Atlantis #github-prs

GitHub

04/13/2025, 1:39 AM

#5533 chore(deps): update ghcr.io/runatlantis/testing-env:latest docker digest to ff2a5fb in .github/workflows/test.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------------------------------- | --------- | ------ | ------------------ | | ghcr.io/runatlantis/testing-env | container | digest | 925d411 -> ff2a5fb | --- ### Configuration 📅 Schedule: Branch creation - "* 0-3 * * *" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

GitHub

04/13/2025, 1:51 AM

#5534 ci(renovate): only update node deps on main branch Pull request opened by nitrocode ## what • ci(renovate): only update node deps on main branch ## why • Prevent needing to manually close renovate branches e.g. #5498 ## references • https://docs.renovatebot.com/configuration-options/#matchbasebranches runatlantis/atlantis

GitHub

04/13/2025, 1:56 AM

#5535 ci(renovate): replace hardcoded branches with regex Pull request opened by nitrocode ## what • ci(renovate): replace hardcoded branches with regex ## why • Prevent hard coding branches which makes it easier to release new versions and maintain older versions ## tests • I have tested my changes by https://regexr.com/8e2d2 ## references • https://docs.renovatebot.com/configuration-options/#basebranches runatlantis/atlantis

GitHub

04/14/2025, 4:12 AM

#5537 ci(renovate): reduce noise by grouping by confidence Pull request opened by nitrocode ## what • ci(renovate): reduce noise by grouping by confidence ## why • Mend, owner of renovatebot, uses analytics across all orgs that use renovate to figure out confidence is upgrading to a specific package version • This change utilizes these analytics and groups PRs by the confidence rating to upgrade multiple very high and high rated deps in thr same PR • Nevermind, this option matchConfidence is only available in a closed beta and requires a proprietary key. See reference. ## references • https://docs.mend.io/wsk/common-practices-for-renovate-configuration • https://docs.renovatebot.com/configuration-options/#matchconfidence runatlantis/atlantis

GitHub

04/14/2025, 3:02 PM

GitHub

04/14/2025, 5:34 PM

#5539 chore(deps): update dependency vite to v6.2.7 [security] (release-0.34) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------------------------------- | --------------- | ------ | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | minor | [6.1.3 -> 6.2.7](https://renovatebot.com/diffs/npm/vite/6.1.3/6.2.7) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/8215b15f6e981877f9a1a5c6aece43d08f62432a6f674508b5096c494379d30e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f766974656a732f766974652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) | --- ### Vite allows server.fs.deny to be bypassed with .svg or relative paths CVE-2025-31486 / GHSA-xcj6-pq6g-qj4x More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. ##### Details #####

.svg

Requests ending with

.svg

are loaded at this line. https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 By adding

?.svg

with

?.wasm?init

or with

sec-fetch-dest: script

header, the restriction was able to bypass. This bypass is only possible if the file is smaller than `build.assetsInlineLimit` (default: 4kB) and when using Vite 6.0+. ##### relative paths The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g.

../../

). ##### PoC npm create vite@latest cd vite-project/ npm install npm run dev send request to read

etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init' curl 'http://127.0.0.1:5173/@&#8203;fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw' #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

#### References • https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x • https://nvd.nist.gov/vuln/detail/CVE-2025-31486 • https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647 • https://github.com/vitejs/vite • https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Vite has an

server.fs.deny

bypass with an invalid

request-target

CVE-2025-32395 / GHSA-356w-63v5-8wf4 More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. ##### Impact Only apps with the following conditions are affected. • explicitly exposing the Vite dev server to the network (using --host or server.host config option) • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) ##### Details HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`. Although an attacker can send such a request. For those requests with an invalid

request-line

(it includes

request-target

), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3). On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of `http.IncomingMessage.url` contains

. Vite assumed

req.url

won't contain

when checking

server.fs.deny

, allowing those kinds of requests to bypass the check. On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of

http.IncomingMessage.url

did not contain

. ##### PoC

Copy code

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read

/etc/passwd

Copy code

curl --request-target /@&#8203;fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd <http://127.0.0.1:5173>

