chore(deps): update super-linter/super-linter action to v8.3.1 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
super-linter/super-linter	action	minor	v8.0.0 → v8.3.1

GitHub Vulnerability Alerts

CVE-2026-25761

Summary

The Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions.

Details

The issue appears originates in the logic that scans the repository for changed files to check.

1. Use a workflow that runs Super-linter on pull_request events.
2. Open a pull request that adds a new file with a crafted filename containing command substitution and an outbound request that includes $GITHUB_TOKEN.
3. Run the workflow.

Impact

• Arbitrary command execution in the context of the workflow run that invokes Super-linter (triggered by attacker-controlled filenames in a PR).
• Credential exposure / misuse: the injected command can read environment variables available to the action, including GITHUB_TOKEN.

The level of exposure depends on the source of the pull request.

To actively exploit the vulnerability, an attacker needs have the ability to run workflows without any approval from the repository admin.

Also, the GITHUB_TOKEN needs to have unconstrained access to repository resources. Even in that case, for pull request coming from forked repositories, no secrets are passed to the forked repository when running workflows triggered by pull_request events, and the GITHUB_TOKEN drops and write permission on the source repository source.

Finally, although not specific to this vulnerability, we recommend auditing workflow_call and pull_request_target workflows because they can lead to compromise, regardless of whether you're using Super-linter, or not, as explained by this GitHub Enterprise doc.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

---

Release Notes

super-linter/super-linter (super-linter/super-linter)

v8.3.1

Compare Source

🐛 Bugfixes

• docs: ansible-lints lints the entire dir (#​7272) (b721f3c), closes #​7263
• handle paths with parentheses (#​7273) (d29d0d4)
• rollback to python 3.13 (#​7269) (10265f1)
• trivial log message bug when file does not exist (#​7268) (c6a7b38)

⬆️ Dependency updates

• bundler: bump rubocop-rails in /dependencies in the rubocop group (#​7251) (d8a2032)
• java: bump com.google.googlejavaformat:google-java-format (#​7270) (140a2e3)
• java: bump com.puppycrawl.tools:checkstyle (#​7264) (550df3c)
• java: bump the java-gradle group across 3 directories with 3 updates (#​7252) (5306a0a)
• npm: bump @​modelcontextprotocol/sdk in /dependencies (#​7248) (4d59852)
• npm: bump express from 5.1.0 to 5.2.1 in /dependencies (#​7246) (50462d3)
• npm: bump jws from 4.0.0 to 4.0.1 in /dependencies (#​7260) (cc90344)
• npm: bump next from 16.0.7 to 16.0.9 in /dependencies (#​7277) (b7cedfb)
• npm: bump the npm group across 1 directory with 3 updates (#​7289) (f65215e)
• npm: bump the npm group across 1 directory with 5 updates (#​7271) (b4e616f)
• npm: bump the npm group across 1 directory with 7 updates (#​7259) (0ab9ad4)
• npm: bump the npm group across 1 directory with 8 updates (#​7266) (39e94f8)
• python: bump the pip group across 1 directory with 2 updates (#​7288) (4559b6e)
• python: bump the pip group across 1 directory with 7 updates (#​7265) (026d3fe)

🧰 Maintenance

• add prettier and htmlhint to the npm group (#​7257) (4692c1c)
• deps: update docker dependencies (#​7285) (f4d16d3), closes #​7244
• fix docs typos and update next (#​7284) (0df9f3c)
• update issue template and print graph (#​7276) (dfb728c)

v8.3.0

Compare Source

🚀 Features

• add ability to specify config files for nbqa tools (#​7184) (b37c1c3)
• lint dependabot, github actions with zizmor (#​7241) (09306cd), closes #​7137
• support rust 2024 (#​7211) (c15ee6d), closes #​7139

🐛 Bugfixes

• parse json to extract terraform version (#​7239) (29f1727)

⬆️ Dependency updates

• bundler: bump rubocop in /dependencies in the rubocop group (#​7188) (74b2444)
• bundler: bump rubocop-rails in /dependencies in the rubocop group (#​7231) (dd55c52)
• bundler: bump the rubocop group in /dependencies with 2 updates (#​7178) (3bdc919)
• bundler: bump the rubocop group in /dependencies with 4 updates (#​7202) (0e09528)
• docker: bump python in the docker-base-images group (#​7123) (41c3da1)
• docker: bump the docker group across 1 directory with 12 updates (#​7235) (b1cf27d)
• docker: bump the docker group across 1 directory with 6 updates (#​7148) (76149cf)
• docker: bump the docker group across 1 directory with 9 updates (#​7194) (45f731e)
• npm: bump @​babel/eslint-parser in /dependencies (#​7183) (197eb88)
• npm: bump @​typescript-eslint/eslint-plugin (#​7127) (2d57f06)
• npm: bump @​typescript-eslint/eslint-plugin (#​7196) (033ea99)
• npm: bump body-parser from 2.2.0 to 2.2.1 in /dependencies (#​7238) (30403f6)
• npm: bump eslint from 9.37.0 to 9.38.0 in /dependencies (#​7170) (b42af6f)
• npm: bump eslint from 9.38.0 to 9.39.0 in /dependencies (#​7191) (0cf22c8)
• npm: bump eslint from 9.39.0 to 9.39.1 in /dependencies (#​7197) (513ae8b)
• npm: bump eslint-plugin-react-hooks (#​7180) (61e4208)
• npm: bump js-yaml from 3.14.1 to 3.14.2 in /dependencies (#​7210) (29faa98)
• npm: bump npm-groovy-lint from 15.2.1 to 15.2.2 in /dependencies (#​7130) (4913825)
• npm: bump renovate from 41.142.0 to 41.146.5 in /dependencies (#​7134) (900b973)
• npm: bump renovate from 41.151.1 to 41.161.0 in /dependencies (#​7182) (1d8c2a2)
• npm: bump renovate from 41.161.0 to 42.4.0 in /dependencies (#​7198) (0a4ed30)
• npm: bump the eslint-plugins-configs group across 1 directory with 2 updates (#​7145) (c137ca9)
• npm: bump the npm group across 1 directory with 2 updates (#​7175) (f0b0ff5)
• npm: bump the npm group across 1 directory with 3 updates (#​7146) (d4d3f16)
• npm: bump the npm group across 1 directory with 3 updates (#​7195) (ad4f63c)
• npm: bump the npm group across 1 directory with 5 updates (#​7233) (5cadbf1)
• npm: bump the npm group across 1 directory with 8 updates (#​7221) (3802c52)
• npm: bump the react group across 1 directory with 2 updates (#​7190) (d6c8078)
• npm: bump the react group across 1 directory with 4 updates (#​7128) (4034702)
• npm: bump the typescript group across 1 directory with 2 updates (#​7176) (39aba76)
• python: bump the pip group across 1 directory with 11 updates (#​7199) (07fbf76)
• python: bump the pip group across 1 directory with 3 updates (#​7234) (c8bd6d3)
• python: bump the pip group across 1 directory with 4 updates (#​7219) (91361a3)

🧰 Maintenance

• bump dotnet/sdk to 9.0.306-alpine3.22 (#​7140) (39be15a)
• deps: bump the go_modules group across 2 directories with 1 update (#​7217) (8ef289e)
• dev-docker: bump node in /dev-dependencies (#​7132) (b8dd2b4)
• dev-docker: bump node in /dev-dependencies (#​7189) (635e1f1)
• dev-docker: bump node in /dev-dependencies (#​7218) (0095a4c)
• dev-npm: bump js-yaml (#​7200) (f4f746e)
• dev-npm: bump release-please in /dev-dependencies (#​7129) (3addd51)
• disable md060 on summary tables (#​7228) (4850a5d)
• fix validate_all_codebase value in readme (#​7193) (c40192c)
• github-actions: bump actions/checkout in the dev-ci-tools group (#​7232) (f40c174)
• github-actions: bump the dev-ci-tools group with 3 updates (#​7181) (6d95c88)
• improve logging (#​7173) (ada6bf3)
• improve testing and get push.before (#​7143) (de2fd49)
• merge npm dependabot groups (#​7216) (7a4cfc6)
• set devcontainer name (#​7240) (5aa81e2)
• update google-java-format to 1.29.0 (#​7104) (1399737)

v8.2.1

Compare Source

🐛 Bugfixes

• biome ignore errors on unmatched files (#​7089) (8d1cfd5)
• handle pull_request_target (#​7088) (188a10f)
• handle schedule and workflow_dispatch events (#​7098) (28cb079), closes #​7095
• set CONFLICT_FOUND as expected (#​7093) (07cfe7e), closes #​7092
• strip workspace from the regex check path (#​7110) (3b72a2d), closes #​7086
• validate DEFAULT_BRANCH when using find (#​7119) (7508f4c), closes #​7117

⬆️ Dependency updates

• docker: bump the docker group with 2 updates (#​7100) (28c5681)
• npm: bump eslint from 9.36.0 to 9.37.0 in /dependencies (#​7102) (cf6cb1e)
• npm: bump renovate from 41.132.2 to 41.136.0 in /dependencies (#​7107) (495692f)
• npm: bump the eslint-plugins-configs group across 1 directory with 2 updates (#​7101) (b3a735d)
• npm: bump the npm group across 1 directory with 4 updates (#​7108) (ce227b3)
• npm: bump typescript (#​7109) (deba11c)
• python: bump the pip group across 1 directory with 7 updates (#​7106) (7c02a56)

🧰 Maintenance

• add missing ruff variables to readme (#​7091) (7daeceb), closes #​7099
• explain who ignores VALIDATE_ALL_CODEBASE (#​7111) (9150eb9), closes #​7090
• github-actions: bump peter-evans/create-issue-from-file (#​7103) (ec80a77)
• update rack to 3.2.3 (#​7136) (2e6ad3d)
• update ruby transitive dependencies (#​7115) (00a71f6)

v8.2.0

Compare Source

🚀 Features

• add kubeconform (#​7011) (415cc32), closes #​6967
• add pre-commit (#​7064) (9106b37), closes #​3683
• export GITHUB_TOKEN (#​7054) (879aeb5), closes #​6970
• run ruff as a formatter (#​6981) (f9bdfcb), closes #​5951
• set zizmor github token variable (#​6971) (097f489)
• support biome (#​7005) (fdf27fe), closes #​6298
• support git worktrees (#​6983) (deb9853), closes #​6944

🐛 Bugfixes

• initialize GITHUB_BEFORE_SHA on merge commits (#​7053) (4649231), closes #​6873
• initialize GITHUB_SHA for both worktrees and regular repos (#​7010) (8477b13)
• install r only when needed (#​7029) (5114ec9), closes #​7022
• set biome working directory (#​7035) (d32a717)

⬆️ Dependency updates

• bundler: bump rubocop in /dependencies in the rubocop group (#​6973) (1e6cd2f)
• bundler: bump rubocop in /dependencies in the rubocop group (#​6999) (0c0b832)
• bundler: bump rubocop-performance (#​7014) (1f7db0b)
• bundler: bump the rubocop group in /dependencies with 2 updates (#​7071) (1680ba2)
• bundler: bump the rubocop group in /dependencies with 3 updates (#​6989) (dee2e4e)
• docker: bump aquasecurity/trivy in the docker group (#​7080) (41480db)
• docker: bump goreleaser/goreleaser in the docker group (#​7070) (c2c988a)
• docker: bump the docker group across 1 directory with 4 updates (#​7031) (a1aae7d)
• docker: bump the docker group with 3 updates (#​6995) (54c24c1)
• docker: bump the docker group with 3 updates (#​7000) (9df4ad9)
• docker: bump the docker group with 3 updates (#​7043) (e2dbaa1)
• docker: bump the docker group with 5 updates (#​6974) (8ea4f49)
• docker: bump the docker group with 8 updates (#​7056) (ccb8ba0)
• java: bump com.puppycrawl.tools:checkstyle (#​6991) (6fc26f0)
• java: bump com.puppycrawl.tools:checkstyle (#​7072) (96c0ec9)
• npm: bump @​babel/eslint-parser in /dependencies (#​7017) (c0393aa)
• npm: bump @​typescript-eslint/eslint-plugin (#​6992) (d37840f)
• npm: bump @​typescript-eslint/eslint-plugin (#​7003) (6d3fb85)
• npm: bump @​typescript-eslint/eslint-plugin (#​7023) (a974afd)
• npm: bump @​typescript-eslint/eslint-plugin (#​7059) (dc633f9)
• npm: bump @​typescript-eslint/eslint-plugin (#​7074) (ecf5001)
• npm: bump @​typescript-eslint/eslint-plugin (#​7081) (7412580)
• npm: bump axios (#​7040) (407092f)
• npm: bump eslint from 9.33.0 to 9.34.0 in /dependencies (#​6977) (0480c3e)
• npm: bump eslint from 9.34.0 to 9.35.0 in /dependencies (#​7016) (aa8b43f)
• npm: bump eslint from 9.35.0 to 9.36.0 in /dependencies (#​7061) (3077915)
• npm: bump eslint-plugin-n (#​7046) (18787aa)
• npm: bump htmlhint from 1.6.3 to 1.7.0 in /dependencies (#​7045) (808542e)
• npm: bump htmlhint from 1.7.0 to 1.7.1 in /dependencies (#​7062) (0592f61)
• npm: bump next (#​6990) (afc246b)
• npm: bump react-router-dom (#​6975) (dc353b6)
• npm: bump react-router-dom (#​7048) (ba436ab)
• npm: bump react-router-dom (#​7069) (9c98974)
• npm: bump renovate from 41.114.0 to 41.123.0 in /dependencies (#​7060) (1ccb602)
• npm: bump renovate from 41.123.0 to 41.131.12 in /dependencies (#​7075) (725fe03)
• npm: bump renovate from 41.131.12 to 41.132.2 in /dependencies (#​7082) (d42850b)
• npm: bump renovate from 41.81.5 to 41.83.1 in /dependencies (#​6978) (b9a2b77)
• npm: bump renovate from 41.86.1 to 41.92.0 in /dependencies (#​6994) (2bf83e4)
• npm: bump renovate from 41.92.0 to 41.96.2 in /dependencies (#​7001) (e81e1ef)
• npm: bump renovate from 41.96.2 to 41.97.10 in /dependencies (#​7018) (b850925)
• npm: bump renovate from 41.98.1 to 41.99.7 in /dependencies (#​7032) (49f224f)
• npm: bump renovate from 41.99.7 to 41.113.7 in /dependencies (#​7044) (6d78b52)
• npm: bump tar-fs (#​7066) (7941ea8)
• npm: bump the eslint-plugins-configs group across 1 directory with 2 updates (#​7058) (77f4c91)
• npm: bump the npm group across 1 directory with 2 updates (#​7047) (9cde340)
• npm: bump the npm group across 1 directory with 3 updates (#​7034) (5cb82c0)
• npm: bump the npm group across 1 directory with 5 updates (#​7077) (98635c9)
• python: bump the pip group across 1 directory with 2 updates (#​6976) (db91c76)
• python: bump the pip group across 1 directory with 2 updates (#​7019) (1515dc8)
• python: bump the pip group across 1 directory with 2 updates (#​7079) (8c221da)
• python: bump the pip group across 1 directory with 3 updates (#​6993) (7987cfe)
• python: bump the pip group across 1 directory with 3 updates (#​7057) (91f7aaf)
• python: bump the pip group across 1 directory with 3 updates (#​7078) (92f78b7)
• python: bump the pip group across 1 directory with 4 updates (#​7042) (e284708)

🧰 Maintenance

• add and refactor development guide (#​6985) (5e61a2e)
• add git worktrees section to local run documentation (#​6984) (633b53a)
• check for errors on github event functions (#​7055) (274fcd6)
• clarify default configuration files (#​7033) (7272759), closes #​7008
• dev-docker: bump node in /dev-dependencies (#​6988) (7a05695)
• dev-docker: bump node in /dev-dependencies (#​7041) (e5020df)
• dev-docker: bump node in /dev-dependencies (#​7073) (35ce250)
• github-actions: bump actions/github-script in the dev-ci-tools group (#​7012) (fdb4fb1)
• github-actions: bump actions/stale in the dev-ci-tools group (#​7002) (5e7453d)
• github-actions: bump docker/login-action in the dev-ci-tools group (#​7076) (3ec8ffb)
• install new docker vs code extensions (#​6969) (0768adf)
• set persist-credentials in readme example (#​7026) (c54ecba)
• simplify dependabot config and extend docs (#​6998) (1fa37ee)
• simplify more tests (#​7006) (e933646)
• simplify more tests (#​7025) (3bd0e1d)
• simplify more tests (#​7028) (2624757)
• simplify more tests (#​7063) (96daff4)
• simplify tests (#​7004) (80e59bb)
• update .sqlfluff config link (#​7039) (b408793), closes #​7036
• upgrade actions/checkout from v4 to v5 and fix some typos (#​6996) (348aa96)
• use gitleaks directory command (#​6997) (18d7882)

v8.1.0

Compare Source

🚀 Features

• add env var for npm-groovy-lint log level (#​6907) (32d5e3d)
• add trivy and trivy sbom (#​6925) (542ff97), closes #​693
• add zizmor (#​6957) (eda5c0e), closes #​6740
• install os packages at run time (#​6943) (fecfeb3), closes #​5824
• pass options to jvm when running checkstyle (#​6928) (3b3b2cd), closes #​6927 #​6926

⬆️ Dependency updates

• bundler: bump rubocop in /dependencies in the rubocop group (#​6918) (112c95e)
• bundler: bump rubocop-rails in /dependencies in the rubocop group (#​6947) (bdbef71)
• bundler: bump the rubocop group in /dependencies with 2 updates (#​6929) (f7958f1)
• docker: bump python in the docker-base-images group (#​6937) (fed04a2)
• docker: bump python in the docker-base-images group (#​6952) (8d1d341)
• docker: bump the docker group with 4 updates (#​6933) (8fd087d)
• docker: bump the docker group with 4 updates (#​6948) (95bb9b6)
• docker: bump the docker group with 5 updates (#​6896) (f651b3c)
• docker: bump the docker group with 7 updates (#​6911) (1b4e552)
• java: bump com.pinterest.ktlint:ktlint-cli (#​6894) (b5fcc9b)
• java: bump com.puppycrawl.tools:checkstyle (#​6930) (230c55a)
• npm: bump @​eslint/plugin-kit (#​6886) (83aa3a5)
• npm: bump @​typescript-eslint/eslint-plugin (#​6893) (73f831b)
• npm: bump @​typescript-eslint/eslint-plugin (#​6950) ([e030d7b](https://redirect.github.com/super-linter/super-linter/commit/e030d7b9108260bf7a6a9f71666d3ba2a6bf

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.