action-allowlist-review: bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 in /.github/actions/for-dependabot-triggered-reviews

[dependabot]

Bumps dependabot/fetch-metadata from 3.0.0 to 3.1.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

• Add permissions to all workflows by @​truggeri in dependabot/fetch-metadata#687
• build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @​dependabot[bot] in dependabot/fetch-metadata#690
• build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @​dependabot[bot] in dependabot/fetch-metadata#693
• build(deps-dev): bump @​hono/node-server from 1.19.10 to 1.19.13 by @​dependabot[bot] in dependabot/fetch-metadata#694
• build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @​dependabot[bot] in dependabot/fetch-metadata#695
• Dynamically update the tracking tag in action by @​truggeri in dependabot/fetch-metadata#696
• fix: handle duplicate dependency names in parseMetadataLinks by @​devantler in dependabot/fetch-metadata#700
• fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @​devantler in dependabot/fetch-metadata#698
• Updates to README for permissions clarification by @​truggeri in dependabot/fetch-metadata#697
• fix: resolve update-type null for Python, Composer, and Terraform PRs by @​vitorsdcs in dependabot/fetch-metadata#704
• build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @​dependabot[bot] in dependabot/fetch-metadata#703
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in dependabot/fetch-metadata#701
• build(deps): bump @​actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @​dependabot[bot] in dependabot/fetch-metadata#702
• build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @​dependabot[bot] in dependabot/fetch-metadata#705
• v3.1.0 by @​fetch-metadata-action-automation[bot] in dependabot/fetch-metadata#692

New Contributors

• @​devantler made their first contribution in dependabot/fetch-metadata#700
• @​vitorsdcs made their first contribution in dependabot/fetch-metadata#704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

Commits

• 25dd0e3 v3.1.0 (#692)
• e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
• 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
• 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
• 5168191 Updating dist build
• 23882e1 build(deps): bump @​actions/github in the dependencies group
• 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
• 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
• b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
• c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
• Additional commits viewable in compare view

[potiuk]

@dependabot rebase

[potiuk]

Status

verify-action-build flagged this bump with 1 unverified binary download(s) detected — but on inspection this one is a false positive in our verifier, not an issue in the action. Approving on that basis.

Why it's a false positive

The flagged code is src/dependabot/verified_commits.ts:99:

const svg = await new Promise<string>((resolve) => {
  https.get(`https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=${name}&package-manager=${ecosystem}&previous-version=${oldVersion}&new-version=${newVersion}`, res => {
    let data = ''
    res.on('data', chunk => { data += chunk.toString('utf8') })
    res.on('end', () => { resolve(data) })
  }).on('error', () => { resolve('') })
})

const scoreChunk = svg.match(/<title>compatibility: (?<score>\d+)%<\/title>/m)
return scoreChunk?.groups ? parseInt(scoreChunk.groups.score) : 0

Unlike #769 (tc.downloadTool of a luarocks source tarball that's then extracted, configured, built and installed) or other real binary-download cases, this:

1. Fetches an SVG badge computed on demand by GitHub for each (name, ecosystem, prev, new) tuple — there is no "known-good" SHA256 a maintainer could pin against.
2. The bytes are never installed, executed, persisted to disk, or trusted — they're regex-matched for a single integer 0–100.
3. Worst-case malicious response: regex fails to match → returns 0. No security boundary crossed.
4. Host is *.githubapp.com — same trust domain as the GitHub-hosted runner itself.

Adding a checksum/signature check upstream would be cargo-cult; there's no shape of "expected hash" to compare against on a per-request computed badge.

Source review of the bump

v3.0.0 → v3.1.0 source diff is the legitimate set of changes the release advertises. No suspicious behaviour introduced; the underlying bump is fine.

Follow-up

Opening a separate PR on verify-action-build to narrow the binary-download check so it doesn't flag (a) trusted-host fetches like *.githubapp.com and (b) responses that are obviously parsed-as-data (regex/JSON.parse) rather than persisted/executed. That'll prevent this false-positive on the next dependabot/fetch-metadata bump (and on similar patterns in other actions that fetch metadata badges).

Conditional approval

Approving on the same basis as #761/#769 — verifier finding has been investigated, source review of the bump itself is clean. Asking for a second pair of eyes before merge.

cc: @raboof @dave2wave @dfoulks1

Generated-by: Claude Opus 4.7 (1M context)