fix(deps): bump conda-incubator/setup-miniconda from 3 to 4 #145

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/conda-incubator/setup-miniconda-4


dependabot[bot] commented on behalf of github on Apr 24, 2026

Bumps conda-incubator/setup-miniconda from 3 to 4.

Release notes

Sourced from conda-incubator/setup-miniconda's releases.

Version 4.0.0

Breaking Changes

  • #459: Upgrade action runtime to Node.js 24.x (requires runners with Node 24 support; this is the reason for the v4 major bump)
  • #450: Switch action build to ESM (for @actions/exec v3)

Features and Enhancements

  • #469: Add conda-init input to optionally skip conda init and document activation for restricted environments
  • #482: Add channels parsing utility and URL validation
  • #481: Enable stricter TypeScript checks and typing
  • #480: Add more tests, increase coverage, add Codecov integration and coverage badge
  • #479: Add TypeDoc-based API docs, generation and checks; configure GitHub Pages and Netlify previews

Fixes

  • #465: Fix double channel configuration being applied
  • #467: Speed up Windows post-run cleanup by moving the extracted packages directory instead of removing files one by one
  • #470: Fix name-version-build syntax expansion and add tests
  • #475: Split shell init and activation of the test environment to remove spurious warning
  • #498: Skip Netlify preview for Dependabot PRs

Performance

  • #486: Remove HTML index scraping for Miniconda version validation
  • #487: Parallelize Windows takeown calls with Promise.all
  • #488: Replace isDefaultEnvironment subprocess with local YAML reads
  • #489: Replace conda config subprocesses with direct .condarc YAML writes

Tasks and Maintenance

  • #444: Bump conda-incubator/setup-miniconda from 3.2.0 to 3.3.0
  • #445: Bump actions/checkout from 6.0.1 to 6.0.2
  • #449: Bump @actions/exec from 2.0.0 to 3.0.0
  • #456, #484, #491: Bump actions/upload-artifact
  • #460: Bump actions/download-artifact from 7.0.0 to 8.0.1
  • #464: Update dependencies for actions and packages
  • #466: Bump @actions/tool-cache from 2.0.2 to 4.0.0
  • #473: Bump flatted from 3.2.9 to 3.4.2
  • #476: Bump picomatch
  • #477: Bump conda-incubator/installer from 0.1.0 to 0.1.1
  • #485: Bump vite from 8.0.0 to 8.0.8
  • #492: Bump actions/upload-pages-artifact from 3 to 5

... (truncated)

Changelog

Sourced from conda-incubator/setup-miniconda's changelog.

[v4.0.0] (2026-04-23)

Breaking Changes

  • #459: Upgrade action runtime to Node.js 24.x (requires runners with Node 24 support; this is the reason for the v4 major bump)
  • #450: Switch action build to ESM (for @actions/exec v3)

Features and Enhancements

  • #469: Add conda-init input to optionally skip conda init and document activation for restricted environments
  • #482: Add channels parsing utility and URL validation
  • #481: Enable stricter TypeScript checks and typing
  • #480: Add more tests, increase coverage, add Codecov integration and coverage badge
  • #479: Add TypeDoc-based API docs, generation and checks; configure GitHub Pages and Netlify previews

Fixes

  • #465: Fix double channel configuration being applied
  • #467: Speed up Windows post-run cleanup by moving the extracted packages directory instead of removing files one by one
  • #470: Fix name-version-build syntax expansion and add tests
  • #475: Split shell init and activation of the test environment to remove spurious warning

Performance

  • #486: Remove HTML index scraping for Miniconda version validation
  • #487: Parallelize Windows takeown calls with Promise.all
  • #488: Replace isDefaultEnvironment subprocess with local YAML reads
  • #489: Replace conda config subprocesses with direct .condarc YAML writes

Tasks and Maintenance

  • #444: Bump conda-incubator/setup-miniconda from 3.2.0 to 3.3.0
  • #445: Bump actions/checkout from 6.0.1 to 6.0.2
  • #449: Bump @actions/exec from 2.0.0 to 3.0.0
  • #456, #484, #491: Bump actions/upload-artifact
  • #460: Bump actions/download-artifact from 7.0.0 to 8.0.1
  • #464: Update dependencies for actions and packages
  • #466: Bump @actions/tool-cache from 2.0.2 to 4.0.0
  • #473: Bump flatted from 3.2.9 to 3.4.2
  • #476: Bump picomatch
  • #477: Bump conda-incubator/installer from 0.1.0 to 0.1.1
  • #485: Bump vite from 8.0.0 to 8.0.8
  • #492: Bump actions/upload-pages-artifact from 3 to 5

... (truncated)

Commits
  • bce0bd8 Prepare v4 release (#499)
  • 78fb0ff ci(docs): skip Netlify preview for Dependabot PRs (#498)
  • d32e72e Bump @actions/core from 3.0.0 to 3.0.1 (#496)
  • 3e251ae Bump actions/upload-artifact from 4 to 7 (#491)
  • 7ff02ae Bump actions/upload-pages-artifact from 3 to 5 (#492)
  • 65b62b8 Bump actions/deploy-pages from 4 to 5 (#494)
  • 1eb4d38 Bump marocchino/sticky-pull-request-comment from 2 to 3 (#493)
  • bfb6f7e Bump codecov/codecov-action from 5 to 6 (#495)
  • 77236ef Merge pull request #489 from conda-incubator/perf/direct-condarc-write
  • 36bff15 Replace conda config subprocesses with direct .condarc YAML write
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [conda-incubator/setup-miniconda](https://github.com/conda-incubator/setup-miniconda) from 3 to 4.
- [Release notes](https://github.com/conda-incubator/setup-miniconda/releases)
- [Changelog](https://github.com/conda-incubator/setup-miniconda/blob/main/CHANGELOG.md)
- [Commits](conda-incubator/setup-miniconda@v3...v4)

---
updated-dependencies:
- dependency-name: conda-incubator/setup-miniconda
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels on Apr 24, 2026
dependabot[bot] requested a review from a team as a code owner on April 24, 2026 02:32

@RicoFactset

Checkmarx One – Scan Summary & Details 9ca58929-e7d8-4215-a077-ac22b5b52061


New Issues (5)

High: 3 · Medium: 1 · Low: 1

Checkmarx found the following issues in this Pull Request

| # | Severity | Issue | Source File / Package | Checkmarx Insight |
|---|----------|-------|-----------------------|-------------------|
| 1 | HIGH | CVE-2026-26007 | Python-cryptography-42.0.6 | Recommended version: 46.0.7<br>Description: Cryptography is a package that exposes cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or ...<br>Attack Vector: NETWORK<br>Attack Complexity: HIGH<br>Vulnerable Package |
| 2 | HIGH | CVE-2026-27932 | Python-joserfc-1.2.2 | Recommended version: 1.6.3<br>Description: joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions through 1.6...<br>Attack Vector: NETWORK<br>Attack Complexity: LOW<br>Vulnerable Package |
| 3 | HIGH | CVE-2026-32274 | Python-black-24.8.0 | Recommended version: 26.3.1<br>Description: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formattin...<br>Attack Vector: NETWORK<br>Attack Complexity: LOW<br>Vulnerable Package |
| 4 | MEDIUM | CVE-2026-25645 | Python-requests-2.32.4 | Recommended version: 2.33.0<br>Description: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when ...<br>Attack Vector: LOCAL<br>Attack Complexity: LOW<br>Vulnerable Package |
| 5 | LOW | CVE-2026-34073 | Python-cryptography-42.0.6 | Recommended version: 46.0.7<br>Description: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constrain...<br>Attack Vector: NETWORK<br>Attack Complexity: HIGH<br>Vulnerable Package |

Use Checkmarx (@Checkmarx) to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR
