chore(deps): update dependency lefthook to v2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
lefthook	1.12.2 → 2.1.4

---

Release Notes

evilmartians/lefthook (lefthook)

v2.1.4

Compare Source

• pkg: fix scripts (#​1348) by @​mrexox
• fix: bring back {lefthook_job_name} template (#​1347) by @​mrexox
• pkg: refactor packaging (2) (#​1346) by @​mrexox
• fix: separate more commands' non-option args with -- (#​1339) by @​scop
• docs: change logo to point to landing page instead of itself (#​1343) by @​igas
• pkg: make it easier to read (#​1340) by @​mrexox
• pkg: refactor packaging scripts (#​1308) by @​mrexox

v2.1.3

Compare Source

• chore: switch artifact attestations gen to actions/attest v4 (#​1338) by @​scop
• chore: describe ENV variables usage in CLI help output (#​1337) by @​mrexox
• fix: support git debug versions (#​1334) by @​mrexox
• deps: March 2026 (#​1330) by @​mrexox
• feat: update minimum go version (#​1331) by @​mrexox

v2.1.2

Compare Source

• feat: introduce setup hook option (#​1326) by @​mrexox
• refactor: recovering logic for changesets (#​1324) by @​mrexox
• fix: rollback auto-staged changes if unwanted changes detected (#​1251) by @​tuchfarber
• docs: improve docs ui (#​1323) by @​mrexox
• docs: additional skip example and note about reinstallation (#​1319) by @​iloveitaly
• docs: fix incorrect --verbose usage (#​1318) by @​iloveitaly
• pkg: fix python packages publishing by @​mrexox

v2.1.1

Compare Source

• ci: fix publishing to PyPi by @​mrexox
• fix: reset colors on config read (#​1309) by @​mrexox
• chore: reduce verbosity of hints in lefthook install (#​1303) by @​joevin-slq-docto
• docs: add missing /v2 suffix for go get -tool (#​1304) by @​alexandregv

v2.1.0

Compare Source

• ci: skip Python publishing by [@​mrexox][]
• chore: fancy wording and indentation for hits by [@​mrexox][]
• feat: check core.hooksPath when lefthook install (#​1292) by [@​joevin-slq-docto][]
• feat: allow installing non-git hooks (#​1301) by [@​mrexox][]

v2.0.16

Compare Source

• chore: timeout cleanup (#​1297) by @​mrexox
• feat: add timeout argument (#​1263) by @​franzramadhan
• deps: January 2026 (#​1285) by @​mrexox
• pkg: pack one binary per platform into python wheels (#​1181) by @​danfimov
• fix: accept string in file_types (#​1288) by @​scop
• docs: elaborate on when to refetch and failure mode (#​1287) by @​scop
• fix: try reading direct file instead of all remotes (#​1243) by @​mrexox
• perf: [breaking] skip ghost hook when hooks are already configured (#​1255) by @​WooWan
• chore: upgrade to 2.8.0 (#​1278) by @​scop

v2.0.15

Compare Source

• docs: clarify remote settings (#​1260) by @​mrexox
• feat: skip scripts if args given with empty file template (#​1277) by @​mrexox

v2.0.14

Compare Source

• fix: skip if any files template is empty (#​1275) by @​mrexox
• feat: add jsonc support (#​1274) by @​mrexox
• deps: switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#​1261) by @​scop
• fix: don't install custom hooks to hooks dir (#​1246) by @​scop
• deps: December 2025 (#​1209) by @​mrexox

v2.0.13

Compare Source

• fix: set extends to empty slice after loading remotes (#​1259) by @​mrexox
• fix: allow custom hooks in JSON schema by updating generator (#​1250) by @​jeonghoon11
• docs: remove duplicate config: false description (#​1245) by @​scop
• chore: add more tests (#​1244) by @​mrexox

v2.0.12

Compare Source

• chore: small changes on diff printing (#​1242) by @​mrexox
• feat: ability to show diff when failing on changes (#​1227) by @​scop
• fix: make short status parser more robust (#​1236) by @​scop
• docs: fix readme (#​1235) by @​matdibu

v2.0.11

Compare Source

• feat: refetch and cleanup on ref change (#​1210) by @​mrexox
• ci: npm trusted publishing (#​1234) by @​mrexox
• feat: more rudimentary shell completions (#​1230) by @​scop

v2.0.10

Compare Source

• feat: add no_auto_install to lefthook.yml (#​1231) by @​pavelzw
• fix: skip if empty files template (#​1233) by @​mrexox

v2.0.9

Compare Source

• fix: skip pre commit hook if no staged files (#​1229) by @​mrexox
• fix: do not try to hash-object directories (#​1220) by @​scop
• fix: check and report Scanner errors (#​1222) by @​scop
• refactor: command executor tweaks (#​1224) by @​scop
• refactor: remove some redundant code (#​1221) by @​scop
• fix: improve separation of options and filenames for more git commands (#​1225) by @​scop
• chore: upgrade golangci-lint to 2.7.1, add godoclint (#​1223) by @​scop
• chore: remove unnecessary .svg executable permissions (#​1219) by @​scop

v2.0.8

Compare Source

• fix: do not escape custom templates in command replacement (#​1213) by @​joevin-sql-docto

v2.0.7

Compare Source

• fix: prefer using lefthook from the $PATH (#​1211) by @​joevin-sql-docto

v2.0.6

Compare Source

• feat: save original executable location in hooks (#​1208) by @​mrexox
• docs: encourage python install using pipx (#​1207) by @​franzramadhan

v2.0.5

Compare Source

• feat: add optional args to scripts (#​1206) by @​mrexox
• deps: November 2025 (#​1200) by @​mrexox
• chore: upgrade golangci-lint to 2.6.1, add modernize (#​1190) by @​scop
• chore: publish artifact attestations (#​1189) by @​scop

v2.0.4

Compare Source

• fix: glob_matcher jsonschema values
• feat: add optional standard glob matcher (doublestar) (#​1188) by @​jasonwbarnett

v2.0.3

Compare Source

• feat: fail_on_changes non-ci option (#​1186) by @​scop
• deps: update mimetypes (#​1185) by @​mrexox

v2.0.2

Compare Source

• fix: add mutex lock before all git commands (#​1178) by @​mrexox

v2.0.1

Compare Source

• fix: set extends to empty slice after loading remotes (#​1259) by @​mrexox
• fix: allow custom hooks in JSON schema by updating generator (#​1250) by @​jeonghoon11
• docs: remove duplicate config: false description (#​1245) by @​scop
• chore: add more tests (#​1244) by @​mrexox

v2.0.0

Compare Source

Breaking changes

• exclude option no longer accepts regexp, only globs.
• skip_output option is dropped, use output instead.
• Some CLI arguments have changed their names to make it more consistent. See lefthook run -h for details.
• for only and skip options with - run: '...' values the command executer was changed to Bourne Shell.

Commits

• fix: accept --fail-on-changes=false as override value (#​1168) by @​mrexox
• feat: [breaking] use sh as command executor on Windows (#​1166) by @​mrexox
• refactor: [breaking] drop support for exclude regexp (#​1162) by @​mrexox
• refactor: [breaking] drop deprecated skip_output option (#​1159) by @​mrexox
• refactor: [breaking] use another cli framework (#​1155) by @​mrexox

v1.13.6

Compare Source

• fix: embed jsonschema into binary (#​1158) by @​mrexox

v1.13.5

Compare Source

• chore: a small cleanup by @​mrexox
• refactor: use semver to check versions (#​1152) by @​mrexox
• fix: add comprehensive tests for spinner name formatting (#​1145) @​technicalpickles
• docs: add LEFTHOOK_BIN environment variable to documentation (#​1151) @​technicalpickles
• chore: tests improvements (#​1148) by @​mrexox
• chore: fix naming for integration tests (#​1146) by @​mrexox
• docs: use codecov coverage badge by @​mrexox
• ci: codecov (#​1147) by @​mrexox
• docs: use actual latest version (#​1143) by @​mrexox
• docs: add exclude to hook-level settings by @​mrexox

v1.13.4

Compare Source

• fix: add exclude option to hook level (#​1141) by @​mrexox
• fix: allow skipping groups (#​1140) by @​mrexox

v1.13.3

Compare Source

• deps: September 2025 (#​1139) by @​mrexox
• fix: concurrent map access issue (#​1138) by @​mrexox

v1.13.2

Compare Source

• feat: inherit file_types from parent jobs (#​1135) by @​mrexox
• fix: move gen at root (#​1133) by @​mrexox
• refactor: better scope subpackages (#​1132) by @​mrexox

v1.13.1

Compare Source

• feat: add no stage fixed argument (#​1130) by @​mrexox
• refactor: reduce the amount of code in a single file (#​1131) by @​mrexox
• fix: re-evaluate status for changeset (#​1129) by @​mrexox
• refactor: reduce the amount of code in a single file (#​1118) by @​mrexox
• chore: update issue templates by @​mrexox
• docs: add fail_on_changes to configuration/README.md (#​1119) by @​7crabs
• docs: update go installation note (#​1117) by @​leakedmemory

v1.13.0

Compare Source

• fix: use batched cmd for calculating git hashes (#​1116) by @​mrexox
• fix: add mutex to prevent concurrent git adds (#​1115) by @​mrexox
• refactor: improve structuring (#​1103) by @​mrexox
• feat: fail on change (#​1095) by @​olivier-lacroix
• fix: set --force for git add command (#​1104) by @​michaelm
• feat: recursively log successful results in summary (#​1108) by @​siler
• fix: groups with successes and skips are successful (#​1107) by @​siler

v1.12.4

Compare Source

• deps: September 2025 (#​1102) by @​mrexox
• feat: add tags argument (#​1101) by @​mrexox
• chore: bump github.com/go-viper/mapstructure/v2 (#​1094)

v1.12.3

Compare Source

• feat: add MIME types to file_types filters (#​1092)
• fix: respect LEFTHOOK_CONFIG in lefthook install (#​1090) by @​TECHNOFAB11
• docs: update pnpm installation note (#​1089) by @​skoch13
• docs: improve wording of run, files, and files-global config descriptions, document that the sh shell is used (#​1086) by @​ItsHarper
• docs: 404 for local-config (#​1082) by @​rammanoj
• docs: fix typo (#​1079) by @​eai04191

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	utility-types@​3.11.0
	tweakpane@​4.0.5
	tsx@​4.20.3
	typescript@​5.9.3
	lefthook@​1.12.2 ⏵ 2.1.4	+1			+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client CVE: GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client (HIGH) Affected versions: >= 6.0.0 < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: pnpm-lock.yaml → npm/pointe@5.15.1 → npm/undici@7.16.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation CVE: GHSA-v9p9-hfj2-hcw8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: pnpm-lock.yaml → npm/pointe@5.15.1 → npm/undici@7.16.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression CVE: GHSA-vrm6-8vpv-qv8q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: pnpm-lock.yaml → npm/pointe@5.15.1 → npm/undici@7.16.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report