
Conversation

@dependabot (Contributor) dependabot bot commented on behalf of github, Nov 12, 2025

Bumps softprops/action-gh-release from 2.0.6 to 2.4.2.

Release notes

Sourced from softprops/action-gh-release's releases.

v2.4.2

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

New Contributors

Full Changelog: softprops/action-gh-release@v2.4.1...v2.4.2

v2.4.1

What's Changed

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

What's Changed

Exciting New Features 🎉

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2.3.4...v2.4.0

v2.3.4

What's Changed

Bug fixes 🐛

Other Changes 🔄

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.4.2

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

2.4.1

What's Changed

Other Changes 🔄

2.4.0

What's Changed

Exciting New Features 🎉

2.3.4

What's Changed

Bug fixes 🐛

Other Changes 🔄

  • dependency updates

2.3.3

What's Changed

Exciting New Features 🎉

Other Changes 🔄

... (truncated)

Commits
  • 5be0e66 release 2.4.2
  • af658b4 feat: Ensure generated release notes cannot be over 125000 characters (#684)
  • 237aacc chore: bump node to 24.11.0
  • 00362be chore(deps): bump the npm group with 5 updates (#687)
  • 0adea5a chore(deps): bump the npm group with 3 updates (#686)
  • aa05f9d chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 in the github-action...
  • bbaccb3 chore(deps): bump @types/node from 20.19.21 to 20.19.22 in the npm group (#682)
  • 50fda3f chore(deps): bump vite from 7.1.5 to 7.1.11 (#681)
  • 5434409 chore(deps): bump @types/node from 20.19.19 to 20.19.21 in the npm group (#679)
  • 6da8fa9 release 2.4.1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.6 to 2.4.2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@a74c6b7...5be0e66)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and github_actions (Pull requests that update GitHub Actions code) labels, Nov 12, 2025
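The PR above moves the workflow from one tag of softprops/action-gh-release to another (2.0.6 to 2.4.2). A tag is a mutable ref: whoever can push to the upstream repository can move it, so a workflow that says `uses: softprops/action-gh-release@v2.4.2` runs whatever that tag points at on the day the job runs. The commit message already names the concrete commits (compare a74c6b7...5be0e66); pinning the `uses:` line to the full 40-hex commit SHA, with the version in a trailing comment so Dependabot can keep tracking it, makes the reference immutable. The following is an added example, not code from this PR, from Dependabot, or from action-gh-release: it scans workflow text for `uses:` references that are not SHA-pinned. The workflow text is constructed, and the two 40-hex values in it are placeholders, not the real commits behind the versions named in the comments.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example (not part of the PR or of softprops/action-gh-release).
"""
import re
from dataclasses import dataclass
from typing import Optional

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref   # optional comment` (quotes around the value optional).
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(#.*)?$""")


@dataclass
class UsesRef:
    line: int
    action: str                      # e.g. softprops/action-gh-release
    ref: str                         # tag, branch or SHA after the '@'
    pinned_to_sha: bool
    version_comment: Optional[str]   # text after '#', if any


def audit_workflow(text: str) -> list[UsesRef]:
    """Parse every remote `uses:` line; local (./) and docker:// actions are skipped.

    Reusable-workflow references (owner/repo/.github/workflows/x.yml@ref) are
    matched as well, since they are remote refs with the same mutability problem.
    """
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        action, _, ref = uses.partition("@")
        refs.append(UsesRef(
            line=lineno,
            action=action,
            ref=ref,
            pinned_to_sha=bool(FULL_SHA_RE.match(ref)),
            version_comment=comment[1:].strip() if comment else None,
        ))
    return refs


def problems(text: str) -> list[str]:
    """Findings: refs not pinned to a SHA, and SHA pins with no version comment
    (without the comment, Dependabot cannot tell which version the SHA is)."""
    out = []
    for r in audit_workflow(text):
        if not r.pinned_to_sha:
            out.append(f"line {r.line}: {r.action}@{r.ref} is not pinned to a commit SHA")
        elif not r.version_comment:
            out.append(f"line {r.line}: {r.action} is SHA-pinned but has no version comment")
    return out


# Constructed sample workflow. Both 40-hex values are PLACEHOLDERS, not the real
# commits for the versions in the comments; resolve real ones with
# `git ls-remote --tags https://github.com/softprops/action-gh-release v2.4.2`.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2.4.2
        with:
          files: dist/*
      - uses: softprops/action-gh-release@0123456789abcdef0123456789abcdef01234567  # v2.4.2
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for p in problems(SAMPLE_WORKFLOW):
        print(p)
```

When resolving a tag with `git ls-remote --tags`, an annotated tag prints two lines; the `^{}` (peeled) line is the commit SHA to pin, the other is the tag object. Run the script over every file under `.github/workflows/` and fail the job if `problems()` is non-empty.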
@cx-ben-alvo (Collaborator)

Checkmarx One – Scan Summary & Details c4840c81-3620-4ec7-802a-f19c55bbcca6

New Issues (35)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

  • CRITICAL | Cx6057d4e5-4760 | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc...
    ID: 3xsgXvhrykjVoZ7YVTWpHSJdsJo4kvSkY%2BkFpvAAMBY%3D
  • CRITICAL | Cx657a3ff1-7b92 | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package downloads a harmful file. File hash: `7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5` ### About Using a dynamic...
    ID: KZ61piTHrLmaHz3yYZ9mZY2g3HAHWG0pM1AASTKzeWA%3D
  • CRITICAL | Cxa079aba6-fc3c | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package exfiltrates stored credentials and sensitive information ### About Data exfiltration may be done in numerous ways such as through HTT...
    ID: VFqwzZZOANDuGRuOhiGP7NsAjXmNLDT4IUpPL9Wvcg8%3D
  • CRITICAL | Cxb34b508c-969f | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package exfiltrates computer and operating system information ### About Data exfiltration may be done in numerous ways such as through HTTP r...
    ID: xVVsxIL8wtdaE2AjrxtD62qGS8KLmkfkDav9OGVKqxI%3D
  • CRITICAL | Cxb5dfb167-23a8 | Npm-coa-3.1.3 | Vulnerable Package
    Description: The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as p...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: OtjL1R24bVUVYTu548sMkY0JCgchnhDf18nFDxEOBDw%3D
  • CRITICAL | Cxbd621f75-d5df | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package downloads a harmful file. File hash: `ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e` ### About Using a dynamic...
    ID: xH5rVpbADkzNLaMGpmQIXlNx%2B9uVsAsp%2FkC7YVgqKJk%3D
  • CRITICAL | Cxc2338b3a-b052 | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package downloads a harmful file. File hash: `2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd` ### About Using a dynamic...
    ID: ZdgKScIjvJ7Ult6WjUHJb8AiO0N3UEzbReFVJQkB4o4%3D
  • CRITICAL | Cxc56b90ed-4804 | Npm-coa-3.1.3 | Vulnerable Package
    Description: This package executes a crypto mining software ### About Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem ...
    ID: JVqDomM5Npg7zuGyWGmKfV1vlHIXFXTwLiY0Vm5ubuY%3D
  • HIGH | CVE-2024-12905 | Npm-tar-fs-1.16.3 | Vulnerable Package
    Recommended version: 1.16.6
    Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: 5%2FE%2FQ67vMPkN8oyJ%2B7r6%2FyeiMKUoAwgCyWR88dbeZcE%3D
  • HIGH | CVE-2024-12905 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: cvPvE0o%2F%2B5k6yGCUEqEkrZ4ELqqEdDRdRB40YL9B%2By4%3D
  • HIGH | CVE-2024-21538 | Npm-cross-spawn-6.0.5 | Vulnerable Package
    Recommended version: 6.0.6
    Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: bk6GXg2iYyH%2BqMDlZxTsCQpjii%2F5DPtqUkftsKQ6D%2BM%3D
  • HIGH | CVE-2024-21538 | Npm-cross-spawn-7.0.3 | Vulnerable Package
    Recommended version: 7.0.5
    Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: Kj4JizyKJPf3AJGPXmggRBkJpE6oqnFFelnW0WsSiIk%3D
  • HIGH | CVE-2025-48387 | Npm-tar-fs-1.16.3 | Vulnerable Package
    Recommended version: 1.16.6
    Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: EXKLWfjB7AdjQ8pzTZDtVIy%2BIioSez0tgm0ynfa5%2Fbk%3D
  • HIGH | CVE-2025-48387 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: ogP4ASf5oBE%2B5Ax1B03UtDPAcX3pDrNoWEkDItzR3PU%3D
  • HIGH | CVE-2025-59343 | Npm-tar-fs-1.16.3 | Vulnerable Package
    Recommended version: 1.16.6
    Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: CGAN%2Fiy3YC9lmaA%2F5bBFarliKGYeYT9j7HhR%2BrRKi2w%3D
  • HIGH | CVE-2025-59343 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: PEizoAL8H6xixUakvTsKG%2B7oWyKQKmABZjAbr53epfY%3D
  • HIGH | Cx687dda59-2e3a | Npm-unzip-stream-0.3.1 | Vulnerable Package
    Recommended version: 0.3.2
    Description: The unzip-stream allows Arbitrary File Write via artifact extraction. When using the "Extract()" method of unzip-stream, malicious zip files were a...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: S08vMLz6lNJ4n7%2F%2FPTmRUNLbeU1F7emYD3yYh5w4RrQ%3D
  • HIGH | Cxc7705965-e0f0 | Npm-@babel/core-7.15.0 | Vulnerable Package
    Recommended version: 7.18.6
    Description: The @babel/core package versions prior to 7.18.6 were discovered to contain a memory leak vulnerability.
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: NRNE4da%2B%2FatvolSaB5XIXKwKf1C7o7ypqSv8Bib0nZY%3D
  • HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6 | Vulnerable Package
    Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: gbyvttybFBRwDEt3Ws8Wp3vHhKs3k%2BeOeWknmNljqwQ%3D
  • MEDIUM | ALB Listening on HTTP | /positive1.tf: 9
    Description: AWS Application Load Balancer (alb) should not listen on HTTP
    ID: yZXbrnwNo%2FZnfgvlzkJfobryAGE%3D
  • MEDIUM | CVE-2023-0842 | Npm-xml2js-0.4.23 | Vulnerable Package
    Recommended version: 0.5.0
    Description: The xml2js in versions prior to 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the applicat...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: jdInqA3vEfaa9zdFv6hFxDZhirWqE6o4HQESCvDCKz4%3D
  • MEDIUM | CVE-2024-11831 | Npm-serialize-javascript-6.0.0 | Vulnerable Package
    Recommended version: 6.0.2
    Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: Em1uyObL%2Fy9fZHxpUo4c077B4Ku8btdA8%2BQ03Si3WeE%3D
  • MEDIUM | CVE-2024-4067 | Npm-micromatch-4.0.5 | Vulnerable Package
    Recommended version: 4.0.8
    Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch....
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: gNzRDF%2BeGHAdr3wSdvi%2BqEcMp7A7yBmtYYN9oAGAXyc%3D
  • MEDIUM | CVE-2024-43788 | Npm-webpack-5.90.1 | Vulnerable Package
    Recommended version: 5.94.0
    Description: Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundlin...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: Li3XYDKyIKQS%2FhA7sMG8s2pHEMpk3NOkMLmt8Jp8CKo%3D
  • MEDIUM | CVE-2024-55565 | Npm-nanoid-3.3.3 | Vulnerable Package
    Recommended version: 3.3.8
    Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values.
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: I146TRvfyjHhgCCFrsw%2B8AmtZeOdHM2TgYp3LKhVaNc%3D
  • MEDIUM | CVE-2025-54798 | Npm-tmp-0.2.1 | Vulnerable Package
    Recommended version: 0.2.4
    Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: 36z%2BDzzuzPIE7GQCkfyIkGUktzHVeQc8uMznuapBjsQ%3D
  • MEDIUM | CVE-2025-54798 | Npm-tmp-0.0.30 | Vulnerable Package
    Recommended version: 0.2.4
    Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: tvY5enxDm5%2FoGLs6t%2FDeRkhvJ3D93bVpEyM0jYIeniA%3D
  • MEDIUM | ELBv2 LB Access Log Disabled | /positive1.tf: 15
    Description: ELBv2 LBs should have access log enabled to capture detailed information about requests sent to your load balancer.
    ID: T6F6kPHYKPFyDpB87WgOa6ulhic%3D
  • LOW | APT-GET Missing Flags To Avoid Manual Input | /Dockerfile: 5
    Description: Check if apt-get calls use flags to avoid user manual input.
    ID: PP9WHiBQsCBajZJkTBnbeQ%2FWmoo%3D
  • LOW | CVE-2025-5889 | Npm-brace-expansion-1.1.11 | Vulnerable Package
    Recommended version: 1.1.12
    Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: 9FMpmKq0oZ9CvSKu2GM8APPRu6uMbBlvqjg5pSQ%2BadE%3D
  • LOW | CVE-2025-5889 | Npm-brace-expansion-2.0.1 | Vulnerable Package
    Recommended version: 2.0.2
    Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: VrCimVj%2B2nZOY2kRWukFm8sCp9I2Y%2BezAj%2FWXbI9pts%3D
  • LOW | Cx8bc4df28-fcf5 | Npm-debug-4.3.4 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: ftFJ3k0lfsvmndAYkyhAVWV2wslj7FPWXjoehm5PzKo%3D
  • LOW | Healthcheck Instruction Missing | /Dockerfile: 1
    Description: Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
    ID: GFv7YpwPyFMEfyTpNssycczyYxE%3D
  • LOW | IAM Access Analyzer Not Enabled | /positive1.tf: 1
    Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
    ID: lBtOCwOL2iHuQvGMcYE7rViwtdM%3D
  • LOW | Shield Advanced Not In Use | /positive1.tf: 15
    Description: AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing,...
    ID: uksw0A3tt%2BuOK%2Bie011Hp%2FcD5Dk%3D

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR
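Two of the findings in the scan summary above are worth triaging by hand rather than by bumping the top-level dependency: coa 3.1.3 is flagged as a malicious publish (the quoted advisory text says versions 2.0.3 and above are affected and 2.0.2 is the rollback target), and tar-fs 1.16.3 / 2.1.1 sit below the fixed versions 1.16.6 / 2.1.4 (3.1.1 on the 3.x line, per the CVE-2025-59343 text). What a reviewer needs first is where in the lockfile each hit is installed, because a copy nested under another package is untouched by a top-level upgrade. The following added example, which is not code from Checkmarx, from this PR, or from action-gh-release, walks a package-lock.json (lockfileVersion 1, 2 or 3) against rules built from those two findings and reports the node_modules path of each hit. The lockfile contents and the package named build-helper are constructed for the example.

```python
"""Walk a package-lock.json and report installed versions that match denylist
rules, with the node_modules path of each hit.

Added example; not Checkmarx, Dependabot or action-gh-release code.
"""
import json
from typing import Callable, Iterator


def version_tuple(v: str) -> tuple:
    """'2.1.4' -> (2, 1, 4); pre-release and build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def below_floor(floors: dict[int, tuple]) -> Callable[[str], bool]:
    """Flag a version when its major line has a floor and it is below that floor."""
    def check(v: str) -> bool:
        t = version_tuple(v)
        floor = floors.get(t[0])
        return floor is not None and t < floor
    return check


# Rules built from two findings in the scan summary (constructed here, not a
# Checkmarx feed): coa 2.0.3+ per the advisory text; tar-fs fixed in
# 1.16.6 / 2.1.4 / 3.1.1 per the CVE-2025-59343 text.
RULES: dict[str, tuple[Callable[[str], bool], str]] = {
    "coa": (lambda v: version_tuple(v) >= (2, 0, 3),
            "malicious versions published; advisory says roll back to 2.0.2"),
    "tar-fs": (below_floor({1: (1, 16, 6), 2: (2, 1, 4), 3: (3, 1, 1)}),
               "CVE-2025-59343 symlink validation bypass; fixed in 1.16.6 / 2.1.4 / 3.1.1"),
}


def iter_installed(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, node_modules path) for every installed package.

    lockfileVersion 2/3 carry a flat `packages` map keyed by install path
    ("" is the root project). lockfileVersion 1 nests `dependencies` per entry.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path == "":
                continue
            # Scoped names (node_modules/@babel/core) survive the rsplit.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path
        return

    def walk(deps: dict, prefix: str):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_denied(lock_text: str) -> list[dict]:
    """One record per hit: name, version, install path and the rule's reason."""
    hits = []
    for name, version, path in iter_installed(json.loads(lock_text)):
        rule = RULES.get(name)
        if rule and version and rule[0](version):
            hits.append({"name": name, "version": version, "path": path, "reason": rule[1]})
    return hits


# Constructed lockfiles. "build-helper" is a hypothetical package carrying its
# own nested copy of coa, which bumping the top-level coa would not touch.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-action", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-action", "version": "1.0.0"},
        "node_modules/coa": {"version": "2.0.2"},
        "node_modules/build-helper": {"version": "1.0.0", "dependencies": {"coa": "^3.1.3"}},
        "node_modules/build-helper/node_modules/coa": {"version": "3.1.3"},
        "node_modules/tar-fs": {"version": "2.1.1"},
        "node_modules/@babel/core": {"version": "7.15.0"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-action", "lockfileVersion": 1,
    "dependencies": {
        "build-helper": {"version": "1.0.0",
                         "dependencies": {"coa": {"version": "3.1.3"}}},
        "tar-fs": {"version": "1.16.3"},
    },
})

if __name__ == "__main__":
    for hit in find_denied(SAMPLE_LOCK_V3):
        print(f"{hit['name']}@{hit['version']} at {hit['path']}: {hit['reason']}")
```

On a checked-out project `npm ls coa` answers the same "where is it installed" question; the script is for the case where the only artifact at hand is the lockfile from the PR diff. For the coa hit the path tells you which parent package has to be upgraded or replaced, since pinning coa at the top level does nothing for a nested copy.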
