chore(deps): update dependency pytest to v9

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pytest (changelog)	==8.4.2 -> ==9.0.1

---

Release Notes

pytest-dev/pytest (pytest)

v9.0.1

Compare Source

pytest 9.0.1 (2025-11-12)

Bug fixes

• #​13895: Restore support for skipping tests via raise unittest.SkipTest.
• #​13896: The terminal progress plugin added in pytest 9.0 is now automatically disabled when iTerm2 is detected, it generated desktop notifications instead of the desired functionality.
• #​13904: Fixed the TOML type of the verbosity settings in the API reference from number to string.
• #​13910: Fixed UserWarning: Do not expect file_or_dir on some earlier Python 3.12 and 3.13 point versions.

Packaging updates and notes for downstreams

• #​13933: The tox configuration has been adjusted to make sure the desired
  version string can be passed into its package_env through
  the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment
  variable as a part of the release process -- by webknjaz.

Contributor-facing changes

• #​13891, #​13942: The CI/CD part of the release automation is now capable of
  creating GitHub Releases without having a Git checkout on
  disk -- by bluetech and webknjaz.
• #​13933: The tox configuration has been adjusted to make sure the desired
  version string can be passed into its package_env through
  the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment
  variable as a part of the release process -- by webknjaz.

v9.0.0

Compare Source

pytest 9.0.0 (2025-11-05)

New features

• #​1367: Support for subtests has been added.

  subtests <subtests> are an alternative to parametrization, useful in situations where the parametrization values are not all known at collection time.

  Example:

  def contains_docstring(p: Path) -> bool:
      """Return True if the given Python file contains a top-level docstring."""
      ...
  
  def test_py_files_contain_docstring(subtests: pytest.Subtests) -> None:
      for path in Path.cwd().glob("*.py"):
          with subtests.test(path=str(path)):
              assert contains_docstring(path)

  Each assert failure or error is caught by the context manager and reported individually, giving a clear picture of all files that are missing a docstring.

  In addition, unittest.TestCase.subTest is now also supported.

  This feature was originally implemented as a separate plugin in pytest-subtests, but since then has been merged into the core.

  [!NOTE]
  This feature is experimental and will likely evolve in future releases. By that we mean that we might change how subtests are reported on failure, but the functionality and how to use it are stable.

• #​13743: Added support for native TOML configuration files.

  While pytest, since version 6, supports configuration in pyproject.toml files under [tool.pytest.ini_options],
  it does so in an "INI compatibility mode", where all configuration values are treated as strings or list of strings.
  Now, pytest supports the native TOML data model.

  In pyproject.toml, the native TOML configuration is under the [tool.pytest] table.

  # pyproject.toml
  [tool.pytest]
  minversion = "9.0"
  addopts = ["-ra", "-q"]
  testpaths = [
      "tests",
      "integration",
  ]

  The [tool.pytest.ini_options] table remains supported, but both tables cannot be used at the same time.

  If you prefer to use a separate configuration file, or don't use pyproject.toml, you can use pytest.toml or .pytest.toml:

  # pytest.toml or .pytest.toml
  [pytest]
  minversion = "9.0"
  addopts = ["-ra", "-q"]
  testpaths = [
      "tests",
      "integration",
  ]

  The documentation now (sometimes) shows configuration snippets in both TOML and INI formats, in a tabbed interface.

  See config file formats for full details.

• #​13823: Added a "strict mode" enabled by the strict configuration option.

  When set to true, the strict option currently enables

  • strict_config
  • strict_markers
  • strict_parametrization_ids
  • strict_xfail

  The individual strictness options can be explicitly set to override the global strict setting.

  The previously-deprecated --strict command-line flag now enables strict mode.

  If pytest adds new strictness options in the future, they will also be enabled in strict mode.
  Therefore, you should only enable strict mode if you use a pinned/locked version of pytest,
  or if you want to proactively adopt new strictness options as they are added.

  See strict mode for more details.

• #​13737: Added the strict_parametrization_ids configuration option.

  When set, pytest emits an error if it detects non-unique parameter set IDs,
  rather than automatically making the IDs unique by adding 0, 1, ... to them.
  This can be particularly useful for catching unintended duplicates.

• #​13072: Added support for displaying test session progress in the terminal tab using the OSC 9;4; ANSI sequence.
  When pytest runs in a supported terminal emulator like ConEmu, Gnome Terminal, Ptyxis, Windows Terminal, Kitty or Ghostty,
  you'll see the progress in the terminal tab or window,
  allowing you to monitor pytest's progress at a glance.

  This feature is automatically enabled when running in a TTY. It is implemented as an internal plugin. If needed, it can be disabled as follows:

  • On a user level, using -p no:terminalprogress on the command line or via an environment variable PYTEST_ADDOPTS='-p no:terminalprogress'.
  • On a project configuration level, using addopts = "-p no:terminalprogress".

• #​478: Support PEP420 (implicit namespace packages) as --pyargs target when consider_namespace_packages is true in the config.

  Previously, this option only impacted package imports, now it also impacts tests discovery.

• #​13678: Added a new faulthandler_exit_on_timeout configuration option set to "false" by default to let faulthandler interrupt the pytest process after a timeout in case of deadlock.

  Previously, a faulthandler timeout would only dump the traceback of all threads to stderr, but would not interrupt the pytest process.

  -- by ogrisel.

• #​13829: Added support for configuration option aliases via the aliases parameter in Parser.addini() <pytest.Parser.addini>.

  Plugins can now register alternative names for configuration options,
  allowing for more flexibility in configuration naming and supporting backward compatibility when renaming options.
  The canonical name always takes precedence if both the canonical name and an alias are specified in the configuration file.

Improvements in existing functionality

• #​13330: Having pytest configuration spread over more than one file (for example having both a pytest.ini file and pyproject.toml with a [tool.pytest.ini_options] table) will now print a warning to make it clearer to the user that only one of them is actually used.

  -- by sgaist

• #​13574: The single argument --version no longer loads the entire plugin infrastructure, making it faster and more reliable when displaying only the pytest version.

  Passing --version twice (e.g., pytest --version --version) retains the original behavior, showing both the pytest version and plugin information.

  [!NOTE]
  Since --version is now processed early, it only takes effect when passed directly via the command line. It will not work if set through other mechanisms, such as PYTEST_ADDOPTS or addopts.

• #​13823: Added strict_xfail as an alias to the xfail_strict option,
  strict_config as an alias to the --strict-config flag,
  and strict_markers as an alias to the --strict-markers flag.
  This makes all strictness options consistently have configuration options with the prefix strict_.

• #​13700: --junitxml no longer prints the generated xml file summary at the end of the pytest session when --quiet is given.

• #​13732: Previously, when filtering warnings, pytest would fail if the filter referenced a class that could not be imported. Now, this only outputs a message indicating the problem.

• #​13859: Clarify the error message for pytest.raises() when a regex match fails.

• #​13861: Better sentence structure in a test's expected error message. Previously, the error message would be "expected exception must be <expected>, but got <actual>". Now, it is "Expected <expected>, but got <actual>".

Removals and backward incompatible breaking changes

• #​12083: Fixed a bug where an invocation such as pytest a/ a/b would cause only tests from a/b to run, and not other tests under a/.

  The fix entails a few breaking changes to how such overlapping arguments and duplicates are handled:

  1. pytest a/b a/ or pytest a/ a/b are equivalent to pytest a; if an argument overlaps another arguments, only the prefix remains.
  2. pytest x.py x.py is equivalent to pytest x.py; previously such an invocation was taken as an explicit request to run the tests from the file twice.

  If you rely on these behaviors, consider using --keep-duplicates <duplicate-paths>, which retains its existing behavior (including the bug).

• #​13719: Support for Python 3.9 is dropped following its end of life.

• #​13766: Previously, pytest would assume it was running in a CI/CD environment if either of the environment variables $CI or $BUILD_NUMBER was defined;
  now, CI mode is only activated if at least one of those variables is defined and set to a non-empty value.

• #​13779: PytestRemovedIn9Warning deprecation warnings are now errors by default.

  Following our plan to remove deprecated features with as little disruption as
  possible, all warnings of type PytestRemovedIn9Warning now generate errors
  instead of warning messages by default.

  The affected features will be effectively removed in pytest 9.1, so please consult the
  deprecations section in the docs for directions on how to update existing code.

  In the pytest 9.0.X series, it is possible to change the errors back into warnings as a
  stopgap measure by adding this to your pytest.ini file:

  [pytest]
  filterwarnings =
      ignore::pytest.PytestRemovedIn9Warning

  But this will stop working when pytest 9.1 is released.

  If you have concerns about the removal of a specific feature, please add a
  comment to 13779.

Deprecations (removal in next major release)

• #​13807: monkeypatch.syspath_prepend() <pytest.MonkeyPatch.syspath_prepend> now issues a deprecation warning when the prepended path contains legacy namespace packages (those using pkg_resources.declare_namespace()).
  Users should migrate to native namespace packages (420).
  See monkeypatch-fixup-namespace-packages for details.

Bug fixes

• #​13445: Made the type annotations of pytest.skip and friends more spec-complaint to have them work across more type checkers.

• #​13537: Fixed a bug in which ExceptionGroup with only Skipped exceptions in teardown was not handled correctly and showed as error.

• #​13598: Fixed possible collection confusion on Windows when short paths and symlinks are involved.

• #​13716: Fixed a bug where a nonsensical invocation like pytest x.py[a] (a file cannot be parametrized) was silently treated as pytest x.py. This is now a usage error.

• #​13722: Fixed a misleading assertion failure message when using pytest.approx on mappings with differing lengths.

• #​13773: Fixed the static fixture closure calculation to properly consider transitive dependencies requested by overridden fixtures.

• #​13816: Fixed pytest.approx which now returns a clearer error message when comparing mappings with different keys.

• #​13849: Hidden .pytest.ini files are now picked up as the config file even if empty.
  This was an inconsistency with non-hidden pytest.ini.

• #​13865: Fixed --show-capture with --tb=line.

• #​13522: Fixed pytester in subprocess mode ignored all :attr`pytester.plugins <pytest.Pytester.plugins>` except the first.

  Fixed pytester in subprocess mode silently ignored non-str pytester.plugins <pytest.Pytester.plugins>.
  Now it errors instead.
  If you are affected by this, specify the plugin by name, or switch the affected tests to use pytester.runpytest_inprocess <pytest.Pytester.runpytest_inprocess> explicitly instead.

Packaging updates and notes for downstreams

• #​13791: Minimum requirements on iniconfig and packaging were bumped to 1.0.1 and 22.0.0, respectively.

Contributor-facing changes

• #​12244: Fixed self-test failures when TERM=dumb.
• #​12474: Added scheduled GitHub Action Workflow to run Sphinx linkchecks in repo documentation.
• #​13621: pytest's own testsuite now handles the lsof command hanging (e.g. due to unreachable network filesystems), with the affected selftests being skipped after 10 seconds.
• #​13638: Fixed deprecated gh pr new command in scripts/prepare-release-pr.py.
  The script now uses gh pr create which is compatible with GitHub CLI v2.0+.
• #​13695: Flush stdout and stderr in Pytester.run to avoid truncated outputs in test_faulthandler.py::test_timeout on CI -- by ogrisel.
• #​13771: Skip test_do_not_collect_symlink_siblings on Windows environments without symlink support to avoid false negatives.
• #​13841: tox>=4 is now required when contributing to pytest.
• #​13625: Added missing docstrings to pytest_addoption(), pytest_configure(), and cacheshow() functions in cacheprovider.py.

Miscellaneous internal changes

• #​13830: Configuration overrides (-o/--override-ini) are now processed during startup rather than during config.getini() <pytest.Config.getini>.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	14		0	0	0.26s
✅ BASH	bash-exec	7		0	0	0.02s
✅ BASH	shellcheck	4		0	0	0.19s
⚠️ BASH	shfmt	7		1	0	0.01s
✅ CSHARP	csharpier	3		0	0	2.08s
⚠️ CSHARP	roslynator	1		1	0	12.55s
✅ CSS	stylelint	1		0	0	2.05s
✅ DOCKERFILE	hadolint	5		0	0	0.28s
✅ EDITORCONFIG	editorconfig-checker	435		0	0	11.95s
✅ ENV	dotenv-linter	1		0	0	0.03s
⚠️ GROOVY	npm-groovy-lint	8		0	20	25.6s
✅ HTML	djlint	2		0	0	1.72s
✅ HTML	htmlhint	2		0	0	0.28s
⚠️ JAVA	checkstyle	64		0	90	9.4s
✅ JSON	jsonlint	53		0	0	0.46s
✅ JSON	prettier	53		0	0	5.04s
✅ JSON	v8r	53		0	0	35.06s
⚠️ MARKDOWN	markdownlint	23		273	0	2.58s
✅ PYTHON	bandit	1		0	0	2.16s
✅ PYTHON	black	1		0	0	2.17s
✅ PYTHON	flake8	1		0	0	1.05s
✅ PYTHON	isort	1		0	0	0.54s
✅ PYTHON	mypy	1		0	0	10.96s
✅ PYTHON	ruff	1		0	0	0.04s
✅ REPOSITORY	gitleaks	yes		no	no	1.25s
✅ REPOSITORY	git_diff	yes		no	no	0.32s
⚠️ REPOSITORY	kics	yes		no	119	52.28s
✅ REPOSITORY	secretlint	yes		no	no	6.23s
✅ REPOSITORY	syft	yes		no	no	14.58s
⚠️ REPOSITORY	trivy	yes		14	no	17.69s
✅ REPOSITORY	trivy-sbom	yes		no	no	7.13s
✅ REPOSITORY	trufflehog	yes		no	no	13.54s
✅ XML	xmllint	4		0	0	1.11s
✅ YAML	prettier	118		0	0	2.67s

Detailed Issues

⚠️ JAVA / checkstyle - 90 warnings

warning: First sentence of Javadoc is missing an ending period.

warning: First sentence of Javadoc is missing an ending period.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Line is longer than 100 characters (found 103).

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: First sentence of Javadoc is missing an ending period.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Line is longer than 100 characters (found 107).

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: First sentence of Javadoc is missing an ending period.

warning: Line is longer than 100 characters (found 115).

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Missing a Javadoc comment.

warning: Line is longer than 100 characters (found 220).

warning: Line is longer than 100 characters (found 104).

warning: Line is longer than 100 characters (found 117).

warning: Line is longer than 100 characters (found 154).

warning: Line is longer than 100 characters (found 111).

warning: Line is longer than 100 characters (found 128).

warning: Line is longer than 100 characters (found 142).

warning: Missing a Javadoc comment.

warning: Line is longer than 100 characters (found 104).

warning: Line is longer than 100 characters (found 132).

warning: Line is longer than 100 characters (found 141).

warning: 90 warnings emitted

⚠️ REPOSITORY / kics - 119 warnings

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
    ┌─ docker-compose/docker-compose.staging.yaml:211:1
    │
211 │   notify:
    │ ^^^^^^^^^
    │
    = Container Capabilities Unrestricted
    = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:56:1
   │
56 │   maildev:
   │ ^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/tests/e2e/docker-compose.yaml:19:1
   │
19 │   tester:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/deploy/docker-compose.dev.yml:38:1
   │
38 │   keycloak:
   │ ^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/tests/e2e/docker-compose.yaml:59:1
   │
59 │   keycloak:
   │ ^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ docker-compose/docker-compose.staging.yaml:25:1
   │
25 │   omopdb:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/deploy/docker-compose.dev.yml:53:1
   │
53 │   fhir-pseudonymizer:
   │ ^^^^^^^^^^^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/tests/e2e/docker-compose.yaml:44:1
   │
44 │   loader:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
  ┌─ src/query/tests/e2e/docker-compose.yaml:2:1
  │
2 │   query:
  │ ^^^^^^^^
  │
  = Container Capabilities Unrestricted
  = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
  ┌─ src/notify/tests/e2e/docker-compose.yaml:4:1
  │
4 │   notify:
  │ ^^^^^^^^^
  │
  = Container Capabilities Unrestricted
  = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/query/tests/e2e/docker-compose.yaml:45:1
   │
45 │   broadsea-atlasdb:
   │ ^^^^^^^^^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:26:1
   │
26 │   jobstore-db:
   │ ^^^^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:33:1
   │
33 │   tester:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as w

(Truncated to 5714 characters out of 37150)

⚠️ MARKDOWN / markdownlint - 273 errors

CHANGELOG.md:5 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:9:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:10:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:13 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:24 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:25 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:30 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:31 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:45 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:52 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:53 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:56:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:59 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:60 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:66:121 MD013/line-length Line length [Expected: 120; Actual: 241]
CHANGELOG.md:73 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:74 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:81:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:86 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:91 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:92 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:105:121 MD013/line-length Line length [Expected: 120; Actual: 229]
CHANGELOG.md:106:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:109:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:122 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:125:121 MD013/line-length Line length [Expected: 120; Actual: 224]
CHANGELOG.md:127 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:128 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:132 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:133 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:139 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:140 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:144 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:145 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:151 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:152 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:158 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:159 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:163 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:164 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:167:121 MD013/line-length Line length [Expected: 120; Actual: 219]
CHANGELOG.md:168:121 MD013/line-length Line length [Expected: 120; Actual: 221]
CHANGELOG.md:169:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:170:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:171:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:177:121 MD013/line-length Line length [Expected: 120; Actual: 233]
CHANGELOG.md:180 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:181 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Documentation"]
CHANGELOG.md:185 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:186 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:207:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:209:121 MD013/line-length Line length [Expected: 120; Actual: 230]
CHANGELOG.md:211:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:212:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:213:121 MD013/line-length Line length [Expected: 120; Actual: 234]
CHANGELOG.md:215:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:216:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:217:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:218:121 MD013/line-length Line length [Expected: 120; Actual: 239]
CHANGELOG.md:219:121 MD013/line-length Line length [Expected: 120; Actual: 239]
CHANGELOG.md:220:121 MD013/line-length Line length [Expected: 12

(Truncated to 5714 characters out of 26039)

⚠️ GROOVY / npm-groovy-lint - 20 warnings

note: Class should be marked with one of @GrailsCompileStatic, @CompileStatic or @CompileDynamic
 = Check that classes are explicitely annotated with either @GrailsCompileStatic, @CompileStatic or @CompileDynamic

note: Class should be marked with one of @GrailsCompileStatic, @CompileStatic or @CompileDynamic
 = Check that classes are explicitely annotated with either @GrailsCompileStatic, @CompileStatic or @CompileDynamic

note: The String 'spring-boot-loader' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:71:24
   │
71 │             intoLayer("spring-boot-loader") {
   │                        ^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'org/springframework/boot/loader/**' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:72:26
   │
72 │                 include("org/springframework/boot/loader/**")
   │                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'application' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:74:24
   │
74 │             intoLayer("application")
   │                        ^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'module-dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:77:24
   │
77 │             intoLayer("module-dependencies") {
   │                        ^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'org.miracum:*:*' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:78:26
   │
78 │                 include("org.miracum:*:*")
   │                          ^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:80:24
   │
80 │             intoLayer("dependencies")
   │                        ^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:25
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                         ^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'spring-boot-loader' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:41
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                         ^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'module-dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:63
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                                               ^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'application' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:86
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                                                                      ^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: Class should be marked with one of @GrailsCompileStatic, @CompileStatic or @CompileDynamic
 = Check that classes are explicitely annotated with ei

(Truncated to 5714 characters out of 7255)

⚠️ CSHARP / roslynator - 1 error

Results of roslynator linter (version 0.10.2.0)
See documentation on https://megalinter.io/9.1.0/descriptors/csharp_roslynator/
-----------------------------------------------

❌ [ERROR] tests/chaos/tester/tester.csproj
    Loading project 'tests/chaos/tester/tester.csproj'...
    Analyze 'tester'
    System.AggregateException: One or more errors occurred. (Could not load file or assembly 'System.Composition.AttributedModel, Version=9.0.0.8, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. The system cannot find the file specified.
    )
     ---> System.IO.FileNotFoundException: Could not load file or assembly 'System.Composition.AttributedModel, Version=9.0.0.8, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. The system cannot find the file specified.
    
    File name: 'System.Composition.AttributedModel, Version=9.0.0.8, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
       at System.ModuleHandle.ResolveType(QCallModule module, Int32 typeToken, IntPtr* typeInstArgs, Int32 typeInstCount, IntPtr* methodInstArgs, Int32 methodInstCount, ObjectHandleOnStack type)
       at System.ModuleHandle.ResolveTypeHandle(Int32 typeToken, RuntimeTypeHandle[] typeInstantiationContext, RuntimeTypeHandle[] methodInstantiationContext)
       at System.Reflection.RuntimeModule.ResolveType(Int32 metadataToken, Type[] genericTypeArguments, Type[] genericMethodArguments)
       at System.Reflection.CustomAttribute.FilterCustomAttributeRecord(MetadataToken caCtorToken, MetadataImport& scope, RuntimeModule decoratedModule, MetadataToken decoratedToken, RuntimeType attributeFilterType, Boolean mustBeInheritable, ListBuilder`1& derivedAttributes, RuntimeType& attributeType, IRuntimeMethodInfo& ctorWithParameters, Boolean& isVarArg)
       at System.Reflection.CustomAttribute.AddCustomAttributes(ListBuilder`1& attributes, RuntimeModule decoratedModule, Int32 decoratedMetadataToken, RuntimeType attributeFilterType, Boolean mustBeInheritable, ListBuilder`1 derivedAttributes)
       at System.Reflection.CustomAttribute.GetCustomAttributes(RuntimeModule decoratedModule, Int32 decoratedMetadataToken, Int32 pcaCount, RuntimeType attributeFilterType)
       at System.Reflection.CustomAttribute.GetCustomAttributes(RuntimeType type, RuntimeType caType, Boolean inherit)
       at System.Attribute.GetCustomAttributes(MemberInfo element, Type attributeType, Boolean inherit)
       at Roslynator.AnalyzerAssembly.Load(Assembly analyzerAssembly, Boolean loadAnalyzers, Boolean loadFixers, String language) in /_/src/Workspaces.Core/AnalyzerAssembly.cs:line 129
       at Roslynator.AnalyzerLoader.GetAnalyzersAndFixers(Project project, Boolean loadFixers) in /_/src/Workspaces.Core/AnalyzerLoader.cs:line 112
       at Roslynator.AnalyzerLoader.GetAnalyzers(Project project) in /_/src/Workspaces.Core/AnalyzerLoader.cs:line 55
       at Roslynator.Diagnostics.CodeAnalyzer.AnalyzeProjectCoreAsync(Project project, CancellationToken cancellationToken) in /_/src/Workspaces.Core/Diagnostics/CodeAnalyzer.cs:line 124
       at Roslynator.Diagnostics.CodeAnalyzer.AnalyzeProjectAsync(Project project, CancellationToken cancellationToken) in /_/src/Workspaces.Core/Diagnostics/CodeAnalyzer.cs:line 99
       at Roslynator.CommandLine.AnalyzeCommand.ExecuteAsync(ProjectOrSolution projectOrSolution, CancellationToken cancellationToken) in /_/src/CommandLine/Commands/AnalyzeCommand.cs:line 73
       at Roslynator.CommandLine.MSBuildWorkspaceCommand`1.ExecuteAsync(String path, MSBuildWorkspace workspace, CancellationToken cancellationToken) in /_/src/CommandLine/Commands/MSBuildWorkspaceCommand.cs:line 164
       at Roslynator.CommandLine.MSBuildWorkspaceCommand`1.ExecuteAsync(IEnumerable`1 paths, String msbuildPath, IEnumerable`1 properties) in /_/src/CommandLine/Commands/MSBuildWorkspaceCommand.cs:line 89
       at Roslynator.CommandLine.Program.AnalyzeAsync(AnalyzeCommandLineOptions options) in /_/src/CommandLine/Program.cs:line 346
       --- End of inner exception stack trace ---
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at Roslynator.CommandLine.Program.<>c.<Main>b__0_3(MSBuildCommandLineOptions options) in /_/src/CommandLine/Program.cs:line 175
       at CommandLine.ParserResultExtensions.MapResult[T1,T2,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 notParsedFunc)
       at Roslynator.CommandLine.Program.Main(String[] args) in /_/src/CommandLine/Program.cs:line 169

⚠️ BASH / shfmt - 1 error

diff src/gradlew.orig src/gradlew
--- src/gradlew.orig
+++ src/gradlew
@@ -71,15 +71,15 @@
 
 # Need this for daisy-chained symlinks.
 while
-	APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
-	[ -h "$app_path" ]
+  APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
+  [ -h "$app_path" ]
 do
-	ls=$(ls -ld "$app_path")
-	link=${ls#*' -> '}
-	case $link in         #(
-	/*) app_path=$link ;; #(
-	*) app_path=$APP_HOME$link ;;
-	esac
+  ls=$(ls -ld "$app_path")
+  link=${ls#*' -> '}
+  case $link in         #(
+  /*) app_path=$link ;; #(
+  *) app_path=$APP_HOME$link ;;
+  esac
 done
 
 # This is normally unused
@@ -92,14 +92,14 @@
 MAX_FD=maximum
 
 warn() {
-	echo "$*"
+  echo "$*"
 } >&2
 
 die() {
-	echo
-	echo "$*"
-	echo
-	exit 1
+  echo
+  echo "$*"
+  echo
+  exit 1
 } >&2
 
 # OS specific support (must be 'true' or 'false').
@@ -116,47 +116,47 @@
 
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ]; then
-	if [ -x "$JAVA_HOME/jre/sh/java" ]; then
-		# IBM's JDK on AIX uses strange locations for the executables
-		JAVACMD=$JAVA_HOME/jre/sh/java
-	else
-		JAVACMD=$JAVA_HOME/bin/java
-	fi
-	if [ ! -x "$JAVACMD" ]; then
-		die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
-
-Please set the JAVA_HOME variable in your environment to match the
-location of your Java installation."
-	fi
+  if [ -x "$JAVA_HOME/jre/sh/java" ]; then
+    # IBM's JDK on AIX uses strange locations for the executables
+    JAVACMD=$JAVA_HOME/jre/sh/java
+  else
+    JAVACMD=$JAVA_HOME/bin/java
+  fi
+  if [ ! -x "$JAVACMD" ]; then
+    die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+  fi
 else
-	JAVACMD=java
-	if ! command -v java >/dev/null 2>&1; then
-		die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-
-Please set the JAVA_HOME variable in your environment to match the
-location of your Java installation."
-	fi
+  JAVACMD=java
+  if ! command -v java >/dev/null 2>&1; then
+    die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+  fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop"; then
-	case $MAX_FD in #(
-	max*)
-		# In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-		# shellcheck disable=SC2039,SC3045
-		MAX_FD=$(ulimit -H -n) ||
-			warn "Could not query maximum file descriptor limit"
-		;;
-	esac
-	case $MAX_FD in #(
-	'' | soft) : ;; #(
-	*)
-		# In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-		# shellcheck disable=SC2039,SC3045
-		ulimit -n "$MAX_FD" ||
-			warn "Could not set maximum file descriptor limit to $MAX_FD"
-		;;
-	esac
+  case $MAX_FD in #(
+  max*)
+    # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+    # shellcheck disable=SC2039,SC3045
+    MAX_FD=$(ulimit -H -n) ||
+      warn "Could not query maximum file descriptor limit"
+    ;;
+  esac
+  case $MAX_FD in #(
+  '' | soft) : ;; #(
+  *)
+    # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+    # shellcheck disable=SC2039,SC3045
+    ulimit -n "$MAX_FD" ||
+      warn "Could not set maximum file descriptor limit to $MAX_FD"
+    ;;
+  esac
 fi
 
 # Collect all arguments for the java command, stacking in reverse order:
@@ -169,34 +169,34 @@
 
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if "$cygwin" || "$msys"; then
-	APP_HOME=$(cygpath --path --mixed "$APP_HOME")
-
-	JAVACMD=$(cygpath --unix "$JAVACMD")
-
-	# Now convert the arguments - kludge to limit ourselves to /bin/sh
-	for arg; do
-		if
-			case $arg in #(
-			-*) false ;; # don't mess with options #(
-			/?*)
-				t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
-				[ -e "$t" ]
-				;; #(
-			*) false ;;
-			esac
-		then
-			arg=$(cygpath --path --ignore --mixed "$arg")
-		fi
-		# Roll the args list around exactly as many times as the number of
-		# args, so each arg winds up back in the position where it started, but
-		# possibly modified.
-		#
-		# NB: a `for` loop captures its iteration list before it begins, so
-		# changing the positional parameters here affects neither the number of
-		# iterations, nor the values presented in `arg`.
-		shift              # remove old arg
-		set -- "$@" "$arg" # push replacement arg
-	done
+  APP_HOME=$(cygpath --path --mixed "$APP_HOME")
+
+  JAVACMD=$(cygpath --unix "$JAVACMD")
+
+  # Now convert the arguments - kludge to limit ourselves to /bin/sh
+  for arg; do
+    if
+      case $arg in #(
+      -*) false ;; # don't mess with options #(
+      /?*)
+        t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
+        [ -e "$t" ]
+        ;; #(
+      *) false ;;
+      esac
+    then
+      arg=$(cygpath --path --ignore --mixed "$arg")
+    fi
+    # Roll the args list around exactly as many times as the number of
+    # args, so each arg winds up back in the position where it started, but
+    # possibly modified.
+    #
+    # NB: a `for` loop captures its iteration list before it begins, so
+    # changing the positional parameters here affects neither the number of
+    # iterations, nor the values presented in `arg`.
+    shift              # remove old arg
+    set -- "$@" "$arg" # push replacement arg
+  done
 fi
 
 # Add default JVM options here. You can also use JAV

(Truncated to 5714 characters out of 6627)

⚠️ REPOSITORY / trivy - 14 errors

error: Package: form-data
Installed Version: 2.3.3
Vulnerability CVE-2025-7783
Severity: CRITICAL
Fixed Version: 2.5.4, 3.0.4, 4.0.4
Link: [CVE-2025-7783](https://avd.aquasec.com/nvd/cve-2025-7783)
    ┌─ src/list/frontend/tests/e2e/package-lock.json:922:1
    │  
922 │ ╭     "node_modules/form-data": {
923 │ │       "version": "2.3.3",
924 │ │       "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz",
925 │ │       "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==",
    · │
935 │ │       }
936 │ │     },
    │ ╰^
    │  
    = form-data: Unsafe random function in form-data
    = Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
      
      This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

error: Package: braces
Installed Version: 2.3.2
Vulnerability CVE-2024-4068
Severity: HIGH
Fixed Version: 3.0.3
Link: [CVE-2024-4068](https://avd.aquasec.com/nvd/cve-2024-4068)
      ┌─ src/list/package-lock.json:20539:1
      │  
20539 │ ╭     "node_modules/jscodeshift/node_modules/braces": {
20540 │ │       "version": "2.3.2",
20541 │ │       "license": "MIT",
20542 │ │       "optional": true,
      · │
20557 │ │       }
20558 │ │     },
      │ ╰^
      │  
      = braces: fails to limit the number of characters it can handle
      = The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

error: Package: cross-spawn
Installed Version: 6.0.5
Vulnerability CVE-2024-21538
Severity: HIGH
Fixed Version: 7.0.5, 6.0.6
Link: [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)
      ┌─ src/list/package-lock.json:13811:1
      │  
13811 │ ╭     "node_modules/execa/node_modules/cross-spawn": {
13812 │ │       "version": "6.0.5",
13813 │ │       "devOptional": true,
13814 │ │       "license": "MIT",
      · │
13824 │ │       }
13825 │ │     },
      │ ╰^
      │  
      = cross-spawn: regular expression denial of service
      = Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

error: Package: cross-spawn
Installed Version: 7.0.3
Vulnerability CVE-2024-21538
Severity: HIGH
Fixed Version: 7.0.5, 6.0.6
Link: [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)
      ┌─ src/list/package-lock.json:11420:1
      │  
11420 │ ╭     "node_modules/cross-spawn": {
11421 │ │       "version": "7.0.3",
11422 │ │       "devOptional": true,
11423 │ │       "license": "MIT",
      · │
11431 │ │       }
11432 │ │     },
      │ ╰^
      │  
      = cross-spawn: regular expression denial of service
      = Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

error: Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-12816
Severity: HIGH
Fixed Version: 1.3.2
Link: [CVE-2025-12816](https://avd.aquasec.com/nvd/cve-2025-12816)
      ┌─ src/list/package-lock.json:22961:1
      │  
22961 │ ╭     "node_modules/node-forge": {
22962 │ │       "version": "1.3.1",
22963 │ │       "devOptional": true,
22964 │ │       "license": "(BSD-3-Clause OR GPL-2.0)",
      · │
22967 │ │       }
22968 │ │     },
      │ ╰^
      │  
      = An interpretation-conflict (CWE-436) vulnerability in node-forge versi ...
      = An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

error: Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-66031
Severity: HIGH
Fixed Version: 1.3.2
Link: [CVE-2025-66031](https://avd.aquasec.com/nvd/cve-2025-66031)
      ┌─ src/list/package-lock.json:22961:1
      │  
22961 │ ╭     "node_modules/node-forge": {
22962 │ │       "version": "1.3.1",
22963 │ │       "devOptional": true,
22964 │ │       "license": "(BSD-3-Clause OR GPL-2.0)",
      · │
22967 │ │       }
22968 │ │     },
      │ ╰^
      │  
      = Forge (also called `node-forge`) is a native implementation of Transpo ...
      = Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

error: Package: ws
Installed Version: 6.2.2
Vulnerability CVE-2024-37890
Severity: HIGH
Fixed Version: 5.2.4, 6.2.3, 7.5.10, 8.17.1
Link: [CVE-2024-37890](https://avd.aquasec.com/nvd/cve-2024-37890)
      ┌─ src/list/package-lock.json:28901:1
      │  
28901 │ ╭     "node_modules/w

(Truncated to 5714 characters out of 10621)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_RUFF,ACTION_ACTIONLINT,BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,CSHARP_CSHARPIER,CSHARP_ROSLYNATOR,CSS_STYLELINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,ENV_DOTENV_LINTER,GROOVY_NPM_GROOVY_LINT,HTML_DJLINT,HTML_HTMLHINT,JAVA_CHECKSTYLE,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,XML_XMLLINT,YAML_PRETTIER