dependabot[bot] opened a new pull request, #16193: URL: https://github.com/apache/lucene/pull/16193
Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.24.1 to 1.25.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/releases";>zizmor's releases</a>.</em></p> <blockquote> <h2>v1.25.2</h2> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes";>🔗</a></h2> <ul> <li>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#unpinned-tools";>unpinned-tools</a> audit would incorrectly flag the <a href="https://github.com/aquasecurity/trivy-action";>aquasecurity/trivy-action</a> action as installing an unpinned tool version, rather than <a href="https://github.com/aquasecurity/setup-trivy";>aquasecurity/setup-trivy</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018";>#2018</a>)</li> </ul> <h2>v1.25.1</h2> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes";>🔗</a></h2> <ul> <li> <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#cache-poisoning";>cache-poisoning</a> audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2004";>#2004</a>)</p> </li> <li> <p>Fixed a typo when suggesting --fix flags for findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010";>#2010</a>)</p> <p>Many thanks to <a href="https://github.com/0xdea";><code>@0xdea</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a typo in <a href="https://docs.zizmor.sh/audits/#unpinned-tools";>unpinned-tools</a> annotations (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008";>#2008</a>)</p> <p>Many thanks to <a href="https://github.com/martincostello";><code>@martincostello</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#github-app";>github-app</a> audit would incorrectly flag some safe uses of <a href="https://github.com/actions/create-github-app-token";>actions/create-github-app-token</a> as unsafe (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011";>#2011</a>)</p> </li> </ul> <h2>v1.25.0</h2> <h2>New Features 🌈<a href="https://docs.zizmor.sh/release-notes/#new-features";>🔗</a></h2> <ul> <li> <p>zizmor's finding severities can now be remapped on a per-audit basis. See <a href="https://docs.zizmor.sh/configuration/#rules-id-remap";>the configuration</a> for details (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1913";>#1913</a>)</p> <p>Many thanks to <a href="https://github.com/Proximyst";><code>@Proximyst</code></a> for proposing and implementing this improvement!</p> </li> <li> <p>New audit: <a href="https://docs.zizmor.sh/audits/#github-app";>github-app</a> detects dangerous usages of GitHub App installation tokens (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1926";>#1926</a>)</p> </li> <li> <p>New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1820";>#1820</a>)</p> </li> <li> <p>zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1935";>#1935</a>)</p> </li> <li> <p>zizmor's LSP now honors the --persona flag on the CLI (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1943";>#1943</a>)</p> </li> <li> <p>zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1965";>#1965</a>)</p> </li> </ul> <h2>Enhancements<a href="https://docs.zizmor.sh/release-notes/#enhancements";>🔗</a></h2> <ul> <li> <p>Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for <a href="https://github.com/actions-ecosystem/action-add-labels";>actions-ecosystem/action-add-labels</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions";>superfluous-actions</a></p> </li> <li> <p>Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for <a href="https://github.com/actions-ecosystem/action-remove-labels";>actions-ecosystem/action-remove-labels</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions";>superfluous-actions</a></p> </li> <li> <p>Recommend jq as a replacement for <a href="https://github.com/sergeysova/jq-action";>sergeysova/jq-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions";>superfluous-actions</a></p> </li> <li> <p>Recommend git add, git commit, and git push as a replacement for <a href="https://github.com/stefanzweifel/git-auto-commit-action";>stefanzweifel/git-auto-commit-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions";>superfluous-actions</a></p> </li> <li> <p>Recommend git add, git commit, and git push as a replacement for <a href="https://github.com/EndBug/add-and-commit";>EndBug/add-and-commit</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions";>superfluous-actions</a></p> </li> <li> <p><a href="https://github.com/tibdex/github-app-token";>tibdex/github-app-token</a> is now recognized as an archived action by <a href="https://docs.zizmor.sh/audits/#archived-uses";>archived-uses</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1910";>#1910</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md";>zizmor's changelog</a>.</em></p> <blockquote> <h2>1.25.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>Fixed a bug where the [unpinned-tools] audit would incorrectly flag the <code>@aquasecurity/trivy-action</code> action as installing an unpinned tool version, rather than <code>@aquasecurity/setup-trivy</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018";>#2018</a>)</li> </ul> <h2>1.25.1</h2> <h3>Bug Fixes 🐛</h3> <ul> <li> <p>Fixed a bug where the [cache-poisoning] audit would fail to consider <code>release</code> events as exempt from cache usage findings when filtered by a tag condition (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2004";>#2004</a>)</p> </li> <li> <p>Fixed a typo when suggesting <code>--fix</code> flags for findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010";>#2010</a>)</p> <p>Many thanks to <a href="https://github.com/0xdea";><code>@0xdea</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a typo in [unpinned-tools] annotations (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008";>#2008</a>)</p> <p>Many thanks to <a href="https://github.com/martincostello";><code>@martincostello</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of <code>@actions/create-github-app-token</code> as unsafe (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011";>#2011</a>)</p> </li> </ul> <h2>1.25.0</h2> <h3>New Features 🌈</h3> <ul> <li> <p>zizmor's finding severities can now be remapped on a per-audit basis. See <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/configuration.md#rules-id-remap";>the configuration</a> for details (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1913";>#1913</a>)</p> <p>Many thanks to <a href="https://github.com/Proximyst";><code>@Proximyst</code></a> for proposing and implementing this improvement!</p> </li> <li> <p><strong>New audit</strong>: [github-app] detects dangerous usages of GitHub App installation tokens (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1926";>#1926</a>)</p> </li> <li> <p><strong>New audit</strong>: [unpinned-tools] detects actions that install tools without pinning to a specific version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1820";>#1820</a>)</p> </li> <li> <p><code>zizmor</code> now accepts the <code>--no-ignores</code> flag to disable all ignore comments and configurations when reporting findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1935";>#1935</a>)</p> </li> <li> <p><code>zizmor</code>'s LSP now honors the <code>--persona</code> flag on the CLI (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1943";>#1943</a>)</p> </li> <li> <p><code>zizmor</code> is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1965";>#1965</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zizmorcore/zizmor/commit/b50d8f60e27e0084aa3a5f5dff46054a8253ac2a";><code>b50d8f6</code></a> zizmor 1.25.2 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2022";>#2022</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/e8c96481b76ee03dc3e72cc744ad77cfc62cc238";><code>e8c9648</code></a> Bump rustls-webpki to 0.103.13 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2021";>#2021</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/9e19bdedaa4af986b47d7f3ffdadcdd7b226c8a6";><code>9e19bde</code></a> Bump aws-lc crates (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2020";>#2020</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/49cb189191c75a18d73a92ae47985424cc0acd3e";><code>49cb189</code></a> Bump rand to 0.9.4 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2019";>#2019</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/bfdb64993cecb911e385622b989a44431fc2d13f";><code>bfdb649</code></a> unpinned-tools: fix trivy action being detected (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018";>#2018</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/9300d3b5a7f06a3d77f092d01434dab99399f3e5";><code>9300d3b</code></a> ww/release (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2016";>#2016</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/331917af1e4f7c6aed23ddd41477c2042d8a857d";><code>331917a</code></a> chore: drop <code>serde_yaml</code> rename (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2015";>#2015</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/506f0856dec8a5c863a4dce695a83491187c543d";><code>506f085</code></a> github-app: test <code>repositories</code>, not <code>repository</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011";>#2011</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/53dea374e8a01f8df00f9d1acd7dbdfb1838acd8";><code>53dea37</code></a> unpinned-tools, docs: fix typos (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008";>#2008</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/8068e115f99b6b84611a8865a8cad0858bd5e07c";><code>8068e11</code></a> fix: replace <code>--fix=unsafe</code> with <code>--fix=unsafe-only</code> in suggestion (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010";>#2010</a>)</li> <li>Additional commits viewable in <a href="https://github.com/zizmorcore/zizmor/compare/v1.24.1...v1.25.2";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
