chore(deps): bump megalinter/megalinter from 9.4.0 to 9.5.0

[dependabot]

Bumps megalinter/megalinter from 9.4.0 to 9.5.0.

Release notes

Sourced from megalinter/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

... (truncated)

Changelog

Sourced from megalinter/megalinter's changelog.

[v9.5.0] - 2026-05-16

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved

... (truncated)

Commits

• 0e3ce9b Fix release workflows.
• 3e132b1 Release MegaLinter v9.5.0
• cbb7fe9 Doc + prepare 9.5.0 release (#7836)
• 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
• ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
• e04f202 feat: implement user notifications system and replace migration warnings (#7833)
• 54bfad8 chore(deps): update dependency @​stoplight/spectral-cli to v6.16.0 (#7830)
• f809408 Eslint legacy detection & warning (#7831)
• 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
• cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.21s
❌ ACTION	zizmor	4	0	1	0	0.23s
✅ COPYPASTE	jscpd	yes		no	no	1.29s
✅ DOCKERFILE	hadolint	1		0	0	0.12s
✅ GO	golangci-lint	yes	yes	no	no	63.82s
✅ GO	revive	yes		no	no	0.03s
✅ MARKDOWN	markdownlint	2	0	0	0	0.77s
✅ MARKDOWN	markdown-table-formatter	2	0	0	0	0.37s
✅ REPOSITORY	checkov	yes		no	no	47.91s
✅ REPOSITORY	gitleaks	yes		no	no	0.33s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	79.34s
❌ REPOSITORY	osv-scanner	yes		1	no	26.51s
✅ REPOSITORY	secretlint	yes		no	no	0.8s
✅ REPOSITORY	syft	yes		no	no	3.38s
✅ REPOSITORY	trivy	yes		no	no	14.77s
✅ REPOSITORY	trivy-sbom	yes		no	no	4.1s
✅ REPOSITORY	trufflehog	yes		no	no	4.26s
✅ SPELL	lychee	14		0	0	0.1s
✅ YAML	prettier	12	0	0	0	0.83s
✅ YAML	v8r	12		0	0	14.04s
✅ YAML	yamllint	12		0	0	0.91s

Detailed Issues

❌ REPOSITORY / osv-scanner - 1 error

Scanning dir .
Starting filesystem walk for root: /
Scanned go.mod file and found 64 packages
End status: 68 dirs visited, 174 inodes visited, 1 Extract calls, 13.542396ms elapsed, 13.542596ms wall time

Total 1 package affected by 22 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 22 Unknown) from 1 ecosystem.
22 vulnerabilities can be fixed.

+------------------------------+------+-----------+---------+---------+---------------+--------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+------------------------------+------+-----------+---------+---------+---------------+--------+
| https://osv.dev/GO-2025-4007 |      | Go        | stdlib  | 1.25.0  | 1.25.3        | go.mod |
| https://osv.dev/GO-2025-4008 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4009 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4010 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4011 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4012 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4013 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4014 |      | Go        | stdlib  | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4155 |      | Go        | stdlib  | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2025-4175 |      | Go        | stdlib  | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2026-4337 |      | Go        | stdlib  | 1.25.0  | 1.25.7        | go.mod |
| https://osv.dev/GO-2026-4340 |      | Go        | stdlib  | 1.25.0  | 1.25.6        | go.mod |
| https://osv.dev/GO-2026-4341 |      | Go        | stdlib  | 1.25.0  | 1.25.6        | go.mod |
| https://osv.dev/GO-2026-4601 |      | Go        | stdlib  | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4602 |      | Go        | stdlib  | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4865 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4869 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4918 |      | Go        | stdlib  | 1.25.0  | 1.25.10       | go.mod |
| https://osv.dev/GO-2026-4946 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4947 |      | Go        | stdlib  | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4971 |      | Go        | stdlib  | 1.25.0  | 1.25.10       | go.mod |
+------------------------------+------+-----------+---------+---------+---------------+--------+

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/buildpush.yaml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,ACTION_ZIZMOR,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository