Skip to content

chore(deps): update pre-commit hook mongodb/kingfisher to v1.102.0#235

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/mongodb-kingfisher-1.x
May 30, 2026
Merged

chore(deps): update pre-commit hook mongodb/kingfisher to v1.102.0#235
renovate[bot] merged 1 commit into
mainfrom
renovate/mongodb-kingfisher-1.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 30, 2026

This PR contains the following updates:

Package Type Update Change
mongodb/kingfisher repository minor v1.101.0v1.102.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

Release Notes

mongodb/kingfisher (mongodb/kingfisher)

v1.102.0

Compare Source

  • Security: hardened ASAR and in-memory archive extraction to skip traversal or absolute entry paths before writing to the temp extraction directory.
  • Security: git clone provider tokens (KF_GITHUB_TOKEN, KF_GITLAB_TOKEN, KF_GITEA_TOKEN, KF_AZURE_TOKEN, KF_HUGGINGFACE_TOKEN) are now installed as host-scoped, HTTPS-only credential helpers (credential.https://<host>.helper) instead of unscoped global ones, so a malicious clone target can no longer capture them via an auth challenge. Trusted hosts derive from each provider's SaaS default plus any configured --<provider>-api-url/--azure-base-url/--endpoint, preserving GitHub Enterprise and other self-hosted flows.
  • Security: --output report files are opened with O_NOFOLLOW (with a symlink pre-check on non-Unix) so a symlink planted at the report path inside a scanned repository can no longer redirect the write to truncate or overwrite an arbitrary file.
  • Security: single-stream gzip/bzip2/xz/zlib decompression is now bounded by a 512 MB decompressed-byte cap, preventing a small compression bomb from exhausting disk during a scan.
  • Added 3 detection and validation rules for Cognition Devin API credentials: kingfisher.devin.1 (legacy personal keys, apk_user_ prefix), kingfisher.devin.2 (legacy service keys, apk_ prefix), and kingfisher.devin.3 (v3 service-user tokens, cog_ prefix / RFC 4648 base32). Live validation uses GET /v1/sessions for apk_* keys and GET /v3/self for cog_ tokens.
  • Added kingfisher scan docker --archive <image.tar> for scanning saved Docker/OCI image archives directly, including OCI-layout docker save output and compressed tar archives.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Only on Saturday (* * * * 6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) May 30, 2026 06:02
@renovate renovate Bot merged commit 1c84563 into main May 30, 2026
35 checks passed
@renovate renovate Bot deleted the renovate/mongodb-kingfisher-1.x branch May 30, 2026 06:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants