chore(deps): update dependency @faker-js/faker to v10

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@faker-js/faker (source)	9.9.0 → 10.4.0

---

Release Notes

faker-js/faker (@​faker-js/faker)

v10.4.0

Compare Source

New Locales

• locale: add Japanese bear definitions (#​3720) (2a4b15c)
• locale: add Japanese bird definitions (#​3719) (dc31ff8)
• locale: add Japanese cat breed definitions (#​3716) (54af8a8)
• locale: add Japanese cattle breed definitions (#​3717) (c2c7342)
• locale: add Japanese fish definitions (#​3721) (15fc361)
• locale: add Japanese horse breed definitions (#​3718) (e02536e)
• locale: add Norwegian (nb_NO) country definition (#​3714) (614b4e9)

Features

• fi locale phone numbers (#​3747) (7afa8b5)
• food: add plant-based dish variety (#​3745) (41edf49)

Changed Locales

• locale: filter and cleanup PersonEntryDefintions data (#​3266) (67defc8)

Bug Fixes

• locales: correct typos and capitalization in es_MX street names (#​3737) (2b32c28)

v10.3.0

Compare Source

New Locales

• locale: add Japanese dog definition (#​3715) (76c9df1)
• locale: add Japanese color definitions (#​3707) (bbbb215)
• locale: add Japanese food module (#​3706) (71d55c0)
• locale: add Japanese internet definitions (#​3708) (184a709)
• locale: add Japanese job definitions for person module (#​3705) (e7f3ccd)
• locale: add Japanese suffix definitions for person module (#​3704) (45ad7d8)
• locale: add Norwegian (nb_NO) continent definitions (#​3712) (c0f0f23)
• locale: add Norwegian (nb_NO) direction definition (#​3713) (43b18fa)
• locale: add Norwegian (nb_NO) sex definitions (#​3710) (76063f2)
• locale: add Norwegian (nb_NO) vehicle definition (#​3732) (d1c32b0)

Features

• locales: add Norwegian (nb_NO) zodiac sign definitions (#​3711) (e306542)
• person: sexType can return 'generic' (#​3259) (0e099a1)
• string: support uuid v7 (#​3701) (87c2753)

Changed Locales

• locale: normalize system locale data (#​3702) (ba91653)

Bug Fixes

• locale: remove empty string from Hebrew lorem words (#​3698) (81a896c)
• location: state name to 'Trøndelag' for nb_NO (#​3691) (eaef389)

v10.2.0

Compare Source

New Locales

• locale: add bn_BD location module (#​3614) (99a448c)
• locale: add counties & states to nb_NO location (#​3617) (3dbcbe1)
• locale: add da states (regions) (#​3656) (78c892b)
• locale: add id_ID translation for animal, color, commerce, and word also add country to location id_ID translation. (#​3608) (02c2c3e)
• locale: add ku_kmr_latin locale (#​3629) (247f42d)
• locale: add person module data to ku_ckb (#​3630) (6be2c20)

Features

• Add support for UPC (#​3648) (57b2d78)
• commerce: allow for locale-specific product name patterns (#​3657) (1cf3991)
• finance: add IR iban (#​3678) (101a74a)
• locales: add sl_SI locale, person module (#​3564) (e7c9945)
• location: Hungarian support for city name, full street address, continents, countries and directions (hu) (#​3618) (2c9aefd)

Bug Fixes

• food: move raspberry from vegetable to fruit (#​3650) (6a4f01f)
• locale: endonym should be in Latin script (#​3660) (4cda07f)
• locale: remove additional inappropriate words from ja locale (#​3665) (18a1554)
• locale: remove offensive and inappropriate words from ja locale (#​3661) (8310c8c)
• locale: remove some negative hu words (#​3664) (bd36bae)
• location: Use accents in en country names (#​3637) (24aa11f)
• vehicle: Updated spelling Mercielago to Murcielago (#​3636) (bfb1bdb)

v10.1.0

Compare Source

New Locales

• locale: Add ku_ckb locale (#​3441) (9de894a)
• locale: add Russian localization for book module (#​3628) (428ff33)

Bug Fixes

• locale: fix the Spring Airlines IATA Code (#​3612) (b547045)

v10.0.0

Compare Source

New Locales

• locale: extended list of colors in Polish (#​3586) (9940d54)

Features

• locales: add animal vocabulary(bear, bird, cat, rabbit, pet_name) in Korean (#​3535) (0d2143c)

Changed Locales

• locale: remove invalid credit card issuer patterns (#​3568) (9783d95)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes		no	no	3.63s
✅ EDITORCONFIG	editorconfig-checker	2		0	0	0.01s
✅ JSON	jsonlint	1		0	0	0.41s
✅ JSON	npm-package-json-lint	yes		no	no	0.49s
⚠️ JSON	prettier	1	0	1	0	0.36s
✅ JSON	v8r	1		0	0	6.34s
❌ REPOSITORY	checkov	yes		5	no	21.22s
❌ REPOSITORY	devskim	yes		45	no	162.55s
✅ REPOSITORY	dustilock	yes		no	no	1.29s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
❌ REPOSITORY	grype	yes		71	no	51.18s
❌ REPOSITORY	kics	yes		56	no	4.48s
❌ REPOSITORY	kingfisher	yes		1	no	5.42s
❌ REPOSITORY	secretlint	yes		1	no	1.39s
✅ REPOSITORY	syft	yes		no	no	6.01s
⚠️ REPOSITORY	trivy	yes		1	no	13.8s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.58s
✅ REPOSITORY	trufflehog	yes		no	no	4.19s
✅ SPELL	cspell	3		0	0	3.08s
❌ SPELL	lychee	2		1	0	0.1s
✅ YAML	prettier	1	0	0	0	0.35s
✅ YAML	v8r	1		0	0	1.45s
❌ YAML	yamllint	1		4	0	5.4s

Detailed Issues

❌ REPOSITORY / checkov - 5 errors

dockerfile scan results:

Passed checks: 77, Failed checks: 1, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1  | ARG NODE_VERSION=lts-slim
		2  | 
		3  | FROM node:${NODE_VERSION} AS dependencies
		4  | 
		5  | WORKDIR /app
		6  | 
		7  | ENV PNPM_HOME="/pnpm"
		8  | ENV PATH="$PNPM_HOME:$PATH"
		9  | 
		10 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		11 |     --mount=type=bind,source=package.json,target=/app/package.json \
		12 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		13 |     corepack enable && \
		14 |     pnpm install --frozen-lockfile --strict-peer-dependencies
		15 | 
		16 | FROM dependencies AS builder
		17 | 
		18 | COPY --chown=node:node src/ /app/src
		19 | 
		20 | RUN --mount=type=bind,source=package.json,target=/app/package.json \
		21 |     --mount=type=bind,source=nest-cli.json,target=/app/nest-cli.json \
		22 |     --mount=type=bind,source=tsconfig.json,target=/app/tsconfig.json \
		23 |     --mount=type=bind,source=tsconfig.build.json,target=/app/tsconfig.build.json \
		24 |     pnpm build
		25 | 
		26 | FROM builder AS pruner
		27 | 
		28 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		29 |     --mount=type=bind,source=package.json,target=/app/package.json \
		30 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		31 |     pnpm prune --prod --ignore-scripts
		32 | 
		33 | FROM gcr.io/distroless/nodejs22-debian12:nonroot
		34 | 
		35 | WORKDIR /app
		36 | 
		37 | ENV PORT=3000
		38 | 
		39 | COPY --chown=nonroot:nonroot --from=pruner /app/node_modules ./node_modules
		40 | COPY --chown=nonroot:nonroot --from=builder /app/dist .
		41 | COPY --chown=nonroot:nonroot CHANGELOG.md LICENSE package.json /app/
		42 | 
		43 | EXPOSE ${PORT}
		44 | 
		45 | HEALTHCHECK --interval=30s --timeout=2s --start-period=10s --retries=2 CMD [ "/nodejs/bin/node", "bin/health-checker.js" ]
		46 | 
		47 | CMD ["main.js"]
github_actions scan results:

Passed checks: 212, Failed checks: 4, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CI)
	File: /.github/workflows/ci.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Release)
	File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CodeQL)
	File: /.github/workflows/codeql-analysis.yml:27-28
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Publish)
	File: /.github/workflows/publish.yml:11-12

❌ REPOSITORY / devskim - 45 errors

eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"","markdown":"`\"1f8b0800000000000400edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227676f6eeef3f7df0e4deb3ddfb4fee3f7d7a707ab0bbb7f7f4e1bdbde307a7270f3e3dd8f9f4d1ee6f9cececdcdb3978f0706f677fe7e1fefecebdfbf74e4f77f69f3d7c72bcff6cf7f4f8f4e4e19347f7b8d9c1ee83e3d307bb274f8f9f3e3c7876bcbbf3e9c3677b27fba73bf79e3c3cd87ff850a09ddc7ffaecf8e0fec3a7fbbb9f3e39dd39387978efe0e4d3ddbdfdfbc7270fee3d7c72c0d076a9a34f1f3c797afaf0c1b3d3bdbdbd9d9ddda727f7ef3dd83b3d7ef6f0d367a727cf1eeda1d9def1c9a79f3e79b6ffe9eea727f7768e9fed3f397d7af0f0d3e3e37b0feedf3fbeff644fa0ed9d9cdcdb23fcf61fec1cd3581fecef3ffd7467e7e1fde307f78f3fdd3939b8c7b8ed3ed939a5913ed8db7b72fce0de93277b7bbb4f9eecef3f38397eba77fa908874fc688fdb3d7d787cf2ecc92e11e1e9331acabd277bc7f7ee3fdbd9bff78046f1f4e1b3270ceede936707f79e3d78f0f4e1c393d383e3fdfbfbf73edd7ff6e9d3d3bdfddd7bbb4f08456976f2e4fede937b4f77ef9d1e3fbc77eff4c1e9dece8393873b0f3ffdf478f7ded383e31369f6f4d9bd87bb4ff61f3cfdf494fe77fff4e9c33d1af683dde39dd34fef1d9cee1d73339aa5ddddfd87f79eed1d3ca1a97878faece993d393270f3f3da1160ff7efeded3ffa14cdf6f6ee1f9cde3bb9b7ffe4e1d3ddbd4f4f1fee9c3cb8fff0c9938784cea7279fde13faee3f7bb0bbf3e0ded3e327cfee3ffd74efc9a734d8dd9d83bd67fb07f74ef7778e8fef337defef12dc7bc44df71f3ebc47487ffaf4d9cea74f771eeedd7b76effece1e61c7b8dddfdfdf3b797aff00f0ee3f20b2eede7ff6708fa6f93ecde1139a63a1db7d747472b0f7e9d3834fefdf279e20f4f63f059f3c78b6777aefe9fda7d2ece1ceb3074f4f4e1eec3cf9f4defea7fbc7a734cb44fb7b279fee3fdd7b70b0fbe9a33d46eee1c1a7a7c7f7eeed9f7cfae0607fefd9a73455f74ff70e9eed3fbc7ffaecd3fb270702eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 4000 characters out of 313729)

❌ REPOSITORY / grype - 71 errors

(25th)  < 0.1  
yaml                  2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    < 0.1% (16th)  < 0.1  
brace-expansion       1.1.11     1.1.12    npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (25th)  < 0.1  
brace-expansion       2.0.1      2.0.2     npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (25th)  < 0.1  
minimatch             3.1.2      3.1.3     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             7.4.6      7.4.8     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             9.0.5      9.0.7     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (7th)   < 0.1  
minimatch             3.1.2      3.1.3     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
minimatch             7.4.6      7.4.7     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
minimatch             9.0.5      9.0.6     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (6th)   < 0.1  
qs                    6.14.0     6.14.2    npm   GHSA-w7fw-mjwx-w883  Low       < 0.1% (18th)  < 0.1  
minimatch             3.1.2      3.1.4     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
minimatch             7.4.6      7.4.8     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
minimatch             9.0.5      9.0.7     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (6th)   < 0.1  
lodash                4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
lodash-es             4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-v52c-386h-88mc  High      < 0.1% (4th)   < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-xf7r-hgr6-v32p  High      < 0.1% (4th)   < 0.1  
undici                6.14.1     6.21.2    npm   GHSA-cxrh-j4jr-qwg3  Low       < 0.1% (14th)  < 0.1  
js-yaml               3.14.1     3.14.2    npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (5th)   < 0.1  
js-yaml               4.1.0      4.1.1     npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (5th)   < 0.1  
@nestjs/core          10.4.22    11.1.18   npm   GHSA-36xv-jgw5-4q75  Medium    < 0.1% (5th)   < 0.1  
undici                6.14.1     6.23.0    npm   GHSA-g9mf-h72j-4rw9  Medium    < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-phc3-fgpg-7m6h  Medium    < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
ajv                   8.12.0     8.18.0    npm   GHSA-2g4f-4pwh-qvx6  Medium    < 0.1% (5th)   < 0.1  
jws                   3.2.2      3.2.3     npm   GHSA-869p-cjfg-cm3x  High      < 0.1% (1st)   < 0.1  
diff                  4.0.2      4.0.4     npm   GHSA-73rr-hh4g-fpgx  Low       < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.0   npm   GHSA-38r7-794h-5758  Low       < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.1   npm   GHSA-8fgc-7cc6-rx7x  Low       < 0.1% (1st)   < 0.1  
serialize-javascript  6.0.1      7.0.3     npm   GHSA-5c6j-r48x-rmvq  High      N/A            N/A
[0051] ERROR discovered vulnerabilities at or above the severity threshold

(Truncated to last 4000 characters out of 7631)

❌ REPOSITORY / kics - 56 errors

Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


	[4]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


	[5]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


Passwords And Secrets - Password in URL, Severity: HIGH, Results: 3
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:89

		088:         env:
		089:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		090:       - name: Run the server 🚀


	[2]: .github/workflows/ci.yml:95

		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		096:           NODE_ENV: production


	[3]: .devcontainer/docker-compose.yml:24

		023:     environment:
		024:       - DATABASE_URL=<SECRET-MASKED-ON-PURPOSE>:5432/postgres
		025: 


Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:94

		093:           PORT: 3000
		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper


	[2]: .github/workflows/ci.yml:33

		032:         env:
		033:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		034:       - name: Report test results 📝


Passwords And Secrets - Generic Password, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .devcontainer/docker-compose.yml:32

		031:     environment:
		032:       POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		033:       POSTGRES_USER: postgres


	[2]: .github/workflows/ci.yml:63

		062:           POSTGRES_USER: armband
		063:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		064:           POSTGRES_DB: sharper


Missing User Instruction, Severity: HIGH, Results: 2
Description: Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
Platform: Dockerfile
CWE: 250
Risk Score: 7.7
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f

	[1]: .devcontainer/Dockerfile:1

		001: FROM mcr.microsoft.com/devcontainers/javascript-node:1-18-bullseye
		002: 
		003: # [Optional] Uncomment this section to install additional OS packages.


	[2]: Dockerfile:33

		032: 
		033: FROM gcr.io/distroless/nodejs22-debian12:nonroot
		034: 



Results Summary:
CRITICAL: 0
HIGH: 9
MEDIUM: 21
LOW: 24
INFO: 2
TOTAL: 56

A new version 'v2.1.20' of KICS is available, please consider updating

(Truncated to last 4000 characters out of 17401)

❌ REPOSITORY / kingfisher - 1 error

New Kingfisher release 1.95.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 453 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
POSTGRES URL WITH HARDCODED PASSWORD => [KINGFISHER.POSTGRES.1]
 |Finding.......: [REDACTED:41928bf4]
 |Fingerprint...: 2034115162828868254
 |Confidence....: medium
 |Entropy.......: 3.87
 |Validation....: Inactive Credential
 |__Response....: Postgres connection failed.
 |Language......: YAML
 |Line Num......: 24
 |Path..........: ./.devcontainer/docker-compose.yml


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 1
 |__Skipped Validations.......: 0
 |Rules Applied...............: 453
 |__Blobs Scanned.............: 287
 |Bytes Scanned...............: 7.87 MiB
 |Scan Duration...............: 207ms 36us 821ns
 |Scan Date...................: 2026-04-15 08:30:49 +00:00
 |Kingfisher Version..........: 1.84.0
 |__Latest Version............: 1.95.0
New Kingfisher release 1.95.0 available

❌ SPELL / lychee - 1 error

[403] https://www.npmjs.com/support | Network error: Forbidden
📝 Summary
---------------------
🔍 Total............4
✅ Successful.......1
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........2
❓ Unknown..........0
🚫 Errors...........1

Errors in pnpm-lock.yaml
[403] https://www.npmjs.com/support | Network error: Forbidden

❌ REPOSITORY / secretlint - 1 error

.devcontainer/docker-compose.yml
  24:21  error  [PostgreSQLConnection] found PostgreSQL connection string: ****************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

.github/workflows/ci.yml
  89:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string
  95:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 3 problems (3 errors, 0 warnings, 0 infos)

❌ YAML / yamllint - 4 errors

pnpm-lock.yaml
  1:1       warning  missing document start "---"  (document-start)
  37:501    error    line too long (545 > 500 characters)  (line-length)
  10203:501 error    line too long (537 > 500 characters)  (line-length)
  10338:501 error    line too long (584 > 500 characters)  (line-length)

⚠️ JSON / prettier - 1 error

[error] Cannot find package 'prettier-plugin-toml' imported from noop.js

⚠️ REPOSITORY / trivy - 1 error

│        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-22036 │          │        │                   │ 7.18.2, 6.23.0                                          │ undici: Undici: Denial of Service via excessive              │
│                 │                │          │        │                   │                                                         │ decompression steps                                          │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-22036                   │
│                 ├────────────────┼──────────┤        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2024-38372 │ LOW      │        │                   │ 6.19.2                                                  │ Undici vulnerable to data leak when using                    │
│                 │                │          │        │                   │                                                         │ response.arrayBuffer()                                       │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2024-38372                   │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2025-47279 │          │        │                   │ 5.29.0, 6.21.2, 7.5.0                                   │ undici: Undici Memory Leak with Invalid Certificates         │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2025-47279                   │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────


DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────



📣 Notices:
  - Version 0.69.3 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 4000 characters out of 27100)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository