chore(deps): bump megalinter/megalinter from 9.4.0 to 9.5.0 #255

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/megalinter/megalinter-9.5.0
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps megalinter/megalinter from 9.4.0 to 9.5.0.

Release notes

Sourced from megalinter/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

  • Breaking changes

    • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

      • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
      • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
      • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

      GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

    • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

    • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

      • extends: ["airbnb"] → extends: ["airbnb-extended"]
      • extends: ["standard"] → extends: ["neostandard"]
  • Core

    • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
    • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
    • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
    • Upgrade GO runtime to 1.26.3
  • New linters

    • osv-scanner: trivy-like vulnerability scanner by Google
    • zizmor: GitHub Actions static analysis
  • Disabled linters

    • KICS (until upstream security issue is fixed)
    • Spectral (crashing)
  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

    • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
    • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
    • raku (Rakudo): now ships on ARM64 too
    • scala: linter installation is now deterministic (same binary across rebuilds)
    • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
    • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
    • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source
  • Fixes

... (truncated)

Changelog

Sourced from megalinter/megalinter's changelog.

[v9.5.0] - 2026-05-16

Take 2 mn to read MegaLinter v9.5.0 announcements

  • Breaking changes

    • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

      • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
      • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
      • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

      GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

    • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

    • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

      • extends: ["airbnb"] → extends: ["airbnb-extended"]
      • extends: ["standard"] → extends: ["neostandard"]
  • Core

    • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
    • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
    • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
    • Upgrade GO runtime to 1.26.3
  • New linters

    • osv-scanner: trivy-like vulnerability scanner by Google
    • zizmor: GitHub Actions static analysis
  • Disabled linters

    • KICS (until upstream security issue is fixed)
    • Spectral (crashing)
  • Re-enabled linters

  • Deprecated linters

  • Removed linters

  • Media

  • Linters enhancements

    • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
    • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
    • raku (Rakudo): now ships on ARM64 too
    • scala: linter installation is now deterministic (same binary across rebuilds)
    • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
    • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
    • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source
  • Fixes

    • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved

... (truncated)

Commits
  • 0e3ce9b Fix release workflows.
  • 3e132b1 Release MegaLinter v9.5.0
  • cbb7fe9 Doc + prepare 9.5.0 release (#7836)
  • 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
  • ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
  • e04f202 feat: implement user notifications system and replace migration warnings (#7833)
  • 54bfad8 chore(deps): update dependency @stoplight/spectral-cli to v6.16.0 (#7830)
  • f809408 Eslint legacy detection & warning (#7831)
  • 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
  • cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) labels May 19, 2026

github-actions Bot commented May 19, 2026

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 2 | | 0 | 0 | 0.01s |
| ❌ ACTION | zizmor | 2 | | 1 | 0 | 0.37s |
| ⚠️ COPYPASTE | jscpd | yes | | 10 | no | 2.53s |
| ⚠️ GO | golangci-lint | yes | | 1 | no | 65.53s |
| ✅ GO | revive | yes | | no | no | 10.82s |
| ✅ MARKDOWN | markdownlint | 1 | | 0 | 0 | 1.17s |
| ✅ MARKDOWN | markdown-table-formatter | 1 | | 0 | 0 | 0.39s |
| ✅ REPOSITORY | checkov | yes | | no | no | 27.05s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.38s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.0s |
| ✅ REPOSITORY | grype | yes | | no | no | 105.71s |
| ❌ REPOSITORY | osv-scanner | yes | | 1 | no | 29.88s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.96s |
| ✅ REPOSITORY | syft | yes | | no | no | 8.46s |
| ✅ REPOSITORY | trivy | yes | | no | no | 19.87s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 6.47s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 4.95s |
| ✅ SPELL | lychee | 5 | | 0 | 0 | 0.59s |
| ⚠️ YAML | prettier | 4 | | 1 | 2 | 1.05s |
| ✅ YAML | v8r | 4 | | 0 | 0 | 4.38s |
| ✅ YAML | yamllint | 4 | | 0 | 0 | 1.39s |

Detailed Issues

❌ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned go.mod file and found 162 packages
End status: 90 dirs visited, 216 inodes visited, 1 Extract calls, 15.63614ms elapsed, 15.636375ms wall time

Total 2 packages affected by 8 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 8 Unknown) from 1 ecosystem.
7 vulnerabilities can be fixed.

+------------------------------+------+-----------+-------------------------------------+---------+---------------+--------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE                             | VERSION | FIXED VERSION | SOURCE |
+------------------------------+------+-----------+-------------------------------------+---------+---------------+--------+
| https://osv.dev/GO-2024-3218 |      | Go        | github.com/libp2p/go-libp2p-kad-dht | 0.40.0  | --            | go.mod |
| https://osv.dev/GO-2026-4601 |      | Go        | stdlib                              | 1.25.7  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4602 |      | Go        | stdlib                              | 1.25.7  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib                              | 1.25.7  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4918 |      | Go        | stdlib                              | 1.25.7  | 1.25.10       | go.mod |
| https://osv.dev/GO-2026-4946 |      | Go        | stdlib                              | 1.25.7  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4947 |      | Go        | stdlib                              | 1.25.7  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4971 |      | Go        | stdlib                              | 1.25.7  | 1.25.10       | go.mod |
+------------------------------+------+-----------+-------------------------------------+---------+---------------+--------+

❌ ACTION / zizmor - 1 error
INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/codeql-analysis.yml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

⚠️ GO / golangci-lint - 1 error
../../..cmd/mesh-commands.go:72:4: exitAfterDefer: log.Fatal will exit, and `defer cancel()` will not run (gocritic)
			log.Fatal().Err(err).Msg("dispatch failed")
			^
../../..pkg/mesh/host.go:12:1: File is not properly formatted (gofmt)
	dht "github.com/libp2p/go-libp2p-kad-dht"
^
../../..pkg/mesh/http.go:35:1: File is not properly formatted (gofmt)
	mux.HandleFunc("/exec", h.handleLocal)         // run on local node only
^
../../..pkg/mesh/types.go:68:1: File is not properly formatted (gofmt)
	ID        string          `json:"id"`        // matches Command.ID
^
../../..pkg/laws/user.go:118:2: QF1003: could use tagged switch on facts.Facts.Distro.Family (staticcheck)
	if facts.Facts.Distro.Family == "alpine" {
	^
5 issues:
* gocritic: 1
* gofmt: 3
* staticcheck: 1

⚠️ COPYPASTE / jscpd - 10 errors
Clone found (go):
 - pkg/mesh/service.go [276:78 - 283:5] (7 lines, 81 tokens)
   pkg/mesh/service.go [233:61 - 240:11]

Clone found (go):
 - pkg/mesh/http.go [237:2 - 246:2] (9 lines, 96 tokens)
   pkg/mesh/http.go [215:2 - 224:2]

Clone found (go):
 - pkg/laws/ssh.go [99:3 - 110:3] (11 lines, 131 tokens)
   pkg/laws/ssh.go [70:4 - 82:10]

Clone found (go):
 - pkg/laws/service.go [171:5 - 176:30] (5 lines, 77 tokens)
   pkg/laws/service.go [152:7 - 157:32]

Clone found (go):
 - pkg/laws/file.go [300:23 - 310:6] (10 lines, 97 tokens)
   pkg/laws/file.go [250:21 - 260:8]

Clone found (go):
 - pkg/laws/file.go [333:3 - 352:8] (19 lines, 222 tokens)
   pkg/laws/file.go [282:3 - 300:4]

Clone found (go):
 - pkg/laws/file.go [381:2 - 394:91] (13 lines, 120 tokens)
   pkg/laws/file.go [251:3 - 313:6]

Clone found (go):
 - pkg/laws/file.go [411:58 - 433:8] (22 lines, 259 tokens)
   pkg/laws/file.go [328:61 - 299:3]

Clone found (go):
 - cmd/local-lint.go [48:3 - 62:6] (14 lines, 135 tokens)
   cmd/local-pretend.go [48:3 - 62:6]

Clone found (go):
 - cmd/local-apply.go [48:75 - 63:5] (15 lines, 117 tokens)
   cmd/local-pretend.go [49:52 - 63:7]

┌────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ go     │ 32             │ 5594        │ 41691        │ 10           │ 125 (2.23%)      │ 1335 (3.2%)       │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total: │ 32             │ 5594        │ 41691        │ 10           │ 125 (2.23%)      │ 1335 (3.2%)       │
└────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 10 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (2.23%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (2.23%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

⚠️ YAML / prettier - 1 error
Checking formatting...
[warn] .github/workflows/megalinter.yaml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,ACTION_ZIZMOR,COPYPASTE_JSCPD,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Owner

iggy commented May 29, 2026

@dependabot rebase

Bumps [megalinter/megalinter](https://github.com/megalinter/megalinter) from 9.4.0 to 9.5.0.
- [Release notes](https://github.com/megalinter/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@v9.4.0...v9.5.0)

---
updated-dependencies:
- dependency-name: megalinter/megalinter
  dependency-version: 9.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/megalinter/megalinter-9.5.0 branch from 3042aa3 to f9bd612 Compare May 29, 2026 05:15