fix(deps): update dependency buefy to v3 #493

Open
renovate[bot] wants to merge 1 commit into master from renovate/buefy-3.x

renovate bot commented Oct 1, 2025

This PR contains the following updates:

Package         Change
buefy (source)  0.9.29 → 3.0.4

Release Notes

buefy/buefy (buefy)

v3.0.4

Fixes
  • #​4277 Fixed dropdown style for link-based items.
  • #​4280 Fixed missing background color in Datepicker.
  • #​4283 Added missing reference to Table component.
Enhancements
  • #​4261 Updated and expanded documentation as part of the revamp.
  • #​4287 Enhanced RTL support for Checkbox, Radio, Switch, and Form Field components.
  • #​4267 Added support for custom class props across components.
Chores & Dependency Updates
  • #​4268 Bumped Vite from 6.3.6 to 6.4.1.
  • #​4273 Bumped js-yaml from 4.1.0 to 4.1.1.
  • #​4279 Upgraded various project dependencies.
  • #​4281 Bumped shelljs and pre-commit versions.

v3.0.3

Fixes
Fixes (docs)
  • #​4254 Fixed CarbonAds code and themed it around buefy's theme.
  • #​4255 Fixed broken dev script in documentation - npm run dev stopped working.
Chores (docs)
  • #​4249 Bumped vite from 6.3.5 to 6.3.6.

v3.0.2

Fixes
  • #​4238 Updated navbar icon colors and fixed NavBurger rendering.
  • #​4229 Bubble up mouse events from b-table rows for better interactivity (@​kikuomax).
  • #​4236 Augmented Using Vue docs and examples for clarity (@​ElteHupkes).
  • #​4235 Extended Buefy CSS output to include built versions for CDN and static use.
  • #​4237 Updated internal CSS path references for consistency.
Fixes (docs)
  • #​4227 Updated StackBlitz integration to reflect latest component usage and styling.

v3.0.1

Fixes
  • #​4211 Restored autocomplete arrow key hover styles.
  • #​4205 Removed old modal style for closing "x" (now fixed in Bulma v1).
  • #​4204 Added missing span to NavBurger.
  • #​4210 chore(lib): use @forward in Buefy main Sass file to allow custom Sass variables.
Fixes (docs)

v3.0.0

Breaking Changes
  • Migrated entire codebase to Bulma v1.0.3 for modernized styling and layout.
  • Deprecated Sass global built-in functions; replaced with modern equivalents.
  • Removed legacy bulmacssvars and outdated style references.
  • Replaced all value props with modelValue across components to align with Vue 3 standards.
  • Programmatically mounted components (e.g., Modal, Dialog, Snackbar) now require standalone Vue apps and cannot use plugins.
  • StepItem, CarouselItem, and TabItem now require explicit order props to maintain consistent rendering order.
New Features
  • Introduced a new color system for Buefy v3 documentation and component theming.
  • Added support for Cleave.js as a directive for input formatting.
  • Updated all style variables and documentation to reflect Bulma v1 conventions.
Fixes
  • Resolved SCSS issues in Dropdown, Navbar, and Input loading states.
  • Fixed deprecated Sass usage and lint/type check errors across the codebase.
  • Updated unit tests to reflect new architecture and styling.
Fixes (docs)
  • Updated documentation for Sass and CSS variable usage.
  • Refreshed component style variable references and examples.
  • Migrated interactive examples to StackBlitz and updated Netlify deploy previews.
Others
  • Merged 28 commits for Bulma v1 migration and v3 release.
  • Bumped version to v3.0.0 and updated changelog accordingly.
  • Cleaned up dev dependencies and workflows for modern build tools.

v1.0.2

Fixes
  • #​4139 Fixed various bugs in the Autocomplete component.
  • #​4189 Fixed Clockpicker not closing properly and removed the autoSwitch prop.
  • #​4156 Exported SnackbarOpenParams type for better TypeScript support.
  • #​4176 Fixed issues in the ImproveThis component.
  • Removed deprecated high contrast styles and references.
  • Removed accidental dependencies and cleaned up unused references to buefy-next.
Fixes (docs)
  • #​4142 Updated documentation for Vue 3 components.
  • #​4193 Cleaned up README content and formatting.
  • Updated social and Discord links across documentation.
  • Migrated interactive examples from CodePen to StackBlitz.
Others
  • #​4173 Version bump: package.json version set to 1.0.2
  • #​4197 Update Changelog for version 1.0.2
  • #​4184 Added bulma as a direct dependency of Buefy.
  • #​4192 Cleaned up StackBlitz integration and dev dependencies.
  • #​4196 Implemented Carbon Ads integration.
  • Updated workflows and access levels for dev packages.
  • Added reference to ClockpickerFace component.
  • Added Buefy Collective metadata for community support.

v1.0.1

Breaking changes
  • #​4135 Tooltip introduced a new variant is-auto for the position prop and made it the new default.
Fixes
  • Updated workflows and scripts to reference the package as "buefy" instead of "@​ntohq/buefy-next".
  • Updated main repo references:
  • package.json now points to the new repository and issues URLs.
  • Linting, type check, and unit test scripts reference "buefy" workspace.
  • All configuration and ignore files renamed/moved from buefy-next to buefy.
Fixes (docs)
  • README installation and usage instructions updated to use buefy as the npm package.
  • Documentation now references buefy instead of @​ntohq/buefy-next everywhere.
  • Clarified developer release installation instructions and naming conventions in the README.
Others
  • Version bump: package.json version set to 1.0.1.
  • jsconfig updated to reference new source directory.
  • Large updates to package-lock.json and workflow YAML files to match new structure.

v1.0.0

This version was published more than 8 years before the intended release of Buefy 1.0 and does not represent the official, stable v1. It was released prematurely and lacks the features, structure, and design decisions that define the true Buefy v1.0.0.

Please upgrade to v1.0.1 or newer to access the latest architecture, complete documentation, and active support.


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot commented Oct 1, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/list/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: [email protected]
npm error Found: [email protected]
npm error node_modules/vue
npm error   vue@"2.7.16" from [email protected]
npm error   frontend
npm error     [email protected]
npm error     node_modules/list
npm error       workspace frontend from the root project
npm error
npm error Could not resolve dependency:
npm error peer vue@"^3.0.0" from [email protected]
npm error node_modules/buefy
npm error   buefy@"3.0.4" from [email protected]
npm error   frontend
npm error     [email protected]
npm error     node_modules/list
npm error       workspace frontend from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-02-17T20_05_59_567Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-02-17T20_05_59_567Z-debug-0.log

github-actions bot commented Oct 1, 2025

⚠️MegaLinter analysis: Success with warnings

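| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 14 | | 0 | 0 | 0.24s |
| ✅ BASH | bash-exec | 7 | | 0 | 0 | 0.03s |
| ✅ BASH | shellcheck | 4 | | 0 | 0 | 0.24s |
| ⚠️ BASH | shfmt | 7 | | 1 | 0 | 0.01s |
| ✅ CSHARP | csharpier | 3 | | 0 | 0 | 2.47s |
| ⚠️ CSHARP | roslynator | 1 | | 1 | 0 | 12.96s |
| ✅ CSS | stylelint | 1 | | 0 | 0 | 2.26s |
| ✅ DOCKERFILE | hadolint | 5 | | 0 | 0 | 0.23s |
| ✅ EDITORCONFIG | editorconfig-checker | 435 | | 0 | 0 | 2.73s |
| ✅ ENV | dotenv-linter | 1 | | 0 | 0 | 0.01s |
| ⚠️ GROOVY | npm-groovy-lint | 8 | | 0 | 20 | 26.31s |
| ✅ HTML | djlint | 2 | | 0 | 0 | 2.31s |
| ✅ HTML | htmlhint | 2 | | 0 | 0 | 0.36s |
| ⚠️ JAVA | checkstyle | 64 | | 0 | 90 | 10.03s |
| ✅ JSON | jsonlint | 53 | | 0 | 0 | 0.59s |
| ✅ JSON | prettier | 53 | | 0 | 0 | 5.67s |
| ✅ JSON | v8r | 53 | | 0 | 0 | 33.85s |
| ⚠️ MARKDOWN | markdownlint | 23 | | 273 | 0 | 2.28s |
| ✅ PYTHON | bandit | 1 | | 0 | 0 | 2.36s |
| ✅ PYTHON | black | 1 | | 0 | 0 | 1.66s |
| ✅ PYTHON | flake8 | 1 | | 0 | 0 | 0.88s |
| ✅ PYTHON | isort | 1 | | 0 | 0 | 0.66s |
| ✅ PYTHON | mypy | 1 | | 0 | 0 | 11.49s |
| ✅ PYTHON | ruff | 1 | | 0 | 0 | 0.03s |
| ✅ REPOSITORY | checkov | yes | | no | no | 46.43s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 4.93s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.42s |
| ⚠️ REPOSITORY | kics | yes | | no | 109 | 60.05s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 3.87s |
| ✅ REPOSITORY | syft | yes | | no | no | 17.37s |
| ⚠️ REPOSITORY | trivy | yes | | 18 | no | 23.61s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 5.95s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 6.86s |
| ✅ XML | xmllint | 4 | | 0 | 0 | 1.47s |
| ✅ YAML | prettier | 118 | | 0 | 0 | 3.52s |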

Detailed Issues

⚠️ JAVA / checkstyle - 90 warnings
warning: First sentence of Javadoc is missing an ending period.

warning: Missing a Javadoc comment.

warning: Line is longer than 100 characters (found 103).

warning: Line is longer than 100 characters (found 107).

warning: Line is longer than 100 characters (found 115).

warning: Line is longer than 100 characters (found 220).

warning: Line is longer than 100 characters (found 104).

warning: Line is longer than 100 characters (found 117).

warning: Line is longer than 100 characters (found 154).

warning: Line is longer than 100 characters (found 111).

warning: Line is longer than 100 characters (found 128).

warning: Line is longer than 100 characters (found 142).

warning: Line is longer than 100 characters (found 132).

warning: Line is longer than 100 characters (found 141).

warning: 90 warnings emitted
⚠️ REPOSITORY / kics - 109 warnings
warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
    ┌─ docker-compose/docker-compose.staging.yaml:211:1
    │
211 │   notify:
    │ ^^^^^^^^^
    │
    = Container Capabilities Unrestricted
    = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:56:1
   │
56 │   maildev:
   │ ^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
  ┌─ src/list/frontend/tests/e2e/docker-compose.yaml:2:1
  │
2 │   list:
  │ ^^^^^^^
  │
  = Container Capabilities Unrestricted
  = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ docker-compose/docker-compose.staging.yaml:25:1
   │
25 │   omopdb:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:26:1
   │
26 │   jobstore-db:
   │ ^^^^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/query/tests/e2e/docker-compose.yaml:28:1
   │
28 │   tester:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/deploy/docker-compose.dev.yml:36:1
   │
36 │   keycloak:
   │ ^^^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/notify/tests/e2e/docker-compose.yaml:33:1
   │
33 │   tester:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/deploy/docker-compose.dev.yml:14:1
   │
14 │   loader:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
  ┌─ src/notify/tests/e2e/docker-compose.yaml:4:1
  │
4 │   notify:
  │ ^^^^^^^^^
  │
  = Container Capabilities Unrestricted
  = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
  ┌─ src/list/frontend/deploy/docker-compose.dev.yml:2:1
  │
2 │   fhir:
  │ ^^^^^^^
  │
  = Container Capabilities Unrestricted
  = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
   ┌─ src/list/frontend/deploy/docker-compose.dev.yml:26:1
   │
26 │   jaeger:
   │ ^^^^^^^^^
   │
   = Container Capabilities Unrestricted
   = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
    ┌─ docker-compose/docker-compose.staging.yaml:230:1
    │
230 │   list:
    │ ^^^^^^^
    │
    = Container Capabilities Unrestricted
    = Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.

warning: Docker compose file doesn't have 'cap_dr

(Truncated to 5714 characters out of 33943)
⚠️ MARKDOWN / markdownlint - 273 errors
CHANGELOG.md:5 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:9:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:10:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:13 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:24 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:25 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:30 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:31 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:45 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:52 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:53 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:56:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:59 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:60 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:66:121 MD013/line-length Line length [Expected: 120; Actual: 241]
CHANGELOG.md:73 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:74 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:81:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:86 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:91 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:92 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:105:121 MD013/line-length Line length [Expected: 120; Actual: 229]
CHANGELOG.md:106:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:109:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:122 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:125:121 MD013/line-length Line length [Expected: 120; Actual: 224]
CHANGELOG.md:127 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:128 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:132 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:133 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:139 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:140 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:144 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:145 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:151 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:152 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:158 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:159 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:163 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:164 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:167:121 MD013/line-length Line length [Expected: 120; Actual: 219]
CHANGELOG.md:168:121 MD013/line-length Line length [Expected: 120; Actual: 221]
CHANGELOG.md:169:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:170:121 MD013/line-length Line length [Expected: 120; Actual: 220]
CHANGELOG.md:171:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:177:121 MD013/line-length Line length [Expected: 120; Actual: 233]
CHANGELOG.md:180 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:181 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Documentation"]
CHANGELOG.md:185 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
CHANGELOG.md:186 MD024/no-duplicate-heading Multiple headings with the same content [Context: "Miscellaneous Chores"]
CHANGELOG.md:207:121 MD013/line-length Line length [Expected: 120; Actual: 228]
CHANGELOG.md:209:121 MD013/line-length Line length [Expected: 120; Actual: 230]
CHANGELOG.md:211:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:212:121 MD013/line-length Line length [Expected: 120; Actual: 232]
CHANGELOG.md:213:121 MD013/line-length Line length [Expected: 120; Actual: 234]
CHANGELOG.md:215:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:216:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:217:121 MD013/line-length Line length [Expected: 120; Actual: 237]
CHANGELOG.md:218:121 MD013/line-length Line length [Expected: 120; Actual: 239]
CHANGELOG.md:219:121 MD013/line-length Line length [Expected: 120; Actual: 239]
CHANGELOG.md:220:121 MD013/line-length Line length [Expected: 12

(Truncated to 5714 characters out of 26039)
⚠️ GROOVY / npm-groovy-lint - 20 warnings
note: Class should be marked with one of @GrailsCompileStatic, @CompileStatic or @CompileDynamic
 = Check that classes are explicitely annotated with either @GrailsCompileStatic, @CompileStatic or @CompileDynamic

note: The String 'spring-boot-loader' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:71:24
   │
71 │             intoLayer("spring-boot-loader") {
   │                        ^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'org/springframework/boot/loader/**' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:72:26
   │
72 │                 include("org/springframework/boot/loader/**")
   │                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'application' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:74:24
   │
74 │             intoLayer("application")
   │                        ^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'module-dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:77:24
   │
77 │             intoLayer("module-dependencies") {
   │                        ^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'org.miracum:*:*' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:78:26
   │
78 │                 include("org.miracum:*:*")
   │                          ^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:80:24
   │
80 │             intoLayer("dependencies")
   │                        ^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:25
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                         ^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'spring-boot-loader' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:41
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                         ^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'module-dependencies' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:63
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                                               ^^^^^^^^^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: The String 'application' can be wrapped in single quotes instead of double quotes
   ┌─ src/buildSrc/src/main/groovy/org.miracum.recruit.java-application-conventions.gradle:82:86
   │
82 │         layerOrder = [ "dependencies", "spring-boot-loader", "module-dependencies", "application" ]
   │                                                                                      ^^^^^^^^^^^
   │
   = String objects should be created with single quotes, and GString objects created with double quotes. Creating normal String objects with double quotes is confusing to readers.

note: Class should be marked with one of @GrailsCompileStatic, @CompileStatic or @CompileDynamic
 = Check that classes are explicitely annotated with ei

(Truncated to 5714 characters out of 7255)
⚠️ CSHARP / roslynator - 1 error
Results of roslynator linter (version 0.11.0.0)
See documentation on https://megalinter.io/9.2.0/descriptors/csharp_roslynator/
-----------------------------------------------

❌ [ERROR] tests/chaos/tester/tester.csproj
    Loading project 'tests/chaos/tester/tester.csproj'...
    Analyze 'tester'
      Program.cs(50,32): error CS0103: The name 'TimeSpan' does not exist in the current context
      Program.cs(108,5): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(115,28): error CS0103: The name 'File' does not exist in the current context
      Program.cs(117,9): error CS0103: The name 'JsonSerializer' does not exist in the current context
      Program.cs(125,9): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(127,22): error CS0103: The name 'Policy' does not exist in the current context
      Program.cs(140,9): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(141,15): error CS0103: The name 'System' does not exist in the current context
      Program.cs(141,49): error CS0103: The name 'TimeSpan' does not exist in the current context
      Program.cs(147,5): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(155,5): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(160,5): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(169,5): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(184,13): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(192,19): error CS0103: The name 'System' does not exist in the current context
      Program.cs(192,53): error CS0103: The name 'TimeSpan' does not exist in the current context
      Program.cs(196,9): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(202,13): error CS0103: The name 'Console' does not exist in the current context
      Program.cs(213,15): error CS0103: The name 'System' does not exist in the current context
      Program.cs(213,49): error CS0103: The name 'TimeSpan' does not exist in the current context
      Program.cs(101,42): error CS0161: 'RunTest(FileInfo, Uri, TimeSpan, int)': not all code paths return a value
      Program.cs(145,42): error CS0161: 'RunDeleteMessages(Uri)': not all code paths return a value
      Program.cs(163,42): error CS0161: 'RunAssert(Uri, int, int)': not all code paths return a value
      Program.cs(1,7): error CS0246: The type or namespace name 'System' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(2,7): error CS0246: The type or namespace name 'System' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(3,7): error CS0246: The type or namespace name 'System' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(4,7): error CS0246: The type or namespace name 'Hl7' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(5,7): error CS0246: The type or namespace name 'Hl7' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(6,7): error CS0246: The type or namespace name 'Hl7' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(7,7): error CS0246: The type or namespace name 'Polly' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(9,23): error CS0246: The type or namespace name 'RootCommand' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(11,35): error CS0246: The type or namespace name 'Option<>' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(11,42): error CS0246: The type or namespace name 'Uri' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(18,33): error CS0246: The type or namespace name 'Command' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(26,22): error CS0246: The type or namespace name 'Option<>' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(26,29): error CS0246: The type or namespace name 'FileInfo' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(34,27): error CS0246: The type or namespace name 'Option<>' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(40,31): error CS0246: The type or namespace name 'Option<>' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(40,38): error CS0246: The type or namespace name 'Uri' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(44,41): error CS0246: The type or namespace name 'Uri' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(46,26): error CS0246: The type or namespace name 'Option<>' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(46,33): error CS0246: The type or namespace name 'TimeSpan' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(52,23): error CS0246: The type or namespace name 'Command' could not be found (are you missing a using directive or an assembly reference?)
      Program.cs(73,38): error CS0246: The type or namesp

(Truncated to 5714 characters out of 26578)
⚠️ BASH / shfmt - 1 error
diff src/gradlew.orig src/gradlew
--- src/gradlew.orig
+++ src/gradlew
@@ -71,15 +71,15 @@
 
 # Need this for daisy-chained symlinks.
 while
-    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
-    [ -h "$app_path" ]
+  APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
+  [ -h "$app_path" ]
 do
-    ls=$( ls -ld "$app_path" )
-    link=${ls#*' -> '}
-    case $link in             #(
-      /*)   app_path=$link ;; #(
-      *)    app_path=$APP_HOME$link ;;
-    esac
+  ls=$(ls -ld "$app_path")
+  link=${ls#*' -> '}
+  case $link in         #(
+  /*) app_path=$link ;; #(
+  *) app_path=$APP_HOME$link ;;
+  esac
 done
 
 # This is normally unused
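Review bot: every changed line in this hunk, from the `while` condition through `esac`, differs only in indentation and in the spacing inside `$( )`, and `src/gradlew` is the Gradle wrapper start script, which the wrapper task regenerates. Rather than committing the reformatted file, exclude `src/gradlew` from the shfmt run so the same finding does not come back after the next wrapper update.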
@@ -86,20 +86,20 @@
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
+APP_HOME=$(cd -P "${APP_HOME:-./}" >/dev/null && printf '%s\n' "$PWD") || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
 
-warn () {
-    echo "$*"
-} >&2
-
-die () {
-    echo
-    echo "$*"
-    echo
-    exit 1
+warn() {
+  echo "$*"
+} >&2
+
+die() {
+  echo
+  echo "$*"
+  echo
+  exit 1
 } >&2
 
 # OS specific support (must be 'true' or 'false').
@@ -107,57 +107,56 @@
 msys=false
 darwin=false
 nonstop=false
-case "$( uname )" in                #(
-  CYGWIN* )         cygwin=true  ;; #(
-  Darwin* )         darwin=true  ;; #(
-  MSYS* | MINGW* )  msys=true    ;; #(
-  NONSTOP* )        nonstop=true ;;
+case "$(uname)" in           #(
+CYGWIN*) cygwin=true ;;      #(
+Darwin*) darwin=true ;;      #(
+MSYS* | MINGW*) msys=true ;; #(
+NONSTOP*) nonstop=true ;;
 esac
 
-
-
 # Determine the Java command to use to start the JVM.
-if [ -n "$JAVA_HOME" ] ; then
-    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
-        # IBM's JDK on AIX uses strange locations for the executables
-        JAVACMD=$JAVA_HOME/jre/sh/java
-    else
-        JAVACMD=$JAVA_HOME/bin/java
-    fi
-    if [ ! -x "$JAVACMD" ] ; then
-        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
-
-Please set the JAVA_HOME variable in your environment to match the
-location of your Java installation."
-    fi
+if [ -n "$JAVA_HOME" ]; then
+  if [ -x "$JAVA_HOME/jre/sh/java" ]; then
+    # IBM's JDK on AIX uses strange locations for the executables
+    JAVACMD=$JAVA_HOME/jre/sh/java
+  else
+    JAVACMD=$JAVA_HOME/bin/java
+  fi
+  if [ ! -x "$JAVACMD" ]; then
+    die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+  fi
 else
-    JAVACMD=java
-    if ! command -v java >/dev/null 2>&1
-    then
-        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-
-Please set the JAVA_HOME variable in your environment to match the
-location of your Java installation."
-    fi
+  JAVACMD=java
+  if ! command -v java >/dev/null 2>&1; then
+    die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+  fi
 fi
 
 # Increase the maximum file descriptors if we can.
-if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
-    case $MAX_FD in #(
-      max*)
-        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC2039,SC3045
-        MAX_FD=$( ulimit -H -n ) ||
-            warn "Could not query maximum file descriptor limit"
-    esac
-    case $MAX_FD in  #(
-      '' | soft) :;; #(
-      *)
-        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC2039,SC3045
-        ulimit -n "$MAX_FD" ||
-            warn "Could not set maximum file descriptor limit to $MAX_FD"
-    esac
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop"; then
+  case $MAX_FD in #(
+  max*)
+    # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+    # shellcheck disable=SC2039,SC3045
+    MAX_FD=$(ulimit -H -n) ||
+      warn "Could not query maximum file descriptor limit"
+    ;;
+  esac
+  case $MAX_FD in #(
+  '' | soft) : ;; #(
+  *)
+    # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+    # shellcheck disable=SC2039,SC3045
+    ulimit -n "$MAX_FD" ||
+      warn "Could not set maximum file descriptor limit to $MAX_FD"
+    ;;
+  esac
 fi
 
 # Collect all arguments for the java command, stacking in reverse order:
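Review bot: in both `case $MAX_FD` blocks the formatter adds a `;;` after the `warn "Could not ..."` continuation, which is the one place in this hunk where a token is added rather than whitespace moved. The terminator is optional on the last branch of a `case`, so behaviour is unchanged, but confirm that explicitly when reviewing, because it is easy to miss among the re-indented lines.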
@@ -169,35 +168,36 @@
 #   * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
 
 # For Cygwin or MSYS, switch paths to Windows format before running java
-if "$cygwin" || "$msys" ; then
-    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
-
-    JAVACMD=$( cygpath --unix "$JAVACMD" )
-
-    # Now convert the arguments - kludge to limit ourselves to /bin/sh
-    for arg do
-        if
-            case $arg in                                #(
-              -*)   false ;;                            # don't mess with options #(
-              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
-                    [ -e "$t" ] ;;                      #(
-              *)    false ;;
-            esac
-        then
-            arg=$( cygpath --path --ignore --mixed "$arg" )
-        fi
-        # Roll the args list around exactly as many times as the number of
-        # args, so each arg

(Truncated to 5714 characters out of 8251)
⚠️ REPOSITORY / trivy - 18 errors
error: Package: form-data
Installed Version: 2.3.3
Vulnerability CVE-2025-7783
Severity: CRITICAL
Fixed Version: 2.5.4, 3.0.4, 4.0.4
Link: [CVE-2025-7783](https://avd.aquasec.com/nvd/cve-2025-7783)
    ┌─ src/list/frontend/tests/e2e/package-lock.json:925:1
    │  
925 │ ╭     "node_modules/form-data": {
926 │ │       "version": "2.3.3",
927 │ │       "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz",
928 │ │       "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==",
    · │
938 │ │       }
939 │ │     },
    │ ╰^
    │  
    = form-data: Unsafe random function in form-data
    = Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
      
      This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

error: Package: qs
Installed Version: 6.10.4
Vulnerability CVE-2025-15284
Severity: HIGH
Fixed Version: 6.14.1
Link: [CVE-2025-15284](https://avd.aquasec.com/nvd/cve-2025-15284)
     ┌─ src/list/frontend/tests/e2e/package-lock.json:1683:1
     │  
1683 │ ╭     "node_modules/qs": {
1684 │ │       "version": "6.10.4",
1685 │ │       "resolved": "https://registry.npmjs.org/qs/-/qs-6.10.4.tgz",
1686 │ │       "integrity": "sha512-OQiU+C+Ds5qiH91qh/mg0w+8nwQuLjM4F4M/PbmhDOoYehPh+Fb0bDjtR1sOvy7YKxvj28Y/M0PhP5uVX0kB+g==",
     · │
1697 │ │       }
1698 │ │     },
     │ ╰^
     │  
     = qs: qs: Denial of Service via improper input validation in array parsing
     = Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
       
       Summary: The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
       
       Details: The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
       
       Vulnerable code (lib/parse.js:159-162):
       
       if (root === '[]' && options.parseArrays) {
           obj = utils.combine([], leaf);  // No arrayLimit check
       }
       
       
       
       
       
       Working code (lib/parse.js:175):
       
       else if (index <= options.arrayLimit) {  // Limit checked here
           obj = [];
           obj[index] = leaf;
       }
       
       
       
       
       
       The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
       
       PoC
       
       Test 1 - Basic bypass:
       
       npm install qs
       
       
       
       
       
       const qs = require('qs');
       const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
       console.log(result.a.length);  // Output: 6 (should be max 5)
       
       
       
       
       
       Test 2 - DoS demonstration:
       
       const qs = require('qs');
       const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
       const result = qs.parse(attack, { arrayLimit: 100 });
       console.log(result.a.length);  // Output: 10000 (should be max 100)
       
       
       
       
       
       Configuration:
       
         *  arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
         *  Use bracket notation: a[]=value (not indexed a[0]=value)
       
       
       Impact: Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
       
       Attack scenario:
       
         *  Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
         *  Application parses with qs.parse(query, { arrayLimit: 100 })
         *  qs ignores limit, parses all 100,000 elements into array
         *  Server memory exhausted → application crashes or becomes unresponsive
         *  Service unavailable for all users
       
       Real-world impact:
       
         *  Single malicious request can crash server
         *  No authentication required
         *  Easy to automate and scale
         *  Affects any endpoint parsing query strings with bracket notation

error: Package: braces
Installed Version: 2.3.2
Vulnerability CVE-2024-4068
Severity: HIGH
Fixed Version: 3.0.3
Link: [CVE-2024-4068](https://avd.aquasec.com/nvd/cve-2024-4068)
      ┌─ src/list/package-lock.json:20463:1
      │  
20463 │ ╭     "node_modules/jscodeshift/node_modules/braces": {
20464 │ │       "version": "2.3.2",
20465 │ │       "license": "MIT",
20466 │ │       "optional": true,
      · │
20481 │ │       }
20482 │ │     },
      │ ╰^
      │  
      = braces: fails to limit the number of characters it can handle
      = The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

error: Package: cross-spawn
Installed Version: 6.0.5
Vulnerability CVE-2024-21538
Severity: HIGH
Fixed Version: 7.0.5, 6.0.6
Link: [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)
      ┌─ src/list/package-lock.json:13820:1
      │  
13820 │ ╭     "node_modules/execa/node_module

(Truncated to 5714 characters out of 22461)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_RUFF,ACTION_ACTIONLINT,BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,CSHARP_CSHARPIER,CSHARP_ROSLYNATOR,CSS_STYLELINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,ENV_DOTENV_LINTER,GROOVY_NPM_GROOVY_LINT,HTML_DJLINT,HTML_HTMLHINT,JAVA_CHECKSTYLE,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,XML_XMLLINT,YAML_PRETTIER

MegaLinter is graciously provided by OX Security

@renovate renovate bot force-pushed the renovate/buefy-3.x branch 2 times, most recently from 2f85868 to 3d76bc2 Compare October 2, 2025 00:54
@renovate renovate bot force-pushed the renovate/buefy-3.x branch 6 times, most recently from 2572004 to a637fbd Compare November 6, 2025 23:09
@renovate renovate bot force-pushed the renovate/buefy-3.x branch 2 times, most recently from 3739c3a to 05b1393 Compare November 11, 2025 08:58
@renovate renovate bot force-pushed the renovate/buefy-3.x branch from 05b1393 to 9486b39 Compare December 3, 2025 07:53
@renovate renovate bot force-pushed the renovate/buefy-3.x branch 5 times, most recently from 7930d2f to 1fe29af Compare December 14, 2025 21:57
@renovate renovate bot force-pushed the renovate/buefy-3.x branch 4 times, most recently from 11cada6 to 3102d61 Compare January 8, 2026 08:04
@renovate renovate bot force-pushed the renovate/buefy-3.x branch from 3102d61 to 0329ec8 Compare January 21, 2026 06:25
@renovate renovate bot force-pushed the renovate/buefy-3.x branch 7 times, most recently from 6a7e74a to 7bf131d Compare February 4, 2026 14:57
@renovate renovate bot force-pushed the renovate/buefy-3.x branch from 7bf131d to 59ee2f9 Compare February 4, 2026 15:05
@renovate renovate bot force-pushed the renovate/buefy-3.x branch from 59ee2f9 to 47e46ac Compare February 4, 2026 16:07