chore(deps): update docker.io/library/eclipse-temurin docker tag to v25

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/library/eclipse-temurin	final	major	21-jre-noble → 25-jre-noble

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.01s
✅ DOCKERFILE	hadolint	1		0	0	0.24s
✅ JSON	jsonlint	6		0	0	0.17s
✅ JSON	npm-package-json-lint	yes		no	no	0.74s
✅ JSON	prettier	6		0	0	0.73s
✅ JSON	v8r	6		0	0	8.14s
✅ MARKDOWN	markdownlint	2		0	0	0.89s
✅ MARKDOWN	markdown-table-formatter	2		0	0	0.33s
✅ REPOSITORY	checkov	yes		no	no	33.23s
✅ REPOSITORY	dustilock	yes		no	no	0.12s
✅ REPOSITORY	gitleaks	yes		no	no	0.42s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
❌ REPOSITORY	grype	yes		4	2	52.23s
⚠️ REPOSITORY	kics	yes		no	1	39.46s
✅ REPOSITORY	secretlint	yes		no	no	1.62s
✅ REPOSITORY	syft	yes		no	no	4.53s
❌ REPOSITORY	trivy	yes		4	no	13.25s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.76s
✅ REPOSITORY	trufflehog	yes		no	no	5.11s
✅ YAML	prettier	10		0	0	0.72s
✅ YAML	v8r	10		0	0	9.77s
✅ YAML	yamllint	10		0	0	0.9s

Detailed Issues

❌ REPOSITORY / grype - 4 errors

warning: A medium vulnerability in npm package: lodash, version 4.17.21 was found at: /package-lock.json

warning: A medium vulnerability in npm package: lodash, version 4.17.21 was found at: /package-lock.json

error: A high vulnerability in npm package: glob, version 10.4.5 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

warning: 2 warnings emitted
error: 4 errors emitted

❌ REPOSITORY / trivy - 4 errors

error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ package-lock.json:1127:1
     │  
1127 │ ╭     "node_modules/minizlib/node_modules/glob": {
1128 │ │       "version": "10.4.5",
1129 │ │       "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
1130 │ │       "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
     · │
1145 │ │       }
1146 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-23950
Severity: HIGH
Fixed Version: 7.5.4
Link: [CVE-2026-23950](https://avd.aquasec.com/nvd/cve-2026-23950)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
     = node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: [CVE-2026-24842](https://avd.aquasec.com/nvd/cve-2026-24842)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
     = node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

error: 4 errors emitted

⚠️ REPOSITORY / kics - 1 warning

warning: Dockerfile doesn't contain instruction 'HEALTHCHECK'
  ┌─ Dockerfile:1:1
  │
1 │ FROM docker.io/library/eclipse-temurin:25-jre-noble@sha256:be96a9c92694b6f84260445f7885acc9b2b933fb621d349948a24cdf4504ae7c
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  │
  = Healthcheck Instruction Missing
  = Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

warning: 1 warnings emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/cupcake@v9.2.0 (88 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

Trivy image scan report

ghcr.io/miracum/ig-build-tools:pr-234 (ubuntu 24.04)

No Vulnerabilities found

No Misconfigurations found

Java

13 known vulnerabilities found (HIGH: 4 MEDIUM: 6 LOW: 3 CRITICAL: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
ch.qos.logback:logback-core	CVE-2024-12798	MEDIUM	1.2.13	1.5.13, 1.3.15
ch.qos.logback:logback-core	CVE-2025-11226	MEDIUM	1.2.13	1.5.19, 1.3.16
ch.qos.logback:logback-core	CVE-2024-12801	LOW	1.2.13	1.5.13, 1.3.15
ch.qos.logback:logback-core	CVE-2026-1225	LOW	1.2.13	1.5.25
ch.qos.logback:logback-core	CVE-2026-1225	LOW	1.5.20	1.5.25
com.nimbusds:nimbus-jose-jwt	CVE-2025-53864	MEDIUM	9.37.3	10.0.2, 9.37.4
commons-beanutils:commons-beanutils	CVE-2025-48734	HIGH	1.9.4	1.11.0
org.apache.commons:commons-lang3	CVE-2025-48924	MEDIUM	3.14.0	3.18.0
org.fhir:ucum	CVE-2024-55887	HIGH	1.0.3	1.0.9
org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli	CVE-2024-52807	HIGH	1.7.1	1.7.4
org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli	CVE-2025-24363	MEDIUM	1.7.1	1.8.9
org.hl7.fhir.publisher:org.hl7.fhir.publisher.core	CVE-2024-52807	HIGH	1.7.1	1.7.4
org.hl7.fhir.publisher:org.hl7.fhir.publisher.core	CVE-2025-24363	MEDIUM	1.7.1	1.8.9

No Misconfigurations found

Node.js

6 known vulnerabilities found (MEDIUM: 2 LOW: 0 CRITICAL: 0 HIGH: 4)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
glob	CVE-2025-64756	HIGH	10.4.5	11.1.0, 10.5.0
lodash	CVE-2025-13465	MEDIUM	4.17.21	4.17.23
lodash	CVE-2025-13465	MEDIUM	4.17.21	4.17.23
tar	CVE-2026-23745	HIGH	7.4.3	7.5.3
tar	CVE-2026-23950	HIGH	7.4.3	7.5.4
tar	CVE-2026-24842	HIGH	7.4.3	7.5.7

No Misconfigurations found

Ruby

No Vulnerabilities found

No Misconfigurations found

root/.dotnet/tools/.store/firely.terminal/3.4.0/firely.terminal/3.4.0/tools/net8.0/any/Firely.Terminal.deps.json

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/miracum/ig-build-tools:pr-234 (ubuntu 24.04)

No Vulnerabilities found

No Misconfigurations found

Java

13 known vulnerabilities found (CRITICAL: 0 HIGH: 4 MEDIUM: 6 LOW: 3)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
ch.qos.logback:logback-core	CVE-2024-12798	MEDIUM	1.2.13	1.5.13, 1.3.15
ch.qos.logback:logback-core	CVE-2025-11226	MEDIUM	1.2.13	1.5.19, 1.3.16
ch.qos.logback:logback-core	CVE-2024-12801	LOW	1.2.13	1.5.13, 1.3.15
ch.qos.logback:logback-core	CVE-2026-1225	LOW	1.2.13	1.5.25
ch.qos.logback:logback-core	CVE-2026-1225	LOW	1.5.20	1.5.25
com.nimbusds:nimbus-jose-jwt	CVE-2025-53864	MEDIUM	9.37.3	10.0.2, 9.37.4
commons-beanutils:commons-beanutils	CVE-2025-48734	HIGH	1.9.4	1.11.0
org.apache.commons:commons-lang3	CVE-2025-48924	MEDIUM	3.14.0	3.18.0
org.fhir:ucum	CVE-2024-55887	HIGH	1.0.3	1.0.9
org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli	CVE-2024-52807	HIGH	1.7.1	1.7.4
org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli	CVE-2025-24363	MEDIUM	1.7.1	1.8.9
org.hl7.fhir.publisher:org.hl7.fhir.publisher.core	CVE-2024-52807	HIGH	1.7.1	1.7.4
org.hl7.fhir.publisher:org.hl7.fhir.publisher.core	CVE-2025-24363	MEDIUM	1.7.1	1.8.9

No Misconfigurations found

Node.js

6 known vulnerabilities found (CRITICAL: 0 HIGH: 4 MEDIUM: 2 LOW: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
glob	CVE-2025-64756	HIGH	10.4.5	11.1.0, 10.5.0
lodash	CVE-2025-13465	MEDIUM	4.17.21	4.17.23
lodash	CVE-2025-13465	MEDIUM	4.17.21	4.17.23
tar	CVE-2026-23745	HIGH	7.4.3	7.5.3
tar	CVE-2026-23950	HIGH	7.4.3	7.5.4
tar	CVE-2026-24842	HIGH	7.4.3	7.5.7

No Misconfigurations found

Ruby

No Vulnerabilities found

No Misconfigurations found

root/.dotnet/tools/.store/firely.terminal/3.4.0/firely.terminal/3.4.0/tools/net8.0/any/Firely.Terminal.deps.json

No Vulnerabilities found

No Misconfigurations found