[Infrastructure] Bump oxsecurity/megalinter from 9.4.0 to 9.5.0 by dependabot[bot] · Pull Request #16280 · AliceO2Group/O2Physics

dependabot · 2026-05-18T03:51:51Z

Bumps oxsecurity/megalinter from 9.4.0 to 9.5.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

Breaking changes

Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9

oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta

oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

extends: ["airbnb"] → extends: ["airbnb-extended"]

extends: ["standard"] → extends: ["neostandard"]

Core

User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings

Security: more default hidden environment variables, so a compromised linter cannot leak your secrets

Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)

Upgrade GO runtime to 1.26.3

New linters

osv-scanner: trivy-like vulnerability scanner by Google

zizmor: GitHub Actions static analysis

Disabled linters

KICS (until upstream security issue is fixed)

Spectral (crashing)

Re-enabled linters

Trivy (v0.70.0): the supply chain security incident is resolved

Deprecated linters

Removed linters

Media

Linters enhancements

ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config

shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file

raku (Rakudo): now ships on ARM64 too

scala: linter installation is now deterministic (same binary across rebuilds)

v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)

lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)

Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

Fixes

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v9.5.0] - 2026-05-16

Take 2 mn to read MegaLinter v9.5.0 announcements

Breaking changes

Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9

oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta

oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

extends: ["airbnb"] → extends: ["airbnb-extended"]

extends: ["standard"] → extends: ["neostandard"]

Core

User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings

Security: more default hidden environment variables, so a compromised linter cannot leak your secrets

Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)

Upgrade GO runtime to 1.26.3

New linters

osv-scanner: trivy-like vulnerability scanner by Google

zizmor: GitHub Actions static analysis

Disabled linters

KICS (until upstream security issue is fixed)

Spectral (crashing)

Re-enabled linters

Trivy (v0.70.0): the supply chain security incident is resolved

Deprecated linters

Removed linters

Media

Linters enhancements

ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config

shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file

raku (Rakudo): now ships on ARM64 too

scala: linter installation is now deterministic (same binary across rebuilds)

v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)

lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)

Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

Fixes

Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved

... (truncated)

Commits

0e3ce9b Fix release workflows.
3e132b1 Release MegaLinter v9.5.0
cbb7fe9 Doc + prepare 9.5.0 release (#7836)
29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
e04f202 feat: implement user notifications system and replace migration warnings (#7833)
54bfad8 chore(deps): update dependency @stoplight/spectral-cli to v6.16.0 (#7830)
f809408 Eslint legacy detection & warning (#7831)
6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 9.4.0 to 9.5.0. - [Release notes](https://github.com/oxsecurity/megalinter/releases) - [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md) - [Commits](oxsecurity/megalinter@v9.4.0...v9.5.0) --- updated-dependencies: - dependency-name: oxsecurity/megalinter dependency-version: 9.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-18T03:52:06Z

O2 linter results: ❌ 0 errors, ⚠️ 0 warnings, 🔕 0 disabled

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 18, 2026

dependabot Bot requested review from alibuild, ddobrigk, iarsene, jgrosseo and ktf as code owners May 18, 2026 03:51

dependabot Bot added the dependencies Pull requests that update a dependency file label May 18, 2026

dependabot Bot requested review from a team and dsekihat as code owners May 18, 2026 03:51

dependabot Bot added the github_actions Pull requests that update GitHub Actions code label May 18, 2026

github-actions Bot added the infrastructure label May 18, 2026

github-actions Bot changed the title ~~Bump oxsecurity/megalinter from 9.4.0 to 9.5.0~~ [Infrastructure] Bump oxsecurity/megalinter from 9.4.0 to 9.5.0 May 18, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Infrastructure] Bump oxsecurity/megalinter from 9.4.0 to 9.5.0#16280

[Infrastructure] Bump oxsecurity/megalinter from 9.4.0 to 9.5.0#16280
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/oxsecurity/megalinter-9.5.0

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026

v9.5.0

What's Changed

[v9.5.0] - 2026-05-16

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants