
Bump oxsecurity/megalinter from 9.3.0 to 9.5.0 #139

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/oxsecurity/megalinter-9.5.0

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps oxsecurity/megalinter from 9.3.0 to 9.5.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

  • Breaking changes

    • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

      • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
      • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
      • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

      GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

    • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

    • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

      • extends: ["airbnb"] → extends: ["airbnb-extended"]
      • extends: ["standard"] → extends: ["neostandard"]
  • Core

    • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
    • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
    • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
    • Upgrade GO runtime to 1.26.3
  • New linters

    • osv-scanner: trivy-like vulnerability scanner by Google
    • zizmor: GitHub Actions static analysis
  • Disabled linters

    • KICS (until upstream security issue is fixed)
    • Spectral (crashing)
  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

    • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
    • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
    • raku (Rakudo): now ships on ARM64 too
    • scala: linter installation is now deterministic (same binary across rebuilds)
    • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
    • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
    • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source
  • Fixes

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v9.5.0] - 2026-05-16

Take 2 mn to read MegaLinter v9.5.0 announcements

  • Breaking changes

    • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

      • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
      • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
      • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

      GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

    • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

    • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

      • extends: ["airbnb"] → extends: ["airbnb-extended"]
      • extends: ["standard"] → extends: ["neostandard"]
  • Core

    • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
    • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
    • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
    • Upgrade GO runtime to 1.26.3
  • New linters

    • osv-scanner: trivy-like vulnerability scanner by Google
    • zizmor: GitHub Actions static analysis
  • Disabled linters

    • KICS (until upstream security issue is fixed)
    • Spectral (crashing)
  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

    • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
    • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
    • raku (Rakudo): now ships on ARM64 too
    • scala: linter installation is now deterministic (same binary across rebuilds)
    • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
    • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
    • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source
  • Fixes

    • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved

... (truncated)

Commits
  • 0e3ce9b Fix release workflows.
  • 3e132b1 Release MegaLinter v9.5.0
  • cbb7fe9 Doc + prepare 9.5.0 release (#7836)
  • 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
  • ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
  • e04f202 feat: implement user notifications system and replace migration warnings (#7833)
  • 54bfad8 chore(deps): update dependency @​stoplight/spectral-cli to v6.16.0 (#7830)
  • f809408 Eslint legacy detection & warning (#7831)
  • 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
  • cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 9.3.0 to 9.5.0.
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@v9.3.0...v9.5.0)

---
updated-dependencies:
- dependency-name: oxsecurity/megalinter
  dependency-version: 9.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels May 19, 2026
@github-actions

MegaLinter analysis: Error

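| Descriptor    | Linter                   | Files | Fixed | Errors | Warnings | Elapsed time |
|---------------|--------------------------|-------|-------|--------|----------|--------------|
| ✅ ACTION     | actionlint               | 3     |       | 0      | 0        | 0.2s         |
| ❌ COPYPASTE  | jscpd                    | yes   |       | 3      | no       | 1.7s         |
| ✅ CSS        | stylelint                | 1     |       | 0      | 0        | 0.56s        |
| ✅ HTML       | htmlhint                 | 4     |       | 0      | 0        | 0.14s        |
| ✅ JAVASCRIPT | standard                 | 1     |       | 0      | 0        | 0.91s        |
| ✅ JSON       | jsonlint                 | 1     |       | 0      | 0        | 0.05s        |
| ✅ JSON       | v8r                      | 1     |       | 0      | 0        | 2.51s        |
| ⚠️ MARKDOWN   | markdownlint             | 18    |       | 11     | 0        | 0.56s        |
| ✅ MARKDOWN   | markdown-table-formatter | 18    |       | 0      | 0        | 0.21s        |
| ❌ REPOSITORY | checkov                  | yes   |       | 1      | no       | 27.91s       |
| ❌ REPOSITORY | devskim                  | yes   |       | 1      | no       | 1.66s        |
| ✅ REPOSITORY | dustilock                | yes   |       | no     | no       | 0.23s        |
| ✅ REPOSITORY | gitleaks                 | yes   |       | no     | no       | 0.22s        |
| ✅ REPOSITORY | git_diff                 | yes   |       | no     | no       | 0.01s        |
| ❌ REPOSITORY | grype                    | yes   |       | 57     | no       | 43.79s       |
| ❌ REPOSITORY | secretlint               | yes   |       | 1      | no       | 1.23s        |
| ✅ REPOSITORY | syft                     | yes   |       | no     | no       | 1.32s        |
| ❌ REPOSITORY | trivy                    | yes   |       | 1      | no       | 11.36s       |
| ✅ REPOSITORY | trivy-sbom               | yes   |       | no     | no       | 0.95s        |
| ✅ REPOSITORY | trufflehog               | yes   |       | no     | no       | 3.86s        |
| ❌ SPELL      | lychee                   | 38    |       | 5      | 0        | 4.72s        |
| ✅ YAML       | v8r                      | 15    |       | 0      | 0        | 4.45s        |
| ❌ YAML       | yamllint                 | 15    |       | 2      | 0        | 1.79s        |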

Detailed Issues

❌ REPOSITORY / checkov - 1 error
secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_4: "Basic Auth Credentials"
	FAILED for resource: HIDDEN_BY_MEGALINTER	File: /test/dummy/config/database.yml:80-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-4

		80 | #   DATABASE_URL="postgres://myuser:m**********@localhost/somedatabase"

github_actions scan results:

Passed checks: 83, Failed checks: 0, Skipped checks: 0
❌ REPOSITORY / devskim - 1 error
❌ REPOSITORY / grype - 57 errors
7.2.3.1   gem   GHSA-2j26-frm8-cmj9  Medium    < 0.1% (8th)   < 0.1  
rack           3.2.3                       3.2.6     gem   GHSA-v569-hp3g-36wr  High      < 0.1% (6th)   < 0.1  
rack           3.2.3                       3.2.6     gem   GHSA-v6x5-cg8r-vv6x  High      < 0.1% (6th)   < 0.1  
activestorage  7.2.3                       7.2.3.1   gem   GHSA-73f9-jhhh-hr5m  Medium    < 0.1% (8th)   < 0.1  
net-imap       0.5.12                      0.5.14    gem   GHSA-hm49-wcqc-g2xg  Medium    < 0.1% (8th)   < 0.1  
activestorage  7.2.3                       7.2.3.1   gem   GHSA-r46p-8f7g-vvvg  Medium    < 0.1% (6th)   < 0.1  
rack           3.2.3                       3.2.5     gem   GHSA-whrj-4476-wvmp  Medium    < 0.1% (7th)   < 0.1  
activesupport  7.2.3                       7.2.3.1   gem   GHSA-cg4j-q9v8-6v38  Medium    < 0.1% (5th)   < 0.1  
rack           3.2.3                       3.2.6     gem   GHSA-x8cg-fq8g-mxfx  Medium    < 0.1% (5th)   < 0.1  
rack           3.2.3                       3.2.6     gem   GHSA-rx22-g9mx-qrhv  Medium    < 0.1% (6th)   < 0.1  
activestorage  7.2.3                       7.2.3.1   gem   GHSA-qcfx-2mfw-w4cg  Medium    < 0.1% (3rd)   < 0.1  
activestorage  7.2.3                       7.2.3.1   gem   GHSA-p9fm-f462-ggrg  Low       < 0.1% (5th)   < 0.1  
rack           3.2.3                       3.2.6     gem   GHSA-vgpv-f759-9wx3  Medium    < 0.1% (2nd)   < 0.1  
actionview     7.2.3                       7.2.3.1   gem   GHSA-v55j-83pf-r9cq  Low       < 0.1% (7th)   < 0.1  
activesupport  7.2.3                       7.2.3.1   gem   GHSA-89vf-4333-qx8v  Medium    < 0.1% (1st)   < 0.1  
nokogiri       1.18.10-aarch64-linux-gnu   1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-aarch64-linux-musl  1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-arm-linux-gnu       1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-arm-linux-musl      1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-arm64-darwin        1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-x86_64-darwin       1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-x86_64-linux-gnu    1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-x86_64-linux-musl   1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A            N/A    
nokogiri       1.18.10-aarch64-linux-gnu   1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-aarch64-linux-gnu   1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-aarch64-linux-musl  1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-aarch64-linux-musl  1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-arm-linux-gnu       1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-arm-linux-gnu       1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-arm-linux-musl      1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-arm-linux-musl      1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-arm64-darwin        1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-arm64-darwin        1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-darwin       1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-darwin       1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-linux-gnu    1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-linux-gnu    1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-linux-musl   1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A            N/A    
nokogiri       1.18.10-x86_64-linux-musl   1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A
[0043] ERROR discovered vulnerabilities at or above the severity threshold

(Truncated to last 4444 characters out of 6769)
❌ COPYPASTE / jscpd - 3 errors
Clone found (ruby):
 - test/dummy/test/ref_resolvers/blank_ref_resolver_test.rb [32:13 - 48:23] (16 lines, 97 tokens)
   test/dummy/test/ref_resolvers/definitions_resolver_test.rb [23:13 - 39:24]

Clone found (ruby):
 - test/dummy/test/models/example_record_test.rb [115:54 - 136:39] (21 lines, 178 tokens)
   test/dummy/test/models/example_record_test.rb [72:60 - 93:56]

Clone found (ruby):
 - test/dummy/test/models/example_record_test.rb [139:5 - 155:4] (16 lines, 133 tokens)
   test/dummy/test/models/example_record_test.rb [98:5 - 115:7]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ javascript │ 1              │ 25          │ 50           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ruby       │ 72             │ 3846        │ 23190        │ 3            │ 53 (1.38%)       │ 408 (1.76%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 73             │ 3871        │ 23240        │ 3            │ 53 (1.37%)       │ 408 (1.76%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 3 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (1.37%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (1.37%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5
❌ SPELL / lychee - 5 errors
📝 Summary
---------------------
🔍 Total..........158
🔗 Unique.........140
✅ Successful.....149
⏳ Timeouts.........0
🔀 Redirected......12
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........5
⛔ Unsupported......5

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/configuration/ (at 48:13) | Rejected status code: 404 Not Found
[404] https://megalinter.io/flavors/ (at 44:24) | Rejected status code: 404 Not Found

Errors in .mega-linter.yml
[404] https://megalinter.io/configuration/ (at 3:34) | Rejected status code: 404 Not Found

Errors in docs/way_of_working/code-of-conduct.md
[ERROR] file://docs/way_of_working/CODE_OF_CONDUCT.md (at 6:1) | File not found. Check if file exists and path is correct

Errors in docs/way_of_working/decision-records.md
[ERROR] https://gds-way.cloudapps.digital/standards/architecture-decisions.html (at 14:71) | Connection failed. Check network connectivity and firewall settings

Hint: Followed 12 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
❌ REPOSITORY / secretlint - 1 error
test/dummy/config/database.yml
  80:18  error  [PostgreSQLConnection] found PostgreSQL connection string: ************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 1 problem (1 error, 0 warnings, 0 infos)
❌ REPOSITORY / trivy - 1 error
│
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34826                   │
│               ├─────────────────────┤          │        │                   │                                                        ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-34830      │          │        │                   │                                                        │ rack: Rack: Information disclosure via regular expression    │
│               │                     │          │        │                   │                                                        │ injection in X-Accel-Mapping header                          │
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34830                   │
│               ├─────────────────────┤          │        │                   │                                                        ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-34831      │          │        │                   │                                                        │ rack: Rack: HTTP response desynchronization via incorrect    │
│               │                     │          │        │                   │                                                        │ Content-Length calculation with UTF-8 characters...          │
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34831                   │
│               ├─────────────────────┤          │        │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-34835      │          │        │                   │ ~> 3.1.21, >= 3.2.6                                    │ rack: Rack: Host header poisoning due to malformed Host      │
│               │                     │          │        │                   │                                                        │ header bypasses validation...                                │
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34835                   │
│               ├─────────────────────┼──────────┤        │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-26961      │ LOW      │        │                   │ ~> 2.2.23, ~> 3.1.21, >= 3.2.6                         │ github.com/rack/rack: Rack: Content smuggling via multipart  │
│               │                     │          │        │                   │                                                        │ boundary parsing mismatch                                    │
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-26961                   │
├───────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ rack-session  │ CVE-2026-39324      │ CRITICAL │        │ 2.1.1             │ >= 2.1.2                                               │ Rack::Session is a session management implementation for     │
│               │                     │          │        │                   │                                                        │ Rack. From 2. ...                                            │
│               │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-39324                   │
└───────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 4444 characters out of 33540)
❌ YAML / yamllint - 2 errors
.github/workflows/mega-linter.yml
  53:7      warning  comment not indented like content  (comments-indentation)

test/dummy/config/database.yml
  62:1      error    syntax error: could not find expected ':' (syntax)
⚠️ MARKDOWN / markdownlint - 11 errors
.github/ISSUE_TEMPLATE/job-story.md:8 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Job Story"]
.github/pull_request_template.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## What?"]
.github/pull_request_template.md:29 error MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
CHANGELOG.md:18 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:24 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:36 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:42 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
CHANGELOG.md:57 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
docs/way_of_working/code-linting/index.md:25:288 error MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/way_of_working/pull-request-template-and-guidelines.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 497]
README.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 451]

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,CSS_STYLELINT,HTML_HTMLHINT,JAVASCRIPT_STANDARD,JSON_JSONLINT,JSON_V8R,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DEVSKIM,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository
