Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix GHSA Filtering #623

Merged
merged 4 commits into from
Nov 28, 2023
Merged

Fix GHSA Filtering #623

merged 4 commits into from
Nov 28, 2023

Conversation

febuiles
Copy link
Contributor

@febuiles febuiles commented Nov 24, 2023

We support an allow-ghsas option that lets the user indicate if a specific vulnerability should be ignored during Action runs.

Currently, when the system finds a dependency that contains a vulnerability that matches a value in allow-ghsas, it marks that dependency as "clean", regardless of other GHSAs (vulnerabilities) that can affect the same package.

This PR changes the filtering behavior. Instead of dropping all the vulnerabilities related to a single dependency, we now only drop the vulnerability specified by the user-provided GHSA.

__tests__/filter.test.ts Outdated Show resolved Hide resolved
@febuiles febuiles merged commit 4b4f0de into main Nov 28, 2023
4 checks passed
karfau referenced this pull request in xmldom/xmldom Nov 29, 2023
…#586)

[![Mend Renovate logo
banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | patch | `v3.1.3` -> `v3.1.4` |

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://github.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://github.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://github.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://github.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://github.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://github.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.4

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/xmldom/xmldom).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41OS44IiwidXBkYXRlZEluVmVyIjoiMzcuNTkuOCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Th3S4mur41 pushed a commit to Th3S4mur41/demo-auto-security-release that referenced this pull request Jan 19, 2024
## [1.0.11](v1.0.10...v1.0.11) (2024-01-19)

### Dependencies and Other Build Updates

* **deps-dev:** Bump @commitlint/cli from 18.4.3 to 18.4.4 ([#103](#103)) ([d83e5bb](d83e5bb))
* **deps-dev:** Bump @commitlint/config-conventional from 18.4.3 to 18.4.4 ([#102](#102)) ([9039762](9039762))
* **deps-dev:** Bump prettier from 3.1.1 to 3.2.2 ([#104](#104)) ([15733ae](15733ae))
* **deps-dev:** Bump prettier from 3.2.2 to 3.2.4 ([#106](#106)) ([4153de3](4153de3))
* **deps-dev:** Bump pretty-quick from 3.1.3 to 4.0.0 ([#107](#107)) ([a9d7f95](a9d7f95)), closes [#182](https://github.com/Th3S4mur41/demo-auto-security-release/issues/182) [#185](https://github.com/Th3S4mur41/demo-auto-security-release/issues/185) [#180](https://github.com/Th3S4mur41/demo-auto-security-release/issues/180) [#183](https://github.com/Th3S4mur41/demo-auto-security-release/issues/183) [prettier/pretty-quick#180](prettier/pretty-quick#180) [#178](https://github.com/Th3S4mur41/demo-auto-security-release/issues/178) [#175](https://github.com/Th3S4mur41/demo-auto-security-release/issues/175) [#172](https://github.com/Th3S4mur41/demo-auto-security-release/issues/172) [#182](https://github.com/Th3S4mur41/demo-auto-security-release/issues/182) [#185](https://github.com/Th3S4mur41/demo-auto-security-release/issues/185) [#180](https://github.com/Th3S4mur41/demo-auto-security-release/issues/180) [#183](https://github.com/Th3S4mur41/demo-auto-security-release/issues/183) [#178](https://github.com/Th3S4mur41/demo-auto-security-release/issues/178) [#175](https://github.com/Th3S4mur41/demo-auto-security-release/issues/175) [#172](https://github.com/Th3S4mur41/demo-auto-security-release/issues/172) [#187](https://github.com/Th3S4mur41/demo-auto-security-release/issues/187) [#182](https://github.com/Th3S4mur41/demo-auto-security-release/issues/182) [#186](https://github.com/Th3S4mur41/demo-auto-security-release/issues/186) [#185](https://github.com/Th3S4mur41/demo-auto-security-release/issues/185) [#181](https://github.com/Th3S4mur41/demo-auto-security-release/issues/181) [#73](#73) [#125](#125) [#184](https://github.com/Th3S4mur41/demo-auto-security-release/issues/184) [#183](https://github.com/Th3S4mur41/demo-auto-security-release/issues/183) [#180](https://github.com/Th3S4mur41/demo-auto-security-release/issues/180) [#179](https://github.com/Th3S4mur41/demo-auto-security-release/issues/179) [#178](https://github.com/Th3S4mur41/demo-auto-security-release/issues/178)
* **deps-dev:** Bump semantic-release from 22.0.12 to 23.0.0 ([#105](#105)) ([027262e](027262e)), closes [#3105](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3105) [#3079](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3079) [#2085](https://github.com/Th3S4mur41/demo-auto-security-release/issues/2085) [semantic-release/gitlab#647](semantic-release/gitlab#647) [#2085](https://github.com/Th3S4mur41/demo-auto-security-release/issues/2085) [#3079](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3079) [#3111](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3111) [#3136](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3136) [#3134](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3134) [#2085](https://github.com/Th3S4mur41/demo-auto-security-release/issues/2085) [#3079](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3079) [#3128](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3128) [#3126](https://github.com/Th3S4mur41/demo-auto-security-release/issues/3126)
* **deps:** Bump actions/dependency-review-action from 3 to 4 ([#108](#108)) ([4448648](4448648)), closes [actions/dependency-review-action#639](actions/dependency-review-action#639) [actions/dependency-review-action#639](actions/dependency-review-action#639) [actions/dependency-review-action#649](actions/dependency-review-action#649) [actions/dependency-review-action#630](actions/dependency-review-action#630) [actions/dependency-review-action#629](actions/dependency-review-action#629) [actions/dependency-review-action#637](actions/dependency-review-action#637) [actions/dependency-review-action#636](actions/dependency-review-action#636) [actions/dependency-review-action#638](actions/dependency-review-action#638) [actions/dependency-review-action#644](actions/dependency-review-action#644) [actions/dependency-review-action#640](actions/dependency-review-action#640) [actions/dependency-review-action#645](actions/dependency-review-action#645) [actions/dependency-review-action#646](actions/dependency-review-action#646) [actions/dependency-review-action#623](actions/dependency-review-action#623) [actions/dependency-review-action#619](actions/dependency-review-action#619) [actions/dependency-review-action#625](actions/dependency-review-action#625) [actions/dependency-review-action#624](actions/dependency-review-action#624) [actions/dependency-review-action#617](actions/dependency-review-action#617) [actions/dependency-review-action#611](actions/dependency-review-action#611) [#639](https://github.com/Th3S4mur41/demo-auto-security-release/issues/639) [#663](https://github.com/Th3S4mur41/demo-auto-security-release/issues/663) [#661](https://github.com/Th3S4mur41/demo-auto-security-release/issues/661) [#660](https://github.com/Th3S4mur41/demo-auto-security-release/issues/660) [#653](https://github.com/Th3S4mur41/demo-auto-security-release/issues/653)
Racer159 referenced this pull request in zarf-dev/zarf Feb 20, 2024
)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | major | `v2.5.1` -> `v4.1.3` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.3):
4.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)

Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[https://github.com/actions/dependency-review-action/issues/697](https://github.com/actions/dependency-review-action/issues/697)).

**Full Changelog**:
actions/dependency-review-action@v4.1.2...v4.1.3

###
[`v4.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.2):
4.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)

#### What's Changed

- Expose dependency comment content by
[@&#8203;jsoref](https://github.com/jsoref) in
[https://github.com/actions/dependency-review-action/pull/696](https://github.com/actions/dependency-review-action/pull/696)

**Full Changelog**:
actions/dependency-review-action@v4.1.1...v4.1.2

###
[`v4.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.1):
4.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)

#### What's Changed

- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)
- Bump [@&#8203;types/node](https://github.com/types/node) from
20.11.17 to 20.11.19 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/693](https://github.com/actions/dependency-review-action/pull/693)

**Full Changelog**:
actions/dependency-review-action@v4.1.0...v4.1.1

###
[`v4.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.0):
4.1.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add `warn-only` by [@&#8203;tgrall](https://github.com/tgrall) in
[https://github.com/actions/dependency-review-action/pull/432](https://github.com/actions/dependency-review-action/pull/432)

Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.

- Create stale.yaml by
[@&#8203;jonjanego](https://github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/671](https://github.com/actions/dependency-review-action/pull/671)
- Use manual codeql config by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/678](https://github.com/actions/dependency-review-action/pull/678)
- Multiple dependency updates (see the changelog below for more
information)

#### New Contributors

- [@&#8203;jonjanego](https://github.com/jonjanego) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/671](https://github.com/actions/dependency-review-action/pull/671)
- [@&#8203;tgrall](https://github.com/tgrall) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/432](https://github.com/actions/dependency-review-action/pull/432)

**Full Changelog**:
actions/dependency-review-action@v4...v4.1.0

###
[`v4.0.0`](https://github.com/actions/dependency-review-action/releases/tag/v4.0.0)

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)

- Update action to Node 20 by
[@&#8203;takost](https://github.com/takost) in
[https://github.com/actions/dependency-review-action/pull/639](https://github.com/actions/dependency-review-action/pull/639)
-   Dependabot updates, see the full changelog for more details.

#### New Contributors

- [@&#8203;takost](https://github.com/takost) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/639](https://github.com/actions/dependency-review-action/pull/639)

**Full Changelog**:
actions/dependency-review-action@v3.1.5...v4.0.0

###
[`v3.1.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://github.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://github.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://github.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://github.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://github.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://github.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://github.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://github.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://github.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://github.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://github.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
actions/dependency-review-action@v3.1.4...v3.1.5

###
[`v3.1.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://github.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://github.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://github.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://github.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://github.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://github.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.4

###
[`v3.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://github.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.3

###
[`v3.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://github.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.2

###
[`v3.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
actions/dependency-review-action@v3.1.0...v3.1.1

###
[`v3.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://github.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://github.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://github.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://github.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

###
[`v3.0.7`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.7):
3.0.7

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)

#### What's Changed

- Make GHES support / setup more clear by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/actions/dependency-review-action/pull/534](https://github.com/actions/dependency-review-action/pull/534)
- Add an option to deny packages or groups of packages by
[@&#8203;adrienpessu](https://github.com/adrienpessu) in
[https://github.com/actions/dependency-review-action/pull/544](https://github.com/actions/dependency-review-action/pull/544)

#### New Contributors

- [@&#8203;rajbos](https://github.com/rajbos) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/534](https://github.com/actions/dependency-review-action/pull/534)
- [@&#8203;adrienpessu](https://github.com/adrienpessu) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/544](https://github.com/actions/dependency-review-action/pull/544)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.7

###
[`v3.0.6`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.6):
3.0.6

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6)

Fixes a bug introduced in 3.0.5 where we raised PURL errors when
Dependency Graph returns an empty `package_url`.

###
[`v3.0.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.5):
3.0.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5)

#### What's Changed

Thanks to [@&#8203;theztefan](https://github.com/theztefan), we now
have a new `allow-dependencies-licenses` option that takes a list of
dependencies that will be excluded from license checks. See the
[configuration
options](https://github.com/actions/dependency-review-action#configuration-options)
for more information on how to use it.

- Exclude dependencies from license checks by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)
- Documentation examples by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)
- Show snapshot warnings in the summary by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/439](https://github.com/actions/dependency-review-action/pull/439)
- Fix default values for fail-on-severity by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/451](https://github.com/actions/dependency-review-action/pull/451)
-   Updated dependencies.

#### New Contributors

- [@&#8203;juxtin](https://github.com/juxtin) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/439](https://github.com/actions/dependency-review-action/pull/439)
- [@&#8203;theztefan](https://github.com/theztefan) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.5

###
[`v3.0.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.4):
3.0.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4)

#### What's New?

The Action can now publish a comment in the pull request if the
`comment-summary-in-pr` option is set. More information can be found in
the
[README](https://github.com/actions/dependency-review-action#configuration-options).

#### New Contributors

- [@&#8203;davelosert](https://github.com/davelosert) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/393](https://github.com/actions/dependency-review-action/pull/393)

#### Changelog

- Write Summary as comment to the pull request by
[@&#8203;davelosert](https://github.com/davelosert) in
[https://github.com/actions/dependency-review-action/pull/393](https://github.com/actions/dependency-review-action/pull/393)
- Adjust summary format by
[@&#8203;davelosert](https://github.com/davelosert) in
[https://github.com/actions/dependency-review-action/pull/416](https://github.com/actions/dependency-review-action/pull/416)
-   Security updates.

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.4

###
[`v3.0.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.3):
3.0.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3)

#### What's Changed

- Use cache in check-dist.yml by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/dependency-review-action/pull/359](https://github.com/actions/dependency-review-action/pull/359)
- Fix Dependency Review API response error handling by
[@&#8203;felickz](https://github.com/felickz) in
[https://github.com/actions/dependency-review-action/pull/370](https://github.com/actions/dependency-review-action/pull/370)
-   Security updates

#### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/359](https://github.com/actions/dependency-review-action/pull/359)
- [@&#8203;felickz](https://github.com/felickz) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/370](https://github.com/actions/dependency-review-action/pull/370)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.3

###
[`v3.0.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.2):
3.0.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2)

This release fixes spelling errors
[https://github.com/actions/dependency-review-action/pull/348](https://github.com/actions/dependency-review-action/pull/348)
and upgrades dependencies to fix known vulnerabilities

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.2

###
[`v3.0.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.1):
3.0.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1)

This release contains the following bugfixes:

- Fixing API URL for GHES:
[https://github.com/actions/dependency-review-action/pull/331](https://github.com/actions/dependency-review-action/pull/331)
- Improve list handling for external config files:
[https://github.com/actions/dependency-review-action/pull/330](https://github.com/actions/dependency-review-action/pull/330)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.1

###
[`v3.0.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.0):
3.0.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0)

#### Breaking Changes

By default the action now expects [SPDX-compliant
licenses](https://spdx.org/licenses/) everywhere. If you were previously
using license names in the allow or deny lists make sure they're valid!

#### What's Changed

##### Support for external configuration files

You can now specify a [configuration file external to your
repository](https://github.com/actions/dependency-review-action/#configuration-file).
This allows organizations to have a single configuration file for all
their repos.

##### Broader license support

We've added support for a much broader set of project licenses by using
GitHub's [Licenses API](https://docs.github.com/en/rest/licenses).

##### SPDX Compliance

All of our license-related code now expects [SPDX-compliant licenses or
expressions](https://spdx.org/licenses/). This allows us to standardize
on a license naming scheme that already supports `OR`/`AND` expressions.

##### Disable individual checks

You can now use the boolean options `license-check` and
`vulnerability-check` to disable either one of the checks. More
information in [our configuration
options](https://github.com/actions/dependency-review-action/#configuration-options).

#### Thanks

Contributors for this release include:

-   [@&#8203;cnagadya](https://github.com/cnagadya)
-   [@&#8203;courtneycl](https://github.com/courtneycl)
-   [@&#8203;ericcornelissen](https://github.com/ericcornelissen)
-   [@&#8203;elireisman](https://github.com/elireisman)
-   [@&#8203;hmaurer](https://github.com/hmaurer)

Thanks everyone!
**Full Changelog**:
actions/dependency-review-action@v2...v3.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMDAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIwMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
laurentsimon referenced this pull request in slsa-framework/slsa-verifier Mar 22, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | patch | `v3.1.0` -> `v3.1.5` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.22.1` -> `v2.24.8` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.1` |
|
[slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.9.0` -> `v1.10.0` |
|
[slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
| action | patch | `v2.4.0` -> `v2.4.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://github.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://github.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://github.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://github.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://github.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://github.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://github.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://github.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://github.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://github.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://github.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
actions/dependency-review-action@v3.1.4...v3.1.5

###
[`v3.1.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://github.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://github.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://github.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://github.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://github.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://github.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.4

###
[`v3.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://github.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.3

###
[`v3.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://github.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.2

###
[`v3.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
actions/dependency-review-action@v3.1.0...v3.1.1

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.2`](https://github.com/actions/setup-node/releases/tag/v3.8.2)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.8.1...v3.8.2)

##### What's Changed

- Update semver by
[@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov) in
[https://github.com/actions/setup-node/pull/861](https://github.com/actions/setup-node/pull/861)
- Update temp directory creation by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/859](https://github.com/actions/setup-node/pull/859)
- Bump [@&#8203;babel/traverse](https://github.com/babel/traverse)
from 7.15.4 to 7.23.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/setup-node/pull/870](https://github.com/actions/setup-node/pull/870)
- Add notice about binaries not being updated yet by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/872](https://github.com/actions/setup-node/pull/872)
- Update toolkit cache and core by
[@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov) and
[@&#8203;seongwon-privatenote](https://github.com/seongwon-privatenote)
in
[https://github.com/actions/setup-node/pull/875](https://github.com/actions/setup-node/pull/875)

**Full Changelog**:
actions/setup-node@v3...v3.8.2

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.8`](https://github.com/github/codeql-action/compare/v2.24.7...v2.24.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.7...v2.24.8)

###
[`v2.24.7`](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

###
[`v2.24.6`](https://github.com/github/codeql-action/compare/v2.24.5...v2.24.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.5...v2.24.6)

###
[`v2.24.5`](https://github.com/github/codeql-action/compare/v2.24.4...v2.24.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.4...v2.24.5)

###
[`v2.24.4`](https://github.com/github/codeql-action/compare/v2.24.3...v2.24.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.3...v2.24.4)

###
[`v2.24.3`](https://github.com/github/codeql-action/compare/v2.24.2...v2.24.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.2...v2.24.3)

###
[`v2.24.2`](https://github.com/github/codeql-action/compare/v2.24.1...v2.24.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.1...v2.24.2)

###
[`v2.24.1`](https://github.com/github/codeql-action/compare/v2.24.0...v2.24.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.0...v2.24.1)

###
[`v2.24.0`](https://github.com/github/codeql-action/compare/v2.23.2...v2.24.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.2...v2.24.0)

###
[`v2.23.2`](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

###
[`v2.23.1`](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

###
[`v2.23.0`](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

###
[`v2.22.12`](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

###
[`v2.22.11`](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

###
[`v2.22.10`](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

###
[`v2.22.9`](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

###
[`v2.22.8`](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

###
[`v2.22.7`](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

###
[`v2.22.6`](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

###
[`v2.22.5`](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

###
[`v2.22.4`](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

###
[`v2.22.3`](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

###
[`v2.22.2`](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://github.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://github.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release \[v1.10.0] includes bug fixes and new features.

See the [full change
list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://github.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://github.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://github.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://github.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.1`](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1)

[Compare
Source](https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1)

#### What's Changed

- Fix a verification issue when verifying npm's publish attestations -
Low severity
GHSA-r2xv-vpr2-42m9.
This part of the code remains *experimental*.

#### New Contributors

- [@&#8203;trishankatdatadog](https://github.com/trishankatdatadog)
made their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/702](https://github.com/slsa-framework/slsa-verifier/pull/702)

**Full Changelog**:
v2.4.0...v2.4.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Racer159 referenced this pull request in defenseunicorns/uds-package-mattermost Mar 29, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action |
major | `v3.6.0` -> `v4.1.1` |
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | major | `v2.5.1` -> `v4.2.5` |
|
[actions/upload-artifact](https://github.com/actions/upload-artifact)
| action | minor | `v4.0.0` -> `v4.3.1` |
|
[defenseunicorns/uds-common](https://github.com/defenseunicorns/uds-common)
| | patch | `v0.3.3` -> `v0.3.9` |
|
[defenseunicorns/uds-common](https://github.com/defenseunicorns/uds-common)
| action | patch | `v0.3.3` -> `v0.3.9` |
|
[defenseunicorns/uds-common-tasks](https://github.com/defenseunicorns/uds-common-tasks)
| | patch | `v0.3.3` -> `v0.3.9` |
| [defenseunicorns/zarf](https://github.com/defenseunicorns/zarf) | |
minor | `v0.29.1` -> `v0.32.6` |
| [docker/login-action](https://github.com/docker/login-action) |
action | digest | `343f7c4` -> `e92390c` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v3.22.12` -> `v3.24.9` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | major | `v2.24.5` -> `v3.24.9` |
| [golangci/golangci-lint](https://github.com/golangci/golangci-lint)
| repository | minor | `v1.55.2` -> `v1.57.2` |
|
[google-github-actions/release-please-action](https://github.com/google-github-actions/release-please-action)
| action | minor | `v4.0.2` -> `v4.1.0` |
|
[python-jsonschema/check-jsonschema](https://github.com/python-jsonschema/check-jsonschema)
| repository | minor | `0.27.4` -> `0.28.0` |
|
[renovatebot/pre-commit-hooks](https://github.com/renovatebot/pre-commit-hooks)
| repository | minor | `37.165.5` -> `37.275.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

Note: The `pre-commit` manager in Renovate is not supported by the
`pre-commit` maintainers or community. Please do not report any problems
there, instead [create a Discussion in the Renovate
repository](https://github.com/renovatebot/renovate/discussions/new)
if you have any questions.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.1`](https://github.com/actions/checkout/releases/tag/v4.1.1)

[Compare
Source](https://github.com/actions/checkout/compare/v4.1.0...v4.1.1)

##### What's Changed

- Update CODEOWNERS to Launch team by
[@&#8203;joshmgross](https://github.com/joshmgross) in
[https://github.com/actions/checkout/pull/1510](https://github.com/actions/checkout/pull/1510)
- Correct link to GitHub Docs by
[@&#8203;peterbe](https://github.com/peterbe) in
[https://github.com/actions/checkout/pull/1511](https://github.com/actions/checkout/pull/1511)
- Link to release page from what's new section by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1514](https://github.com/actions/checkout/pull/1514)

##### New Contributors

- [@&#8203;joshmgross](https://github.com/joshmgross) made their first
contribution in
[https://github.com/actions/checkout/pull/1510](https://github.com/actions/checkout/pull/1510)
- [@&#8203;peterbe](https://github.com/peterbe) made their first
contribution in
[https://github.com/actions/checkout/pull/1511](https://github.com/actions/checkout/pull/1511)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410)

[Compare
Source](https://github.com/actions/checkout/compare/v4.0.0...v4.1.0)

- [Add support for partial checkout
filters](https://github.com/actions/checkout/pull/1396)

###
[`v4.0.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400)

[Compare
Source](https://github.com/actions/checkout/compare/v3.6.0...v4.0.0)

- [Support fetching without the --progress
option](https://github.com/actions/checkout/pull/1067)
-   [Update to node20](https://github.com/actions/checkout/pull/1436)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.2.5`](https://github.com/actions/dependency-review-action/releases/tag/v4.2.5):
4.2.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5)

#### What's Changed

- Fixed a bug where some configuration options in external files were
not being properly picked up --
[https://github.com/actions/dependency-review-action/pull/722](https://github.com/actions/dependency-review-action/pull/722)
-   Bump eslint from 8.56.0 to 8.57.0

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5

###
[`v4.2.4`](https://github.com/actions/dependency-review-action/releases/tag/v4.2.4)

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4)

#### What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

#### New Contributors

- [@&#8203;sporkmonger](https://github.com/sporkmonger) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/721](https://github.com/actions/dependency-review-action/pull/721)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4

###
[`v4.2.3`](https://github.com/actions/dependency-review-action/releases/tag/v4.2.3):
4.2.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3)

#### What's Changed

- Set comment as output by [@&#8203;jsoref](https://github.com/jsoref)
in
[https://github.com/actions/dependency-review-action/pull/698](https://github.com/actions/dependency-review-action/pull/698)
- Add support for calculating OpenSSF Scorecards by
[@&#8203;jhutchings1](https://github.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/709](https://github.com/actions/dependency-review-action/pull/709)
- Add outputs for the changes data by
[@&#8203;laughedelic](https://github.com/laughedelic) in
[https://github.com/actions/dependency-review-action/pull/707](https://github.com/actions/dependency-review-action/pull/707)

#### New Contributors

- [@&#8203;jhutchings1](https://github.com/jhutchings1) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/709](https://github.com/actions/dependency-review-action/pull/709)
- [@&#8203;laughedelic](https://github.com/laughedelic) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/707](https://github.com/actions/dependency-review-action/pull/707)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3

###
[`v4.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.3):
4.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)

Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[https://github.com/actions/dependency-review-action/issues/697](https://github.com/actions/dependency-review-action/issues/697)).

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3

###
[`v4.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.2):
4.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)

#### What's Changed

- Expose dependency comment content by
[@&#8203;jsoref](https://github.com/jsoref) in
[https://github.com/actions/dependency-review-action/pull/696](https://github.com/actions/dependency-review-action/pull/696)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2

###
[`v4.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.1):
4.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)

#### What's Changed

- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)
- Bump [@&#8203;types/node](https://github.com/types/node) from
20.11.17 to 20.11.19 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/693](https://github.com/actions/dependency-review-action/pull/693)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v4.1.0):
4.1.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add `warn-only` by [@&#8203;tgrall](https://github.com/tgrall) in
[https://github.com/actions/dependency-review-action/pull/432](https://github.com/actions/dependency-review-action/pull/432)

Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.

- Create stale.yaml by
[@&#8203;jonjanego](https://github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/671](https://github.com/actions/dependency-review-action/pull/671)
- Use manual codeql config by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/678](https://github.com/actions/dependency-review-action/pull/678)
- Multiple dependency updates (see the changelog below for more
information)

#### New Contributors

- [@&#8203;jonjanego](https://github.com/jonjanego) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/671](https://github.com/actions/dependency-review-action/pull/671)
- [@&#8203;tgrall](https://github.com/tgrall) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/432](https://github.com/actions/dependency-review-action/pull/432)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.1.0

###
[`v4.0.0`](https://github.com/actions/dependency-review-action/releases/tag/v4.0.0)

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)

- Update action to Node 20 by
[@&#8203;takost](https://github.com/takost) in
[https://github.com/actions/dependency-review-action/pull/639](https://github.com/actions/dependency-review-action/pull/639)
-   Dependabot updates, see the full changelog for more details.

#### New Contributors

- [@&#8203;takost](https://github.com/takost) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/639](https://github.com/actions/dependency-review-action/pull/639)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0

###
[`v3.1.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://github.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://github.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://github.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://github.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://github.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://github.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://github.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://github.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://github.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://github.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://github.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5

###
[`v3.1.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://github.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://github.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://github.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://github.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://github.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://github.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.4

###
[`v3.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://github.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.3

###
[`v3.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://github.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.2

###
[`v3.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1

###
[`v3.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://github.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://github.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.0

###
[`v3.0.8`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://github.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://github.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.8

###
[`v3.0.7`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.7):
3.0.7

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)

#### What's Changed

- Make GHES support / setup more clear by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/actions/dependency-review-action/pull/534](https://github.com/actions/dependency-review-action/pull/534)
- Add an option to deny packages or groups of packages by
[@&#8203;adrienpessu](https://github.com/adrienpessu) in
[https://github.com/actions/dependency-review-action/pull/544](https://github.com/actions/dependency-review-action/pull/544)

#### New Contributors

- [@&#8203;rajbos](https://github.com/rajbos) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/534](https://github.com/actions/dependency-review-action/pull/534)
- [@&#8203;adrienpessu](https://github.com/adrienpessu) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/544](https://github.com/actions/dependency-review-action/pull/544)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.7

###
[`v3.0.6`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.6):
3.0.6

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6)

Fixes a bug introduced in 3.0.5 where we raised PURL errors when
Dependency Graph returns an empty `package_url`.

###
[`v3.0.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.5):
3.0.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5)

#### What's Changed

Thanks to [@&#8203;theztefan](https://github.com/theztefan), we now
have a new `allow-dependencies-licenses` option that takes a list of
dependencies that will be excluded from license checks. See the
[configuration
options](https://github.com/actions/dependency-review-action#configuration-options)
for more information on how to use it.

- Exclude dependencies from license checks by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)
- Documentation examples by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)
- Show snapshot warnings in the summary by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/439](https://github.com/actions/dependency-review-action/pull/439)
- Fix default values for fail-on-severity by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/451](https://github.com/actions/dependency-review-action/pull/451)
-   Updated dependencies.

#### New Contributors

- [@&#8203;juxtin](https://github.com/juxtin) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/439](https://github.com/actions/dependency-review-action/pull/439)
- [@&#8203;theztefan](https://github.com/theztefan) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/423](https://github.com/actions/dependency-review-action/pull/423)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.5

###
[`v3.0.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.4):
3.0.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4)

#### What's New?

The Action can now publish a comment in the pull request if the
`comment-summary-in-pr` option is set. More information can be found in
the
[README](https://github.com/actions/dependency-review-action#configuration-options).

#### New Contributors

- [@&#8203;davelosert](https://github.com/davelosert) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/393](https://github.com/actions/dependency-review-action/pull/393)

#### Changelog

- Write Summary as comment to the pull request by
[@&#8203;davelosert](https://github.com/davelosert) in
[https://github.com/actions/dependency-review-action/pull/393](https://github.com/actions/dependency-review-action/pull/393)
- Adjust summary format by
[@&#8203;davelosert](https://github.com/davelosert) in
[https://github.com/actions/dependency-review-action/pull/416](https://github.com/actions/dependency-review-action/pull/416)
-   Security updates.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.4

###
[`v3.0.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.3):
3.0.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3)

#### What's Changed

- Use cache in check-dist.yml by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/dependency-review-action/pull/359](https://github.com/actions/dependency-review-action/pull/359)
- Fix Dependency Review API response error handling by
[@&#8203;felickz](https://github.com/felickz) in
[https://github.com/actions/dependency-review-action/pull/370](https://github.com/actions/dependency-review-action/pull/370)
-   Security updates

#### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/359](https://github.com/actions/dependency-review-action/pull/359)
- [@&#8203;felickz](https://github.com/felickz) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/370](https://github.com/actions/dependency-review-action/pull/370)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.3

###
[`v3.0.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.2):
3.0.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2)

This release fixes spelling errors
[https://github.com/actions/dependency-review-action/pull/348](https://github.com/actions/dependency-review-action/pull/348)
and upgrades dependencies to fix known vulnerabilities

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.2

###
[`v3.0.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.1):
3.0.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1)

This release contains the following bugfixes:

- Fixing API URL for GHES:
[https://github.com/actions/dependency-review-action/pull/331](https://github.com/actions/dependency-review-action/pull/331)
- Improve list handling for external config files:
[https://github.com/actions/dependency-review-action/pull/330](https://github.com/actions/dependency-review-action/pull/330)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.1

###
[`v3.0.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.0):
3.0.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0)

#### Breaking Changes

By default the action now expects [SPDX-compliant
licenses](https://spdx.org/licenses/) everywhere. If you were previously
using license names in the allow or deny lists make sure they're valid!

#### What's Changed

##### Support for external configuration files

You can now specify a [configuration file external to your
repository](https://github.com/actions/dependency-review-action/#configuration-file).
This allows organizations to have a single configuration file for all
their repos.

##### Broader license support

We've added support for a much broader set of project licenses by using
GitHub's [Licenses API](https://docs.github.com/en/rest/licenses).

##### SPDX Compliance

All of our license-related code now expects [SPDX-compliant licenses or
expressions](https://spdx.org/licenses/). This allows us to standardize
on a license naming scheme that already supports `OR`/`AND` expressions.

##### Disable individual checks

You can now use the boolean options `license-check` and
`vulnerability-check` to disable either one of the checks. More
information in [our configuration
options](https://github.com/actions/dependency-review-action/#configuration-options).

#### Thanks

Contributors for this release include:

-   [@&#8203;cnagadya](https://github.com/cnagadya)
-   [@&#8203;courtneycl](https://github.com/courtneycl)
-   [@&#8203;ericcornelissen](https://github.com/ericcornelissen)
-   [@&#8203;elireisman](https://github.com/elireisman)
-   [@&#8203;hmaurer](https://github.com/hmaurer)

Thanks everyone!
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v2...v3.0.0

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.1`](https://github.com/actions/upload-artifact/releases/tag/v4.3.1)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)

- Bump
[@&#8203;actions/artifacts](https://github.com/actions/artifacts) to
latest version to include [updated GHES host
check](https://github.com/actions/toolkit/pull/1648)

###
[`v4.3.0`](https://github.com/actions/upload-artifact/releases/tag/v4.3.0)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)

##### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/504](https://github.com/actions/upload-artifact/pull/504)
- Add sub-action to merge artifacts by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/505](https://github.com/actions/upload-artifact/pull/505)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.3.0

###
[`v4.2.0`](https://github.com/actions/upload-artifact/releases/tag/v4.2.0)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v4.1.0...v4.2.0)

##### What's Changed

- Ability to overwrite an Artifact by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/501](https://github.com/actions/upload-artifact/pull/501)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.2.0

###
[`v4.1.0`](https://github.com/actions/upload-artifact/releases/tag/v4.1.0)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add migrations docs by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/482](https://github.com/actions/upload-artifact/pull/482)
- Update README.md by
[@&#8203;samuelwine](https://github.com/samuelwine) in
[https://github.com/actions/upload-artifact/pull/492](https://github.com/actions/upload-artifact/pull/492)
- Support artifact-url output by
[@&#8203;konradpabjan](https://github.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/496](https://github.com/actions/upload-artifact/pull/496)
- Update readme to reflect new 500 artifact per job limit by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/497](https://github.com/actions/upload-artifact/pull/497)

#### New Contributors

- [@&#8203;samuelwine](https://github.com/samuelwine) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/492](https://github.com/actions/upload-artifact/pull/492)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.1.0

</details>

<details>
<summary>defenseunicorns/uds-common
(defenseunicorns/uds-common)</summary>

###
[`v0.3.9`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.9)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.8...v0.3.9)

##### Miscellaneous

- fix missing keys in setup actions
([#&#8203;93](https://github.com/defenseunicorns/uds-common/issues/93))
([39d7395](https://github.com/defenseunicorns/uds-common/commit/39d73955ebb35f4e844a45fe23a7acf7d65d239a))

###
[`v0.3.8`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.8)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.7...v0.3.8)

##### Miscellaneous

- add upgrade tests to common
([#&#8203;91](https://github.com/defenseunicorns/uds-common/issues/91))
([bb2e590](https://github.com/defenseunicorns/uds-common/commit/bb2e59021355172db2cfcca7dbf5a2434ce41b6d))
- **deps:** update dependency defenseunicorns/uds-cli to v0.10.1
([#&#8203;84](https://github.com/defenseunicorns/uds-common/issues/84))
([6b455b7](https://github.com/defenseunicorns/uds-common/commit/6b455b7cef8ddab022c758a6309d8993f0a564b7))
- **deps:** update dependency defenseunicorns/uds-core to v0.17.0
([#&#8203;83](https://github.com/defenseunicorns/uds-common/issues/83))
([b8d8181](https://github.com/defenseunicorns/uds-common/commit/b8d818165c7c676f56898c2d15ae14a2f7ff5f0c))
- **deps:** update uds common package dependencies to v6.6.1
([#&#8203;92](https://github.com/defenseunicorns/uds-common/issues/92))
([862b635](https://github.com/defenseunicorns/uds-common/commit/862b63512b4b53ff963b85e25e8011818bb8e4e3))
- update registry login to happen in the common env setup action
([#&#8203;88](https://github.com/defenseunicorns/uds-common/issues/88))
([b7bce88](https://github.com/defenseunicorns/uds-common/commit/b7bce888d1d62c5d382d7d88a54e59da72e0d3ae))

###
[`v0.3.7`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.7)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.6...v0.3.7)

##### Miscellaneous

- remove schedule on renovate
([#&#8203;85](https://github.com/defenseunicorns/uds-common/issues/85))
([fda7e57](https://github.com/defenseunicorns/uds-common/commit/fda7e57ad878cc70bf3905948911daa84c67db27))
- update k3d-core-istio-dev to k3d-core-slim-dev
([#&#8203;86](https://github.com/defenseunicorns/uds-common/issues/86))
([aa0e6da](https://github.com/defenseunicorns/uds-common/commit/aa0e6dad40126ead465b102ea28a3ac961883493))

###
[`v0.3.6`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.6)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.5...v0.3.6)

##### Miscellaneous

- hotfix the spoof containing a dash in the input and add a publish step
([#&#8203;81](https://github.com/defenseunicorns/uds-common/issues/81))
([f9c7aac](https://github.com/defenseunicorns/uds-common/commit/f9c7aac4a30e5c3e627c44946f2f212af1573b39))

###
[`v0.3.5`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.5)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.4...v0.3.5)

##### Miscellaneous

- fix spoof to not include a dash
([#&#8203;79](https://github.com/defenseunicorns/uds-common/issues/79))
([5d1738b](https://github.com/defenseunicorns/uds-common/commit/5d1738ba0ca2cd19c7fdf6dfe6873339e129c3bb))

###
[`v0.3.4`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.4)

[Compare
Source](https://github.com/defenseunicorns/uds-common/compare/v0.3.3...v0.3.4)

##### Miscellaneous

- add the ability to spoof to common
([#&#8203;77](https://github.com/defenseunicorns/uds-common/issues/77))
([49634e1](https://github.com/defenseunicorns/uds-common/commit/49634e1b69c6b2eadcc2497f6baba8bd349f3d38))
- **deps:** update dependency defenseunicorns/uds-core to v0.16.1
([#&#8203;72](https://github.com/defenseunicorns/uds-common/issues/72))
([32d1ad6](https://github.com/defenseunicorns/uds-common/commit/32d1ad6812a3ef6ad750447296f5644b14ff2855))

</details>

<details>
<summary>defenseunicorns/uds-common-tasks
(defenseunicorns/uds-common-tasks)</summary>

###
[`v0.3.9`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.9)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.8...v0.3.9)

##### Miscellaneous

- fix missing keys in setup actions
([#&#8203;93](https://github.com/defenseunicorns/uds-common/issues/93))
([39d7395](https://github.com/defenseunicorns/uds-common/commit/39d73955ebb35f4e844a45fe23a7acf7d65d239a))

###
[`v0.3.8`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.8)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.7...v0.3.8)

##### Miscellaneous

- add upgrade tests to common
([#&#8203;91](https://github.com/defenseunicorns/uds-common/issues/91))
([bb2e590](https://github.com/defenseunicorns/uds-common/commit/bb2e59021355172db2cfcca7dbf5a2434ce41b6d))
- **deps:** update dependency defenseunicorns/uds-cli to v0.10.1
([#&#8203;84](https://github.com/defenseunicorns/uds-common/issues/84))
([6b455b7](https://github.com/defenseunicorns/uds-common/commit/6b455b7cef8ddab022c758a6309d8993f0a564b7))
- **deps:** update dependency defenseunicorns/uds-core to v0.17.0
([#&#8203;83](https://github.com/defenseunicorns/uds-common/issues/83))
([b8d8181](https://github.com/defenseunicorns/uds-common/commit/b8d818165c7c676f56898c2d15ae14a2f7ff5f0c))
- **deps:** update uds common package dependencies to v6.6.1
([#&#8203;92](https://github.com/defenseunicorns/uds-common/issues/92))
([862b635](https://github.com/defenseunicorns/uds-common/commit/862b63512b4b53ff963b85e25e8011818bb8e4e3))
- update registry login to happen in the common env setup action
([#&#8203;88](https://github.com/defenseunicorns/uds-common/issues/88))
([b7bce88](https://github.com/defenseunicorns/uds-common/commit/b7bce888d1d62c5d382d7d88a54e59da72e0d3ae))

###
[`v0.3.7`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.7)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.6...v0.3.7)

##### Miscellaneous

- remove schedule on renovate
([#&#8203;85](https://github.com/defenseunicorns/uds-common/issues/85))
([fda7e57](https://github.com/defenseunicorns/uds-common/commit/fda7e57ad878cc70bf3905948911daa84c67db27))
- update k3d-core-istio-dev to k3d-core-slim-dev
([#&#8203;86](https://github.com/defenseunicorns/uds-common/issues/86))
([aa0e6da](https://github.com/defenseunicorns/uds-common/commit/aa0e6dad40126ead465b102ea28a3ac961883493))

###
[`v0.3.6`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.6)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.5...v0.3.6)

##### Miscellaneous

- hotfix the spoof containing a dash in the input and add a publish step
([#&#8203;81](https://github.com/defenseunicorns/uds-common/issues/81))
([f9c7aac](https://github.com/defenseunicorns/uds-common/commit/f9c7aac4a30e5c3e627c44946f2f212af1573b39))

###
[`v0.3.5`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.5)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.4...v0.3.5)

##### Miscellaneous

- fix spoof to not include a dash
([#&#8203;79](https://github.com/defenseunicorns/uds-common/issues/79))
([5d1738b](https://github.com/defenseunicorns/uds-common/commit/5d1738ba0ca2cd19c7fdf6dfe6873339e129c3bb))

###
[`v0.3.4`](https://github.com/defenseunicorns/uds-common/releases/tag/v0.3.4)

[Compare
Source](https://github.com/defenseunicorns/uds-common-tasks/compare/v0.3.3...v0.3.4)

##### Miscellaneous

- add the ability to spoof to common
([#&#8203;77](https://github.com/defenseunicorns/uds-common/issues/77))
([49634e1](https://github.com/defenseunicorns/uds-common/commit/49634e1b69c6b2eadcc2497f6baba8bd349f3d38))
- **deps:** update dependency defenseunicorns/uds-core to v0.16.1
([#&#8203;72](https://github.com/defenseunicorns/uds-common/issues/72))
([32d1ad6](https://github.com/defenseunicorns/uds-common/commit/32d1ad6812a3ef6ad750447296f5644b14ff2855))

</details>

<details>
<summary>defenseunicorns/zarf (defenseunicorns/zarf)</summary>

###
[`v0.32.6`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32.6)

[Compare
Source](https://github.com/defenseunicorns/zarf/compare/v0.32.5...v0.32.6)

##### \[0.32.6] - 2024-03-22

> trying out some different release note generators, formatting may vary
for a few releases while we figure out what works best
~[@&#8203;Noxsios](https://github.com/Noxsios)

##### 🚀 Features

- \[**ALPHA**] feat: package generation ALPHA by
[@&#8203;andrewg-xyz](https://github.com/andrewg-xyz) in
[#&#8203;2269](https://github.com/defenseunicorns/zarf/pull/2269)
- *(lib)* feat(lib): configurable log file location by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2380](https://github.com/defenseunicorns/zarf/pull/2380)
- \[**BREAKING**] feat!: filter package components with strategy
interface by [@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2321](https://github.com/defenseunicorns/zarf/pull/2321)

##### 🐛 Bug Fixes

- fix: refactor create stages into separate lib by
[@&#8203;lucasrod16](https://github.com/lucasrod16) in
[#&#8203;2223](https://github.com/defenseunicorns/zarf/pull/2223)
- fix: handle registry caBundle as a multiline string by
[@&#8203;AbrohamLincoln](https://github.com/AbrohamLincoln) in
[#&#8203;2381](https://github.com/defenseunicorns/zarf/pull/2381)
- *(regression)* fix: populate `p.sbomViewFiles` on `deploy` and
`mirror` by [@&#8203;lucasrod16](https://github.com/lucasrod16) in
[#&#8203;2386](https://github.com/defenseunicorns/zarf/pull/2386)
- fix: allow absolute paths for differential packages by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2397](https://github.com/defenseunicorns/zarf/pull/2397)
- fix: hotfix skeleton publish by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2398](https://github.com/defenseunicorns/zarf/pull/2398)

##### 🚜 Refactor

- refactor: split helpers/exec libs by
[@&#8203;Racer159](https://github.com/Racer159) in
[#&#8203;2379](https://github.com/defenseunicorns/zarf/pull/2379)

##### 🧪 Testing

- test: data injection flake by
[@&#8203;lucasrod16](https://github.com/lucasrod16) in
[#&#8203;2361](https://github.com/defenseunicorns/zarf/pull/2361)

##### ⚙️ Miscellaneous Tasks

- ci: add commitlint workflow and update contributing guide by
[@&#8203;lucasrod16](https://github.com/lucasrod16) in
[#&#8203;2391](https://github.com/defenseunicorns/zarf/pull/2391)

##### 🛡️ Security

- *(release)* build: create PRs on `homebrew-tap` by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2385](https://github.com/defenseunicorns/zarf/pull/2385)

**Full Changelog**:
https://github.com/defenseunicorns/zarf/compare/v0.32.5...v0.32.6

###
[`v0.32.5`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32.5)

[Compare
Source](https://github.com/defenseunicorns/zarf/compare/v0.32.4...v0.32.5)

##### \[0.32.5] - 2024-03-11

> trying out some different release note generators, formatting may vary
for a few releases while we figure out what works best
~[@&#8203;Noxsios](https://github.com/Noxsios)

##### 🚀 Features

- feat: add missing vendored tool version commands by
[@&#8203;eddiezane](https://github.com/eddiezane) in
[#&#8203;2232](https://github.com/defenseunicorns/zarf/pull/2232)
- feat: add `--why` flag for `zarf dev find-images` by
[@&#8203;waveywaves](https://github.com/waveywaves) in
[#&#8203;2309](https://github.com/defenseunicorns/zarf/pull/2309)
- feat: set variables on find images by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2282](https://github.com/defenseunicorns/zarf/pull/2282)
- feat: add configurable backoff and retries for Zarf operations by
[@&#8203;Racer159](https://github.com/Racer159) in
[#&#8203;2345](https://github.com/defenseunicorns/zarf/pull/2345)

##### 🐛 Bug Fixes

- *(deps)*: update github.com/anchore/clio digest to
[`abcb719`](https://github.com/defenseunicorns/zarf/commit/abcb719) by
[@&#8203;renovate](https://github.com/renovate)\[bot] in
[#&#8203;2347](https://github.com/defenseunicorns/zarf/pull/2347)
- *(ci)*: change ECR image to docker.io image by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2353](https://github.com/defenseunicorns/zarf/pull/2353)
- fix: added OCI Image Index mediaType by
[@&#8203;mdaizcorbe](https://github.com/mdaizcorbe) in
[#&#8203;2352](https://github.com/defenseunicorns/zarf/pull/2352)
- fix: package publish progress bar frozen at zero by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2367](https://github.com/defenseunicorns/zarf/pull/2367)
- *(release)* hotfix `publish` not respecting source package
architecture by [@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2376](https://github.com/defenseunicorns/zarf/pull/2376)

##### 📚 Documentation

- chore: fix spelling by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2333](https://github.com/defenseunicorns/zarf/pull/2333)
- docs: formatting and grammar by
[@&#8203;beholdenkey](https://github.com/beholdenkey) in
[#&#8203;2350](https://github.com/defenseunicorns/zarf/pull/2350)

##### ⚙️ Miscellaneous Tasks

- chore: sorted go imports by
[@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) in
[#&#8203;2349](https://github.com/defenseunicorns/zarf/pull/2349)
- chore: fix bb test by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2340](https://github.com/defenseunicorns/zarf/pull/2340)
- chore: update CODEOWNERS with
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) by
[@&#8203;Racer159](https://github.com/Racer159) in
[#&#8203;2354](https://github.com/defenseunicorns/zarf/pull/2354)
- chore: refactor and purify the OCI library within Zarf by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2235](https://github.com/defenseunicorns/zarf/pull/2235)
- chore: default to temp zarf cache in e2e tests by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[#&#8203;2355](https://github.com/defenseunicorns/zarf/pull/2355)

##### 🛡️ Security

- chore: configure agent server to avoid slowloris attack by
[@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) in
[#&#8203;2342](https://github.com/defenseunicorns/zarf/pull/2342)
- chore: fix implicit memory aliasing in for loop by
[@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) in
[#&#8203;2341](https://github.com/defenseunicorns/zarf/pull/2341)
- *(release)*: update release workflow to use token from gh app by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2368](https://github.com/defenseunicorns/zarf/pull/2368)
- *(release)*: use release environment secrets by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[#&#8203;2374](https://github.com/defenseunicorns/zarf/pull/2374)

##### First Time Contributors

- [@&#8203;eddiezane](https://github.com/eddiezane) made their first
contribution in
[#&#8203;2232](https://github.com/defenseunicorns/zarf/issues/2232)
- [@&#8203;beholdenkey](https://github.com/beholdenkey) made their
first contribution in
[#&#8203;2350](https://github.com/defenseunicorns/zarf/issues/2350)
- [@&#8203;mdaizcorbe](https://github.com/mdaizcorbe) made their first
contribution in
[#&#8203;2352](https://github.com/defenseunicorns/zarf/issues/2352)

**Full Changelog**:
https://github.com/defenseunicorns/zarf/compare/v0.32.4...v0.32.5

###
[`v0.32.4`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32.4)

[Compare
Source](https://github.com/defenseunicorns/zarf/compare/v0.32.3...v0.32.4)

##### What's Changed

##### Fixes

- Improve `cmd` failure messaging when no timeout or retries are given
by [@&#8203;docandrew](https://github.com/docandrew) in
[https://github.com/defenseunicorns/zarf/pull/2301](https://github.com/defenseunicorns/zarf/pull/2301)
- Revert init package storageclass checks for git server and seed
registry by [@&#8203;lucasrod16](https://github.com/lucasrod16) in
[https://github.com/defenseunicorns/zarf/pull/2311](https://github.com/defenseunicorns/zarf/pull/2311)
- Fix multi-part tarballs being mismatched sizes by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2314](https://github.com/defenseunicorns/zarf/pull/2314)
- Change text template detection to check first *and* last 512 bytes by
[@&#8203;WeaponX314](https://github.com/WeaponX314) in
[https://github.com/defenseunicorns/zarf/pull/2310](https://github.com/defenseunicorns/zarf/pull/2310)
- Improve `zarf tools registry prune` messaging by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2323](https://github.com/defenseunicorns/zarf/pull/2323)
- Add http request header timeout to mitigate stalling image push by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2319](https://github.com/defenseunicorns/zarf/pull/2319)
- Allow host+subpath as the source registry for `--registry-override` in
package create by [@&#8203;waveywaves](https://github.com/waveywaves)
in
[https://github.com/defenseunicorns/zarf/pull/2306](https://github.com/defenseunicorns/zarf/pull/2306)

##### Dependencies

- Update github.com/anchore/clio digest to
[`cb94e40`](https://github.com/defenseunicorns/zarf/commit/cb94e40) by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2294](https://github.com/defenseunicorns/zarf/pull/2294),
[https://github.com/defenseunicorns/zarf/pull/2297](https://github.com/defenseunicorns/zarf/pull/2297)
and
[https://github.com/defenseunicorns/zarf/pull/2300](https://github.com/defenseunicorns/zarf/pull/2300)
- **\[security]** Update module helm.sh/helm/v3 to v3.14.2 by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2307](https://github.com/defenseunicorns/zarf/pull/2307)
and
[https://github.com/defenseunicorns/zarf/pull/2329](https://github.com/defenseunicorns/zarf/pull/2329)
- Update actions/checkout action to v4 by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2317](https://github.com/defenseunicorns/zarf/pull/2317)
- Update actions/dependency-review-action action to v4 by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2318](https://github.com/defenseunicorns/zarf/pull/2318)

##### Docs

- Update [Zarf roadmap](https://docs.zarf.dev/docs/roadmap) per 2024
goals by [@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2305](https://github.com/defenseunicorns/zarf/pull/2305)

##### Development

- Included Dependency Review action for PR reviews by
[@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) in
[https://github.com/defenseunicorns/zarf/pull/2298](https://github.com/defenseunicorns/zarf/pull/2298)
- Resolve CodeQL linting issues across Zarf by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2322](https://github.com/defenseunicorns/zarf/pull/2322)

##### New Contributors

- [@&#8203;docandrew](https://github.com/docandrew) made their first
contribution in
[https://github.com/defenseunicorns/zarf/pull/2301](https://github.com/defenseunicorns/zarf/pull/2301)
- [@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) made
their first contribution in
[https://github.com/defenseunicorns/zarf/pull/2298](https://github.com/defenseunicorns/zarf/pull/2298)
- [@&#8203;waveywaves](https://github.com/waveywaves) made their first
contribution in
[https://github.com/defenseunicorns/zarf/pull/2306](https://github.com/defenseunicorns/zarf/pull/2306)

**Full Changelog**:
https://github.com/defenseunicorns/zarf/compare/v0.32.3...v0.32.4

###
[`v0.32.3`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32.3)

[Compare
Source](https://github.com/defenseunicorns/zarf/compare/v0.32.2...v0.32.3)

##### What's Changed

##### Fixes

- Properly handle panic that could occur during checksum validation by
[@&#8203;mjnagel](https://github.com/mjnagel) in
[https://github.com/defenseunicorns/zarf/pull/2262](https://github.com/defenseunicorns/zarf/pull/2262)
- Add the `--key` flag to the init cmd to properly allow for signed init
packages by [@&#8203;dgershman](https://github.com/dgershman) in
[https://github.com/defenseunicorns/zarf/pull/2259](https://github.com/defenseunicorns/zarf/pull/2259)
- Restore destroy script functionality during `zarf destroy` by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2274](https://github.com/defenseunicorns/zarf/pull/2274)
- Fix symlink inclusion within component resources by
[@&#8203;dgershman](https://github.com/dgershman) in
[https://github.com/defenseunicorns/zarf/pull/2256](https://github.com/defenseunicorns/zarf/pull/2256)
- Use memory friendly file split logic for partial packages by
[@&#8203;daniel-palmer-gu](https://github.com/daniel-palmer-gu) in
[https://github.com/defenseunicorns/zarf/pull/2264](https://github.com/defenseunicorns/zarf/pull/2264)
- Fix reproducible tarball creation on Windows systems by
[@&#8203;Noxsios](https://github.com/Noxsios) in
[https://github.com/defenseunicorns/zarf/pull/2293](https://github.com/defenseunicorns/zarf/pull/2293)

##### Docs

- Make branding more consistent and add community meetup references to
docs by [@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2258](https://github.com/defenseunicorns/zarf/pull/2258)

##### Dependencies

- Update github.com/anchore/clio digest by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2277](https://github.com/defenseunicorns/zarf/pull/2277)
and
[https://github.com/defenseunicorns/zarf/pull/2283](https://github.com/defenseunicorns/zarf/pull/2283)
- Update all non-major dependencies (including Gitea v1.21.5, Syft
v0.100.0, K9s v0.31.7 and Crane v0.19.0) by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2187](https://github.com/defenseunicorns/zarf/pull/2187)

##### Development

- Add a more robust chart search regexManager by
[@&#8203;Racer159](https://github.com/Racer159) in
[https://github.com/defenseunicorns/zarf/pull/2278](https://github.com/defenseunicorns/zarf/pull/2278)
and
[https://github.com/defenseunicorns/zarf/pull/2284](https://github.com/defenseunicorns/zarf/pull/2284)
- Partial refactor of injector logic in `k8s`, and `cluster` packages by
[@&#8203;chrishorton](https://github.com/chrishorton) in
[https://github.com/defenseunicorns/zarf/pull/2271](https://github.com/defenseunicorns/zarf/pull/2271)

##### New Contributors

- [@&#8203;daniel-palmer-gu](https://github.com/daniel-palmer-gu) made
their first contribution in
[https://github.com/defenseunicorns/zarf/pull/2264](https://github.com/defenseunicorns/zarf/pull/2264)

**Full Changelog**:
https://github.com/defenseunicorns/zarf/compare/v0.32.2...v0.32.3

###
[`v0.32.2`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32.2)

[Compare
Source](https://github.com/defenseunicorns/zarf/compare/v0.32.1...v0.32.2)

