bot: bump oxsecurity/megalinter from 9.2.0 to 9.5.0

[dependabot]

Bumps oxsecurity/megalinter from 9.2.0 to 9.5.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.5.0

What's Changed

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Breaking changes

• Core

• New linters

• Disabled linters

• Re-enabled linters

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

• Fixes

  • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.

• Reporters

• Flavors

• Doc

  • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats

• mega-linter-runner

• Dev

• CI

• Linter versions upgrades (N)

  • black from 26.3.1 to 26.5.0 on 2026-05-16
  • stylua from 2.4.1 to 2.5.2 on 2026-05-17
  • terraform-fmt from 1.15.2 to 1.15.3 on 2026-05-17
  • jscpd from 4.1.1 to 4.2.0 on 2026-05-17
  • stylelint from 17.11.0 to 17.11.1 on 2026-05-17

... (truncated)

Commits

• 0e3ce9b Fix release workflows.
• 3e132b1 Release MegaLinter v9.5.0
• cbb7fe9 Doc + prepare 9.5.0 release (#7836)
• 29bcf10 [automation] Auto-update linters version, help and documentation (#7832)
• ed753c5 chore(deps): update jdkato/vale docker tag to v3.14.2 (#7829)
• e04f202 feat: implement user notifications system and replace migration warnings (#7833)
• 54bfad8 chore(deps): update dependency @​stoplight/spectral-cli to v6.16.0 (#7830)
• f809408 Eslint legacy detection & warning (#7831)
• 6725b65 chore(deps): update dependency langsmith to v0.8.5 (#7828)
• cbcc02f chore(deps): update dependency rumdl to v0.1.93 (#7825)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ BASH	bash-exec	1		0	0	0.18s
✅ BASH	shellcheck	1		0	0	0.07s
✅ BASH	shfmt	1	0	0	0	0.01s
✅ COPYPASTE	jscpd	yes		no	no	1.25s
⚠️ MARKDOWN	markdownlint	2	0	3	0	0.73s
✅ MARKDOWN	markdown-table-formatter	3	0	0	0	0.29s
✅ REPOSITORY	checkov	yes		no	no	16.43s
✅ REPOSITORY	gitleaks	yes		no	no	0.16s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	41.79s
❌ REPOSITORY	osv-scanner	yes		1	no	0.14s
✅ REPOSITORY	syft	yes		no	no	2.11s
✅ REPOSITORY	trivy	yes		no	no	9.29s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.14s
✅ REPOSITORY	trufflehog	yes		no	no	3.46s

Detailed Issues

❌ REPOSITORY / osv-scanner - 1 error

Scanning dir .
Starting filesystem walk for root: /
End status: 26 dirs visited, 77 inodes visited, 0 Extract calls, 1.789273ms elapsed, 1.789513ms wall time
No package sources found, --help for usage information.

⚠️ MARKDOWN / markdownlint - 3 errors

SECURITY.md:7:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
SECURITY.md:8:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
SECURITY.md:9:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,COPYPASTE_JSCPD,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG

Show us your support by starring ⭐ the repository