
chore(deps): bump actions/upload-artifact from 3.pre.node20 to 4.3.3 #133

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/upload-artifact-4.3.3

Conversation


@dependabot dependabot bot commented on behalf of github May 6, 2024

Bumps actions/upload-artifact from 3.pre.node20 to 4.3.3.

Release notes

Sourced from actions/upload-artifact's releases.

v4.3.3

What's Changed

Full Changelog: actions/upload-artifact@v4.3.2...v4.3.3

v4.3.2

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.3.1...v4.3.2

v4.3.1

v4.3.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.3.0

v4.2.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.2.0

v4.1.0

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.1.0

v4.0.0

... (truncated)

Commits
  • 6546280 updating package version
  • c004fb4 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
  • 90aba49 updating toolkit artifact dependency to 2.1.6
  • b06cde3 Merge pull request #563 from actions/eggyhead/release-4.3.2
  • 1746f4a Revert "updating to release 4.3.2"
  • 31685d0 updating to release 4.3.2
  • 18bf333 Merge pull request #562 from actions/eggyhead/update-artifact-v215
  • dac413b update package lock version
  • bb3b4a3 updating package version
  • 3e3da83 updating artifact and core dependencies
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.pre.node20 to 4.3.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@97a0fba...6546280)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from jmeridth as a code owner May 6, 2024 00:23
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 6, 2024
@dependabot dependabot bot requested a review from zkoppert as a code owner May 6, 2024 00:23
@dependabot dependabot bot added the github_actions Pull requests that update GitHub Actions code label May 6, 2024
jmeridth added a commit that referenced this pull request May 8, 2024
Closes #133, Closes #134, Closes #135, Close #137

To minimize the number of pull requests we get from dependabot, using
groups will help with this.  Still want major semver changes to be
single PRs so that they stand out and we pay particular attention to them.

- [x] handle our multiple github action updates while in here.

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth closed this in #138 May 8, 2024

dependabot bot commented on behalf of github May 8, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/github_actions/actions/upload-artifact-4.3.3 branch May 8, 2024 00:24
zkoppert added a commit that referenced this pull request Feb 27, 2026
Replace plain requirements.txt with hash-pinned dependencies
generated by pip-compile --generate-hashes, and add
--require-hashes to the pip install command in the Dockerfile.

This resolves code scanning alert #133 (pip install without
hash verification) by ensuring all packages are verified
against known hashes during installation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
zkoppert added a commit that referenced this pull request Feb 27, 2026
Add requirements-docker.txt with hash-pinned dependencies
(generated via pip-compile --generate-hashes) and use
--require-hashes in the Dockerfile pip install command.

The original requirements.txt is kept for development/CI use,
while requirements-docker.txt includes all transitive
dependencies with SHA256 hashes for supply chain security.

Resolves code scanning alert #133.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
zkoppert added a commit that referenced this pull request Feb 28, 2026
Expand requirements.txt to include all transitive dependencies
(via pip-compile) and use --no-deps in the Dockerfile to prevent
pip from fetching any packages not explicitly listed.

This resolves code scanning alert #133 by ensuring only
explicitly pinned packages are installed, mitigating supply
chain risks from unexpected transitive dependency resolution.

The fully-resolved requirements.txt remains dependabot-friendly
since each pin can be updated independently.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
