action-allowlist-review: bump DavidAnson/markdownlint-cli2-action from 23.0.0 to 23.1.0 in /.github/actions/for-dependabot-triggered-reviews#784
Conversation
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 23.0.0 to 23.1.0. - [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases) - [Commits](DavidAnson/markdownlint-cli2-action@ce4853d...6b51ade) --- updated-dependencies: - dependency-name: DavidAnson/markdownlint-cli2-action dependency-version: 23.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
|
Heads-up before approval: the upstream repo The action is bundled ( I've opened an upstream request asking the author to commit a lock file: DavidAnson/markdownlint-cli2-action#362 @dfoulks1 @ppkarwasz — what's your take? Do we approve this bump now and treat the upstream lockfile request as a follow-up, or hold approval until the upstream ships a lock file? I lean toward approving (the action is widely used and bundled with a pinned SHA, so the immediate risk is bounded), but happy to wait if either of you would rather block on it. |
|
I would bump this now and enforce additional checks in the next releases as we learn more about the release process. This action is much safer than other actions we already allow, since it pins its main dependency ( |
Seems that the author is about to release new version after I poked him (and you followed up @ppkarwasz ! ) ... So.. .I guess we can wait :) |
|
Superseded by #811. |
Bumps DavidAnson/markdownlint-cli2-action from 23.0.0 to 23.1.0.
Commits
6b51adeUpdate to version 23.1.0.ea6e0daFreshen generated index.js file.3c4c2c8Bump markdownlint-cli2 from 0.22.0 to 0.22.13a933d4Bump@actions/corefrom 3.0.0 to 3.0.1648042eFreshen generated index.js file.d1cf982Bump eslint from 10.2.0 to 10.2.14db3dfcBump eslint from 10.1.0 to 10.2.070dbff9Bump eslint-plugin-unicorn from 63.0.0 to 64.0.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)