
chore(deps): update pre-commit hook mongodb/kingfisher to v1.102.0 #371

Merged
renovate[bot] merged 1 commit into main from renovate/mongodb-kingfisher-1.x
May 30, 2026

Conversation

@renovate
Contributor

@renovate renovate Bot commented May 30, 2026

This PR contains the following updates:

Package             Type        Update  Change
mongodb/kingfisher  repository  minor   v1.101.0 -> v1.102.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

mongodb/kingfisher (mongodb/kingfisher)

v1.102.0

Compare Source

  • Security: hardened ASAR and in-memory archive extraction to skip traversal or absolute entry paths before writing to the temp extraction directory.
  • Security: git clone provider tokens (KF_GITHUB_TOKEN, KF_GITLAB_TOKEN, KF_GITEA_TOKEN, KF_AZURE_TOKEN, KF_HUGGINGFACE_TOKEN) are now installed as host-scoped, HTTPS-only credential helpers (credential.https://<host>.helper) instead of unscoped global ones, so a malicious clone target can no longer capture them via an auth challenge. Trusted hosts derive from each provider's SaaS default plus any configured --<provider>-api-url/--azure-base-url/--endpoint, preserving GitHub Enterprise and other self-hosted flows.
  • Security: --output report files are opened with O_NOFOLLOW (with a symlink pre-check on non-Unix) so a symlink planted at the report path inside a scanned repository can no longer redirect the write to truncate or overwrite an arbitrary file.
  • Security: single-stream gzip/bzip2/xz/zlib decompression is now bounded by a 512 MB decompressed-byte cap, preventing a small compression bomb from exhausting disk during a scan.
  • Added 3 detection and validation rules for Cognition Devin API credentials: kingfisher.devin.1 (legacy personal keys, apk_user_ prefix), kingfisher.devin.2 (legacy service keys, apk_ prefix), and kingfisher.devin.3 (v3 service-user tokens, cog_ prefix / RFC 4648 base32). Live validation uses GET /v1/sessions for apk_* keys and GET /v3/self for cog_ tokens.
  • Added kingfisher scan docker --archive <image.tar> for scanning saved Docker/OCI image archives directly, including OCI-layout docker save output and compressed tar archives.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Only on Saturday (* * * * 6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
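Two of the hardenings listed in the v1.102.0 notes above (skipping traversal or absolute entry paths during archive extraction, and capping decompressed output) are easy to get subtly wrong, so here is an added illustration of both in Rust, the project's own language. This is example code written for this page, not kingfisher's implementation; it uses only the standard library, the 512 MiB constant simply mirrors the cap the notes describe, and the entry names and the `io::repeat` stand-in for a compression bomb are constructed inputs.

```rust
// Added illustration, not kingfisher's own code: two of the hardenings listed
// in the v1.102.0 notes, written against std only.
//  1. Reject archive entry names that would escape the extraction directory
//     (absolute paths, drive prefixes, any `..` component).
//  2. Wrap a decompressed stream so reading past a byte cap fails instead of
//     filling the disk.
// The 512 MiB constant mirrors the cap described in the release notes; the
// sample entry names and the `io::repeat` "bomb" are constructed test inputs.
use std::io::{self, Read};
use std::path::{Component, Path, PathBuf};

/// Cap on decompressed bytes accepted from a single gzip/bzip2/xz/zlib stream.
pub const MAX_DECOMPRESSED: u64 = 512 * 1024 * 1024;

/// Map an archive entry name to a path under `root`, or return None if the
/// entry must be skipped because it is absolute, has a drive prefix, or
/// contains `..`. Components are appended one at a time, so the result can
/// only ever be `root` itself or something strictly below it.
pub fn safe_extract_path(root: &Path, entry: &str) -> Option<PathBuf> {
    // Treat backslashes as separators so a Windows-style "..\\x" entry is
    // not parsed as a single odd-looking file name on Unix.
    let entry = entry.replace('\\', "/");
    // A drive-letter prefix ("C:/...") is only recognised by std on Windows;
    // reject it explicitly on every platform.
    if entry.as_bytes().get(1) == Some(&b':') {
        return None;
    }
    let mut out = root.to_path_buf();
    for component in Path::new(&entry).components() {
        match component {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            // Any `..` is rejected outright rather than normalised away.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if out.as_path() == root {
        return None; // empty or "." entry: nothing to write
    }
    Some(out)
}

/// Read adapter that fails once more than `limit` bytes have been produced
/// by the inner reader (e.g. a decompressor wrapped around a small input).
pub struct Bounded<R: Read> {
    inner: R,
    limit: u64,
    seen: u64,
}

impl<R: Read> Bounded<R> {
    pub fn new(inner: R, limit: u64) -> Self {
        Bounded { inner, limit, seen: 0 }
    }
}

impl<R: Read> Read for Bounded<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        self.seen += n as u64;
        if self.seen > self.limit {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("decompressed output exceeds {} byte cap", self.limit),
            ));
        }
        Ok(n)
    }
}

/// Drain a decompressed stream into memory, failing if it exceeds `limit`.
pub fn read_bounded<R: Read>(reader: R, limit: u64) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    Bounded::new(reader, limit).read_to_end(&mut out)?;
    Ok(out)
}

/// Constructed entry names of the kind a hostile ASAR or tar might carry.
pub const SAMPLE_ENTRIES: &[&str] = &[
    "app/main.js",
    "../../etc/passwd",
    "/etc/shadow",
    "C:\\Windows\\win.ini",
    "lib/../x.js",
];

fn main() {
    let root = Path::new("/tmp/kf-extract");
    for e in SAMPLE_ENTRIES {
        match safe_extract_path(root, e) {
            Some(p) => println!("extract {:?} -> {}", e, p.display()),
            None => println!("skip    {:?}", e),
        }
    }
    // Stand-in for a tiny compressed input that inflates to 64 MiB; a 16 MiB
    // cap is used here only to keep the demo cheap (MAX_DECOMPRESSED in real use).
    let bomb = io::repeat(0u8).take(64 << 20);
    match read_bounded(bomb, 16 << 20) {
        Ok(v) => println!("read {} bytes", v.len()),
        Err(e) => println!("aborted: {e}"),
    }
}
```

The path check deliberately refuses `..` anywhere instead of canonicalising, because a lexically "clean" result can still be wrong once symlinks inside the extraction directory are involved; the byte cap is enforced on the output side of the decompressor, which is the only side a compression bomb cannot lie about.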

@renovate renovate Bot added the dependencies Third-party library dependencies. label May 30, 2026
@renovate renovate Bot enabled auto-merge (squash) May 30, 2026 06:01
@renovate renovate Bot merged commit b07aa42 into main May 30, 2026
8 checks passed
@renovate renovate Bot deleted the renovate/mongodb-kingfisher-1.x branch May 30, 2026 06:07