#### Severity • CVSS Score: Unknown • Vector String:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

#### References • https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4 • https://nvd.nist.gov/vuln/detail/CVE-2025-32395 • https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70 • https://github.com/vitejs/vite This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Vite's server.fs.deny bypassed with /. for files under project root CVE-2025-46565 / GHSA-859w-5945-r5v3 More information #### Details ##### Summary The contents of files in the project `root` that are denied by a file matching pattern can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using --host … runatlantis/atlantis

GitHub

04/16/2025, 11:15 PM

#5541 chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 Pull request opened by dependabot[bot] ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- Bumps golang.org/x/net from 0.36.0 to 0.38.0. Commits • `e1fcd82` html: properly handle trailing solidus in unquoted attribute value in foreign... • `ebed060` internal/http3: fix build of tests with GOEXPERIMENT=nosynctest • `1f1fa29` publicsuffix: regenerate table • `1215081` http2: improve error when server sends HTTP/1 • `312450e` html: ensure <search> tag closes <p> and update tests • `09731f9` http2: improve handling of lost PING in Server • `55989e2` http2/h2c: use ResponseController for hijacking connections • `2914f46` websocket: re-recommend gorilla/websocket • `99b3ae0` go.mod: update golang.org/x dependencies • See full diff in compare view [Dependabot compatibility score](https://camo.githubusercontent.com/9c276eaf7e67fa61794cd1a7164eb8a65ecfa4d7960d06c3dde7db250a879e2e/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d676f6c616e672e6f72672f782f6e6574267061636b6167652d6d616e616765723d676f5f6d6f64756c65732670726576696f75732d76657273696f6e3d302e33362e30266e65772d76657273696f6e3d302e33382e30) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting

@dependabot rebase

. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: •

@dependabot rebase

will rebase this PR •

@dependabot recreate

will recreate this PR, overwriting any edits that have been made to it •

@dependabot merge

will merge this PR after your CI passes on it •

@dependabot squash and merge

will squash and merge this PR after your CI passes on it •

@dependabot cancel merge

will cancel a previously requested merge and block automerging •

@dependabot reopen

will reopen this PR if it is closed •

@dependabot close

will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually •

@dependabot show <dependency name> ignore conditions

will show all of the ignore conditions of the specified dependency •

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis

GitHub

04/18/2025, 2:06 AM

#4777 feat(api): add ShowResult attribute to plan response Pull request opened by raulsh ## what Add new ShowResult attribute in /api/plan endpoint. It reads show output file and put into API response. ## why It allows to use JSON output to create new implementations/tools based on this instead of plain text Terraform output. In my case, I can build a drift detection tools that relies on Atlantis plan execution (instead of executing plan on separate environment). Even I tried with https://github.com/cresta/atlantis-drift-detection. But just uses Atlantis just to check if a project have changes and locking state if need to do a plan. But after that, it needs to execute a plan outside Atlantis. ## tests ## references • closes #4776 runatlantis/atlantis

GitHub

04/21/2025, 2:11 AM

#5146 fix: Allow and encourage explicitly setting SHA in API requests Pull request opened by lukaspj ## what I propose adding the Commit SHA as a required field on API requests. ## why When running API Requests, we are currently only requiring the following fields: type APIRequest struct { Repository string

validate:"required"

Ref string

validate:"required"

Type string

validate:"required"

PR int Projects []string Paths []struct { Directory string Workspace string } } However, this is not sufficient information as many operations rely on knowing the exact commit we are working on and not just the Ref, which is a moving target. Furthermore, it's more reliable to explicitly state the SHA you want to perform actions on, otherwise you could get unexpected results as the pipeline you are currently working with locally might be pointing to a different version of the Ref than the one that Atlantis fetches. ## tests I would like guidance on how to appropriately testing this change as I'm fairly unfamiliar with the Atlantis codebase. ## references closes #5143 runatlantis/atlantis

GitHub

04/22/2025, 5:57 PM

#5264 fix: parallel plan and apply also in a single workspace (rebased) Pull request opened by plentydone ## what @finnag did all the real work here. I just rebased and regenerated mocks. I'm new to this codebase, but I've reviewed the code and it seems reasonable to me, and I've reviewed all the commits between October and today and I see no logical conflicts. If in fresh review any changes are needed, I'm happy to do so. From the original PR description:

• Add more thorough locking around Clone() calls, covering all of these phases:

Am I on the right commit

Merge with upstream

Clone if necessary

• Reduce the number of remote git operations when planning or applying in parallel

Clean up the Clone() method, split into Clone() and MergeAgain()

For parallel mode to work, you must either set the environment variable
TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE
to something, or check in your .hcl files. Otherwise terraform cannot run in parallel.

## why • The Clone call had several race conditions where it could miss clones or delete the working directory under running processes causing failures. ## tests I ran

make test-all fmt lint

## references • This is just #3670 rebased • Closes #3670 runatlantis/atlantis

GitHub

04/22/2025, 6:00 PM

#5543 chore(deps): update module golang.org/x/net to v0.38.0 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ---------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/net | v0.36.0 -> v0.38.0 | [[age](https://camo.githubusercontent.com/8085a98b86fb9e6465f09bee9106b8853aa9ee3bad200d0f2f8af44dea6308f9/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/c6f84ae4e14713523cb1898d3a4a4cd5693d08913d33970acad58d753ab1178e/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/46754d081520b7dddd67231f3ba0724238b2c5fa1ba39c9a732e0034739f8187/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/9810c1580c594ae2abbe137b563959d9c8fc66f05cbcce4a10c763d0d475c5e2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### CVE-2025-22872 The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). --- ### golang.org/x/net vulnerable to Cross-site Scripting CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity • CVSS Score: Unknown • Vector String:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-22872 • https://go.dev/cl/662715 • https://go.dev/issue/73070 • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA • https://pkg.go.dev/vuln/GO-2025-3595 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity Unknown #### References • https://go.dev/cl/662715 • https://go.dev/issue/73070 • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). :vertical_t… runatlantis/atlantis

GitHub

04/23/2025, 5:38 AM

#3670 fix: parallel plan and apply also in a single workspace Pull request opened by finnag ## what • Add more thorough locking around Clone() calls, covering all of these phases: • Am I on the right commit • Merge with upstream • Clone if necessary • Reduce the number of remote git operations when planning or applying in parallel • Clean up the Clone() method, split into Clone() and MergeAgain() For parallel mode to work, you must either set the environment variable TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE to something, or check in your .hcl files. Otherwise terraform cannot run in parallel. ## why The Clone call had several race conditions where it could miss clones or delete the working directory under running processes causing failures. ## tests • I have tested my changes by make test-all • Run in production with several repos, large and small, including a monorepo multi-directory setup ## references runatlantis/atlantis

GitHub

04/23/2025, 6:04 AM

#5545 ci(codeowners): add app/renovate-approve Pull request opened by nitrocode ## what • chore(codeowners): add app/renovate-approve ## why • Allow renovate-approved changes to be mergeable • Ignore the codeowners error because this is suggested by others including the lead maintainer. See references. ## references • renovatebot/renovate-approve-bot#23 • https://github.com/search?q=app%2Frenovate-approve+path%3Acodeowners&type=code • Prevents manual approval of PRs like #5543 runatlantis/atlantis

