Skip to content

chore(studio-deps-dev)(deps-dev): bump webpack from 5.105.4 to 5.106.1 in /studio in the build-tools group#3823

Merged
mergify[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/studio/main/build-tools-f27b643545
Apr 13, 2026
Merged

chore(studio-deps-dev)(deps-dev): bump webpack from 5.105.4 to 5.106.1 in /studio in the build-tools group#3823
mergify[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/studio/main/build-tools-f27b643545

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 12, 2026

Bumps the build-tools group in /studio with 1 update: webpack.

Updates webpack from 5.105.4 to 5.106.1

Release notes

Sourced from webpack's releases.

v5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

  • Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

  • Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

    • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
    • Support custom context path for resolving relative imports in virtual modules
    • Add examples demonstrating context usage and filename customization

  • Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

  • Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

  • Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

  • Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

  • Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

  • Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

  • Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

  • Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

  • Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

  • Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

  • Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

  • Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

  • Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

  • Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @​xiaoxiaojx in #20648)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

5.106.0

Minor Changes

  • Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

  • Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

    • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
    • Support custom context path for resolving relative imports in virtual modules
    • Add examples demonstrating context usage and filename customization

  • Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

  • Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

  • Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

  • Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

  • Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

  • Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

  • Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

  • Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

  • Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

  • Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

  • Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

  • Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

  • Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

... (truncated)

Commits
  • a934b9b chore(release): new release (#20808)
  • ecb436b fix: use compiler context for CSS modules hash to avoid collisions (#20799)
  • c0e8cf4 fix: prevent !important from being renamed in CSS modules (#20798)
  • f8d274b fix: anonymous default export name fix-up in ES5 environment (#20796)
  • e370b76 chore(deps-dev): bump the dependencies group with 5 updates (#20790)
  • 8774a01 chore(release): new release (#20593)
  • cc66616 fix: add @deprecated to methods
  • 7cdc173 feat: support source phase import for WebAssembly modules (#20364)
  • 0b60f1c chore(members): update to match @​webpack/core-wg (#20784)
  • 955a68c test: generate snapshots per stats test case (#20785)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(studio-deps-dev)(deps-dev): bump webpack
35a1b7e 
Bumps the build-tools group in /studio with 1 update: [webpack](https://github.com/webpack/webpack).


Updates `webpack` from 5.105.4 to 5.106.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.105.4...v5.106.1)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.106.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: build-tools
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 12, 2026

Labels

The following labels could not be found: frontend, studio. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file security labels Apr 12, 2026
@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented Apr 12, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity

Metric Results
Complexity 0

View in Codacy

TIP This summary will be updated as you push new changes. Give us feedback

@mergify mergify Bot merged commit 1c8f7f5 into main Apr 13, 2026
17 of 23 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/studio/main/build-tools-f27b643545 branch April 13, 2026 08:51
mergify Bot added a commit that referenced this pull request Apr 20, 2026
@mergify
chore(deps): bump the github-actions group with 3 updates [skip ci]
a5768ba 
Bumps the github-actions group with 3 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action), [github/codeql-action](https://github.com/github/codeql-action) and [actions/cache](https://github.com/actions/cache).
Updates `anthropics/claude-code-action` from 1.0.93 to 1.0.101
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.101
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.101>
>
> v1.0.100
> --------
>
> What's Changed
> --------------
>
> * Upgrade Claude model from opus-4-6 to opus-4-7 by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1227](https://redirect.github.com/anthropics/claude-code-action/pull/1227)
> * fix: pass install.sh binary path to Agent SDK after 0.2.113 bump by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1235](https://redirect.github.com/anthropics/claude-code-action/pull/1235)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.100>
>
> v1.0.99
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.99>
>
> v1.0.98
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.98>
>
> v1.0.97
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.97>
>
> v1.0.96
> -------
>
> What's Changed
> --------------
>
> * fix: handle fork PRs by fetching via refs/pull/N/head by [`@​stakeswky`](https://github.com/stakeswky) in [anthropics/claude-code-action#963](https://redirect.github.com/anthropics/claude-code-action/pull/963)
>
> New Contributors
> ----------------
>
> * [`@​stakeswky`](https://github.com/stakeswky) made their first contribution in [anthropics/claude-code-action#963](https://redirect.github.com/anthropics/claude-code-action/pull/963)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.96>
>
> v1.0.95
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.95>
>
> v1.0.94
> -------
>
> What's Changed
> --------------
>
> * Prepend system bin dirs to PATH when allowed\_non\_write\_users is set by [`@​OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1208](https://redirect.github.com/anthropics/claude-code-action/pull/1208)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.94>


Commits

* [`38ec876`](anthropics/claude-code-action@38ec876) chore: bump Claude Code to 2.1.114 and Agent SDK to 0.2.114
* [`0d2971c`](anthropics/claude-code-action@0d2971c) fix: pass install.sh binary path explicitly to Agent SDK ([#1235](https://redirect.github.com/anthropics/claude-code-action/issues/1235))
* [`c68f82c`](anthropics/claude-code-action@c68f82c) chore: bump Claude Code to 2.1.113 and Agent SDK to 0.2.113
* [`78758ed`](anthropics/claude-code-action@78758ed) chore: bump model version in workflows ([#1227](https://redirect.github.com/anthropics/claude-code-action/issues/1227))
* [`c3d45e8`](anthropics/claude-code-action@c3d45e8) chore: bump Claude Code to 2.1.112 and Agent SDK to 0.2.112
* [`931e620`](anthropics/claude-code-action@931e620) chore: bump Claude Code to 2.1.111 and Agent SDK to 0.2.111
* [`905d4eb`](anthropics/claude-code-action@905d4eb) chore: bump Claude Code to 2.1.110 and Agent SDK to 0.2.110
* [`5fb8995`](anthropics/claude-code-action@5fb8995) chore: bump Claude Code to 2.1.109 and Agent SDK to 0.2.109
* [`c3bf66d`](anthropics/claude-code-action@c3bf66d) fix: handle fork PRs by fetching via refs/pull/N/head ([#962](https://redirect.github.com/anthropics/claude-code-action/issues/962)) ([#963](https://redirect.github.com/anthropics/claude-code-action/issues/963))
* [`3943183`](anthropics/claude-code-action@3943183) chore: bump Claude Code to 2.1.108 and Agent SDK to 0.2.108
* Additional commits viewable in [compare view](anthropics/claude-code-action@b47fd72...38ec876)
  
Updates `github/codeql-action` from 4.35.1 to 4.35.2
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.35.2
> -------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> No user facing changes.
>
> 4.35.2 - 15 Apr 2026
> --------------------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)
>
> 4.35.1 - 27 Mar 2026
> --------------------
>
> * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781)
>
> 4.35.0 - 27 Mar 2026
> --------------------
>
> * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767)
> * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773)
>
> 4.34.1 - 20 Mar 2026
> --------------------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> 4.34.0 - 20 Mar 2026
> --------------------
>
> * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569)
> * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584)
> * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585)
>
> 4.33.0 - 16 Mar 2026
> --------------------
>
> * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562)
>
>   To opt out of this change:
>
>   + **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
> * Fixed [a bug](https://redirect.github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://redirect.github.com/github/codeql-action/pull/3557)
> * The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://redirect.github.com/github/codeql-action/pull/3559)
> * Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://redirect.github.com/github/codeql-action/pull/3563)
> * Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://redirect.github.com/github/codeql-action/pull/3564)
> * A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://redirect.github.com/github/codeql-action/pull/3570)
>
> 4.32.6 - 05 Mar 2026
> --------------------

... (truncated)


Commits

* [`95e58e9`](github/codeql-action@95e58e9) Merge pull request [#3824](https://redirect.github.com/github/codeql-action/issues/3824) from github/update-v4.35.2-d2e135a73
* [`6f31bfe`](github/codeql-action@6f31bfe) Update changelog for v4.35.2
* [`d2e135a`](github/codeql-action@d2e135a) Merge pull request [#3823](https://redirect.github.com/github/codeql-action/issues/3823) from github/update-bundle/codeql-bundle-v2.25.2
* [`60abb65`](github/codeql-action@60abb65) Add changelog note
* [`5a0a562`](github/codeql-action@5a0a562) Update default bundle to codeql-bundle-v2.25.2
* [`6521697`](github/codeql-action@6521697) Merge pull request [#3820](https://redirect.github.com/github/codeql-action/issues/3820) from github/dependabot/github\_actions/dot-github/wor...
* [`3c45af2`](github/codeql-action@3c45af2) Merge pull request [#3821](https://redirect.github.com/github/codeql-action/issues/3821) from github/dependabot/npm\_and\_yarn/npm-minor-345b93...
* [`f1c3393`](github/codeql-action@f1c3393) Rebuild
* [`1024fc4`](github/codeql-action@1024fc4) Rebuild
* [`9dd4cfe`](github/codeql-action@9dd4cfe) Bump the npm-minor group across 1 directory with 6 updates
* Additional commits viewable in [compare view](github/codeql-action@c10b806...95e58e9)
  
Updates `actions/cache` from 5.0.4 to 5.0.5
Release notes

*Sourced from [actions/cache's releases](https://github.com/actions/cache/releases).*

> v5.0.5
> ------
>
> What's Changed
> --------------
>
> * Update ts-http-runtime dependency by [`@​yacaovsnc`](https://github.com/yacaovsnc) in [actions/cache#1747](https://redirect.github.com/actions/cache/pull/1747)
>
> **Full Changelog**: <actions/cache@v5...v5.0.5>


Changelog

*Sourced from [actions/cache's changelog](https://github.com/actions/cache/blob/main/RELEASES.md).*

> Releases
> ========
>
> How to prepare a release
> ------------------------
>
> > [!NOTE]  
> > Relevant for maintainers with write access only.
>
> 1. Switch to a new branch from `main`.
> 2. Run `npm test` to ensure all tests are passing.
> 3. Update the version in [`https://github.com/actions/cache/blob/main/package.json`](https://github.com/actions/cache/blob/main/package.json).
> 4. Run `npm run build` to update the compiled files.
> 5. Update this [`https://github.com/actions/cache/blob/main/RELEASES.md`](https://github.com/actions/cache/blob/main/RELEASES.md) with the new version and changes in the `## Changelog` section.
> 6. Run `licensed cache` to update the license report.
> 7. Run `licensed status` and resolve any warnings by updating the [`https://github.com/actions/cache/blob/main/.licensed.yml`](https://github.com/actions/cache/blob/main/.licensed.yml) file with the exceptions.
> 8. Commit your changes and push your branch upstream.
> 9. Open a pull request against `main` and get it reviewed and merged.
> 10. Draft a new release <https://github.com/actions/cache/releases> use the same version number used in `package.json`
>     1. Create a new tag with the version number.
>     2. Auto generate release notes and update them to match the changes you made in `RELEASES.md`.
>     3. Toggle the set as the latest release option.
>     4. Publish the release.
> 11. Navigate to <https://github.com/actions/cache/actions/workflows/release-new-action-version.yml>
>     1. There should be a workflow run queued with the same version number.
>     2. Approve the run to publish the new version and update the major tags for this action.
>
> Changelog
> ---------
>
> ### 5.0.4
>
> * Bump `minimatch` to v3.1.5 (fixes ReDoS via globstar patterns)
> * Bump `undici` to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
> * Bump `fast-xml-parser` to v5.5.6
>
> ### 5.0.3
>
> * Bump `@actions/cache` to v5.0.5 (Resolves: <https://github.com/actions/cache/security/dependabot/33>)
> * Bump `@actions/core` to v2.0.3
>
> ### 5.0.2
>
> * Bump `@actions/cache` to v5.0.3 [#1692](https://redirect.github.com/actions/cache/pull/1692)
>
> ### 5.0.1
>
> * Update `@azure/storage-blob` to `^12.29.1` via `@actions/cache@5.0.1` [#1685](https://redirect.github.com/actions/cache/pull/1685)
>
> ### 5.0.0
>
> > [!IMPORTANT]
> > `actions/cache@v5` runs on the Node.js 24 runtime and requires a minimum Actions Runner version of `2.327.1`.

... (truncated)


Commits

* [`27d5ce7`](actions/cache@27d5ce7) Merge pull request [#1747](https://redirect.github.com/actions/cache/issues/1747) from actions/yacaovsnc/update-dependency
* [`f280785`](actions/cache@f280785) licensed changes
* [`619aeb1`](actions/cache@619aeb1) npm run build generated dist files
* [`bcf16c2`](actions/cache@bcf16c2) Update ts-http-runtime to 0.3.5
* See full diff in [compare view](actions/cache@6682284...27d5ce7)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
mergify Bot added a commit that referenced this pull request May 3, 2026
@mergify
chore(deps): bump the github-actions group with 2 updates [skip ci]
89dc4a6 
Bumps the github-actions group with 2 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `anthropics/claude-code-action` from 1.0.107 to 1.0.111
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.111
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.111>
>
> v1.0.110
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.110>
>
> v1.0.109
> --------
>
> What's Changed
> --------------
>
> * docs: pull\_request\_target guidance and base-action trust model by [`@​OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1250](https://redirect.github.com/anthropics/claude-code-action/pull/1250)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.109>
>
> v1.0.108
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.108>


Commits

* [`fefa07e`](anthropics/claude-code-action@fefa07e) chore: bump Claude Code to 2.1.126 and Agent SDK to 0.2.126
* [`ef50f12`](anthropics/claude-code-action@ef50f12) chore: bump Claude Code to 2.1.123 and Agent SDK to 0.2.123
* [`b3c0320`](anthropics/claude-code-action@b3c0320) chore: bump Claude Code to 2.1.122 and Agent SDK to 0.2.122
* [`c93e8fe`](anthropics/claude-code-action@c93e8fe) docs: pull\_request\_target guidance and base-action trust model ([#1250](https://redirect.github.com/anthropics/claude-code-action/issues/1250))
* [`11a9dad`](anthropics/claude-code-action@11a9dad) chore: bump Claude Code to 2.1.121 and Agent SDK to 0.2.121
* See full diff in [compare view](anthropics/claude-code-action@567fe95...fefa07e)
  
Updates `github/codeql-action` from 4.35.2 to 4.35.3
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.35.3
> -------
>
> * *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://redirect.github.com/github/codeql-action/pull/3837)
> * Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://redirect.github.com/github/codeql-action/pull/3850)
> * Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://redirect.github.com/github/codeql-action/pull/3853)
> * Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://redirect.github.com/github/codeql-action/pull/3852)
> * Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://redirect.github.com/github/codeql-action/pull/3865)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> No user facing changes.
>
> 4.35.3 - 01 May 2026
> --------------------
>
> * *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://redirect.github.com/github/codeql-action/pull/3837)
> * Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://redirect.github.com/github/codeql-action/pull/3850)
> * Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://redirect.github.com/github/codeql-action/pull/3853)
> * Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://redirect.github.com/github/codeql-action/pull/3852)
> * Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://redirect.github.com/github/codeql-action/pull/3865)
>
> 4.35.2 - 15 Apr 2026
> --------------------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)
>
> 4.35.1 - 27 Mar 2026
> --------------------
>
> * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781)
>
> 4.35.0 - 27 Mar 2026
> --------------------
>
> * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767)
> * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773)
>
> 4.34.1 - 20 Mar 2026
> --------------------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> 4.34.0 - 20 Mar 2026
> --------------------
>
> * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569)
> * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584)
> * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585)
>
> 4.33.0 - 16 Mar 2026
> --------------------
>
> * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562)
>
>   To opt out of this change:
>
>   + **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.

... (truncated)


Commits

* [`e46ed2c`](github/codeql-action@e46ed2c) Merge pull request [#3867](https://redirect.github.com/github/codeql-action/issues/3867) from github/update-v4.35.3-8c6e48dbe
* [`b73d1d1`](github/codeql-action@b73d1d1) Add changelog entry for [#3853](https://redirect.github.com/github/codeql-action/issues/3853)
* [`24e0bb0`](github/codeql-action@24e0bb0) Reorder changelog entries
* [`ec298da`](github/codeql-action@ec298da) Update changelog for v4.35.3
* [`8c6e48d`](github/codeql-action@8c6e48d) Merge pull request [#3865](https://redirect.github.com/github/codeql-action/issues/3865) from github/update-bundle/codeql-bundle-v2.25.3
* [`7190983`](github/codeql-action@7190983) Add changelog note
* [`2bb2095`](github/codeql-action@2bb2095) Update default bundle to codeql-bundle-v2.25.3
* [`7851e55`](github/codeql-action@7851e55) Merge pull request [#3850](https://redirect.github.com/github/codeql-action/issues/3850) from github/mbg/private-registry/cloudsmith-gcp
* [`262a15f`](github/codeql-action@262a15f) Add generic non-printable chars test for OIDC configs
* [`a6109b1`](github/codeql-action@a6109b1) Merge pull request [#3853](https://redirect.github.com/github/codeql-action/issues/3853) from github/mbg/start-proxy/improved-checks
* Additional commits viewable in [compare view](github/codeql-action@95e58e9...e46ed2c)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
mergify Bot added a commit that referenced this pull request May 10, 2026
@mergify
chore(deps): bump the github-actions group with 2 updates [skip ci]
51ef5c3 
Bumps the github-actions group with 2 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `anthropics/claude-code-action` from 1.0.111 to 1.0.119
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.119
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.119>
>
> v1.0.118
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.118>
>
> v1.0.117
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.117>
>
> v1.0.116
> --------
>
> What's Changed
> --------------
>
> * Update HackerOne links in SECURITY.md by [`@​OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1268](https://redirect.github.com/anthropics/claude-code-action/pull/1268)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.116>
>
> v1.0.115
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.115>
>
> v1.0.114
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.114>
>
> v1.0.113
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.113>
>
> v1.0.112
> --------
>
> What's Changed
> --------------
>
> * fix: make trigger\_phrase match case-insensitive by [`@​JustinBis`](https://github.com/JustinBis) in [anthropics/claude-code-action#1279](https://redirect.github.com/anthropics/claude-code-action/pull/1279)
>
> New Contributors
> ----------------
>
> * [`@​JustinBis`](https://github.com/JustinBis) made their first contribution in [anthropics/claude-code-action#1279](https://redirect.github.com/anthropics/claude-code-action/pull/1279)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.112>


Commits

* [`476e359`](anthropics/claude-code-action@476e359) chore: bump Claude Code to 2.1.138 and Agent SDK to 0.2.138
* [`ad67978`](anthropics/claude-code-action@ad67978) chore: bump Claude Code to 2.1.137 and Agent SDK to 0.2.137
* [`034cbdb`](anthropics/claude-code-action@034cbdb) chore: bump Claude Code to 2.1.136 and Agent SDK to 0.2.136
* [`939ae9c`](anthropics/claude-code-action@939ae9c) chore: bump Claude Code to 2.1.133 and Agent SDK to 0.2.133
* [`e9c374d`](anthropics/claude-code-action@e9c374d) Update HackerOne links in SECURITY.md ([#1268](https://redirect.github.com/anthropics/claude-code-action/issues/1268))
* [`9db782c`](anthropics/claude-code-action@9db782c) chore: bump Claude Code to 2.1.132 and Agent SDK to 0.2.132
* [`62238dd`](anthropics/claude-code-action@62238dd) chore: bump Claude Code to 2.1.131 and Agent SDK to 0.2.131
* [`7d7d305`](anthropics/claude-code-action@7d7d305) chore: bump Claude Code to 2.1.129 and Agent SDK to 0.2.129
* [`2cc1ac1`](anthropics/claude-code-action@2cc1ac1) chore: bump Claude Code to 2.1.128 and Agent SDK to 0.2.128
* [`38f25dd`](anthropics/claude-code-action@38f25dd) fix: make trigger\_phrase match case-insensitive ([#1279](https://redirect.github.com/anthropics/claude-code-action/issues/1279))
* See full diff in [compare view](anthropics/claude-code-action@fefa07e...476e359)
  
Updates `github/codeql-action` from 4.35.3 to 4.35.4
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.35.4
> -------
>
> * Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://redirect.github.com/github/codeql-action/pull/3881)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> No user facing changes.
>
> 4.35.4 - 07 May 2026
> --------------------
>
> * Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://redirect.github.com/github/codeql-action/pull/3881)
>
> 4.35.3 - 01 May 2026
> --------------------
>
> * *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://redirect.github.com/github/codeql-action/pull/3837)
> * Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://redirect.github.com/github/codeql-action/pull/3850)
> * Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://redirect.github.com/github/codeql-action/pull/3853)
> * Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://redirect.github.com/github/codeql-action/pull/3852)
> * Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://redirect.github.com/github/codeql-action/pull/3865)
>
> 4.35.2 - 15 Apr 2026
> --------------------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)
>
> 4.35.1 - 27 Mar 2026
> --------------------
>
> * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781)
>
> 4.35.0 - 27 Mar 2026
> --------------------
>
> * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767)
> * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773)
>
> 4.34.1 - 20 Mar 2026
> --------------------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> 4.34.0 - 20 Mar 2026
> --------------------
>
> * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569)
> * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584)
> * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585)
>
> 4.33.0 - 16 Mar 2026
> --------------------
>
> * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562)

... (truncated)


Commits

* [`68bde55`](github/codeql-action@68bde55) Merge pull request [#3885](https://redirect.github.com/github/codeql-action/issues/3885) from github/update-v4.35.4-803d9e8c3
* [`9739ad2`](github/codeql-action@9739ad2) Update changelog for v4.35.4
* [`803d9e8`](github/codeql-action@803d9e8) Merge pull request [#3883](https://redirect.github.com/github/codeql-action/issues/3883) from github/mbg/test/macro-wrapper
* [`0fd9c7d`](github/codeql-action@0fd9c7d) Merge pull request [#3882](https://redirect.github.com/github/codeql-action/issues/3882) from github/dependabot/github\_actions/dot-github/wor...
* [`922d6fb`](github/codeql-action@922d6fb) Use `makeMacro` instead of `test.macro`
* [`df77e87`](github/codeql-action@df77e87) Update test macro snippet
* [`6e3f985`](github/codeql-action@6e3f985) Add wrapper for `test.macro`
* [`e7a347d`](github/codeql-action@e7a347d) Merge pull request [#3881](https://redirect.github.com/github/codeql-action/issues/3881) from github/update-bundle/codeql-bundle-v2.25.4
* [`17eabb2`](github/codeql-action@17eabb2) Rebuild
* [`aaef09c`](github/codeql-action@aaef09c) Bump ruby/setup-ruby
* Additional commits viewable in [compare view](github/codeql-action@e46ed2c...68bde55)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
mergify Bot added a commit that referenced this pull request May 17, 2026
@mergify
chore(deps): bump the github-actions group with 2 updates [skip ci]
3513f7e 
Bumps the github-actions group with 2 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `anthropics/claude-code-action` from 1.0.119 to 1.0.123
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.123
> --------
>
> What's Changed
> --------------
>
> * fix: allow , in branch names by [`@​bugbubug`](https://github.com/bugbubug) in [anthropics/claude-code-action#1310](https://redirect.github.com/anthropics/claude-code-action/pull/1310)
> * fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/ by [`@​matanbaruch`](https://github.com/matanbaruch) in [anthropics/claude-code-action#1186](https://redirect.github.com/anthropics/claude-code-action/pull/1186)
> * fix: exclude .claude-pr snapshot from git staging by [`@​cvan20191`](https://github.com/cvan20191) in [anthropics/claude-code-action#1277](https://redirect.github.com/anthropics/claude-code-action/pull/1277)
> * fix: write execution file when SDK throws by [`@​Jerry2003826`](https://github.com/Jerry2003826) in [anthropics/claude-code-action#1255](https://redirect.github.com/anthropics/claude-code-action/pull/1255)
> * fix: handle non-user actors (e.g. Copilot) in permission and actor checks by [`@​krislavten`](https://github.com/krislavten) in [anthropics/claude-code-action#1144](https://redirect.github.com/anthropics/claude-code-action/pull/1144)
> * chore: bump pinned Bun to 1.3.14 by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1312](https://redirect.github.com/anthropics/claude-code-action/pull/1312)
>
> New Contributors
> ----------------
>
> * [`@​bugbubug`](https://github.com/bugbubug) made their first contribution in [anthropics/claude-code-action#1310](https://redirect.github.com/anthropics/claude-code-action/pull/1310)
> * [`@​matanbaruch`](https://github.com/matanbaruch) made their first contribution in [anthropics/claude-code-action#1186](https://redirect.github.com/anthropics/claude-code-action/pull/1186)
> * [`@​cvan20191`](https://github.com/cvan20191) made their first contribution in [anthropics/claude-code-action#1277](https://redirect.github.com/anthropics/claude-code-action/pull/1277)
> * [`@​Jerry2003826`](https://github.com/Jerry2003826) made their first contribution in [anthropics/claude-code-action#1255](https://redirect.github.com/anthropics/claude-code-action/pull/1255)
> * [`@​krislavten`](https://github.com/krislavten) made their first contribution in [anthropics/claude-code-action#1144](https://redirect.github.com/anthropics/claude-code-action/pull/1144)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.123>
>
> v1.0.122
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.122>
>
> v1.0.121
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.121>
>
> v1.0.120
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.120>


Commits

* [`51ea8ea`](anthropics/claude-code-action@51ea8ea) chore: bump Claude Code to 2.1.142 and Agent SDK to 0.3.142
* [`acfa366`](anthropics/claude-code-action@acfa366) chore: bump pinned Bun to 1.3.14 ([#1312](https://redirect.github.com/anthropics/claude-code-action/issues/1312))
* [`9eb125a`](anthropics/claude-code-action@9eb125a) fix: handle non-user actors (e.g. Copilot) in permission and actor checks ([#1](https://redirect.github.com/anthropics/claude-code-action/issues/1)...
* [`1450f65`](anthropics/claude-code-action@1450f65) fix: write execution file when SDK throws ([#1255](https://redirect.github.com/anthropics/claude-code-action/issues/1255))
* [`0756f6e`](anthropics/claude-code-action@0756f6e) fix: exclude .claude-pr snapshot from git staging ([#1277](https://redirect.github.com/anthropics/claude-code-action/issues/1277))
* [`f4d6a11`](anthropics/claude-code-action@f4d6a11) fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/ (#...
* [`bf6d40e`](anthropics/claude-code-action@bf6d40e) fix: allow , in branch names ([#1310](https://redirect.github.com/anthropics/claude-code-action/issues/1310))
* [`86eb26b`](anthropics/claude-code-action@86eb26b) chore: bump Claude Code to 2.1.141 and Agent SDK to 0.2.141
* [`f4fb5c6`](anthropics/claude-code-action@f4fb5c6) chore: bump Claude Code to 2.1.140 and Agent SDK to 0.2.140
* [`dde2242`](anthropics/claude-code-action@dde2242) chore: bump Claude Code to 2.1.139 and Agent SDK to 0.2.139
* See full diff in [compare view](anthropics/claude-code-action@476e359...51ea8ea)
  
Updates `github/codeql-action` from 4.35.4 to 4.35.5
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.35.5
> -------
>
> * We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://redirect.github.com/github/codeql-action/pull/3899)
> * For performance and accuracy reasons, [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://redirect.github.com/github/codeql-action/pull/3791)
> * If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://redirect.github.com/github/codeql-action/pull/3892)
> * Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://redirect.github.com/github/codeql-action/pull/3880)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> * Add support for SHA-256 Git object IDs. [#3893](https://redirect.github.com/github/codeql-action/pull/3893)
>
> 4.35.5 - 15 May 2026
> --------------------
>
> * We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://redirect.github.com/github/codeql-action/pull/3899)
> * For performance and accuracy reasons, [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://redirect.github.com/github/codeql-action/pull/3791)
> * If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://redirect.github.com/github/codeql-action/pull/3892)
> * Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://redirect.github.com/github/codeql-action/pull/3880)
>
> 4.35.4 - 07 May 2026
> --------------------
>
> * Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://redirect.github.com/github/codeql-action/pull/3881)
>
> 4.35.3 - 01 May 2026
> --------------------
>
> * *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://redirect.github.com/github/codeql-action/pull/3837)
> * Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://redirect.github.com/github/codeql-action/pull/3850)
> * Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://redirect.github.com/github/codeql-action/pull/3853)
> * Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://redirect.github.com/github/codeql-action/pull/3852)
> * Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://redirect.github.com/github/codeql-action/pull/3865)
>
> 4.35.2 - 15 Apr 2026
> --------------------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)
>
> 4.35.1 - 27 Mar 2026
> --------------------
>
> * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781)
>
> 4.35.0 - 27 Mar 2026
> --------------------
>
> * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767)
> * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773)
>
> 4.34.1 - 20 Mar 2026
> --------------------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> 4.34.0 - 20 Mar 2026
> --------------------

... (truncated)


Commits

* [`9e0d7b8`](github/codeql-action@9e0d7b8) Merge pull request [#3905](https://redirect.github.com/github/codeql-action/issues/3905) from github/update-v4.35.5-d4b485515
* [`6d7d599`](github/codeql-action@6d7d599) Add changelog entry for [#3899](https://redirect.github.com/github/codeql-action/issues/3899)
* [`51f7e38`](github/codeql-action@51f7e38) Update changelog for v4.35.5
* [`d4b4855`](github/codeql-action@d4b4855) Merge pull request [#3899](https://redirect.github.com/github/codeql-action/issues/3899) from github/mbg/esbuild/split
* [`127de81`](github/codeql-action@127de81) Merge remote-tracking branch 'origin/main' into mbg/esbuild/split
* [`7fde13f`](github/codeql-action@7fde13f) Use src + basename in header to avoid issues on Windows
* [`dfa61e7`](github/codeql-action@dfa61e7) Improve pattern matching and error handling
* [`52aafec`](github/codeql-action@52aafec) Import and call `runWrapper` normally in `analyze` tests
* [`0d08c01`](github/codeql-action@0d08c01) Auto-generate shared bundle
* [`14085a6`](github/codeql-action@14085a6) Auto-generate entry points
* Additional commits viewable in [compare view](github/codeql-action@68bde55...9e0d7b8)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
mergify Bot added a commit that referenced this pull request May 24, 2026
@mergify
chore(deps): bump the github-actions group with 5 updates [skip ci]
e04b4c3 
Bumps the github-actions group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.0.0` | `4.1.0` |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.123` | `1.0.133` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.5` | `4.36.0` |
| [docker/login-action](https://github.com/docker/login-action) | `4.1.0` | `4.2.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `6.0.0` | `6.0.1` |
Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0
Release notes

*Sourced from [docker/setup-buildx-action's releases](https://github.com/docker/setup-buildx-action/releases).*

> v4.1.0
> ------
>
> * Bump `@​docker/actions-toolkit` from 0.79.0 to 0.90.0 in [docker/setup-buildx-action#489](https://redirect.github.com/docker/setup-buildx-action/pull/489)
> * Bump brace-expansion from 1.1.12 to 5.0.6 in [docker/setup-buildx-action#547](https://redirect.github.com/docker/setup-buildx-action/pull/547) [docker/setup-buildx-action#508](https://redirect.github.com/docker/setup-buildx-action/pull/508)
> * Bump fast-xml-builder from 1.0.0 to 1.2.0 in [docker/setup-buildx-action#540](https://redirect.github.com/docker/setup-buildx-action/pull/540)
> * Bump fast-xml-parser from 5.4.2 to 5.8.0 in [docker/setup-buildx-action#496](https://redirect.github.com/docker/setup-buildx-action/pull/496)
> * Bump flatted from 3.3.3 to 3.4.2 in [docker/setup-buildx-action#499](https://redirect.github.com/docker/setup-buildx-action/pull/499)
> * Bump glob from 10.3.12 to 13.0.6 in [docker/setup-buildx-action#495](https://redirect.github.com/docker/setup-buildx-action/pull/495)
> * Bump handlebars from 4.7.8 to 4.7.9 in [docker/setup-buildx-action#504](https://redirect.github.com/docker/setup-buildx-action/pull/504)
> * Bump lodash from 4.17.23 to 4.18.1 in [docker/setup-buildx-action#523](https://redirect.github.com/docker/setup-buildx-action/pull/523)
> * Bump picomatch from 4.0.3 to 4.0.4 in [docker/setup-buildx-action#503](https://redirect.github.com/docker/setup-buildx-action/pull/503)
> * Bump postcss from 8.5.6 to 8.5.10 in [docker/setup-buildx-action#537](https://redirect.github.com/docker/setup-buildx-action/pull/537)
> * Bump tar from 6.2.1 to 7.5.15 in [docker/setup-buildx-action#545](https://redirect.github.com/docker/setup-buildx-action/pull/545)
> * Bump undici from 6.23.0 to 6.25.0 in [docker/setup-buildx-action#492](https://redirect.github.com/docker/setup-buildx-action/pull/492)
> * Bump vite from 7.3.1 to 7.3.2 in [docker/setup-buildx-action#520](https://redirect.github.com/docker/setup-buildx-action/pull/520)
>
> **Full Changelog**: <docker/setup-buildx-action@v4.0.0...v4.1.0>


Commits

* [`d7f5e7f`](docker/setup-buildx-action@d7f5e7f) Merge pull request [#489](https://redirect.github.com/docker/setup-buildx-action/issues/489) from docker/dependabot/npm\_and\_yarn/docker/actions-to...
* [`92bc5c9`](docker/setup-buildx-action@92bc5c9) chore: update generated content
* [`da11e35`](docker/setup-buildx-action@da11e35) build(deps): bump `@​docker/actions-toolkit` from 0.79.0 to 0.90.0
* [`f021e16`](docker/setup-buildx-action@f021e16) Merge pull request [#492](https://redirect.github.com/docker/setup-buildx-action/issues/492) from docker/dependabot/npm\_and\_yarn/undici-6.24.1
* [`b5af94f`](docker/setup-buildx-action@b5af94f) chore: update generated content
* [`16ad977`](docker/setup-buildx-action@16ad977) build(deps): bump undici from 6.23.0 to 6.25.0
* [`d7a12d7`](docker/setup-buildx-action@d7a12d7) Merge pull request [#495](https://redirect.github.com/docker/setup-buildx-action/issues/495) from docker/dependabot/npm\_and\_yarn/glob-10.5.0
* [`28ff27d`](docker/setup-buildx-action@28ff27d) build(deps): bump glob from 10.3.12 to 13.0.6
* [`daf436b`](docker/setup-buildx-action@daf436b) Merge pull request [#496](https://redirect.github.com/docker/setup-buildx-action/issues/496) from docker/dependabot/npm\_and\_yarn/fast-xml-parser-5...
* [`9725348`](docker/setup-buildx-action@9725348) chore: update generated content
* Additional commits viewable in [compare view](docker/setup-buildx-action@4d04d5d...d7f5e7f)
  
Updates `anthropics/claude-code-action` from 1.0.123 to 1.0.133
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.133
> --------
>
> What's Changed
> --------------
>
> * Use workload identity federation for Claude auth in CI workflows by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1344](https://redirect.github.com/anthropics/claude-code-action/pull/1344)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.133>
>
> v1.0.132
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.132>
>
> v1.0.131
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.131>
>
> v1.0.130
> --------
>
> What's Changed
> --------------
>
> * Add Workload Identity Federation (OIDC) authentication support by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1338](https://redirect.github.com/anthropics/claude-code-action/pull/1338)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.130>
>
> v1.0.129
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.129>
>
> v1.0.128
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.128>
>
> v1.0.127
> --------
>
> What's Changed
> --------------
>
> * Refactor allowed\_bots actor resolution by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1330](https://redirect.github.com/anthropics/claude-code-action/pull/1330)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.127>
>
> v1.0.126
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.126>
>
> v1.0.125
> --------
>
> What's Changed
> --------------
>
> * Simplify comment tool instructions in prompt by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1328](https://redirect.github.com/anthropics/claude-code-action/pull/1328)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.125>
>
> v1.0.124
> --------
>
> What's Changed
> --------------
>
> * fix: add parentheses to fix operator precedence in co-author check by [`@​FuturizeRush`](https://github.com/FuturizeRush) in [anthropics/claude-code-action#1199](https://redirect.github.com/anthropics/claude-code-action/pull/1199)
> * Strengthen simplified tag-mode prompt (USE\_SIMPLE\_PROMPT) by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1313](https://redirect.github.com/anthropics/claude-code-action/pull/1313)
> * Fix prettier formatting in create-prompt by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1325](https://redirect.github.com/anthropics/claude-code-action/pull/1325)
>
> New Contributors
> ----------------

... (truncated)


Commits

* [`787c5a0`](anthropics/claude-code-action@787c5a0) chore: bump Claude Code to 2.1.150 and Agent SDK to 0.3.150
* [`4257c8e`](anthropics/claude-code-action@4257c8e) Use workload identity federation for Claude auth in CI workflows ([#1344](https://redirect.github.com/anthropics/claude-code-action/issues/1344))
* [`bbfaf8e`](anthropics/claude-code-action@bbfaf8e) chore: bump Claude Code to 2.1.149 and Agent SDK to 0.3.149
* [`4481e6d`](anthropics/claude-code-action@4481e6d) chore: bump Claude Code to 2.1.148 and Agent SDK to 0.3.148
* [`661a6fe`](anthropics/claude-code-action@661a6fe) Add Workload Identity Federation (OIDC) authentication support ([#1338](https://redirect.github.com/anthropics/claude-code-action/issues/1338))
* [`c9d66af`](anthropics/claude-code-action@c9d66af) chore: bump Claude Code to 2.1.147 and Agent SDK to 0.3.147
* [`20c8abf`](anthropics/claude-code-action@20c8abf) chore: bump Claude Code to 2.1.146 and Agent SDK to 0.3.146
* [`1dc994e`](anthropics/claude-code-action@1dc994e) Resolve actor account type before applying allowed\_bots ([#1330](https://redirect.github.com/anthropics/claude-code-action/issues/1330))
* [`ca89df3`](anthropics/claude-code-action@ca89df3) chore: bump Claude Code to 2.1.145 and Agent SDK to 0.3.145
* [`fd1877d`](anthropics/claude-code-action@fd1877d) Simplify comment tool instructions in prompt ([#1328](https://redirect.github.com/anthropics/claude-code-action/issues/1328))
* Additional commits viewable in [compare view](anthropics/claude-code-action@51ea8ea...787c5a0)
  
Updates `github/codeql-action` from 4.35.5 to 4.36.0
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.36.0
> -------
>
> * *Breaking change*: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://redirect.github.com/github/codeql-action/pull/3894)
> * Add support for SHA-256 Git object IDs. [#3893](https://redirect.github.com/github/codeql-action/pull/3893)
> * Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://redirect.github.com/github/codeql-action/pull/3926)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> No user facing changes.
>
> 4.36.0 - 22 May 2026
> --------------------
>
> * *Breaking change*: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://redirect.github.com/github/codeql-action/pull/3894)
> * Add support for SHA-256 Git object IDs. [#3893](https://redirect.github.com/github/codeql-action/pull/3893)
> * Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://redirect.github.com/github/codeql-action/pull/3926)
>
> 4.35.5 - 15 May 2026
> --------------------
>
> * We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://redirect.github.com/github/codeql-action/pull/3899)
> * For performance and accuracy reasons, [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://redirect.github.com/github/codeql-action/pull/3791)
> * If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://redirect.github.com/github/codeql-action/pull/3892)
> * Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://redirect.github.com/github/codeql-action/pull/3880)
>
> 4.35.4 - 07 May 2026
> --------------------
>
> * Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://redirect.github.com/github/codeql-action/pull/3881)
>
> 4.35.3 - 01 May 2026
> --------------------
>
> * *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://redirect.github.com/github/codeql-action/pull/3837)
> * Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://redirect.github.com/github/codeql-action/pull/3850)
> * Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://redirect.github.com/github/codeql-action/pull/3853)
> * Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://redirect.github.com/github/codeql-action/pull/3852)
> * Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://redirect.github.com/github/codeql-action/pull/3865)
>
> 4.35.2 - 15 Apr 2026
> --------------------
>
> * The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://redirect.github.com/github/codeql-action/pull/3795)
> * The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://redirect.github.com/github/codeql-action/pull/3789)
> * Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://redirect.github.com/github/codeql-action/pull/3794)
> * Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://redirect.github.com/github/codeql-action/pull/3807)
> * Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://redirect.github.com/github/codeql-action/pull/3823)
>
> 4.35.1 - 27 Mar 2026
> --------------------
>
> * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781)
>
> 4.35.0 - 27 Mar 2026
> --------------------
>
> * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767)
> * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773)

... (truncated)


Commits

* [`7211b7c`](github/codeql-action@7211b7c) Merge pull request [#3927](https://redirect.github.com/github/codeql-action/issues/3927) from github/update-v4.36.0-ebc2d9e2b
* [`7740f2f`](github/codeql-action@7740f2f) Update changelog for v4.36.0
* [`ebc2d9e`](github/codeql-action@ebc2d9e) Merge pull request [#3926](https://redirect.github.com/github/codeql-action/issues/3926) from github/update-bundle/codeql-bundle-v2.25.5
* [`d1f74b7`](github/codeql-action@d1f74b7) Add changelog note
* [`2dc40ce`](github/codeql-action@2dc40ce) Update default bundle to codeql-bundle-v2.25.5
* [`8449852`](github/codeql-action@8449852) Merge pull request [#3910](https://redirect.github.com/github/codeql-action/issues/3910) from github/henrymercer/repo-size-diff-check
* [`72ac23c`](github/codeql-action@72ac23c) Update excluded required check list
* [`c5297a2`](github/codeql-action@c5297a2) Merge pull request [#3919](https://redirect.github.com/github/codeql-action/issues/3919) from github/henrymercer/workflow-concurrency
* [`8ffeae7`](github/codeql-action@8ffeae7) CI: Automatically cancel non-generated workflows
* [`f3f52bf`](github/codeql-action@f3f52bf) Revert `getErrorMessage` import
* Additional commits viewable in [compare view](github/codeql-action@9e0d7b8...7211b7c)
  
Updates `docker/login-action` from 4.1.0 to 4.2.0
Release notes

*Sourced from [docker/login-action's releases](https://github.com/docker/login-action/releases).*

> v4.2.0
> ------
>
> * Bump `@​actions/core` from 3.0.0 to 3.0.1 in [docker/login-action#976](https://redirect.github.com/docker/login-action/pull/976)
> * Bump `@​aws-sdk/client-ecr` and `@​aws-sdk/client-ecr-public` to 3.1050.0 in [docker/login-action#960](https://redirect.github.com/docker/login-action/pull/960)
> * Bump `@​docker/actions-toolkit` from 0.86.0 to 0.90.0 in [docker/login-action#970](https://redirect.github.com/docker/login-action/pull/970)
> * Bump brace-expansion from 2.0.1 to 5.0.6 in [docker/login-action#993](https://redirect.github.com/docker/login-action/pull/993)
> * Bump fast-xml-builder from 1.1.4 to 1.2.0 in [docker/login-action#985](https://redirect.github.com/docker/login-action/pull/985)
> * Bump fast-xml-parser from 5.3.6 to 5.8.0 in [docker/login-action#963](https://redirect.github.com/docker/login-action/pull/963)
> * Bump http-proxy-agent and https-proxy-agent to 9.0.0 in [docker/login-action#961](https://redirect.github.com/docker/login-action/pull/961)
> * Bump postcss from 8.5.6 to 8.5.10 in [docker/login-action#979](https://redirect.github.com/docker/login-action/pull/979)
> * Bump tar from 6.2.1 to 7.5.15 in [docker/login-action#991](https://redirect.github.com/docker/login-action/pull/991)
> * Bump vite from 7.3.1 to 7.3.3 in [docker/login-action#986](https://redirect.github.com/docker/login-action/pull/986)
>
> **Full Changelog**: <docker/login-action@v4.1.0...v4.2.0>


Commits

* [`650006c`](docker/login-action@650006c) Merge pull request [#960](https://redirect.github.com/docker/login-action/issues/960) from docker/dependabot/npm\_and\_yarn/aws-sdk-dependenc...
* [`99df1a3`](docker/login-action@99df1a3) chore: update generated content
* [`3ab375f`](docker/login-action@3ab375f) build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
* [`39d8580`](docker/login-action@39d8580) Merge pull request [#970](https://redirect.github.com/docker/login-action/issues/970) from docker/dependabot/npm\_and\_yarn/docker/actions-to...
* [`4eefcd3`](docker/login-action@4eefcd3) chore: update generated content
* [`56d092c`](docker/login-action@56d092c) build(deps): bump `@​docker/actions-toolkit` from 0.86.0 to 0.90.0
* [`e2e31ca`](docker/login-action@e2e31ca) Merge pull request [#976](https://redirect.github.com/docker/login-action/issues/976) from docker/dependabot/npm\_and\_yarn/actions/core-3.0.1
* [`0bced94`](docker/login-action@0bced94) chore: update generated content
* [`3e75a0f`](docker/login-action@3e75a0f) build(deps): bump `@​actions/core` from 3.0.0 to 3.0.1
* [`365bebd`](docker/login-action@365bebd) Merge pull request [#984](https://redirect.github.com/docker/login-action/issues/984) from docker/dependabot/github\_actions/aws-actions/con...
* Additional commits viewable in [compare view](docker/login-action@4907a6d...650006c)
  
Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
Release notes

*Sourced from [codecov/codecov-action's releases](https://github.com/codecov/codecov-action/releases).*

> v6.0.1
> ------
>
> What's Changed
> --------------
>
> * fix: prevent template injection in run: steps (VULN-1652) by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1947](https://redirect.github.com/codecov/codecov-action/pull/1947)
> * chore(release): 6.0.1 by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1949](https://redirect.github.com/codecov/codecov-action/pull/1949)
>
> **Full Changelog**: <codecov/codecov-action@v6.0.0...v6.0.1>


Changelog

*Sourced from [codecov/codecov-action's changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md).*

> v5.5.2
> ------
>
> ### What's Changed
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2>
>
> v5.5.1
> ------
>
> ### What's Changed
>
> * fix: overwrite pr number on fork by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1871](https://redirect.github.com/codecov/codecov-action/pull/1871)
> * build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by `@​app/dependabot` in [codecov/codecov-action#1868](https://redirect.github.com/codecov/codecov-action/pull/1868)
> * build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by `@​app/dependabot` in [codecov/codecov-action#1867](https://redirect.github.com/codecov/codecov-action/pull/1867)
> * fix: update to use local app/ dir by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1872](https://redirect.github.com/codecov/codecov-action/pull/1872)
> * docs: fix typo in README by [`@​datalater`](https://github.com/datalater) in [codecov/codecov-action#1866](https://redirect.github.com/codecov/codecov-action/pull/1866)
> * Document a `codecov-cli` version reference example by [`@​webknjaz`](https://github.com/webknjaz) in [codecov/codecov-action#1774](https://redirect.github.com/codecov/codecov-action/pull/1774)
> * build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by `@​app/dependabot` in [codecov/codecov-action#1861](https://redirect.github.com/codecov/codecov-action/pull/1861)
> * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by `@​app/dependabot` in [codecov/codecov-action#1833](https://redirect.github.com/codecov/codecov-action/pull/1833)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1>
>
> v5.5.0
> ------
>
> ### What's Changed
>
> * feat: upgrade wrapper to 0.2.4 by [`@​jviall`](https://github.com/jviall) in [codecov/codecov-action#1864](https://redirect.github.com/codecov/codecov-action/pull/1864)
> * Pin actions/github-script by Git SHA by [`@​martincostello`](https://github.com/martincostello) in [codecov/codecov-action#1859](https://redirect.github.com/codecov/codecov-action/pull/1859)
> * fix: check reqs exist by [`@​joseph-sentry`](https://github.com/joseph-sentry) in [codecov/codecov-action#1835](https://redirect.github.com/codecov/codecov-action/pull/1835)
> * fix: Typo in README by [`@​spalmurray`](https://github.com/spalmurray) in [codecov/codecov-action#1838](https://redirect.github.com/codecov/codecov-action/pull/1838)
> * docs: Refine OIDC docs by [`@​spalmurray`](https://github.com/spalmurray) in [codecov/codecov-action#1837](https://redirect.github.com/codecov/codecov-action/pull/1837)
> * build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by `@​app/dependabot` in [codecov/codecov-action#1829](https://redirect.github.com/codecov/codecov-action/pull/1829)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0>
>
> v5.4.3
> ------
>
> ### What's Changed
>
> * build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by `@​app/dependabot` in [codecov/codecov-action#1822](https://redirect.github.com/codecov/codecov-action/pull/1822)
> * fix: OIDC on forks by [`@​joseph-sentry`](https://github.com/joseph-sentry) in [codecov/codecov-action#1823](https://redirect.github.com/codecov/codecov-action/pull/1823)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3>
>
> v5.4.2
> ------

... (truncated)


Commits

* [`e79a696`](codecov/codecov-action@e79a696) chore(release): 6.0.1 ([#1949](https://redirect.github.com/codecov/codecov-action/issues/1949))
* [`51e6422`](codecov/codecov-action@51e6422) fix: prevent template injection in run: steps (VULN-1652) ([#1947](https://redirect.github.com/codecov/codecov-action/issues/1947))
* See full diff in [compare view](codecov/codecov-action@57e3a13...e79a696)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robfrank robfrank robfrank approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@robfrank