chore(deps): update all non-major dependencies

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
aquasecurity/trivy		minor	0.66.0 -> 0.67.0
astral-sh/setup-uv	action	minor	v6.7.0 -> v6.8.0
docker/login-action	action	minor	v3.5.0 -> v3.6.0
github/codeql-action	action	patch	v3.30.5 -> v3.30.6
gradle/actions	action	patch	v4.4.3 -> v4.4.4
softprops/action-gh-release	action	patch	v2.3.3 -> v2.3.4
zizmor		patch	1.14.1 -> 1.14.2

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.67.0

Compare Source

👉 Trivy v0.67.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 New Docker Install option

• docker pull get.trivy.dev/image/trivy:0.67.0

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0670-2025-09-30

astral-sh/setup-uv (astral-sh/setup-uv)

v6.8.0: 🌈 Add **/*.py.lock to cache-dependency-glob

Compare Source

Changes

Thanks to @​parched the default cache-dependency-glob now also find all lock files generated by uv lock --script

🚀 Enhancements

• Always show prune cache output @​eifinger (#​597)
• Add **/*.py.lock to cache-dependency-glob @​parched (#​590)

🧰 Maintenance

• persist credentials for version update @​eifinger (#​584)

📚 Documentation

• README.md: Fix Python versions and update checkout action @​cclauss (#​572)

⬆️ Dependency updates

• Bump zizmorcore/zizmor-action from 0.1.2 to 0.2.0 @​dependabot[bot] (#​571)

docker/login-action (docker/login-action)

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

github/codeql-action (github/codeql-action)

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

gradle/actions (gradle/actions)

v4.4.4

Compare Source

What's Changed

• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​726
• Regenerating package lock by @​cdsap in #​729
• Update known wrapper checksums by @​github-actions[bot] in #​730
• Bump the github-actions group across 1 directory with 3 updates by @​dependabot[bot] in #​735
• Bump the gradle group across 3 directories with 1 update by @​dependabot[bot] in #​734
• Bump the npm-dependencies group in /sources with 4 updates by @​dependabot[bot] in #​733
• Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by @​bot-githubaction in #​736
• Handle gracefully parse errors in checksum file by @​jprinet in #​737
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by @​bot-githubaction in #​742
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/java-toolchain by @​bot-githubaction in #​741
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/groovy-dsl by @​bot-githubaction in #​740
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/gradle-plugin by @​bot-githubaction in #​739
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /sources/test/init-scripts by @​bot-githubaction in #​738
• Update known wrapper checksums by @​github-actions[bot] in #​743
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @​dependabot[bot] in #​746
• Bump the npm-dependencies group in /sources with 5 updates by @​dependabot[bot] in #​745

Full Changelog: gradle/actions@v4...v4.4.4

softprops/action-gh-release (softprops/action-gh-release)

v2.3.4

Compare Source

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in #​665

Other Changes 🔄

• chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 in the github-actions group by @​dependabot[bot] in #​656
• chore(deps): bump @​types/node from 20.19.11 to 20.19.13 in the npm group by @​dependabot[bot] in #​655
• chore(deps): bump vite from 7.0.0 to 7.1.5 by @​dependabot[bot] in #​657
• chore(deps): bump the npm group across 1 directory with 2 updates by @​dependabot[bot] in #​662
• chore(deps): bump the npm group with 3 updates by @​dependabot[bot] in #​666

Full Changelog: softprops/action-gh-release@v2...v2.3.4

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.09s
✅ COPYPASTE	jscpd	yes		no	no	1.23s
✅ DOCKERFILE	hadolint	1		0	0	0.06s
✅ JSON	jsonlint	3		0	0	0.14s
⚠️ JSON	prettier	3		1	0	0.46s
✅ JSON	v8r	3		0	0	3.48s
✅ MARKDOWN	markdownlint	1		0	0	0.49s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.28s
✅ PYTHON	bandit	1		0	0	1.62s
✅ PYTHON	black	1		0	0	0.92s
✅ PYTHON	flake8	1		0	0	0.82s
✅ PYTHON	isort	1		0	0	0.22s
✅ PYTHON	mypy	1		0	0	3.36s
✅ PYTHON	pylint	1		0	0	3.4s
✅ PYTHON	pyright	1		0	0	1.68s
✅ PYTHON	ruff	1		0	0	0.04s
✅ REPOSITORY	dustilock	yes		no	no	0.02s
✅ REPOSITORY	gitleaks	yes		no	no	0.32s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	29.99s
✅ REPOSITORY	kics	yes		no	no	3.38s
✅ REPOSITORY	secretlint	yes		no	no	1.59s
✅ REPOSITORY	syft	yes		no	no	2.15s
✅ REPOSITORY	trivy	yes		no	no	8.49s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.12s
✅ REPOSITORY	trufflehog	yes		no	no	3.8s
✅ YAML	prettier	6		0	0	0.71s
✅ YAML	v8r	6		0	0	5.99s
✅ YAML	yamllint	6		0	0	0.59s

Detailed Issues

⚠️ JSON / prettier - 1 error

Checking formatting...
[warn] .renovaterc.json
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.0.1 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-195 (debian 13.1)

9 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 6 LOW: 3)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.1)

9 known vulnerabilities found (LOW: 3 CRITICAL: 0 HIGH: 0 MEDIUM: 6)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-195 (debian 13.1)

9 known vulnerabilities found (LOW: 3 CRITICAL: 0 HIGH: 0 MEDIUM: 6)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
libssl3t64	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
libssl3t64	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9230	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9231	MEDIUM	3.5.1-1	3.5.1-1+deb13u1
openssl-provider-legacy	CVE-2025-9232	LOW	3.5.1-1	3.5.1-1+deb13u1

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

🎉 This PR is included in version 1.10.62 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