Skip to content

chore(deps): update dependency zizmor to v1.26.1#166

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/zizmor-1.x
Open

chore(deps): update dependency zizmor to v1.26.1#166
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/zizmor-1.x

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
zizmor (source) 1.24.11.26.1 age confidence

Release Notes

zizmorcore/zizmor (zizmor)

v1.26.1

Compare Source

This is a small corrective release for 1.26.0.

v1.26.0

Compare Source

New Features 🌈🔗
  • New audit: typosquat-uses detects uses: clauses that reference likely typoed actions (#​1985)

    Many thanks to @​andrew for proposing and implementing this improvement!

  • New audit: unsound-ternary detects pseudo-ternary expressions that don't evaluate as expected (#​2085)

    Many thanks to @​terror for proposing and implementing this improvement!

  • New audit: adhoc-packages detects run: steps that install packages in an ad-hoc manner (#​2061)

    Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱🔗
Performance Improvements 🚄🔗
  • Most online audits are significantly faster, thanks to more precise retry handling (#​2036)
    Bug Fixes 🐛🔗

  • Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#​2026)

    Many thanks to @​fionn for implementing this fix!

  • Fixed a bug where ref-version-mismatch would fail to fully match some version comments (#​2040)

  • Fixed a bug where dependabot-cooldown would fail to honor the user's configured days when performing autofixes (#​2055)

  • Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute (#​2059, #​2069)

  • Fixed a bug where ref-version-mismatch would fail to identify some valid version comments (#​2073)

  • Fixed a bug where unpinned-images would incorrectly flag empty matrix expansions as unpinned container image references (#​2102)

  • Fixed a bug where unpinned-images would incorrectly flag some matrix expansions as unpinned (#​2098)

  • The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now provide more correct/useful paths, particularly when the user provides a relative path as input to zizmor rather than zizmor . (#​1748, #​2095)

Changes ⚠️🔗
  • The impostor-commit audit no longer suggests auto-fixes, to avoid incorrectly minimizing the amount of manual remediation work needed (#​2054)

  • The JSON and SARIF outputs no longer contain a misleading prefix key (#​2095)

v1.25.2

Compare Source

Bug Fixes 🐛🔗

v1.25.1

Compare Source

Bug Fixes 🐛🔗

v1.25.0

Compare Source

New Features 🌈🔗

  • zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#​1913)

    Many thanks to @​Proximyst for proposing and implementing this improvement!

  • New audit: github-app detects dangerous usages of GitHub App installation tokens (#​1926)

  • New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#​1820)

  • zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#​1935)

  • zizmor's LSP now honors the --persona flag on the CLI (#​1943)

  • zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#​1965)

Enhancements🔗

Performance Improvements 🚄🔗

  • The impostor-commit audit is now significantly faster (in addition to being more correct) when the user has pinned their action to a tag SHA instead of a commit SHA (#​1998)
    Bug Fixes 🐛🔗

  • Fixed a crash in the template-injection audit when a workflow uses a parenthesized compound expression in context position (#​1904)

  • Fixed a bug where local directory input collection could miss workflows for relative-path invocations from within .github subdirectories (#​1909)

  • Fixed a bug where the unpinned-images audit would miss images defined in container: clauses (#​1944)

  • Fixed a bug where inline ignore comments could not be easily applied to superfluous-actions findings (#​1945)

  • Fixed a bug where the cache-poisoning audit would fail to detect some release trigger patterns (#​1946)

  • Fixed a bug where inline ignore comments could not be easily applied to cache-poisoning findings (#​1962)

  • Fixed a class of imprecisions where the cache-poisoning audit would incorrectly flag cache usage that doesn't actually occur on release events (#​1940)

    Many thanks to @​reubenwong97 for implementing this fix!

  • Fixed a bug where dependabot.yml files containing a private cargo repository couldn't be parsed (#​1976)

  • Fixed a bug where zizmor's input validation warnings lacked a mention of which files failed to validate (#​1980)

  • Fixed a bug where the impostor-commit audit would falsely indicate impostor commits if an action was pinned to a tag SHA instead of a commit SHA (#​1998)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants