
ci(deps): bump @cyclonedx/cdxgen from 12.2.1 to 12.3.3 in /.github/tools in the node-workflow-tools group #59

Merged
mbarbero merged 1 commit into main from dependabot/npm_and_yarn/dot-github/tools/node-workflow-tools-da64d07ef0 on May 22, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github, May 18, 2026

Bumps the node-workflow-tools group in /.github/tools with 1 update: @cyclonedx/cdxgen.

Updates @cyclonedx/cdxgen from 12.2.1 to 12.3.3

Release notes

Sourced from @cyclonedx/cdxgen's releases.

Release v12.3.3

This release includes security fixes and some features.

What's Changed

🤖 AI-auto Changes

Full Changelog: cdxgen/cdxgen@v12.3.2...v12.3.3

Release v12.3.2

What's Changed

🤖 AI-auto Changes

Full Changelog: cdxgen/cdxgen@v12.3.1...v12.3.2

Release v12.3.1

cdxgen can now identify the MCP configurations and skills used in your project. It can also predict supply-chain attacks against your cargo dependencies.

What's Changed

🤖 AI-auto Changes

Full Changelog: cdxgen/cdxgen@v12.3.0...v12.3.1

Release v12.3.0 - dependency risk prioritisation

cdxgen v12.3.0

Full changelog: cdxgen/cdxgen@v12.2.1...v12.3.0

v12.3.0 is a big release for cdxgen. It expands the project beyond BOM generation with new capabilities for upstream dependency risk prioritisation, SPDX conversion/export, runtime and container risk analysis, and broader ecosystem/source intelligence.

Highlights

... (truncated)

Commits
  • cb5a2f2 Fix Docker registry auth: prevent credential leaks by enforcing host matching...
  • b1e1798 types
  • 6633128 Add BOM audit rules for disabled setup caches with remote npm/PyPI sources (#...
  • aecf1af Populate evidence.identity.tools for externally identified components (#3960)
  • cda94f0 Refactor staged rootfs dockertests into CI helpers and fix staged `all-layers...
  • b3fd4df Ignore vendored Composer and jar artifacts in mixed npm source scans (#3955)
  • b024b8b Support staged rootfs inputs for remote/offline OBOM generation (#3956)
  • 387a63c Harden Dependency-Track submission host enforcement and redact secret-bearing...
  • 976f449 Add collider.lock support to C/C++ BOM generation (#3959)
  • c703be5 Trim non-runtime files from published npm artifacts, image context, and SEA b...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the node-workflow-tools group in /.github/tools with 1 update: [@cyclonedx/cdxgen](https://github.com/cdxgen/cdxgen).


Updates `@cyclonedx/cdxgen` from 12.2.1 to 12.3.3
- [Release notes](https://github.com/cdxgen/cdxgen/releases)
- [Commits](cdxgen/cdxgen@v12.2.1...v12.3.3)

---
updated-dependencies:
- dependency-name: "@cyclonedx/cdxgen"
  dependency-version: 12.3.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: node-workflow-tools
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the "dependencies" label (This issue or pull request is about third-party dependencies) on May 18, 2026
@mbarbero mbarbero merged commit b96b047 into main on May 22, 2026
26 checks passed
@mbarbero mbarbero deleted the dependabot/npm_and_yarn/dot-github/tools/node-workflow-tools-da64d07ef0 branch on May 22, 2026 18:49
