[PR #110] [MERGED] chore(deps): bump zizmor from 1.24.1 to 1.25.2 #1553

Closed
opened 2026-06-16 01:49:48 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/vavkamil/awesome-bugbounty-tools/pull/110
Author: @dependabot[bot]
Created: 6/1/2026
Status: Merged
Merged: 6/3/2026
Merged by: @vavkamil

Base: mainHead: dependabot/pip/zizmor-1.25.2


📝 Commits (1)

  • 7382877 chore(deps): bump zizmor from 1.24.1 to 1.25.2

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 requirements.txt (+1 -1)

📄 Description

Bumps zizmor from 1.24.1 to 1.25.2.

Release notes

Sourced from zizmor's releases.

v1.25.2

Bug Fixes 🐛🔗

v1.25.1

Bug Fixes 🐛🔗

v1.25.0

New Features 🌈🔗

  • zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

    Many thanks to @​Proximyst for proposing and implementing this improvement!

  • New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

  • New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

  • zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

  • zizmor's LSP now honors the --persona flag on the CLI (#1943)

  • zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements🔗

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.25.2

Bug Fixes 🐛

  • Fixed a bug where the [unpinned-tools] audit would incorrectly flag the @​aquasecurity/trivy-action action as installing an unpinned tool version, rather than @​aquasecurity/setup-trivy (#2018)

1.25.1

Bug Fixes 🐛

  • Fixed a bug where the [cache-poisoning] audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

  • Fixed a typo when suggesting --fix flags for findings (#2010)

    Many thanks to @​0xdea for implementing this fix!

  • Fixed a typo in [unpinned-tools] annotations (#2008)

    Many thanks to @​martincostello for implementing this fix!

  • Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of @​actions/create-github-app-token as unsafe (#2011)

1.25.0

New Features 🌈

  • zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

    Many thanks to @​Proximyst for proposing and implementing this improvement!

  • New audit: [github-app] detects dangerous usages of GitHub App installation tokens (#1926)

  • New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

  • zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

  • zizmor's LSP now honors the --persona flag on the CLI (#1943)

  • zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/vavkamil/awesome-bugbounty-tools/pull/110 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 6/1/2026 **Status:** ✅ Merged **Merged:** 6/3/2026 **Merged by:** [@vavkamil](https://github.com/vavkamil) **Base:** `main` ← **Head:** `dependabot/pip/zizmor-1.25.2` --- ### 📝 Commits (1) - [`7382877`](https://github.com/vavkamil/awesome-bugbounty-tools/commit/73828777960fbdb865c68451f0e0015a68c2108d) chore(deps): bump zizmor from 1.24.1 to 1.25.2 ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `requirements.txt` (+1 -1) </details> ### 📄 Description Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.24.1 to 1.25.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/releases">zizmor's releases</a>.</em></p> <blockquote> <h2>v1.25.2</h2> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2> <ul> <li>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#unpinned-tools">unpinned-tools</a> audit would incorrectly flag the <a href="https://github.com/aquasecurity/trivy-action">aquasecurity/trivy-action</a> action as installing an unpinned tool version, rather than <a href="https://github.com/aquasecurity/setup-trivy">aquasecurity/setup-trivy</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018">#2018</a>)</li> </ul> <h2>v1.25.1</h2> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2> <ul> <li> <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#cache-poisoning">cache-poisoning</a> audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2004">#2004</a>)</p> </li> <li> <p>Fixed a typo when suggesting --fix flags for findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010">#2010</a>)</p> <p>Many thanks to <a href="https://github.com/0xdea"><code>@​0xdea</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a typo in <a href="https://docs.zizmor.sh/audits/#unpinned-tools">unpinned-tools</a> annotations (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008">#2008</a>)</p> <p>Many thanks to <a href="https://github.com/martincostello"><code>@​martincostello</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#github-app">github-app</a> audit would incorrectly flag some safe uses of <a href="https://github.com/actions/create-github-app-token">actions/create-github-app-token</a> as unsafe (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011">#2011</a>)</p> </li> </ul> <h2>v1.25.0</h2> <h2>New Features 🌈<a href="https://docs.zizmor.sh/release-notes/#new-features">🔗</a></h2> <ul> <li> <p>zizmor's finding severities can now be remapped on a per-audit basis. See <a href="https://docs.zizmor.sh/configuration/#rules-id-remap">the configuration</a> for details (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1913">#1913</a>)</p> <p>Many thanks to <a href="https://github.com/Proximyst"><code>@​Proximyst</code></a> for proposing and implementing this improvement!</p> </li> <li> <p>New audit: <a href="https://docs.zizmor.sh/audits/#github-app">github-app</a> detects dangerous usages of GitHub App installation tokens (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1926">#1926</a>)</p> </li> <li> <p>New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1820">#1820</a>)</p> </li> <li> <p>zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1935">#1935</a>)</p> </li> <li> <p>zizmor's LSP now honors the --persona flag on the CLI (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1943">#1943</a>)</p> </li> <li> <p>zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for &quot;composite&quot; actions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1965">#1965</a>)</p> </li> </ul> <h2>Enhancements<a href="https://docs.zizmor.sh/release-notes/#enhancements">🔗</a></h2> <ul> <li> <p>Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for <a href="https://github.com/actions-ecosystem/action-add-labels">actions-ecosystem/action-add-labels</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a></p> </li> <li> <p>Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for <a href="https://github.com/actions-ecosystem/action-remove-labels">actions-ecosystem/action-remove-labels</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a></p> </li> <li> <p>Recommend jq as a replacement for <a href="https://github.com/sergeysova/jq-action">sergeysova/jq-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a></p> </li> <li> <p>Recommend git add, git commit, and git push as a replacement for <a href="https://github.com/stefanzweifel/git-auto-commit-action">stefanzweifel/git-auto-commit-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a></p> </li> <li> <p>Recommend git add, git commit, and git push as a replacement for <a href="https://github.com/EndBug/add-and-commit">EndBug/add-and-commit</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a></p> </li> <li> <p><a href="https://github.com/tibdex/github-app-token">tibdex/github-app-token</a> is now recognized as an archived action by <a href="https://docs.zizmor.sh/audits/#archived-uses">archived-uses</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1910">#1910</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md">zizmor's changelog</a>.</em></p> <blockquote> <h2>1.25.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>Fixed a bug where the [unpinned-tools] audit would incorrectly flag the <code>@​aquasecurity/trivy-action</code> action as installing an unpinned tool version, rather than <code>@​aquasecurity/setup-trivy</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018">#2018</a>)</li> </ul> <h2>1.25.1</h2> <h3>Bug Fixes 🐛</h3> <ul> <li> <p>Fixed a bug where the [cache-poisoning] audit would fail to consider <code>release</code> events as exempt from cache usage findings when filtered by a tag condition (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2004">#2004</a>)</p> </li> <li> <p>Fixed a typo when suggesting <code>--fix</code> flags for findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010">#2010</a>)</p> <p>Many thanks to <a href="https://github.com/0xdea"><code>@​0xdea</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a typo in [unpinned-tools] annotations (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008">#2008</a>)</p> <p>Many thanks to <a href="https://github.com/martincostello"><code>@​martincostello</code></a> for implementing this fix!</p> </li> <li> <p>Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of <code>@​actions/create-github-app-token</code> as unsafe (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011">#2011</a>)</p> </li> </ul> <h2>1.25.0</h2> <h3>New Features 🌈</h3> <ul> <li> <p>zizmor's finding severities can now be remapped on a per-audit basis. See <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/configuration.md#rules-id-remap">the configuration</a> for details (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1913">#1913</a>)</p> <p>Many thanks to <a href="https://github.com/Proximyst"><code>@​Proximyst</code></a> for proposing and implementing this improvement!</p> </li> <li> <p><strong>New audit</strong>: [github-app] detects dangerous usages of GitHub App installation tokens (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1926">#1926</a>)</p> </li> <li> <p><strong>New audit</strong>: [unpinned-tools] detects actions that install tools without pinning to a specific version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1820">#1820</a>)</p> </li> <li> <p><code>zizmor</code> now accepts the <code>--no-ignores</code> flag to disable all ignore comments and configurations when reporting findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1935">#1935</a>)</p> </li> <li> <p><code>zizmor</code>'s LSP now honors the <code>--persona</code> flag on the CLI (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1943">#1943</a>)</p> </li> <li> <p><code>zizmor</code> is now aware of Docker-based action definitions, in addition to the pre-existing support for &quot;composite&quot; actions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1965">#1965</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zizmorcore/zizmor/commit/b50d8f60e27e0084aa3a5f5dff46054a8253ac2a"><code>b50d8f6</code></a> zizmor 1.25.2 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2022">#2022</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/e8c96481b76ee03dc3e72cc744ad77cfc62cc238"><code>e8c9648</code></a> Bump rustls-webpki to 0.103.13 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2021">#2021</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/9e19bdedaa4af986b47d7f3ffdadcdd7b226c8a6"><code>9e19bde</code></a> Bump aws-lc crates (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2020">#2020</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/49cb189191c75a18d73a92ae47985424cc0acd3e"><code>49cb189</code></a> Bump rand to 0.9.4 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2019">#2019</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/bfdb64993cecb911e385622b989a44431fc2d13f"><code>bfdb649</code></a> unpinned-tools: fix trivy action being detected (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2018">#2018</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/9300d3b5a7f06a3d77f092d01434dab99399f3e5"><code>9300d3b</code></a> ww/release (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2016">#2016</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/331917af1e4f7c6aed23ddd41477c2042d8a857d"><code>331917a</code></a> chore: drop <code>serde_yaml</code> rename (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2015">#2015</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/506f0856dec8a5c863a4dce695a83491187c543d"><code>506f085</code></a> github-app: test <code>repositories</code>, not <code>repository</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2011">#2011</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/53dea374e8a01f8df00f9d1acd7dbdfb1838acd8"><code>53dea37</code></a> unpinned-tools, docs: fix typos (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2008">#2008</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/8068e115f99b6b84611a8865a8cad0858bd5e07c"><code>8068e11</code></a> fix: replace <code>--fix=unsafe</code> with <code>--fix=unsafe-only</code> in suggestion (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2010">#2010</a>)</li> <li>Additional commits viewable in <a href="https://github.com/zizmorcore/zizmor/compare/v1.24.1...v1.25.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmor&package-manager=pip&previous-version=1.24.1&new-version=1.25.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-16 01:49:48 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-bugbounty-tools#1553