#### What's Changed

#### Features

- Support authenticated Helm repositories that have been configured with
`helm repo add` by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[https://github.com/defenseunicorns/zarf/pull/2196](https://github.com/defenseunicorns/zarf/pull/2196)
- Verify that the specified storage class exists during `zarf init` by
[@&#8203;lucasrod16](https://github.com/lucasrod16) in
[https://github.com/defenseunicorns/zarf/pull/2180](https://github.com/defenseunicorns/zarf/pull/2180)
- Check for available node resources before building injector pod by
[@&#8203;chrishorton](https://github.com/chrishorton) in
[https://github.com/defenseunicorns/zarf/pull/2220](https://github.com/defenseunicorns/zarf/pull/2220)
- Officially support yaml extensions within the `zarf.yaml` using `x-`
keys by [@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[https://github.com/defenseunicorns/zarf/pull/2217](https://github.com/defenseunicorns/zarf/pull/2217)

#### Fixes

- Fix the inclusion of helm sub commands when rendering `zarf tools
help` by [@&#8203;jbrewer3](https://github.com/jbrewer3) in
[https://github.com/defenseunicorns/zarf/pull/2216](https://github.com/defenseunicorns/zarf/pull/2216)

#### Docs

- Fix typos in the extension `README.md` by
[@&#8203;mjnagel](https://github.com/mjnagel) in
[https://github.com/defenseunicorns/zarf/pull/2227](https://github.com/defenseunicorns/zarf/pull/2227)
- Fix a small grammatical error in the base `README.md` by
[@&#8203;cmwylie19](https://github.com/cmwylie19) in
[https://github.com/defenseunicorns/zarf/pull/2219](https://github.com/defenseunicorns/zarf/pull/2219)

#### Dependencies

- Update github.com/anchore/clio digest to
[`89e2fe8`](https://github.com/defenseunicorns/zarf/commit/89e2fe8) by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2214](https://github.com/defenseunicorns/zarf/pull/2214)
- Update github.com/anchore/clio digest to
[`a5e93b6`](https://github.com/defenseunicorns/zarf/commit/a5e93b6) by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2229](https://github.com/defenseunicorns/zarf/pull/2229)
- Update github.com/anchore/stereoscope digest to
[`eb656fc`](https://github.com/defenseunicorns/zarf/commit/eb656fc) by
[@&#8203;renovate](https://github.com/renovate) in
[https://github.com/defenseunicorns/zarf/pull/2230](https://github.com/defenseunicorns/zarf/pull/2230)

#### Development

- Remove workflow for automatically adding issues to the zarf project by
[@&#8203;YrrepNoj](https://github.com/YrrepNoj) in
[https://github.com/defenseunicorns/zarf/pull/2239](https://github.com/defenseunicorns/zarf/pull/2239)
- Delete unnecessary waitgroup from concurrencyTools by
[@&#8203;AustinAbro321](https://github.com/AustinAbro321) in
[https://github.com/defenseunicorns/zarf/pull/2244](https://github.com/defenseunicorns/zarf/pull/2244)
- Update `NewOrasRemote` to take `ocispec.Platform` as an argument by
[@&#8203;decleaver](https://github.com/decleaver) in
[https://github.com/defenseunicorns/zarf/pull/2241](https://github.com/defenseunicorns/zarf/pull/2241)

#### New Contributors

- [@&#8203;jbrewer3](https://github.com/jbrewer3) made their first
contribution in
[https://github.com/defenseunicorns/zarf/pull/2216](https://github.com/defenseunicorns/zarf/pull/2216)
- [@&#8203;chrishorton](https://github.com/chrishorton) made their
first contribution in
[https://github.com/defenseunicorns/zarf/pull/2220](https://github.com/defenseunicorns/zarf/pull/2220)

**Full Changelog**:
https://github.com/defenseunicorns/zarf/compare/v0.32.1...v0.32.2

###
[`v0.32.1`](https://github.com/defenseunicorns/zarf/releases/tag/v0.32

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/uds-package-mattermost).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr <me@racer159.com>
ramonpetgrave64 referenced this pull request in ramonpetgrave64/slsa-verifier Apr 10, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | patch | `v3.1.0` -> `v3.1.5` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.22.1` -> `v2.24.8` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.1` |
|
[slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.9.0` -> `v1.10.0` |
|
[slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
| action | patch | `v2.4.0` -> `v2.4.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.5`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://github.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://github.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://github.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://github.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://github.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://github.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://github.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://github.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://github.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://github.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://github.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://github.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
actions/dependency-review-action@v3.1.4...v3.1.5

###
[`v3.1.4`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://github.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://github.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://github.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://github.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://github.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://github.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.4

###
[`v3.1.3`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://github.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://github.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.3

###
[`v3.1.2`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://github.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.2

###
[`v3.1.1`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
actions/dependency-review-action@v3.1.0...v3.1.1

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.2`](https://github.com/actions/setup-node/releases/tag/v3.8.2)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.8.1...v3.8.2)

##### What's Changed

- Update semver by
[@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov) in
[https://github.com/actions/setup-node/pull/861](https://github.com/actions/setup-node/pull/861)
- Update temp directory creation by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/859](https://github.com/actions/setup-node/pull/859)
- Bump [@&#8203;babel/traverse](https://github.com/babel/traverse)
from 7.15.4 to 7.23.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/setup-node/pull/870](https://github.com/actions/setup-node/pull/870)
- Add notice about binaries not being updated yet by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/872](https://github.com/actions/setup-node/pull/872)
- Update toolkit cache and core by
[@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov) and
[@&#8203;seongwon-privatenote](https://github.com/seongwon-privatenote)
in
[https://github.com/actions/setup-node/pull/875](https://github.com/actions/setup-node/pull/875)

**Full Changelog**:
actions/setup-node@v3...v3.8.2

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.8`](https://github.com/github/codeql-action/compare/v2.24.7...v2.24.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.7...v2.24.8)

###
[`v2.24.7`](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

###
[`v2.24.6`](https://github.com/github/codeql-action/compare/v2.24.5...v2.24.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.5...v2.24.6)

###
[`v2.24.5`](https://github.com/github/codeql-action/compare/v2.24.4...v2.24.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.4...v2.24.5)

###
[`v2.24.4`](https://github.com/github/codeql-action/compare/v2.24.3...v2.24.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.3...v2.24.4)

###
[`v2.24.3`](https://github.com/github/codeql-action/compare/v2.24.2...v2.24.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.2...v2.24.3)

###
[`v2.24.2`](https://github.com/github/codeql-action/compare/v2.24.1...v2.24.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.1...v2.24.2)

###
[`v2.24.1`](https://github.com/github/codeql-action/compare/v2.24.0...v2.24.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.0...v2.24.1)

###
[`v2.24.0`](https://github.com/github/codeql-action/compare/v2.23.2...v2.24.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.2...v2.24.0)

###
[`v2.23.2`](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

###
[`v2.23.1`](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

###
[`v2.23.0`](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

###
[`v2.22.12`](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

###
[`v2.22.11`](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

###
[`v2.22.10`](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

###
[`v2.22.9`](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

###
[`v2.22.8`](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

###
[`v2.22.7`](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

###
[`v2.22.6`](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

###
[`v2.22.5`](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

###
[`v2.22.4`](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

###
[`v2.22.3`](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

###
[`v2.22.2`](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://github.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://github.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release \[v1.10.0] includes bug fixes and new features.

See the [full change
list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://github.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://github.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://github.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://github.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.1`](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1)

[Compare
Source](https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1)

#### What's Changed

- Fix a verification issue when verifying npm's publish attestations -
Low severity
GHSA-r2xv-vpr2-42m9.
This part of the code remains *experimental*.

#### New Contributors

- [@&#8203;trishankatdatadog](https://github.com/trishankatdatadog)
made their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/702](https://github.com/slsa-framework/slsa-verifier/pull/702)

**Full Changelog**:
slsa-framework/slsa-verifier@v2.4.0...v2.4.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants