chore(ci): bump the gh-actions-packages group with 2 updates

[dependabot]

Bumps the gh-actions-packages group with 2 updates: actions/cache and github/codeql-action.

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• See full diff in compare view

Updates github/codeql-action from 4.35.1 to 4.35.2

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

... (truncated)

Commits

• 95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
• 6f31bfe Update changelog for v4.35.2
• d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
• 60abb65 Add changelog note
• 5a0a562 Update default bundle to codeql-bundle-v2.25.2
• 6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
• 3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
• f1c3393 Rebuild
• 1024fc4 Rebuild
• 9dd4cfe Bump the npm-minor group across 1 directory with 6 updates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[pr-commenter]

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	dependabot/github_actions/gh-actions-packages-04db8ab777
git_commit_date	1776788798	1776792444
git_commit_sha	6880c80	85d0bac
release_version	1.62.0-SNAPSHOT~6880c80c48	1.62.0-SNAPSHOT~85d0bacb2c

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1776794380	1776794380
ci_job_id	1616632174	1616632174
ci_pipeline_id	108855240	108855240
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-jk8g1ubj 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-jk8g1ubj 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 62 metrics, 9 unstable metrics.

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.056 s) : 0, 1055644
Total [baseline] (8.797 s) : 0, 8797417
Agent [candidate] (1.055 s) : 0, 1054832
Total [candidate] (8.819 s) : 0, 8818969
section iast
Agent [baseline] (1.245 s) : 0, 1245491
Total [baseline] (9.575 s) : 0, 9575044
Agent [candidate] (1.239 s) : 0, 1239277
Total [candidate] (9.626 s) : 0, 9625749

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.056 s	-
Agent	iast	1.245 s	189.847 ms (18.0%)
Total	tracing	8.797 s	-
Total	iast	9.575 s	777.627 ms (8.8%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.055 s	-
Agent	iast	1.239 s	184.445 ms (17.5%)
Total	tracing	8.819 s	-
Total	iast	9.626 s	806.78 ms (9.1%)

gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.24 ms) : 0, 1240
crashtracking [candidate] (1.227 ms) : 0, 1227
BytebuddyAgent [baseline] (632.116 ms) : 0, 632116
BytebuddyAgent [candidate] (632.17 ms) : 0, 632170
AgentMeter [baseline] (29.524 ms) : 0, 29524
AgentMeter [candidate] (29.537 ms) : 0, 29537
GlobalTracer [baseline] (248.245 ms) : 0, 248245
GlobalTracer [candidate] (248.462 ms) : 0, 248462
AppSec [baseline] (32.474 ms) : 0, 32474
AppSec [candidate] (32.408 ms) : 0, 32408
Debugger [baseline] (59.056 ms) : 0, 59056
Debugger [candidate] (59.08 ms) : 0, 59080
Remote Config [baseline] (595.149 µs) : 0, 595
Remote Config [candidate] (590.806 µs) : 0, 591
Telemetry [baseline] (8.013 ms) : 0, 8013
Telemetry [candidate] (7.966 ms) : 0, 7966
Flare Poller [baseline] (8.324 ms) : 0, 8324
Flare Poller [candidate] (7.371 ms) : 0, 7371
section iast
crashtracking [baseline] (1.252 ms) : 0, 1252
crashtracking [candidate] (1.218 ms) : 0, 1218
BytebuddyAgent [baseline] (818.067 ms) : 0, 818067
BytebuddyAgent [candidate] (813.962 ms) : 0, 813962
AgentMeter [baseline] (11.609 ms) : 0, 11609
AgentMeter [candidate] (11.643 ms) : 0, 11643
GlobalTracer [baseline] (241.971 ms) : 0, 241971
GlobalTracer [candidate] (241.08 ms) : 0, 241080
IAST [baseline] (30.316 ms) : 0, 30316
IAST [candidate] (29.494 ms) : 0, 29494
AppSec [baseline] (26.424 ms) : 0, 26424
AppSec [candidate] (28.756 ms) : 0, 28756
Debugger [baseline] (67.612 ms) : 0, 67612
Debugger [candidate] (65.192 ms) : 0, 65192
Remote Config [baseline] (546.875 µs) : 0, 547
Remote Config [candidate] (545.901 µs) : 0, 546
Telemetry [baseline] (7.861 ms) : 0, 7861
Telemetry [candidate] (7.906 ms) : 0, 7906
Flare Poller [baseline] (3.469 ms) : 0, 3469
Flare Poller [candidate] (3.498 ms) : 0, 3498

Loading

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.058 s) : 0, 1058107
Total [baseline] (11.091 s) : 0, 11091057
Agent [candidate] (1.056 s) : 0, 1056038
Total [candidate] (11.013 s) : 0, 11013115
section appsec
Agent [baseline] (1.259 s) : 0, 1258739
Total [baseline] (11.003 s) : 0, 11002678
Agent [candidate] (1.265 s) : 0, 1264707
Total [candidate] (10.972 s) : 0, 10972112
section iast
Agent [baseline] (1.23 s) : 0, 1229830
Total [baseline] (11.29 s) : 0, 11289750
Agent [candidate] (1.24 s) : 0, 1240363
Total [candidate] (11.392 s) : 0, 11391869
section profiling
Agent [baseline] (1.188 s) : 0, 1187931
Total [baseline] (10.995 s) : 0, 10994946
Agent [candidate] (1.184 s) : 0, 1184022
Total [candidate] (10.979 s) : 0, 10978866

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.058 s	-
Agent	appsec	1.259 s	200.632 ms (19.0%)
Agent	iast	1.23 s	171.722 ms (16.2%)
Agent	profiling	1.188 s	129.824 ms (12.3%)
Total	tracing	11.091 s	-
Total	appsec	11.003 s	-88.379 ms (-0.8%)
Total	iast	11.29 s	198.693 ms (1.8%)
Total	profiling	10.995 s	-96.111 ms (-0.9%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.056 s	-
Agent	appsec	1.265 s	208.67 ms (19.8%)
Agent	iast	1.24 s	184.326 ms (17.5%)
Agent	profiling	1.184 s	127.984 ms (12.1%)
Total	tracing	11.013 s	-
Total	appsec	10.972 s	-41.003 ms (-0.4%)
Total	iast	11.392 s	378.754 ms (3.4%)
Total	profiling	10.979 s	-34.249 ms (-0.3%)

gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.226 ms) : 0, 1226
crashtracking [candidate] (1.218 ms) : 0, 1218
BytebuddyAgent [baseline] (631.521 ms) : 0, 631521
BytebuddyAgent [candidate] (632.193 ms) : 0, 632193
AgentMeter [baseline] (29.557 ms) : 0, 29557
AgentMeter [candidate] (29.516 ms) : 0, 29516
GlobalTracer [baseline] (250.006 ms) : 0, 250006
GlobalTracer [candidate] (248.553 ms) : 0, 248553
AppSec [baseline] (32.573 ms) : 0, 32573
AppSec [candidate] (32.319 ms) : 0, 32319
Debugger [baseline] (60.117 ms) : 0, 60117
Debugger [candidate] (59.965 ms) : 0, 59965
Remote Config [baseline] (600.74 µs) : 0, 601
Remote Config [candidate] (591.295 µs) : 0, 591
Telemetry [baseline] (8.037 ms) : 0, 8037
Telemetry [candidate] (8.051 ms) : 0, 8051
Flare Poller [baseline] (8.341 ms) : 0, 8341
Flare Poller [candidate] (7.546 ms) : 0, 7546
section appsec
crashtracking [baseline] (1.233 ms) : 0, 1233
crashtracking [candidate] (1.233 ms) : 0, 1233
BytebuddyAgent [baseline] (672.923 ms) : 0, 672923
BytebuddyAgent [candidate] (677.158 ms) : 0, 677158
AgentMeter [baseline] (12.091 ms) : 0, 12091
AgentMeter [candidate] (12.206 ms) : 0, 12206
GlobalTracer [baseline] (248.493 ms) : 0, 248493
GlobalTracer [candidate] (249.279 ms) : 0, 249279
AppSec [baseline] (186.124 ms) : 0, 186124
AppSec [candidate] (186.257 ms) : 0, 186257
Debugger [baseline] (65.504 ms) : 0, 65504
Debugger [candidate] (65.831 ms) : 0, 65831
Remote Config [baseline] (570.529 µs) : 0, 571
Remote Config [candidate] (576.543 µs) : 0, 577
Telemetry [baseline] (7.877 ms) : 0, 7877
Telemetry [candidate] (7.952 ms) : 0, 7952
Flare Poller [baseline] (3.458 ms) : 0, 3458
Flare Poller [candidate] (3.492 ms) : 0, 3492
IAST [baseline] (24.248 ms) : 0, 24248
IAST [candidate] (24.349 ms) : 0, 24349
section iast
crashtracking [baseline] (1.244 ms) : 0, 1244
crashtracking [candidate] (1.228 ms) : 0, 1228
BytebuddyAgent [baseline] (807.874 ms) : 0, 807874
BytebuddyAgent [candidate] (816.495 ms) : 0, 816495
AgentMeter [baseline] (11.392 ms) : 0, 11392
AgentMeter [candidate] (11.553 ms) : 0, 11553
GlobalTracer [baseline] (238.501 ms) : 0, 238501
GlobalTracer [candidate] (240.275 ms) : 0, 240275
AppSec [baseline] (28.457 ms) : 0, 28457
AppSec [candidate] (27.61 ms) : 0, 27610
Debugger [baseline] (65.328 ms) : 0, 65328
Debugger [candidate] (65.317 ms) : 0, 65317
Remote Config [baseline] (542.846 µs) : 0, 543
Remote Config [candidate] (527.032 µs) : 0, 527
Telemetry [baseline] (7.804 ms) : 0, 7804
Telemetry [candidate] (7.767 ms) : 0, 7767
Flare Poller [baseline] (3.418 ms) : 0, 3418
Flare Poller [candidate] (3.41 ms) : 0, 3410
IAST [baseline] (29.168 ms) : 0, 29168
IAST [candidate] (29.981 ms) : 0, 29981
section profiling
ProfilingAgent [baseline] (94.653 ms) : 0, 94653
ProfilingAgent [candidate] (93.72 ms) : 0, 93720
crashtracking [baseline] (1.188 ms) : 0, 1188
crashtracking [candidate] (1.173 ms) : 0, 1173
BytebuddyAgent [baseline] (691.836 ms) : 0, 691836
BytebuddyAgent [candidate] (691.078 ms) : 0, 691078
AgentMeter [baseline] (9.226 ms) : 0, 9226
AgentMeter [candidate] (9.254 ms) : 0, 9254
GlobalTracer [baseline] (208.302 ms) : 0, 208302
GlobalTracer [candidate] (206.903 ms) : 0, 206903
AppSec [baseline] (33.128 ms) : 0, 33128
AppSec [candidate] (32.772 ms) : 0, 32772
Debugger [baseline] (66.164 ms) : 0, 66164
Debugger [candidate] (65.886 ms) : 0, 65886
Remote Config [baseline] (581.94 µs) : 0, 582
Remote Config [candidate] (581.302 µs) : 0, 581
Telemetry [baseline] (7.869 ms) : 0, 7869
Telemetry [candidate] (7.772 ms) : 0, 7772
Flare Poller [baseline] (3.61 ms) : 0, 3610
Flare Poller [candidate] (3.516 ms) : 0, 3516
Profiling [baseline] (95.227 ms) : 0, 95227
Profiling [candidate] (94.284 ms) : 0, 94284

Loading

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	dependabot/github_actions/gh-actions-packages-04db8ab777
git_commit_date	1776788798	1776792444
git_commit_sha	6880c80	85d0bac
release_version	1.62.0-SNAPSHOT~6880c80c48	1.62.0-SNAPSHOT~85d0bacb2c

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1776794772	1776794772
ci_job_id	1616632177	1616632177
ci_pipeline_id	108855240	108855240
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-mhjrcppx 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-mhjrcppx 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 4 performance improvements and 0 performance regressions! Performance is the same for 16 metrics, 16 unstable metrics.

scenario	Δ mean agg_http_req_duration_p50	Δ mean agg_http_req_duration_p95	Δ mean throughput	candidate mean agg_http_req_duration_p50	candidate mean agg_http_req_duration_p95	candidate mean throughput	baseline mean agg_http_req_duration_p50	baseline mean agg_http_req_duration_p95	baseline mean throughput
scenario:load:insecure-bank:iast_GLOBAL:high_load	better [-325.242µs; -179.065µs] or [-10.630%; -5.853%]	better [-1213.882µs; -408.846µs] or [-14.057%; -4.734%]	unstable [-25.144op/s; +238.894op/s] or [-2.115%; +20.095%]	2.807ms	7.824ms	1295.719op/s	3.060ms	8.636ms	1188.844op/s
scenario:load:petclinic:iast:high_load	better [-1.508ms; -0.639ms] or [-8.076%; -3.425%]	unsure [-1.761ms; -0.402ms] or [-5.952%; -1.359%]	unstable [-11.809op/s; +42.371op/s] or [-4.798%; +17.215%]	17.595ms	28.508ms	261.406op/s	18.668ms	29.590ms	246.125op/s
scenario:load:petclinic:tracing:high_load	better [-1096.898µs; -539.169µs] or [-5.974%; -2.936%]	unsure [-1349.826µs; -355.135µs] or [-4.584%; -1.206%]	unstable [-17.556op/s; +36.931op/s] or [-6.984%; +14.692%]	17.544ms	28.596ms	261.062op/s	18.362ms	29.448ms	251.375op/s

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48
    dateFormat X
    axisFormat %s
section baseline
no_agent (18.339 ms) : 18154, 18524
.   : milestone, 18339,
appsec (19.104 ms) : 18911, 19297
.   : milestone, 19104,
code_origins (17.774 ms) : 17601, 17947
.   : milestone, 17774,
iast (18.961 ms) : 18774, 19149
.   : milestone, 18961,
profiling (18.352 ms) : 18170, 18534
.   : milestone, 18352,
tracing (18.568 ms) : 18384, 18753
.   : milestone, 18568,
section candidate
no_agent (18.247 ms) : 18062, 18433
.   : milestone, 18247,
appsec (19.161 ms) : 18970, 19351
.   : milestone, 19161,
code_origins (17.875 ms) : 17700, 18051
.   : milestone, 17875,
iast (17.849 ms) : 17674, 18024
.   : milestone, 17849,
profiling (18.49 ms) : 18306, 18673
.   : milestone, 18490,
tracing (17.873 ms) : 17696, 18049
.   : milestone, 17873,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	18.339 ms [18.154 ms, 18.524 ms]	-
appsec	19.104 ms [18.911 ms, 19.297 ms]	764.784 µs (4.2%)
code_origins	17.774 ms [17.601 ms, 17.947 ms]	-565.114 µs (-3.1%)
iast	18.961 ms [18.774 ms, 19.149 ms]	621.901 µs (3.4%)
profiling	18.352 ms [18.17 ms, 18.534 ms]	12.76 µs (0.1%)
tracing	18.568 ms [18.384 ms, 18.753 ms]	229.099 µs (1.2%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	18.247 ms [18.062 ms, 18.433 ms]	-
appsec	19.161 ms [18.97 ms, 19.351 ms]	913.366 µs (5.0%)
code_origins	17.875 ms [17.7 ms, 18.051 ms]	-372.01 µs (-2.0%)
iast	17.849 ms [17.674 ms, 18.024 ms]	-398.583 µs (-2.2%)
profiling	18.49 ms [18.306 ms, 18.673 ms]	242.292 µs (1.3%)
tracing	17.873 ms [17.696 ms, 18.049 ms]	-374.724 µs (-2.1%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.241 ms) : 1230, 1253
.   : milestone, 1241,
iast (3.252 ms) : 3208, 3296
.   : milestone, 3252,
iast_FULL (6.149 ms) : 6085, 6213
.   : milestone, 6149,
iast_GLOBAL (3.862 ms) : 3790, 3933
.   : milestone, 3862,
profiling (2.076 ms) : 2059, 2093
.   : milestone, 2076,
tracing (1.904 ms) : 1888, 1919
.   : milestone, 1904,
section candidate
no_agent (1.268 ms) : 1255, 1281
.   : milestone, 1268,
iast (3.355 ms) : 3302, 3409
.   : milestone, 3355,
iast_FULL (6.254 ms) : 6189, 6319
.   : milestone, 6254,
iast_GLOBAL (3.537 ms) : 3485, 3588
.   : milestone, 3537,
profiling (2.249 ms) : 2228, 2269
.   : milestone, 2249,
tracing (1.893 ms) : 1877, 1910
.   : milestone, 1893,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.241 ms [1.23 ms, 1.253 ms]	-
iast	3.252 ms [3.208 ms, 3.296 ms]	2.011 ms (162.0%)
iast_FULL	6.149 ms [6.085 ms, 6.213 ms]	4.908 ms (395.4%)
iast_GLOBAL	3.862 ms [3.79 ms, 3.933 ms]	2.62 ms (211.1%)
profiling	2.076 ms [2.059 ms, 2.093 ms]	834.619 µs (67.2%)
tracing	1.904 ms [1.888 ms, 1.919 ms]	662.635 µs (53.4%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.268 ms [1.255 ms, 1.281 ms]	-
iast	3.355 ms [3.302 ms, 3.409 ms]	2.087 ms (164.6%)
iast_FULL	6.254 ms [6.189 ms, 6.319 ms]	4.986 ms (393.2%)
iast_GLOBAL	3.537 ms [3.485 ms, 3.588 ms]	2.268 ms (178.9%)
profiling	2.249 ms [2.228 ms, 2.269 ms]	980.446 µs (77.3%)
tracing	1.893 ms [1.877 ms, 1.91 ms]	625.373 µs (49.3%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	dependabot/github_actions/gh-actions-packages-04db8ab777
git_commit_date	1776788798	1776792444
git_commit_sha	6880c80	85d0bac
release_version	1.62.0-SNAPSHOT~6880c80c48	1.62.0-SNAPSHOT~85d0bacb2c

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1776794496	1776794496
ci_job_id	1616632179	1616632179
ci_pipeline_id	108855240	108855240
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-rgpd6wca 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-rgpd6wca 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.978 s) : 14978000, 14978000
.   : milestone, 14978000,
appsec (14.925 s) : 14925000, 14925000
.   : milestone, 14925000,
iast (19.063 s) : 19063000, 19063000
.   : milestone, 19063000,
iast_GLOBAL (17.923 s) : 17923000, 17923000
.   : milestone, 17923000,
profiling (15.076 s) : 15076000, 15076000
.   : milestone, 15076000,
tracing (14.993 s) : 14993000, 14993000
.   : milestone, 14993000,
section candidate
no_agent (15.043 s) : 15043000, 15043000
.   : milestone, 15043000,
appsec (14.945 s) : 14945000, 14945000
.   : milestone, 14945000,
iast (18.664 s) : 18664000, 18664000
.   : milestone, 18664000,
iast_GLOBAL (17.671 s) : 17671000, 17671000
.   : milestone, 17671000,
profiling (14.852 s) : 14852000, 14852000
.   : milestone, 14852000,
tracing (14.874 s) : 14874000, 14874000
.   : milestone, 14874000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.978 s [14.978 s, 14.978 s]	-
appsec	14.925 s [14.925 s, 14.925 s]	-53.0 ms (-0.4%)
iast	19.063 s [19.063 s, 19.063 s]	4.085 s (27.3%)
iast_GLOBAL	17.923 s [17.923 s, 17.923 s]	2.945 s (19.7%)
profiling	15.076 s [15.076 s, 15.076 s]	98.0 ms (0.7%)
tracing	14.993 s [14.993 s, 14.993 s]	15.0 ms (0.1%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.043 s [15.043 s, 15.043 s]	-
appsec	14.945 s [14.945 s, 14.945 s]	-98.0 ms (-0.7%)
iast	18.664 s [18.664 s, 18.664 s]	3.621 s (24.1%)
iast_GLOBAL	17.671 s [17.671 s, 17.671 s]	2.628 s (17.5%)
profiling	14.852 s [14.852 s, 14.852 s]	-191.0 ms (-1.3%)
tracing	14.874 s [14.874 s, 14.874 s]	-169.0 ms (-1.1%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~85d0bacb2c, baseline=1.62.0-SNAPSHOT~6880c80c48
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.498 ms) : 1486, 1509
.   : milestone, 1498,
appsec (3.836 ms) : 3613, 4059
.   : milestone, 3836,
iast (2.299 ms) : 2229, 2369
.   : milestone, 2299,
iast_GLOBAL (2.332 ms) : 2262, 2401
.   : milestone, 2332,
profiling (2.137 ms) : 2081, 2193
.   : milestone, 2137,
tracing (2.098 ms) : 2043, 2152
.   : milestone, 2098,
section candidate
no_agent (1.502 ms) : 1491, 1514
.   : milestone, 1502,
appsec (3.836 ms) : 3611, 4060
.   : milestone, 3836,
iast (2.299 ms) : 2229, 2369
.   : milestone, 2299,
iast_GLOBAL (2.336 ms) : 2266, 2406
.   : milestone, 2336,
profiling (2.12 ms) : 2064, 2175
.   : milestone, 2120,
tracing (2.093 ms) : 2039, 2146
.   : milestone, 2093,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.498 ms [1.486 ms, 1.509 ms]	-
appsec	3.836 ms [3.613 ms, 4.059 ms]	2.338 ms (156.1%)
iast	2.299 ms [2.229 ms, 2.369 ms]	801.076 µs (53.5%)
iast_GLOBAL	2.332 ms [2.262 ms, 2.401 ms]	833.905 µs (55.7%)
profiling	2.137 ms [2.081 ms, 2.193 ms]	639.24 µs (42.7%)
tracing	2.098 ms [2.043 ms, 2.152 ms]	600.0 µs (40.1%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.502 ms [1.491 ms, 1.514 ms]	-
appsec	3.836 ms [3.611 ms, 4.06 ms]	2.333 ms (155.3%)
iast	2.299 ms [2.229 ms, 2.369 ms]	796.713 µs (53.0%)
iast_GLOBAL	2.336 ms [2.266 ms, 2.406 ms]	833.637 µs (55.5%)
profiling	2.12 ms [2.064 ms, 2.175 ms]	617.387 µs (41.1%)
tracing	2.093 ms [2.039 ms, 2.146 ms]	590.552 µs (39.3%)

[AlexeyKuznetsov-DD]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-21 18:54:59 UTC ℹ️ Start processing command /merge

---

2026-04-21 18:55:03 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).

---

2026-04-21 20:12:48 UTC ℹ️ MergeQueue: This merge request was merged