XS⚠️ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 #742

Open
muiriswoulfe wants to merge 15 commits into main from muiriswoulfe/super-linter-v8

@muiriswoulfe
Member

@muiriswoulfe muiriswoulfe commented Mar 25, 2026

Summary

  • Node.js: Upgrade from v20.20.0 to v24.13.0 (runtime, CI workflows, and package.json engines constraint).
  • Super-Linter: Migrate from github/super-linter v7 to super-linter/super-linter v8.5.0. Remove obsolete EDITORCONFIG_FILE_NAME env var. Disable new v8 linters not yet configured for this repo (Biome, zizmor, codespell).
  • GitHub Actions: Bump actions/checkout to v6.0.2, actions/setup-node to v6.3.0, actions/upload-artifact to v7.0.0, github/codeql-action to v4.34.1, and grafana/github-api-commit-action to latest.
  • Azure DevOps pipelines: Update release.yml and template.yml.
  • Release workflows: Update release-initiate.yml and release-publish.yml.
  • Action runtime: Bump action.yml Node.js version and task manifest versions.

Test Plan

  • Verify all CI jobs pass with the updated action versions and Node.js v24.
  • Verify super-linter v8.5.0 runs successfully.
  • Incrementally enable disabled super-linter validators with appropriate configuration.

Migrate from github/super-linter to super-linter/super-linter.
Add Biome and codespell configuration for compatibility with v8.
@muiriswoulfe muiriswoulfe requested review from a team and Copilot March 25, 2026 19:18
@muiriswoulfe
Member Author

muiriswoulfe commented Mar 25, 2026

PR Metrics

Thanks for keeping your pull request small.
⚠️ Consider adding additional tests.

Lines
Product Code 5
Test Code 3
Subtotal 8
Ignored Code 55
Total 63

Metrics computed by PR Metrics. Add it to your Azure DevOps and GitHub PRs!

@muiriswoulfe muiriswoulfe changed the title WIP: Update Super-Linter from v7 to v8.5.0 XS✔ ◾ WIP: Update Super-Linter from v7 to v8.5.0 Mar 25, 2026
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
BIOME_LINT Fail ❌
CHECKOV Pass ✅
EDITORCONFIG Fail ❌
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Fail ❌
TRIVY Fail ❌
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_LINT
The number of diagnostics exceeds the limit allowed. Use --max-diagnostics to increase it.
Diagnostics not shown: 173.
Checked 114 files in 1550ms. No fixes applied.
Found 1 error.
Found 180 warnings.
Found 12 infos.

src/task/index.ts:10:31 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     8 │ import { container } from "tsyringe";
     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
  > 10 │ import { fileURLToPath } from "url";
       │                               ^^^^^
    11 │ import path from "path";
    12 │

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     8  8 │   import { container } from "tsyringe";
     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10    │ - import·{·fileURLToPath·}·from·"url";
       10 │ + import·{·fileURLToPath·}·from·"node:url";
    11 11 │   import path from "path";
    12 12 │


src/task/index.ts:11:18 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 │ import { fileURLToPath } from "url";
  > 11 │ import path from "path";
       │                  ^^^^^^
    12 │
    13 │ const run = async (): Promise<void> => {

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 10 │   import { fileURLToPath } from "url";
    11    │ - import·path·from·"path";
       11 │ + import·path·from·"node:path";
    12 12 │
    13 13 │   const run = async (): Promise<void> => {


src/task/src/git/gitInvoker.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import * as Validator from "../utilities/validator.js";
  > 7 │ import ExecOutput from "../runners/execOutput.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import RunnerInvoker from "../runners/runnerInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·ExecOutput·from·"../runners/execOutput.js";
      │        +++++

src/task/src/git/gitInvoker.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import * as Validator from "../utilities/validator.js";
     7 │ import ExecOutput from "../runners/execOutput.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import RunnerInvoker from "../runners/runnerInvoker.js";
    10 │ import { decimalRadix } from "../utilities/constants.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/git/gitInvoker.ts:190:13 lint/suspicious/noGlobalIsNan  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━

  ! isNaN is unsafe. It attempts a type coercion. Use Number.isNaN instead.

    188 │     this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 │
  > 190 │     return !isNaN(parseInt(this.pullRequestIdInternal, decimalRadix));
        │             ^^^^^
    191 │   }
    192 │

  i See the MDN documentation for more details.

  i Unsafe fix: Use Number.isNaN instead.

    188 188 │       this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 189 │
    190     │ - ····return·!isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
        190 │ + ····return·!Number.isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
    191 191 │     }
    192 192 │


src/task/src/git/octokitGitDiffParser.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━

  ! Some named imports are only used as types.

     4 │  */
     5 │
   > 6 │ import parseGitDiff, {
       │        ^^^^^^^^^^^^^^^
   > 7 │   AddedFile,
        ...
  > 12 │   RenamedFile,
  > 13 │ } from "parse-git-diff";
       │ ^^^^^^^^^^^^^^^^^^^^^^^
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";

  i This import is only used as a type.

    6 │ import parseGitDiff, {
  > 7 │   AddedFile,
      │   ^^^^^^^^^
    8 │   AnyChunk,
    9 │   ChangedFile,

  i This import is only used as a type.

     6 │ import parseGitDiff, {
     7 │   AddedFile,
   > 8 │   AnyChunk,
       │   ^^^^^^^^
     9 │   ChangedFile,
    10 │   Chunk,

  i This import is only used as a type.

     7 │   AddedFile,
     8 │   AnyChunk,
   > 9 │   ChangedFile,
       │   ^^^^^^^^^^^
    10 │   Chunk,
    11 │   GitDiff,

  i This import is only used as a type.

     8 │   AnyChunk,
     9 │   ChangedFile,
  > 10 │   Chunk,
       │   ^^^^^
    11 │   GitDiff,
    12 │   RenamedFile,

  i This import is only used as a type.

     9 │   ChangedFile,
    10 │   Chunk,
  > 11 │   GitDiff,
       │   ^^^^^^^
    12 │   RenamedFile,
    13 │ } from "parse-git-diff";

  i This import is only used as a type.

    10 │   Chunk,
    11 │   GitDiff,
  > 12 │   RenamedFile,
       │   ^^^^^^^^^^^
    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Add inline type keywords.

      5   5 │
      6   6 │   import parseGitDiff, {
      7     │ - ··AddedFile,
      8     │ - ··AnyChunk,
      9     │ - ··ChangedFile,
     10     │ - ··Chunk,
     11     │ - ··GitDiff,
     12     │ - ··RenamedFile,
          7 │ + ··type·AddedFile,
          8 │ + ··type·AnyChunk,
          9 │ + ··type·ChangedFile,
         10 │ + ··type·Chunk,
         11 │ + ··type·GitDiff,
         12 │ + ··type·RenamedFile,
     13  13 │   } from "parse-git-diff";
     14  14 │   import AxiosWrapper from "../wrappers/axiosWrapper.js";


src/task/src/git/octokitGitDiffParser.ts:14:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    12 │   RenamedFile,
    13 │ } from "parse-git-diff";
  > 14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    14 │ import·type·AxiosWrapper·from·"../wrappers/axiosWrapper.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:15:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
  > 15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    16 │ import Logger from "../utilities/logger.js";
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    15 │ import·type·GetPullResponse·from·"../wrappers/octokitInterfaces/getPullResponse.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:16:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
  > 16 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
    18 │ import { singleton } from "tsyringe";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    16 │ import·type·Logger·from·"../utilities/logger.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:17:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";
  > 17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    18 │ import { singleton } from "tsyringe";
    19 │

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    17 │ import·type·OctokitWrapper·from·"../wrappers/octokitWrapper.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
  > 7 │ import GitInvoker from "../git/gitInvoker.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import PullRequest from "../pullRequests/pullRequest.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·GitInvoker·from·"../git/gitInvoker.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
     7 │ import GitInvoker from "../git/gitInvoker.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import PullRequest from "../pullRequests/pullRequest.js";
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:9:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     7 │ import GitInvoker from "../git/gitInvoker.js";
     8 │ import Logger from "../utilities/logger.js";
   > 9 │ import PullRequest from "../pullRequests/pullRequest.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    9 │ import·type·PullRequest·from·"../pullRequests/pullRequest.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:10:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     8 │ import Logger from "../utilities/logger.js";
     9 │ import PullRequest from "../pullRequests/pullRequest.js";
  > 10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";
    12 │ import PullRequestDetailsInterface from "../repos/interfaces/pullRequestDetailsInterface.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    10 │ import·type·PullRequestComments·from·"../pullRequests/pullRequestComments.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:11:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     9 │ import PullRequest from "../pullRequests/pullRequest.js";
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
  > 11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    12 │ import PullRequestDetailsInterface from "../repos/interfaces/pullRequestDetailsInterface.js";
    13 │ import ReposInvoker from "../repos/reposInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    11 │ import·type·PullRequestCommentsData·from·"../pullRequests/pullRequestCommentsData.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:12:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";
  > 12 │ import PullRequestDetailsInterface from "../repos/interfaces/pullRequestDetailsInterface.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    13 │ import ReposInvoker from "../repos/reposInvoker.js";
    14 │ import RunnerInvoker from "../runners/runnerInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    12 │ import·type·PullRequestDetailsInterface·from·"../repos/interfaces/pullRequestDetailsInterface.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:13:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";
    12 │ import PullRequestDetailsInterface from "../repos/interfaces/pullRequestDetailsInterface.js";
  > 13 │ import ReposInvoker from "../repos/reposInvoker.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    14 │ import RunnerInvoker from "../runners/runnerInvoker.js";
    15 │ import { injectable } from "tsyringe";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    13 │ import·type·ReposInvoker·from·"../repos/reposInvoker.js";
       │        +++++

src/task/src/pullRequestMetrics.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import "reflect-metadata";
  > 7 │ import CodeMetricsCalculator from "./metrics/codeMetricsCalculator.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "./utilities/logger.js";
    9 │ import RunnerInvoker from "./runners/runnerInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·CodeMetricsCalculator·from·"./metrics/codeMetricsCalculator.js";
      │        +++++

src/task/tests/wrappers/errorWithStatus.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import ErrorWithStatusInterface from "../../src/repos/interfaces/errorWithStatusInterface.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·ErrorWithStatusInterface·from·"../../src/repos/interfaces/errorWithStatusInterface.js";
      │        +++++

src/task/tests/wrappers/execSyncResult.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import { IExecSyncResult } from "azure-pipelines-task-lib/toolrunner.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·{·IExecSyncResult·}·from·"azure-pipelines-task-lib/toolrunner.js";
      │        +++++

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

EDITORCONFIG
.github/workflow-scripts/Test-LicensesResult.ps1:
	Wrong character encoding ("UTF-8-SIG" instead of "utf-8")

1 errors found
GITHUB_ACTIONS_ZIZMOR
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
 --> /github/workspace/.github/dependabot.yml:8:5
  |
8 |   - package-ecosystem: github-actions
  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
  |
  = note: audit confidence → High
  = note: this finding has an auto-fix
  = help: audit documentation → https://docs.zizmor.sh/audits/#dependabot-cooldown

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:30:9
   |
30 |         - name: Checkout
   |  _________^
31 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
32 | |         with:
33 | |           ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
34 | |           token: ${{ secrets.PR_METRICS_TOKEN }}
   | |________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:73:9
   |
73 |         - name: Checkout
   |  _________^
74 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:108:9
    |
108 |         - name: Checkout
    |  _________^
109 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
110 | |         with:
111 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:129:9
    |
129 |         - name: Checkout
    |  _________^
130 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    | |________________________________________________________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:150:9
    |
150 |         - name: Checkout
    |  _________^
151 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
152 | |         with:
153 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build.yml:221:63
    |
221 |         run: gh pr merge --auto --delete-branch --squash "${{ github.event.pull_request.html_url }}"
    |         --- this run block                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[bot-conditions]: spoofable bot actor check
   --> /github/workspace/.github/workflows/build.yml:219:13
    |
219 |       - if: github.actor == 'dependabot[bot]'
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
220 |         name: Enable Auto-Merge
    |         ----------------------- this step
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#bot-conditions

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/build.yml:61:91
   |
61 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:133:84
    |
133 |         uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:141:87
    |
141 |         uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ---------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:204:91
    |
204 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/release-initiate.yml:28:9
   |
28 |         - name: Checkout
   |  _________^
29 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
30 | |         with:
31 | |           token: ${{ secrets.PR_METRICS_TOKEN }}
   | |________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:58:99
   |
58 |         run: Set-Content -Path '.github/workflows/support/release-publish-trigger.txt' -Value ${{ env.version }}
   |         --- this run block                                                                        ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:61:43
   |
61 |         run: git checkout -b release/v${{ env.version }}
   |         --- this run block                ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:76:41
   |
75 |         run: |-
   |         --- this run block
76 |           git fetch origin release/v${{ env.version }}
   |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:77:48
   |
75 |         run: |-
   |         --- this run block
�[1m�[94m76�[0m �[1m�[94m|�[0m           git fetch origin release/v${{ env.version }}
�[1m�[94m77�[0m �[1m�[94m|�[0m           git reset --hard origin/release/v${{ env.version }}
   �[1m�[94m|�[0m                                                �[1m�[96m^^^^^^^^^^^�[0m �[1m�[96mmay expand into attacker-controllable code�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:82:49
   |
80 |         run: >-
   |         --- this run block
81 |           gh pr create
82 |           --title "[Autogenerated] Release v${{ env.version }} with Package Updates"
   |                                                 ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:83:61
   |
80 | ...   run: >-
   |       --- this run block
...
83 | ...     --body "Autogenerated release for PR Metrics v${{ env.version }}. This includes version updates, dependency updates, and lic...
   |                                                           ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:112:41
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
    |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:113:48
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
113 |           git reset --hard origin/release/v${{ env.version }}
    |                                                ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/release-initiate.yml:67:91
   |
67 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/release-initiate.yml:103:91
    |
103 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/release-publish.yml:29:9
   |
29 |         - name: Checkout
   |  _________^
30 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:85:28
   |
83 |         run: >-
   |         --- this run block
84 |           gh api repos/${{ github.repository }}/releases/generate-notes
85 |           -f tag_name="${{ steps.version.outputs.VERSION }}"
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:93:34
   |
92 |         run: >-
   |         --- this run block
93 |           gh release create "${{ steps.version.outputs.VERSION }}"
   |                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:97:32
   |
92 |         run: >-
   |         --- this run block
...
97 |           --title "Release ${{ steps.version.outputs.VERSION }}"
   |                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

80 findings (53 suppressed, 22 fixable): 3 informational, 8 low, 15 medium, 1 high
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-initiate.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-publish.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/action.yml
SPELL_CODESPELL
/github/workspace/src/task/src/metrics/codeMetrics.ts:397: FileTest ==> file test
/github/workspace/src/task/src/metrics/codeMetrics.ts:456: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:479: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:480: indexS ==> indexes, indices
TRIVY

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┬─────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────┼──────┼─────────────────┼───────────────────┼─────────┤
│ package-lock.json │ npm  │        5        │         -         │    -    │
└───────────────────┴──────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ undici  │ CVE-2026-1526 │ HIGH     │ fixed  │ 6.23.0            │ 6.24.0, 7.24.0 │ undici: undici: Denial of Service via unbounded memory       │
│         │               │          │        │                   │                │ consumption during WebSocket permessage-deflate...           │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1526                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1528 │          │        │                   │                │ undici: undici: Denial of Service via crafted WebSocket      │
│         │               │          │        │                   │                │ frame with large length...                                   │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1528                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-2229 │          │        │                   │                │ undici: Undici: Denial of Service via invalid WebSocket      │
│         │               │          │        │                   │                │ permessage-deflate extension parameter                       │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-2229                    │
│         ├───────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1525 │ MEDIUM   │        │                   │                │ undici: Undici: HTTP Request Smuggling and Denial of Service │
│         │               │          │        │                   │                │ due to duplicate...                                          │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1525                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1527 │          │        │                   │                │ undici: Undici: HTTP header injection and request smuggling  │
│         │               │          │        │                   │                │ vulnerability                                                │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1527                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the repo’s CI linting setup by migrating Super-Linter to the v8.x lineage and adding configuration for newly enabled/adjusted linters (Biome + codespell).

Changes:

  • Switch Super-Linter GitHub Action from github/super-linter v7 to super-linter/super-linter v8.5.0 and adjust related env vars.
  • Add a root biome.json to tune Biome linting behavior (formatter disabled, import organizing off, specific rule tweaks).
  • Add .github/linters/.codespellrc to reduce codespell false positives.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| biome.json | Introduces Biome configuration used by CI linting. |
| .github/workflows/build.yml | Migrates Super-Linter to v8.5.0 and disables Biome formatting validation. |
| .github/linters/.codespellrc | Adds codespell configuration to suppress/skip known noisy inputs. |

These will be added as needed after super-linter v8 CI results.
@muiriswoulfe
Member Author

Super-linter summary

| Language | Validation result |
| --- | --- |
| BIOME_LINT | Fail ❌ |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Fail ❌ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Fail ❌ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| JSON_PRETTIER | Pass ✅ |
| MARKDOWN | Pass ✅ |
| MARKDOWN_PRETTIER | Pass ✅ |
| NATURAL_LANGUAGE | Pass ✅ |
| POWERSHELL | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Fail ❌ |
| TRIVY | Fail ❌ |
| TYPESCRIPT_PRETTIER | Pass ✅ |
| XML | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_LINT
The number of diagnostics exceeds the limit allowed. Use --max-diagnostics to increase it.
Diagnostics not shown: 178.
Checked 115 files in 1383ms. No fixes applied.
Found 1 error.
Found 181 warnings.
Found 15 infos.

dist/exec-child.js:5:28 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

    3 │ }
    4 │
  > 5 │ var childProcess = require('child_process');
      │                            ^^^^^^^^^^^^^^^
    6 │ var fs = require('fs');
    7 │

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     3  3 │   }
     4  4 │
     5    │ - var·childProcess·=·require('child_process');
        5 │ + var·childProcess·=·require('node:child_process');
     6  6 │   var fs = require('fs');
     7  7 │


dist/exec-child.js:6:18 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

    5 │ var childProcess = require('child_process');
  > 6 │ var fs = require('fs');
      │                  ^^^^
    7 │
    8 │ var paramFilePath = process.argv[2];

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     4  4 │
     5  5 │   var childProcess = require('child_process');
     6    │ - var·fs·=·require('fs');
        6 │ + var·fs·=·require('node:fs');
     7  7 │
     8  8 │   var paramFilePath = process.argv[2];


dist/index.mjs lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i The size of the file is 2.8 MiB, which exceeds the configured maximum of 1.0 MiB for this project.
    Use the `files.maxSize` configuration to change the maximum size of files processed, or `files.includes` to ignore the file.


src/task/index.ts:10:31 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     8 │ import { container } from "tsyringe";
     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
  > 10 │ import { fileURLToPath } from "url";
       │                               ^^^^^
    11 │ import path from "path";
    12 │

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     8  8 │   import { container } from "tsyringe";
     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10    │ - import·{·fileURLToPath·}·from·"url";
       10 │ + import·{·fileURLToPath·}·from·"node:url";
    11 11 │   import path from "path";
    12 12 │


src/task/index.ts:11:18 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 │ import { fileURLToPath } from "url";
  > 11 │ import path from "path";
       │                  ^^^^^^
    12 │
    13 │ const run = async (): Promise<void> => {

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 10 │   import { fileURLToPath } from "url";
    11    │ - import·path·from·"path";
       11 │ + import·path·from·"node:path";
    12 12 │
    13 13 │   const run = async (): Promise<void> => {


src/task/src/git/octokitGitDiffParser.ts:166:11 lint/complexity/noUselessSwitchCase  FIXABLE  ━━━━━━━━━━

  i Useless case clause.

    164 │             break;
    165 │           }
  > 166 │           case "DeletedFile":
        │           ^^^^^^^^^^^^^^^^^^^
    167 │           default:
    168 │             this._logger.logDebug(

  i because the default clause is present:

    165 │           }
    166 │           case "DeletedFile":
  > 167 │           default:
        │           ^^^^^^^^
  > 168 │             this._logger.logDebug(
  > 169 │               `Skipping file type '${file.type}' while performing diff parsing.`,
  > 170 │             );
  > 171 │             break;
        │             ^^^^^^
    172 │         }
    173 │       }

  i Unsafe fix: Remove the useless case.

    164 164 │               break;
    165 165 │             }
    166     │ - ··········case·"DeletedFile":
    167 166 │             default:
    168 167 │               this._logger.logDebug(


dist/exec-child.js:19:45 lint/complexity/useArrowFunction  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! This function expression can be turned into an arrow function.

    17 │ var stderrFile = params.stderrFile;
    18 │
  > 19 │ var c = childProcess.exec(cmd, execOptions, function (err) {
       │                                             ^^^^^^^^^^^^^^^^
  > 20 │   if (!err) {
        ...
  > 26 │   }
  > 27 │ });
       │ ^
    28 │
    29 │ var stdoutStream = fs.createWriteStream(stdoutFile);

  i Function expressions that don't use this can be turned into arrow functions.

  i Safe fix: Use an arrow function instead.

    17 17 │   var stderrFile = params.stderrFile;
    18 18 │
    19    │ - var·c·=·childProcess.exec(cmd,·execOptions,·function·(err)·{
       19 │ + var·c·=·childProcess.exec(cmd,·execOptions,·(err)·=>·{
    20 20 │     if (!err) {
    21 21 │       process.exitCode = 0;


src/task/src/git/gitInvoker.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import * as Validator from "../utilities/validator.js";
  > 7 │ import ExecOutput from "../runners/execOutput.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import RunnerInvoker from "../runners/runnerInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·ExecOutput·from·"../runners/execOutput.js";
      │        +++++

src/task/src/git/gitInvoker.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import * as Validator from "../utilities/validator.js";
     7 │ import ExecOutput from "../runners/execOutput.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import RunnerInvoker from "../runners/runnerInvoker.js";
    10 │ import { decimalRadix } from "../utilities/constants.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/git/gitInvoker.ts:190:13 lint/suspicious/noGlobalIsNan  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━

  ! isNaN is unsafe. It attempts a type coercion. Use Number.isNaN instead.

    188 │     this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 │
  > 190 │     return !isNaN(parseInt(this.pullRequestIdInternal, decimalRadix));
        │             ^^^^^
    191 │   }
    192 │

  i See the MDN documentation for more details.

  i Unsafe fix: Use Number.isNaN instead.

    188 188 │       this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 189 │
    190     │ - ····return·!isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
        190 │ + ····return·!Number.isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
    191 191 │     }
    192 192 │


src/task/src/git/octokitGitDiffParser.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━

  ! Some named imports are only used as types.

     4 │  */
     5 │
   > 6 │ import parseGitDiff, {
       │        ^^^^^^^^^^^^^^^
   > 7 │   AddedFile,
        ...
  > 12 │   RenamedFile,
  > 13 │ } from "parse-git-diff";
       │ ^^^^^^^^^^^^^^^^^^^^^^^
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";

  i This import is only used as a type.

    6 │ import parseGitDiff, {
  > 7 │   AddedFile,
      │   ^^^^^^^^^
    8 │   AnyChunk,
    9 │   ChangedFile,

  i This import is only used as a type.

     6 │ import parseGitDiff, {
     7 │   AddedFile,
   > 8 │   AnyChunk,
       │   ^^^^^^^^
     9 │   ChangedFile,
    10 │   Chunk,

  i This import is only used as a type.

     7 │   AddedFile,
     8 │   AnyChunk,
   > 9 │   ChangedFile,
       │   ^^^^^^^^^^^
    10 │   Chunk,
    11 │   GitDiff,

  i This import is only used as a type.

     8 │   AnyChunk,
     9 │   ChangedFile,
  > 10 │   Chunk,
       │   ^^^^^
    11 │   GitDiff,
    12 │   RenamedFile,

  i This import is only used as a type.

     9 │   ChangedFile,
    10 │   Chunk,
  > 11 │   GitDiff,
       │   ^^^^^^^
    12 │   RenamedFile,
    13 │ } from "parse-git-diff";

  i This import is only used as a type.

    10 │   Chunk,
    11 │   GitDiff,
  > 12 │   RenamedFile,
       │   ^^^^^^^^^^^
    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Add inline type keywords.

      5   5 │
      6   6 │   import parseGitDiff, {
      7     │ - ··AddedFile,
      8     │ - ··AnyChunk,
      9     │ - ··ChangedFile,
     10     │ - ··Chunk,
     11     │ - ··GitDiff,
     12     │ - ··RenamedFile,
          7 │ + ··type·AddedFile,
          8 │ + ··type·AnyChunk,
          9 │ + ··type·ChangedFile,
         10 │ + ··type·Chunk,
         11 │ + ··type·GitDiff,
         12 │ + ··type·RenamedFile,
     13  13 │   } from "parse-git-diff";
     14  14 │   import AxiosWrapper from "../wrappers/axiosWrapper.js";


src/task/src/git/octokitGitDiffParser.ts:14:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    12 │   RenamedFile,
    13 │ } from "parse-git-diff";
  > 14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    14 │ import·type·AxiosWrapper·from·"../wrappers/axiosWrapper.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:15:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
  > 15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    16 │ import Logger from "../utilities/logger.js";
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    15 │ import·type·GetPullResponse·from·"../wrappers/octokitInterfaces/getPullResponse.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:16:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
  > 16 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
    18 │ import { singleton } from "tsyringe";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    16 │ import·type·Logger·from·"../utilities/logger.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:17:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";
  > 17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    18 │ import { singleton } from "tsyringe";
    19 │

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    17 │ import·type·OctokitWrapper·from·"../wrappers/octokitWrapper.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
  > 7 │ import GitInvoker from "../git/gitInvoker.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import PullRequest from "../pullRequests/pullRequest.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·GitInvoker·from·"../git/gitInvoker.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
     7 │ import GitInvoker from "../git/gitInvoker.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import PullRequest from "../pullRequests/pullRequest.js";
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:9:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     7 │ import GitInvoker from "../git/gitInvoker.js";
     8 │ import Logger from "../utilities/logger.js";
   > 9 │ import PullRequest from "../pullRequests/pullRequest.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    9 │ import·type·PullRequest·from·"../pullRequests/pullRequest.js";
      │        +++++

src/task/tests/wrappers/errorWithStatus.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import ErrorWithStatusInterface from "../../src/repos/interfaces/errorWithStatusInterface.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·ErrorWithStatusInterface·from·"../../src/repos/interfaces/errorWithStatusInterface.js";
      │        +++++

src/task/tests/wrappers/execSyncResult.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import { IExecSyncResult } from "azure-pipelines-task-lib/toolrunner.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·{·IExecSyncResult·}·from·"azure-pipelines-task-lib/toolrunner.js";
      │        +++++

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

EDITORCONFIG
.github/workflow-scripts/Test-LicensesResult.ps1:
	Wrong character encoding ("UTF-8-SIG" instead of "utf-8")

1 errors found
GITHUB_ACTIONS_ZIZMOR
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
 --> /github/workspace/.github/dependabot.yml:8:5
  |
8 |   - package-ecosystem: github-actions
  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
  |
  = note: audit confidence → High
  = note: this finding has an auto-fix
  = help: audit documentation → https://docs.zizmor.sh/audits/#dependabot-cooldown

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:30:9
   |
30 |         - name: Checkout
   |  _________^
31 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
32 | |         with:
33 | |           ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
34 | |           token: ${{ secrets.PR_METRICS_TOKEN }}
   | |________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:73:9
   |
73 |         - name: Checkout
   |  _________^
74 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:108:9
    |
108 |         - name: Checkout
    |  _________^
109 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
110 | |         with:
111 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:129:9
    |
129 |         - name: Checkout
    |  _________^
130 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    | |________________________________________________________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:150:9
    |
150 |         - name: Checkout
    |  _________^
151 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
152 | |         with:
153 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build.yml:221:63
    |
221 |         run: gh pr merge --auto --delete-branch --squash "${{ github.event.pull_request.html_url }}"
    |         --- this run block                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[bot-conditions]: spoofable bot actor check
   --> /github/workspace/.github/workflows/build.yml:219:13
    |
219 |       - if: github.actor == 'dependabot[bot]'
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
220 |         name: Enable Auto-Merge
    |         ----------------------- this step
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#bot-conditions

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/build.yml:61:91
   |
61 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:133:84
    |
133 |         uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:141:87
    |
141 |         uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ---------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:204:91
    |
204 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/release-initiate.yml:28:9
   |
28 |         - name: Checkout
   |  _________^
29 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
30 | |         with:
31 | |           token: ${{ secrets.PR_METRICS_TOKEN }}
   | |________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:58:99
   |
58 |         run: Set-Content -Path '.github/workflows/support/release-publish-trigger.txt' -Value ${{ env.version }}
   |         --- this run block                                                                        ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:61:43
   |
61 |         run: git checkout -b release/v${{ env.version }}
   |         --- this run block                ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:76:41
   |
75 |         run: |-
   |         --- this run block
76 |           git fetch origin release/v${{ env.version }}
   |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:77:48
   |
75 |         run: |-
   |         --- this run block
76 |           git fetch origin release/v${{ env.version }}
77 |           git reset --hard origin/release/v${{ env.version }}
   |                                                ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:82:49
   |
80 |         run: >-
   |         --- this run block
81 |           gh pr create
82 |           --title "[Autogenerated] Release v${{ env.version }} with Package Updates"
   |                                                 ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:83:61
   |
80 | ...   run: >-
   |       --- this run block
...
83 | ...     --body "Autogenerated release for PR Metrics v${{ env.version }}. This includes version updates, dependency updates, and lic...
   |                                                           ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:112:41
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
    |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:113:48
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
113 |           git reset --hard origin/release/v${{ env.version }}
    |                                                ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/release-initiate.yml:67:91
   |
67 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/release-initiate.yml:103:91
    |
103 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/release-publish.yml:29:9
   |
29 |         - name: Checkout
   |  _________^
30 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:85:28
   |
83 |         run: >-
   |         --- this run block
84 |           gh api repos/${{ github.repository }}/releases/generate-notes
85 |           -f tag_name="${{ steps.version.outputs.VERSION }}"
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:93:34
   |
92 |         run: >-
   |         --- this run block
93 |           gh release create "${{ steps.version.outputs.VERSION }}"
   |                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:97:32
   |
92 |         run: >-
   |         --- this run block
...
97 |           --title "Release ${{ steps.version.outputs.VERSION }}"
   |                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

80 findings (53 suppressed, 22 fixable): 3 informational, 8 low, 15 medium, 1 high
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-initiate.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-publish.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/action.yml
SPELL_CODESPELL
/github/workspace/src/LICENSE.txt:4197: Savin ==> Saving, Satin, Sarin
/github/workspace/src/LICENSE.txt:4198: Savin ==> Saving, Satin, Sarin
/github/workspace/src/LICENSE.txt:4202: Savin ==> Saving, Satin, Sarin
/github/workspace/src/task/Strings/resources.resjson/en-US/resources.resjson:51: sXL ==> xsl
/github/workspace/src/task/src/metrics/codeMetrics.ts:397: FileTest ==> file test
/github/workspace/src/task/src/metrics/codeMetrics.ts:456: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:479: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:480: indexS ==> indexes, indices
/github/workspace/src/task/task.json:83: sXL ==> xsl
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:235: atLeast ==> at least
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:327: atLeast ==> at least
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:423: atLeast ==> at least
TRIVY

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┬─────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────┼──────┼─────────────────┼───────────────────┼─────────┤
│ package-lock.json │ npm  │        5        │         -         │    -    │
└───────────────────┴──────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ undici  │ CVE-2026-1526 │ HIGH     │ fixed  │ 6.23.0            │ 6.24.0, 7.24.0 │ undici: undici: Denial of Service via unbounded memory       │
│         │               │          │        │                   │                │ consumption during WebSocket permessage-deflate...           │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1526                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1528 │          │        │                   │                │ undici: undici: Denial of Service via crafted WebSocket      │
│         │               │          │        │                   │                │ frame with large length...                                   │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1528                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-2229 │          │        │                   │                │ undici: Undici: Denial of Service via invalid WebSocket      │
│         │               │          │        │                   │                │ permessage-deflate extension parameter                       │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-2229                    │
│         ├───────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1525 │ MEDIUM   │        │                   │                │ undici: Undici: HTTP Request Smuggling and Denial of Service │
│         │               │          │        │                   │                │ due to duplicate...                                          │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1525                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1527 │          │        │                   │                │ undici: Undici: HTTP header injection and request smuggling  │
│         │               │          │        │                   │                │ vulnerability                                                │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1527                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Copilot AI review requested due to automatic review settings March 25, 2026 19:58
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@muiriswoulfe
Member Author

Super-linter summary

| Language | Validation result |
| --- | --- |
| BIOME_LINT | Fail ❌ |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Fail ❌ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Fail ❌ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| JSON_PRETTIER | Pass ✅ |
| MARKDOWN | Pass ✅ |
| MARKDOWN_PRETTIER | Pass ✅ |
| NATURAL_LANGUAGE | Pass ✅ |
| POWERSHELL | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Fail ❌ |
| TRIVY | Fail ❌ |
| TYPESCRIPT_PRETTIER | Pass ✅ |
| XML | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_LINT
The number of diagnostics exceeds the limit allowed. Use --max-diagnostics to increase it.
Diagnostics not shown: 178.
Checked 115 files in 1638ms. No fixes applied.
Found 1 error.
Found 181 warnings.
Found 15 infos.

dist/exec-child.js:5:28 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

    3 │ }
    4 │
  > 5 │ var childProcess = require('child_process');
      │                            ^^^^^^^^^^^^^^^
    6 │ var fs = require('fs');
    7 │

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     3  3 │   }
     4  4 │
     5    │ - var·childProcess·=·require('child_process');
        5 │ + var·childProcess·=·require('node:child_process');
     6  6 │   var fs = require('fs');
     7  7 │


dist/exec-child.js:6:18 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

    5 │ var childProcess = require('child_process');
  > 6 │ var fs = require('fs');
      │                  ^^^^
    7 │
    8 │ var paramFilePath = process.argv[2];

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     4  4 │
     5  5 │   var childProcess = require('child_process');
     6    │ - var·fs·=·require('fs');
        6 │ + var·fs·=·require('node:fs');
     7  7 │
     8  8 │   var paramFilePath = process.argv[2];


dist/index.mjs lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i The size of the file is 2.8 MiB, which exceeds the configured maximum of 1.0 MiB for this project.
    Use the `files.maxSize` configuration to change the maximum size of files processed, or `files.includes` to ignore the file.


src/task/index.ts:10:31 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     8 │ import { container } from "tsyringe";
     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
  > 10 │ import { fileURLToPath } from "url";
       │                               ^^^^^
    11 │ import path from "path";
    12 │

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     8  8 │   import { container } from "tsyringe";
     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10    │ - import·{·fileURLToPath·}·from·"url";
       10 │ + import·{·fileURLToPath·}·from·"node:url";
    11 11 │   import path from "path";
    12 12 │


src/task/index.ts:11:18 lint/style/useNodejsImportProtocol  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  i A Node.js builtin module should be imported with the node: protocol.

     9 │ import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 │ import { fileURLToPath } from "url";
  > 11 │ import path from "path";
       │                  ^^^^^^
    12 │
    13 │ const run = async (): Promise<void> => {

  i Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.

  i Unsafe fix: Add the node: protocol.

     9  9 │   import { exitCodeForFailure } from "./src/utilities/constants.js";
    10 10 │   import { fileURLToPath } from "url";
    11    │ - import·path·from·"path";
       11 │ + import·path·from·"node:path";
    12 12 │
    13 13 │   const run = async (): Promise<void> => {


src/task/src/git/octokitGitDiffParser.ts:166:11 lint/complexity/noUselessSwitchCase  FIXABLE  ━━━━━━━━━━

  i Useless case clause.

    164 │             break;
    165 │           }
  > 166 │           case "DeletedFile":
        │           ^^^^^^^^^^^^^^^^^^^
    167 │           default:
    168 │             this._logger.logDebug(

  i because the default clause is present:

    165 │           }
    166 │           case "DeletedFile":
  > 167 │           default:
        │           ^^^^^^^^
  > 168 │             this._logger.logDebug(
  > 169 │               `Skipping file type '${file.type}' while performing diff parsing.`,
  > 170 │             );
  > 171 │             break;
        │             ^^^^^^
    172 │         }
    173 │       }

  i Unsafe fix: Remove the useless case.

    164 164 │               break;
    165 165 │             }
    166     │ - ··········case·"DeletedFile":
    167 166 │             default:
    168 167 │               this._logger.logDebug(


dist/exec-child.js:19:45 lint/complexity/useArrowFunction  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! This function expression can be turned into an arrow function.

    17 │ var stderrFile = params.stderrFile;
    18 │
  > 19 │ var c = childProcess.exec(cmd, execOptions, function (err) {
       │                                             ^^^^^^^^^^^^^^^^
  > 20 │   if (!err) {
        ...
  > 26 │   }
  > 27 │ });
       │ ^
    28 │
    29 │ var stdoutStream = fs.createWriteStream(stdoutFile);

  i Function expressions that don't use this can be turned into arrow functions.

  i Safe fix: Use an arrow function instead.

    17 17 │   var stderrFile = params.stderrFile;
    18 18 │
    19    │ - var·c·=·childProcess.exec(cmd,·execOptions,·function·(err)·{
       19 │ + var·c·=·childProcess.exec(cmd,·execOptions,·(err)·=>·{
    20 20 │     if (!err) {
    21 21 │       process.exitCode = 0;


src/task/src/git/gitInvoker.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import * as Validator from "../utilities/validator.js";
  > 7 │ import ExecOutput from "../runners/execOutput.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import RunnerInvoker from "../runners/runnerInvoker.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·ExecOutput·from·"../runners/execOutput.js";
      │        +++++

src/task/src/git/gitInvoker.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import * as Validator from "../utilities/validator.js";
     7 │ import ExecOutput from "../runners/execOutput.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import RunnerInvoker from "../runners/runnerInvoker.js";
    10 │ import { decimalRadix } from "../utilities/constants.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/git/gitInvoker.ts:190:13 lint/suspicious/noGlobalIsNan  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━

  ! isNaN is unsafe. It attempts a type coercion. Use Number.isNaN instead.

    188 │     this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 │
  > 190 │     return !isNaN(parseInt(this.pullRequestIdInternal, decimalRadix));
        │             ^^^^^
    191 │   }
    192 │

  i See the MDN documentation for more details.

  i Unsafe fix: Use Number.isNaN instead.

    188 188 │       this._logger.logDebug("* GitInvoker.isPullRequestIdAvailable()");
    189 189 │
    190     │ - ····return·!isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
        190 │ + ····return·!Number.isNaN(parseInt(this.pullRequestIdInternal,·decimalRadix));
    191 191 │     }
    192 192 │


src/task/src/git/octokitGitDiffParser.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━━

  ! Some named imports are only used as types.

     4 │  */
     5 │
   > 6 │ import parseGitDiff, {
       │        ^^^^^^^^^^^^^^^
   > 7 │   AddedFile,
        ...
  > 12 │   RenamedFile,
  > 13 │ } from "parse-git-diff";
       │ ^^^^^^^^^^^^^^^^^^^^^^^
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";

  i This import is only used as a type.

    6 │ import parseGitDiff, {
  > 7 │   AddedFile,
      │   ^^^^^^^^^
    8 │   AnyChunk,
    9 │   ChangedFile,

  i This import is only used as a type.

     6 │ import parseGitDiff, {
     7 │   AddedFile,
   > 8 │   AnyChunk,
       │   ^^^^^^^^
     9 │   ChangedFile,
    10 │   Chunk,

  i This import is only used as a type.

     7 │   AddedFile,
     8 │   AnyChunk,
   > 9 │   ChangedFile,
       │   ^^^^^^^^^^^
    10 │   Chunk,
    11 │   GitDiff,

  i This import is only used as a type.

     8 │   AnyChunk,
     9 │   ChangedFile,
  > 10 │   Chunk,
       │   ^^^^^
    11 │   GitDiff,
    12 │   RenamedFile,

  i This import is only used as a type.

     9 │   ChangedFile,
    10 │   Chunk,
  > 11 │   GitDiff,
       │   ^^^^^^^
    12 │   RenamedFile,
    13 │ } from "parse-git-diff";

  i This import is only used as a type.

    10 │   Chunk,
    11 │   GitDiff,
  > 12 │   RenamedFile,
       │   ^^^^^^^^^^^
    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Add inline type keywords.

      5   5 │
      6   6 │   import parseGitDiff, {
      7     │ - ··AddedFile,
      8     │ - ··AnyChunk,
      9     │ - ··ChangedFile,
     10     │ - ··Chunk,
     11     │ - ··GitDiff,
     12     │ - ··RenamedFile,
          7 │ + ··type·AddedFile,
          8 │ + ··type·AnyChunk,
          9 │ + ··type·ChangedFile,
         10 │ + ··type·Chunk,
         11 │ + ··type·GitDiff,
         12 │ + ··type·RenamedFile,
     13  13 │   } from "parse-git-diff";
     14  14 │   import AxiosWrapper from "../wrappers/axiosWrapper.js";


src/task/src/git/octokitGitDiffParser.ts:14:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    12 │   RenamedFile,
    13 │ } from "parse-git-diff";
  > 14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    14 │ import·type·AxiosWrapper·from·"../wrappers/axiosWrapper.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:15:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    13 │ } from "parse-git-diff";
    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
  > 15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    16 │ import Logger from "../utilities/logger.js";
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    15 │ import·type·GetPullResponse·from·"../wrappers/octokitInterfaces/getPullResponse.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:16:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    14 │ import AxiosWrapper from "../wrappers/axiosWrapper.js";
    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
  > 16 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
    18 │ import { singleton } from "tsyringe";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    16 │ import·type·Logger·from·"../utilities/logger.js";
       │        +++++

src/task/src/git/octokitGitDiffParser.ts:17:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    15 │ import GetPullResponse from "../wrappers/octokitInterfaces/getPullResponse.js";
    16 │ import Logger from "../utilities/logger.js";
  > 17 │ import OctokitWrapper from "../wrappers/octokitWrapper.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    18 │ import { singleton } from "tsyringe";
    19 │

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    17 │ import·type·OctokitWrapper·from·"../wrappers/octokitWrapper.js";
       │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:7:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
  > 7 │ import GitInvoker from "../git/gitInvoker.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    8 │ import Logger from "../utilities/logger.js";
    9 │ import PullRequest from "../pullRequests/pullRequest.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    7 │ import·type·GitInvoker·from·"../git/gitInvoker.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:8:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     6 │ import { CommentThreadStatus } from "azure-devops-node-api/interfaces/GitInterfaces.js";
     7 │ import GitInvoker from "../git/gitInvoker.js";
   > 8 │ import Logger from "../utilities/logger.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     9 │ import PullRequest from "../pullRequests/pullRequest.js";
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    8 │ import·type·Logger·from·"../utilities/logger.js";
      │        +++++

src/task/src/metrics/codeMetricsCalculator.ts:9:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

     7 │ import GitInvoker from "../git/gitInvoker.js";
     8 │ import Logger from "../utilities/logger.js";
   > 9 │ import PullRequest from "../pullRequests/pullRequest.js";
       │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    10 │ import PullRequestComments from "../pullRequests/pullRequestComments.js";
    11 │ import PullRequestCommentsData from "../pullRequests/pullRequestCommentsData.js";

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    9 │ import·type·PullRequest·from·"../pullRequests/pullRequest.js";
      │        +++++

src/task/tests/wrappers/errorWithStatus.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import ErrorWithStatusInterface from "../../src/repos/interfaces/errorWithStatusInterface.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·ErrorWithStatusInterface·from·"../../src/repos/interfaces/errorWithStatusInterface.js";
      │        +++++

src/task/tests/wrappers/execSyncResult.ts:6:8 lint/style/useImportType  FIXABLE  ━━━━━━━━━━━━━━━━━━━

  ! All these imports are only used as types.

    4 │  */
    5 │
  > 6 │ import { IExecSyncResult } from "azure-pipelines-task-lib/toolrunner.js";
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    7 │
    8 │ /**

  i Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.

  i Safe fix: Use import type.

    6 │ import·type·{·IExecSyncResult·}·from·"azure-pipelines-task-lib/toolrunner.js";
      │        +++++

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

EDITORCONFIG
.github/workflow-scripts/Test-LicensesResult.ps1:
	Wrong character encoding ("UTF-8-SIG" instead of "utf-8")

1 errors found

GITHUB_ACTIONS_ZIZMOR
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
 --> /github/workspace/.github/dependabot.yml:8:5
  |
8 |   - package-ecosystem: github-actions
  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
  |
  = note: audit confidence → High
  = note: this finding has an auto-fix
  = help: audit documentation → https://docs.zizmor.sh/audits/#dependabot-cooldown

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:30:9
   |
30 |         - name: Checkout
   |  _________^
31 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
32 | |         with:
33 | |           ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
34 | |           token: ${{ secrets.PR_METRICS_TOKEN }}
   | |________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build.yml:73:9
   |
73 |         - name: Checkout
   |  _________^
74 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:108:9
    |
108 |         - name: Checkout
    |  _________^
109 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
110 | |         with:
111 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:129:9
    |
129 |         - name: Checkout
    |  _________^
130 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    | |________________________________________________________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /github/workspace/.github/workflows/build.yml:150:9
    |
150 |         - name: Checkout
    |  _________^
151 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
152 | |         with:
153 | |           fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build.yml:221:63
    |
221 |         run: gh pr merge --auto --delete-branch --squash "${{ github.event.pull_request.html_url }}"
    |         --- this run block                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[bot-conditions]: spoofable bot actor check
   --> /github/workspace/.github/workflows/build.yml:219:13
    |
219 |       - if: github.actor == 'dependabot[bot]'
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
220 |         name: Enable Auto-Merge
    |         ----------------------- this step
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#bot-conditions

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/build.yml:61:91
   |
61 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:133:84
    |
133 |         uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:141:87
    |
141 |         uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v3.29.5
    |         ---------------------------------------------------------------------------   ^^^^^^^ points to commit 51f77329afa6
    |         |
    |         is pointed to by tag v4.30.7
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/build.yml:204:91
    |
204 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

�[1m�[33mwarning[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/release-initiate.yml:28:9
   �[1m�[94m|�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m         - name: Checkout
   �[1m�[94m|�[0m �[1m�[33m _________^�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
�[1m�[94m30�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m         with:
�[1m�[94m31�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m           token: ${{ secrets.PR_METRICS_TOKEN }}
   �[1m�[94m|�[0m �[1m�[33m|________________________________________________^�[0m �[1m�[33mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[96mhelp[template-injection]�[0m�[1m: code injection via template expansion�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/release-initiate.yml:58:99
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m         run: Set-Content -Path '.github/workflows/support/release-publish-trigger.txt' -Value ${{ env.version }}
   �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m                                                                        �[1m�[96m^^^^^^^^^^^�[0m �[1m�[96mmay expand into attacker-controllable code�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[96mhelp[template-injection]�[0m�[1m: code injection via template expansion�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/release-initiate.yml:61:43
   �[1m�[94m|�[0m
�[1m�[94m61�[0m �[1m�[94m|�[0m         run: git checkout -b release/v${{ env.version }}
   �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m                �[1m�[96m^^^^^^^^^^^�[0m �[1m�[96mmay expand into attacker-controllable code�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:76:41
   |
75 |         run: |-
   |         --- this run block
76 |           git fetch origin release/v${{ env.version }}
   |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:77:48
   |
75 |         run: |-
   |         --- this run block
76 |           git fetch origin release/v${{ env.version }}
77 |           git reset --hard origin/release/v${{ env.version }}
   |                                                ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:82:49
   |
80 |         run: >-
   |         --- this run block
81 |           gh pr create
82 |           --title "[Autogenerated] Release v${{ env.version }} with Package Updates"
   |                                                 ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-initiate.yml:83:61
   |
80 | ...   run: >-
   |       --- this run block
...
83 | ...     --body "Autogenerated release for PR Metrics v${{ env.version }}. This includes version updates, dependency updates, and lic...
   |                                                           ^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:112:41
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
    |                                         ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

help[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/release-initiate.yml:113:48
    |
111 |         run: |-
    |         --- this run block
112 |           git fetch origin release/v${{ env.version }}
113 |           git reset --hard origin/release/v${{ env.version }}
    |                                                ^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
  --> /github/workspace/.github/workflows/release-initiate.yml:67:91
   |
67 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
   |                                                                                           ^^^^^^ points to commit b1d81091e848
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[ref-version-mismatch]: detects commit SHAs that don't match their version comment tags
   --> /github/workspace/.github/workflows/release-initiate.yml:103:91
    |
103 |         uses: grafana/github-api-commit-action@cb4e7799d2cd77d607acf280ed70a0d03572d8bd # v1.0.0
    |                                                                                           ^^^^^^ points to commit b1d81091e848
    |
    = note: audit confidence → High
    = help: audit documentation → https://docs.zizmor.sh/audits/#ref-version-mismatch

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/release-publish.yml:29:9
   |
29 |         - name: Checkout
   |  _________^
30 | |         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
   | |________________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:85:28
   |
83 |         run: >-
   |         --- this run block
84 |           gh api repos/${{ github.repository }}/releases/generate-notes
85 |           -f tag_name="${{ steps.version.outputs.VERSION }}"
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:93:34
   |
92 |         run: >-
   |         --- this run block
93 |           gh release create "${{ steps.version.outputs.VERSION }}"
   |                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/release-publish.yml:97:32
   |
92 |         run: >-
   |         --- this run block
...
97 |           --title "Release ${{ steps.version.outputs.VERSION }}"
   |                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

80 findings (53 suppressed, 22 fixable): 3 informational, 8 low, 15 medium, 1 high
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-initiate.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/release-publish.yml
 INFO audit: zizmor: 🌈 completed /github/workspace/action.yml
SPELL_CODESPELL
/github/workspace/src/LICENSE.txt:4197: Savin ==> Saving, Satin, Sarin
/github/workspace/src/LICENSE.txt:4198: Savin ==> Saving, Satin, Sarin
/github/workspace/src/LICENSE.txt:4202: Savin ==> Saving, Satin, Sarin
/github/workspace/src/task/Strings/resources.resjson/en-US/resources.resjson:51: sXL ==> xsl
/github/workspace/src/task/src/metrics/codeMetrics.ts:397: FileTest ==> file test
/github/workspace/src/task/src/metrics/codeMetrics.ts:456: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:479: indexS ==> indexes, indices
/github/workspace/src/task/src/metrics/codeMetrics.ts:480: indexS ==> indexes, indices
/github/workspace/src/task/task.json:83: sXL ==> xsl
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:235: atLeast ==> at least
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:327: atLeast ==> at least
/github/workspace/src/task/tests/pullRequests/pullRequestComments.spec.ts:423: atLeast ==> at least
TRIVY

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┬─────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────┼──────┼─────────────────┼───────────────────┼─────────┤
│ package-lock.json │ npm  │        5        │         -         │    -    │
└───────────────────┴──────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ undici  │ CVE-2026-1526 │ HIGH     │ fixed  │ 6.23.0            │ 6.24.0, 7.24.0 │ undici: undici: Denial of Service via unbounded memory       │
│         │               │          │        │                   │                │ consumption during WebSocket permessage-deflate...           │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1526                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1528 │          │        │                   │                │ undici: undici: Denial of Service via crafted WebSocket      │
│         │               │          │        │                   │                │ frame with large length...                                   │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1528                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-2229 │          │        │                   │                │ undici: Undici: Denial of Service via invalid WebSocket      │
│         │               │          │        │                   │                │ permessage-deflate extension parameter                       │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-2229                    │
│         ├───────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1525 │ MEDIUM   │        │                   │                │ undici: Undici: HTTP Request Smuggling and Denial of Service │
│         │               │          │        │                   │                │ due to duplicate...                                          │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1525                    │
│         ├───────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2026-1527 │          │        │                   │                │ undici: Undici: HTTP header injection and request smuggling  │
│         │               │          │        │                   │                │ vulnerability                                                │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-1527                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Replace the literal en-dash with a PowerShell Unicode escape sequence
and strip the UTF-8 BOM to satisfy super-linter encoding checks.
Disable Biome lint, zizmor, codespell, and Trivy while keeping
EditorConfig enabled.
@muiriswoulfe
Member Author

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| JSON_PRETTIER | Pass ✅ |
| MARKDOWN | Pass ✅ |
| MARKDOWN_PRETTIER | Pass ✅ |
| NATURAL_LANGUAGE | Pass ✅ |
| POWERSHELL | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| TYPESCRIPT_PRETTIER | Pass ✅ |
| XML | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Copilot AI review requested due to automatic review settings March 25, 2026 20:39
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

@muiriswoulfe muiriswoulfe changed the title XS✔ ◾ WIP: Update Super-Linter from v7 to v8.5.0 XS✔ ◾ Update Super-Linter from v7 to v8.5.0 Mar 26, 2026
@muiriswoulfe muiriswoulfe self-assigned this Mar 26, 2026
@muiriswoulfe muiriswoulfe added the dependencies Updates to dependencies label Mar 26, 2026
…nter-v8

# Conflicts:
#	.github/workflow-scripts/Test-LicensesResult.ps1
@muiriswoulfe muiriswoulfe changed the title XS✔ ◾ Update Super-Linter from v7 to v8.5.0 XS⚠️ ◾ Update Super-Linter from v7 to v8.5.0 Mar 26, 2026
## Summary

- **Node.js v20 to v24**: Updated across all GitHub Actions workflows,
ADO pipelines, `action.yml`, `task.json`, and `package.json`.
- **GitHub Actions version bumps**: `actions/checkout` v6,
`actions/setup-node` v6, `github/codeql-action` v4,
`actions/upload-artifact` v7, `actions/attest-build-provenance` v4,
`sigstore/cosign-installer` v4.1, `grafana/github-api-commit-action`
update.
- **Security hardening**: Applied zizmor fixes (`persist-credentials:
false`, environment variable indirection for `github.event`
expressions).
- **Pipeline config**: Added Dependabot cooldown, codespell
configuration, fixed PowerShell en-dash encoding.

> **Note**: Super-linter upgrade excluded – to be handled separately.

## Test plan

- [ ] Verify CI passes with Node.js v24
- [ ] Verify ADO pipeline builds succeed
- [ ] Verify GitHub Action runs correctly with `node24` runtime
- [ ] Verify release workflows function correctly
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.

@omex-github-bot-external omex-github-bot-external changed the title WIP: Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾ WIP: Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Mar 26, 2026
@muiriswoulfe muiriswoulfe changed the title XS⚠️ ◾ WIP: Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Mar 26, 2026
- Removed the VALIDATE_TRIVY configuration to streamline the validation process.
Copilot AI review requested due to automatic review settings March 27, 2026 10:42
@muiriswoulfe muiriswoulfe changed the title XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾ XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Mar 27, 2026
@muiriswoulfe
Member Author

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| JSON_PRETTIER | Pass ✅ |
| MARKDOWN | Pass ✅ |
| MARKDOWN_PRETTIER | Pass ✅ |
| NATURAL_LANGUAGE | Pass ✅ |
| POWERSHELL | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| TRIVY | Pass ✅ |
| TYPESCRIPT_PRETTIER | Pass ✅ |
| XML | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated no new comments.

@muiriswoulfe muiriswoulfe changed the title XS⚠️ ◾ XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Mar 27, 2026
@muiriswoulfe muiriswoulfe changed the title XS⚠️ ◾Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Mar 27, 2026
Copilot AI review requested due to automatic review settings April 2, 2026 15:51
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.

muiriswoulfe and others added 2 commits April 3, 2026 14:38
## Summary

- Node 22+ provides `import.meta.dirname` natively in ESM. This replaces
the `path.dirname(fileURLToPath(import.meta.url))` workaround in 4 files
and removes the associated imports.
Copilot AI review requested due to automatic review settings April 3, 2026 15:22
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 21 out of 23 changed files in this pull request and generated no new comments.

@muiriswoulfe muiriswoulfe changed the title XS⚠️ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS✔ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Apr 3, 2026
@muiriswoulfe muiriswoulfe enabled auto-merge (squash) April 3, 2026 15:30
@omex-github-bot-external omex-github-bot-external changed the title XS✔ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 XS⚠️ ◾ Update Pipelines, Node.js to v24, and Super-Linter to v8.5.0 Apr 3, 2026