chore(deps): update github/codeql-action action to v3.31.9 #352

CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
Update default CodeQL bundle version to 2.23.5. #3288

See the full CHANGELOG.md for more information.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

Bump minimum CodeQL bundle version to 2.17.6. #3223
When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

See the full CHANGELOG.md for more information.

`v3.30.9`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

Update default CodeQL bundle version to 2.23.3. #3205
Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204

See the full CHANGELOG.md for more information.

`v3.30.8`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.30.7`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.30.6`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

Update default CodeQL bundle version to 2.23.2. #3168

See the full CHANGELOG.md for more information.

`v3.30.5`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #3160

See the full CHANGELOG.md for more information.

`v3.30.4`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #3099 and #3100
We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #3107
You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #3130
Update default CodeQL bundle version to 2.23.1. #3118

See the full CHANGELOG.md for more information.

`v3.30.3`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.30.2`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

Fixed a bug which could cause language autodetection to fail. #3084
Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

See the full CHANGELOG.md for more information.

`v3.30.1`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

Update default CodeQL bundle version to 2.23.0. #3077

See the full CHANGELOG.md for more information.

`v3.30.0`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

See the full CHANGELOG.md for more information.

`v3.29.11`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.11 - 21 Aug 2025

Update default CodeQL bundle version to 2.22.4. #3044

See the full CHANGELOG.md for more information.

`v3.29.10`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.10 - 18 Aug 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.29.9`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.9 - 12 Aug 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.29.8`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.8 - 08 Aug 2025

Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

See the full CHANGELOG.md for more information.

`v3.29.7`

Compare Source

This is a re-release of v3.29.5 to mitigate an issue that was discovered with v3.29.6.

`v3.29.6`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.6 - 07 Aug 2025

The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
Update default CodeQL bundle version to 2.22.3. #3000

See the full CHANGELOG.md for more information.

`v3.29.5`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.5 - 29 Jul 2025

Update default CodeQL bundle version to 2.22.2. #2986

See the full CHANGELOG.md for more information.

`v3.29.4`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.4 - 23 Jul 2025

No user facing changes.

See the full CHANGELOG.md for more information.

`v3.29.3`

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.3 - 21 Jul 2025

No user facing changes.

See the full CHANGELOG.md for more information.

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2025-12-01T01:19:35Z

Overview

Image reference	`djaytan/papermc-server:1.21.4`	`djaytan/papermc-server:test`
- digest	`e5ddd5b8b4b2`	`31f0592ee5e1`
- tag	`1.21.4`	`test`
- stream	latest
- provenance	`221f80c`
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	133 MB	144 MB (+10 MB)
- packages	170	177 (+7)
Base Image	`alpine:3.22.0` also known as: • `3` • `3.22` • `latest`	`alpine:3` also known as: • `3.22` • `latest`
- vulnerabilities

Policies (0 improved, 2 worsened, 3 missing data)

Policy Name	`djaytan/papermc-server:1.21.4`	`djaytan/papermc-server:test`	Change	Standing
No unapproved base images	⚠️ 1	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 14	⚠️ 15	+1	Worsened
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (10 package changes and 5 vulnerability changes)

➕ 8 packages added

➖ 1 packages removed

♾️ 1 packages changed

164 packages unchanged

❗ 5 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version `djaytan/papermc-server:1.21.4`	Version `djaytan/papermc-server:test`
➕	alpine-base		`3.22.0-r0`
➕	ca-certificates		`20241121-r2`
➕	gcc		`14.2.0-r6`
♾️	libxml2	`2.13.9-r0`	`2.13.8-r0`

			Added vulnerabilities (5):
➕	ncurses		`6.5_p20250503-r0`
➕	openssl		`3.5.0-r0`

			Added vulnerabilities (4):
➕	pax-utils		`1.3.8-r1`
➕	xz		`5.8.1-r0`

Changes for packages of type generic (2 changes)

	Package	Version `djaytan/papermc-server:1.21.4`	Version `djaytan/papermc-server:test`
➖	openjdk	`21.0.7`
➕	openjdk		`21.0.7`

github-actions · 2025-12-01T01:19:37Z

🔍 Vulnerabilities of `djaytan/papermc-server:test`

📦 Image Reference djaytan/papermc-server:test

digest	`sha256:31f0592ee5e1de1930b20901f3f4ec4e9b3e0cbe8907b8381533e718752d478b`
vulnerabilities
platform	linux/amd64
size	144 MB
packages	177

📦 Base Image alpine:3

also known as	`3.22` `3.22.0` `latest`
digest	`sha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce`
vulnerabilities

libxml2 2.13.8-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

Affected range	`<2.13.9-r0`
Fixed version	`2.13.9-r0`
EPSS Score	`0.459%`
EPSS Percentile	`63rd percentile`

Description

Affected range	`<2.13.9-r0`
Fixed version	`2.13.9-r0`
EPSS Score	`0.263%`
EPSS Percentile	`49th percentile`

Description

Affected range	`<2.13.9-r0`
Fixed version	`2.13.9-r0`
EPSS Score	`0.584%`
EPSS Percentile	`68th percentile`

Description

Affected range	`<2.13.9-r0`
Fixed version	`2.13.9-r0`
EPSS Score	`0.141%`
EPSS Percentile	`35th percentile`

Description

Affected range	`<2.13.9-r0`
Fixed version	`2.13.9-r0`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

stdlib 1.24.4 (golang)

pkg:golang/[email protected]

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.026%`
EPSS Percentile	`6th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.026%`
EPSS Percentile	`6th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.021%`
EPSS Percentile	`5th percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`>=1.24.0 <1.24.6`
Fixed version	`1.24.6`
EPSS Score	`0.020%`
EPSS Percentile	`5th percentile`

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.025%`
EPSS Percentile	`6th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.019%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.029%`
EPSS Percentile	`7th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.033%`
EPSS Percentile	`9th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.025%`
EPSS Percentile	`6th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/[email protected]

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.802%`
EPSS Percentile	`73rd percentile`

Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`1.437%`
EPSS Percentile	`80th percentile`

Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Improper Handling of Length Parameter Inconsistency

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`1.893%`
EPSS Percentile	`83rd percentile`

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Excessive Iteration

Affected range	`<1.21`
Fixed version	`1.21`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.843%`
EPSS Percentile	`74th percentile`

Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range	`>=1.3 <1.26.0`
Fixed version	`1.26.0`
CVSS Score	`5.9`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

openssl 3.5.0-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

Affected range	`<3.5.4-r0`
Fixed version	`3.5.4-r0`
EPSS Score	`0.026%`
EPSS Percentile	`6th percentile`

Description

Affected range	`<3.5.4-r0`
Fixed version	`3.5.4-r0`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Affected range	`<3.5.1-r0`
Fixed version	`3.5.1-r0`
EPSS Score	`0.015%`
EPSS Percentile	`2nd percentile`

Description

Affected range	`<3.5.4-r0`
Fixed version	`3.5.4-r0`
EPSS Score	`0.027%`
EPSS Percentile	`7th percentile`

Description

com.google.protobuf/protobuf-java 4.26.1 (maven)

pkg:maven/com.google.protobuf/[email protected]

Improper Input Validation

Affected range	`>=4.0.0-RC1 <4.27.5`
Fixed version	`4.27.5`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.085%`
EPSS Percentile	`25th percentile`

Description

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

protobuf-java (3.25.5, 4.27.5, 4.28.2)

protobuf-javalite (3.25.5, 4.27.5, 4.28.2)

protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)

protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)

com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/[email protected]

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<0.38.0`
Fixed version	`0.38.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`
EPSS Score	`0.019%`
EPSS Percentile	`4th percentile`

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Misinterpretation of Input

Affected range	`<0.36.0`
Fixed version	`0.36.0`
CVSS Score	`4.4`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L`
EPSS Score	`0.023%`
EPSS Percentile	`5th percentile`

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/[email protected]

Uncontrolled Recursion

Affected range	`>=2.0 <=2.6`
Fixed version	Not Fixed
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

busybox 1.37.0-r18 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

Affected range	`<1.37.0-r20`
Fixed version	`1.37.0-r20`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Affected range	`<1.37.0-r20`
Fixed version	`1.37.0-r20`
EPSS Score	`0.020%`
EPSS Percentile	`4th percentile`

Description

sonarqubecloud · 2025-12-17T01:03:27Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate bot added the t:dependencies label Dec 1, 2025

renovate bot requested a review from Djaytan as a code owner December 1, 2025 01:17

renovate bot added the t:dependencies label Dec 1, 2025

renovate bot changed the title ~~chore(deps): update github/codeql-action action to v3.31.5~~ chore(deps): update github/codeql-action action to v3.31.6 Dec 1, 2025

renovate bot force-pushed the renovate/github-codeql-action-3.x branch from c625b1a to c9b7ef3 Compare December 1, 2025 14:45

renovate bot changed the title ~~chore(deps): update github/codeql-action action to v3.31.6~~ chore(deps): update github/codeql-action action to v3.31.7 Dec 9, 2025

renovate bot force-pushed the renovate/github-codeql-action-3.x branch from c9b7ef3 to 295487f Compare December 9, 2025 17:11

renovate bot changed the title ~~chore(deps): update github/codeql-action action to v3.31.7~~ chore(deps): update github/codeql-action action to v3.31.8 Dec 12, 2025

renovate bot force-pushed the renovate/github-codeql-action-3.x branch from 295487f to f169380 Compare December 12, 2025 15:15

chore(deps): update github/codeql-action action to v3.31.9

e649aad

renovate bot force-pushed the renovate/github-codeql-action-3.x branch from f169380 to e649aad Compare December 17, 2025 01:03

renovate bot changed the title ~~chore(deps): update github/codeql-action action to v3.31.8~~ chore(deps): update github/codeql-action action to v3.31.9 Dec 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update github/codeql-action action to v3.31.9 #352

chore(deps): update github/codeql-action action to v3.31.9 #352

Uh oh!

renovate bot commented Dec 1, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Dec 1, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Dec 1, 2025 •

edited

Loading

Summary

Severity

Proof of Concept

Remediation and Mitigation

Uh oh!

sonarqubecloud bot commented Dec 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

chore(deps): update github/codeql-action action to v3.31.9 #352

Are you sure you want to change the base?

chore(deps): update github/codeql-action action to v3.31.9 #352

Uh oh!

Conversation

renovate bot commented Dec 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

CodeQL Action Changelog

3.31.9 - 16 Dec 2025

CodeQL Action Changelog

3.31.8 - 11 Dec 2025

CodeQL Action Changelog

3.31.7 - 05 Dec 2025

CodeQL Action Changelog

3.31.6 - 01 Dec 2025

CodeQL Action Changelog

3.31.5 - 24 Nov 2025

CodeQL Action Changelog

3.31.4 - 18 Nov 2025

CodeQL Action Changelog

3.31.3 - 13 Nov 2025

CodeQL Action Changelog

3.31.0 - 24 Oct 2025

CodeQL Action Changelog

3.30.9 - 17 Oct 2025

CodeQL Action Changelog

3.30.8 - 10 Oct 2025

CodeQL Action Changelog

3.30.7 - 06 Oct 2025

CodeQL Action Changelog

3.30.6 - 02 Oct 2025

CodeQL Action Changelog

3.30.5 - 26 Sep 2025

CodeQL Action Changelog

3.30.4 - 25 Sep 2025

CodeQL Action Changelog

3.30.3 - 10 Sep 2025

CodeQL Action Changelog

3.30.2 - 09 Sep 2025

CodeQL Action Changelog

3.30.1 - 05 Sep 2025

CodeQL Action Changelog

3.30.0 - 01 Sep 2025

CodeQL Action Changelog

3.29.11 - 21 Aug 2025

CodeQL Action Changelog

3.29.10 - 18 Aug 2025

CodeQL Action Changelog

3.29.9 - 12 Aug 2025

CodeQL Action Changelog

3.29.8 - 08 Aug 2025

CodeQL Action Changelog

3.29.6 - 07 Aug 2025

CodeQL Action Changelog

3.29.5 - 29 Jul 2025

CodeQL Action Changelog

3.29.4 - 23 Jul 2025

CodeQL Action Changelog

3.29.3 - 21 Jul 2025

Configuration

Uh oh!

github-actions bot commented Dec 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Overview

Uh oh!

github-actions bot commented Dec 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Vulnerabilities of djaytan/papermc-server:test

Summary

Severity

Proof of Concept

Remediation and Mitigation

Uh oh!

sonarqubecloud bot commented Dec 17, 2025

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

renovate bot commented Dec 1, 2025 •

edited

Loading

github-actions bot commented Dec 1, 2025 •

edited

Loading

github-actions bot commented Dec 1, 2025 •

edited

Loading

🔍 Vulnerabilities of `djaytan/papermc-server:test`