
Bump oxsecurity/megalinter from a151007c426d6bc89bfde35a7bd3cd64cf373493 to 76b516d4a55064d1b0ae4dac7e9d894a1ee18413 #446

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/oxsecurity/megalinter-76b516d4a55064d1b0ae4dac7e9d894a1ee18413

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps oxsecurity/megalinter from a151007c426d6bc89bfde35a7bd3cd64cf373493 to 76b516d4a55064d1b0ae4dac7e9d894a1ee18413.

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

  • Breaking changes

    • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config.
    • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor.
    • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead.
  • Core

    • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed.
    • Skipped-linters summary now explains why a linter was skipped by an activation rule, including the variable to set to activate it (e.g. MARKDOWN_RUMDL: MARKDOWN_DEFAULT_STYLE=markdownlint (set MARKDOWN_DEFAULT_STYLE=rumdl to activate)), fixing #8017.
  • New linters

  • Disabled linters

  • Re-enabled linters

  • Deprecated linters

  • Removed linters

    • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes)
  • Media

  • Linters enhancements

    • REPOSITORY_CHECKOV: in pull-request mode, scan only the files modified in the PR instead of the whole repository (#7119)
  • Fixes

    • REPOSITORY_OSV_SCANNER: exit code 128 ("No package sources found") is now treated as a clean pass instead of a failure — osv-scanner returns this code when the repo contains no lockfiles/manifests/SBOMs, which is not a vulnerability finding (#7917).
    • Fix intermittent ansible-lint load-failure[not-found] error on github_conf/branch_protection_rules.json caused by a race condition with checkov running in parallel. Checkov's transient GitHub-conf directory is now written to a hidden path (.megalinter_github_conf) that project-mode linters skip, eliminating the conflict (#8092).
    • Complete the Alpine 3.24 upgrade across the whole image and fix how alpine version is detected.
    • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
    • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu.
    • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.
    • Fix make bootstrap appearing to hang because exported Make color variables re-evaluated tput during recursive make invocations.
    • Allow MegaLinter containers to run in an opt-in non-root mode matching the host UID:GID on POSIX systems, avoiding root-owned generated files on the host (#1975).
    • Restore missing examples in the Dart descriptor that were dropped from the generated documentation (#7913).
  • Reporters

  • Flavors

... (truncated)

Commits
  • 76b516d [automation] Auto-update linters version, help and documentation (#8185)
  • 6166957 chore(deps): update dependency @eslint-react/eslint-plugin to v5.9.1 (#8183)
  • 2a973bd chore(deps): update dependency langsmith to v0.9.0 (#8184)
  • 391ecfa chore(deps): update dependency rubocop-rails to v2.35.5 (#8180)
  • 5aa99c1 chore(deps): update dependency mongodb/kingfisher to v1.104.0 (#8181)
  • def2113 Update changelog (#8179)
  • 71bb721 [automation] Auto-update linters version, help and documentation (#8176)
  • 4d2818a fix: Treat osv-scanner exit code 128 as success when no package sources found...
  • 93af979 feat: add pnpm doc for JavaScript and TypeScript linters (#8177)
  • 72d42f7 fix: Explain why linters are skipped by activation rules (#8017) (#8174)
  • Additional commits viewable in compare view


Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from a151007c426d6bc89bfde35a7bd3cd64cf373493 to 76b516d4a55064d1b0ae4dac7e9d894a1ee18413.
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@a151007...76b516d)

---
updated-dependencies:
- dependency-name: oxsecurity/megalinter
  dependency-version: 76b516d4a55064d1b0ae4dac7e9d894a1ee18413
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 22, 2026
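
The changelog entry for DOTNET_ROSLYNATOR above describes moving from a shell string to an argv list. The following is an added illustration of that difference, not MegaLinter's code and not part of the original thread; `echo` stands in for `dotnet restore` so it runs offline, and the function names and the sample file name are constructed for the example.

```python
import shlex
import subprocess

# Constructed sample: a project file name carrying a shell metacharacter.
# On POSIX file systems ';' and spaces are legal in file names.
CRAFTED_NAME = "app.csproj; echo INJECTED"

# Stand-in for `dotnet restore` (assumption): echo prints the arguments it gets,
# which makes it visible how many commands ran and what each one received.
TOOL = ["echo", "restore"]


def restore_shell_string(project_file: str) -> list[str]:
    """'Before' pattern: file name interpolated into a shell command string."""
    cmd = " ".join(TOOL) + " " + project_file
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def restore_argv(project_file: str) -> list[str]:
    """'After' pattern: argv list, no shell; the name is one opaque argument."""
    out = subprocess.run(TOOL + [project_file], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def restore_quoted(project_file: str) -> list[str]:
    """Fallback when a shell is unavoidable: quote every untrusted token."""
    cmd = " ".join(TOOL) + " " + shlex.quote(project_file)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Two output lines from the shell string means two commands were executed.
    print("shell string:", restore_shell_string(CRAFTED_NAME))
    print("argv list:   ", restore_argv(CRAFTED_NAME))
    print("shlex.quote: ", restore_quoted(CRAFTED_NAME))
```

An argv list removes shell interpretation but not option parsing: a file name beginning with `-` can still be read as a flag, so pass a `--` separator where the tool supports one or prefix relative names with `./`.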
github-actions Bot commented Jun 22, 2026


MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ❌ COPYPASTE | jscpd | yes | | 3 | no | 2.08s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 1.18s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.02s |
| ✅ REPOSITORY | grype | yes | | no | no | 47.25s |
| ❌ REPOSITORY | osv-scanner | yes | | 1 | no | 0.51s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.06s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.75s |
| ✅ REPOSITORY | trivy | yes | | no | no | 11.74s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.21s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 5.45s |

Detailed Issues

❌ COPYPASTE / jscpd - 3 errors
Clone found (cpp):
 - WinMTRNet-Getters.cpp [20:1 - 33:7] (13 lines, 70 tokens)
   WinMTRNet-Tracing.cpp [20:1 - 33:2]

Clone found (cpp):
 - WinMTRDialog-display.cpp [1:1 - 33:30] (32 lines, 66 tokens)
   WinMTRDialog-exporter.cpp [1:1 - 33:57]

Clone found (cpp):
 - WinMTRDialog-StateMachine.cpp [46:1 - 58:5] (12 lines, 75 tokens)
   WinMTRNet-Tracing.cpp [40:1 - 50:7]

┌──────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format   │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ c-header │ 6              │ 353         │ 1173         │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ cpp      │ 10             │ 2087        │ 14697        │ 3            │ 57 (2.73%)       │ 211 (1.44%)       │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown │ 1              │ 35          │ 114          │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:   │ 17             │ 2475        │ 15984        │ 3            │ 57 (2.3%)        │ 211 (1.32%)       │
└──────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 3 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (2.3%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (2.3%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5
❌ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
End status: 33 dirs visited, 127 inodes visited, 0 Extract calls, 4.137006ms elapsed, 4.137227ms wall time
No package sources found, --help for usage information.

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

