# github-prs
  • g

    GitHub

    08/14/2025, 12:05 AM
    #5710 Sync fork
    Pull request opened by cemery93
    runatlantis/atlantis
  • g

    GitHub

    08/14/2025, 12:06 AM
    #5711 chore(deps): update amannn/action-semantic-pull-request digest to e32d7e6 in .github/workflows/pr-lint.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [amannn/action-semantic-pull-request](https://redirect.github.com/amannn/action-semantic-pull-request) | action | digest | 0723387 -> e32d7e6 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/amannn/action-semantic-pull-request) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Disabled because a matching PR was automerged previously.
    ♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/15/2025, 2:31 AM
    #5712 chore(deps): update ghcr.io/runatlantis/testing-env:latest docker digest to 725981e in .github/workflows/test.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | ghcr.io/runatlantis/testing-env | container | digest | 143a71d -> 725981e |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/15/2025, 6:02 AM
    #5713 fix: clear pending VCS status when silence flags enabled and no projects found
    Pull request opened by jamengual

    ## Summary

    Fixes issue #5389 where PRs were getting stuck with pending status when `ATLANTIS_SILENCE_VCS_STATUS_NO_PLANS` and `ATLANTIS_SILENCE_VCS_STATUS_NO_PROJECTS` were enabled and no projects matched `when_modified` patterns.

    ## Problem Description

    In v0.33.0, users with `when_modified` configurations started experiencing PRs stuck in pending status when:

    1. `ATLANTIS_SILENCE_VCS_STATUS_NO_PLANS=true` or `ATLANTIS_SILENCE_VCS_STATUS_NO_PROJECTS=true`
    2. No files matching the `when_modified` patterns were changed
    3. The PR check remained in "pending" state indefinitely, blocking auto-merge

    ## Root Cause Analysis

    The issue was introduced in PR #5242 (commit be06063) which moved the VCS status update to "pending" earlier in the process:

    Before v0.33:
    • Status updates happened within plan/apply runners AFTER determining if projects existed
    • If no projects found + silence enabled → no status update (clean)

    In v0.33:
    • Status set to "pending" immediately in `command_runner.go` when webhook received
    • If no projects found + silence enabled → pending status never cleared → STUCK

    ## Solution

    Modified `server/events/plan_command_runner.go` to clear pending status even when silence flags are enabled:

    ### Changes Made

    1. Autoplan path (lines 115-128): Added else block to clear pending status when silence is enabled but no projects found
    2. Manual plan path (lines 246-259): Added else block for the same scenario
    3. Status clearing: When conditions met, update status to success (0/0) to clear pending state

    ### Code Changes

    ```go
    // Before (v0.33.0)
    if !(p.silenceVCSStatusNoPlans || p.silenceVCSStatusNoProjects) {
        // Update status
    }
    return // Status left in pending if silence enabled

    // After (this fix)
    if !(p.silenceVCSStatusNoPlans || p.silenceVCSStatusNoProjects) {
        // Update status normally
    } else {
        // Clear pending status even when silenced
        ctx.Log.Debug("clearing pending status since no projects found and silence is enabled")
        // Update to success 0/0 to clear pending
    }
    ```

    ## Testing

    ### New Test Coverage

    • Added `TestPlanCommandRunner_SilenceFlagsClearsPendingStatus` to prevent regression
    • Updated existing test expectations for silence flag behavior
    • Test verifies that status is cleared when silence flags are enabled and no projects found

    ### Verification

    • All existing tests pass
    • New test demonstrates the fix works correctly
    • Debug logging added to trace when status clearing occurs

    ## Impact

    • Fixes: PRs no longer stuck in pending when using `when_modified` with silence flags
    • Maintains: All existing behavior for normal cases
    • Improves: Auto-merge functionality works as expected
    • Safe: Minimal change with comprehensive test coverage

    ## Test Plan

    • Unit tests pass
    • New regression test added
    • Manual verification of log messages
    • All existing silence flag tests continue to pass

    ## Related Issues

    Fixes #5389

    ## Breaking Changes

    None. This is a bug fix that restores expected behavior.

    runatlantis/atlantis
  • g

    GitHub

    08/15/2025, 9:23 PM
    #5714 docs: replace version badges with comments in repo-level atlantis.yaml example
    Pull request opened by jamengual

    ## Summary

    Replace HTML badge elements with clean YAML comments in the 'Example Using All Keys' section of the repo-level atlantis.yaml documentation to improve readability while preserving version information.

    ## Changes Made

    • Converted HTML badges to comments: Replaced `<Badge text="vX.X.X+" type="info"/>` with `# Available since vX.X.X`
    • Improved readability: The YAML example is now much cleaner and easier to read
    • Maintained version info: All version information is preserved as inline comments
    • Better copyability: Users can now easily copy the YAML without HTML elements

    ## Before vs After

    Before:

    ```yaml
    version: 3 <Badge text="v0.1.0+" type="info"/>
    automerge: true <Badge text="v0.15.0+" type="info"/>
    ```

    After:

    ```yaml
    version: 3 # Available since v0.1.0
    automerge: true # Available since v0.15.0
    ```

    ## Motivation

    The HTML badge elements made the YAML example cluttered and less readable. Converting to comments:

    • Maintains all version information
    • Improves code readability
    • Makes the example easier to copy/paste
    • Keeps version badges only in server configuration docs as intended

    ## Impact

    • Documentation: Cleaner, more readable YAML examples
    • User Experience: Easier to copy and understand configuration options
    • Consistency: Version badges now only appear in server configuration docs
    • No Breaking Changes: Pure documentation improvement

    ## Files Changed

    • `runatlantis.io/docs/repo-level-atlantis-yaml.md`: Updated "Example Using All Keys" section

    runatlantis/atlantis
  • g

    GitHub

    08/16/2025, 12:39 AM
    #5715 chore(deps): update github/codeql-action digest to df55935 in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | ce28f5b -> df55935 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/17/2025, 1:03 AM
    #5716 chore(deps): update goreleaser/goreleaser-action digest to e435ccd in .github/workflows/release.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [goreleaser/goreleaser-action](https://redirect.github.com/goreleaser/goreleaser-action) | action | digest | 9c156ee -> e435ccd | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/goreleaser/goreleaser-action) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/18/2025, 2:09 AM
    #5717 chore(deps): update ngrok/ngrok:latest docker digest to 1dae5be in docker-compose.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Update | Change |
    | --- | --- | --- |
    | ngrok/ngrok | digest | 0dbf30e -> 1dae5be |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/19/2025, 1:38 AM
    #5719 chore(deps): update github/codeql-action digest to 96f518a in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | df55935 -> 96f518a | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/19/2025, 11:26 PM
    #5720 chore(deps): update dependency mermaid to v11.10.0 [security] (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | devDependencies | minor | [11.4.1 -> 11.10.0](https://renovatebot.com/diffs/npm/mermaid/11.4.1/11.10.0) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/mermaid-js/mermaid) |

    ### GitHub Vulnerability Alerts

    #### CVE-2025-54880

    ### Summary

    In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method, creating a sink for cross site scripting.

    ### Details

    Architecture diagram service `iconText` values are passed to the d3 `html()` method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration.

    The vulnerability lies here:

    ```ts
    export const drawServices = async function (
      db: ArchitectureDB,
      elem: D3Element,
      services: ArchitectureService[]
    ): Promise<number> {
      for (const service of services) {
        /** ... **/
        } else if (service.iconText) {
          bkgElem.html(
            `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
          );
          const textElemContainer = bkgElem.append('g');
          const fo = textElemContainer
            .append('foreignObject')
            .attr('width', iconSize)
            .attr('height', iconSize);
          const divElem = fo
            .append('div')
            .attr('class', 'node-icon-text')
            .attr('style', `height: ${iconSize}px;`)
            .append('div')
            .html(service.iconText); // <- iconText passed into innerHTML
          /** ... **/
      };
    };
    ```

    This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, I've not dug into which version of mermaid was first affected.

    ### PoC

    Render the following diagram and observe the modified DOM.
    architecture-beta
        group api(cloud)[API]
        service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api
    Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

    ### Impact

    XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

    ### Remediation

    Sanitize the value of `iconText` before passing it to `html()`.

    #### CVE-2025-54881

    ### Summary

    In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calculation of element size, causing XSS.

    ### Details

    Sequence diagram node labels with KaTeX delimiters are passed through `calculateMathMLDimensions`. This method passes the full label to `innerHTML` which allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration (with KaTeX support enabled).

    The vulnerability lies here:

    ```ts
    export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
      text = await renderKatex(text, config);
      const divElem = document.createElement('div');
      divElem.innerHTML = text; // XSS sink, text has not been sanitized.
      divElem.id = 'katex-temp';
      divElem.style.visibility = 'hidden';
      divElem.style.position = 'absolute';
      divElem.style.top = '0';
      const body = document.querySelector('body');
      body?.insertAdjacentElement('beforeend', divElem);
      const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
      divElem.remove();
      return dim;
    };
    ```

    The `calculateMathMLDimensions` method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.

    ### PoC

    Render the following diagram and observe the modified DOM.
    sequenceDiagram
        participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
        A->>John: Hello John, how are you?
        Alice-)John: See you later!
    Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

    ### Impact

    XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

    ### Remediation

    The value of the `text` argument for the `calculateMathMLDimensions` method needs to be sanitized before getting passed on to `innerHTML`.

    ---

    ### Release Notes

    mermaid-js/mermaid (mermaid)

    ### `v11.10.0`

    Compare Source

    ##### Minor Changes

    • #6744 `daf8d8d` Thanks @SpecularAura! - feat: Added support for per link curve styling in flow…

    runatlantis/atlantis
  • g

    GitHub

    08/20/2025, 3:31 AM
    #5721 chore(deps): update redis:7.4-alpine docker digest to bb186d0 in docker-compose.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Update | Change |
    | --- | --- | --- |
    | redis | digest | ee9e874 -> bb186d0 |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/20/2025, 2:45 PM
    #5723 chore(deps-dev): bump mermaid from 11.4.1 to 11.10.0
    Pull request opened by dependabot[bot]

    Bumps mermaid from 11.4.1 to 11.10.0.

    Release notes
    Sourced from mermaid's releases.
    ## mermaid@11.10.0
    ### Minor Changes
    • #6744 `daf8d8d` Thanks `@​SpecularAura`! - feat: Added support for per link curve styling in flowchart diagram using edge ids
    ### Patch Changes
    • #6857 `b9ef683` Thanks `@​knsv`! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration
    • #6653 `2c0931d` Thanks `@​darshanr0107`! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status
    • #6683 `33e08da` Thanks `@​darshanr0107`! - fix: Position the edge label in state diagram correctly relative to the edge
    • #6693 `814b68b` Thanks `@​darshanr0107`! - fix: Apply correct dateFormat in Gantt chart to show only day when specified
    • #6734 `fce7cab` Thanks `@​darshanr0107`! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HHmmss'
    • #6733 `fc07f0d` Thanks `@​omkarht`! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape
    • #6876 `12e01bd` Thanks `@​sidharthv96`! - fix: sanitize icon labels and icon SVGs
    Resolves CVE-2025-54880 reported by `@​fourcube`
    • #6801 `01aaef3` Thanks `@​sidharthv96`! - fix: Update casing of ID in requirement diagram
    • #6796 `c36cd05` Thanks `@​HashanCP`! - fix: Make flowchart elk detector regex match less greedy
    • #6702 `8bb29fc` Thanks `@​qraqras`! - fix(block): overflowing blocks no longer affect later lines
    This may change the layout of block diagrams that have overflowing lines (i.e. block diagrams that use up more columns than the `columns` specifier).
    • #6717 `71b04f9` Thanks `@​darshanr0107`! - fix: log warning for blocks exceeding column width
    This update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.
    • #6820 `c99bce6` Thanks `@​kriss-u`! - fix: Add escaped class literal name on namespace
    • #6332 `6cc1926` Thanks `@​ajuckel`! - fix: Allow equals sign in sequenceDiagram labels
    • #6651 `9da6fb3` Thanks `@​darshanr0107`! - Add validation for negative values in pie charts:
    Prevents crashes during parsing by validating values post-parsing.
    Provides clearer, user-friendly error messages for invalid negative inputs.
    • #6803 `e48b0ba` Thanks `@​omkarht`! - chore: migrate to class-based ArchitectureDB implementation
    • #6838 `4d62d59` Thanks `@​saurabhg772244`! - fix: node border style for handdrawn shapes
    ... (truncated)

    Commits
    • `96778f7` Merge pull request #6880 from mermaid-js/changeset-release/master
    • `d4c058b` Version Packages
    • `b638a0a` temp: Remove peerDeps from examples
    • `fd9aa36` chore: Update peerDependencies for examples
    • `46a9f1b` temp: Disable cspell check as it's blocking release
    • `83c6224` Merge pull request #6878 from mermaid-js/develop
    • `d8161b1` fix: move fourcube to contributor
    • `8223141` chore: add fourcube to cspell
    • `99f98a6` Merge pull request #6877 from mermaid-js/update-timings
    • `ef28f54` chore: update E2E timings
    • Additional commits viewable in compare view

    [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)…

    runatlantis/atlantis
  • g

    GitHub

    08/21/2025, 3:02 AM
    #5724 chore(deps): update step-security/harden-runner digest to ec9f2d5 in .github/workflows/scorecard.yml (main)
    Pull request opened by renovate[bot]

    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | digest | 002fdce -> ec9f2d5 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) |

    ---

    ### Configuration

    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/21/2025, 11:33 AM
    #5726 fix: show output if the custom policy check errors
    Pull request opened by zendesk-piotrpawluk

    ## what

    The custom policy check output is now visible as a PR comment even if the check exits with non-zero status.

    Example:

    ```sh
    # custom-policy-check.sh
    echo "some test output for policy check"
    echo "another line"
    exit 1
    ```

    Old: [Screenshot 2025-08-21 at 11 36 04]

    New - policy error: [Screenshot 2025-08-21 at 13 16 00]

    (vs policy failure (exit 0 and "fail" in stdout)): [Screenshot 2025-08-21 at 13 25 55]

    ## why

    • Some tools are using non-zero exit code to indicate policy failure - previously we had to always `|| true` to see the output and to let users `approve_policies`.
    • Also if a custom script has a bug, there are no logs from the script execution available anywhere (unless you enable debug logging which is not really feasible in production environment) to help debugging.
    • This change also lets users proceed with apply (by `approve_policies`) even if there is an issue with the policy check script itself.

    ## tests

    • tested manually (see screenshots above)...
    • ... and added tests for running custom policy check

    ## references

    • closes #5725

    runatlantis/atlantis
  • g

    GitHub

    08/21/2025, 2:59 PM
    #5727 chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0
    Pull request opened by dependabot[bot]

    Bumps github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0.

    Release notes
    Sourced from github.com/go-viper/mapstructure/v2's releases.
    ## v2.4.0
    ## What's Changed
    • refactor: replace interface{} with any by `@​sagikazarmark` in go-viper/mapstructure#115
    • build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by `@​dependabot`[bot] in go-viper/mapstructure#114
    • Generic tests by `@​sagikazarmark` in go-viper/mapstructure#118
    • Fix godoc reference link in README.md by `@​peczenyj` in go-viper/mapstructure#107
    • feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by `@​ErfanMomeniii` in go-viper/mapstructure#117
    • feat: add back previous StringToSlice as a weak function by `@​sagikazarmark` in go-viper/mapstructure#119
    ## New Contributors
    • `@​ErfanMomeniii` made their first contribution in go-viper/mapstructure#117
    Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0
    Commits
    • `b9794a5` Merge pull request #119 from go-viper/string-to-weak-slice
    • `17cdcb0` feat: add back previous StringToSlice as a weak function
    • `3caca36` Merge pull request #117 from ErfanMomeniii/main
    • `9a861bc` Merge pull request #107 from peczenyj/patch-2
    • `86ed5b5` refactor: update
    • `ace5b4e` chore: add interface any linter
    • `1a4f1ae` Merge pull request #118 from go-viper/generic-tests
    • `a268909` fix: lint
    • `17f1fd4` test: add more comments
    • `b48c856` test: expand tests
    • Additional commits viewable in compare view

    [Dependabot compatibility score]

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

    ---

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:
    • `@dependabot rebase` will rebase this PR
    • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
    • `@dependabot merge` will merge this PR after your CI passes on it
    • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
    • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
    • `@dependabot reopen` will reopen this PR if it is closed
    • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
    • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    runatlantis/atlantis
  • g

    GitHub

    08/21/2025, 2:59 PM
    #5662 chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 Pull request opened by dependabot[bot] Bumps github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0. Release notes Sourced from github.com/go-viper/mapstructure/v2's releases.
    ## v2.3.0
    ## What's Changed
    • build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by `@​dependabot` in go-viper/mapstructure#46
    • build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by `@​dependabot` in go-viper/mapstructure#47
    • [enhancement] Add check for `reflect.Value` in `ComposeDecodeHookFunc` by `@mahadzaryab1` in go-viper/mapstructure#52
    • build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by `@​dependabot` in go-viper/mapstructure#51
    • build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by `@​dependabot` in go-viper/mapstructure#50
    • build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by `@​dependabot` in go-viper/mapstructure#55
    • build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by `@​dependabot` in go-viper/mapstructure#58
    • ci: add Go 1.24 to the test matrix by `@​sagikazarmark` in go-viper/mapstructure#74
    • build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by `@​dependabot` in go-viper/mapstructure#72
    • build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by `@​dependabot` in go-viper/mapstructure#76
    • build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by `@​dependabot` in go-viper/mapstructure#78
    • feat: add decode hook for netip.Prefix by `@​tklauser` in go-viper/mapstructure#85
    • Updates by `@​sagikazarmark` in go-viper/mapstructure#86
    • build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by `@​dependabot` in go-viper/mapstructure#87
    • build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by `@​dependabot` in go-viper/mapstructure#93
    • build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by `@​dependabot` in go-viper/mapstructure#92
    • build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by `@​dependabot` in go-viper/mapstructure#97
    • build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by `@​dependabot` in go-viper/mapstructure#96
    • Update README.md by `@​peczenyj` in go-viper/mapstructure#90
    • Add omitzero tag. by `@​Crystalix007` in go-viper/mapstructure#98
    • Use error structs instead of duplicated strings by `@​m1k1o` in go-viper/mapstructure#102
    • build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by `@​dependabot` in go-viper/mapstructure#101
    • feat: add common error interface by `@​sagikazarmark` in go-viper/mapstructure#105
    • update linter by `@​sagikazarmark` in go-viper/mapstructure#106
    • Feature allow unset pointer by `@​rostislaved` in go-viper/mapstructure#80
    ## New Contributors
    • `@​tklauser` made their first contribution in go-viper/mapstructure#85
    • `@​peczenyj` made their first contribution in go-viper/mapstructure#90
    • `@​Crystalix007` made their first contribution in go-viper/mapstructure#98
    • `@​rostislaved` made their first contribution in go-viper/mapstructure#80
    Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0
    Commits • `8c61ec1` Merge pull request #80 from rostislaved/feature-allow-unset-pointer • `df765f4` Merge pull request #106 from go-viper/update-linter • `5f34b05` update linter • `36de1e1` Merge pull request #105 from go-viper/error-refactor • `6a283a3` chore: update error type doc • `599cb73` Merge pull request #101 from go-viper/dependabot/github_actions/github/codeql... • `ed3f921` feat: remove value from error messages • `a3f8b22` revert: error message change • `9661f6d` feat: add common error interface • `f12f6c7` Merge pull request #102 from m1k1o/prettify-errors2 • Additional commits viewable in compare view <https://docs.github.com/en/github/managing-security-vulnerabilities/about-… runatlantis/atlantis
  • g

    GitHub

    08/22/2025, 12:32 AM
    #5728 chore(deps): update github/codeql-action digest to 3c3833e in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 96f518a -> 3c3833e | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/22/2025, 5:14 AM
    #5729 chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github.com/go-viper/mapstructure/v2](https://redirect.github.com/go-viper/mapstructure) | indirect | minor | v2.3.0 -> v2.4.0 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/go-viper/mapstructure) |
    ### GitHub Vulnerability Alerts
    #### GHSA-2464-8j7c-4cjm
    ### Summary
    Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.
    ### Details
    OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:
    https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50
        _, _, err := d.getPrimitive(field, schema)
        if err != nil {
            return fmt.Errorf("error converting input for field %q: %w", field, err)
        }
    where this calls `mapstructure.WeakDecode(...)`:
    https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193
        func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
            raw, ok := d.Raw[k]
            if !ok {
                return nil, false, nil
            }
            switch t := schema.Type; t {
            case TypeBool:
                var result bool
                if err := mapstructure.WeakDecode(raw, &result); err != nil {
                    return nil, false, err
                }
                return result, true, nil
    Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value via `strconv` helpers:
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L720-L727
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L791-L798
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/decode_hooks.go#L180
    & more. These are different code paths than are fixed in the previous iteration at GHSA-fv92-fjc5-jj9h.
    ### PoC
    To reproduce with OpenBao:
    $ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
    and in a new tab:
    $ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
    Success! Enabled userpass auth method at: userpass/
    $ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"

    --> server logs:

    2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
    ### Impact
    This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided). This was rated 4.5 Medium by HashiCorp in the past iteration.
    ---
    ### go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
    GHSA-2464-8j7c-4cjm
    More information
    #### Details
    ##### Summary
    Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.
    ##### Details
    OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:
    https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50
        _, _, err := d.getPrimitive(field, schema)
        if err != nil {
            return fmt.Errorf("error converting input for field %q: %w", field, err)
        }
    where this calls `mapstructure.WeakDecode(...)`:
    https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193
        func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
            raw, ok := d.Raw[k]
            if !ok {
                return nil, false, nil
            }
            switch t := schema.Type; t {
            case TypeBool:
                var result bool
                if err := mapstructure.WeakDecode(raw, &result); err != nil {
                    return nil, false, err
                }
                return result, true, nil
    Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value via `strconv` helpers:
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L720-L727
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L791-L798
    https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/decode_hooks.go#L180
    & more. These are different code paths than are fixed in the previous iteration at <https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h "GHSA-fv92-fjc5-jj9h"|GHSA-fv92-fjc5-jj… runatlantis/atlantis
  • g

    GitHub

    08/23/2025, 12:42 AM
    #5730 chore(deps): update dependency opentofu/opentofu to v1.10.5 in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Update | Change | OpenSSF |
    | --- | --- | --- | --- |
    | [opentofu/opentofu](https://redirect.github.com/opentofu/opentofu) | patch | 1.10.1 -> 1.10.5 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/opentofu/opentofu) |
    ---
    ### Release Notes
    opentofu/opentofu (opentofu/opentofu)
    ### `v1.10.5`
    Compare Source
    BUG FIXES:
    • Fixed issue where usage of TF_PLUGIN_CACHE_DIR could result in unexpected lock contention errors (#3090)
    • NOTE: It is still highly recommended to have valid .terraform.lock.hcl files in projects using TF_PLUGIN_CACHE_DIR
    Full Changelog: opentofu/opentofu@v1.10.4...v1.10.5
    ### `v1.10.4`
    Compare Source
    BUG FIXES:
    • Fixed crash where sensitive set values used in for_each could cause a panic. (#3070)
    • Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#3068)
    • Reduced calls to ListKeys in azure backend (for rate limiting). (#3083)
    Full Changelog: opentofu/opentofu@v1.10.3...v1.10.4
    ### `v1.10.3`
    Compare Source
    #### 1.10.3
    BUG FIXES:
    • OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by `try` or `can` and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#2988)
    • Ensure provider downloads into temp are cleaned up correctly on windows. (#2843)
    • Correctly handle structural typed attributes during test provider mocking. (#2994)
    • Fix erroneous detection of changes with sensitive resource attributes. (#3024)
    Full Changelog: opentofu/opentofu@v1.10.2...v1.10.3
    ### `v1.10.2`
    Compare Source
    #### 1.10.2
    • S3 backend now correctly sends the `x-amz-server-side-encryption` header for the lockfile. (#2870)
    • A provider source address explicitly using the hostname `registry.terraform.io` will no longer cause errors related to a corresponding provider on `registry.opentofu.org` when executing workflow commands like plan and apply. (#2979)
    Full Changelog: opentofu/opentofu@v1.10.1...v1.10.2
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/23/2025, 9:03 AM
    #5624 chore(deps): update module github.com/cloudflare/circl to v1.6.1 [security] (release-0.34) - autoclosed
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github.com/cloudflare/circl](https://redirect.github.com/cloudflare/circl) | indirect | minor | v1.3.9 -> v1.6.1 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/cloudflare/circl) |
    ---
    ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl
    CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754
    More information
    #### Details
    CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl
    #### Severity
    Unknown
    #### References
    • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
    • https://github.com/cloudflare/circl/tree/v1.6.1
    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
    ---
    ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
    CVE-2025-8556 / GHSA-2x5j-vhc8-9cwm / GO-2025-3754
    More information
    #### Details
    ##### Impact
    The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.
    ##### Patches
    Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
    #### Severity
    • CVSS Score: 3.7 / 10 (Low)
    • Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`
    #### References
    • https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
    • https://nvd.nist.gov/vuln/detail/CVE-2025-8556
    • https://access.redhat.com/security/cve/CVE-2025-8556
    • https://bugzilla.redhat.com/show_bug.cgi?id=2371624
    • https://github.com/cloudflare/circl
    • https://github.com/cloudflare/circl/tree/v1.6.1
    This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
    ---
    ### Release Notes
    cloudflare/circl (github.com/cloudflare/circl)
    ### `v1.6.1`: CIRCL v1.6.1
    Compare Source
    #### CIRCL v1.6.1
    • Fixes some point checks on the FourQ curve.
    • Hybrid KEM fails on low-order points.
    ##### What's Changed
    • kem/hybrid: ensure X25519 hybrids fails with low order points by @Lekensteyn in https://github.com/cloudflare/circl/pull/541
    • .github: Use native ARM64 builders instead of QEMU by @Lekensteyn in https://github.com/cloudflare/circl/pull/542
    • Fixes several errors on twisted Edwards curves. by @armfazh in https://github.com/cloudflare/circl/pull/545
    • Release v1.6.1 by @armfazh in https://github.com/cloudflare/circl/pull/546
    Full Changelog: cloudflare/circl@v1.6.0...v1.6.1
    ### `v1.6.0`: CIRCL v1.6.0
    Compare Source
    #### CIRCL v1.6.0
    ##### New!
    • Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf).
    • X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem)
    ##### What's Changed
    • Add OIDs to ML-DSA by @bwesterb in https://github.com/cloudflare/circl/pull/519
    • Adds Prio3 a set of verifiable distributed aggregation functions. by @armfazh in https://github.com/cloudflare/circl/pull/522
    • Run semgrep cronjob only in upstream repository. by @armfazh in https://github.com/cloudflare/circl/pull/526
    • X-Wing PQ/T hybrid by @bwesterb in https://github.com/cloudflare/circl/pull/471
    • ckem: move crypto/elliptic to crypto/ecdh by @MingLLuo in https://github.com/cloudflare/circl/pull/529
    • hpke: Update HPKE code to use ecdh stdlib package. by @armfazh in https://github.com/cloudflare/circl/pull/530
    • prio3: Adds polynomial multiplication using NTT by @armfazh in https://github.com/cloudflare/circl/pull/532
    • Add Prio3 in readme. by <https://redire… runatlantis/atlantis
  • g

