Skip to content

Bump oxsecurity/megalinter from 9.4.0 to 9.5.0#1160

Merged
Romanitho merged 1 commit into
developfrom
dependabot/github_actions/develop/oxsecurity/megalinter-9.5.0
May 19, 2026
Merged

Bump oxsecurity/megalinter from 9.4.0 to 9.5.0#1160
Romanitho merged 1 commit into
developfrom
dependabot/github_actions/develop/oxsecurity/megalinter-9.5.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Copy link
Copy Markdown
Contributor

Bumps oxsecurity/megalinter from 9.4.0 to 9.5.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

  • Breaking changes

    • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

      • oxsecurity/megalinter:v9ghcr.io/oxsecurity/megalinter:v9
      • oxsecurity/megalinter:betaghcr.io/oxsecurity/megalinter:beta
      • oxsecurity/megalinter-<flavor>:v9ghcr.io/oxsecurity/megalinter-<flavor>:v9

      GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

    • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

    • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

      • extends: ["airbnb"]extends: ["airbnb-extended"]
      • extends: ["standard"]extends: ["neostandard"]
  • Core

    • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
    • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
    • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
    • Upgrade GO runtime to 1.26.3
  • New linters

    • osv-scanner: trivy-like vulnerability scanner by Google
    • zizmor: GitHub Actions static analysis
  • Disabled linters

    • KICS (until upstream security issue is fixed)
    • Spectral (crashing)
  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

    • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
    • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
    • raku (Rakudo): now ships on ARM64 too
    • scala: linter installation is now deterministic (same binary across rebuilds)
    • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
    • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
    • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source
  • Fixes

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

  • Breaking changes

  • Core

  • New linters

  • Disabled linters

  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

  • Fixes

    • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
  • Reporters

  • Flavors

  • Doc

    • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats
  • mega-linter-runner

  • Dev

  • CI

  • Linter versions upgrades (N)

    • black from 26.3.1 to 26.5.0 on 2026-05-16
    • stylua from 2.4.1 to 2.5.2 on 2026-05-17
    • terraform-fmt from 1.15.2 to 1.15.3 on 2026-05-17
    • jscpd from 4.1.1 to 4.2.0 on 2026-05-17
    • stylelint from 17.11.0 to 17.11.1 on 2026-05-17

... (truncated)

Commits
  • 0e3ce9b Fix release workflows.
  • 3e132b1 Release MegaLinter v9.5.0
  • cbb7fe9 Doc + prepare 9.5.0 release (#7836)
  • 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
  • ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
  • e04f202 feat: implement user notifications system and replace migration warnings (#7833)
  • 54bfad8 chore(deps): update dependency @​stoplight/spectral-cli to v6.16.0 (#7830)
  • f809408 Eslint legacy detection & warning (#7831)
  • 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
  • cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 9.4.0 to 9.5.0.
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@8fbdead...0e3ce9b)

---
updated-dependencies:
- dependency-name: oxsecurity/megalinter
  dependency-version: 9.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 18, 2026
@github-actions

Copy link
Copy Markdown
Contributor

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 2.77s
⚠️ REPOSITORY checkov yes 3 no 22.41s
⚠️ REPOSITORY devskim yes 1 8 2.75s
✅ REPOSITORY dustilock yes no no 0.03s
✅ REPOSITORY gitleaks yes no no 0.88s
✅ REPOSITORY git_diff yes no no 0.02s
✅ REPOSITORY grype yes no no 46.08s
❌ REPOSITORY kingfisher yes 1 no 8.57s
❌ REPOSITORY osv-scanner yes 1 no 0.17s
✅ REPOSITORY secretlint yes no no 1.62s
✅ REPOSITORY syft yes no no 2.57s
✅ REPOSITORY trivy yes no no 10.98s
✅ REPOSITORY trivy-sbom yes no no 0.29s
✅ REPOSITORY trufflehog yes no no 4.24s

Detailed Issues

❌ REPOSITORY / kingfisher - 1 error

Linter output file not found

❌ REPOSITORY / osv-scanner - 1 error

Linter output file not found

⚠️ REPOSITORY / checkov - 3 errors

Linter output file not found

⚠️ REPOSITORY / devskim - 1 error

Linter output file not found

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@Romanitho
Romanitho merged commit 2314ef9 into develop May 19, 2026
1 of 2 checks passed
@dependabot
dependabot Bot deleted the dependabot/github_actions/develop/oxsecurity/megalinter-9.5.0 branch May 19, 2026 07:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant