Skip to content

Bump the action-deps group with 2 updates #892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 5, 2025
Merged

Bump the action-deps group with 2 updates #892

merged 2 commits into from
Sep 5, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 5, 2025

Bumps the action-deps group with 2 updates: actions/setup-python and codecov/codecov-action.

Updates actions/setup-python from 5.6.0 to 6.0.0

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-python@v5...v6.0.0

Commits
  • e797f83 Upgrade to node 24 (#1164)
  • 3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
  • 65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
  • 5b668cf Bump actions/checkout from 4 to 5 (#1181)
  • f62a0e2 Change missing cache directory error to warning (#1182)
  • 9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
  • fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
  • 03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
  • 36da51d Add version parsing from Pipfile (#1067)
  • 3c6f142 update documentation (#1156)
  • Additional commits viewable in compare view

Updates codecov/codecov-action from 5.5.0 to 5.5.1

Release notes

Sourced from codecov/codecov-action's releases.

v5.5.1

What's Changed

New Contributors

Full Changelog: codecov/codecov-action@v5.5.0...v5.5.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.1

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.1..v5.4.2

v5.4.1

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the action-deps group with 2 updates
f41b304 
Bumps the action-deps group with 2 updates: [actions/setup-python](https://github.com/actions/setup-python) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/setup-python` from 5.6.0 to 6.0.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...e797f83)

Updates `codecov/codecov-action` from 5.5.0 to 5.5.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@fdcc847...5a10915)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: action-deps
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 5, 2025
@dependabot dependabot bot requested a review from jkreileder as a code owner September 5, 2025 02:10
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 5, 2025
@codecov
Copy link

codecov bot commented Sep 5, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (2d86827) to head (d607cfd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##              main      #892   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            8         8           
  Lines          151       151           
  Branches        11        11           
=========================================
  Hits           151       151
Flag Coverage Δ
python-3.10 100.00% <ø> (ø)
python-3.11 100.00% <ø> (ø)
python-3.12 100.00% <ø> (ø)
python-3.13 100.00% <ø> (ø)
python-3.9 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link

github-actions bot commented Sep 5, 2025
edited
Loading

Test Results

  5 files  ±0    5 suites  ±0   5s ⏱️ ±0s
 36 tests ±0   36 ✅ ±0  0 💤 ±0  0 ❌ ±0 
180 runs  ±0  180 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit d607cfd. ± Comparison against base commit 2d86827.

♻️ This comment has been updated with latest results.

@jkreileder jkreileder enabled auto-merge (squash) September 5, 2025 06:48
@github-actions
Copy link

github-actions bot commented Sep 5, 2025

🔍 Vulnerabilities of jkreileder/cf-ips-to-hcloud-fw:pr-892

📦 Image Reference jkreileder/cf-ips-to-hcloud-fw:pr-892
digestsha256:d166a407cbeb32c85cc8ee95c56292d575ce20a368854cf14278fe5022701f32
vulnerabilitiescritical: 2 high: 0 medium: 3 low: 2
platformlinux/amd64
size26 MB
packages60
📦 Base Image python:3-alpine
also known as
  • 3-alpine3.22
  • 3.13-alpine
  • 3.13-alpine3.22
  • 3.13.7-alpine
  • 3.13.7-alpine3.22
  • alpine
  • alpine3.22
digestsha256:527c28b29498575b851ad88e7522ac7201bbd9e920d2c11b00ff2b39b315f5f8
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 2
critical: 2 high: 0 medium: 0 low: 0 h11 0.14.0 (pypi)

pkg:pypi/[email protected]

critical 9.1: GHSA--vqfr--h8mv--ghfj OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<0.16.0
Fixed version0.16.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description

A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions.

critical 9.1: CVE--2025--43859 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected range<0.16.0
Fixed version0.16.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.056%
EPSS Percentile17th percentile
Description

Impact

A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions.

Details

HTTP/1.1 Chunked-Encoding bodies are formatted as a sequence of "chunks", each of which consists of:

  • chunk length
  • \r\n
  • length bytes of content
  • \r\n

In versions of h11 up to 0.14.0, h11 instead parsed them as:

  • chunk length
  • \r\n
  • length bytes of content
  • any two bytes

i.e. it did not validate that the trailing \r\n bytes were correct, and if you put 2 bytes of garbage there it would be accepted, instead of correctly rejecting the body as malformed.

By itself this is harmless. However, suppose you have a proxy or reverse-proxy that tries to analyze HTTP requests, and your proxy has a different bug in parsing Chunked-Encoding, acting as if the format is:

  • chunk length
  • \r\n
  • length bytes of content
  • more bytes of content, as many as it takes until you find a \r\n

For example, pound had this bug -- it can happen if an implementer uses a generic "read until end of line" helper to consumes the trailing \r\n.

In this case, h11 and your proxy may both accept the same stream of bytes, but interpret them differently. For example, consider the following HTTP request(s) (assume all line breaks are \r\n):

GET /one HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

5
AAAAAXX2
45
0

GET /two HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

0

Here h11 will interpret it as two requests, one with body AAAAA45 and one with an empty body, while our hypothetical buggy proxy will interpret it as a single request, with body AAAAXX20\r\n\r\nGET /two .... And any time two HTTP processors both accept the same string of bytes but interpret them differently, you have the conditions for a "request smuggling" attack. For example, if /two is a dangerous endpoint and the job of the reverse proxy is to stop requests from getting there, then an attacker could use a bytestream like the above to circumvent this protection.

Even worse, if our buggy reverse proxy receives two requests from different users:

GET /one HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

5
AAAAAXX999
0

GET /two HTTP/1.1
Host: localhost
Cookie: SESSION_KEY=abcdef...

...it will consider the first request to be complete and valid, and send both on to the h11-based web server over the same socket. The server will then see the two concatenated requests, and interpret them as one request to /one whose body includes /two's session key, potentially allowing one user to steal another's credentials.

Patches

Fixed in h11 0.15.0.

Workarounds

Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

Credits

Reported by Jeppe Bonde Weikop on 2025-01-09.

critical: 0 high: 0 medium: 2 low: 0 urllib3 2.3.0 (pypi)

pkg:pypi/[email protected]

medium 5.3: CVE--2025--50182 URL Redirection to Untrusted Site ('Open Redirect')

Affected range>=2.2.0
<2.5.0
Fixed version2.5.0
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score0.013%
EPSS Percentile2nd percentile
Description

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

Affected usages

Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.

Remediation

If you use urllib3 in Node.js, upgrade to a patched version of urllib3.

Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.

medium 5.3: CVE--2025--50181 URL Redirection to Untrusted Site ('Open Redirect')

Affected range<2.5.0
Fixed version2.5.0
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score0.015%
EPSS Percentile2nd percentile
Description

urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:

resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)
# 302

However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:

import urllib3

http = urllib3.PoolManager(retries=0)  # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))  # equivalent to the above
http = urllib3.PoolManager(retries=False)  # should return the first response

resp = http.request("GET", "https://httpbin.org/redirect/1")

However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.

Affected usages

Passing retries on PoolManager instantiation to disable redirects or restrict their number.

By default, requests and botocore users are not affected.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.

Remediation

You can remediate this vulnerability with the following steps:

  • Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [email protected] to discuss sponsorship or contribution opportunities.
  • Disable redirects at the request() level instead of the PoolManager() level.
critical: 0 high: 0 medium: 1 low: 0 requests 2.32.3 (pypi)

pkg:pypi/[email protected]

medium 5.3: CVE--2024--47081 Insufficiently Protected Credentials

Affected range<2.32.4
Fixed version2.32.4
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score0.028%
EPSS Percentile6th percentile
Description

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

critical: 0 high: 0 medium: 0 low: 2 busybox 1.37.0-r18 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

low : CVE--2025--46394

Affected range<=1.37.0-r19
Fixed versionNot Fixed
EPSS Score0.022%
EPSS Percentile4th percentile
Description

low : CVE--2024--58251

Affected range<=1.37.0-r19
Fixed versionNot Fixed
EPSS Score0.031%
EPSS Percentile7th percentile
Description

@github-actions
Copy link

github-actions bot commented Sep 5, 2025

Recommended fixes for image jkreileder/cf-ips-to-hcloud-fw:pr-892

Base image is python:3-alpine

Name3.13.7-alpine3.22
Digestsha256:527c28b29498575b851ad88e7522ac7201bbd9e920d2c11b00ff2b39b315f5f8
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 2
Pushed3 weeks ago
Size17 MB
Packages39
Flavoralpine
OS3.22
Runtime3.13.7
The base image is also available under the supported tag(s): 3-alpine3.22, 3.13-alpine, 3.13-alpine3.22, 3.13.7-alpine, 3.13.7-alpine3.22, alpine, alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions
Copy link

github-actions bot commented Sep 5, 2025

Overview

Image reference jkreileder/cf-ips-to-hcloud-fw:1 quay.io/jkreileder/cf-ips-to-hcloud-fw:pr-892
- digest a013f898285a d166a407cbeb
- tag 1 pr-892
- provenance 90ebdb0 aad7ee6
- vulnerabilities critical: 2 high: 1 medium: 4 low: 2 critical: 2 high: 0 medium: 3 low: 2
- platform linux/amd64 linux/amd64
- size 23 MB 26 MB (+3.4 MB)
- packages 60 60
Base Image python:3-alpine
also known as:
3-alpine3.22
3.13-alpine
3.13-alpine3.22
alpine
alpine3.22		 python:3-alpine
also known as:
3-alpine3.22
3.13-alpine
3.13-alpine3.22
3.13.7-alpine
3.13.7-alpine3.22
alpine
alpine3.22
- vulnerabilities critical: 0 high: 1 medium: 1 low: 2 critical: 0 high: 0 medium: 0 low: 2
Environment Variables (2 changes)
  • ± 2 changed
  • 4 unchanged
 GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305
 PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 PYTHONDONTWRITEBYTECODE=1
 PYTHONFAULTHANDLER=1
-PYTHON_SHA256=93e583f243454e6e9e4588ca2c2662206ad961659863277afcdb96801647d640
+PYTHON_SHA256=5462f9099dfd30e238def83c71d91897d8caa5ff6ebc7a50f14d4802cdaaa79a
-PYTHON_VERSION=3.13.5
+PYTHON_VERSION=3.13.7
Labels (3 changes)
  • ± 3 changed
  • 5 unchanged
-org.opencontainers.image.created=2025-06-20T11:12:42.735Z
+org.opencontainers.image.created=2025-09-05T06:49:13.246Z
 org.opencontainers.image.description=Update Hetzner Cloud firewall rules with current Cloudflare IP ranges
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=90ebdb0cde09868906e19bfb8b149a1abd09824b
+org.opencontainers.image.revision=aad7ee66e513111c8aac0247d88b0615ea4d843e
 org.opencontainers.image.source=https://github.com/jkreileder/cf-ips-to-hcloud-fw
 org.opencontainers.image.title=cf-ips-to-hcloud-fw
 org.opencontainers.image.url=https://github.com/jkreileder/cf-ips-to-hcloud-fw
-org.opencontainers.image.version=1.0.17
+org.opencontainers.image.version=pr-892
Policies (0 improved, 1 worsened, 2 missing data)
Policy Name jkreileder/cf-ips-to-hcloud-fw:1 quay.io/jkreileder/cf-ips-to-hcloud-fw:pr-892 Change Standing
Default non-root user No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities ⚠️ 2 ⚠️ 2 No Change
No high-profile vulnerabilities No Change
No outdated base images ❓ No data
No unapproved base images ❓ No data
Supply chain attestations ⚠️ 2 +2 Worsened
Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)
  • ♾️ 13 packages changed
  • 47 packages unchanged
  • ✔️ 2 vulnerabilities removed
Changes for packages of type apk (10 changes)
Package Version
jkreileder/cf-ips-to-hcloud-fw:1		 Version
quay.io/jkreileder/cf-ips-to-hcloud-fw:pr-892
♾️ .python-rundeps 20250619.205442 20250819.144338
♾️ alpine-base 3.22.0-r0 3.22.1-r0
♾️ alpine-release 3.22.0-r0 3.22.1-r0
♾️ ca-certificates 20241121-r2 20250619-r0
♾️ ca-certificates-bundle 20241121-r2 20250619-r0
♾️ libcrypto3 3.5.0-r0 3.5.1-r0
♾️ libssl3 3.5.0-r0 3.5.1-r0
♾️ openssl 3.5.0-r0 3.5.1-r0
critical: 0 high: 0 medium: 1 low: 0
Removed vulnerabilities (1):
  • medium : CVE--2025--4575
♾️ sqlite 3.49.2-r0 3.49.2-r1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2025--6965
♾️ sqlite-libs 3.49.2-r0 3.49.2-r1
Changes for packages of type generic (1 changes)
Package Version
jkreileder/cf-ips-to-hcloud-fw:1		 Version
quay.io/jkreileder/cf-ips-to-hcloud-fw:pr-892
♾️ python 3.13.5 3.13.7
Changes for packages of type pypi (2 changes)
Package Version
jkreileder/cf-ips-to-hcloud-fw:1		 Version
quay.io/jkreileder/cf-ips-to-hcloud-fw:pr-892
♾️ cf-ips-to-hcloud-fw 1.0.17 1.0.18.dev0
♾️ pip 25.1.1 25.2

@jkreileder jkreileder merged commit 06015d7 into main Sep 5, 2025
59 checks passed
@jkreileder jkreileder deleted the dependabot/github_actions/action-deps-0563b434fb branch September 5, 2025 06:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkreileder jkreileder jkreileder approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jkreileder