
deps(java): bump com.puppycrawl.tools:checkstyle from 13.3.0 to 13.4.0 in /dependencies/checkstyle in the java-gradle group across 1 directory #7689

Merged
github-actions[bot] merged 1 commit into main from dependabot/gradle/dependencies/checkstyle/java-gradle-1cf8d3a1c1
Mar 31, 2026


@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Bumps the java-gradle group with 1 update in the /dependencies/checkstyle directory: com.puppycrawl.tools:checkstyle.

Updates com.puppycrawl.tools:checkstyle from 13.3.0 to 13.4.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.4.0

Checkstyle 13.4.0 - https://checkstyle.org/releasenotes.html#Release_13.4.0

Breaking backward compatibility:

#8315 - Improve violation message of ImportOrder

New:

  • #17565 - Line break must be present after { of non-empty block in switch rule
  • #18065 - New Check: IllegalSymbol to forbid emoji in code

Bug fixes:

  • #18228 - False-positive: Suppress indentation check when quotes start at the left margin
  • #17137 - UnnecessaryNullCheckWithInstanceOf ignores redundant null check for complex cases.
  • #17842 - False-negative: Member names with underscores

... (truncated)

Commits
  • ad2d2d2 [maven-release-plugin] prepare release checkstyle-13.4.0
  • ac969f5 doc: release notes for 13.4.0
  • b96d1c3 Issue #15456: Define violation messages for JavadocTagContinuationIndentation
  • d47cde5 Issue #11163: Enforce file size on InputNeedBracesTestSwitchExpression
  • bbb00f9 Issue #16361: add comment on testAddException
  • 601213d Issue #12721: add Buildkite CI with mvn verify
  • 95cecf8 dependency: bump org.openrewrite.recipe:rewrite-migrate-java
  • 92dcd3d dependency: bump pmd.version from 7.22.0 to 7.23.0
  • ab7a33c Issue #16361: Refactor testNewCtor
  • 70cab66 Issue #16361: Add explanatory comment for testReadResourceWithInvalidName
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels Mar 30, 2026
@github-actions github-actions Bot enabled auto-merge March 30, 2026 14:48
@github-actions
Contributor

Super-linter summary

| Language | Validation result |
| --- | --- |
| BIOME_FORMAT | Pass ✅ |
| BIOME_LINT | Pass ✅ |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_COMMITLINT | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| GROOVY | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Fail ❌ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

TRIVY
trivy filesystem --config /github/workspace/.github/linters/trivy.yaml /github/workspace

Report Summary

┌─────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│               Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/Gemfile.lock           │  bundler   │        3        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/composer/composer.lock │  composer  │        0        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/package-lock.json      │    npm     │       14        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dev-dependencies/package-lock.json  │    npm     │       10        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ Dockerfile                          │ dockerfile │        -        │         0         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dev-dependencies/Dockerfile         │ dockerfile │        -        │         0         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ test/linters/trivy/good/Dockerfile  │ dockerfile │        -        │         0         │    -    │
└─────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


dependencies/Gemfile.lock (bundler)
===================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │       Fixed Version       │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────────┼──────────────────────────────────────────────────────────────┤
│ activesupport │ CVE-2026-33169 │ MEDIUM   │ fixed  │ 8.1.2             │ 8.1.2.1, 8.0.4.1, 7.2.3.1 │ rails: rails-activesupport: Active Support: Denial of        │
│               │                │          │        │                   │                           │ Service via crafted long digit strings...                    │
│               │                │          │        │                   │                           │ https://avd.aquasec.com/nvd/cve-2026-33169                   │
│               ├────────────────┤          │        │                   │                           ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-33170 │          │        │                   │                           │ Rails: Active Support: Active Support: Cross-Site Scripting  │
│               │                │          │        │                   │                           │ (XSS) due to improper HTML...                                │
│               │                │          │        │                   │                           │ https://avd.aquasec.com/nvd/cve-2026-33170                   │
│               ├────────────────┤          │        │                   │                           ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-33176 │          │        │                   │                           │ Rails: Active Support: Active Support: Denial of Service via │
│               │                │          │        │                   │                           │ large scientific notation...                                 │
│               │                │          │        │                   │                           │ https://avd.aquasec.com/nvd/cve-2026-33176                   │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────────┴──────────────────────────────────────────────────────────────┘

dependencies/package-lock.json (npm)
====================================
Total: 14 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 5, CRITICAL: 1)

┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2026-33750      │ MEDIUM   │ fixed  │ 1.1.12            │ 5.0.5, 3.0.2, 2.0.3, 1.1.13 │ The brace-expansion library generates arbitrary strings      │
│                 │                     │          │        │                   │                             │ containing a c ...                                           │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33750                   │
│                 │                     │          │        ├───────────────────┤                             │                                                              │
│                 │                     │          │        │ 2.0.2             │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
│                 │                     │          │        ├───────────────────┤                             │                                                              │
│                 │                     │          │        │ 5.0.4             │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ handlebars      │ CVE-2026-33937      │ CRITICAL │        │ 4.7.8             │ 4.7.9                       │ handlebars.js: Handlebars: Remote Code Execution via crafted │
│                 │                     │          │        │                   │                             │ Abstract Syntax Tree object in...                            │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33937                   │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33938      │ HIGH     │        │                   │                             │ handlebars: Handlebars: Arbitrary code execution via         │
│                 │                     │          │        │                   │                             │ @partial-block overwrite                                     │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33938                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33939      │          │        │                   │                             │ handlebars.js: Handlebars.js: Denial of Service via          │
│                 │                     │          │        │                   │                             │ malformed decorator syntax in template compilation...        │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33939                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33940      │          │        │                   │                             │ handlebars.js: Handlebars.js: Arbitrary code execution via   │
│                 │                     │          │        │                   │                             │ crafted template context                                     │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33940                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33941      │          │        │                   │                             │ handlebars.js: Handlebars: Arbitrary code execution via CLI  │
│                 │                     │          │        │                   │                             │ precompiler input sanitization flaw                          │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33941                   │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33916      │ MEDIUM   │        │                   │                             │ handlebars.js: Handlebars: Cross-Site Scripting (XSS) via    │
│                 │                     │          │        │                   │                             │ prototype pollution in partial resolution                    │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33916                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ GHSA-7rx3-28cr-v5wh │          │        │                   │                             │ Handlebars.js has a Prototype Method Access Control Gap via  │
│                 │                     │          │        │                   │                             │ Missing __lookupSetter__ Blocklist...                        │
│                 │                     │          │        │                   │                             │ https://github.com/advisories/GHSA-7rx3-28cr-v5wh            │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ GHSA-442j-39wm-28r2 │ LOW      │        │                   │                             │ Handlebars.js has a Property Access Validation Bypass in     │
│                 │                     │          │        │                   │                             │ container.lookup                                             │
│                 │                     │          │        │                   │                             │ https://github.com/advisories/GHSA-442j-39wm-28r2            │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ path-to-regexp  │ CVE-2026-4926       │ HIGH     │        │ 8.3.0             │ 8.4.0                       │ path-to-regexp: path-to-regexp: Denial of Service via        │
│                 │                     │          │        │                   │                             │ crafted regular expressions                                  │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-4926                    │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-4923       │ MEDIUM   │        │                   │                             │ Impact: When using multiple wildcards, combined with at      │
│                 │                     │          │        │                   │                             │ least one par...                                             │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-4923                    │
├─────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml            │ CVE-2026-33532      │          │        │ 2.8.2             │ 2.8.3, 1.10.3               │ yaml: yaml: Denial of Service via deeply nested YAML         │
│                 │                     │          │        │                   │                             │ document parsing                                             │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33532                   │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

dev-dependencies/package-lock.json (npm)
========================================
Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 4, CRITICAL: 1)

┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2026-33750      │ MEDIUM   │ fixed  │ 1.1.12            │ 5.0.5, 3.0.2, 2.0.3, 1.1.13 │ The brace-expansion library generates arbitrary strings      │
│                 │                     │          │        │                   │                             │ containing a c ...                                           │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33750                   │
│                 │                     │          │        ├───────────────────┤                             │                                                              │
│                 │                     │          │        │ 2.0.2             │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
│                 │                     │          │        │                   │                             │                                                              │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ handlebars      │ CVE-2026-33937      │ CRITICAL │        │ 4.7.8             │ 4.7.9                       │ handlebars.js: Handlebars: Remote Code Execution via crafted │
│                 │                     │          │        │                   │                             │ Abstract Syntax Tree object in...                            │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33937                   │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33938      │ HIGH     │        │                   │                             │ handlebars: Handlebars: Arbitrary code execution via         │
│                 │                     │          │        │                   │                             │ @partial-block overwrite                                     │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33938                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33939      │          │        │                   │                             │ handlebars.js: Handlebars.js: Denial of Service via          │
│                 │                     │          │        │                   │                             │ malformed decorator syntax in template compilation...        │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33939                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33940      │          │        │                   │                             │ handlebars.js: Handlebars.js: Arbitrary code execution via   │
│                 │                     │          │        │                   │                             │ crafted template context                                     │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33940                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33941      │          │        │                   │                             │ handlebars.js: Handlebars: Arbitrary code execution via CLI  │
│                 │                     │          │        │                   │                             │ precompiler input sanitization flaw                          │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33941                   │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-33916      │ MEDIUM   │        │                   │                             │ handlebars.js: Handlebars: Cross-Site Scripting (XSS) via    │
│                 │                     │          │        │                   │                             │ prototype pollution in partial resolution                    │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33916                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ GHSA-7rx3-28cr-v5wh │          │        │                   │                             │ Handlebars.js has a Prototype Method Access Control Gap via  │
│                 │                     │          │        │                   │                             │ Missing __lookupSetter__ Blocklist...                        │
│                 │                     │          │        │                   │                             │ https://github.com/advisories/GHSA-7rx3-28cr-v5wh            │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ GHSA-442j-39wm-28r2 │ LOW      │        │                   │                             │ Handlebars.js has a Property Access Validation Bypass in     │
│                 │                     │          │        │                   │                             │ container.lookup                                             │
│                 │                     │          │        │                   │                             │ https://github.com/advisories/GHSA-442j-39wm-28r2            │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

@ferrarimarco
Collaborator

@dependabot rebase

Bumps the java-gradle group with 1 update in the /dependencies/checkstyle directory: [com.puppycrawl.tools:checkstyle](https://github.com/checkstyle/checkstyle).


Updates `com.puppycrawl.tools:checkstyle` from 13.3.0 to 13.4.0
- [Release notes](https://github.com/checkstyle/checkstyle/releases)
- [Commits](checkstyle/checkstyle@checkstyle-13.3.0...checkstyle-13.4.0)

---
updated-dependencies:
- dependency-name: com.puppycrawl.tools:checkstyle
  dependency-version: 13.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: java-gradle
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/gradle/dependencies/checkstyle/java-gradle-1cf8d3a1c1 branch from 391360b to 867caa2 Compare March 31, 2026 13:18
@github-actions
Contributor

Super-linter summary

| Language | Validation result |
| --- | --- |
| BIOME_FORMAT | Pass ✅ |
| BIOME_LINT | Pass ✅ |
| CHECKOV | Pass ✅ |
| EDITORCONFIG | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_COMMITLINT | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| GROOVY | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

3 similar comments

@ferrarimarco ferrarimarco added this to the v8.6.0 milestone Mar 31, 2026
@github-actions github-actions Bot added this pull request to the merge queue Mar 31, 2026
Merged via the queue into main with commit 4c66d9d Mar 31, 2026
333 of 337 checks passed
@github-actions github-actions Bot deleted the dependabot/gradle/dependencies/checkstyle/java-gradle-1cf8d3a1c1 branch March 31, 2026 14:55