deps(deps): update davidanson/markdownlint-cli2-action action to v19

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
DavidAnson/markdownlint-cli2-action	action	major	v18.0.0 -> v19.0.0

---

Release Notes

DavidAnson/markdownlint-cli2-action (DavidAnson/markdownlint-cli2-action)

v19.0.0: Update markdownlint version (markdownlint-cli2 v0.17.0, markdownlint v0.37.0).

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1

digest	sha256:a72f628fa83ed3eaffa03750bad3be46092968fe07eb8d683a5a7c650be925c2
vulnerabilities
platform	linux/amd64
size	104 MB
packages	239

📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10

also known as	3 3.20 3.20.3 latest
digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilities

golang.org/x/crypto 0.27.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 17th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

stdlib 1.22.4 (golang) pkg:golang/[email protected] Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 17th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 17th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range >=1.22.0-0 <1.22.5 Fixed version 1.22.5 EPSS Score 0.045% EPSS Percentile 17th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.218% EPSS Percentile 60th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/net 0.24.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 17th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

golang.org/x/net 0.29.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 17th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name	3.20.3
Digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilities
Pushed	3 months ago
Size	3.6 MB
Packages	17
OS	3.20.3

The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
3 Newer image for same tag Also known as: 3.21.0 3.21 latest	Benefits: Newer image for same tag Minor OS version update Tag is preferred tag Tag was pushed more recently Image has similar size Tag is latest Image introduces no new vulnerability but removes 1 3 was pulled 251K times last month Image details: Size: 3.6 MB OS: 3.21.0	3 weeks ago

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1

digest	sha256:a72f628fa83ed3eaffa03750bad3be46092968fe07eb8d683a5a7c650be925c2
vulnerabilities
platform	linux/amd64
size	104 MB
packages	239

📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10

also known as	3 3.20 3.20.3 latest
digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilities

golang.org/x/crypto 0.27.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 17th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

stdlib 1.22.4 (golang) pkg:golang/[email protected] Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 17th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 17th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range >=1.22.0-0 <1.22.5 Fixed version 1.22.5 EPSS Score 0.045% EPSS Percentile 17th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.218% EPSS Percentile 60th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/net 0.29.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 17th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

golang.org/x/net 0.24.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 17th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name	3.20.3
Digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilities
Pushed	3 months ago
Size	3.6 MB
Packages	17
OS	3.20.3

The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
3 Newer image for same tag Also known as: 3.21.0 3.21 latest	Benefits: Newer image for same tag Minor OS version update Tag is preferred tag Tag was pushed more recently Image has similar size Tag is latest Image introduces no new vulnerability but removes 1 3 was pulled 251K times last month Image details: Size: 3.6 MB OS: 3.21.0	3 weeks ago

Change base image

✅ There are no tag recommendations at this time.