Skip to content

chore(deps): update non-major github actions#158

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-github-actions
Jun 17, 2026
Merged

chore(deps): update non-major github actions#158
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-github-actions

Conversation

@nbl-renovate

@nbl-renovate nbl-renovate Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action patch v6.0.2v6.0.3
astral-sh/setup-uv action minor v8.1.0v8.2.0
github/codeql-action action patch v4.36.0v4.36.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0: 🌈 New inputs quiet and download-from-astral-mirror

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Lets talk about the new inputs first.

quiet

Pretty simple. It turns of all info loggings. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise"

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.

🐛 Bug fixes
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

  • Cache CodeQL CLI version information across Actions steps. #​3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #​3937
  • Update default CodeQL bundle version to 2.25.6. #​3948

v4.36.1

Compare Source

No user facing changes.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "before 4am on Monday,Tuesday,Wednesday,Thursday,Friday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@nbl-renovate nbl-renovate Bot requested a review from abubnalitic-nbl as a code owner June 8, 2026 00:43
@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label Jun 8, 2026
@nbl-renovate nbl-renovate Bot requested a review from ltucker as a code owner June 8, 2026 00:43
@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label Jun 8, 2026
@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Failed — blocking vulnerabilities detected

Image: netbox-mcp-server:scan

Source Library CVE Severity Installed Fixed Title
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-45447 🟠 HIGH 3.5.6-r0 3.5.7-r0 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-34182 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-34183 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42764 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: NULL pointer dereference in QUIC server initial packet handling
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-45445 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: AES-OCB IV Ignored on EVP_Cipher() Path
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-34180 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-34181 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42766 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Possible NULL Dereference in Password-Based CMS Decryption
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42767 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42768 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_de
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42769 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-42770 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: FFC-DH Peer Validation Uses Attacker-Supplied q
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-45446 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-7383 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode
netbox-mcp-server:scan (alpine 3.23.4) libcrypto3 CVE-2026-9076 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS passwo
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-45447 🟠 HIGH 3.5.6-r0 3.5.7-r0 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-34182 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-34183 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42764 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: NULL pointer dereference in QUIC server initial packet handling
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-45445 🟡 MEDIUM 3.5.6-r0 3.5.7-r0 openssl: AES-OCB IV Ignored on EVP_Cipher() Path
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-34180 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-34181 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42766 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Possible NULL Dereference in Password-Based CMS Decryption
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42767 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42768 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_de
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42769 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-42770 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: FFC-DH Peer Validation Uses Attacker-Supplied q
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-45446 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-7383 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode
netbox-mcp-server:scan (alpine 3.23.4) libssl3 CVE-2026-9076 ⚪ LOW 3.5.6-r0 3.5.7-r0 openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS passwo
Python PyJWT CVE-2026-48526 🟠 HIGH 2.12.1 2.13.0 python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens
Python PyJWT CVE-2026-48522 🟡 MEDIUM 2.12.1 2.13.0 python-pyjwt: PyJWT: Server-Side Request Forgery (SSRF) via uncontrolled URL fet
Python PyJWT CVE-2026-48523 🟡 MEDIUM 2.12.1 2.13.0 python-pyjwt: PyJWT: Verifier-side algorithm bypass leads to unauthorized inform
Python PyJWT CVE-2026-48525 🟡 MEDIUM 2.12.1 2.13.0 python-pyjwt: PyJWT: Denial of Service via processing of crafted detached JWS to
Python PyJWT CVE-2026-48524 ⚪ LOW 2.12.1 2.13.0 python-pyjwt: PyJWT: Denial of Service via unverified JSON Web Token key IDs
Python cryptography GHSA-537c-gmf6-5ccf 🟠 HIGH 46.0.7 48.0.1 Vulnerable OpenSSL included in cryptography wheels
Python python-multipart CVE-2026-53539 🟠 HIGH 0.0.27 0.0.30 python-multipart: Quadratic-time querystring parsing with semicolon separators c
Python python-multipart CVE-2026-53537 ⚪ LOW 0.0.27 0.0.30 python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 exte
Python python-multipart CVE-2026-53538 ⚪ LOW 0.0.27 0.0.30 python-multipart: Semicolon treated as querystring field separator enables param
Python python-multipart CVE-2026-53540 ⚪ LOW 0.0.27 0.0.31 python-multipart: Negative Content-Length in parse_form buffers the entire body
Python starlette CVE-2026-48818 🟠 HIGH 0.52.1 1.1.0 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Window
Python starlette CVE-2026-54283 🟠 HIGH 0.52.1 1.3.1 Starlette: request.form() limits silently ignored for application/x-www-form-url
Python starlette CVE-2026-48710 🟡 MEDIUM 0.52.1 1.0.1 starlette: Starlette: Security restriction bypass via malformed HTTP Host header
Python starlette CVE-2026-48817 🟡 MEDIUM 0.52.1 1.1.0 Starlette: Arbitrary HTTP method dispatched to HTTPEndpoint attributes via `ge
Python starlette CVE-2026-54282 ⚪ LOW 0.52.1 1.3.0 Starlette: Unvalidated request path concatenated into authority poisons request.

Commit: 8d28508

@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-github-actions branch from f56bf05 to 58b7a9d Compare June 9, 2026 10:25
@nbl-renovate nbl-renovate Bot changed the title chore(deps): update non-major github actions to v0.36.0 chore(deps): update non-major github actions Jun 9, 2026
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-github-actions branch 4 times, most recently from f1aff98 to ba8c5ab Compare June 16, 2026 08:10
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-github-actions branch from ba8c5ab to 542f4a9 Compare June 16, 2026 10:45
@abubnalitic-nbl abubnalitic-nbl merged commit 6658b92 into main Jun 17, 2026
13 of 14 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the renovate/non-major-github-actions branch June 17, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant