
Bump docker/login-action from 4.0.0 to 4.1.0 #32

Merged

rennf93 merged 1 commit into master from dependabot/github_actions/docker/login-action-4.1.0 on Apr 6, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Apr 6, 2026

Bumps docker/login-action from 4.0.0 to 4.1.0.

Release notes

Sourced from docker/login-action's releases.

v4.1.0

Full Changelog: docker/login-action@v4.0.0...v4.1.0

Commits
  • 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 1e233e6 chore: update generated content
  • 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
  • ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
  • d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
  • a6f092b chore: update generated content
  • 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
  • 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 102c0e6 chore: update generated content
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [docker/login-action](https://github.com/docker/login-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v4.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on Apr 6, 2026

github-actions[bot] commented Apr 6, 2026

🔍 Vulnerabilities of renzof93/github-actions-secrets-mgmt:latest

📦 Image Reference: renzof93/github-actions-secrets-mgmt:latest
Digest: sha256:dc0648647a5548408d91f0ebf695de5b5bf356ace96ad54109b4cf96ba91e0a2
Vulnerabilities: critical: 0, high: 0, medium: 3, low: 0
Platform: linux/amd64
Size: 104 MB
Packages: 63

📦 Base Image: python:3-alpine3.20
Also known as:
  • 3.13-alpine3.20
  • 3.13.3-alpine3.20
  • alpine3.20
Digest: sha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
Vulnerabilities: critical: 0, high: 6, medium: 12, low: 4
requests 2.32.3 (pypi): critical: 0, high: 0, medium: 2, low: 0

pkg:pypi/requests@2.32.3

medium 5.3: CVE-2024-47081 Insufficiently Protected Credentials

Affected range: <2.32.4
Fixed version: 2.32.4
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score: 0.070%
EPSS Percentile: 22nd percentile
Description

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

medium 4.4: CVE-2026-25645 Insecure Temporary File

Affected range: <2.33.0
Fixed version: 2.33.0
CVSS Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS Score: 0.004%
EPSS Percentile: 0th percentile
Description

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

pynacl 1.5.0 (pypi): critical: 0, high: 0, medium: 1, low: 0

pkg:pypi/pynacl@1.5.0

medium 4.5: CVE-2025-69277 Incomplete List of Disallowed Inputs

Affected range: <1.6.2
Fixed version: 1.6.2
CVSS Score: 4.5
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score: 0.007%
EPSS Percentile: 1st percentile
Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

This advisory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.
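The predictable-temp-file pattern that the CVE-2026-25645 entry above describes, beside a hardened extractor, as an added example: this is not code from the page or from the requests project, and every function name, the constructed zip archive and the stand-in "shared_tmp" directory are assumptions for illustration. The hardened version creates a fresh private directory with tempfile.mkdtemp() (mode 0700, and it honours TMPDIR, which is the advisory's own fallback mitigation) and opens the destination with O_CREAT|O_EXCL, so a pre-planted file is neither reused nor overwritten.

```python
"""Predictable temp-file reuse (the CVE-2026-25645 pattern) beside a hardened
extractor. Added example with hypothetical names; not the requests project's code."""
import os
import tempfile
import zipfile
from pathlib import Path


def extract_predictable(zip_path: str, member: str, tmp_dir: str) -> str:
    """Vulnerable pattern: destination is <tmp_dir>/<basename>, guessable by
    anyone who can write to tmp_dir, and an existing file at that path is
    trusted and reused without checking who created it or what it contains."""
    dest = os.path.join(tmp_dir, os.path.basename(member))
    if os.path.exists(dest):
        return dest  # an attacker-planted file wins
    with zipfile.ZipFile(zip_path) as zf, open(dest, "wb") as out:
        out.write(zf.read(member))
    return dest


def extract_hardened(zip_path: str, member: str) -> str:
    """Hardened pattern: a fresh private directory (mkdtemp creates it with
    mode 0700 and honours TMPDIR) plus O_CREAT|O_EXCL, so the destination is
    unpredictable, never pre-existing, and never silently reused."""
    name = os.path.basename(member)
    if name in ("", ".", ".."):
        raise ValueError(f"refusing to extract member {member!r}")
    private_dir = tempfile.mkdtemp(prefix="extract-")
    dest = os.path.join(private_dir, name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(zip_path) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member))
    return dest


def demo() -> dict:
    """Constructed scenario: a local attacker pre-creates the predictable path
    in a shared temp directory before the victim extracts a CA bundle."""
    work = Path(tempfile.mkdtemp(prefix="demo-"))
    shared_tmp = work / "shared_tmp"  # stands in for a world-writable /tmp
    shared_tmp.mkdir()
    zip_path = work / "bundle.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("certs/ca.pem", "LEGIT CA BUNDLE")
    (shared_tmp / "ca.pem").write_text("ATTACKER CA BUNDLE")  # planted by attacker

    vuln_path = extract_predictable(str(zip_path), "certs/ca.pem", str(shared_tmp))
    safe_path = extract_hardened(str(zip_path), "certs/ca.pem")
    return {
        "vulnerable_content": Path(vuln_path).read_text(),
        "hardened_content": Path(safe_path).read_text(),
        "hardened_dir_mode": oct(os.stat(os.path.dirname(safe_path)).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns the attacker's bundle because the path was both guessable and trusted when found; the hardened one returns the archive's own content from a directory only the current user can enter, and two calls never share a path.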

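The check the CVE-2025-69277 entry above is about, written out as an added example in pure Python: this is not libsodium's or PyNaCl's code. A strict Ed25519 point validator accepts a point only if it is on the curve, is not the identity, and lands on the identity when multiplied by the prime subgroup order L, which is exactly membership in the "main cryptographic group". The curve constants are the standard Ed25519 parameters from RFC 8032; the order-2 point and the mixed-order point B + T are constructed inputs that a curve-equation-only check would wrongly accept. The affine formulas are the textbook complete twisted-Edwards addition law, slow and not constant-time, adequate for illustration only.

```python
"""Ed25519 point validation that rejects points outside the prime-order
subgroup. Added example in pure Python; not libsodium or PyNaCl code."""

# Standard Ed25519 parameters (RFC 8032): field prime, curve constant d,
# prime subgroup order L, base point B (generates the order-L subgroup).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
L = 2**252 + 27742317777372353535851937790883648493
B = (
    15112221349535400772501151409588531511454012693041857206046113283949847762202,
    46316835694926478169428394003475163141307993866256225615783033603165251855960,
)
IDENTITY = (0, 1)        # neutral element of the twisted Edwards group
ORDER_TWO = (0, P - 1)   # small-order point (order 2): on the curve, not in the main group


def is_on_curve(pt):
    """Curve equation -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Complete affine addition law for a = -1 twisted Edwards curves.
    Valid for doubling too; denominators are never zero because d is a non-square."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def is_valid_point(pt):
    """Strict check: on the curve, not the identity, and L*pt == identity.
    That last condition is membership in the prime-order subgroup. A validator
    that stops at the curve equation accepts ORDER_TWO and B + ORDER_TWO;
    multiplying by 8*L instead of L accepts every curve point, since 8*L is
    the order of the whole curve group."""
    return is_on_curve(pt) and pt != IDENTITY and mul(L, pt) == IDENTITY


def mixed_order_point():
    """B + ORDER_TWO: on the curve, order 2L, hence outside the main group."""
    return add(B, ORDER_TWO)


if __name__ == "__main__":
    for label, pt in (("B", B), ("order-2", ORDER_TWO), ("B + order-2", mixed_order_point())):
        print(label, "on curve:", is_on_curve(pt), "valid:", is_valid_point(pt))
```

The mixed-order point is the case that matters in practice: it passes the curve equation and even clears the cofactor, so anything short of the L-multiple test lets it through.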
github-actions[bot] commented Apr 6, 2026

Recommended fixes for image renzof93/github-actions-secrets-mgmt:latest

Base image is python:3-alpine3.20

Name: 3.13.3-alpine3.20
Digest: sha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
Vulnerabilities: critical: 0, high: 6, medium: 12, low: 4
Pushed: 11 months ago
Size: 16 MB
Packages: 41
Flavor: alpine
OS: 3.20
Runtime: 3.13.3

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Candidate tags (Tag / Details / Pushed / Vulnerabilities):

Tag: 3-alpine
Details: Tag is preferred tag
Also known as:
  • alpine
  • alpine3.23
  • 3.14.3-alpine
  • 3.14.3-alpine3.23
  • 3.14-alpine
  • 3.14-alpine3.23
  • 3-alpine3.23
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 18
  • Image contains equal number of packages
  • 3-alpine was pulled 51K times last month
Image details:
  • Size: 18 MB
  • Flavor: alpine
  • OS: 3.23
  • Runtime: 3.14.3
Pushed: 2 months ago

Tag: 3.13-alpine
Details: Minor runtime version update
Also known as:
  • 3.13.12-alpine
  • 3.13.12-alpine3.23
  • 3.13-alpine3.23
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Image contains 2 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 18
Image details:
  • Size: 17 MB
  • Flavor: alpine
  • OS: 3.23
  • Runtime: 3.13.12
Pushed: 2 months ago

Tag: 3.13-alpine3.22
Details: Minor runtime version update
Also known as:
  • 3.13.12-alpine3.22
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Image contains 2 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 19
Image details:
  • Size: 17 MB
  • Flavor: alpine
  • OS: 3.22
  • Runtime: 3.13.12
Pushed: 2 months ago

Tag: 3-alpine3.22
Details: Minor runtime version update
Also known as:
  • alpine3.22
  • 3.14.3-alpine3.22
  • 3.14-alpine3.22
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Minor OS version update
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 19
  • Image contains equal number of packages
Image details:
  • Size: 18 MB
  • Flavor: alpine
  • OS: 3.22
  • Runtime: 3.14.3
Pushed: 2 months ago



rennf93 merged commit 22b29e0 into master on Apr 6, 2026
1 of 2 checks passed
dependabot[bot] deleted the dependabot/github_actions/docker/login-action-4.1.0 branch April 6, 2026 11:21