Skip to content

[pull] master from gocd:master#4026

Open
pull[bot] wants to merge 133 commits into
stackriot:masterfrom
gocd:master
Open

[pull] master from gocd:master#4026
pull[bot] wants to merge 133 commits into
stackriot:masterfrom
gocd:master

Conversation

@pull

@pull pull Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Jun 9, 2026
@pull pull Bot added ⤵️ pull merge-conflict Resolve conflicts manually labels Jun 9, 2026
chadlwilson and others added 21 commits June 9, 2026 22:42
@chadlwilson
build: fix matching of license data for artifacts with classifiers
e12f28d
@chadlwilson
build(deps): bump gradle-license-report to 3.1.3
2a19608
@chadlwilson
chore: suppress new spring vuln after review
047351f
@chadlwilson
build: continue building Debian 12 for 26.1.0
03db58e 
Haven't had a release for a while, so continue building for next release.
@chadlwilson
chore: suppress new Spring Security vulnerabilities after review
483b60f
@chadlwilson
build(deps): bump gradle-license-report to 3.1.4
4be33a3
@chadlwilson
chore: suppress more Spring FW bugs after review
a41454a
@chadlwilson
chore: remove unnecessary suppressions
a0f19a1
@chadlwilson
chore: add back suppression for trivy
db6aa1d
@chadlwilson
chore: remove unnecessary suppression
e47b8fc
@chadlwilson
chore: suppress additional Spring vulnerabilities after review
37d2f1f
@chadlwilson
chore: remove unnecessary suppression
a04e081
@dependabot
build(deps): bump com.autonomousapps.dependency-analysis
9f9c6c6 
Bumps com.autonomousapps.dependency-analysis from 3.14.1 to 3.15.0.

---
updated-dependencies:
- dependency-name: com.autonomousapps.dependency-analysis
  dependency-version: 3.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
ui-dev: bump @types/node
31d50e6 
Bumps the types group in /server/src/main/webapp/WEB-INF/rails with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).


Updates `@types/node` from 24.13.1 to 24.13.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 24.13.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
Merge pull request #14425 from gocd/dependabot/gradle/com.autonomousa…
3acd4c3 
…pps.dependency-analysis-3.15.0

build(deps): bump com.autonomousapps.dependency-analysis from 3.14.1 to 3.15.0
@chadlwilson
Merge pull request #14426 from gocd/dependabot/npm_and_yarn/server/sr…
b1f7a58 
…c/main/webapp/WEB-INF/rails/types-5a9b28b384

ui-dev: bump @types/node from 24.13.1 to 24.13.2 in /server/src/main/webapp/WEB-INF/rails in the types group
@chadlwilson
build(deps): bump minor sass and google-protobuf versions
8ee0380
@chadlwilson
build(deps): bump transitive dependencies to latest
acd33ba
@chadlwilson
chore: suppress reincarnated spring security vuln CVE-2026-47838 afte…
2cd7483 
…r review
@chadlwilson
fix: rework material connection and pipeline group admin testing
f0dda0f
@chadlwilson
chore: rename helpers for accuracy
7d6e313 
These do authorization, not authentication.
dependabot Bot and others added 2 commits June 15, 2026 11:48
@dependabot
build(deps): bump aquasec/trivy from 0.71.0 to 0.71.1 in /docker
05c6236 
Bumps aquasec/trivy from 0.71.0 to 0.71.1.

---
updated-dependencies:
- dependency-name: aquasec/trivy
  dependency-version: 0.71.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
build(deps): bump yarn to 4.17
988b33a
dependabot Bot and others added 27 commits June 28, 2026 16:31
@dependabot
ui-dev: bump @types/node
f95a0c1 
Bumps the types group in /server/src/main/webapp/WEB-INF/rails with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).


Updates `@types/node` from 26.0.0 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
Merge pull request #14449 from gocd/dependabot/gradle/com.github.oshi…
ccfabe0 
…-oshi-core-7.3.2

build(deps): bump com.github.oshi:oshi-core from 7.3.1 to 7.3.2
@dependabot
ui: bump filesize in /server/src/main/webapp/WEB-INF/rails
e57785f 
Bumps [filesize](https://github.com/avoidwork/filesize.js) from 11.0.17 to 11.0.18.
- [Changelog](https://github.com/avoidwork/filesize.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/avoidwork/filesize.js/commits/11.0.18)

---
updated-dependencies:
- dependency-name: filesize
  dependency-version: 11.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
ui: bump shell-quote in /server/src/main/webapp/WEB-INF/rails
b06c2af 
Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.8.4 to 1.9.0.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump com.autonomousapps.dependency-analysis
1f45715 
Bumps com.autonomousapps.dependency-analysis from 3.15.0 to 3.16.0.

---
updated-dependencies:
- dependency-name: com.autonomousapps.dependency-analysis
  dependency-version: 3.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
ui-dev: bump crass in /server/src/main/webapp/WEB-INF/rails
dfa7915 
Bumps [crass](https://github.com/rgrove/crass) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/rgrove/crass/releases)
- [Changelog](https://github.com/rgrove/crass/blob/main/HISTORY.md)
- [Commits](rgrove/crass@v1.0.6...v1.0.7)

---
updated-dependencies:
- dependency-name: crass
  dependency-version: 1.0.7
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
Merge pull request #14452 from gocd/dependabot/npm_and_yarn/server/sr…
c86c5b1 
…c/main/webapp/WEB-INF/rails/filesize-11.0.18

ui: bump filesize from 11.0.17 to 11.0.18 in /server/src/main/webapp/WEB-INF/rails
@dependabot
ui-dev: bump stylelint in /server/src/main/webapp/WEB-INF/rails
414e289 
Bumps [stylelint](https://github.com/stylelint/stylelint) from 17.13.0 to 17.14.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](stylelint/stylelint@17.13.0...17.14.0)

---
updated-dependencies:
- dependency-name: stylelint
  dependency-version: 17.14.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
Merge pull request #14454 from gocd/dependabot/gradle/com.autonomousa…
43e1177 
…pps.dependency-analysis-3.16.0

build(deps): bump com.autonomousapps.dependency-analysis from 3.15.0 to 3.16.0
@chadlwilson
Merge pull request #14457 from gocd/dependabot/bundler/server/src/mai…
0dd2070 
…n/webapp/WEB-INF/rails/crass-1.0.7

ui-dev: bump crass from 1.0.6 to 1.0.7 in /server/src/main/webapp/WEB-INF/rails
@chadlwilson
Merge pull request #14458 from gocd/dependabot/npm_and_yarn/server/sr…
7585b66 
…c/main/webapp/WEB-INF/rails/stylelint-17.14.0

ui-dev: bump stylelint from 17.13.0 to 17.14.0 in /server/src/main/webapp/WEB-INF/rails
@dependabot
build(deps): bump gradle-wrapper from 9.6.0 to 9.6.1
8b79d4c 
Bumps [gradle-wrapper](https://github.com/gradle/gradle) from 9.6.0 to 9.6.1.
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v9.6.0...v9.6.1)

---
updated-dependencies:
- dependency-name: gradle-wrapper
  dependency-version: 9.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump ch.qos.logback:logback-classic from 1.5.35 to 1.5.37
09a9456 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.35 to 1.5.37.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.35...v_1.5.37)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump com.github.jnr:jffi from 1.3.15 to 1.4.0
e52df2e 
Bumps [com.github.jnr:jffi](https://github.com/jnr/jffi) from 1.3.15 to 1.4.0.
- [Commits](jnr/jffi@jffi-1.3.15...1.4.0)

---
updated-dependencies:
- dependency-name: com.github.jnr:jffi
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@chadlwilson
Merge pull request #14450 from gocd/dependabot/npm_and_yarn/server/sr…
6c16cf6 
…c/main/webapp/WEB-INF/rails/types-6315faf2cf

ui-dev: bump @types/node from 26.0.0 to 26.0.1 in /server/src/main/webapp/WEB-INF/rails in the types group
@chadlwilson
Merge pull request #14459 from gocd/dependabot/gradle/gradle-wrapper-…
d6c45ac 
…9.6.1

build(deps): bump gradle-wrapper from 9.6.0 to 9.6.1
@chadlwilson
Merge pull request #14460 from gocd/dependabot/gradle/ch.qos.logback-…
54b4613 
…logback-classic-1.5.37

build(deps): bump ch.qos.logback:logback-classic from 1.5.35 to 1.5.37
@chadlwilson
Merge pull request #14453 from gocd/dependabot/npm_and_yarn/server/sr…
7e77014 
…c/main/webapp/WEB-INF/rails/shell-quote-1.9.0

ui: bump shell-quote from 1.8.4 to 1.9.0 in /server/src/main/webapp/WEB-INF/rails
@chadlwilson
Merge pull request #14461 from gocd/dependabot/gradle/com.github.jnr-…
65e624c 
…jffi-1.4.0

build(deps): bump com.github.jnr:jffi from 1.3.15 to 1.4.0
@chadlwilson
chore: bump expected jpms version
ac1b64d
@chadlwilson
Revert "build(deps): bump com.github.jnr:jffi from 1.3.15 to 1.4.0"
73ad808
@chadlwilson
Merge pull request #14462 from gocd/revert-14461-dependabot/gradle/co…
b9724b4 
…m.github.jnr-jffi-1.4.0

Revert "build(deps): bump com.github.jnr:jffi from 1.3.15 to 1.4.0"
@chadlwilson
chore: avoid dependabot from trying to "upgrade" jffi
ba9c83f 
This isn't actually changing the transitive dependency; only the version expectation from jruby.
@chadlwilson
chore: suppress expected warning
1842b17
@chadlwilson
chore: fix error message typo
2e52396
@chadlwilson
chore: dont recompile regex every time
cf646cd
@chadlwilson
chore: avoid static block when unnecessary
bcb2ace
@chadlwilson
docs: document the threat model and clarify security policy further
01cea4e 
Attempt to give more information to contributors and AI agents about the intended design and deployment asumptions of GoCD.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull merge-conflict Resolve conflicts manually

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chadlwilson