Skip to content

chore(deps): Bump googleapis/release-please-action from 4 to 5#32

Merged
TPTBusiness merged 1 commit into
masterfrom
dependabot/github_actions/googleapis/release-please-action-5
Apr 27, 2026
Merged

chore(deps): Bump googleapis/release-please-action from 4 to 5#32
TPTBusiness merged 1 commit into
masterfrom
dependabot/github_actions/googleapis/release-please-action-5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps googleapis/release-please-action from 4 to 5.

Release notes

Sourced from googleapis/release-please-action's releases.

v5.0.0

5.0.0 (2026-04-22)

⚠ BREAKING CHANGES

  • upgrade to node24 (#1188)

Features

Bug Fixes

  • bump release-please from 17.3.0 to 17.6.0 (#1199) (f533c26)

v4.4.1

4.4.1 (2026-02-20)

Bug Fixes

  • bump release-please from 17.1.3 to 17.3.0 (#1183) (ef9c274)

v4.4.0

4.4.0 (2025-10-09)

Features

  • add ability to select versioning-strategy and release-as (#1121) (ee0f5ba)

Bug Fixes

  • changelog-host parameter ignored when using manifest configuration (#1151) (535c413)
  • bump mocha from 11.7.1 to 11.7.2 in the npm_and_yarn group across 1 directory (#1149) (3612a99)
  • bump release-please from 17.1.2 to 17.1.3 (#1158) (66fbfe9)

v4.3.0

4.3.0 (2025-08-20)

Features

  • deps: update release-please to 17.1.2 (f07192c)

v4.2.0

4.2.0 (2025-03-07)

... (truncated)

Changelog

Sourced from googleapis/release-please-action's changelog.

4.1.1 (2024-05-14)

Bug Fixes

  • bump release-please from 16.10.0 to 16.10.2 (#969) (aa764e0)
  • bump the npm_and_yarn group with 1 update (#967) (ce529d4)

4.1.0 (2024-03-11)

Features

  • add changelog-host input to action.yml (#948) (863b06f)

4.0.3 (2024-03-11)

Bug Fixes

  • bump release-please from 16.5.0 to 16.10.0 (#953) (d7e88e0)

4.0.2 (2023-12-18)

Bug Fixes

4.0.1 (2023-12-07)

Bug Fixes

  • bump release-please from 16.3.1 to 16.4.0 (#897) (2463dad)

4.0.0 (2023-12-01)

⚠ BREAKING CHANGES

  • remove most configuration options in favor of manifest configuration to configure the release-please-action
  • rewrite in typescript
  • remove command option in favor of setting release-type and skip-github-release/skip-github-pull-request
  • run on node20
  • deps: upgrade release-please to v16
  • v4 release

Features

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): Bump googleapis/release-please-action from 4 to 5
b54c239 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 27, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 27, 2026
@TPTBusiness TPTBusiness merged commit 1cd4995 into master Apr 27, 2026
10 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/googleapis/release-please-action-5 branch April 27, 2026 14:18
TPTBusiness pushed a commit that referenced this pull request Apr 30, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
e81aa32 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 1, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
abac77f 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 1, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
f1dbece 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness
chore: Add CVE-2025-2099 to transformers security notes
5662a39 
- Document CVE-2025-2099 (ReDoS in preprocess_string function)
- Already fixed by transformers>=4.51.0 (patched in 4.50.0)
- Dependabot alert is false positive due to missing lockfile

Fixes Dependabot Alert #32
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
3c3e5a7 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
d7a089a 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
d7e2018 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
7a3ba51 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 10, 2026
@TPTBusiness
chore: Add CVE-2025-2099 to transformers security notes
8c64df8 
- Document CVE-2025-2099 (ReDoS in preprocess_string function)
- Already fixed by transformers>=4.51.0 (patched in 4.50.0)
- Dependabot alert is false positive due to missing lockfile

Fixes Dependabot Alert #32
TPTBusiness added a commit that referenced this pull request May 10, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
f171782 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 10, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
79827d5 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 22, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
2fd6e06 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 22, 2026
@dependabot @TPTBusiness
chore(deps): Bump googleapis/release-please-action from 4 to 5 (#32)
7869e0f 
Bumps [googleapis/release-please-action](https://github.com/googleapis/release-please-action) from 4 to 5.
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TPTBusiness