GitHub

04/23/2025, 6:15 AM

#5546 chore(deps): update dependency open-policy-agent/conftest to v0.59.0 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------ | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [open-policy-agent/conftest](https://redirect.github.com/open-policy-agent/conftest) | minor | 0.58.0 -> 0.59.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/02a4aef64d2c5192de53266ba3c27ad831608eb54e62f90ce37392cbb2a73789/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e2d706f6c6963792d6167656e742f636f6e66746573742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/open-policy-agent/conftest) | --- ### Release Notes open-policy-agent/conftest (open-policy-agent/conftest) ### `v0.59.0` Compare Source #### Announcements ##### Breaking Changes ⚠️ • Bump hcl2json - This makes the behavior of the conversion more consistent by always using arrays for blocks that can be repeated. See https://github.com/open-policy-agent/conftest/pull/1074 and https://github.com/open-policy-agent/conftest/issues/1006 for more info. ##### Breaking Changes Reminder In the v0.60 release of conftest (in May 2025), we will change the default version of Rego syntax from v0 to v1. This will be a breaking change if your Rego policies are not compatible with the v1 syntax. • Individual policies can be updated gradually, by adding

import rego.v1

to the policy. • The

rego-version

flag will remain available indefinitely, and users who do not wish to update their Rego policies can continue to use v0 syntax by setting this flag to

v0

. For more information about upgrading to Rego v1 syntax, see the upstream docs at https://www.openpolicyagent.org/docs/latest/v0-upgrade/. #### Changelog ##### New Features • `21e1163`: feat: add pre-commit hook support (#1077) (@thevilledev) ##### OPA Changes • `eac6f5e`: build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 (#1092) (@dependabot[bot]) ##### Other Changes • `813f329`: build(deps): bump cuelang.org/go from 0.12.0 to 0.12.1 (#1094) (@dependabot[bot]) • `45bf533`: build(deps): bump github.com/BurntSushi/toml from 1.4.0 to 1.5.0 (#1089) (@dependabot[bot]) • `19f1eaf`: build(deps): bump github.com/magiconair/properties from 1.8.9 to 1.8.10 (#1097) (@dependabot[bot]) • `a20159b`: build(deps): bump github.com/moby/buildkit from 0.20.0 to 0.20.1 (#1083) (@dependabot[bot]) • `32aac49`: build(deps): bump github.com/moby/buildkit from 0.20.1 to 0.20.2 (#1091) (@dependabot[bot]) • `1b1ce3a`: build(deps): bump golang from 1.24.0-alpine to 1.24.1-alpine (#1086) (@dependabot[bot]) • `cb88a17`: build(deps): bump golang from 1.24.1-alpine to 1.24.2-alpine (#1096) (@dependabot[bot]) • `8c8b13f`: ci: Remove PR workflow access to all permissions from GITHUB_TOKEN (#1088) (@jalseth) • `688c88f`: deps: Bump hcl2json to v0.6.7 (#1074) (@jalseth) • `e9612c3`: refactor(ci): replace Makefile-based Docker builds with GitHub Action (#1082) (@Amamgbu) --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

GitHub

04/23/2025, 6:15 AM

#5547 chore(deps): update dependency open-policy-agent/conftest to v0.59.0 in testing/dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------ | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [open-policy-agent/conftest](https://redirect.github.com/open-policy-agent/conftest) | minor | 0.58.0 -> 0.59.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/02a4aef64d2c5192de53266ba3c27ad831608eb54e62f90ce37392cbb2a73789/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e2d706f6c6963792d6167656e742f636f6e66746573742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/open-policy-agent/conftest) | --- ### Release Notes open-policy-agent/conftest (open-policy-agent/conftest) ### `v0.59.0` Compare Source #### Announcements ##### Breaking Changes ⚠️ • Bump hcl2json - This makes the behavior of the conversion more consistent by always using arrays for blocks that can be repeated. See https://github.com/open-policy-agent/conftest/pull/1074 and https://github.com/open-policy-agent/conftest/issues/1006 for more info. ##### Breaking Changes Reminder In the v0.60 release of conftest (in May 2025), we will change the default version of Rego syntax from v0 to v1. This will be a breaking change if your Rego policies are not compatible with the v1 syntax. • Individual policies can be updated gradually, by adding

import rego.v1

to the policy. • The

rego-version

flag will remain available indefinitely, and users who do not wish to update their Rego policies can continue to use v0 syntax by setting this flag to

v0

GitHub

04/23/2025, 6:18 AM

#5548 fix(deps): update module github.com/bradleyfalzon/ghinstallation/v2 to v2.15.0 in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------------------------ | ------- | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github.com/bradleyfalzon/ghinstallation/v2](https://redirect.github.com/bradleyfalzon/ghinstallation) | require | minor | v2.14.0 -> v2.15.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/cef6484b4ef46333141fa75d05f2c7c4a702dc25ff12b21ac2915b665d103d05/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f627261646c657966616c7a6f6e2f6768696e7374616c6c6174696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/bradleyfalzon/ghinstallation) | --- ### Release Notes bradleyfalzon/ghinstallation (github.com/bradleyfalzon/ghinstallation/v2) ### `v2.15.0` Compare Source #### What's Changed • bump go-github to v69.2.0 by @cpanato in https://github.com/bradleyfalzon/ghinstallation/pull/147 • Bump github.com/google/go-cmp from 0.6.0 to 0.7.0 by @dependabot in https://github.com/bradleyfalzon/ghinstallation/pull/148 • Bump actions/setup-go from 5.3.0 to 5.4.0 in the actions group by @dependabot in https://github.com/bradleyfalzon/ghinstallation/pull/151 • Bump golangci/golangci-lint-action from 6.5.0 to 7.0.0 by @dependabot in https://github.com/bradleyfalzon/ghinstallation/pull/152 • Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 by @dependabot in https://github.com/bradleyfalzon/ghinstallation/pull/149 • update go-github to v71 by @cpanato in https://github.com/bradleyfalzon/ghinstallation/pull/154 • upgrade golangci-lint to v2 and use best practices for the workflows by @cpanato in https://github.com/bradleyfalzon/ghinstallation/pull/155 Full Changelog: bradleyfalzon/ghinstallation@v2.14.0...v2.15.0 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

GitHub

04/24/2025, 2:09 AM

#3985 feat(api): add new params `BaseBranch`, `Commit` Pull request opened by rgs1 ## what • add additional parameters

BaseBranch

and

Commit

## why As of now, the /api/plan endpoint constructs a PullRequest that uses the provided Ref parameter as the base branch and head commit. This causes issues when running additional steps along with plan (e.g.: policy check, infracost, etc). Here's an example error:

Copy code

repo was already cloned but is not at correct commit, wanted \"pr-plan-test\" got \"7a19f2011...\"

This will then trigger a new clone which will override needed artifacts from the previous steps which will then cause /api/plan to fail. By properly setting HeadCommit from the new optional APIRequest parameter this issue is avoided. ## references ## tests • I have tested my changes by adding unit tests runatlantis/atlantis

GitHub

04/24/2025, 6:52 AM

#5550 chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-0.32) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ---------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/net | v0.36.0 -> v0.38.0 | [[age](https://camo.githubusercontent.com/8085a98b86fb9e6465f09bee9106b8853aa9ee3bad200d0f2f8af44dea6308f9/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/c6f84ae4e14713523cb1898d3a4a4cd5693d08913d33970acad58d753ab1178e/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/46754d081520b7dddd67231f3ba0724238b2c5fa1ba39c9a732e0034739f8187/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/9810c1580c594ae2abbe137b563959d9c8fc66f05cbcce4a10c763d0d475c5e2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### golang.org/x/net vulnerable to Cross-site Scripting CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity • CVSS Score: Unknown • Vector String:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

GitHub

04/24/2025, 6:53 AM

#5551 chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-0.34) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | | ---------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/net | v0.36.0 -> v0.38.0 | [[age](https://camo.githubusercontent.com/8085a98b86fb9e6465f09bee9106b8853aa9ee3bad200d0f2f8af44dea6308f9/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[adoption](https://camo.githubusercontent.com/c6f84ae4e14713523cb1898d3a4a4cd5693d08913d33970acad58d753ab1178e/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f61646f7074696f6e2f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[passing](https://camo.githubusercontent.com/46754d081520b7dddd67231f3ba0724238b2c5fa1ba39c9a732e0034739f8187/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6d7061746962696c6974792f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/9810c1580c594ae2abbe137b563959d9c8fc66f05cbcce4a10c763d0d475c5e2/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f7267253266782532666e65742f76302e33362e302f76302e33382e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### golang.org/x/net vulnerable to Cross-site Scripting CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595 More information #### Details The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). #### Severity • CVSS Score: Unknown • Vector String:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

GitHub

04/25/2025, 10:17 AM

#5553 feat: New reaction emojis Pull request opened by Daniel2000815 runatlantis/atlantis

GitHub

04/26/2025, 8:20 PM

#5554 fix: Added support for slashes in bitbucket project name Pull request opened by psalkiewicz ## what It is a simple change that allows using slashes (/) in bitbucket project names. Atlantis already allows that for gitlab and azuredevops repositories. I came across the issue with Bitbucket and this will add the functionality to the atlantis project. ## why • Bitbucket allows use of slashes in project name (just like gitlab and azuredevops) • Using such projects caused a http 400 error in atlantis • I added another exclusion - if the vcsHostType is Bitbucketserver it will allow using slashes in project name • This fixes the http 400 error when a webhook from bitbucket comes from a project name which contains a slash. ## tests • I tested the issue locally ## references • This bug was reported last year and my fix solves the issue • #4283 runatlantis/atlantis

GitHub

04/30/2025, 7:54 AM

#5557 feat: Extending webhook config to support project and directory regex matching Pull request opened by jracollins ## what This PR adds both

project-regex

and

directory-regex

matching support to extend the existing webhook event configuration. ## why Repositories can contain many Atlantis managed Terraform projects, and can control their applies based on

CODEOWNERS

checks in MRs/PRs by directories etc. As an example folder structure:

Copy code

environments/
├─ development/
│  ├─ project-a/
├─ production/
├─ staging/

Not every apply within the repository may need a slack/webhook notification, or you may want to filter specific projects/folders to different channels or webhook endpoints. Currently Atlantis doesn't support a way of configuring webhooks to fire based on directory, or project name ## tests Added new test cases covering multiple combinations of the existing and new regex fields. ## references Closes #5450 runatlantis/atlantis

GitHub

04/30/2025, 7:36 PM

#5560 chore(deps-dev): bump vite Pull request opened by dependabot[bot] Bumps and vite. These dependencies needed to be updated together. Updates

vite

from 6.2.6 to 6.3.4 Release notes Sourced from vite's releases.

## v6.3.4

Please refer to CHANGELOG.md for details.

## v6.3.3

Please refer to CHANGELOG.md for details.

## v6.3.2

Please refer to CHANGELOG.md for details.

## create-vite@6.3.1

Please refer to CHANGELOG.md for details.

## v6.3.1

Please refer to CHANGELOG.md for details.

## create-vite@6.3.0

Please refer to CHANGELOG.md for details.

## v6.3.0

Please refer to CHANGELOG.md for details.

## v6.3.0-beta.2

Please refer to CHANGELOG.md for details.

## v6.3.0-beta.1

Please refer to CHANGELOG.md for details.

## v6.3.0-beta.0

Please refer to CHANGELOG.md for details.

## v6.2.7

Please refer to CHANGELOG.md for details.

Changelog Sourced from vite's changelog.

## 6.3.4 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965

• fix(optimizer): return plain object when using
require
to import externals in optimized dependenci (efc5eab), closes #19940

• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

## 6.3.3 (2025-04-24)

• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

• fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#1949 (16a73c0), closes #19496

• fix(css): resolve relative imports in sass properly on Windows (#19920) (ffab442), closes #19920

• fix(deps): update all non-major dependencies (#19899) (a4b500e), closes #19899

• fix(ssr): fix execution order of re-export (#19841) (ed29dee), closes #19841

• fix(ssr): fix live binding of default export declaration and hoist exports getter (#19842) (80a91ff), closes #19842

• perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#19921) (55cfd04), closes #19921

• test(ssr): test
ssrTransform
re-export deps and test stacktrace with first line (#19629) (9399cda), closes #19629

## 6.3.2 (2025-04-18)

• fix: match default asserts case insensitive (#19852) (cbdab1d), closes #19852

• fix: open first url if host does not match any urls (#19886) (6abbdce), closes #19886

• fix(css): respect
css.lightningcss
option in css minification process (#19879) (b5055e0), closes #19879

• fix(deps): update all non-major dependencies (#19698) (bab4cb9), closes #19698

• feat(css): improve lightningcss messages (#19880) (c713f79), closes #19880

## 6.3.1 (2025-04-17)

• fix: avoid using
Promise.allSettled
in preload function (#19805) (35c7f35), closes #19805

• fix: backward compat for internal plugin
transform
calls (#19878) (a152b7c), closes #19878

## 6.3.0 (2025-04-16)

• fix(hmr): avoid infinite loop happening with
hot.invalidate
in circular deps (#19870) (d4ee5e8), closes <https://r…

runatlantis/atlantis

GitHub

04/30/2025, 7:39 PM

#5561 chore(deps): update dependency vite to v6.2.7 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------------------------------- | --------------- | ------ | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | patch | [6.2.6 -> 6.2.7](https://renovatebot.com/diffs/npm/vite/6.2.6/6.2.7) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/8215b15f6e981877f9a1a5c6aece43d08f62432a6f674508b5096c494379d30e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f766974656a732f766974652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) | ### GitHub Vulnerability Alerts #### GHSA-859w-5945-r5v3 ### Summary The contents of files in the project `root` that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project `root` and are denied by a file matching pattern can be bypassed. • Examples of file matching patterns:

.env

.env.*

*.{crt,pem}

**/.env

• Examples of other patterns:

**/.git/**

.git/**

.git/**/*

### Details `server.fs.deny` can contain patterns matching against files (by default it includes

.env

.env.*

*.{crt,pem}

as such patterns). These patterns were able to bypass for files under

root

by using a combination of slash and dot (

/.

). ### PoC

Copy code

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. <http://localhost:5173>

[image](https://camo.githubusercontent.com/0681fe273f64c4f05b177de25c9e98c65f18d2bd7f16cc39e7b10cb1bbdd34b2/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f38323266343431362d616134322d343631662d386339352d613838643135356536373462) [image](https://camo.githubusercontent.com/e3e7a92dd6c590d0a2134c215b21095193a83d5673cd6067a5e30460ec230651/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f34323930323134342d383633612d346166622d616335622d666331366566666133376363) --- ### Release Notes vitejs/vite (vite) ### `v6.2.7` Compare Source Please refer to CHANGELOG.md for details. --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

GitHub

04/30/2025, 7:40 PM

#5562 chore(deps): update dependency vite to v5.4.19 [security] (release-0.33) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------------------------------- | --------------- | ------ | ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | patch | [5.4.12 -> 5.4.19](https://renovatebot.com/diffs/npm/vite/5.4.12/5.4.19) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/8215b15f6e981877f9a1a5c6aece43d08f62432a6f674508b5096c494379d30e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f766974656a732f766974652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) | ### GitHub Vulnerability Alerts #### CVE-2025-46565 ### Summary The contents of files in the project `root` that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project `root` and are denied by a file matching pattern can be bypassed. • Examples of file matching patterns:

.env

.env.*

*.{crt,pem}

**/.env

• Examples of other patterns:

**/.git/**

.git/**

.git/**/*

### Details `server.fs.deny` can contain patterns matching against files (by default it includes

.env

.env.*

*.{crt,pem}

as such patterns). These patterns were able to bypass for files under

root

by using a combination of slash and dot (

/.

). ### PoC

Copy code

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. <http://localhost:5173>

[image](https://camo.githubusercontent.com/0681fe273f64c4f05b177de25c9e98c65f18d2bd7f16cc39e7b10cb1bbdd34b2/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f38323266343431362d616134322d343631662d386339352d613838643135356536373462) [image](https://camo.githubusercontent.com/e3e7a92dd6c590d0a2134c215b21095193a83d5673cd6067a5e30460ec230651/68747470733a2f2f72656469726563742e6769746875622e636f6d2f757365722d6174746163686d656e74732f6173736574732f34323930323134342d383633612d346166622d616335622d666331366566666133376363) --- ### Vite bypasses server.fs.deny when using ?raw?? CVE-2025-30208 / GHSA-x574-m823-4x7w More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using

--host

or `server.host` config option) are affected. ##### Details

@fs

denies access to files outside of Vite serving allow list. Adding

?raw??

?import&raw??

to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as

are removed in several places, but are not accounted for in query string regexes. ##### PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt ##### expected behaviour $ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. ##### security bypassed $ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

#### References • https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w • https://nvd.nist.gov/vuln/detail/CVE-2025-30208 • https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4 • https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c • https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41 • https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca • https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1 • https://github.com/vitejs/vite This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Vite has a

server.fs.deny

bypassed for

inline

and

raw

with

?import

query CVE-2025-31125 / GHSA-4r4m-qw57-chr8 More information #### Details ##### Summary The contents of arbitrary files can be returned to the browser. ##### Impact Only apps explicitly exposing the Vite dev server to the network (using

--host

or `server.host` config option) are affected. ##### Details • base64 encoded content of non-allowed files is exposed using

?inline&import

(originally reported as

?import&?inline=1.wasm?init

) • content of non-allowed files is exposed using

?raw?import

/@&#8203;fs/

isn't needed to reproduce the issue for files inside the proj… runatlantis/atlantis

GitHub

05/01/2025, 2:15 AM

#3807 feat: Added apply-error-label config option Pull request opened by kvanzuijlen ## what Automatically adds a label to the PR when the apply command failed. ## why Can be used together with #3799. It might be undesired to unlock a project in a partially applied state. This could have users think about it twice before unlocking a project in a partially applied state ## tests • I have tested my changes by writing unit tests ## references Addition to #3799 runatlantis/atlantis

GitHub

05/01/2025, 10:35 PM

#5564 feat(api): pass flags to plan and apply endpoints Pull request opened by jasondamour ## what • Support adding ExtraArgs per-directory via API endpoints ## why • API should support all the same options as the PR integration ## tests [x]

make test

## references • Re-implementation of the work done by @igaskin in #3287 • Closes #3256 runatlantis/atlantis

GitHub

05/03/2025, 2:08 AM

#5177 fix: change clone URL check for gitlab to account for possible subpath Pull request opened by philslab-ninja ## what This change allows GitLab URLs that include a subpath in the hostname while maintaining the security checks for repository path validation. The validation will pass as long as the full URL path ends with the expected repository path, which accommodates the case where ATLANTIS_GITLAB_HOSTNAME includes a path component. ## why In one of my projects github enterprise unfortunately was setup with a basepath (like git.acme.com/gitlab). Setting ATLANTIS_GITLAB_HOSTNAME to git.acme.com/gitlab results in an error like: expected clone url to have path "/path/to/repo.git" but had "/gitlab/path/to/repo.git" ## tests • I have tested my changes by building and using the application with the changed behaviour ## references closes #1450 runatlantis/atlantis

GitHub

05/04/2025, 8:25 PM

#5566 docs: update example for policy checks against terraform files Pull request opened by kirecek ## what • update example for policy checks againts source files with code that works • include custom policy checks in the navbar ## why Suggested example to run conftest againts source files by patching

run:

does not really work because of the following issues: • #4308 With custom policy checks enabled, output is parsed but it's not evaluated correctly as described here. • #4952 runatlantis/atlantis

GitHub

05/05/2025, 11:13 AM

#5567 fix: correct plan/apply divergent error message Pull request opened by Fab1n ## what Change the wording of the error message that gets displayed as comment on PRs where the default branch has diverged from the PR's branch. It switches both mentioned branches to be inline with rebase terminology in git. Let me know if this is correct or not. ## why The error message is wrong I think and could lead to confusion. ## tests • I have tested my changes by adapting one necessary test Also this is only printed string change. runatlantis/atlantis