Skip to content

deps: bump the production-dependencies group across 1 directory with 5 updates #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

deps: bump the production-dependencies group across 1 directory with 5 updates #55

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 5, 2025
edited
Loading

Bumps the production-dependencies group with 5 updates in the / directory:

Package From To
dtolnay/rust-toolchain 56f84321dbccf38fb67ce29ab63e4754056677e0 b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
docker/build-push-action 6.15.0 6.16.0
actions/attest-build-provenance 2.2.3 2.3.0
anchore/scan-action 6.1.0 6.2.0
42ByteLabs/patch-release-me 0.5.3 0.6.0

Updates dtolnay/rust-toolchain from 56f84321dbccf38fb67ce29ab63e4754056677e0 to b3b07ba8b418998c39fb20f53e8b695cdcc8de1b

Commits
  • b3b07ba Merge pull request #152 from dtolnay/trailingwhitespace
  • 6ff96e9 Clean up trailing whitespace from PR 145
  • 3038d43 Merge pull request #151 from dtolnay/winrustup
  • d69c8f6 Use rustup.rs advertised download URLs
  • c9b8f05 Merge pull request #149 from dtolnay/wincargohome
  • eceb16e Respect pre-existing CARGO_HOME on Windows
  • 449259c Merge pull request #150 from dtolnay/githubpath
  • f36efba Fix GITHUB_PATH
  • 3d21cbb Merge pull request #148 from dtolnay/backslash
  • 802126c Consistently use backslash directories on Windows
  • Additional commits viewable in compare view

Updates docker/build-push-action from 6.15.0 to 6.16.0

Release notes

Sourced from docker/build-push-action's releases.

v6.16.0

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits
  • 14487ce Merge pull request #1343 from crazy-max/fix-no-default-attest
  • 0ec9126 Merge pull request #1366 from crazy-max/pr-assign-author
  • b749522 pr-assign-author workflow
  • c566248 Merge pull request #1363 from crazy-max/fix-codecov
  • 13275dd ci: fix missing source for codecov
  • 67dc78b Merge pull request #1361 from mschoettle/patch-1
  • 0760504 docs: add validating build configuration example
  • 1c198f4 chore: update generated content
  • 288d9e2 handle no default attestations env var
  • 88844b9 Merge pull request #1353 from crazy-max/summary-secret-keys
  • Additional commits viewable in compare view

Updates actions/attest-build-provenance from 2.2.3 to 2.3.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v2.3.0

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

Commits
  • db473fd bump actions/attest from 2.2.1 to 2.3.0 (#615)
  • d3b713a Bump the actions-minor group with 2 updates (#566)
  • e042adb Bump the npm-development group with 4 updates (#567)
  • 9d3beef Bump the npm-development group with 4 updates (#554)
  • 877f50d Bump typescript-eslint in the npm-development group (#516)
  • b7ab740 Bump the npm-development group across 1 directory with 6 updates (#506)
  • See full diff in compare view

Updates anchore/scan-action from 6.1.0 to 6.2.0

Release notes

Sourced from anchore/scan-action's releases.

v6.2.0

New in scan-action v6.2.0

  • feat: update Scan action to use grype db v6 (#462) [spiffcs]
Commits
  • 2c901ab Scan action grype db v6 (#462)
  • 39c42ea chore(deps-dev): bump lint-staged from 15.5.0 to 15.5.1 (#458)
  • eec251a chore(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (#457)
  • c8820f3 chore(deps-dev): bump eslint from 9.24.0 to 9.25.1 (#460)
  • b1d1a26 chore(deps-dev): bump eslint from 9.23.0 to 9.24.0 (#456)
  • dc6246f chore(deps-dev): bump lint-staged from 15.4.3 to 15.5.0 (#448)
  • 4736597 chore(deps): bump actions/setup-node from 4.2.0 to 4.3.0 (#449)
  • 0883344 chore(deps-dev): bump eslint from 9.22.0 to 9.23.0 (#452)
  • 11388f2 chore(deps-dev): bump eslint from 9.21.0 to 9.22.0 (#447)
  • 8b28347 chore(deps-dev): bump eslint from 9.19.0 to 9.21.0 (#440)
  • Additional commits viewable in compare view

Updates 42ByteLabs/patch-release-me from 0.5.3 to 0.6.0

Release notes

Sourced from 42ByteLabs/patch-release-me's releases.

v0.6.0

What's Changed

Full Changelog: 42ByteLabs/patch-release-me@0.5.5...0.6.0

v0.5.5

What's Changed

Full Changelog: 42ByteLabs/patch-release-me@0.5.4...0.5.5

v0.5.4

What's Changed

Full Changelog: 42ByteLabs/patch-release-me@0.5.3...0.5.4

Changelog

Sourced from 42ByteLabs/patch-release-me's changelog.

name: "patch-release-me" version: "0.6.0" repository: "42ByteLabs/patch-release-me"

ecosystems:

  • Rust

locations:

  • name: "Actions Docs" paths:
    • 'README.md'
    • '.github/workflows/*.yml'
    • 'actions/Dockerfile' patterns:

    Actions

    • '{repository}@{version}'

    Containers

    • 'ghcr.io/{repository}:{version}'
Commits
  • 63750b1 feat(version): v0.6.0
  • 2325e54 feat: Update interactive mode to fix issues
  • e3fabad fix: Update version check
  • 066bce0 feat: Update bumping support and add Sync
  • 44ae8f0 feat: Update defaults.yml to exclude additional directories from processing
  • 9ad3f4c deps: bump clap in the production-dependencies group
  • e6f9961 feat(version): 0.5.5
  • fef256b feat: Update CLI interface and logging output
  • 7365f4a deps: bump the production-dependencies group with 2 updates
  • 67fb9fa feat(version): v0.5.4
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot requested review from a team, aegilops and felickz and removed request for a team May 5, 2025 12:51
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 5, 2025
@github-actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/dtolnay/rust-toolchain b3b07ba8b418998c39fb20f53e8b695cdcc8de1b 🟢 6.2
Details
CheckScoreReason
Code-Review⚠️ 1Found 2/19 approved changesets -- score normalized to 1
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1019 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Vulnerabilities🟢 100 existing vulnerabilities detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy🟢 3security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/actions/attest-build-provenance db473fddc028af60658334401dc6fa3ffd8669fd UnknownUnknown
actions/docker/build-push-action 263435318d21b8e681c14492fe198d362a7d2c83 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 8Found 8/9 approved changesets -- score normalized to 8
Security-Policy🟢 9security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Packaging🟢 10packaging workflow detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 37 existing vulnerabilities detected
actions/anchore/scan-action 2c901ab7378897c01b8efaa2d0c9bf519cc64b9e 🟢 6.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1016 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 9binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 10security policy file detected
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 19 existing vulnerabilities detected
actions/docker/build-push-action 263435318d21b8e681c14492fe198d362a7d2c83 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 8Found 8/9 approved changesets -- score normalized to 8
Security-Policy🟢 9security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Packaging🟢 10packaging workflow detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 37 existing vulnerabilities detected
actions/42ByteLabs/patch-release-me 9ff3c04cb0802fd8dcd3100e5c0b4801e88daf3a UnknownUnknown

Scanned Files

  • .github/workflows/codeql-ql.yml
  • .github/workflows/container-publish.yml
  • .github/workflows/container-security.yml
  • .github/workflows/release.yml

@github-actions
Copy link

github-actions bot commented May 5, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/dtolnay/rust-toolchain b3b07ba8b418998c39fb20f53e8b695cdcc8de1b 🟢 6.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review⚠️ 1Found 2/19 approved changesets -- score normalized to 1
Maintained🟢 1019 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy🟢 3security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/actions/attest-build-provenance db473fddc028af60658334401dc6fa3ffd8669fd UnknownUnknown
actions/docker/build-push-action 14487ce63c7a62a4a324b0bfb37086795e31c6c1 🟢 5.8
Details
CheckScoreReason
Maintained🟢 1028 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 6/8 approved changesets -- score normalized to 7
Security-Policy🟢 9security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Fuzzing⚠️ 0project is not fuzzed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Packaging🟢 10packaging workflow detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/anchore/scan-action 2c901ab7378897c01b8efaa2d0c9bf519cc64b9e 🟢 6.4
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1012 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 9binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy🟢 10security policy file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 28 existing vulnerabilities detected
actions/docker/build-push-action 14487ce63c7a62a4a324b0bfb37086795e31c6c1 🟢 5.8
Details
CheckScoreReason
Maintained🟢 1028 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 6/8 approved changesets -- score normalized to 7
Security-Policy🟢 9security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Fuzzing⚠️ 0project is not fuzzed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Packaging🟢 10packaging workflow detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/42ByteLabs/patch-release-me 63750b1c6fc917cdb605f13ad44c9e10e9d6ef5d UnknownUnknown

Scanned Files

  • .github/workflows/codeql-ql.yml
  • .github/workflows/container-publish.yml
  • .github/workflows/container-security.yml
  • .github/workflows/release.yml

@dependabot
deps: bump the production-dependencies group across 1 directory with …
cd3cc18 
…5 updates

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain) | `56f84321dbccf38fb67ce29ab63e4754056677e0` | `b3b07ba8b418998c39fb20f53e8b695cdcc8de1b` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.15.0` | `6.16.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.2.3` | `2.3.0` |
| [anchore/scan-action](https://github.com/anchore/scan-action) | `6.1.0` | `6.2.0` |
| [42ByteLabs/patch-release-me](https://github.com/42bytelabs/patch-release-me) | `0.5.3` | `0.6.0` |



Updates `dtolnay/rust-toolchain` from 56f84321dbccf38fb67ce29ab63e4754056677e0 to b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
- [Release notes](https://github.com/dtolnay/rust-toolchain/releases)
- [Commits](dtolnay/rust-toolchain@56f8432...b3b07ba)

Updates `docker/build-push-action` from 6.15.0 to 6.16.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@471d1dc...14487ce)

Updates `actions/attest-build-provenance` from 2.2.3 to 2.3.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@c074443...db473fd)

Updates `anchore/scan-action` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/anchore/scan-action/releases)
- [Changelog](https://github.com/anchore/scan-action/blob/main/RELEASE.md)
- [Commits](anchore/scan-action@7c05671...2c901ab)

Updates `42ByteLabs/patch-release-me` from 0.5.3 to 0.6.0
- [Release notes](https://github.com/42bytelabs/patch-release-me/releases)
- [Changelog](https://github.com/42ByteLabs/patch-release-me/blob/main/.release.yml)
- [Commits](42ByteLabs/patch-release-me@f950db6...63750b1)

---
updated-dependencies:
- dependency-name: dtolnay/rust-toolchain
  dependency-version: b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
  dependency-type: direct:production
  dependency-group: production-dependencies
- dependency-name: docker/build-push-action
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: actions/attest-build-provenance
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: anchore/scan-action
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: 42ByteLabs/patch-release-me
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/main/production-dependencies-47b3b438af branch from 7d7c853 to cd3cc18 Compare June 9, 2025 12:43
@dependabot dependabot bot requested a review from a team as a code owner June 9, 2025 12:43
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 23, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Jun 23, 2025
@dependabot dependabot bot deleted the dependabot/github_actions/main/production-dependencies-47b3b438af branch June 23, 2025 13:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felickz felickz Awaiting requested review from felickz felickz is a code owner automatically assigned from advanced-security/oss-maintainers

@aegilops aegilops Awaiting requested review from aegilops aegilops is a code owner automatically assigned from advanced-security/oss-maintainers

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant