36.1
• 2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
• 5245323 Disable missing diff-ranges fallback when overlay enabled manually
• d1eb120 Merge pull request #3933 from github/update-supported-enterprise-server-versions
• 115001b Merge pull request #3934 from github/dependabot/npm_and_yarn/npm-minor-86fb5c...
• cef2e7a Merge pull request #3925 from github/dependabot/github_actions/dot-github/wor...
• 5e6adf7 Merge pull request #3936 from github/dependabot/npm_and_yarn/tmp-0.2.7
• ad170e6 Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...
• 6a37b3a Rebuild
• Additional commits viewable in compare view

Updates wesley-dean/publish_container from 1.0.16 to 1.0.19

Release notes

Sourced from wesley-dean/publish_container's releases.

1.0.19

What's Changed

• build(deps): bump github/codeql-action from 4.35.1 to 4.35.2 in the minor-and-patch group by @​dependabot[bot] in wesley-dean/publish_image#84
• build(deps): bump docker/build-push-action from 6.18.0 to 7.1.0 by @​dependabot[bot] in wesley-dean/publish_image#86
• build(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.1.0 by @​dependabot[bot] in wesley-dean/publish_image#88

Full Changelog: wesley-dean/publish_image@1.0.18...1.0.19

1.0.18

What's Changed

• build(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by @​dependabot[bot] in wesley-dean/publish_image#85

Full Changelog: wesley-dean/publish_image@1.0.17...1.0.18

1.0.17

What's Changed

• Bump the minor-and-patch group across 1 directory with 5 updates by @​dependabot[bot] in wesley-dean/publish_image#83
• Rename publish_container to publish_image by @​wesley-dean in wesley-dean/publish_image#76

Full Changelog: wesley-dean/publish_image@1.0.16...1.0.17

Commits

• 6d4b9c6 Merge pull request #88 from wesley-dean/dependabot/github_actions/dependabot/...
• 856faa9 Merge pull request #86 from wesley-dean/dependabot/github_actions/docker/buil...
• 9aeb362 Merge pull request #84 from wesley-dean/dependabot/github_actions/minor-and-p...
• 6fac9e6 Merge pull request #85 from wesley-dean/dependabot/github_actions/crazy-max/g...
• b5d7fb0 Merge pull request #76 from wesley-dean/rename
• c456226 Merge branch 'main' into rename
• b744269 build(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.1.0
• 697fe10 build(deps): bump docker/build-push-action from 6.18.0 to 7.1.0
• 46e0d92 build(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0
• 88a1b86 build(deps): bump github/codeql-action in the minor-and-patch group
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	3		0	0	0.27s
⚠️ ACTION	zizmor	3	0	1	0	0.34s
✅ DOCKERFILE	hadolint	1		0	0	0.07s
✅ JSON	jsonlint	2		0	0	0.4s
✅ JSON	prettier	2	0	0	0	0.33s
✅ JSON	v8r	2		0	0	2.5s
✅ MARKDOWN	markdownlint	1	0	0	0	0.66s
✅ MARKDOWN	markdown-table-formatter	1	0	0	0	0.26s
✅ PYTHON	bandit	1		0	0	2.6s
✅ PYTHON	black	1	0	0	0	1.6s
✅ PYTHON	flake8	1		0	0	1.1s
✅ PYTHON	isort	1	0	0	0	0.29s
✅ PYTHON	mypy	1		0	0	3.88s
✅ PYTHON	pylint	1		0	0	4.0s
✅ PYTHON	pyright	1		0	0	3.01s
✅ PYTHON	ruff	1	0	0	0	0.03s
✅ REPOSITORY	checkov	yes		no	no	25.87s
✅ REPOSITORY	gitleaks	yes		no	no	0.32s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
⚠️ REPOSITORY	grype	yes		2	1	53.71s
⚠️ REPOSITORY	osv-scanner	yes		3	no	0.88s
✅ REPOSITORY	secretlint	yes		no	no	1.43s
✅ REPOSITORY	syft	yes		no	no	2.08s
⚠️ REPOSITORY	trivy	yes		2	1	12.72s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.18s
✅ REPOSITORY	trufflehog	yes		no	no	3.75s
✅ SPELL	lychee	10		0	0	1.46s
✅ YAML	prettier	6	0	0	0	0.51s
✅ YAML	v8r	6		0	0	8.01s
✅ YAML	yamllint	6		0	0	0.54s

Detailed Issues

⚠️ REPOSITORY / grype - 2 errors

error: A high vulnerability in python package: urllib3, version 2.6.3 was found at: /requirements.txt

error: A high vulnerability in python package: urllib3, version 2.6.3 was found at: /requirements.txt

warning: A medium vulnerability in python package: idna, version 3.11 was found at: /requirements.txt

warning: 1 warnings emitted
error: 2 errors emitted

⚠️ REPOSITORY / osv-scanner - 3 errors

Scanning dir .
Starting filesystem walk for root: /
Scanned requirements.txt file and found 13 packages
End status: 32 dirs visited, 90 inodes visited, 1 Extract calls, 11.015787ms elapsed, 11.015948ms wall time

Total 3 packages affected by 7 known vulnerabilities (0 Critical, 3 High, 3 Medium, 1 Low, 0 Unknown) from 1 ecosystem.
7 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+---------+---------+---------------+------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE           |
+-------------------------------------+------+-----------+---------+---------+---------------+------------------+
| https://osv.dev/GHSA-65pc-fj4g-8rjx | 6.9  | PyPI      | idna    | 3.11    | 3.15          | requirements.txt |
| https://osv.dev/PYSEC-2026-175      | 4.2  | PyPI      | pyjwt   | 2.12.1  | 2.13.0        | requirements.txt |
| https://osv.dev/PYSEC-2026-177      | 3.7  | PyPI      | pyjwt   | 2.12.1  | 2.13.0        | requirements.txt |
| https://osv.dev/PYSEC-2026-178      | 5.3  | PyPI      | pyjwt   | 2.12.1  | 2.13.0        | requirements.txt |
| https://osv.dev/PYSEC-2026-179      | 7.4  | PyPI      | pyjwt   | 2.12.1  | 2.13.0        | requirements.txt |
| https://osv.dev/PYSEC-2026-141      | 8.2  | PyPI      | urllib3 | 2.6.3   | 2.7.0         | requirements.txt |
| https://osv.dev/GHSA-qccp-gfcp-xxvc |      |           |         |         |               |                  |
| https://osv.dev/PYSEC-2026-142      | 8.9  | PyPI      | urllib3 | 2.6.3   | 2.7.0         | requirements.txt |
| https://osv.dev/GHSA-mf9v-mfxr-j63j |      |           |         |         |               |                  |
+-------------------------------------+------+-----------+---------+---------+---------------+------------------+

⚠️ REPOSITORY / trivy - 2 errors

warning: Package: idna
Installed Version: 3.11
Vulnerability CVE-2026-45409
Severity: MEDIUM
Fixed Version: 3.15
Link: [CVE-2026-45409](https://avd.aquasec.com/nvd/cve-2026-45409)
    ┌─ requirements.txt:281:1
    │
281 │ idna==3.11 \
    │ ^
    │
    = Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
    = This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process.
      
      ### Impact
      A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.
      
      ### Patches
      Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).
      
      ### Workarounds
      Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

error: Package: urllib3
Installed Version: 2.6.3
Vulnerability CVE-2026-44431
Severity: HIGH
Fixed Version: 2.7.0
Link: [CVE-2026-44431](https://avd.aquasec.com/nvd/cve-2026-44431)
    ┌─ requirements.txt:336:1
    │
336 │ urllib3==2.6.3 \
    │ ^
    │
    = urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
    = urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

error: Package: urllib3
Installed Version: 2.6.3
Vulnerability CVE-2026-44432
Severity: HIGH
Fixed Version: 2.7.0
Link: [CVE-2026-44432](https://avd.aquasec.com/nvd/cve-2026-44432)
    ┌─ requirements.txt:336:1
    │
336 │ urllib3==2.6.3 \
    │ ^
    │
    = urllib3: urllib3: Denial of Service due to excessive HTTP response decompression
    = urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

warning: 1 warnings emitted
error: 2 errors emitted

⚠️ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'impostor-commit' audit failed on file://.github/workflows/dependabot_automerge.yml

Caused by:
    0: error in 'impostor-commit' audit
    1: couldn't list tags for dependabot/fetch-metadata
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/dependabot/fetch-metadata.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,ACTION_ZIZMOR,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository