chore(deps): update all non-major dependencies

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/checkout	action	patch	v4.1.4 -> v4.1.7
actions/dependency-review-action	action	minor	v4.2.5 -> v4.3.3
actions/setup-node	action	patch	v4.0.2 -> v4.0.3
github/codeql-action	action	patch	v3.25.3 -> v3.25.11
gts	devDependencies	patch	5.3.0 -> 5.3.1
ossf/scorecard-action	action	patch	v2.3.1 -> v2.3.3
step-security/harden-runner	action	minor	v2.7.0 -> v2.8.1

---

Release Notes

actions/checkout (actions/checkout)

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in https://github.com/actions/checkout/pull/1739
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1697
• Check out other refs/* by commit by @​orhantoy in https://github.com/actions/checkout/pull/1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in https://github.com/actions/checkout/pull/1776

v4.1.6

Compare Source

• Check platform to set archive extension appropriately by @​cory-miller in https://github.com/actions/checkout/pull/1732

v4.1.5

Compare Source

What's Changed

• Update NPM dependencies by @​cory-miller in https://github.com/actions/checkout/pull/1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in https://github.com/actions/checkout/pull/1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1695
• README: Suggest user.email to be 41898282+github-actions[bot]@​users.noreply.github.com by @​cory-miller in https://github.com/actions/checkout/pull/1707

Full Changelog: actions/checkout@v4.1.4...v4.1.5

actions/dependency-review-action (actions/dependency-review-action)

v4.3.3: Notes for v4.3.3

Compare Source

What's Changed

• Allow slashes in purl package names by @​juxtin in https://github.com/actions/dependency-review-action/pull/765
• use the v3 version of the deps.dev API by @​josieang in https://github.com/actions/dependency-review-action/pull/741
• PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @​am-stead in https://github.com/actions/dependency-review-action/pull/773
• fix show-openssf-scorecard-levels input by @​ramann in https://github.com/actions/dependency-review-action/pull/776
• Updates to the contribution guidelines by @​jonjanego in https://github.com/actions/dependency-review-action/pull/778
• Create issue templates by @​jonjanego in https://github.com/actions/dependency-review-action/pull/777
• Fix the max comment length issue by @​jhutchings1 and @​elireisman in https://github.com/actions/dependency-review-action/pull/767
• Bump project version to 4.3.3 in prep for a release by @​elireisman in https://github.com/actions/dependency-review-action/pull/781

New Contributors

• @​josieang made their first contribution in https://github.com/actions/dependency-review-action/pull/741
• @​am-stead made their first contribution in https://github.com/actions/dependency-review-action/pull/773
• @​ramann made their first contribution in https://github.com/actions/dependency-review-action/pull/776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @​juxtin in https://github.com/actions/dependency-review-action/pull/761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

v4.3.1

Compare Source

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See https://github.com/actions/dependency-review-action/pull/753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

v4.3.0

Compare Source

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @​lukehinds in https://github.com/actions/dependency-review-action/pull/735
• Fix extra https:// in summary by @​jhutchings1 in https://github.com/actions/dependency-review-action/pull/748
• Bump typescript from 5.3.3 to 5.4.5 by @​dependabot in https://github.com/actions/dependency-review-action/pull/744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot in https://github.com/actions/dependency-review-action/pull/737
• Show denied packages with red X by @​juxtin in https://github.com/actions/dependency-review-action/pull/750
• deny-packages configuration option can deny specified version or all packages by @​febuiles and @​bteng22 in https://github.com/actions/dependency-review-action/pull/733

New Contributors

• @​bteng22 made their first contribution in https://github.com/actions/dependency-review-action/pull/733
• @​lukehinds made their first contribution in https://github.com/actions/dependency-review-action/pull/735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

actions/setup-node (actions/setup-node)

v4.0.3

Compare Source

github/codeql-action (github/codeql-action)

v3.25.11

Compare Source

v3.25.10

Compare Source

v3.25.9

Compare Source

v3.25.8

Compare Source

v3.25.7

Compare Source

v3.25.6

Compare Source

v3.25.5

Compare Source

v3.25.4

Compare Source

google/gts (gts)

v5.3.1

Compare Source

Bug Fixes

• deps: replace dependency eslint-plugin-node with eslint-plugin-n (#​865) (efbe3a8)
• deps: update dependency eslint to v8.57.0 (#​833) (0c0a45c)
• deps: update dependency prettier to v3.2.5 (#​846) (7e60e38)

Performance Improvements

• Supercharge Performance & Efficiency: Leveraging Promise.all for Resource-Friendly Tasks 🚤 (#​838) (7424fe1)

ossf/scorecard-action (ossf/scorecard-action)

v2.3.3

Compare Source

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1366
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1374
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1377

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

Documentation

• 📖 Move token discussion out of main README. by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1279
• 📖 link to ossf/scorecard workflow instead of maintaining an example by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1352
• 📖 update api links to new scorecard.dev site by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1376

Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3

v2.3.2

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.8.1

Compare Source

What's Changed

• Bug fix: Update isGitHubHosted implementation by @​varunsh-coder in https://github.com/step-security/harden-runner/pull/425
  The previous implementation incorrectly identified large GitHub-hosted runners as self-hosted runners. As a result, harden-runner was not executing on these large GitHub-hosted runners.

Full Changelog: step-security/harden-runner@v2...v2.8.1

v2.8.0

Compare Source

What's Changed

Release v2.8.0 by @​h0x0er and @​varunsh-coder in https://github.com/step-security/harden-runner/pull/416
This release includes:

• File Monitoring Enhancements: Adds the capability to view the name and path of every file written during the build process.
• Process Tracking Enhancements: Adds the capability to view process names and arguments of processes run during the build process.

These enhancements are based on insights from the XZ Utils incident, aimed at improving observability and detections during the build process.

Full Changelog: step-security/harden-runner@v2...v2.8.0

v2.7.1

Compare Source

What's Changed

Release v2.7.1 by @​varunsh-coder, @​h0x0er, @​ashishkurmi in https://github.com/step-security/harden-runner/pull/397
This release:

• Improves the capability to inspect outbound HTTPS traffic on GitHub-hosted and self-hosted VM runners
• Updates README to add link to case study video on how Harden-Runner detected a supply chain attack on a Google open-source project
• Addresses minor bugs

Full Changelog: step-security/harden-runner@v2.7.0...v2.7.1

---

Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[forking-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.