Bump dependency zizmor to v1.15.1

[renovate]

This PR contains the following updates:

Package	Update	Change
zizmor	minor	1.14.2 -> 1.15.1

---

Release Notes

zizmorcore/zizmor (zizmor)

v1.15.1

Compare Source

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would fail to parse Dependabot configuration files due to missing support for some package ecosystems (#​1240)

v1.15.0

Compare Source

This release comes with support for auditing Dependabot configuration files! Like with composite action definition auditing (introduced in v1.0.0), Dependabot configuration auditing is enabled by default but can be disabled as part of input collection.

To complement this new functionality, this release comes with two new audits: dependabot-execution and dependabot-cooldown.

New Features 🌈🔗

• New audit: dependabot-execution detects Dependabot configurations that allow insecure external code execution (#​1220)

• New audit: dependabot-cooldown detects Dependabot configurations that do not include cooldown settings, or that set an insufficient cooldown (#​1223)

Performance Improvements 🚄🔗

• zizmor now uses jemalloc as its default allocator on non-MSVC targets, which should significantly improve performance for Linux and macOS users (#​1200)

Enhancements 🌱🔗

• zizmor now unconditionally emits its version number to stderr on startup (#​1199)

• The ref-version-mismatch audit now supports auto-fixes for many findings (#​1205)

  Many thanks to @​mostafa for implementing this improvement!

• The [impostor-commit] audit now supports auto-fixes for many findings (#​1090)

  Many thanks to @​mostafa for implementing this improvement!

• zizmor is now more resilient to sporadic request failures when performing GitHub API requests (#​1219)

• --collect=dependabot is now supported as a collection option, allowing users to audit only Dependabot configuration files (#​1215)

• The --fix mode (introduced with v1.10.0) is now considered stable and no longer experimental (#​1232)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would fail instead of analyzing single-file inputs that lacked an explicit parent path component, e.g. zizmor foo.yml instead of zizmor ./foo.yml (#​1212)

Deprecations ⚠️🔗

• The workflows-only and actions-only values for --collect are now deprecated. These values have been replaced with workflows and actions, respectively, which have the same behavior but can be composed together with other collection modes. The deprecated modes will be removed in a future release (#​1228)

  Until removal, using these values will emit a warning.

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 09:59 PM, Monday through Friday ( * 5-21 * * MON-FRI ) in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (1.15.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.