    GitHub

    08/23/2025, 9:03 AM
    #5551 chore(deps): update module golang.org/x/net to v0.38.0 [security] (release-0.34) - autoclosed
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Change | Age | Confidence |
    | --- | --- | --- | --- |
    | golang.org/x/net | v0.36.0 -> v0.38.0 | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |
    ---
    ### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
    More information
    #### Details
    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
    #### Severity
    Unknown
    #### References
    • https://go.dev/cl/662715
    • https://go.dev/issue/73070
    • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
    ---
    ### golang.org/x/net vulnerable to Cross-site Scripting
    CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
    More information
    #### Details
    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).
    #### Severity
    • CVSS Score: Unknown
    • Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`
    #### References
    • https://nvd.nist.gov/vuln/detail/CVE-2025-22872
    • https://go.dev/cl/662715
    • https://go.dev/issue/73070
    • https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
    • https://pkg.go.dev/vuln/GO-2025-3595
    • https://security.netapp.com/advisory/ntap-20250516-0007
    This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
    ---
    ### Configuration
    📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/24/2025, 1:52 AM
    #5731 chore(deps): update actions/dependency-review-action action to v4.7.2 in .github/workflows/dependency-review.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | patch | v4.7.1 -> v4.7.2 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action) |
    ---
    ### Release Notes
    actions/dependency-review-action (actions/dependency-review-action)
    ### `v4.7.2`: 4.7.2
    Compare Source
    #### What's Changed
    • Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in https://github.com/actions/dependency-review-action/pull/945
    • Deprecate deny lists by @claire153 in https://github.com/actions/dependency-review-action/pull/958
    • Address discrepancy between docs and reality by @ahpook in https://github.com/actions/dependency-review-action/pull/960
    #### New Contributors
    • @KyFaSt made their first contribution in https://github.com/actions/dependency-review-action/pull/945
    • @claire153 made their first contribution in https://github.com/actions/dependency-review-action/pull/958
    • @ahpook made their first contribution in https://github.com/actions/dependency-review-action/pull/960
    Full Changelog: actions/dependency-review-action@v4...v4.7.2
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/25/2025, 1:14 AM
    #5733 chore(deps): update dependency vitepress to v1.6.4 in package.json (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [vitepress](https://vitepress.dev/) ([source](https://redirect.github.com/vuejs/vitepress)) | devDependencies | patch | [1.6.3 -> 1.6.4](https://renovatebot.com/diffs/npm/vitepress/1.6.3/1.6.4) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vuejs/vitepress) |
    ---
    ### Release Notes
    vuejs/vitepress (vitepress)
    ### `v1.6.4`
    Compare Source
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/25/2025, 1:29 PM
    #5735 docs: #5734 - Update notes for GH App webhooks
    Pull request opened by jreslock
    ## what
    The webhook configuration notes are confusing on the documentation page that instructs users how to configure a GitHub App for source control integration. There are two somewhat conflicting statements that could be combined into a single note and given a bit more explanation. This will prevent questions like the one I asked in Slack specifically about being confused by this documentation.
    ## why
    I have time to help and I think clear documentation is extremely helpful in providing a smooth adoption/on-boarding experience for new users while also helping "advanced" users move faster. If there are suggestions on wording, grammar, etc. please comment. I am happy to make whatever changes are requested/required. I am by no means emotionally attached to the actual verbiage I proposed in this PR as long as it is clear and concise.
    ## tests
    I have not tested because this is just a doc change. I am not sure how to build or test that the docs render correctly. Happy to do that if someone would like to point me in that direction.
    ## references
    closes #5734
    runatlantis/atlantis
  • g

    GitHub

    08/26/2025, 3:08 AM
    #5737 feat: add logging to markdown template loading and override
    Pull request opened by SaberSHO
    ## what
    • Fix silent failure of `--markdown-template-overrides-dir` functionality
    • Add comprehensive diagnostic logging to template loading process with clear error reporting
    • Replace silent error handling with proper user feedback when template overrides fail to load
    • Implement execution diagnostics to trace which templates are being rendered and catch runtime errors
    ## why
    • Resolves complete non-functionality of template overrides reported in Issue #5736 where custom templates were never loaded due to silent `ParseGlob` failures
    • Improves user experience by providing clear visibility into template loading process instead of silent fallbacks to built-in templates
    • Enables proper troubleshooting through detailed logging when template override configurations have issues (missing directories, syntax errors, file permissions)
    • Follows CONTRIBUTING.md standards with compliant logging format (lowercase messages, quoted variables, appropriate log levels)
    ## tests
    • Built and deployed locally to Kubernetes cluster with same configuration as Issue #5736
    • Verified diagnostic logging works - logs now clearly show template loading process:
      {"level":"info","msg":"loading built-in markdown templates"}
      {"level":"info","msg":"successfully loaded 78 built-in templates"}
      {"level":"info","msg":"checking for template overrides in directory \"/home/atlantis/templates\""}
      {"level":"warn","msg":"template override directory does not exist \"/home/atlantis/templates\""}
    • Confirmed fix identifies root cause - logging revealed path double-escaping issue that was previously invisible
    • Created comprehensive unit tests in `markdown_renderer_template_override_test.go` covering:
      • Successful template override loading
      • Template syntax error handling
      • Empty directory scenarios
      • Multiple template files
      • Direct reproduction of original bug from Issue #5736
    • Updated existing test files to accommodate new `logger` parameter in `NewMarkdownRenderer`
    • Fixed import issues in e2e test files introduced by changes
    • Verified template override tests pass - all new functionality works as expected
    • Local test results show no regressions - failures are environment-related (old git version, missing conftest binary)
    ## references
    • Closes #5736
    • Implementation follows the detailed fix plan in `atlantis-template-override-fix-plan.md`
    • Addresses original bug report documented in `atlantis-bug-report.md`
    • All logging follows CONTRIBUTING.md guidelines for consistency with project standards
    ---
    Key Achievement: This fix transforms template overrides from completely non-functional (silent failures) to fully functional with excellent diagnostic capabilities, enabling users to easily troubleshoot configuration issues.
    runatlantis/atlantis
  • g

    GitHub

    08/26/2025, 3:28 AM
    #5738 chore(deps): update dependency vue to v3.5.19 in package.json (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | Pending | OpenSSF |
    | --- | --- | --- | --- | --- | --- |
    | [vue](https://redirect.github.com/vuejs/core/tree/main/packages/vue#readme) ([source](https://redirect.github.com/vuejs/core)) | devDependencies | patch | [3.5.17 -> 3.5.19](https://renovatebot.com/diffs/npm/vue/3.5.17/3.5.19) | 3.5.20 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vuejs/core) |
    ---
    ### Release Notes
    vuejs/core (vue)
    ### `v3.5.19`
    Compare Source
    ##### Bug Fixes
    • compiler-core: adjacent v-else should cause a compiler error (#13699) (911e670), closes #13698
    • compiler-core: prevent cached array children from retaining detached dom nodes (#13691) (7f60ef8), closes element-plus/element-plus#21408 #13211
    • compiler-sfc: improve type inference for generic type aliases types (#12876) (d9dd628), closes #12872
    • compiler-sfc: throw mismatched script langs error before invoking babel (#13194) (0562548), closes #13193
    • compiler-ssr: disable v-memo transform in ssr vdom fallback branch (#13725) (0a202d8), closes #13724
    • devtools: clear performance measures (#13701) (c875019), closes #13700
    • hmr: prevent updating unmounting component during HMR rerender (#13775) (6e5143d), closes #13771 #13772
    • hydration: also set vShow name if `__FEATURE_PROD_HYDRATION_MISMATCH_DETAILS__` flag is enabled (#13777) (439e1a5), closes #13744
    • reactivity: warn on nested readonly ref update during unwrapping (#12141) (1498821)
    • runtime-core: avoid setting direct ref of useTemplateRef in dev (#13449) (4a2953f)
    • runtime-core: improve consistency of `PublicInstanceProxyHandlers.has` (#13507) (d7283f3)
    • suspense: don't immediately resolve suspense on last dep unmount (#13456) (a871315), closes #13453
    • transition: handle KeepAlive + transition leaving edge case (#13152) (3190b17), closes #13153
    ### `v3.5.18`
    Compare Source
    ##### Bug Fixes
    • compiler-core: avoid cached text vnodes retaining detached DOM nodes (#13662) (00695a5), closes #13661
    • compiler-core: avoid self updates of `v-pre` (#12556) (21b685a)
    • compiler-core: identifiers in function parameters should not be inferred as references (#13548) (9b02923)
    • compiler-core: recognize empty string as non-identifier (#12553) (ce93339)
    • compiler-core: transform empty `v-bind` dynamic argument content correctly (#12554) (d3af67e)
    • compiler-sfc: transform empty srcset w/ includeAbsolute: true (#13639) (d8e40ef), closes vitejs/vite-plugin-vue#631
    • css-vars: nullish v-bind in style should not lead to unexpected inheritance (#12461) (c85f1b5), closes #12434
    <…
    runatlantis/atlantis
  • g

    GitHub

    08/26/2025, 3:48 PM
    #5741 docs: fix version availability for repo level branch key
    Pull request opened by cwitthaus
    Change repo level branch key description to state that it has been available since version 0.21.0
    ## what
    Documentation update to fix the note about when the branch key became available for usage in a repo-level atlantis.yaml file.
    ## why
    Documentation is incorrect; I lost some time trying to understand why the branch key wasn't working with version 0.20.1 and want to keep others from losing that time.
    ## tests
    No testing, just a small documentation change.
    ## references
    closes #5740
    Changelog showing branch key being added: v0.20.1...v0.21.0
    Release of 0.21.0 showing branch key being added: https://github.com/runatlantis/atlantis/releases/tag/v0.21.0
    runatlantis/atlantis
  • g

    GitHub

    08/27/2025, 2:29 AM
    #5743 fix(deps): update module github.com/spf13/pflag to v1.0.7 in go.mod (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github.com/spf13/pflag](https://redirect.github.com/spf13/pflag) | require | patch | v1.0.6 -> v1.0.7 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/spf13/pflag) |
    ---
    ### Release Notes
    spf13/pflag (github.com/spf13/pflag)
    ### `v1.0.7`
    Compare Source
    #### What's Changed
    • Fix defaultIsZeroValue check for generic Value types by @MidnightRocket in #422
    • feat: Use structs for errors returned by pflag. by @eth-p in #425
    • Fix typos by @co63oc in #428
    • fix #423 : Add helper function and some documentation to parse shorthand go test flags. by @valdar in #424
    • add support equivalent to golang flag.TextVar(), also fixes the test failure as described in #368 by @hujun-open in #418
    • add support for Func() and BoolFunc() #426 by @LeGEC in #429
    • fix: correct argument length check in FlagSet.Parse by @ShawnJeffersonWang in #409
    • fix usage message for func flags, fix arguments order by @LeGEC in #431
    • Add support for time.Time flags by @max-frank in #348
    #### New Contributors
    • @MidnightRocket made their first contribution in #422
    • @eth-p made their first contribution in #425
    • @co63oc made their first contribution in #428
    • @valdar made their first contribution in #424
    • @hujun-open made their first contribution in #418
    • @LeGEC made their first contribution in #429
    • @ShawnJeffersonWang made their first contribution in #409
    • @max-frank made their first contribution in #348
    Full Changelog: spf13/pflag@v1.0.6...v1.0.7
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    08/27/2025, 2:06 PM
    #5744 reduce metrics cardinality
    Pull request opened by cringhofer
    ## what
    ## why
    ## tests
    ## references
    runatlantis/atlantis
  • g

    GitHub

    08/27/2025, 11:46 PM
    #5745 feat: Adjust Endpoint Base-Path Based on ATLANTIS_ATLANTIS_URL
    Pull request opened by adam-verigin
    ## what
    The Atlantis documentation for --atlantis-url says:
    > Supports a basepath if you're hosting Atlantis under a path.
    However, setting a URL with a basepath only updates the URLs in the Atlantis UI; none of the Atlantis endpoints are updated to include the basepath. This PR updates the mux Router so that if the `--atlantis-url` includes a base path, all the endpoints will also be prefixed with the same base path.
    ## why
    My team is hoping to host multiple Atlantis instances behind a single AWS ALB, using path-based routing. ALBs don't let us modify the request path, so we need Atlantis to be able to serve from a base path. This PR allows us to do that. Right now, this will append this functionality to the `--atlantis-url` flag. I could understand if you would prefer a separate flag, like `--atlantis-base-path`, to make this functionality more explicit. If you would prefer that, please let me know and I can update the PR.
    ## tests
    • I've added some tests to verify that the base path is correctly extracted from the `--atlantis-url` flag
    I have deployed this with and without a basepath set to manually verify the behaviour. I would love to add more tests to verify that the endpoints are correctly registered with the base path, but I'm not sure of a good way to do that. If you have any guidance on how I could do that, please let me know.
    ## references
    The base path support was originally added in #213
    runatlantis/atlantis