chore(deps): update all non-major dependencies#223

Merged
chgl merged 3 commits intomasterfrom
renovate/all-minor-patch
Mar 23, 2026

Conversation

@renovate
Contributor

@renovate renovate bot commented Mar 9, 2026

This PR contains the following updates:

Package                        Type    Update  Change
actions/download-artifact      action  patch   v8.0.0 → v8.0.1
astral-sh/setup-uv             action  minor   v7.3.1 → v7.6.0
github/codeql-action           action  minor   v4.32.6 → v4.34.1
sigstore/cosign-installer      action  minor   v4.0.0 → v4.1.0
softprops/action-gh-release    action  minor   v2.5.0 → v2.6.1
step-security/harden-runner    action  minor   v2.15.1 → v2.16.0
zizmor (source)                        minor   1.22.0 → 1.23.1

Release Notes

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

astral-sh/setup-uv (astral-sh/setup-uv)

v7.6.0: 🌈 Fetch uv from Astral's mirror by default

Compare Source

Changes

We now default to downloading uv from releases.astral.sh.
This means that by default we don't hit the GitHub API at all and shouldn't see any rate limits or timeouts any more.

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.5.0: 🌈 Use `astral-sh/versions` as version provider

Compare Source

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing a URL to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.
However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.


[!TIP]
The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

[!WARNING]
The old format still works but is deprecated. A warning will be logged when you use it.

Changes
🚀 Enhancements
📚 Documentation

v7.4.0: 🌈 Add riscv64 architecture support to platform detection

Compare Source

Changes

Thank you @​luhenry for adding support for riscv64 arch

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)

v4.34.1

Compare Source

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
  • Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.0

Compare Source

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

  • Bump cosign to 3.0.5 in #​220
  • fix: add retry to curl downloads for transient network failures in #​210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

softprops/action-gh-release (softprops/action-gh-release)

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes #764, where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉
Bug fixes 🐛
Other Changes 🔄

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes #639, #571, #280, #614, #311, #403, and #368. It also adds documentation clarifications for #541, #645, #542, #393, and #411, where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed
Bug fixes 🐛
Other Changes 🔄
  • docs: clarify token precedence by @​chenrui333 in #​752
  • docs: clarify GitHub release limits by @​chenrui333 in #​758
  • documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle. It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722. Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels, same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability. It fixes #713, addresses #703, and fixes #724. Regression testing shows that current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed
Bug fixes 🐛
Other Changes 🔄
  • dependency updates, including the ESM/runtime compatibility refresh in #​731
New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.1

step-security/harden-runner (step-security/harden-runner)

v2.16.0

Compare Source

What's Changed

  • Updated action.yml to use node24
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

zizmorcore/zizmor (zizmor)

v1.23.1

Compare Source

Bug Fixes 🐛🔗

  • Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#​1724)

v1.23.0

Compare Source

New Features 🌈🔗

  • New audit: secrets-outside-env detects usage of the secrets context in jobs that don't have a corresponding environment (#​1599)

  • New audit: superfluous-actions detects usage of actions that perform operations already provided by GitHub's own runner images (#​1618)

Enhancements 🌱🔗

  • zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#​1555)

  • zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#​1566)

  • zizmor now supports inputs that contain duplicated anchor names (#​1575)

  • zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#​1586)

  • zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#​1641)

  • The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#​1656)

  • Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#​1708)

Changes ⚠️🔗

  • SARIF categories have been regraded. zizmor's "medium" is changed from SARIF's "warning" to "low" (#​1635)
Bug Fixes 🐛🔗

  • Fixed a bug where zizmor would crash on uses: clauses containing non-significant whitespace while performing the unpinned-uses audit (#​1544)

  • Fixed a bug in yamlpath where sequences containing anchors were splatted instead of being properly nested (#​1557)

    Many thanks to @​DarkaMaul for implementing this fix!

  • Fixed a bug in yamlpath where anchor prefixes in sequences and mapping were not stripped during path queries (#​1562)

  • Fixed a bug where "merge into" autofixes would produce incorrect patches in the presence of multi-byte Unicode characters (#​1581)

    Many thanks to @​ManuelLerchnerQC for implementing this fix!

  • Fixed a bug where the template-injection audit would produce duplicated pedantic-only findings (#​1589)

  • Fixed a bug where the obfuscation audit would produce incorrect autofixes for a subset of constant-reducible expressions (#​1597)

  • Fixed a bug where the obfuscation audit would fail to apply fixes to a subset of inputs with leading whitespace (#​1597)

  • Fixed a bug where the concurrency-limits audit would incorrectly flag reusable-only workflows as needing a concurrency: key (#​1620)

  • Fixed a bug where the known-vulnerable-actions audit would fail when applying some fixes (#​1640)

    Many thanks to @​reubenwong97 for implementing this fix!

  • Fixed a bug where the pre-commit ecosystem was not recognized in Dependabot configuration files (#​1637)

  • Fixed a bug where the template-injection audit would incorrectly flag github.triggering_actor as an injection risk in the default persona (#​1645)

  • Fixed a bug where zizmor's expression parser did not correctly handle number literals in GitHub Actions expressions (#​1625)

  • Fixed a bug where the template-injection audit would crash on some forms of multi-line expressions (#​1669)

  • Fixed a bug where deserialization of a workflow containing fractional minutes would fail (#​1675)

  • Fixed a bug where deserialization of a workflow where a workflow_run with a scalar types would fail (#​1676)

  • Fixed a bug where zizmor would crash on workflows containing bare numeric values in if: conditions (#​1683)

  • Fixed a bug where GitHub Actions expression string comparisons were not case-insensitive (#​1687)


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
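The NDJSON manifest format and the version-resolution behaviour described in the setup-uv release notes above, as an added example that is not part of this PR or of setup-uv's own code: it parses a constructed manifest, resolves `latest`, an exact version or a `0.5.x` wildcard, selects the artifact for a platform, and fails closed when the manifest checksum is a placeholder like the `"..."` shown in the notes. All versions, URLs and tarball bytes are constructed for the example.

```python
import hashlib
import json

# Constructed sample manifest in the NDJSON shape from the setup-uv notes: one
# JSON object per line with "version" and "artifacts". Tarball bytes, URLs and
# hashes are constructed; the "..." checksum on 0.5.0 mimics the notes' placeholder.
SAMPLE_TARBALL = b"constructed uv tarball bytes, not a real archive"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()


def _entry(version, sha256):
    return {"version": version, "artifacts": [{
        "platform": "x86_64-unknown-linux-gnu", "variant": "default",
        "url": f"https://example.com/{version}/uv-x86_64-unknown-linux-gnu.tar.gz",
        "archive_format": "tar.gz", "sha256": sha256}]}


MANIFEST_NDJSON = "\n".join(json.dumps(e) for e in [
    _entry("0.10.7", SAMPLE_SHA256), _entry("0.10.6", SAMPLE_SHA256),
    _entry("0.5.3", SAMPLE_SHA256), _entry("0.5.0", "..."),
]) + "\n"

REQUIRED = ("platform", "variant", "url", "archive_format", "sha256")


def parse_manifest(text):
    """Parse NDJSON into a list of version entries, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines, never partial JSON
        obj = json.loads(line)
        if "version" not in obj or not isinstance(obj.get("artifacts"), list):
            raise ValueError(f"line {lineno}: missing version/artifacts")
        for art in obj["artifacts"]:
            if any(k not in art for k in REQUIRED):
                raise ValueError(f"line {lineno}: artifact missing one of {REQUIRED}")
        entries.append(obj)
    return entries


def _key(version):
    return tuple(int(p) for p in version.split("."))


def resolve_version(entries, spec):
    """Resolve 'latest', an exact version, or a '0.5.x' wildcard to one entry."""
    if spec == "latest":
        return max(entries, key=lambda e: _key(e["version"]))
    parts = spec.split(".")
    if parts[-1] == "x":  # wildcard: match on the leading components only
        prefix = tuple(int(p) for p in parts[:-1])
        candidates = [e for e in entries if _key(e["version"])[:len(prefix)] == prefix]
        if not candidates:
            raise ValueError(f"no release matches {spec}")
        return max(candidates, key=lambda e: _key(e["version"]))
    for e in entries:  # exact pin: never silently upgrade to a newer patch
        if e["version"] == spec:
            return e
    raise ValueError(f"no release {spec}")


def select_artifact(entry, platform, variant="default"):
    for art in entry["artifacts"]:
        if art["platform"] == platform and art["variant"] == variant:
            return art
    raise ValueError(f"{entry['version']} has no {variant} build for {platform}")


def verify_download(data, artifact):
    """Fail closed: a placeholder or malformed checksum can never verify."""
    expected = artifact["sha256"].lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    return hashlib.sha256(data).hexdigest() == expected
```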

@github-actions
Contributor

github-actions bot commented Mar 9, 2026

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 4 0 0 0.12s
✅ COPYPASTE jscpd yes no no 1.4s
✅ DOCKERFILE hadolint 1 0 0 0.11s
✅ JSON jsonlint 3 0 0 0.11s
✅ JSON prettier 3 0 0 0.39s
✅ JSON v8r 3 0 0 2.81s
✅ MARKDOWN markdownlint 1 0 0 0.51s
✅ MARKDOWN markdown-table-formatter 1 0 0 0.29s
✅ PYTHON bandit 1 0 0 2.22s
✅ PYTHON black 1 0 0 0.83s
✅ PYTHON flake8 1 0 0 0.51s
✅ PYTHON isort 1 0 0 0.22s
✅ PYTHON mypy 1 0 0 3.18s
✅ PYTHON pylint 1 0 0 3.05s
✅ PYTHON pyright 1 0 0 1.98s
✅ PYTHON ruff 1 0 0 0.03s
✅ REPOSITORY checkov yes no no 22.07s
✅ REPOSITORY dustilock yes no no 0.01s
✅ REPOSITORY gitleaks yes no no 0.32s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 39.83s
✅ REPOSITORY kics yes no no 3.38s
✅ REPOSITORY kingfisher yes no no 4.77s
✅ REPOSITORY secretlint yes no no 1.49s
✅ REPOSITORY syft yes no no 2.1s
✅ REPOSITORY trivy yes no no 12.52s
✅ REPOSITORY trivy-sbom yes no no 0.15s
✅ REPOSITORY trufflehog yes no no 3.88s
✅ YAML prettier 6 0 0 0.72s
✅ YAML v8r 6 0 0 6.14s
✅ YAML yamllint 6 0 0 0.58s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@renovate renovate bot changed the title chore(deps): update dependency zizmor to v1.23.1 chore(deps): update all non-major dependencies Mar 9, 2026
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 0e0c79f to 65d7417 Compare March 15, 2026 01:13
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 65d7417 to 5915731 Compare March 15, 2026 05:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 5915731 to ec6d1e2 Compare March 15, 2026 21:24
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from ec6d1e2 to 1bb901b Compare March 16, 2026 01:21
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 44bc803 to e9d8646 Compare March 20, 2026 21:20
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from e9d8646 to e429458 Compare March 20, 2026 21:21
@renovate
Contributor Author

renovate bot commented Mar 23, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions
Contributor

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-223 (debian 13.3)

8 known vulnerabilities found (CRITICAL: 0 HIGH: 2 MEDIUM: 5 LOW: 0)

Package ID Severity Installed Version Fixed Version
dpkg CVE-2026-2219 UNKNOWN 1.22.21 1.22.22
libc-bin CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libsqlite3-0 CVE-2025-7709 MEDIUM 3.46.1-7 3.46.1-7+deb13u1

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Package ID Severity Installed Version Fixed Version
pip CVE-2026-1703 LOW 25.3 26.0

No Misconfigurations found

@github-actions
Contributor

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.3)

8 known vulnerabilities found (HIGH: 2 MEDIUM: 5 LOW: 0 CRITICAL: 0)

Package ID Severity Installed Version Fixed Version
dpkg CVE-2026-2219 UNKNOWN 1.22.21 1.22.22
libc-bin CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libsqlite3-0 CVE-2025-7709 MEDIUM 3.46.1-7 3.46.1-7+deb13u1

No Misconfigurations found

Python

1 known vulnerabilities found (MEDIUM: 0 LOW: 1 CRITICAL: 0 HIGH: 0)

Package ID Severity Installed Version Fixed Version
pip CVE-2026-1703 LOW 25.3 26.0

No Misconfigurations found

@github-actions
Contributor

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-223 (debian 13.3)

8 known vulnerabilities found (LOW: 0 CRITICAL: 0 HIGH: 2 MEDIUM: 5)

Package ID Severity Installed Version Fixed Version
dpkg CVE-2026-2219 UNKNOWN 1.22.21 1.22.22
libc-bin CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc-bin CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0861 HIGH 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2025-15281 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libc6 CVE-2026-0915 MEDIUM 2.41-12+deb13u1 2.41-12+deb13u2
libsqlite3-0 CVE-2025-7709 MEDIUM 3.46.1-7 3.46.1-7+deb13u1

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Package ID Severity Installed Version Fixed Version
pip CVE-2026-1703 LOW 25.3 26.0

No Misconfigurations found

@chgl chgl merged commit 7a88af8 into master Mar 23, 2026
41 checks passed
@github-actions
Contributor

🎉 This PR is included in version 1.11.18 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@chgl chgl deleted the renovate/all-minor-patch branch March 23, 2026 21:50