chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v6.0.1 → v6.0.2
actions/setup-dotnet	action	minor	v5.0.1 → v5.1.0
actions/setup-java	action	minor	v5.1.0 → v5.2.0
actions/setup-node	action	minor	v6.1.0 → v6.2.0
astral-sh/setup-uv	action	minor	v7.1.6 → v7.2.0
docker/login-action	action	minor	v3.6.0 → v3.7.0
github/codeql-action	action	minor	v4.31.9 → v4.32.0
gradle/actions	action	patch	v5.0.0 → v5.0.1
oxsecurity/megalinter	action	minor	v9.2.0 → v9.3.0
step-security/harden-runner	action	patch	v2.14.0 → v2.14.1
zizmor (source)		minor	1.19.0 → 1.22.0

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/setup-dotnet (actions/setup-dotnet)

v5.1.0

Compare Source

What's Changed

Documentation

• Readme update for environment variable on self hosted linux runners by @​priya-kinthali in #​689
• Contributor icon updates by @​Falco20019 in #​604

Dependency updates

• Upgrade actions/checkout from 5 to 6 by @​dependabot in #​684
• Upgrade to latest actions packages by @​salmanmkc in #​687
• Upgrade dependencies in testproject and checkout in Readme by @​priya-kinthali in #​692

New Contributors

• @​priya-kinthali made their first contribution in #​689
• @​Falco20019 made their first contribution in #​604

Full Changelog: actions/setup-dotnet@v5...v5.1.0

actions/setup-java (actions/setup-java)

v5.2.0

Compare Source

What's Changed

Enhancement

• Retry on HTTP 522 Connection timed out by @​findepi in #​964

Documentation Changes

• Update gradle caching by @​priya-kinthali in #​972
• Update checkout to v6 by @​mahabaleshwars in #​973

Dependency Updates

• Upgrade @​actions/cache to v5 by @​salmanmkc in #​968
• Upgrade actions/checkout from 5 to 6 by @​dependabot in #​961

New Contributors

• @​findepi made their first contribution in #​964

Full Changelog: actions/setup-java@v5...v5.2.0

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v7.2.0: 🌈 add outputs python-version and python-cache-hit

Compare Source

Changes

Among some minor typo fixes and quality of life features for developers of actions the main feature of this release are new outputs:

• python-version: The Python version that was set (same content as existing UV_PYTHON)
• python-cache-hit: A boolean value to indicate the Python cache entry was found

While implementing this it became clear, that it is easier to handle the Python binaries in a separate cache entry. The added benefit for users is that the "normal" cache containing the dependencies can be used in all runs no matter if these cache the Python binaries or not.

[!NOTE]
This release will invalidate caches that contain the Python binaries. This happens a single time.

🐛 Bug fixes

• chore: remove stray space from UV_PYTHON_INSTALL_DIR message @​akx (#​720)

🚀 Enhancements

• add outputs python-version and python-cache-hit @​eifinger (#​728)
• Add action typings with validation @​krzema12 (#​721)

🧰 Maintenance

• fix: use uv_build backend for old-python-constraint-project @​eifinger (#​729)
• chore: update known checksums for 0.9.22 @​github-actions[bot] (#​727)
• chore: update known checksums for 0.9.21 @​github-actions[bot] (#​726)
• chore: update known checksums for 0.9.20 @​github-actions[bot] (#​725)
• chore: update known checksums for 0.9.18 @​github-actions[bot] (#​718)

⬆️ Dependency updates

• Bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 @​dependabot[bot] (#​719)
• Bump github/codeql-action from 4.31.6 to 4.31.9 @​dependabot[bot] (#​723)

docker/login-action (docker/login-action)

v3.7.0

Compare Source

github/codeql-action (github/codeql-action)

v4.32.0

Compare Source

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

gradle/actions (gradle/actions)

v5.0.1

Compare Source

oxsecurity/megalinter (oxsecurity/megalinter)

v9.3.0

Compare Source

• Core

  • Add enum name support in MegaLinter config Json schema for better autocompletion in editors
  • Update base image to python:3.13-alpine3.23

• New linters

  • Add codespell
  • Add kingfisher by @​bdovaz
  • Add rumdl by @​bdovaz

• Linters enhancements

  • Change checkmake Docker image reference by @​bdovaz

• Reporters

  • Handle multiple MegaLinter runs on the same repo using custom value sent in variable MEGALINTER_MULTIRUN_KEY
  • Allow to override url to CI build in Git based reporters using REPORTERS_ACTION_RUN_URL variable
  • Fix sections display in Gitlab console logs

• Doc

  • Classify all JSON schema config variables by category and section

• CI

  • Free disk space on GitHub actions runner when releasing a new flavor
  • Add missing Dockerfile patterns to Renovate Dockerfile manager
  • Remove gitpod custom image, workflow, and makefile targets

• Linter versions upgrades (54)

  • actionlint from 1.7.9 to 1.7.10
  • ansible-lint from 25.11.1 to 25.12.2
  • bash-exec from 5.2.37 to 5.3.3
  • black from 25.11.0 to 25.12.0
  • cfn-lint from 1.41.0 to 1.43.1
  • checkov from 3.2.495 to 3.2.497
  • clang-format from 20.1.8 to 21.1.2
  • clippy from 0.1.91 to 0.1.92
  • clj-kondo from 2025.10.23 to 2025.12.23
  • code-analyzer-apex from 5.6.1 to 5.7.1
  • code-analyzer-aura from 5.6.1 to 5.7.1
  • code-analyzer-lwc from 5.6.1 to 5.7.1
  • cppcheck from 2.14.2 to 2.18.3
  • csharpier from 1.2.1 to 1.2.5
  • cspell from 9.3.2 to 9.4.0
  • dartanalyzer from 3.8.3 to 3.10.7
  • dotnet-format from 9.0.111 to 9.0.112
  • git_diff from 2.49.1 to 2.52.0
  • golangci-lint from 2.6.2 to 2.7.2
  • grype from 0.104.1 to 0.104.3
  • helm from 3.18.4 to 3.19.0
  • htmlhint from 1.7.1 to 1.8.0
  • kics from 2.1.16 to 2.1.18
  • kingfisher from 1.71.0 to 1.73.0
  • kubescape from 3.0.45 to 3.0.47
  • markdown-table-formatter from 1.6.1 to 1.7.0
  • markdownlint from 0.45.0 to 0.47.0
  • mypy from 1.18.2 to 1.19.1
  • npm-groovy-lint from 15.2.2 to 16.1.1
  • npm-package-json-lint from 9.0.0 to 9.1.0
  • php-cs-fixer from 3.90.0 to 3.92.4
  • phplint from 9.6.2 to 9.7.1
  • phpstan from 2.1.32 to 2.1.33
  • pmd from 7.18.0 to 7.20.0
  • prettier from 3.6.2 to 3.7.4
  • psalm from Psalm.6.13.1@​ to Psalm.6.14.3@​
  • pylint from 4.0.3 to 4.0.4
  • robocop from 6.11.0 to 7.2.0
  • roslynator from 0.11.0.0 to 0.12.0.0
  • rubocop from 1.81.7 to 1.82.0
  • rubocop from 1.82.0 to 1.82.1
  • ruff-format from 0.14.6 to 0.14.10
  • ruff from 0.14.6 to 0.14.10
  • rumdl from 0.0.199 to 0.0.208
  • scalafix from 0.14.4 to 0.14.5
  • snakemake from 9.13.7 to 9.14.5
  • stylelint from 16.26.0 to 16.26.1
  • swiftlint from 0.62.2 to 0.63.0
  • syft from 1.38.0 to 1.39.0
  • terraform-fmt from 1.14.0 to 1.14.1
  • terragrunt from 0.93.10 to 0.93.13
  • trivy-sbom from 0.67.2 to 0.68.2
  • trivy from 0.67.2 to 0.68.2
  • trufflehog from 3.91.1 to 3.92.4

step-security/harden-runner (step-security/harden-runner)

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

zizmorcore/zizmor (zizmor)

v1.22.0

Compare Source

Changes ⚠️🔗

• The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#​1532)

Bug Fixes 🐛🔗

• Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#​1536)

v1.21.0

Compare Source

New Features 🌈🔗

• New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#​1517)

Enhancements 🌱🔗

• zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the exit code documentation for details (#​1515)

• The unpinned-uses audit now supports auto-fixes for many findings (#​1525)

Changes ⚠️🔗

• The obfuscation audit no longer flags shell: cmd. That check has been moved to the new misfeature audit. Users may need to update their ignore comments and/or configuration (#​1517)

Bug Fixes 🐛🔗

• The unpinned-uses audit now flags reusable workflows that are unpinned, in addition to actions (#​1509)

  Many thanks to @​johnbillion for implementing this fix!

v1.20.0

Compare Source

Enhancements 🌱🔗

• The excessive-permissions audit is now aware of the artifact-metadata and models permissions (#​1461)

• The cache-poisoning audit is now aware of the ramsey/composer-install action (#​1489)

• The unpinned-images audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#​1482)

Changes ⚠️🔗

• The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml

rules:
  unpinned-uses:
    config:
      policies:
        actions/*: ref-pin
        github/*: ref-pin
        dependabot/*: ref-pin

Bug Fixes 🐛🔗

• The dependabot-cooldown audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#​1480)

• Fixed a false positive in the cache-poisoning audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#​1482)

• Fixed two gaps in the use-trusted-publishing audit's detection of common yarn publishing commands (#​1495)

Miscellaneous 🛠🔗

• zizmor's configuration now has an official JSON schema that will be available via SchemaStore soon!

  Many thanks to @​kiwamizamurai for implementing this improvement!

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.56s
✅ COPYPASTE	jscpd	yes		no	no	1.32s
✅ DOCKERFILE	hadolint	1		0	0	0.15s
✅ JSON	jsonlint	3		0	0	0.27s
✅ JSON	prettier	3		0	0	0.64s
✅ JSON	v8r	3		0	0	2.53s
✅ MARKDOWN	markdownlint	1		0	0	0.59s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.28s
✅ PYTHON	bandit	1		0	0	3.2s
✅ PYTHON	black	1		0	0	0.84s
✅ PYTHON	flake8	1		0	0	0.52s
✅ PYTHON	isort	1		0	0	0.23s
✅ PYTHON	mypy	1		0	0	3.41s
✅ PYTHON	pylint	1		0	0	2.7s
✅ PYTHON	pyright	1		0	0	1.87s
✅ PYTHON	ruff	1		0	0	0.03s
✅ REPOSITORY	checkov	yes		no	no	25.05s
✅ REPOSITORY	dustilock	yes		no	no	0.03s
✅ REPOSITORY	gitleaks	yes		no	no	0.38s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	38.77s
✅ REPOSITORY	kics	yes		no	no	3.85s
❌ REPOSITORY	kingfisher	yes		1	1	5.01s
✅ REPOSITORY	secretlint	yes		no	no	1.35s
✅ REPOSITORY	syft	yes		no	no	2.08s
✅ REPOSITORY	trivy	yes		no	no	11.71s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.1s
✅ REPOSITORY	trufflehog	yes		no	no	3.69s
✅ YAML	prettier	6		0	0	0.69s
✅ YAML	v8r	6		0	0	5.71s
✅ YAML	yamllint	6		0	0	0.64s

Detailed Issues

❌ REPOSITORY / kingfisher - 1 error

warning: Rule GitHub Secret Key matched ./.github/workflows/standard-release.yaml
   ┌─ ./.github/workflows/standard-release.yaml:46:46
   │
46 │       - uses: actions/create-github-app-token@HIDDEN_BY_MEGALINTER# v2.2.1
   │                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

warning: 1 warnings emitted

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-219 (debian 13.3)

36 known vulnerabilities found (CRITICAL: 3 HIGH: 3 MEDIUM: 30 LOW: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.3)

36 known vulnerabilities found (LOW: 0 CRITICAL: 3 HIGH: 3 MEDIUM: 30)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-219 (debian 13.3)

36 known vulnerabilities found (CRITICAL: 3 HIGH: 3 MEDIUM: 30 LOW: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
libssl3t64	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15467	CRITICAL	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69419	HIGH	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-11187	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15468	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-15469	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-66199	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-68160	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69418	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69420	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2025-69421	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22795	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2
openssl-provider-legacy	CVE-2026-22796	MEDIUM	3.5.4-1~deb13u1	3.5.4-1~deb13u2

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found